The FDA patches the regulations with guidance documents, but there is a desperate need to modernize 21 CFR 820 to ISO 13485.
FDA Proposed Amendment to 21 CFR 820
On February 23, 2022, the FDA published a proposed rule for medical device quality system regulation amendments. The FDA planned to implement amended regulations within 12 months, but the consensus of the device industry is that a transition of several years would be necessary. In the proposed rule, the FDA justifies the need for amended regulations based on the “redundancy of effort to comply with two substantially similar requirements,” creating inefficiencies. In public presentations, the FDA supporting arguments for the proposed quality system rule change relies heavily upon comparing similarities between 21 CFR 820 and ISO 13485. However, the comparison table provided is quite vague (see the table from page 2 of FDA’s presentation reproduced below). The FDA also provided estimates of projected cost savings resulting from the proposed rule. What is completely absent from the discussion of the proposed rule is any mention of the need to modernize 21 CFR 820.
Are the requirements “substantively similar”?
The above table provided by the FDA claims that the requirements of 21 CFR 820 are substantively similar to the requirements of ISO 13485. However, there are some some aspects of ISO 13485 that will modernize 21 CFR 820. The areas of impact are: 1) software, 2) risk management, 3) human factors or usability engineering, and 4) post-market surveillance. The paragraphs below identify the applicable clauses of ISO 13485 where each of the four areas are covered.
Modernize 21 CFR 820 to include software and software security
Despite the limited proliferation of software in medical devices during the 1990s, 21 CFR 820 includes seven references to software. However there are some Clauses of ISO 13485 that reference software that are not covered in the QSR. Modernizing 21 CFR 820 to reference ISO 13485 will incorporate these additional areas of applicability. Clause 4.1.6 includes a requirement for validation of quality system software. Clause 7.6 includes a requirement for validation of software used to manage calibrated devices used for monitoring and measurement. Clause 7.3 includes a requirement for validation of software embedded in devices, but that requirement was already included in 21 CFR 820.30. The FDA can modernize 21 CFR 820 further by defining Software as a Medical Device (SaMD), referencing IEC 62304 for management of the software development lifecycle, referencing IEC/TR 80002-1 for hazard analysis of software, referencing AAMI TIR57 for cybersecurity, and referencing ISO 27001 for network security. Currently the FDA strategy is to implement guidance documents for cybersecurity and software validation requirements, but ISO 13485 only references IEC 62304. Then only aspect of 21 CFR 820 that appears to be adequate with regard to software is validation of software used for automation in 21 CFR 820.75. This requirement is similar to Clause 7.5.6 (i.e., validation of processes for production and service provisions).
Does 21 CFR 820 adequately cover risk management?
The FDA already recognizes ISO 14971:2019 as the standard for risk management of medical devices. However, risk is only mentioned once in 21 CFR 820. In order to modernize 21 CFR 820, it will be necessary for the FDA to identify how risk should be integrated throughout the quality system requirements. The FDA recently conducted two webinars related to risk management of medical devices, but implementing a risk-based approach to quality systems is a struggle for companies that already have ISO 13485 certification. Therefore, a guidance document with examples of how to implement a risk-based approach to quality system implementation would be very helpful to the medical device industry.
Modernize 21 CFR 820 to include Human Factors and Usability Engineering
ISO 13485 references IEC 62366-1 as the applicable standard for usability engineering requirements, but there is no similar requirement found in 21 CFR 820. Therefore, human factors is an area where 21 CFR 820 needs to be modernized. The FDA has released guidance documents for the human factors content to be included in a 510k pre-market notification, but the guidance was released in 2016 and the guidance does not reflect the FDA’s current thoughts on human factors / usability engineering best practices. The FDA recently released a draft guidance for the format and content of human factors testing in a pre-market 510k submission, but that document is not a final guidance document and there is no mention of human factors, usability engineering, or even use errors in 21 CFR 820. Device manufacturers should be creating work instructions for use-related risk analysis (URRA) and fault-tree analysis to estimate the risks associated with use errors as identified the draft guidance. These work instructions will also need to be linked with the design and development process and the post-market surveillance process.
Modernize 21 CFR 820 to include Post-Market Surveillance
ISO/TR 20416:2020 is a new standard specific to post-market surveillance, but it is not recognized by the FDA. There is also no section of 21 CFR 820 that includes a post-market surveillance requirement. The FDA QSR focuses on reactive elements such as:
21 CFR 820.100 – CAPA
21 CFR 820.198 – Complaint Handling
21 CFR 803 – Medical Device Reporting
21 CFR 820.200 – Servicing
21 CFR 820.250 – Statistical Techniques
The FDA does occasionally require 522 Post-Market Surveillance Studies for devices that demonstrate risks that require post-market safety studies. In addition, most Class 3 devices are required to conduct post-approval studies (PAS). For Class 3 devices, the FDA requires the submitter provide a plan for a post-market study. Once the study plan is accepted by the FDA, the manufacturer must report on the progress of the study. Upon completion of the study, most manufacturers are not required to continue PMS.
How will the FDA enforce compliance with ISO 13485?
It is not clear how the FDA would enforce compliance with Clause 8.2.1 in ISO 13485, because there is no substantively equivalent requirement in the current 21 CFR 820 regulations. The QSR is 26 years old, and the regulation does not mention cybersecurity, human factors, or post-market surveillance. Risk is only mentioned once by the regulation, and software is only mentioned seven times. The FDA has “patched” the regulations through guidance documents, but there is a desperate need for new regulations that include critical elements. The transition of quality system requirements for the USA from 21 CFR 820 to ISO 13485:2016 will force regulators to establish policies for compliance with all of the quality system elements that are not in 21 CFR 820.
Companies that do not already have ISO 13485 certification should be proactive by 1) updating their quality system to comply with the ISO 13485 standard and 2) adopting the best practices outlined in the following related standards:
AAMI/TIR57:2016 – Principles For Medical Device Security – Risk Management
IEC 62366-1:2015 – Medical devices — Part 1: Application of usability engineering to medical devices
ISO/TR 20416:2020 – Medical devices — Post-market surveillance for manufacturers
ISO 14971:2019 – Medical Devices – Application Of Risk Management To Medical Devices
IEC 62304:2015 – Medical Device Software – Software Life Cycle Processes
ISO/TR 80002-1:2009 – Medical device software — Part 1: Guidance on the application of ISO 14971 to medical device software
ISO/TR 80002-2:2017 – Medical device software — Part 2: Validation of software for medical device quality systems
What is the potential impact of the US FDA requiring software, risk management, cybersecurity, human factors, and post-market surveillance as part of a medical device company’s quality system?
What are the best human factors questions to ask the FDA during a pre-submission meeting, and what information content do you need in a 510k?
Talk to the FDA before human factors validation
The FDA did not start enforcing the requirement to apply human factors and usability engineering to medical device design until 2017 because the final version of the human factors guidance document was not released until February 3, 2016. Approximately ninety percent of the human factors testing reports submitted to the FDA in 510k pre-market submissions are deficient because the 510k submission content only includes the final summative testing report. The FDA needs a complete usability engineering file, and the human factors information needs to comply with FDA guidelines for the format and content of a 510k pre-market submission–not just IEC 62366-1:2015.
What human factors information does the FDA want?
For several years, FDA submission deficiency letters indicated that you should not include the frequency of occurrence in your estimation of use-related risks, but the FDA never provided this information in a guidance document. On December 9, 2022, the FDA finally released a draft human factors guidance regarding the format and content of a 510k pre-market submission. The new draft guidance includes the requirement for a use-related risk analysis (URRA) in table 2 (copied below).
In this new draft FDA guidance, the FDA identifies three different human factors submission categories. For the first category, only a conclusion and high-level summary are needed. For the second category, a user specification is also needed. For the third category, you need a comprehensive human factors engineering report with the following elements described in Section IV of the draft FDA guidance:
Submission Category 1, 2, and 3
Conclusion and high-level summary
Submission Category 2 and 3
Descriptions of intended device users, uses, use environments, and training
Description of the device-user interface
Summary of known use problems
Submission Category 3 only
Summary of preliminary analyses and evaluations
Use-related risk analysis to analyze hazards and risks associated with the use of the device
Identification and description of critical tasks
Details of validation testing of the final design
Before you spend tens of thousands or hundreds of thousands of dollars on human factors testing, you want to make sure the FDA agrees with your human factors testing plan. Otherwise, you will pay for the testing twice: once for your initial submission and a second time in your response to the FDA request for additional information to address deficiencies. Testing can cost more than your electrical safety testing. The facility needs to have the right equipment and space for the testing, you need support personnel to set up the equipment, you need to recruit participants, you need to compensate participants, and you need device samples.
When can you ask the FDA human factors questions?
The FDA cannot provide consulting advice on a submission, and the agency will not review data during pre-submission meetings. The FDA can provide feedback on protocols, specifications, and scientific justifications. Therefore, you should submit questions to the FDA in a pre-submission when you have a draft protocol, a draft specification, or a draft justification for why a task is not critical. Pre-submissions are “non-binding.” You can change your design and approach to human factors. Therefore, don’t wait until your information is 100% finalized. Share your documentation at the draft stage during the development phase and before your design freeze. You need these answers when you are planning a study and obtaining quotes.
What are the best human factors questions to ask in a pre-sub?
In the FDA guidance for pre-submission meetings, the FDA provides suggested questions to ask:
Does the Agency have comments on our proposed human factors engineering process?
Is the attached use-related risk analysis plan adequate? Does the Agency agree that we have identified all the critical tasks?
Does the Agency agree with our proposed test participant recruitment plan for the human factors validation testing?
The above examples are only suggestions, but the best approach is to provide a brief example of what the human factors information will look like and ask the FDA to comment on the examples. The FDA does not have time to review data during a pre-sub meeting, but the FDA can review a few rows extracted from your URRA and comment on your proposed approach to the human factors process.
Human factors questions that are not appropriate
The FDA pre-submission guidance cautions you only to ask 3-4 questions for each meeting request because the FDA has difficulty answering more questions in a 60-minute teleconference. Therefore, you should not ask questions already answered in the FDA guidance. The new draft guidance includes examples of when a device modification can leverage existing human factors information and when new information is needed to support a premarket submission. Instead of asking a question specific to leveraging existing human factors information, instead, provide your rationale for leveraging existing data and ask if the FDA has any concerns with your overall approach to human factors.
Recommended human factors action items
Create a procedure for your human factors process that includes detailed instructions for creating the information required in a usability engineering report and templates for each document.
Learn why you need to start with software validation documentation before you jump into software development.
When do you create software validation documentation for a medical device or IVD?
At least once a week, I speak with the founder of a new MedTech company that developed a new software application as a medical device (SaMD). The founder will ask me to explain the process for obtaining a 510(k), and they want help with software validation documentation. Many people I speak with have never even heard of IEC 62304.
Even though they already have a working application, usually, validation documentation has not even been started. Although you can create all of your software validation documentation after you create a working application, certain tasks are important to perform before you develop software code. Jumping into software development without the foundational documentation will not get your device to market faster. Instead, you will struggle to create documentation retroactively, and the process will be slower. In the end, the result will be a frustrating delay in the launch of your device.
What are the 11 software validation documents required by the FDA?
In 2005 the FDA released a guidance document outlining software validation documentation content required for a premarket submission. There were 11 documents identified in that guidance:
What the FDA guidance fails to explain is that some of these documents need to be created before software development begins, or your software validation documentation will be missing critical design elements. Therefore, it is important to create a software development plan that schedules activities that result in those documents at the right time. In contrast, four of the eleven documents can wait until your software development is complete.
Which of the software validation documents can wait until the end?
The level of concern only determines what documents the FDA wants to review in a submission rather than what documents are needed for a design history file. In fact, the level of concern (LOC) document is no longer required as a separate document in premarket submissions using the FDA eSTAR template because the template already incorporates the questions that document your LOC. The revision level history document is simply a summary of revisions made to the software during the development process, and that document can be created manually or automatically at the end of the process, or the revision level history can be a living document that is created as changes are made. The traceability matrix can also be a living document created as changes are made, but its only purpose is to act as a tool to provide traceability from hazards to software requirements, to design specifications, and finally to verification and validation reports. Other software tools, such as Application Lifecycle Management (ALM) Software, are designed to ensure the traceability of every hazard and requirement throughout the entire development process. Finally, unresolved anomalies should only be documented at the time of submission. The list may be incomplete until all verification and validation testing is completed, and the list should be the shortest at the time of submission.
What documentation will be created near the end of development?
The software design specification (SDS) is typically a living document until your development process is completed, and you may need to update the SDS after the initial software release to add new features, maintain interoperability with software accessories, or change security controls. The SDS can not begin, however, until you have software requirements and the basic architecture defined. The verification and validation activities are discrete documents created after each revision of the SDS and must therefore be one of the last documents created–especially when provided to the FDA as a summary of the verification and validation efforts.
Which validation documents do you need first?
At the beginning of software development, you need a procedure(s) that defines your software development process. That procedure should have a section that explains the software development environment–including how patches and upgrades will be controlled and released. If you don’t have a quality system procedure that defines your development process, then each developer may document their coding and validation activities differently. That does not mean that you can’t improve or change the procedure once development has begun, but we recommend limiting the implementation of a revised procedure when making major software changes and discussing how revisions will be implemented for any work that remains in progress or has already been completed.
When do the remaining software validation documents get created?
The remaining four software validation documents required for a premarket submission to the FDA are:
Software hazard analysis
Software requirements specification (SRS)
Architecture design chart
Your development process will be iterative, and therefore, you should be building and refining these four documents iteratively in parallel with your software code. At the beginning of your project, your design plan will need a brief software description. Your initial software description needs to include the indications for use, a list of the software’s functional elements, and the elements of your user specification (i.e., intended patient population, intended users, and user interface). If you are using lean startup methodology, the first version of your device description will be limited to a minimal viable product (MVP). The target performance of the MVP should be documented as an initial software requirements specification (SRS). This initial SRS might only consist of one requirement, but the SRS will expand quickly. Next, you need to perform an initial software hazard analysis to identify the possible hazards. It is important to remember that software hazards are typically hazardous situations and are not limited to direct physical harm. For each potential hazard you identify in your hazard analysis, you will need a software requirement to address each hazard, and each requirement needs to be added to your SRS. As your software becomes more complex by adding software features, your device description needs to be updated. As you add functions and requirements to your software application, your SRS will need updates too. Finally, your development team will need a tool to track data flow and calculations from one software function to the next. That tool is your architecture design chart, and you will want to organize your SRS to match the various software modules identified in your architecture diagram. This phase is iterative and non-linear, you will always have failures, and typically a team of developers will collaborate virtually. Maintaining a current version of the four software documents is critical to keeping your development team on track.
How do you perform a software hazard analysis?
One of the most important pre-requisite tasks for software developers is conducting a hazard analysis. You can develop an algorithm before you write any code, but if you start developing your application to execute an algorithm before you perform a software hazard analysis, you will be missing critical software requirements. Software hazard analysis is different from traditional device hazard analysis because software hazards are unique to software. A traditional device hazard analysis consists of three steps: 1) answering the 37 questions in Annex A of ISO/TR 24971:2020, 2) systematically identifying hazards by using Table C1 in Annex C of ISO 14971:2019, and 3) reviewing the risks associated with previous versions of the device and similar competitor devices. A software hazard analysis will have very few hazards identified from steps 1 and 2 above. Instead, the best resource for software hazard analysis is IEC/TR 80002-1:2009. You should still use the other two standards, especially if you are developing software in a medical device (SiMD) or firmware, but IEC/TR 80002-1 has a wealth of tables that can be used to populate your initial hazards analysis and to update your hazard analysis when you add new features.
How do you document your hazard analysis?
Another key difference between a traditional hazard analysis and a software hazard analysis is how you document the hazards. Most devices use a design FMEA (dFMEA) to document hazards. The dFMEA is a bottom-up method for documenting your risk analysis by starting with device failure modes. Another tool for documenting hazards is a fault tree diagram.
A fault tree is a top-down method for documenting your risk analysis, where you identify all of the potential causes that contribute to a specific failure mode. Fault tree diagrams lend themselves to complaint investigations because complaint investigations begin with the identification of the failure (i.e., complaint) at the top of the diagram. For software, the FDA will not allow you to use the probability of occurrence to estimate risks. Instead, software risk estimation should be limited to the severity of the potential harm. Therefore, a fault tree diagram is generally a better tool for documenting software risk analysis and organizing your list of hazards. You might even consider creating a separate fault tree diagram for each module of your software identified in the architecture diagram. This approach will also help you identify the potential impact of any software hazard by looking at the failure at the top of the fault tree. The higher the potential severity of the software failure, the more resources the software team needs to apply to developing software risk controls and verifying risk control effectiveness for the associated fault tree.
The FDA Breakthrough Device Designation was created in 2015 to expedite device access for life-threatening and debilitating diseases.
What is the FDA Breakthrough Device Designation?
The FDA Breakthrough Device Designation is a formal identification by the US FDA that a device in development should be expedited for patient access because it has a reasonable chance of providing more effective treatment than the standard of care for the treatment or diagnosis of life-threatening or irreversibly debilitating human disease or conditions.
To be granted breakthrough status, your device must also meet at least one of the following four secondary criteria:
Represents Breakthrough Technology
No Approved or Cleared Alternatives Exist
Offers Significant Advantages over Existing Approved or Cleared Alternatives
Device Availability is in the Best Interest of Patients
Once the FDA has designated your device as a breakthrough device, all future communications with the FDA related to that device should be identified with the Q-sub reference number assigned to your breakthrough request.
What are the benefits of receiving the designation?
The breakthrough designation helps the FDA identify new technology to focus on in order to expedite access to novel devices that will save lives and treat debilitating diseases. It takes the FDA longer to review these devices because they may raise novel scientific and regulatory issues. Therefore, the FDA prioritizes 510k and De Novo submissions for breakthrough devices over other 510k and De Novo submissions, and the FDA’s senior management is involved in the review process. The average review time for the seventeen 510k cleared breakthrough devices was 155 days*. This may not seem like an expedited review, but the average review time for 510k cleared devices that require additional testing data is almost 270 days. The average review time for the twenty De Novo Classification Requests designated as breakthrough devices was 251 days*. This represents a significant improvement compared to the average De Novo Decision timeline of 338 days for 2019-2022.
*Metrics updated on 10/31/2022 with data through 9/30/2022
Breakthrough Device Designation by the FDA also has a benefit concerning reimbursement. Typically new technology is not covered by CMS for the first two years. Specifically, the Centers for Medicare and Medicaid Services (CMS) typically takes two years to establish qualification for public reimbursement coverage in the USA. In contrast, private insurers are inconsistent in their coverage because Medicare Administrative Contractor (MAC) is divided into 13 different US regions, each making independent coverage decisions case-by-case. When you receive Breakthrough Device Designation, you receive immediate coverage through CMS until traditional coverage takes effect. This interim coverage period allows your company to establish the clinical benefits of your device so that you can apply for payment and coding to establish long-term reimbursement coverage.
Mechanisms of Expedited FDA Review
In addition to identifying breakthrough devices for priority review and involving the FDA’s senior management, the FDA also offers four other mechanisms for improving the review time. First, the FDA offers “Sprint discussions.” A “Sprint” discussion allows the FDA and the company to discuss a single topic and reach an agreement in a set time period (e.g., 45 days). The FDA provides an example of a Sprint discussion similar to a pre-submission meeting, but the overall timeline is half the duration of the FDA’s target MDUFA V decision goals.
The second mechanism for improving the review time is a Data Development Plan (DDP). Using this mechanism, the FDA will work with the company to finalize the non-clinical and clinical testing plans for the breakthrough device. This may include starting clinical testing earlier while deferring certain non-clinical testing.
The third mechanism for improving the review time is Clinical Protocol Agreement. In this scenario, the FDA will interactively review changes to clinical protocols rather than conducting a protocol acceptance review first. Therefore, the time required to review and approve a clinical protocol change is less, and the sponsor can complete their clinical studies in less time.
The fourth mechanism for improving the review time is a prioritized pre-submission review. If a company prefers to discuss multiple issues in one meeting rather than conducting Sprint discussions on single topics, then the FDA will prioritize pre-submission review. The prioritized pre-submission will be tracked as an interactive review with a shorter timeline than other pre-submission meeting requests.
How do you apply to the FDA for Breakthrough Designation?
To receive the designation, you must prepare a Breakthrough Device Designation request and submit it to the FDA Document Control Center (DCC) as an eCopy. The eCopy can be done via FedEx or through the new Customer Collaboration Portal (CCP) launched by the FDA in 2022. Your application could consist of a single document, but we recommend at least three documents: 1) a formal request outlining how your device meets the criteria for breakthrough designation, 2) a detailed device description, and 3) preliminary clinical data demonstrating the feasibility of your device delivering performance claimed in your request for designation. There are no user fees associated with the application for breakthrough designation, and you are not prevented from submitting other types of submissions in parallel with the breakthrough designation request, such as a pre-submission or investigational device exemption (IDE).
When should you apply to the FDA?
If the FDA denies an initial breakthrough designation request, the company may re-submit a request at a later date. Therefore, companies should submit requests as soon as they can provide preliminary clinical data to demonstrate the feasibility of the device’s claimed performance. Therefore, a breakthrough designation request would typically be submitted at the conclusion of an Early Feasibility Study (EFS), which allows a maximum of ten clinical subjects.
How many companies have received Breakthrough Designation from the FDA?
Since the start of the Breakthrough Designation program in 2015, the FDA has granted 728 devices Breakthrough Device Designation*. CDRH, the device division of the FDA, granted 722, while CBER, the biologics division of the FDA, granted 6*. The breakthrough designation, however, does not guarantee FDA market authorization. Only 56 of the breakthrough designations have resulted in market authorization so far. Two of the 56 devices were reviewed by CBER. Of the remaining 54 devices, 16 devices received 510k clearance, 18 De Novo Classification Requests were granted, and 20 PMAs were approved*. Given the number of submissions received each year, only 10-15% of De Novo and PMA submissions are also Breakthrough Devices. In contrast, only about 0.1% of 510k submissions are also Breakthrough Devices.
*Metrics updated on 10/31/2022 with data through 9/30/2022
MDUFA V is the agreement between the FDA and the medical device industry to fund the review of medical device submissions by the FDA.
What is MDUFA V?
The Medical Device User Fee and Modernization Act (MDUFMA or MDUFA) is a set of agreements between the Food and Drug Administration (FDA) and the medical device industry to provide funds for the Office of Device Evaluations (ODE) to review medical device submissions. FDA user fees were first authorized via MDUFMA in 2002 for FY 2003. Each MDUFA reauthorization has lasted five years, and FY 2023 will be the 21st year.
How are the MDUFA V user fees decided?
Section 738A(b)(1) of the FD&C Act requires that FDA consult with a range of stakeholders, including representatives from patient and consumer advocacy groups, healthcare professionals, and scientific and academic experts, in developing recommendations for the next MDUFA five-year cycle. The FDA initiated the reauthorization process by holding a public meeting on October 27, 2020, where stakeholders and other public members were allowed to present their views on the reauthorization. The following is a list of the four industry groups represented in the MDUFA V negotiations with the FDA:
The FD&C Act further requires that FDA continue meeting with the representatives of patient and consumer advocacy groups at least once every month during negotiations with the regulated industry to continue discussions of stakeholder views on the reauthorization and their suggestions for changes.
What are FDA user fees?
At the very core of it, the FDA user fees fund the FDA Office of Device Evaluation (ODE) budget. Without these user fees, the FDA cannot begin reviewing a medical device submission. This includes 510k, PMA, and De Novo submissions. Before the FDA assigns a reviewer to your submission, you must pay the appropriate device user fee in full unless eligible for a waiver or exemption. If you pay the user fee by credit card, you will need to allow a few extra days for the user fee to clear. Otherwise, your submission will be placed on “User Fee Hold.” Small businesses may qualify for a reduced fee. The FDA will announce the user fees for FY 2024 in a Federal Register notice next August 2023.
When does MDUFA V take effect?
Our team regularly checked the announcement of the MDUFA V user fees from August until last week’s announcement. The announcement of the FY 2023 user fees was delayed because Congress did not approve the MDUFA reauthorization until the last week of September. The new user fees were originally expected to take effect on October 1, 2022, but the announcement of actual user fees for 2022 was announced on October 5, 2022. This was two months later than expected.
Why was MDUFA V delayed, and will it happen again?
MDUFA V was delayed because the user fee reauthorization requires an act of Congress. The House of Representatives approved the Food and Drug Amendments of 2022 on June 8, 2022. However, the Senate did not file a bill until after the August recess. There were also differences between the legislation proposed by the House and the Senate. Therefore, to ensure that the FDA did not have to furlough employees when MDUFA IV funding expired, a temporary reauthorization was approved and signed by the President on September 30, 2022. The short-term continuing resolution is a temporary stopgap to continue funding the FDA until December 16, 2022. However, the continuing resolution covers funding for medical device user fees through September 30, 2027. Therefore, the device industry can expect the FDA to continue to operate regardless of the outcome of temporary policies that expire this December. Still, similar delays occurred with previous MDUFA reauthorization, and we expect more of the same US partisan politics between August 2027 and the November 2027 election.
How much did MDUFA V user fees increase?
The increase is dependent upon the fee type. Annual registration fees are increasing by 14.47% (i.e., $5,672 to $6,493). The MDUFA V user fees increased by a stupendous amount (+55.90%) from $12,745 to $19,870 for the 510k user fees. Yikes! De Novo Classification Requests increased by 17.79% from $112,457 to $132,464. Other submissions increased by similar amounts. For more details, check out the table below (also posted on our homepage).
FDA User Fee FY 2023 represents a 55.90% increase in the 510(k) user fee
Do user fees ever decrease?
If we lived in a magical world where gas prices dropped and stayed low, the inflation-adjusted pricing would decrease for FDA user fees. That has happened once, but I fit into skinny jeans once too.
Why is August 1st important?
August 1st is the first day the FDA starts to accept Small Business Certification Requests for the new fiscal year. That means any small business that wants to keep small business status needs to reapply, and any new business that qualifies for small business status must also apply. The importance of applying for small business status is how much you could save on your submission. The FDA will complete its review of the Small Business Certification Request within 60 calendar days of receipt. Upon completion of the review by the FDA, the FDA will send you a decision letter with your small business designation number or a justification for denial.
Does small business status expire?
Yes, small business status expires. The small business status expires on September 30 of the fiscal year it is granted. A new MDUFA Small Business Certification Request must be submitted and approved each fiscal year to qualify as a small business. If you forget to reapply for small business status on August 1, you can reapply anytime during the year. Still, you will temporarily lose small business status from October 1 until the qualification is renewed. The good news is there is no fee associated with the submission of a Small Business Certification Request. For more information, please visit our webpage dedicated to small business qualifications.
Do you need help completing your initial FDA registration and listing for a medical device? Watch our video to learn how.
The two most common situations for when a company needs to register its establishment with the FDA are 1) when the company is a contract manufacturer and producing a finished device for the first time, and 2) when the company is a specifications developer that recently received a 510k and is about to begin distribution of the newly cleared product. If your company is a specification developer, and you have not yet submitted your first 510k, then you must complete your Medical Device User Fee Cover Sheet first. If you have already received 510k clearance, or your device is exempt from 510k clearance, this article and the associated video will help you complete your FDA registration and listing.
Small Business Status does not apply to FDA registration
Most first-time 510k submissions are from small companies. If your company has gross receipts of less than $100 million, you should apply for status as a small business by completing FDA Form 3602 (for US-based companies) or FDA Form 3602A (for foreign companies)–along with your company’s tax return for the previous year. You should apply every year on August 1st. The qualification process takes 60 days, and you never know when you might need to submit a 510k for a device modification. Qualifying for small business status saves substantially on FDA submission fees. The FDA’s review and decision regarding your application for small business status require 60 days, and the status expires each year on September 30th. If you want additional information about small business qualifications, we created a webpage dedicated to this topic.
Medical Device User Fee Amendment (MDUFA)
A few weeks before you submit your first 510k to the FDA, it is recommended that you create a new account for the user fee website and make your Device Facility User Fee (DFUF) payment. This is the website you must access to pay the 510k submission fee. If you are taking advantage of small business status, you will need the Small Business Decision Number you received in the FDA decision letter in response to FDA Form 3602A. Small and large businesses should follow the directions in the guidance document to set up a new MDUFA account.
Once the user fee account has been created, you need to complete a 510k user fee cover sheet. The FDA provides instructions on how to complete the cover sheet. Payment must be submitted to the FDA as well, and the FDA offers multiple ways to pay the user fee for FDA registration.
After you submit your 510k and receive your 510k clearance letter, you may now begin the marketing and distribution of a product. Once a company starts distributing a new product, the company has 30 days to register the facility and list each device with the FDA. Before registering with the FDA, you must also make a second DFUF payment for the establishment registration fee of $5,672 (the Establishment Registration User Fee increases annually). There is no discount for small business status when paying the FDA registration fee, and the fee is not prorated. Discounts are only available for submission fees (e.g., the 510k user fee). The FDA registration fee must be paid for each facility registered between October 1 and December 31. Your registration will become inactive if renewal fees are not paid on time.
FDA Registration and Listings System (FURLS) Database
The FURLS database is a separate database where companies register facilities and list devices with the FDA. The FURLS account ID and password used for FDA registration of your facility is separate from the user name and password for the user fee website used for the DFUF payment. After you pay the annual registration user fee, you will receive the following information via email: Payment Identification Number (PIN) and Payment Confirmation Number (PCN). You will need this information to complete the registration in the FURLS database.
To create a new FURLS account, you access the following website. This new account should only be created if your company does not already have an account, and the person creating the account should be a trusted manager with the authority to designate sub-accounts when needed. Creating a new account will result in issuing an account ID, and you will need to select a password during the process. You need this information for logging into the system in the future. The FDA also has an account management page if you already have an FDA registration and listing account and need help managing it or making changes.
FDA Registration and Listing – Additional Resources
The FDA created a webpage explaining medical device FDA registration and listing, but the following page is the place I recommend that most companies begin reading. If you want Medical Device Academy to help you with FDA registration, we offer this free of charge to our 510k submission clients and turnkey quality system clients. New clients, and clients that have not hired us for a 510k or quality system, can hire us as a US Agent and/or help with registration and listing by using our calendly link for registration and listing assistance.
If you want additional training on registering and listing your facility with the FDA, please visit the updated CDRH Learn webpage: (Click on “Start Here/The Basics”). The FDA offers a “post-test” and certificate for anyone completing the post-test. I recommend completing this training before setting up a new account and anyone responsible for updating the FDA registration and listing information.
The FDA and Health Canada both have executive-level orders requiring medical device shortage reporting or supply-chain disruptions.
In a previous article, we discussed supply-chain disruptions and mentioned that there might be medical device shortage reporting requirements if that disruption causes a market shortage of the manufactured device. Both the United States and Canada have reporting requirements for supply disruptions or the market’s ability to meet the demand of specific types of devices.
Both the U.S. FDA and Health Canada have executive-level orders that require reporting of shortages or disruptions to the supply of medical devices deemed necessary for the COVID-19 Health Emergency. There is some overlap, but each country is monitoring and experiencing shortages and disruptions of different devices.
Where did medical device shortage reporting responsibilities come from?
Check 21 CFR 820, ISO 13485:2016, and even peek at SOR 98-282 and see if you can find your obligations for reporting. Go ahead. I’ll wait… Not much in there, right? Adverse events, complaints, etc., but not market shortages. Medical device shortage reporting is specific to health emergencies. The U.S. FDA and Health Canada happen to be two authorities having jurisdiction with reporting requirements for shortages concerning the COVID-19 Health Emergency. However, there may be others, so having your organization’s regulatory affairs manager verify the reporting requirements for the markets in which you are engaged might not be bad.
U.S. FDA 506J reporting-
In the United States, an Amendment to the U.S. Food, Drug, and Cosmetics Act requires regulatory reporting by medical device manufacturers to the U.S. FDA. It is sometimes called 506J reporting for the Section of the U.S. FD&C Act where it is located.
You will find the statutory requirements outlined within 21 USC 356J.
For the full text read, 21 USC 356j: Discontinuance or interruption in the production of medical devices. (Interestingly enough, the website where this information is available is not an HTTPS site, so visit at your own discretion).
There are two types of devices that the FDA is monitoring. “Critical” devices and an FDA-published list of devices for which COVID-19 is causing a higher than expected demand.
The FDA has released a guidance document that contains criteria for what is considered to be a “Critical Device”. This includes devices such as those used during surgery, emergency medical care, and those intended to treat, diagnose, prevent, or mitigate COVID-19.
There is also a published list of concerned devices that the FDA is specifically monitoring. The FDA website lists these devices by product code, but include the following device types;
Clinical Chemistry Products
General ICU/Hospital Products
Infusion Pumps and Related Accessories
Needles and Syringes
Personal Protective Equipment (PPE)
Testing Supplies and Equipment
Vital Sign Monitoring
Understandably this process may not be intuitive, and for this, the FDA has released a guidance document that addresses;
Who must make the notification
When you should make a notification
What information needs to be included within your 506J notification
How to make a notification, and
Penalties for failure to make a notification
The referenced product codes may not be an all-inclusive list or entirely up to date. The best suggestion for full compliance is to go straight to the source of the regulation, in part because noncompliance can result in enforcement action from the FDA. If you think that your device might require notification to the FDA but isn’t in the reference table, you should contact the FDA for notification clarification. Below is the quote from the FDA website, and it includes the contact email for asking these specific questions to ‘the agency.’
“If a device type is not included in this table, but you believe it requires a notification under section 506J of the FD&C Act, or if you have questions regarding the device types in this table, you should contact FDA at CDRHManufacturerShortage@fda.hhs.gov and include “Question” in the subject line of the email.”
Link to the FDA Guidance Document for 506J Reporting- HERE
How to make a 506J report to the U.S. FDA?
The FDA accepts 506J reports in multiple ways. For example, you may use the 506J Reporting web form or submit a notification by email directly to (Include Email Here). In addition, Medical Device Academy has developed a Work Instruction and Form to determine if your company is experiencing a reportable discontinuance or meaningful disruption in manufacturing a medical device as well as compiling the report for submission.
There are a few methods of notification, a web form for individual notifications and spreadsheet options for multiple notifications at once, or emailing a report directly to the FDA reporting email included below;
It is for this process that Medical Device Academy developed WI-010 506J Shortage Reporting to the U.S. FDA. This work instruction and associated form, FRM-053 506J Reporting Form are designed to walk you through the process of determining reportability and compiling the information necessary to either complete the webform or email the report directly to the shortage reporting email.
Medical Device Shortage Reporting to Health Canada
Rather than discontinuance and disruption of manufacture, Health Canada is monitoring for shortages of specific devices. Therefore, Health Canada wants Medical Device Shortage Reports regardless of the reason for the shortage. It also shows that this is not identical reporting of the same conditions to two different authorities. Health Canada will also accept reports from Importers because the frame of reference is Canada’s supply of medical devices concerning Canada’s needs.
As an Authority Having Jurisdiction, Health Canada also has reporting requirements for medical device shortage reporting of specific types of medical devices. Health Canada is also an independent authority that uses a different device classification system than the U.S. FDA.
The table below shows the device types by their classification level that HC requires supply chain disruption notifications for. This information is current as of September 5th, 2021, and the link below will take you to the HC website page for the most up-to-date list.
List of ‘Specified Devices’ that Health Canada is monitoring for shortage reporting
One of the things that Health Canada does an excellent job of is defining its expectations. In the Second Interim Order Respecting Drugs, Medical Devices and Foods for a Special Dietary Purpose in Relation to COVID-19, it is explained the Manufacturers or Importers should report to the Minister actual or expected shortages of the device, OR components, accessories, or parts. These notifications must be made within 5-days of becoming aware of the shortage or the anticipated shortage date. Update reports must be made within 2-days of becoming aware of new information regarding the shortage, and a closing report must be made within 2-days of the end of the shortage.
(This link is to the HC website for the 2nd Interim Order referenced above)
These reports are submitted online through the Health Canada Website. They have an entire section dedicated to medical device shortages, and the reporting links can be found there (Link here). If you have any questions or are on the fence about notification, you can email Health Canada at MD.shortages-penurie.de.IM@canada.ca.
The webform for reporting a shortage is the same webform that is used for providing update reports to Health Canada as well. This is both for manufacturers of specified medical devices as well as importers.
What can you do to stay ahead of medical device supply chain disruptions and comply with reporting requirements of possible device shortages?
Supply chain issues can be somewhat cyclical. As we approach the holiday season, we also approach the shipping season. Public shipping services such as FedEx and UPS see an increase in freight as the holiday seasons approach. Manufacturers need raw materials and components to stock the shelves with all of those holiday gifts. Since we are still living under pandemic conditions, I would be willing to bet there will be more care packages and mailed gifts in place of traditional gatherings. On top of the approaching increase in demand, staffing shortages can very quickly exacerbate supply chain bottlenecks. All the while importers are still expected to… well, import! If transportation affects all general industry you can bet it can also cause medical device supply chain disruptions.
So what does an overburdened mail service have to do with medical devices and quality systems?
Consider, how are your customers getting your product in their hands? How are you receiving raw materials and components? How about your contract manufacturer? Do they have supply chain redundancies? Does your supplier quality agreement address notifications for shipping disruptions?
Do you have a regulatory obligation to report a shortage/supply chain disruption or interruption of manufacturing to the FDA, or Health Canada? The FDA monitors for discontinuance and meaningful disruption of manufacturing certain devices and similarly Health Canada monitors their own list of devices for market shortages. Supply chain disruptions either through difficulty sourcing of raw materials and components, or through transportation breakdown of finished devices to market are just one way you could experience a reportable disruption or shortage.
Matthew did not choose the topic of medical device supply chain disruptions randomly. His signature brand of pessimistic cynicism is the reason we have him tasked with keeping his fingers on the pulse of global concerns and potential threats and risks. Potential supply chain disruptions will involve your quality staff in developing preventive actions and contingency plans in case there is an issue. Then, your regulatory team will be in charge of reporting and AHJ notification if you are an affected manufacturer (or importer in Canada!). Understaffed and overloaded shipping and transportation suppliers are about to be bombarded with seasonal freight. This makes them an attractive target for ransomware because, just like healthcare facilities, they will not be in a situation where they can afford any downtime.
Regulatory responsibilities related to device supply chain disruptions – Organized by Jurisdiction
The FDA requires reporting shortages and supply chain disruptions to CDHR of permanent discontinuance or interruption in manufacturing of a medical device in Section 506J of the FD&C Act. Especially so in response to the COVID-19 public health emergency. In part, the general public’s need for healthcare during the pandemic guides what devices the FDA needs notification about.
Currently, the FDA is concerned about specific device types by product code or any devices that are critical to public health during a public health emergency. For the most up to date list, the URL to the FDA website will show the specific product codes of the monitored device types;
As an Authority Having Jurisdiction, Health Canada also has reporting requirements for supply chain disruptions of specific types of medical devices. Health Canada is also an independent authority that uses a different device classification system than the U.S. FDA.
The table below shows the device types by their classification level that HC requires supply chain disruption notifications for. This information is current as of September 5th, 2021, and the following link will take you to the HC webpage for the most up-to-date list.
Class I Medical Devices
Masks (surgical, procedure or medical masks) – Level 1, 2, 3 (ATSM)
N95 respirators for medical use
KN95 respirators for medical use
Gowns (isolation or surgical gowns) – Level 2, 3 and 4
Gowns (chemotherapy gowns)
Class II Medical Devices
Ventilators (including bi-level positive airway pressure or BiPAP machines, and continuous positive airway pressure or CPAP machines)
Pulse Oximeters (single measurement)
Aspirators/suction pumps (portable and stationary)
Manual resuscitation bags (individually or part of a kit)
Medical Gloves – Examination and Surgical (Nitrile, Vinyl)
Oxygen Delivery Devices
Class III Medical Devices
Ventilators (including bi-level positive airway pressure or BiPAP machines)
Harden your supply chain with redundancies. Now is the time to qualify a second supplier as a contingency plan before it is too late…. Maybe even consider opening a Preventive Action? (HINT HINT for those ISO 13485 manufacturers that need to beef up their Clause 8.5.3. operations!)
Supply chains have both up and downstream functions. First, you likely need to source raw materials and components for production. Then you also need to ship those finished devices to distribution centers and your customers. Disrupt either of those and your ability to sell your devices is compromised or even completely halted.
Ask yourself, “Do I have a backup option for shipping?”, and “Do I have a backup option for raw materials and components?”.
Why go through all of that effort? Well, if you lose UPS and have to use FedEx instead, are their shipping procedures identical? Likely you will need a WI level document for each shipper to explain the process. It is easier to pre-qualify a contingency supplier and establish a WI now rather than in December when holiday shipping is at its peak. Consider if you also need to open accounts, etc. Scheduling pickup online may not be intuitive.
Just identifying a backup is important, but you can take that a step further and pre-qualify them. If they are a shipping and transportation supplier then give them a shipment or two in order to evaluate them. Hold them to the same standards you would for your primary supplier.
Did your shipment arrive on time? Was it damaged during transit? This is provisional, or pre-qualification. Did they perform adequately enough to use as a tentative supplier in the event the primary supplier is unable to perform? This is designed to make a full qualification of this supplier simple and easy… If you need to utilize them that is. Maintaining this pre-qualification should also be simple and easy as well. Once a year or so have them deliver a shipment for you.
That is just for importing or shipping finished devices. Do you have backup raw material or components suppliers identified? If not identifying or even pre-qualifying secondary suppliers might not be a bad idea either. You are probably tied down to a specific geographic area for shipping and transportation. You may not be for raw materials. If you need barrels of silicone consider a backup supplier from a different area than your primary supplier. Natural disasters create havoc for shipping. If your silicone comes from Company A, and they are closed down because of a hurricane then Company B ten miles away is likely affected as well.
For example, if you are in the U.S. and your primary supplier is in the Northeast then a backup supplier in the Southeast may be strategically important. Whereas a backup supplier from the Southwest may be cost-prohibitive.
What about your suppliers? Is your device high-risk enough that if your supply chain is disrupted, you have an obligation to report it to the FDA? In that scenario, if you use a contract manufacturer, it may be worth requiring supply chain contingencies and clearly identifying who owns what reporting responsibilities within your quality agreement with them.
There is an element of proactive responsibility in reporting these shortages, or projected shortages. In order to be able to predict medical device supply chain disruptions, there should be metrics that your quality system is monitoring. What is your monthly production capacity? How much raw material or components does your warehousing have on hand? How many units could you manufacture if the transport industry stopped right this second?
Determine what you need to track in order to identify a disruption before it occurs.
Prepare for notification now. This article looked at the problem from the point of view that transportation issues were the root cause of the supply chain disruption. However, many other things could be disruptive, such as natural disasters and supply availability. Therefore, develop a WI level document for conducting these types of regulatory reporting activities and train personnel before a disruption happens. It is easier to tackle these kinds of problems if you already have process controls in place and trained competent staff than if you wait until the reporting timeline clock is already ticking.
In the near future, we will be posting a new blog about 506J and Shortage Reporting. We will also have a work instruction and training webinar available soon.
Future blogs about device supply chain disruptions…Shortage Reporting
About the Author
Matthew came to us with a regulatory background that focused on OSHA and NFPA regulations when he was a Firefighter/EMT. Since we kidnapped him from his other career, he now works in Medical Device Quality Management Systems, Technical/Medical Writing, and is a Lead Auditor. Matthew has updated all of our procedures for He is currently a student in Champlain College’s Cybersecurity and Digital Forensics program, and we are proud to say that he is also a member of both the Golden Keys and Phi Theta Kappa Honor Societies! Matthew participates as a member of our audit team and has a passion for risk management and human factors engineering. Always the mad scientist, Matthew pairs his professional life in regulatory affairs with hobbies in the culinary arts as he also holds a Butchers/Meat Cutters certificate from Vermont Technical College.
Maybe you need an FDA inspection plan. Does everyone in your company know what they need to do when FDA inspectors arrive at your facility?
Be proactive and don’t just let FDA inspections happen. You need to have an FDA inspection plan, and that plan needs to cover the roles and responsbilities for everyone. Below we have a list of 15 items that are in our FDA inspection work instruction (WI-009). If you already have a plan, try using the following checklist to assess your readiness for the next next inspection:
What will you ask and do when your FDA inspector calls the Friday before the inspection?
Who should be contacted by the FDA inspector if you are on vacation?
How will you communicate to the rest of your company that an FDA inspection is planned for Monday morning?
Who will greet the FDA inspector upon arrival, and what should they do?
Which conference room will the FDA inspector spend most of their time in?
Who will be in the conference room with you and the FDA inspector?
How will you track document and records requests, and how will you communicate that information to others?
How will you retrieve documents and records requested by the FDA inspector?
Who will conduct a tour of the facility with the FDA inspector and how will the tour be managed?
When quality issues are identified, how will you respond?
What will you do for lunches during the inspection?
Who will attend the closing meeting with the FDA inspector?
Should you “promise to correct” 483 inspection observations identified by the FDA?
How and when will you repsond to the inspector with corrective action plans?
If your company is outside of the USA, what should you do differently to prepare?
What will you ask and do when your FDA inspector calls the Friday before the inspection?
Most people begin their FDA inspection plan with the arrival of the inspector. However, you should consider including earlier events in your plan. Such as closure of previous 483 inspection observations, scheduling of mock-FDA inspections in your annual audit schedule, and details of how to interact with the inspector when they contact you just before an inspection. Most inspections will be conducted by a single inspector, but occasionally inspectors will be training another inspector. In this situation you can count on them following the QSIT manual more carefully, and you are more likely to receive an FDA 483 inspection observation. In the worst-case scenario, the lead inspector will split up from the trainee, and they will “tag-team” your company. This is not proper FDA procedure, but you should be prepared for that possibility. Therefore, make sure you ask the inspector if they are going to be alone or with another inspector when you speak with them on the phone. You should also get their name and phone number. You may even want to consider reviewing FDAZilla Store for details about your FDA inspector’s past inspection 483s and warning letters. Immediately after the call with the inspector, you should reserve a conference room(s) for the inspection and cancel your other meetings for the week. You should also verify that the person that contacted you is really from the FDA. You can do this by looking up their contact information on the Health and Human Services Directory. Your inspector should have a phone number and email you can verify on that directory.
Who should be contacted by the FDA inspector if you are on vacation?
You should always have a back-up designated for speaking with FDA inspectors, handling MDR reporting, and initiating recalls when you are on vacation. These are critical tasks that require timely actions. You can’t expect inspectors, MDRs, or recalls to wait you to get back in the office. It doesn’t matter what the reason is. Weddings, funerals, and ski trips should not be rescheduled. You need a back-up, and often that person is the CEO or President of your company. Make sure you have a strong systems in place (i.e. an FDA inspection plan, an MDR procedure, and a recall procedure). Whomever is your back-up needs to be trained and ready for action. This is also the purpose of conducting a mock-FDA inspection, including examples of MDRs in your medical device reporting procedure, and conducting mock recalls. This ensures you and your back-up are trained effectively.
How will you communicate to the rest of your company that an FDA inspection is planned for Monday morning?
Most companies have an emergeny call list as part of their business continuity planning, and after the past 18 months of living with a Covid-19 pandemic your firm should certainly have a business continuity plan. Your FDA inspection plan should leverage that process. Contact the same people and notify them of when the FDA inspector is coming. If you are unable to find a conference room available for the inspection (i.e. see below), then ask the manager(s) that reserved the designated room for FDA inspections to relocate to another conference room for the week. Make sure you tell them who the inspector will be, and you might even be able to provide a photo of the inspector (try seraching LinkedIn). Make sure that you remind everyone to smile, and to listen carefully to the question asked. Everyone should be trained to answer only the questions asked, and nobody should run and hide. There should also be no need to stop your operations just because an inspector is visiting. You might even include the name of the inspector on a “Welcome Board” if your company has one at the entryway or in public areas. The more an FDA inspection appears as “routine” the better your outcome will be.
Who will greet the FDA inspector upon arrival, and what should they do?
By the time an FDA inspector(s) actually arrives at your company, all of the managers in your company should already been notified of the inspection and a conference room should be reserved for the inspection. Therefore, when the person that is greeting people in the lobby comes to work on Monday morning, you (or their supervisor) need to communicate with them and make sure that they are prepared for arrival. There are four things that should be communicated:
the name of the inspector(s) that are arriving
the list of managers that should be notified when the inspector(s) arrives (possibly identical to the buisness continuity call list)
the conference room that is reserved for the inspection
If the person greeting the inspector(s) is also going to escort them to the conference room and help them get set-up, then they will need additional instructions. If that escorting inspectors to the conference room and helping them get set-up is delegated to a different person, then the following considerations should be included in that person’s instructions:
the location of bathrooms and emergency exit instructions in case of a fire
the information for wireless connectivity
recommendations for seating in the conference room based upon the expected participants (see below)
It is important that an escort for the inspectors is able to bring the inspector(s) to the conference room as quickly as possible. They should not be expected to wait more than a few minutes for an escort.
Does your FDA inspection plan identify a specific room for the inspector? Is there a back-up?
Some companies have a specific room that is designated for inspections and 3rd party certification audits. If your comapny can do that, it will be very helpful because it reduces the decision making that is required immediatley prior to the inspection. Having a specific room for the inspection also eliminates the need to tell everyone else in the company where the inspector will be. Instead the location of the inspection can be in the work instruction or written FDA inspection plan. You shouldn’t need a back-up plan if there is a specific room designated for an FDA inspection, but our firm has a client that will be hosting three notified body auditors simultaneouly for three days. In that situation, you might need more than one room.
Does your FDA inspection plan have assigned seating?
You might think that it really doesn’t matter where people sit in a conference room, but you will probably want consider the layout of charging cords and the flow of interviewees requested by the inspector. In your conference room, you will need room for at least the following people:
the management representative (i.e. you)
If there is an inspector and a trainee, you will probably want to seat them together to facilitate them working together. You as the Management Representative also need to be in the room, and it may help for you to sit next to the scribe to facilitate communication between you and to make it easier for them to hand you documents after the scribe logs the documents into their notes. The scribe should probably sit closest to the door, because they will be receiving documents, logs, and records that are brought to the room. You will also need one more seat next to you, and probaby accross from the inspector(s), for interviewees. This person will rotate as different processes are reviewed. I also recommend having a location in the middle of the table for an “in box” where documents, logs, and records for the inspector are placed after being logged in. A second location in the middle of the table can be used for a “discard pile” as you finish using your copy of each document, log, and record. You may refer back to these copies later. The “discard pile” should be 100% copies rather than originals. Originals should never be brought into the room with the inspector.
Who is the scribe in your FDA inspection plan?
The perfect scribe would know the quality system well and they would have the typing skills of a professional stenographer. You might have someone that is an executive assistant in your company or a paralegal that could do this job, but you might also have a document control specialist that fits this requirement. Some companies will even hire a temp for the duration of the inspection that has this type of skill, but a temp is unlikely to know the jargon and quality system requirements well. I have taken on the role of scribe many times for my clients, because I type fast and know their quality system. I also don’t want to interferre with the inspection process. As scribe I can answer questions and offer suggestions when appropriate, but most of my time is spent taking notes and communicating by instant messenger with company members that are outside of the inspection room.
You should seriously consider using an application such as Slack as a tool for communication during the inspection. Then anyone in your company that needs to know the status of the inspection can be provided access to the Slack channel for the inspection. This can also act as your record of requests from the inspector. It’s even possible for people on the Slack channel to share pictures of documents to confirm that they have identified the document being requested. You could even invite someone to speak remotely with the inspector via Slack with Zoom integration. All the scribe needs to do is share the Zoom app with a larger display in the same conference room so the inspector can see it too.
Does your FDA inspection plan include provisions for document and record retrieval?
The most important part of document and record retrieval during an FDA inspection is to remember that inspectors should never receive the original document. Ideally, a copier would be located immediately outside of the conference room and three copies would be made of every document before it enters the inspection room. The originals can be stored next to the copier until someone has time to return them to the proper storage location. The three copies should all be stamped “uncontrolled documents” to differentiate them from the originals. When the three copies are brought into the room, they should be handed to the scribe. The scribe should log the time the copies were delivered in the Slack channel. Then the copies should be handed to you, the Management Representative. You should skim the document to make sure that the correct document was received. Then one copy would be given to the inspector and another copy would be made available to the interviewee. If only two copies are needed, the extra copy can be placed in the “discard pile.” Even if your system is 100% electronic, I recommend printing copies for the inspection. The paper copies are easier for inspectors to review, and it eliminates the ability for the inspector to hunt around your electronic document system. In this situation, the scribe may do all of the printing.
Does your FDA inspection plan indicate who will conduct a tour of the facility with the FDA inspector and how will the tour be managed?
I’m surprised by the number of companies that don’t seem to have a map of their facility. Medical device manufacturing facilities should have two kinds of facility maps. One should identify where pest control monitoring stations are located, and the second should indicate your evacuation route to exit the building. All guests should be shown the evacuation route map, probably within the first 30 minutes of arrival. The second map will be requested by the inspector eventually if you conduct manufacturing at your facility. Therefore, it would be helpful to use one or both of these facility maps as a starting point for creating a map of the route that inspectors should be taken on during a tour. I prefer to start with where raw materials enter the facility, and then I follow the process flow of material until we reach finished goods storage and shipping. If you can do this without back-tracking multiple times, then that will probalby be the preferred route. The purpose of planning the route out in advance is to help estimate how long the tour will take, and to make sure there is consistency. If someone starts the tour, and then another person takes over the tour, the new person should be aware of what the next location is and what areas have not been observed yet. There may also be safety reasons for avoiding certain areas during a tour and asking the inspector to observe those areas from a distance. Welding processes, for example, often fall into this safety category.
When quality issues (i.e. FDA 483 inspection observations) are identified, is this covered by your FDA inspection plan?
Third party certificaton body auditors will typically make you aware of nonconformities as they are identified, but FDA inspectors often will hold off on identifying 483 inspection observations until the end of the inspection in a closing meeting. However, you can typically identify several areas that may result in a 483 inspection observation during the inspection. You and the manager of that area may want to consider initiating a draft CAPA plan for each of these quality issues before the closing meeting. This would give you an opportunity to demonstrate making immediate corrections and you might be able to get feedback from the inspector on your root cause analysis and corrective action plan before the closing meeting. Sometimes this will result in an inspector identifying low-risk quality issues verbally instead of writing them out on FDA Form 483. I find the best way to make sure CAPA plans are initiated early is to have a debrief each day after the inspector leaves. All of the managers involved in the inspection should participate, and the debrief can be done virtually or in person. Virtually may be necessary, because often managers need to leave work before the inspector ends for the day. You should consider including this in your FDA inspection plan as well.
Does your FDA inspection plan include plans for daily lunches?
If your facility is located outside the USA, skip this paragraph and go to the section below about companies located outside the USA. If your company is locagted inside the USA, you can be certain that the FDA inspector will not eat lunch at your facility. They will leave for lunch on their own, and then they will return after lunch. Therefore, you may not have control of the timing of a lunch break but you will have time to take one. Most managers use the lunch break as a time to catch-up on emails. However, I think it makes more sense to change your email settings to “out of office.” You can indicate that you are hosting an audit and you will answer questions as a batch that evening or then next morning. You might use the lunch break to take a walk and relax, you might have short debrief meeting with other managers, and you might spend some time preparing documents, logs, and records that the inspector may have requested before they left. Most inspectors use this strategy of asking for a list of documents and records in advance. This is also a good strategy to learn as an internal auditor or supplier auditor. If you have a back-room team that is supporting you, don’t make them wait for a break. Have someone in your company take their lunch orders or arrange for a catered buffet lunch. This will keep your support team happy, and you should definitely remember to include lunch for the team and changing your email settings to “out of office” in your FDA inspection plan.
Does your FDA inspection plan state who will attend the closing meeting?
Most companies have every manager that was in the opening meeting attend the closing meeting. This is ok, but it is important for anyone that might need to initiate a CAPA to be present in the meeting so that they can ask the inspector for clarification if needed. Scheduling a closing meeting should be part of your FDA inpsection plan. However, the past 18 months of the Covid-19 pandemic has taught us that we can attend this type of meeting remotely via Zoom. Therefore, we recommend letting the managers go home early if they are no longer needed as auditees. Instead, ask them to call in for a Zoom meeting at the time the FDA inspector estimates for review of the 483 inspection observations with the company.
Should you “promise to correct” 483 inspection observations identified by the FDA?
During the closing meeting the FDA inspector will review 483 inspection observations with you and any of the other managers present at the closing meeting. The inspector will ask if you promise to correct the 483 inspection observations that were identified. You should confirm that you will, and the FDA inspector will add this to the Annotations in the Observations section of FDA Form 483 that you will recive at the closing meeting. By stating this, you are agreeing to create a corrective action plan for each of the 483 inspection observations. You could change you mind later, but the better approach is to perform a thorough investigation of the 483 inspection observation first. If you determine that corrective action is not required, you can explain this in your CAPA plan and provide data to support it. The only likely reason for not correcting an observation is that you determined the incorrect information was provided to the inspector. In that case, you may need to do some retraining or organize your records better as a corrective action to prevent recurrence in a future inspection. You might even make modifications to your work instruction for “Conducting an FDA Inspection” (i.e. FDA inspection plan).
How and when will you repsond to the inspector with corrective action plans?
Your FDA inspection plan should include details on how respond to FDA 483 inspection observations and when the response must be submitted by. The FDA inspector will give you instructions for submission of your corrective action plans by email to the applicable email address for your region of the country. This email address and contact information should be added to your work instruction as an update after the first inspection if you are not sure in advance. You should respond with a copy of your CAPAs with 15 business days. Regardless of what the inspector told you, there is always a possibility that the outcome of your inspection could be “Official Action Indicated.” This is because the inspector’s supervisor makes the final decision on whether a Warning Letter will be issued and regarding the approval of the final inspection report. You should also confirm what the 15-day deadline is, because your state’s holidays may be different from the US Federal holidays.
If your company is outside of the USA, what should you do differently to prepare?
The US FDA only has jurisdiction over companies that are located in the USA. Therefore, if your company is registered with the FDA, you can only be inspected if you agree to host the FDA inspector when they contact you. FDA inspectors will contact foreign firms 6-8 weeks in advance, and they will typically give you a couple of weeks to choose from. After you confirm the dates for the inspection, then they will make their travel plans. Therefore, you will know exactly when the FDA inspection is schedulea and you will have more than month to prepare. Therefore, you should do four things differently:
You should send the FDA inspector directions from the airport to your facility and provide recommendations for potential hotels to stay at. Ideally the hotels you recommend will provide transportation from the airport and managers that are speak passable English). The hotels should be appropriate for business travel–not royalty. If it is convenient, you may even offer to pick-up the inspector at the hotel each day to ensure they have no problems with local transportation.
You should offer to provide lunches for the inspector during the inspection. This should not be considered entertainment. The purpose is make sure the inspector has lunch (i.e. a light meal or snacks) and drinks (i.e. water and coffee) during the inspection so that they do not have to negotiate local traffic, struggle with ordering food in a language they don’t know, and to eliminate delays associate with having lunch off-site. Make sure you remember to ask about food allergies and dietary restrictions. You might even follow-up with a draft menu to obtain confirmation that your proposed menu is appropriate.
You should schedule a mock-FDA inspection immediately to verify that everyone is prepared and to identify any CAPAs that need to initiated before the FDA inspector finds the problems.
During the first day of the inspection, you may consider asking the inspector if they would like to go out for dinner one of the evenings with a couple of people from your company or if they would like any recommendations for restaurants to eat at. If you are not familiar with US customs and international travel, ask the hotel concierge for advice. When you are out to dinner, the conversation should remain professional and if you normally drink alcohol at dinner you may want to consider the “BOB” compaign in the Netherlands as a role model.
How are you going to train everyone in your company?
You need an easy way to train everyone in your company. Why not give them a video to watch? Next Monday, July 26, 2021 @ Noon EDT, we are hosting a webinar on how to prepare for an FDA inspection. It is a live webinar where you will be able to ask questions, and we are bundling the webinar with our new work instruction for “Conducting an FDA Inspection” (WI-009). If you register for the webinar, you will receive access to the live webinar, you will receive the native slide deck, and you will receive a copy of the work instruction. You can use the work instruction as an FDA inspection plan template for your company. The webinar will be recorded for anyone that is unable to attend the live session. You will be sent a link to download the recording to watch it as many times as you wish, and we recommend that you use the webinar as training for the rest of your company.
Did you know you can download competitor inspectional observations to learn which quality issues are likely to result in warning letters?
Not long ago the FDA published their Inspectional Observation Data Sets. They are Excel spreadsheets of the dreaded 483 inspection observations and warning letters that the FDA issues after performing inspection of manufacturers. There is a spreadsheet for each of the following topic areas, and we will take a look at the ‘Devices’ observations. A post-mortem data analysis or speculative data autopsy if you will… What can we learn when examining an FDA inspection observation?
Human Tissue for Transplantation
Parts 1240 and 1250
Foods (includes Dietary Supplements)
Total number of inspections and 483s
These are nonconformities written by the FDA to the Code of Federal Regulations, so there won’t be any statistics for ISO 13485:2016 or Regulation (EU) 2017/745. There will be lots of findings under the ‘QSR’ or 21 CFR 820. The good news, unlike an ISO Standard, is that the Code of Federal Regulations is publicly available online for free. It isn’t a pay-to-play game and we can share the full text of the requirement without violating any copyright licensing agreements.
The top 10 areas for inspection observations and warning letters are:
Medical Device Reporting
Documentation of CAPA actions and results
Device Master Record
Corrective and preventive action is the most common reason for warning letters
The winning quality system requirement that resulted in the most 483 inspection observations and warning letters was for Corrective and Preventive Actions under 21 CFR 820.100(a). This finding is listed when a manufacturer fails to establish a CAPA procedure or the procedure is inadequate. This finding was cited 165 times. In addition, CAPA activities or their results were not documented or were not documented adequately a total of 32 times under 21 CFR 820.100(b). This gives us a grand total of 197 observations for the CAPA process.
Corrective and preventive actions are either fixing an identified problem and making sure it doesn’t happen again, or stopping a potential problem from happening in the first place. It is both the reactive and proactive response for quality issues and product non-conformance. The text of the requirement is:
“§820.100 Corrective and preventive action.
(a) Each manufacturer shall establish and maintain procedures for implementing corrective and preventive action. The procedures shall include requirements for:
(1) Analyzing processes, work operations, concessions, quality audit reports, quality records, service records, complaints, returned product, and other sources of quality data to identify existing and potential causes of nonconforming product, or other quality problems. Appropriate statistical methodology shall be employed where necessary to detect recurring quality problems;
(2) Investigating the cause of nonconformities relating to product, processes, and the quality system;
(3) Identifying the action(s) needed to correct and prevent recurrence of nonconforming product and other quality problems;
(4) Verifying or validating the corrective and preventive action to ensure that such action is effective and does not adversely affect the finished device;
(5) Implementing and recording changes in methods and procedures needed to correct and prevent identified quality problems;
(6) Ensuring that information related to quality problems or nonconforming product is disseminated to those directly responsible for assuring the quality of such product or the prevention of such problems; and
(7) Submitting relevant information on identified quality problems, as well as corrective and preventive actions, for management review.
(b) All activities required under this section, and their results, shall be documented.“
We can see that under section (a) the requirement is that there is an established and maintained process control with a numerical list of required inputs and outputs of that process. The process control is easy, use a procedure. You have to establish a procedure and you have to maintain it. That is one part of the first 165 observations.
The second part is that the procedure needs to be ‘adequate’. That means that bullets (1)-(7) need to be addressed within that procedure. For example number (2) is “Investigating the cause of nonconformities relating to product, processes, and the quality system;”. This means that the procedure should be explaining not only that your quality system will be doing that investigation, but who will be doing it and how they will be doing it.
“The cause of nonconformities shall be investigated”, may not be an adequate process control. Yes, it addressed the need for a root cause evaluation, but does it do that adequately?
“The RA/QA Manager will complete or assign a staff member to complete the root cause evaluation of Corrective Actions utilizing methods such as a ‘5-Why Analysis’ by filling in section 2. Of the CAPA report form.” This wording is much closer to what is needed in a procedure. It explains who is doing what, roughly how they might do it, where that activity gets documented and identifies the record that the activity produces.
Which brings us to the extra 32 findings where the activities and their results either weren’t documented or were done so poorly. This is why identifying the input (Root Cause Analysis) and the output (Section 2. of the CAPA report) are important. It allows you, the inspector or an auditor to trace from the procedure to the record that part of the process produces to demonstrate conformity.
As the age old saying goes, “if it isn’t documented, it didn’t happen”. That record should show that yes you did a root cause analysis (the activity) and what the conclusion of that analysis was (the results of that activity). These types of records are so vital to your quality system that there is an entire process dedicated to the control of records. I’ll give you a hint, it is Subpart-M of the QSR.
This is also a great segway to show how the processes go hand in hand and CAPA is interrelated to Document Control, Record Control, and your Quality System Record. Your system processes will continually wrap back around to each other in this manner. For example, CAPAs are a required input into your Management Review process so if you don’t have a CAPA procedure you aren’t performing adequate management reviews.
A note on other systems
If your quality system is also ISO 13485:2016 compliant, Corrective Actions and Preventive Actions are separate items under separate sub-clauses. Corrective Actions are in 8.5.2., and Preventive Actions are in 8.5.3. Meaning if you have a mature quality system that has never had a preventive action, then your CA might be fine, but the PA of that process may be inadequate.
Complaints are the second most common reason for warning letters
The silver medal goes to complaints. Much like CAPA the biggest issue is no, or inadequate complaint handling procedures. This specific finding was cited 139 times (overall complaint handling has more but this specific issue was the most cited). Not to sound like a broken record but again, complaint handling is a specific process that requires an ‘established and maintained procedure”.
As a procedure it has to exist, it has to be maintained, and each process has requirements for inputs and outputs that must be outlined. Complaint handling is a little bit different in the QSR in that there isn’t a ‘complaint’ sub-part. Complaints are under Sub-Part M- Records, specifically 21 CFR 820.198 Complaint Files.
To compare, Complaints in accordance with ISO 13485:2016 are under Measurement Analysis and Improvement, specifically Sub-clause 8.2.2. Complaint Handling. It is sandwiched in between Feedback and Reporting to Regulatory Authorities. That had to have been done on purpose because those processes are inherently intertwined and their inputs and outputs directly feed into each other:
“§820.198 Complaint files.
(a) Each manufacturer shall maintain complaint files. Each manufacturer shall establish and maintain procedures for receiving, reviewing, and evaluating complaints by a formally designated unit. Such procedures shall ensure that:
(1) All complaints are processed in a uniform and timely manner;
(2) Oral complaints are documented upon receipt; and
(3) Complaints are evaluated to determine whether the complaint represents an event which is required to be reported to FDA under part 803 of this chapter, Medical Device Reporting.”
This sub-section of ‘Records’ may be less intuitive than what we saw under CA/PA. We can see that we have to maintain complaint files. We also need a procedure that covers receipt, review, and evaluation of complaints. Then we have to name a formally designated complaint handling unit to do all of that.
Further we need to make sure that complaints are handled uniformly and efficiently. It should be a cookie cutter process with a known timeline. Every complaint goes through the same review and evaluation within a specific time period. If it takes six months to review a complaint, that definitely is not a ‘timely manner’.
Not every complaint will be sent to you via certified mail with ‘Complaint’ written across the top in big BOLD letters. Sometimes people will simply tell you about a complaint they have verbally and your process needs to define how it is addressing these verbal communications. Otherwise your FDA inspection observation will be written, and you run the risk of receiving warning letters.
This of course begs the question, what is a complaint? How will I know if I received one? Fortunately 21 CFR 820.3 provides us with definitions, one of them being what exactly a complaint is “(b) Complaint means any written, electronic, or oral communication that alleges deficiencies related to the identity, quality, durability, reliability, safety, effectiveness, or performance of a device after it is released for distribution.”.
There is no quiz at the end of this but I would caution you that this will probably be on the test. Anytime you ask a question like that and the regulation provides a definition for it, then it’s a good idea to include that definition within your procedure. This is a way to make sure that there is uniformity in the understanding of a procedure. If you miss a complaint because you didn’t realize that it was a complaint then your process is not effective. Eventually an auditor will pick up on the deficiencies in the process, document a finding and you will be doing a CAPA to fix it.
Every complaint needs to be reviewed, but not every complaint needs to be investigated. This was a much less cited issue (5). You are allowed to decide that an investigation isn’t needed. However, if you do then you must keep a record of why you decided that and name the person responsible for that decision.
That isn’t carte’ blanche to just write off investigations whenever you want. There are some things that require an investigation and there is no accepted rationale for not performing one. An example is when there is a possible failure of a device, it’s labeling or packaging to meet any of their specifications. Those need to be investigated without exception. What your system is allowed to do though is if you have already done an investigation and you received related similar complaints, there is no need to repeat the same investigation for every complaint.
An important concept of complaint handling is that you should be triaging your complaints as you receive them. There are certain types of complaints that must be reported to the FDA. More information is actually found under 21 CFR 803, not the 820 that we have been examining. These special complaints need to be identifiably separate from your normal run of the mill complaints. These complaints specifically need a determination of;
Whether the device failed to meet specifications;
Whether the device was being used for treatment or diagnosis; and
The relationship, if any, of the device to the reported incident or adverse event.
Outside of those special reportable complaints, all investigations have certain required outputs. By addressing every complaint in a uniform repeatable manner, this can be boiled down to a form. In fact creating a specific complaint form makes sure that all of the required information has been documented. Each record of an investigation by your formally designated complaint handling unit has to be include;
The name of the device;
The date the complaint was received;
Any unique device identifier (UDI) or universal product code (UPC), and any other device identification(s) and control number(s) used;
The name, address, and phone number of the complainant;
The nature and details of the complaint;
The dates and results of the investigation;
Any corrective action taken; and
Any reply to the complainant.
Some companies and corporations sprawl across the globe and have many sites all over the place. Not every manufacturer is limited to containing all of their operations within a single building. There are times where the formally designated complaint handling unit may be somewhere other than where the manufacturing is taking place. That is acceptable as long as communication between the two is reasonably acceptable. The manufacturer needs access to the records of the complaint investigations performed. Just as everything must be documented, all of that documentation must be producible as well. If not, your inspector will produce FDA 483 inpsection observations and warning letters.
If the complaint handling unit is outside of the United States the records have to be accessible in the United states from either the place where the manufacturers records are normally kept or at the initial distributor.
Medical Device Reporting is the third most common reason for warning letters
The bronze medal recipient shows a drop in sheer numbers of FDA inspection observations. A total of 68 were written for the fiscal year of 2020, and these findings have a high likelihood of resulting in warning letters because these incidents may involve serious injuries and death. We are slowing down, but this is still a topic that gets an FDA inspection observation almost every week.
But again part of the issue is no, or bad procedures to control this process. Not to be confused with the (EU) MDR since as an industry we love acronyms so much, Medical Device Reporting is referenced within the Quality System Requirements of 21 CFR 820. We took a peek above in Complaint Handling. What makes this unique is that MDR actually lives in 21 CFR 803 Medical Device Reporting. What makes it even more special is that Part 803 is further broken down into sub-parts.
We will take a look at Sub-part E which is the reporting requirements for manufacturers. Medical Device Reporting is a process and as such needs a procedure to control it and that procedure must be maintained.
Some key points to capture is that there are reporting timelines that are measured in calendar days from when you become aware of information that reasonably suggests that one of your devices;
“(1) May have caused or contributed to a death or serious injury or (2) Has malfunctioned and this device or a similar device that you market would be likely to cause or contribute to a death or serious injury, if the malfunction were to recur.”
There are some crucial takeaways. First, the clock starts ticking down calendar days, not work days, and holidays count. You can’t hold off reporting that your device killed someone because it’s around the holidays and over a few weekends.
Second, is that reporting timelines vary, generally between 5 and 30 calendar days. That means it is important to know the specific timeline for the type of report you are making and what the authority having jurisdiction requires for a timeline. The FDA may differ from Health Canada which in turn may differ from the EU, etc.
Third is that the bar to meet is what would be ‘reasonably known’, and that is somewhat of an ambiguous requirement open to interpretation.
They help clarify this with,
“(i) Any information that you can obtain by contacting a user facility, importer, or other initial reporter; (ii) Any information in your possession; or (iii) Any information that you can obtain by analysis, testing, or other evaluation of the device.”
The first two are usually not an issue, but the one that tends to get less attention is deeper analysis, testing or evaluation of the device. Due diligence is required here to make sure that you actually do know the information that should be ‘reasonably known’ to you.
The burden of investigation and root cause determination is placed squarely on the shoulders of the manufacturers and that is a process that can take some time. What happens when the reporting timely is fast approaching but your investigation won’t be finished before the clock runs out? The short answer is to report it anyway.
The longer answer is to report what information you do have with an explanation of why the report doesn’t have all of the required information. Then explain what you did to try to get all of the information, and file a supplemental or follow-up report later to fill in the gaps. Only having a partial report ready is not an excuse to miss the reporting deadline. It is however, the perfect excuse to get an FDA inpsection observation or warning letters.