Blog

Archive for FDA

Private Labeled Devices with FDA Approval

This article explains the FDA regulations related to private labeled devices that are already 510k cleared and distributors want to import.

Untitled presentation 1 e1650334733162 Private Labeled Devices with FDA Approval

This article was initially inspired by a question asked on the Medical Devices Group website hosted by Joe Hage. Companies often ask about how to private labeled devices in the USA, because they are unable to find anywhere in the FDA regulations where private labeling of the device is described. The reason for this is because the FDA regulations for devices allow for the labeling to identify the distributor only—without any mention of the OEM manufacturer on the label. In contrast, most other countries have “own-brand labeling” regulations or regulations for private labeling devices. It is also important to remember that the FDA only approves devices through the pre-market approval (PMA) pathway. All other devices fall into one of three categories: 1) 510k exempt, 2) 510k cleared, or 3) De Novo classification request approved. Devices that fall into the third category will subsequently fall into category 1 or 2 after the FDA approves the classification request.

Questions about the private labeled devices process for FDA

Our distribution company is interested in getting a private labeled devices agreement with an OEM to sell a Class II medical device in the USA. The OEM has 510(k) clearance, and the only product change will be the company’s name and address on the label. There will be no change to the indications for use. Please answer the following questions:

  1. Is it legal to eliminate all mention of the OEM from the device labeling?
  2. Who is responsible for complaint handling and medical device reporting? OEM or private-labeled distributor?
  3. What is the process to get this private label for the Class II device?
  4. How can our distribution company avoid paying the FDA user fee?

Answer to the first question about private labeled devices

The FDA is unique in that they allow either the distributor or the manufacturer to be identified on the label, but both are not required. Therefore, if Joe Hage were the distributor, and you were the manufacturer, there are two legal options for the private labeled device: 1) “Distributed by Joe Hage”, or 2) “Manufactured for Joe Hage.”

The manufacturer is not required to be identified on the label. However, the OEM must be registered and listed with the FDA. If the OEM is outside the USA, then the distributor must register and list with the FDA as the initial importer and reference the K number when they complete the FDA listing. There is no approval required by the FDA. You will need a quality agreement defining the roles and responsibilities of each party, but that is all.

Answer to the second question about private labeled devices

The quality agreement must specify which company is responsible for complaint handling (21 CFR 820.198) and medical device reporting (21 CFR 803). In this situation, the OEM is the specification developer, as defined by the FDA. Therefore, the OEM will be responsible for reporting and execution of recalls. Therefore, even if the distributor with a private label agreement is identified as the “complaint file establishment,” the OEM will still need to obtain copies of the complaint information from the distributor, and determine if medical device reporting and/or corrections and removals are required (i.e., recalls).

Answer to the third question about private labeled devices

There is no formal process for “getting a private label.” The entire private label process is negotiated between the distributor and the OEM with no involvement of the FDA. However, in the listing of devices within the FDA FURLS database, all brand names of the device must be identified. Therefore, the OEM will need to add the new brand name used by the distributor to their listing for the 510(k) cleared product. However, the FDA does have the option to keep this information confidential by merely checking a box in the device listing form.

Answer to the fourth question about private labeled devices

If the distribution company is the initial importer of a device into the USA, then the distributor must be registered with the US FDA as the initial importer, and the distributor will need to pay the FDA user fee for the establishment registration. That user fee is $5,236 for FY 2020, and there is no small business discount for this fee. The only way to avoid paying the user fee is to have another company import the device, who is already registered with the FDA, and to distribute the product for that company. I imagine some logistics brokers might be acting as an initial importer for multiple distributors to help them avoid paying the annual FDA user fee for establishments. That company might also be providing US Agent services for multiple OEMs. However, I have not found a company doing this.

Is private labeling of device legal in the USA?

The FDA is unique in that they allow either the distributor or the manufacturer to be identified on the label, but both are not required. Therefore, if Joe Hage were the distributor, and you were the manufacturer, there are two legal options for the private label: 1) “Distributed by Joe Hage”, or 2) “Manufactured for Joe Hage.”

Who must register, list, and pay user fees for medical devices?

This question is frequently asked, and the table with the information was not visible on my mobile browser. Therefore, I copied the table from the FDA website and posted the information in the image below. The information is copied directly from the FDA website:

Registration and Listing Requirements for Domestic Establishments

Who must register list and pay fig 1 1024x697 Private Labeled Devices with FDA ApprovalWho must register list and pay fig 2 1024x710 Private Labeled Devices with FDA Approval

Registration and Listing Requirements for Foreign Establishments

Who must register list and pay fig 3 1024x947 Private Labeled Devices with FDA Approval

For products that are manufactured outside the USA, and imported into the USA, the initial importer is often the company identified on the label. There are two typical private labeling situations, but other possibilities exist:

  1. If the initial importer owns the 510(k), then the manufacturer outside the USA is identified as the “contract manufacturer,” and the initial importer is identified as the “specifications developer.” Both companies must register their establishments with the FDA, and there needs to be a quality agreement between the two companies defining roles and responsibilities. The contract manufacturer outside the USA is not automatically exempt from reporting requirements and complaint handling. The contract manufacturer outside the USA may decide to label the product as a) “Manufactured by”, b) “Manufactured for”, or c) “Distributed by.” Options “a”, “b” and “c” would list the importer’s name because they own the 510(k), and they are the distributor. This situation often occurs when companies outside the USA want to sell a product in the USA, but they do not want to take on the responsibility of obtaining 510(k) clearance. These firms often believe this will exempt them from FDA inspections, but the FDA is increasingly conducting FDA inspections of contract manufacturers due to this private label situation.
  2. If the manufacturer owns the 510(k), then the manufacturer outside the USA is identified as the “specifications developer” and the “manufacturer,” while the initial importer will be identified as the “initial importer.” The importer may also be specified as the complaint file establishment and/or repackager/relabeler in the FDA registration database. The manufacturer outside the USA will not be able to import the device into the USA without identifying an initial importer in the USA in the FDA FURLS database. The manufacturer outside the USA may decide to label the product as a) “Manufactured by”, b) “Manufactured for”, or c) “Distributed by.” Options “b” and “c” would list the importer’s name, while option “a” would list the manufacturer’s name. This situation often occurs when US companies want to be the distributor for a product made outside the USA, and the company wants a private labeled product. This also happens when the OEM wants the option to have multiple US distributors.

In both of the above private-label situations, the non-US firm must have a US Agent identified because the company is located outside the USA. The US Agent may be the initial importer, but this is not required. It could also be a consulting service that acts as your US Agent. The US Agent will be responsible for receiving communications from the FDA and confirming their role as US agents each year when the registration is renewed. Medical Device Academy offers this service to non-US clients we help obtain 510(k) clearance.

Follow-up questions

A Korean company, with a US distribution subsidiary, would like to private label a medical device with an existing 510(k) owned by another company in their name. Does the Korean company need a contract in place before private labeling? Does the US subsidiary and/or the Korean parent company need to be registered in the USA prior distribution of the private-labeled version of the device in the USA?

Rob’s response: Initially, it was unclear from the wording of the question as to whom is the 510(k) owner, which company will be on the label, who is doing the labeling, and who is doing the importing to the USA. The person asking Joe Hage this question tried clarifying their question via email, but we quickly switched to scheduling a phone call using my calendly link. I have reworded the question above, but here are some of the important details I learned during our phone call:

  1. The person asking was already acting as the relabeler, repackager, and they were distributing the product in the USA. This person’s company is also registered with the FDA.
  2. The device is 510(k) cleared by another US company, and there is no need to worry about the complications of an initial importer being identified for a product manufactured in the USA.

In this situation, the relabeler/repackager can relabel the product for the Korean company’s US subsidiary as long as there is a quality agreement in place for all three parties (i.e., relabeler, distributor, and manufacturer). There is no need for the Korean parent company to register with the FDA. There is no need for a new 510(k) submission, and the US subsidiary does not need to register with the FDA—as long as the quality agreement specifies that the US subsidiary will maintain records of distribution, facilitate recalls if required, and notify the manufacturer of any potential complaints and/or adverse events immediately. The manufacturer with 510(k) clearance will be responsible for complaint handling, medical device reporting, and execution of recalls according to the agreement. The relabeler will be responsible for maintaining records of each lot of product that is relabeled for the US subsidiary, and the relabeler must maintain distribution records that link the original manufacturer’s lot to the lot marked on the relabeled product.

If you have questions about the private labeling of your device, please contact us.

Posted in: FDA

Leave a Comment (22) →

FDA Guidance Documents Released Recently

The article reviews FDA guidance documents released in the past few months, including the new Final FDA guidance on biocompatibility, published June 16.

ODE Final Guidance Documents FDA Guidance Documents Released Recently

For anyone responsible for monitoring new and revised regulatory requirements, the FDA guidance documents are something you probably check at least once every month. If you are not familiar with these FDA resources, here are the links for two of the medical device FDA guidance documents webpages:

New Final FDA Guidance Documents

The last time I reviewed an FDA guidance document was in February for the new guidance document from the FDA related to usability engineering and human factors engineering. There was a new final FDA guidance document released by the office of device evaluation on June 16: “Use of ISO 10993-1.This biocompatibility guidance was expected for release in December, but the release was delayed.

Use of ISO 10993-1

The new biocompatibility guidance that was published last month provides specific guidance about the application of certain tests required for demonstrating biocompatibility. For example, test article preparation and risk assessments for the applicability of specific tests is addressed. A revised test matrix is included in the guidance document. Special considerations are provided for each of the following biocompatiblity tests:

  • cytotoxicity,
  • sensitization,
  • hemocompatibility,
  • pyrogenicity,
  • implantation,
  • genotoxicity,
  • carcinogenicity,
  • reproductive and developmental toxicity, and
  • degradation assessments

New Final Rule for Symbology

In addition to FDA guidance documents, the FDA also released a final rule on symbology that will modify 21 CFR Parts 600, 801, and 809. The FDA is finally changing its position on the acceptance of harmonized symbols in place of English text. The FDA is accepting ISO 15223-1 as a recognized standard and allowing manufacturers to use the symbols instead of English text to facilitate global harmonization of labeling. The FDA is only allowing the use of Rx-Only as to indicate that a product is a prescription only. The guidance even defines the acceptable process for creating new product-specific pictograms. The effective date of the new final rule will be September 13, 2016. 

New Draft FDA Guidance Documents

In addition to final FDA guidance documents, there have been several new draft guidance documents that were released recently:

  1. List of Highest Priority Devices for Human Factors Review
  2. Public Notification of Emerging Postmarket Medical Device Signals (“Emerging Signals”)
  3. Characterization of UHMWPE for Orthopedic Devices
  4. Technical Considerations for Devices for Additive Manufacturing

The second two FDA guidance documents focus on materials that are important for orthopedic manufacturers because UHMWPE is used as a wear surface for join implants, and many of the implants and instruments are now being manufactured using additive manufacturing instead of forging, casting or milling bar stock.

How to keep up on FDA Regulation Changes

If you are interested in keeping up on new and revised regulations from the FDA, I wrote a blog explaining four ways to identify new and updated FDA regulations. The blog identifies FDA webpages for the following four types of updates:

  1. Guidance Documents
  2. Recognized Consensus Standards
  3. Device Classifications
  4. Total Product Lifecycle (TPLC) Database

The ISO 15223-1 standard for medical device symbols has been released for several years, but the FDA did not recognize it until June 14, 2016. The recognition of the Standard is part of the implementation process for the new final rule regarding the use of symbology for medical device labeling. The timing of this new final rule coincides with the implementation of UDI labeling requirements for Class II devices. Also, the new European Medical Device Regulations now specify labeling requirements for the primary sterile packaging as part of the Essential Requirement (ER) 19.2:

  • (a) an indication permitting the sterile packaging to be recognized as such,
  • (b) a declaration that the device is in a sterile condition,
  • (c) the method of sterilization,
  • (d) the name and address  of the manufacturer,
  • (e) a description of the device,
  • (f) if the device is intended for clinical investigations, the words: ‘exclusively for clinical investigations’,
  • (g) if the device is custom-made, the words’ custom-made device’,
  • (h) the month and year of manufacture,
  • (i) an indication of the time limit for using or implanting the device safely,
  • (j) an instruction to check the Instructions For Use for what to do if the sterile packaging is damaged etc.

These new requirements will require many manufacturers to redesign labeling for sterile packaging, and the ability to use symbology will assist in creating globally harmonized labeling.

Posted in: FDA

Leave a Comment (0) →

FDA 483 Inspection Observations Pareto Chart for FY 2015 Data

This article presents a Pareto Analysis of FDA 483 inspection observations from FY 2015. It compares the trends observed with a similar Pareto analysis that was performed a couple of years ago on FY 2013 data.

FY 2015 Pareto Analysis of FDA 483s FDA 483 Inspection Observations Pareto Chart for FY 2015 Data

Method of Data Analysis for FDA 483 Inspection Observations

The FDA posts Excel spreadsheets on the website to download data for FDA 483 Inspection Observations. These spreadsheets include inspection results for all the divisions of the FDA. To perform data analysis for FY 2015 results, I deleted the sheets that were not specific to medical device manufacturer inspections (i.e., only used data from CDRH). I sorted the data by the regulation that was referenced. For example, all the sub-clauses for 21 CFR 803 were combined into one category for the Pareto analysis. The combined categories were then sorted from the most frequent 483 inspection observations to the least frequent 483 inspection observations. The data was then added to the graph that I produced in February 2014 using FY 2013 results as a second data set. The resulting graph is shown above.

Comparison of FDA 483 Inspection Observations between FY 2013 and FY 2015

For MDR Compliance (i.e., 21 CFR 803), there was a slight increase in the number of 483 observations issued from FY 2013 to FY 2015. However, the difference was only a 1% increase from 6.2% to 7.2% of the total number of 483s issued. There was an even smaller increase in the number of findings related to purchasing controls (i.e., 5.6% increased to 6.1%). I noticed a slight drop in the number of findings related to design controls, CAPA, and complaint handling. However, the overall trend for FY 2013 and FY 2015 is essentially the same.

There are two other categories where an increase was observed: 1) process validation increased by 0.7% from 4.8% to 5.5%, and 2) control of nonconforming product increased 0.8% from 4.3% to 5.1%. These areas are important. Control of nonconforming product is one of the major sources of CAPAs and often results in design changes. Therefore, FDA inspectors are reviewing your data for a nonconforming product during inspections to help them identify potential CAPAs and design changes that may have been made. The typical sequence is 1) nonconformity, 2) investigate nonconformity as part of a CAPA, and 3) initiate a design change as a corrective action.

Process validation is a completely different area that is separate from CAPA, complaint handling, and MDRs. However, inadequate process validation is a common root cause of nonconformities. Therefore, inspectors often follow an audit trail from a nonconforming product record back to a process change that was implemented but inadequately validated. Thus, an increased focus on nonconformities may be the reason for an increase in FDA 483 inspection observations related to process validation.

So what’s the big deal?

This proves that the FDA inspectors continue to be predictable. The “playbook” for FDA inspections is the QSIT Manual. It hasn’t changed since 1996. Yet, companies continue to be shocked and amazed by FDA inspectors.

Additional Resources

If you want to learn how to prepare for FDA inspections, I recorded a webinar you can download (FREE). I recorded the webinar in May of 2014, but it’s been a couple of years, and I’ve learned a few new tricks. Therefore, I’m going to re-record the webinar and update it for lessons learned. I’ll even share a few tools and approaches to avoid findings and reduce the risk of warning letters. I’m also evaluating a new application that is designed for teams to have private chats and file sharing during an inspection. Stay tuned to my webinars page, and I’ll post that webinar soon. Maybe I’ll record something from Germany next month.

Until then, I am working on a webinar specific to medical device reporting. Many companies have still not updated their MDR procedures to reflect the eMDR process using electronic submissions gateways. Therefore, I’m releasing an updated procedure for MDRs, and I am offering a webinar bundle to train people on how to comply with 21 CFR 803 and the procedure. You might also be interested in my previous webinar specific to control of the nonconforming product.

Posted in: FDA

Leave a Comment (2) →

483 Response: Which corrective action plan should you write first?

Article explains how to determine which FDA Form 483 response you should write a corrective action plan for first and why.

chicken and egg 483 Response: Which corrective action plan should you write first?

In a perfect world, you would not receive any inspection observations from your next FDA inspection. However, most companies get at least one observation resulting from an FDA inspection and often there are multiple observations on an FDA Form 483. If you

Most Common FDA 483 inspection observation

Companies that have not experienced an FDA inspection before worry too much and prepare too little. Inspections are predictable and certain inspection observations are much more common than others. A couple of years ago I wrote an article analyzing the most common FDA inspection observations. The most common observations are specific to design controls (i.e., 21 CFR 820.30). However, this fact is distorted because many companies receive multiple observations during the same inspection related to design controls. For example, a client of mine recently received three from one inspector: 1) lack of design reviews, 2) lack of design validation, and 3) lack of risk analysis. All three were found during the review of the same design history file and the one corrective action addresses all three observations.

how to determine which FDA Form 483 response you should write a corrective action plan for first

2nd Most Common FDA 483 inspection observation

The second most common observation is specific to corrective and preventive actions (i.e., 21 CFR 820.100). Typically the company has inadequate procedures for verifying and validating effectiveness of corrective actions taken. If this is one of your FDA 483 observations, then you may have a problem with CAPA training or with the design of your CAPA form. If there is no place on the CAPA form to document your effectiveness check, then you might easily forget to perform the verification and validation of effectiveness. Another possibility is that personnel are confused between verification of implementation and the verification of effectiveness.

What if you have multiple FDA 483 observations?

Other common FDA 483 observations include medical device reporting, complaint handling and rework of nonconforming product. If you receive more than one FDA 483 inspection observation, you need to assume there is a chance that the inspection outcome will be “Official Action Indicated” (OAI). In this case, you need to provide a 483 response to your FDA district office within 15 business days. With such a short time to prepare your 483 response, you need to be efficient. Which 483 response should you initiate first and why?

If one of the inspection observations is related to the CAPA process, that 483 response should be your top priority. The reason for this is that the FDA will want to see objective evidence of implementing corrective actions whenever possible. If you use your CAPA procedure and form to document the 483 response, then you can show the FDA how the revised procedure or form will be used in your 483 response. If you write your 483 response for other inspection observations first, then the other 483 responses are using the existing procedure or form that the identified as inadequate.

Your first step should always be to implement corrective actions to address an inadequate CAPA process by revising the procedure or the form. Once the procedure or form is updated, then you can use the new process to document the rest of your 483 responses.

Training Webinar for an FDA 483 response

If you need help preparing an FDA 483 response, click here for our webinar explaining the 7 steps for responding to an FDA Form 483 inspection observation. You can also download a CAPA procedure and CAPA form from our SOP page.

Posted in: FDA

Leave a Comment (0) →

Usability Engineering and Human Factors Testing for Devices

Yesterday, February 3, the FDA released a new guidance document on the subject of “Applying Human Factors and Usability Engineering to Medical Devices.” This is a final guidance document that replaces the previous version that was released in 2000 and the draft that was released in 2011. The diagram below is Figure 3 from this new FDA guidance, and it includes references to sections 5 through 9 of the guidance document.

Screenshot 2016 02 04 at 1.24.04 PM Usability Engineering and Human Factors Testing for Devices

Applying Human factors engineering and usability engineering to medical devices

What’s in the new FDA Guidance on Usability Engineering?

The organization of the guidance is similar to an ISO standard. Section 1 is the introduction. Section 2 is the scope of the guidance. Section 3 includes definitions, and Section 4 provides an overview of the human factors process and usability engineering as these concepts apply to medical devices. Sections 5 through 9 of the guidance explain the details of the process for applying these concepts to medical devices and risk management. The guidance document includes six references to national and international standards that include human factors engineering or usability engineering, and there are 19 references to articles about human factors engineering and usability engineering at the end of the guidance document.

Adding Usability to Your Risk Management Procedure

The steps in the process for human factors engineering and usability engineering mirror the risk management process as defined in ISO 14971 except this guidance does not specify developing a risk management plan or the need to create a risk management file. Identification of hazards related to use errors is the first step. Then risk controls are implemented in order to reduce the risk of harm due to use errors. The risk controls are verified and validated, typically through simulated use studies or clinical studies. Therefore, you should be able to integrate usability engineering into your risk management process by specifying that hazards should include use errors, the environment of use, and the device/user interface. The risk controls section does not need to be revised, but the verification and validation of risk controls need to include simulated use and/or clinical studies in order to verify that risk controls specifically reduce the risk of use errors. It might also be useful to specify that the environment for use should be included in simulated use studies.

Creating a Usability Engineering Report Template

Clients often ask me what they need to do with regard to human factors engineering and usability engineering for documentation in their technical file and design history file. I recommend that they create a usability engineering report based upon ANSI/AAMI/IEC 62366. However, companies often do not want to purchase the standard, and they seldom have time to read and understand what the standard is recommending. Now we have a free guidance document that is available from the FDA. Therefore, I recommend that you create a template for your usability engineering report based on this new guidance. If your company makes many types of products with multiple hazard types, then you will need a somewhat generic report template. However, companies with only one or two device families should be able to pre-populate a report template with the sections for specific categories of hazards that are applicable to their device family. Once you have a template, this can be used to create a usability engineering report during the design process for any new medical device you are developing.

Updating Your Risk Management File to Include Usability

For products that are already on the market, you should already have human factors engineering and usability engineering incorporated into your risk management file. If you don’t, I recommend updating your risk management file in the following ways:

  1. update your post-market surveillance plan/risk management plan to specifically gather information about use errors related to the use environment, the user, and the device/user interface

  2. update your hazard identification report to include hazards related to use errors

  3. update your risk analysis to include risk controls that you have implemented to reduce the risk of harm related to use errors

  4. perform and document verification and validation of any new risk controls that you may implement related to use errors

  5. update your instructions for use to include warnings and precautions about use errors

  6. develop training tools, such as videos, to demonstrate possible use errors and how to avoid them

The bulk of human factors engineering and usability engineering is documented in the risk management file. Risk management documentation is only required for FDA submissions that include: 1) software of moderate level of concern or higher, 2) De Novo Classification Requests, and 3) PMA submission. If you have a non-software device for which you are submitting a 510(k), then you do not include a risk analysis with your submission. Therefore, the only way that the usability factors are addressed is by reviewing the simulated use validation of the device and the instructions for use. It is still critical that design teams address usability engineering, however, because identifying use errors and implementing risk controls to eliminate use errors will prevent product complaints and adverse events. If these issues are not addressed during the design of a new product, corrective actions and possibly recalls will be needed after the product launch. FDA inspectors will also identify weaknesses in your risk management activities when they identify complaints that are not addressed in your risk analysis.

Additional Training Resources for Usability Engineering

Our human factors testing webinar was recently updated by Research Collective–a consulting firm specializing in usability engineering. SYS-048, Medical Device Academy’s Usability Procedure, is compliant with IEC/ISO 62366-1 (2015). The procedure includes a template for conducting summative (validation) usability testing. We have also updated our design plan template to include usability testing elements.

Posted in: FDA

Leave a Comment (1) →

How to handle FDA inspector with incompetencies and ego

Handle FDA inspector egos and incompetencies during an audit of your facility–including requests for exempt quality system records.

p31653 p v7 aa e1449491882329 298x300 How to handle FDA inspector with incompetencies and ego

This is not how to handle FDA inspectors or auditors!

This topic was submitted to my suggestion box from a colleague in Australia. Originally I posted this as an announcement for my LinkedIn Group, but the post was limited to ISO certification body auditors and excluded FDA inspectors. The basic approach is the same, but there are some important nuances regarding how to handle FDA inspector incompetencies and ego that I include in this article.

Handle FDA Inspector Distrust

In general, anyone that works for the FDA is genuinely concerned about public health and welfare. They also have a very low tolerance for unethical behavior. This has not always been the case at the FDA, and the agency has fought hard over the past twenty years to eliminate anyone from their ranks that is not ethical. Therefore, if an FDA inspector thinks that you have something to hide, the best approach to handle FDA inspector concerns is to give them anything they ask for–and quickly.

Unlike ISO auditors, FDA inspectors are not allowed to review three types of records:

  1. Management Review Meeting Minutes
  2. Internal Audit Reports
  3. Supplier Audit Reports

The FDA can learn almost everything they want to know by reviewing CAPAs that resulted from Management Reviews, internal audits, and supplier audits. However, some FDA inspectors will still ask to see records that are part of the quality system record exceptions (i.e., 21 CFR 820.180c). Some quality system managers design cover sheets for these three records to specifically show FDA inspectors only the information that they are entitled to. If I am faced with this situation, I handle FDA inspector requests for restricted quality system records in the following way.

“Here is a copy of the quality system record you requested. This is one of the records that are exempt from the requirements in 21 CFR 820.180. However, we have nothing to hide. Therefore, you can take as many notes as you like about the content of this record, but you may not take a copy of the record with you.”

The above approach is intended to convince an FDA inspector that you have nothing to hide. Still, it also requires that you review and edit your records before approval and archiving to make sure that statements made in the records are appropriate–regardless of the audience reading the record.

Handle FDA Inspector and auditor personality

100% of auditors are a little weird (yep, takes one to know one). You travel for a living and tell people what’s wrong with their quality system. If you don’t start drinking scotch, you probably will eventually. However, a little patience, understanding, and communication helps. For example, provide directions (that are accurate). Recommend a hotel (middle of the road, not the Ritz or a fleabag). Tell them about the corporate discount. Ask them in advance if they have food allergies (I’m gluten-free, and not by choice), and then try to remember not to serve only the things they are allergic to (yes, Panera Bread is a crappy choice, but a gluten-free pizza is heaven). If Uber makes sense, recommend it because nobody wants to negotiate with Payless Rent-A-Car at 11:59 pm.

FDA inspectors are in the same situation as auditors with regard to being travel weary. However, FDA inspectors will probably not take your recommendation for a hotel. Instead, they will follow FDA guidelines and stay at a hotel chain where they prefer to accumulate membership points, and they can get a government employee discount. In addition, FDA inspectors will not eat at your facility. It seems as though a few companies entertained FDA inspectors at clubs and fancy restaurants in the past. In order to eliminate any possible perception of unethical behavior, FDA inspectors are now instructed to leave your facility for lunch and return to complete the day. They probably won’t even accept a cup of coffee unless you place a carafe on the table for everyone to drink. You can also count on the FDA inspectors driving a rental car if they do not live locally.

Handle FDA Inspector and Auditor Ego

Everyone has an ego. Auditors typically have a big one, and a few FDA inspectors do too. I’m not shy, I’m smart, and I love a good debate. If I’m you’re auditor; you’re lucky because I’ll admit when I’m wrong or make a mistake. Most auditors will not admit mistakes. In fact, the stronger they argue a point, the more likely that they are insecure on the topic or that they have a personal preference that is a result of a bad experience. Unfortunately, FDA inspectors seem to be even more likely to argue a point when they know very little experience.

Don’t ask FDA inspectors and auditors to prove something is in the regulations or the standard. Instead, try reading Habit 5 by Covey (7 Habits of Highly Effective People). You need to be an empathic listener. The FDA inspector or auditor doesn’t hate you. They might even be trying to help you. They also might be wrong, but try restating what the person is saying in your own words and try explaining why it’s important. This shows them that you were listening, you understand what they said, and you understand how they feel about the issue. Pause. Then tell them how you were trying to address this issue.

One of the areas where the above approach is especially important is when an FDA inspector is reviewing complaint records and medical device reports (MDRs). You want to convince the FDA inspector that you are doing everything you can do to investigate the complaint or adverse event, and you want to prevent a recurrence. Remember that someone was hurt by your device or misuse of your device, and FDA inspectors take public safety very seriously. You will not be able to handle an FDA inspector that believes you are doing less than you could be.

Handle FDA Inspector and Auditor Incompetencies

FDA inspectors rarely have industry experience, but they know the regulations. Therefore, arguing the regulations with an FDA inspector is a huge mistake. The only frame of reference for “industry best practice” is what the FDA inspector has seen at other device manufacturers they audit. Therefore, it is very import to know how experienced your FDA inspector is. If they don’t have a lot of experience, they will be defensive, and you might need to “educate” them.

During ISO audits, you have less time to retrain your auditor. Don’t even try. I do this for a living, and we’re a stubborn bunch of orifices. Instead, try the empathic listening first. 99% of the time, one or both of you are not communicating clearly. Either they can’t find what they are looking for, or they misunderstood what you were telling them. It could be a difference of interpretation, but it’s probably not. If it is, then say, “We were interpreting that requirement as…”. Say this once. If they argue, let it drop for now.

Resolution of 483 Observations and Audit Findings

You shouldn’t just take incorrect findings lying down. Do your homework. Send me an email. Get help. If you’re right, then contest it at the closing meeting in a factual and persuasive way. If the auditor holds their ground, ask what the policy is for resolving disputes. This is supposed to be covered as part of the closing meeting of every audit. If your auditor is just lazy, sloppy and incompetent–request a new auditor. You might even disagree in writing, address the finding anyway, and then request the new auditor. That shows the management of the certification body that you’re not lazy, sloppy, or incompetent.

FDA inspection 483 observations are a little different. If you and the inspector disagree, you should state this in the closing meeting when they give you the 483 observation, and you should be clear that you disagree prior to the end of the inspection when they start preparing FDA Form 483. Once a 483 observation is issued, however, your only recourse is to persuade the district office that the 483 observation is undeserved. The FDA district office will have copies of all your procedures and records and a copy of the FDA inspector’s notes. Be careful with complaints to the district office, though. FDA inspectors are far more likely to retaliate than ISO auditors.

Caution

If you make a habit of disputing everything, your auditor or FDA inspector will come prepared for war. You also will have little credibility with the managers at the certification body or the FDA district office. Dispute only justified things and provide a written, factual justification that is devoid of all emotion.

Responding to FDA 483 Observations

If you do receive FDA 483 observations, it is important that you respond with well-conceived corrective action plans. If you need help with responding to an FDA 483 inspection observation, you might be interested in my webinar on this topic.

Posted in: FDA

Leave a Comment (0) →

Strategic planning of a mock FDA inspection

This article shows you how to think strategically when you plan a mock FDA inspection to ensure that you successfully prevent an unpleasant FDA inspection.

strategic planning Strategic planning of a mock FDA inspection

For the past couple of years, several clients have asked me to conduct mock FDA inspections to prepare them for a potential FDA inspection. I am writing from Shanghai, China, where I am conducting a mock FDA inspection for a medical device client with another auditor from the company’s business unit in the USA.

The mock FDA inspections I conduct are internal audits and technically not an inspection because inspectors are looking for nonconformities, and I am looking for conformity with the FDA regulations (i.e., 21 CFR 820, 21 CFR 803 and 21 CFR 806). Inspections are conducted by FDA investigators that are conducting an inspection in accordance with the FDA QSIT manual (http://www.fda.gov/ICECI/Inspections/InspectionGuides/ucm074883.htm). I use the process approach to conduct audits of the four major quality systems that FDA inspectors focus on during an FDA inspection. Still, as an auditor, I have several advantages that an inspector doesn’t.

  1. I can evaluate auditees and coach them on how to respond to an FDA inspector more effectively.
  2. I can teach my client’s internal auditors and management team how to use internal audits and Notified Body audits as practice for their next FDA inspection.
  3. I can avoid any area that my client wants me to and focus on areas of concern.
  4. I can help my client identify the most likely product or product family to be targeted by the FDA.
  5. I can give my client advice and help them implement corrective actions.
  6. I can teach my client how to respond to potential FDA Form 483s to avoid a Warning Letter.

Opening meeting for a mock FDA inspection

FDA inspections are not planned, but it is important to make sure that the right people are available and present during a mock FDA inspection, or your “inspector(s)” may not be able to review the records or interview the most important people. Therefore, I provide an agenda ahead of time, indicating which processes I will be auditing on which days. My agenda for a mock FDA inspection begins with an opening meeting, but the purpose of this opening meeting is primarily training. I take advantage of having all the senior managers in one room as an opportunity to explain how they can benefit most from the audit, and to remind them of what to expect during a real FDA inspection.

CAPA Sources

After the opening meeting, I take a brief tour—unless I already know the facility well. Before I leave for the tour, I ask my client to be prepared for me to begin auditing nonconformities, complaint handling, MDRs, and recalls when I return to the conference room. I select these areas because the FDA always starts with the CAPA process, but they look closely at the sources of CAPAs at the same time. I believe that inspectors rarely take “random samples.” Instead, most inspectors use the sources of CAPAs to help them bias there sampling of CAPAs.

Production and Process Controls

The next major process in my agenda after CAPAs and sources of CAPAs is production and process controls. The sequence of my process for auditing this area is always the same: 1) request the Device Master Record (DMR) for the target product or product family, 2) request two or more recent Device Master Records (DHRs) that were associated with a complaint record or MDR (remember samples are never random), and 3) I then go to the production areas identified in the DHR, and I try to interview the people that produced the lot identified in the DHR—rather than the people the department manager feels are the most experienced. This process of working backward from complaint records and MDRs to the activities on the production floor often allows me to help companies identify a root cause that they missed when the complaint or MDR was initially investigated.

Design Controls

Auditing a Design History File (DHF) is about as exciting as watching paint dry for most auditors. Still, I am always fascinated with how things work, so I am more engaging with the design team members I interview during a mock FDA inspection. I also like to focus on aspects of the design that have proven to be less than perfect—by reviewing nonconformities, complaints, MDRs, recalls, and CAPAs first. For example, if I see several complaints related to primary packaging failures, I am going to spend more time reviewing the shipping validation and shelf-life testing, than I might normally allocate.

Management Processes

The FDA is somewhat limited in this area because, in accordance with 21 CFR 820.180(e), the records of internal audits, supplier evaluations, and management reviews are exempt from FDA inspections. During a mock FDA inspection, I do not have this constraint. Therefore, I will often look more closely at these three areas than an FDA inspector to make sure my client has effective management processes. While procedures and schedules are the focus of an FDA inspector, I will make sure that the problems I observed in nonconformities, complaints, MDRs, and recalls are being addressed by management. As a quality manager, this is not always easy to do. Still, as an independent consultant, I have the luxury of being blunt when a senior manager needs to hear from someone other than the typical “yes men.” I also can use this part of mock FDA inspections to benchmark best practices I have learned from the hundreds of companies against what my client is currently doing to manage their quality system.

When to schedule a mock FDA inspection

Scheduling a mock FDA inspection immediately after an FDA inspection is pointless, but there is an optimal time for scheduling your mock FDA inspection. The FDA target is to conduct inspections once every two years for Class II device manufacturers. However, some district offices do better or worse than this target. Therefore, it’s important to keep track of the typical frequency in your district and the date of your last inspection. If the FDA is on a two-year cycle, you want to conduct your mock FDA inspection approximately 6-9 months before the next FDA inspection to ensure that you have time to implement corrective actions before the FDA inspector arrives.

Additional Resources

If you are interested in learning more about this topic, I highly recommend watching and listening to my free webinar on how to prepare for an FDA inspection:

http://robertpackard.wpengine.com/how-to-prepare-for-an-fda-medical-device-inspection/

In addition to preparing for an actual inspection, every company must know how to respond effectively to an FDA 483 inspection observation:

http://robertpackard.wpengine.com/7-steps-respond-fda-483-inspection-observation/

In addition to my blog, I also have recorded a webinar on this topic:

http://robertpackard.wpengine.com/7-steps-respond-fda-483-inspection-observation-webinar/

Finally, every manager needs to be reminded that FDA 483s are just another opportunity to write a CAPA and improve their quality system. Therefore, do yourself a favor and watch my new webinar on creating a risk-based CAPA process:

http://robertpackard.wpengine.com/create-a-risk-based-capa-process/.

Posted in: FDA

Leave a Comment (1) →

21 CFR 820.180 – Exceptions to the US FDA’s Record Requirements

21 CFR 820.180 Exceptions to the US FDA’s Record Requirements 21 CFR 820.180   Exceptions to the US FDA’s Record RequirementsThis article provides practical advice for how to deal with records the FDA is not allowed to request during an inspection and FDA inspector tactics specific to 21 CFR 820.180 – exceptions. When I meet with a new consulting client, the phrase I dread hearing is “the FDA can’t see that.” Indeed, the FDA is not supposed to review the content of internal audit reports, supplier audit reports, and management reviews to encourage companies to use these tools to address quality problems without having to worry about the FDA beating them with their reports. This policy is officially stated in subsection C of 21 CFR 820.180–exceptions:

21 CFR 820.180 – Exceptions

“[21 CFR 820.180 – exceptions] does not apply to the reports required by 820.20(c) Management review, 820.22 Quality audits, and supplier audit reports used to meet the requirements of 820.50(a) Evaluation of suppliers, contractors, and consultants, but does apply to procedures established under these provisions. Upon request of a designated employee of FDA, an employee in management with executive responsibility shall certify in writing that the management reviews and quality audits required under this part, and supplier audits where applicable, have been performed and documented, the dates on which they were performed and that any required corrective action has been undertaken.”

The Problem with Hiding Records

The problem with the mentality of hiding things from the FDA is that it fails every time. The FDA can get to issues in your management reviews and your internal audits by asking, “Can I please see all the CAPAs resulting from audits and management reviews.” One client I spoke with said that they purposely don’t open any CAPAs from audits or management reviews for that reason. I was in complete shock, but I managed to keep my poker face and asked the client, “So what do you think the FDA will do when you say that you don’t have any CAPAs resulting from audits or management reviews?” Management responsibility is a frequent FDA inspection target. Most companies are subjected to a Level 2, QSIT inspection on a biannual basis. During these comprehensive inspections, the inspector reviews the four major subsystems: 1) management controls, 2) design controls, 3) CAPA, and 4) production and process controls. The FDA will ask open-ended questions to determine the effectiveness of the QMS. If the inspector is not going to look at the actual meeting minutes from the management review, you can expect them to look at the following apparent targets:

  1. “May I see your procedure for Management Reviews?”
  2. “May I please have a copy of your organization chart?”
  3. “Could I see the agenda and attendees list from your last management review?”

The inspector could also ask for copies of inputs that are identified in the Management Review procedure, such as: “Could I have a copy of the most recent scrap trend analysis for production?” or “What is your threshold for taking corrective actions for rejects found in receiving inspection?” One Quality Manager told me a fascinating story about his local inspector. During a previous inspection, the inspector requested a copy of the management review. The Quality Manager showed him the cover page that indicated the agenda and the attendees. The Quality Manager refused to let the inspector see the rest of the meeting minutes. The inspector then proceeded to conduct a brutal 3-day inspection where a myriad of 483’s was written. Twelve months later, the inspector returned to perform a “Compliance Follow-up.” This time when the inspector asked to see the management review, the Quality Manager agreed to let the inspector see the entire meeting minutes. From that point onward, each time the inspector got close to identifying a new 483’s, the inspector would stop following the audit trail at the last moment before the nonconformity was identified. The Quality Manager said it was almost like the inspector was showing him that he could find all kinds of problems to write-up if he wanted to. Still, he was taking it easy on the company because the Quality Manager was cooperative. My philosophy is to create a QMS that is open for review by any customer, auditor, and even the FDA. No matter what they find, it’s just another opportunity to improve. This has worked well for me, but you need to follow a few basic rules when writing audit reports and management review meeting minutes.

Rules for Writing Audit Reports & Management Reviews

  1. DO NOT write anything inflammatory or opinionated in your documents. My motto is, “Stick to the facts, Jack (or Jill).”
  2. I ask other people in the management team to read and review the meeting minutes before they are finalized. The variety of perspectives in top management helps to make sure that the final document is well written and clear—especially to FDA inspectors.
  3. I structure the documents as per a standard template that is a controlled document. This ensures that each report or management review was conducted as per the procedure. I typically reference the applicable clauses and sub-clauses throughout the document. For example, I will reference ISO 13485:2003, Section 5.6.2h) for the slide titled “New and Revised Regulatory Requirements.” I put the reference next to the slide title just to make it clear what requirement this slide is addressing.
  4. If there is an area that I covered, but there was nothing to discuss, I write, “There was no further discussion on this topic.”
  5. If there is an area that I did not cover, I make sure I do the following:
  6. write a justification for not covering the area,
  7. indicate the last time the area was covered (and the result at that time), and
  8. document when the area will be covered in the future.

You can continue to listen to the advice of consultants that think of creative ways to hide things from the FDA, or you can follow the above advice. If you follow my advice, then you can spend the rest of your time working on the CAPAs for each area where you identified a weakness—instead of spending your time trying to hide your problems. If you need help preparing for an FDA inspection or responding to FDA 483 inspection observations or warning letters, please email Rob Packard. We have two people on our team that used to work for the agency.

Posted in: FDA

Leave a Comment (1) →

Software Design Validation – FDA Requirements

What are the FDA software design validation requirements for software as a medical device (SaMD) and software in a medical device (SiMD).qsit Software Design Validation   FDA Requirements

If your product has software, then the investigator is instructed by the FDA QSIT Inspection Manual to consider reviewing software validation. Since inadequate software validation causes many quality problems with devices, you should be shocked if an investigator doesn’t review the software validation of a device containing software. Software-containing devices are also the only devices that manufacturers are required to submit a risk analysis for when submitting premarket notifications (i.e., 510k submissions).

Software Design Validation

Validation confirms that a device meets the user needs. Software validation is no different. Unfortunately, “software design validation” is also the term that we use to mean software design and development–which includes software verification activities and software validation activities. The software verification activities consist of unit testing, integration testing, and system testing. In software verification, we are verifying that each requirement of the software design specification (SDS) meets the requirements of the software requirements specification (SRS). In contrast, software validation involves simulated use or actual use testing of the software to confirm that it meets the user needs of the software. The “device” is the final complete software program in the operating environment in which it is intended to be used (i.e., operating system and hardware), and the “user needs” may be defined as system-level requirements in the SRS or as the intended purpose of the software in the software description.

To facilitate the validation of software, a traceability matrix is typically used to facilitate the construction of validation protocols. The traceability matrix will identify each requirement in the left-hand column of the matrix. The columns to the right of the requirements should include the following:

  1. hazard identification
  2. the potential severity of harm
  3. P1 – the probability of occurrence
  4. P2 – the probability of occurrence resulting in harm
  5. risk controls
  6. design outputs or references to the code modules that are responsible for each requirement
  7. references to verification and validation testing for each risk control
  8. estimation of residual risks
  9. risk/benefit analysis of each risk and overall risk
  10. traceability to information disclosed to users and patients or residual risks

Since the failure of each module can easily result in multiple failure modes, the above approach to documenting design requirements and risk analysis is generally more effective than using an FMEA. This approach also has the benefit of lending itself to assessing risk each time new complaints, service reports, and other post-market surveillance information is gathered.

The use of a traceability matrix also lends itself to the early stages of debugging software modules and unit validation. Each software design requirement will typically have a section of code (i.e., a software module) that is associated with it. That module will be validated initially as a standalone unit operation to verify that it performs the intended function. In addition to verifying the correct function, the software validation protocol should also verify that the embedded risk controls catch incorrect inputs to the module for that module. The correct error code should be generated, and applicable alarms should be triggered.

Finally, after each requirement has been verified, the entire software program must be validated as well. When changes are made, the module and program as a whole must be re-validated. Inspectors and auditors will specifically review changes made in recent versions to verify that revalidation of the entire program was performed–not just unit testing. You must also comply with IEC 62304, medical device software – software lifecycle processes. This is required for CE Marking as a harmonized standard and recognized by the US FDA. One of the implications of applying IEC 62304 is that you must consider the risk of using software of unknown pedigree or provenance (SOUP).

Software Risk Analysis

Each requirement of the software design validation requirements document will typically have a risk associated with it if the software fails to perform that requirement. These risks are quantified concerning the severity of harm and the probability of occurrence of harm. The likelihood of occurrence of harm has two factors: P1 and P2, as defined in Annex E of ISO 14971:2007 (see our updated risk management training).

P1 is the probability of occurrence, and for software, we have two factors. First, the situation must occur that will trigger a failure of the software. Second, does the software have a design risk control that prevents harm or provides a warning of the potential for harm? P2 is the probability that occurrence will result in harm; P2 has one factor. P2 is determined by evaluating the likelihood that failure will result in harm if the risk control is not 100% effective.

An investigator reviewing the risk assessment should verify that risk has been estimated for each software design requirement. There should be harm identified for each software design requirement, or the traceability matrix should indicate that no harm can result from failure to meet the software design requirement. Next, the risk assessment should indicate what the risk controls are for each requirement identified with the potential for harm. In accordance with ISO 14971, design risk controls should be implemented first to eliminate the possibility of harm. Wherever it is impossible to eliminate the possibility of harm, a protective measure (i.e., an alarm) should be used.

Each risk control must be verified for effectiveness as part of the software validation. Also, the residual risk for each potential harm is subject to a risk/benefit analysis in accordance with EN ISO 14971:2012, Annex ZA Deviation #4. The international version, ISO 14971:2007 (which is recognized by the US FDA and Health Canada), allows companies to limit a risk/benefit analysis to only unacceptable risks. Therefore, the European requirement (i.e., EN ISO 14971:2012) is more stringent. Companies that intend to CE Mark medical devices should comply with the EN version of the risk management standard instead of the international version for risk management.

Posted in: FDA

Leave a Comment (2) →

FDA QSIT Inspection of Design Validation: Part I-Non-Software

qsit FDA QSIT Inspection of Design Validation: Part I Non SoftwareThis article reviews FDA QSIT inspection requirements of design validation and is specific to devices that do not contain software.

In the FDA QSIT Manual (http://bit.ly/QSITManual), the word “validation” appears in the QSR 78 times. This exceeds the frequency of the name “verification,” “production,” “corrective” and the acronym “CAPA.” The word “validation” is almost as frequent as the word “management”–which appears 80 times in the QSIT Manual. The section of the QSIT Manual specific to design validation is pages 35-40.

The FDA selects only one product or product family when they are inspecting design controls. Therefore, if you keep track of which products have already been inspected by the agency, you can often predict the most likely product for the investigator to select during the next inspection. The number of MDRs and recalls reported will have an impact on the investigator’s selection. Class, I devices are not selected.

The QSIT Manual instructs inspectors to verify that acceptance criteria were specified before conducting design validation activities and that the validation meets the user needs and intended uses. There should also be no remaining discrepancies from the design validation. Inspectors must verify that all validation activities were performed using initial production devices or production equivalents. The last item to verify is that design changes were controlled–including performing design validation of the changes.

Risk Analysis

Risk analysis is seldom reviewed in great detail–except software risk analysis. However, when a nonconforming product is reworked, it is required to review the adverse effects of rework. QSIT inspectors will expect you to document this review of risks. Investigators will also expect risks to be reviewed and updated in accordance with trend analysis of complaints, service reports, and nonconformities. Finally, when companies assess the need to report recalls, the FDA expects to see a health hazard evaluation to be completed (http://bit.ly/HHE-Form). A detailed review of risk analysis is uncommon in QSIT inspections but receives greater emphasis in the review of CE marking applications.

Predetermined Acceptance Criteria

Investigators reviewing your design validation protocols will specifically look at the acceptance criteria for testing you perform. Investigators are looking for two things. First, were the acceptance criteria met without deviation? Second, was the protocol approved before knowing the results (i.e., was this a prospective design validation protocol?). In certain areas, there are also known risks associated with products that the investigators will look for. For example, in sterilization validation, the investigator will verify that the validation was performed to the most current version of the standard and that the validation has addressed the most common pitfalls of sterilization. For example:

  • Have the most challenging devices been identified?
  • Has performance been validated at the maximum sterilization dose?

User Needs & Intended Uses are Met

In the area of user needs and intended uses, there are few problems with the initial launch of devices for the intended use. Problems typically arise when companies expand the intended use to new patient populations and new intended uses. When this occurs, there may be unique user needs and risks that need to be evaluated. Therefore, the FDA periodically reviews claims made by companies in marketing communications to ensure that claims do not stray beyond the cleared intended use of the device. This will sometimes be identified as a 483 inspection observation. In some instances, the FDA will issue a warning letter to a company that continues to market a device for uncleared indications.

Initial Production Devices or Production Equivalents

When investigators review validation protocols and reports, the documentation must include traceability to the production lot(s) of the device. Investigators may even request a copy of the Device History Record (DHR) for the production lot used for validation. If a production lot is not used, then the design validation documentation must disclose how the product differs from production lots, and why the results are acceptable. The samples used should be subjected to the final test/inspection requirements. If final test/inspection requirements are not yet established, samples should be retained, so that they can be inspected at a later date. Without this traceability, you may have to repeat your design validation with a production lot.

Validation of Design Changes

Far too many hours are wasted writing justifications for why re-validation is not required. I recommend that re-validation of design be performed for any design change if all three of the following criterion are not met:

  1. a sound scientific rationale can be provided with references
  2. the logic does not require a subject matter expert to understand it
  3. quantitative analysis is possible to analyze the risk impact

Many design validations require simulated use with a physician. Companies should obtain as much user feedback as possible before launching a device. Therefore, any re-validation that requires simulated use and user feedback should be a priority over writing a rationale for not conducting re-validation.

Posted in: FDA

Leave a Comment (0) →
Page 2 of 4 1234