Blog

Archive for FDA

FDA QSIT Inspection of Design Validation: Part 2-Software

qsit FDA QSIT Inspection of Design Validation: Part 2 SoftwareThis article reviews FDA QSIT inspection requirements of design validation and is specific to devices containing software.

If the product selected has software, then the investigator is instructed by the FDA QSIT Inspection Manual (http://bit.ly/QSITManual) to consider reviewing software validation. Since inadequate software validation causes many quality problems with devices, you should be shocked if an investigator doesn’t review software validation of a device containing software. Software-containing devices are also the only devices that manufacturers are required to submit a risk analysis for when submitting premarket notifications (i.e., 510k submissions).

Software Validation

Validation confirms that a device meets the user needs. Software validation is no different. In the case of software validation, the “device” is the final complete software program in the operating environment in which it is intended to be used (i.e., operating system and hardware), and the “” is the “software design requirements” document.

To facilitate the validation of software, a traceability matrix is typically used to facilitate the construction of validation protocols. The traceability matrix will identify each requirement in the left-hand column of the matrix. The columns to the right of the requirements should include the following:

  1. hazard identification
  2. the potential severity of harm
  3. P1 – the probability of occurrence
  4. P2 – the probability of occurrence resulting in harm
  5. risk controls
  6. design outputs or references to the code modules that are responsible for each requirement
  7. references to verification and validation testing for each risk control
  8. estimation of residual risks
  9. risk/benefit analysis of each risk and overall risk
  10. traceability to information disclosed to users and patients or residual risks

Since the failure of each module can easily result in multiple failure modes, the above approach to documenting design requirements and risk analysis is generally more effective than using an FMEA. This approach also has the benefit of lending itself to assessing risk each time new complaints, service reports, and other post-market surveillance information is gathered.

The use of a traceability matrix also lends itself to the early stages of debugging software modules and unit validation. Each software design requirement will typically have a section of code (i.e., a software module) that is associated with it. That module will be validated initially as a standalone unit operation to verify that it performs the intended function. In addition to verifying the correct function, the software validation protocol should also verify that the embedded risk controls catch incorrect inputs to the module for that module. The correct error code should be generated, and applicable alarms should be triggered.

Finally, after each requirement has been verified, the entire software program must be validated as well. When changes are made, the module and program as the whole must be re-validated. Inspectors and auditors will specifically review changes made in recent versions to verify that revalidation of the entire program was performed–not just unit testing. You must also comply with IEC 62304, medical device software – software lifecycle processes. This is required for CE Marking as a harmonized standard and recognized by the US FDA (http://bit.ly/Recognized-Consensus-Standards). One of the implications of applying IEC 62304 is that you must consider the risk of using software of unknown pedigree or provenance (SOUP).

Software Risk Analysis

Each requirement of the software design requirements document will typically have a risk associated with it if the software fails to perform that requirement. These risks are quantified concerning the severity of harm and the probability of occurrence of harm. The likelihood of occurrence of harm has two factors: P1 and P2, as defined in Annex E of ISO 14971:2007 (http://bit.ly/14971-Webinar).

P1 is the probability of occurrence, and for software, we have two factors. First, the situation must occur that will trigger a failure of the software. Second, does the software have a design risk control that prevents harm or provides a warning of the potential for harm? P2 is the probability that occurrence will result in harm; P2 has one factor. P2 is determined by evaluating the likelihood that failure will result in harm if the risk control is not 100% effective.

An investigator reviewing the risk assessment should verify that risk has been estimated for each software design requirement. There should be harm identified for each software design requirement, or the traceability matrix should indicate that no harm can result from failure to meet the software design requirement. Next, the risk assessment should indicate what the risk controls are for each requirement identified with the potential for harm. In accordance with ISO 14971, design risk controls should be implemented first to eliminate the possibility of harm. Wherever it is impossible to eliminate the possibility of harm, a protective measure (i.e., alarm) should be used.

Each risk control must be verified for effectiveness as part of the software validation. Also, the residual risk for each potential harm is subject to a risk/benefit analysis in accordance with EN ISO 14971:2012, Annex ZA Deviation #4 (http://bit.ly/14971dev4). The international version, ISO 14971:2007 (which is recognized by the US FDA and Health Canada), allows companies to limit a risk/benefit analysis to only unacceptable risks. Therefore, the European requirement (i.e., EN ISO 14971:2012) is more stringent. Companies that intend to CE Mark medical devices should comply with the EN version of the risk management standard instead of the international version for risk management.

Posted in: FDA

Leave a Comment (2) →

FDA QSIT Inspection of Design Validation: Part I-Non-Software

qsit FDA QSIT Inspection of Design Validation: Part I Non SoftwareThis article reviews FDA QSIT inspection requirements of design validation and is specific to devices that do not contain software.

In the FDA QSIT Manual (http://bit.ly/QSITManual), the word “validation” appears in the QSR 78 times. This exceeds the frequency of the name “verification,” “production,” “corrective” and the acronym “CAPA.” The word “validation” is almost as frequent as the word “management”–which appears 80 times in the QSIT Manual. The section of the QSIT Manual specific to design validation is pages 35-40.

The FDA selects only one product or product family when they are inspecting design controls. Therefore, if you keep track of which products have already been inspected by the agency, you can often predict the most likely product for the investigator to select during the next inspection. The number of MDRs and recalls reported will have an impact on the investigator’s selection. Class, I devices are not selected.

The QSIT Manual instructs inspectors to verify that acceptance criteria were specified before conducting design validation activities and that the validation meets the user needs and intended uses. There should also be no remaining discrepancies from the design validation. Inspectors must verify that all validation activities were performed using initial production devices or production equivalents. The last item to verify is that design changes were controlled–including performing design validation of the changes.

Risk Analysis

Risk analysis is seldom reviewed in great detail–except software risk analysis. However, when a nonconforming product is reworked, it is required to review the adverse effects of rework. QSIT inspectors will expect you to document this review of risks. Investigators will also expect risks to be reviewed and updated in accordance with trend analysis of complaints, service reports, and nonconformities. Finally, when companies assess the need to report recalls, the FDA expects to see a health hazard evaluation to be completed (http://bit.ly/HHE-Form). A detailed review of risk analysis is uncommon in QSIT inspections but receives greater emphasis in the review of CE marking applications.

Predetermined Acceptance Criteria

Investigators reviewing your design validation protocols will specifically look at the acceptance criteria for testing you perform. Investigators are looking for two things. First, were the acceptance criteria met without deviation? Second, was the protocol approved before knowing the results (i.e., was this a prospective design validation protocol?). In certain areas, there are also known risks associated with products that the investigators will look for. For example, in sterilization validation, the investigator will verify that the validation was performed to the most current version of the standard and that the validation has addressed the most common pitfalls of sterilization. For example:

  • Have the most challenging devices been identified?
  • Has performance been validated at the maximum sterilization dose?

User Needs & Intended Uses are Met

In the area of user needs and intended uses, there are few problems with the initial launch of devices for the intended use. Problems typically arise when companies expand the intended use to new patient populations and new intended uses. When this occurs, there may be unique user needs and risks that need to be evaluated. Therefore, the FDA periodically reviews claims made by companies in marketing communications to ensure that claims do not stray beyond the cleared intended use of the device. This will sometimes be identified as a 483 inspection observation. In some instances, the FDA will issue a warning letter to a company that continues to market a device for uncleared indications.

Initial Production Devices or Production Equivalents

When investigators review validation protocols and reports, the documentation must include traceability to the production lot(s) of the device. Investigators may even request a copy of the Device History Record (DHR) for the production lot used for validation. If a production lot is not used, then the design validation documentation must disclose how the product differs from production lots, and why the results are acceptable. The samples used should be subjected to the final test/inspection requirements. If final test/inspection requirements are not yet established, samples should be retained, so that they can be inspected at a later date. Without this traceability, you may have to repeat your design validation with a production lot.

Validation of Design Changes

Far too many hours are wasted writing justifications for why re-validation is not required. I recommend that re-validation of design be performed for any design change if all three of the following criterion are not met:

  1. a sound scientific rationale can be provided with references
  2. the logic does not require a subject matter expert to understand it
  3. quantitative analysis is possible to analyze the risk impact

Many design validations require simulated use with a physician. Companies should obtain as much user feedback as possible before launching a device. Therefore, any re-validation that requires simulated use and user feedback should be a priority over writing a rationale for not conducting re-validation.

Posted in: FDA

Leave a Comment (0) →

Obtaining an FDA Certificate to Foreign Government for Medical Devices

certificate to foreign gov Obtaining an FDA Certificate to Foreign Government for Medical DevicesThis article explains how to obtain an FDA Certificate to Foreign Government when you are trying to submit an application for registration of a medical device to a regulatory body outside the United States (e.g., COFEPRIS approval for exports to Mexico).

What is an FDA Certificate to Foreign Government?

If you have a medical device that is registered and listed with the US FDA, then you can obtain a Certificate to Foreign Government from the US FDA. A Certificate to Foreign Government is a certificate issued by the US FDA verifying that your company may legally export the device, and the device may be distributed in the United States. Regulatory bodies in some countries request a “Certificate of Free Sale.” Still, these are issued by the US FDA for foods, while the agency issues Certificates to Foreign Governments for medical devices. The name of the certificate is not the same for all countries, and regulators use the terminology most familiar to their country. The US FDA has more information about the different types of certificates on the following FDA webpage: http://bit.ly/FDA-Export-Certificates.

How do you obtain a Certificate to Foreign Government?

The following page on the FDA website answers common questions about exporting medical devices. http://bit.ly/Exporting-Medical-Devices. One of the most common requirements of foreign registrations is providing a Certificate to Foreign Government. If your product is currently registered and listed with the US FDA, you are managing your registration and listing using an FDA Unified Registration and Listings System (FURLS) account (http://bit.ly/registration-listing-blog). Through this account, you can access the new CDRH Export Certification and Tracking System (CECATS). CECATS allows manufacturers to request export documents, including Certificates to Foreign Governments, online versus paper submissions. CECATS reduces certificate processing time and will enable you to validate firm-specific data in real-time. You can also obtain a status update for your certificate request. If you have additional questions about CECATS or export certificates, the FDA also created an Exporting FAQs page: http://bit.ly/Exporting-FAQs.

How much does a Certificate to Foreign Government Cost?

Certificates to Foreign Government are product specific and cost $175 for the original certificate. Each additional copy (official copies from the FDA are usually required) costs $15 per copy. Up to 50 pages (including the certificate, manufacturer page, and attachment pages) may be submitted for the same product. Each time an increment of 50 pages is exceeded, an additional fee of $175 will be charged.

If the original is three pages long and you request an original and ten copies (33 total pages), then your charge will be $175 for the original and $150 for the ten copies–a combined total of $325. However, an original and 20 copies (63 pages) would exceed the 50-page limit, and you would be charged $175 for the first original and $225 for the first 15 copies. You would then be charged $175 for a second original and another $60 for four more copies.

Don’t wait until the last minute to request Certificates to Foreign Governments. I recommend ordering 5-10 copies when you first register a product in the FURLS database, instead of waiting until you need it. The same is true of other types of certificates, such as CE Marking certificates from your Notified Body.

Posted in: FDA

Leave a Comment (2) →

FDA Establishment Registration and Listing for Medical Devices

fda registered facility FDA Establishment Registration and Listing for Medical DevicesThe two most common situations for when a company needs to register their establishment with the FDA is 1) when the company is a contract manufacturer and producing a finished device for the first time, and 2) when the company is a specifications developer that recently received a 510(k) and is about to begin distribution of the newly cleared product. If your company is a specification developer, and you have not yet submitted your first 510(k), then you need to complete your Medical Device User Fee Cover Sheet first.

Small Business Status

Most first-time 510(k) submissions are from small companies. If your company has gross receipts of less than $100 million, then you should apply for status as a small business by completing FDA Form 3602A–along with your company’s tax return for the previous year. Qualifying for small business status saves substantially on FDA submission fees. The FDA’s review and decision regarding your application for small business status require 60 days, and the status expires each year on September 30. Click on this link for a guidance document explaining the process for requesting small business status in detail.

Medical Device User Fee Amendment (MDUFA)

A few weeks before you submit your first 510(k) to the FDA, it is recommended that you create a new account for the user fee website and make your Device Facility User Fee (DFUF) payment. This is the website you must access to pay the 510(k) submission fee. If you are taking advantage of small business status, you will need the Small Business Decision Number that you received in the FDA decision letter in response to FDA Form 3602A. Small and large businesses should follow the directions in the guidance document to set-up a new MDUFA account.

Once the user fee account has been created, you need to complete a 510(k) user fee cover sheet. The FDA provides instructions on how to complete the cover sheet. Payment must be submitted to the FDA as well, and the FDA offers multiple ways to pay the user fee.

After you submit your 510(k) and receive your 510(k) clearance letter, you now may begin the marketing and distribution of a product. Once a company starts the distribution of a new product, the company has 30 days to register the facility and list each device with the FDA. Before registering with the FDA, you must also make a second DFUF payment for the establishment registration fee of $3,313. There is no discount for small business status, and the establishment fee must be paid for each facility being registered.

FDA Unified Registration and Listings System (FURLS) Database

The FURLS database is a separate database where companies register facilities and list devices with the FDA. The FURLS account ID and password used for registering your facility is separate from the user name and password for the user fee website used for the DFUF payment. After you pay the annual registration user fee, you will receive the following information via email: Payment Identification Number (PIN), and Payment Confirmation Number (PCN). You will need this information to complete the registration in the FURLS database.

To create a new FURLS account, you access the following website. This new account should only be created if your company does not already have an account, and the person creating the account should be a trusted manager with authority to designate sub-accounts when needed. The process of creating a new account will result in the issuance of an account ID, and you will need to select a password during the process. You need this information for logging into the system in the future. If you have an account and need help managing it or making changes, the FDA also has an account management page.

FDA Establishment Registration and Listing-Additional Resources

The FDA created a webpage explaining medical device registration and listing, but the following page is the place I recommend that most companies begin reading.

If you want additional training on how to register and list your facility with the FDA, please visit the updated CDRH Learn webpage: (Click on “Start Here/The Basics”). The FDA offers a “post-test” and certificate for anyone completing the post-test. I recommend completing this training before setting up a new account, and anyone that will be responsible for updating the registration and listing information.

Posted in: FDA

Leave a Comment (0) →

5 Classic blunders that result in an fda warning letter from CDRH

FDA Warning 5 Classic blunders that result in an fda warning letter from CDRHThis blog reviews 5 of the most common reasons for why CDRH issues FDA warning letters, and preventive actions are suggested for each of the five reasons.

The following is a quote from an interview I conducted with a former FDA inspector:

“You’re in deep trouble if the [FDA 483] response is excellent, and the corrective actions are excellent, but when the FDA comes back, you never bothered to implement those corrective actions. Now you know that you have that warning letter coming at you.”

#1 – No actions implemented for CAPAs

The former inspector is describing one of the most common reasons for FDA warning letters. If an FDA investigator issues an FDA 483, you are required to respond with a corrective action plan (http://bit.ly/FDA-483). However, you must implement your plan to close the FDA 483 inspection observation(s) during the next FDA inspection. CDRH’s QSIT inspection manual (http://bit.ly/QSITManual) requires that the CAPA process be evaluated during every inspection–even during abbreviated inspections, where only two of the four major quality subsystems are sampled (i.e., “CAPA + 1”). Therefore, the FDA investigator will notice if no actions have been taken for CAPAs that were initiated since the last inspection. If the CAPAs are specific to the FDA 483–CDRH requires the FDA investigator to review those records first. To ensure that corrective actions are being implemented and documented, I recommend three ways of controlling the process:

  1. monitor the “aging” of CAPAs and establish a quality objective for average days aging
  2. have an independent expert perform a desktop audit of your CAPA process
  3. ensure that you carefully review each CAPA that is behind schedule during Management Reviews (which should be at least quarterly)

#2 – FDA 483 response submitted late

A second common reason for receiving an FDA warning letter is a failure to submit an FDA 483 response to the district office within 15 business days. The FDA has always involuntarily required a medical device firm to respond to an FDA 483 within 15 business days, but in 2009, a post-inspection review program (http://bit.ly/15Dayresponse) was initiated where it became mandatory that response from any FDA 483 must be received by the Agency within 15 business days, or FDA warning letters are automatically issued. This is an automatic issuance that results in a very quick response from your CDRH district office. Therefore, you need to respond aggressively to FDA 483s with corrective actions and submit your response early.

Note: The FDA warning letters are only issued when inspection observations result in “Official Action Indicated” (OAI). However, inspectors will not tell you if the outcome is OAI or Voluntary Action Indicated (VAI). This determination is made by the District Office of the FDA. Therefore, all device manufacturers should assume that the outcome may be OAI. 

#3 – Submitting a response without evidence of implementing changes

This past Saturday, I recorded a webinar on the “7 Steps to Respond to an FDA 483 Inspection Observation” (http://bit.ly/FDA-483-response-webinar). The title of the third slide in that presentation is “The FDA may be late…”. I mentioned that it is not uncommon for FDA warning letters to be issued six months after the actual inspection occurred. The following warning letter is an example (http://bit.ly/fda-warning-letters-example1).

I don’t personally know this firm, but I found this example by searching through the FDA warning letters database: http://bit.ly/fda-warning-letter-search. The company received an FDA 483 with multiple inspection observations on November 4, 2010. The company was non-compliant in the following areas: CAPA (21 CFR 820.100), complaint handling (21 CFR 820.198), and design controls (21 CFR 820.30). The company responded to CDRH on November 23. This was 13 business days after the FDA 483 was received, and with FedEx shipping, it probably arrived at the FDA barely in time–November 29 (the Monday after Thanksgiving).

Unfortunately, the response did not include evidence of correcting the existing procedure deficiencies. The plan indicated changes were going to be made, but the FDA expects you to revise procedure deficiencies quickly (i.e., before you mail the response to the FDA 483). If it is not possible to make corrections in this timeframe, a risk-based approach is recommended. For example, the complaint handling process is the most critical of the three processes identified as deficient in the warning letter. Therefore, the company should have enclosed a revised complaint handling procedure and promised to revise the CAPA and design control procedures within a few weeks.

The FDA warning letter was not issued for this example until April 6, 2011–almost exactly six (6) months from the date of the FDA 483 issuance. CDRH offices are ghost towns in December. Therefore, it was important for the company to contact CHRH early in November and identify an email address and contact to send documentation regarding the implementation of corrective actions. The company could have revised the other two procedures in December and implemented all three procedures in December. Evidence of thorough implementation of corrections and corrective actions by email is often adequate to prevent FDA warning letters.

For international firms, this is extremely important because a second warning letter for an international firm results in a warning letter with automatic detention (i.e., the company cannot import a product into the USA). In this example, the second warning letter was issued on November 26, 2012 (http://bit.ly/fda-warning-letters-example2).

#4 – Failure to remove objectionable marketing communications

The FDA does not routinely visit companies that only manufacture Class 1 (i.e., low-risk) devices. However, they routinely visit companies that manufacture medium-risk, Class 2 devices. The FDA reviews websites and other marketing communications for marketing claims that are not within the scope of an issued 510k. Typically, the claims that are allowed are almost verbatim from 21 CFR (i.e., Title 21 Code of Federal Regulations). Therefore, many companies receive an FDA 483 indicating that they are claiming an indication for the use of which the device does not have clearance (i.e., a 510k) for. In these cases, the company is expected to remove the claims and/or submit a 510k. In these cases, often CDRH will wait a year or more before taking additional action to give the firm ample time to obtain clearance for the indications. Here is a link to an example of a warning letter of this type: http://bit.ly/fda-warning-letters-example3.

#5 – Design controls are not implemented at all

Design controls are the most common reason for the issuance of an FDA 483 (http://bit.ly/FY2013-483-Data-Analysis). If you read the blog, Medical Device Academy wrote on the data analysis of FDA 483 inspection observations issued in FY2013 by CDRH, and you may have wondered how design controls are the #1 most common FDA 483. Still, the highest individual clause reference is #8 [i.e., 21 CFR 820.30(i)]. If you review this next warning letter example (http://bit.ly/fda-warning-letters-example4), it should become clear that some companies do not have a design control process implemented at all. In this situation, the FDA investigator is likely to issue a separate FDA 483 against each of the required elements:

  1. 21 CFR 820.30(e) – design reviews
  2. 21 CFR 820.30(f) – design verification
  3. 21 CFR 820.30(g) – design validation
  4. 21 CFR 820.30(h) – design transfer
  5. 21 CFR 820.30(i) – design changes

In this specific example, the FDA investigator issued the FDA 483 on August 16, 2012, and the warning letter was issued immediately after the FDA returned from the holidays–January 4, 2013. This firm had a narrow window of time between August and November to submit an FDA 483 response and then follow-up with documentation of completing the CAPA plan. The warning letter indicates that the corrective action plan was not adequate, but the FDA still took several months to issue the warning letter.

If you recently had an FDA inspection and received an FDA 483, make sure you don’t make any of the mistakes above. You might also want to take the webinar on this topic: http://bit.ly/FDA-483-response-webinar.

If it’s been a year since you received an FDA inspection, you might want to watch the video on this webpage: http://bit.ly/regulatory-compliance-services

Posted in: FDA

Leave a Comment (0) →

7 Steps to Respond to an FDA 483 Inspection Observation

7 steps fda 483 blog 7 Steps to Respond to an FDA 483 Inspection ObservationResponding in 15 days is one of 7 steps on how to respond to an FDA 483 inspection observation. Blog also includes advice from a former FDA investigator. 

When an FDA investigator has an inspection observation, the investigator issues an FDA 483. This is the FDA’s form number. If your company receives an FDA 483, how you respond to the FDA 483 is crucial to avoiding a Warning Letter. In the words of a former FDA investigator, “Many, many times I have seen an [Official Action Indicated (OAI)] classified inspection that had been recommended for a Warning Letter by the compliance branch be set aside based upon the response of the firm.”

The best way for your company to respond to an FDA 483 is by writing a cover letter. Then every observation needs to be addressed in the response as a separate CAPA–unless the root cause is identical for two observations. Make sure that your response includes the following seven steps below:

  1. respond within 15 business days (earlier is better)
  2. use your CAPA form and a cover letter–instead of a memo
  3. document the investigation that was conducted with a concisely stated root cause
  4. identify containment measures and corrections to address each specific observation by the FDA inspector
  5. identify corrective actions planned and the date(s) you expect to complete implementation
  6. Include documentation of containment, corrections and corrective actions that are completed at the time you submit the response
  7. follow-up with a memo confirming that all the corrective actions are complete and include all related documentation–including training for any new procedures or any new corrective actions that warranted training

Respond to the FDA 483 violation(s) in less than 15 business days

The FDA has always involuntarily required a medical device firm, or any firm under FDA jurisdiction that received an FDA 483, to respond in writing to the FDA 483 to the District Office within 15 business days. As of two years ago (http://www.gpo.gov/fdsys/pkg/FR-2009-08-11/pdf/E9-19107.pdf), it became mandatory that the Agency must receive a response from any FDA 483 within 15 business days, or an automatic Warning Letter is issued. You need to respond aggressively to FDA 483s with corrective actions, and submit your response early.

Use your CAPA forms instead of a memo.

I have asked several former FDA investigators whether they would prefer to see firms submit responses in memo format, or by using their CAPA forms and a cover letter. Some told me that they prefer to see firms use their CAPA forms, while others don’t seem to have a preference. Nobody from the FDA has ever indicated a preference for a memo. I see no point in doubling your work and risking transcription errors. If you have an electronic system that does not have an easy-to-follow output format, go ahead and copy-and-paste the information from your electronic database to your memo. If the CAPA system output is easy to follow, just use a cover letter and copies of the forms.

Document the investigation and root cause

This is definitely my pet-peeve, but a one-sentence “root cause” is not enough for an FDA 483 response. Regardless of whether I am doing a mock-FDA inspection, an internal audit, or a supplier audit–I expect you to document how you determined the root cause (http://robertpackard.wpengine.com/five-tools-for-conducting-root-cause-analysis/). If it’s trivial and obvious, then it must have been something important, or I would not have written a nonconformity. Therefore, you should be looking beyond the immediate scope of the FDA 483 to ensure that a similar problem cannot occur elsewhere. In the language of the FDA, this is a preventive action, because you are preventing occurrence with another process or product. Most ISO certification auditors are purists, and they won’t accept this as a preventive action. You will have to show the purists something special–maybe from your data analysis.

Don’t forget containment and correction

For every 483 observation, including the subparts, you need to identify if immediate containment is necessary and how you can correct the problem. Whenever possible, you should attempt to implement the containment and corrections during your FDA inspection. It would be fantastic to give the FDA inspector a copy of the new CAPA you initiated during the audit. The new CAPA would identify containment and corrections that have been or will be implemented–including any nonconformity(s) you initiated to quarantine product. You may still get an FDA 483 inspection observation, but you are likely to convert a possible Official Action Indicated (OAI) into a Voluntary Action Indicated (VAI). You can also modify the CAPA wording later to include a cross-reference to the FDA 483 and quote the exact wording the inspector uses.

Explain the corrective action plans and timelines

Clarity, brevity, and realistic plans are critical in this section of your response. I prefer a table that looks like the example shown below.

7 steps 483 chart 7 Steps to Respond to an FDA 483 Inspection Observation

Show the FDA you have already taken action

Whenever possible, you want to show the FDA that you are taking action without delay. If you revised the SOP for MDRs and scheduled a group training for July 15, then you should provide the FDA a copy of the revised procedure and a copy of the agenda for your planned training session. The only caution is to only commit to actions you are certain you will implement. You can always do more, but it will be much harder to explain why you did not implement an action you submitted in your FDA 483 response.

Follow-up before the FDA does

The FDA’s compliance office will be looking for a response when an FDA 483 is issued, and they will review your response. The investigator will get a copy of the FDA 483 response, and the investigator will comment on the response. The compliance office and the investigator enter their comments into a CDRH database. Still, the comments are only general, as to whether the response is adequate or inadequate and will require additional review.

If you do not hear back from the FDA, do not assume that the compliance office or the investigator was satisfied. You should also follow-up several months later (earlier if possible) with a letter that includes evidence of the completed corrective actions, and your verification of effectiveness. If the verification is compelling and received in less than six months of the inspection, you may convince the compliance office to hold off a planned Warning Letter.

If you are interested in root cause analysis and improving your CAPA process, please click on this link for another webinar recording: http://robertpackard.wpengine.com/5-ways-improve-capa-process/. A webinar recording titled “7 Steps to Respond to an FDA 483” is now available at the following link: http://robertpackard.wpengine.com/7-steps-respond-fda-483-inspection-observation-webinar/.

Posted in: FDA

Leave a Comment (2) →

5 Common Mistakes Related to Compliance with FDA Recalls (21 CFR 806)

FDA Recall 01 5 Common Mistakes Related to Compliance with FDA Recalls (21 CFR 806)This article identifies five common mistakes that occur when companies conduct FDA recalls, as required by 21 CFR 806.

As an experienced FDA medical device investigator, at one time or another, many firms I inspected struggled with deciphering FDA regulations and would misinterpret 21 CFR 806 (http://bit.ly/21CFR806-Recall). Fortunately, FDA 483 inspection observations can be easily avoided by doing two things. First, personnel responsible for corrections and removals need proper training—not just “read and understand.” Second, your forms and procedures need to comply fully with 21 CFR 806. The following is a list of 5 common mistakes made that are related to 21 CFR 806:

  1. incorrect interpretation of recall exemptions
  2. misinterpretation of reporting and documentation requirements
  3. failure to comply with recall reporting timelines
  4. failure to properly classify a recall
  5. insufficient recall training for quality personnel

21 CFR 806.1(b) – Recall Exemptions

The section of the regulations that deal with recall exemptions, 21 CFR 806.1(b), is the most widely confused interpretation. There are four categories of exemptions from correction and removal reporting:

  1. “actions were taken by device manufacturers or importers to improve the performance or quality of a device, but that does not reduce a risk to health posed by the device or remedy a violation of the act caused by the device.

  2. Market withdrawals as defined in 806.2(h).

  3. routine servicing as defined in 806.2(k), and

  4. stock recoveries as defined in 806.2(l).”

The risk to health is referenced in 21 CFR 806.1(b)(1) and has two definitions. The first is easily interpreted when there is a reasonable probability that the use or exposure of a medical device could cause serious adverse health consequences or death. Part 2 is confusing in that the definition states that a risk to health can be considered a temporary or medically reversible adverse health consequence, or the possibility of serious adverse health consequences is remote. The second part of the definition of “risk to health,” is not clarified in the recall regulations. Still, you can refer to 21 CFR 803.3 (Medical Device Reporting definitions) for the definition of “serious injury”:

  1. an injury or illness that is life-threatening,
  2. results in permanent impairment of a body function or permanent damage to a body structure, or
  3. necessitates medical or surgical intervention to preclude permanent impairment of a body function or permanent damage to a body structure.

21 CFR 806.10 – Reporting & Documenting FDA Recalls

This section, 21 CFR 806.10 (http://bit.ly/Reporting-FDA-Recalls), is frequently misinterpreted. Corrections and removals by manufacturers and importers require reporting to CDRH, but there are two conditions. Either of the following conditions requires reporting if the correction or removal was initiated:

  1. “To reduce a risk to health posed by the device; or.”
  2. “To remedy a violation of the act caused by the device which may present a risk to health unless the information has already been provided as outlined in paragraph (f) of this section or the corrective or removal action is exempt from the reporting requirements under 806.1(b).”

It is usually better to err on the side of caution and report the correction and removal, but in all cases, properly document your rationale for reporting or not reporting.

21 CFR 806.10(b) – Recall Timelines

Reporting of corrections and removals requires the firm to report these recalls to FDA within ten days. Timeframes are important, so the information can be disseminated to the Regional and District Office after notifications are made to the FDA. 

21 CFR 7.3(m) – Recall Classification

Even when manufacturers and importers file a recall report within the specified timeframes, many times, the recall is improperly classified. Many manufacturers fail to classify their correction and removal based on severity properly. As reported by the FDA in 2013, a study (http://bit.ly/CDRH-Recall-Report) was conducted by CDRH on reported recalls, and this explanation of recall classifications was provided:

“As defined at Title 21, Code of Federal Regulations (CFR), 7.3(g), ‘Recall means a firm’s removal or correction of a marketed product that the Food and Drug Administration considers being in violation of the laws it administers and against which the agency would initiate legal action, e.g., seizure.’

  • A Class I recall is a situation in which there is a reasonable probability that the use of or exposure to a violative product will cause serious adverse health consequences or death.
  • A Class II recall is a situation in which the use of or exposure to a violative product may cause temporary or medically reversible adverse health consequences or where the probability of serious adverse health consequences is remote.
  • Also, a Class III recall is a situation in which the use of, or exposure to, a violative product is not likely to cause adverse health consequences.”

Insufficient Training on FDA Recall Procedures

Each year, the FDA emphasizes the need for investigators to determine that each firm under the FDA area of jurisdiction properly maintains “Recall SOPs,” provides training on these procedures, and fully implements them. When your company performs an initial review of a recall procedure, or the recall procedure is re-written, a systematic review of each element in the regulations is needed. When you perform this review for your Recall SOP, ensure that you verify each of the first four common mistakes are addressed. You should also consider creating an exam to verify the effectiveness of training (http://bit.ly/TrainingExams). If your company manufactures or imports radiologic devices, ensure that the special requirement below is included in your procedure.

Special Requirement: Radiation Emitting Devices

Radiation emitting devices, such as medical lasers, X-Ray, and UV emitting devices, hold another special requirement seldom observed by the CDRH Compliance officers and FDA investigators that are not fully trained in radiation-emitting devices. If a medical device manufacturer or importer becomes aware of a defect in any radiation-emitting device that could cause serious injury, death, or require medical intervention to preclude serious injury or death, this defect must be reported to FDA under 21 CFR 1003. This regulation is one of the few FDA regulations that have significant teeth to mandate each manufacturer or importer to “Repair, Replace or Refund the purchase price” of the device when the manufacturer becomes aware of a major defect in their device (21 CFR 1004). This applies to medical and non-medical radiation-emitting devices, both of which are under FDA jurisdiction.

In some extreme cases, when I observed major defects in a medical device that also included a radiation-emitting device as well, if the CDRH Office of Compliance was unwilling to require a recall of the device, the recall could be mandated by the CDRH Division of Enforcement B (http://bit.ly/CDRH-Divisions-and-Offices). Division of Enforcement B has responsibility for enforcement of medical device regulations to radiologic devices.

Medical Device Academy recorded a webinar on the topic of FDA recalls. You can purchase the webinar by clicking on the following link: http://bit.ly/FDA-recalls-webinar.

Posted in: FDA

Leave a Comment (0) →

Medical Device Regulation: FDA Pilot Programs for Global Harmonization

international harmonization Medical Device Regulation: FDA Pilot Programs for Global HarmonizationThis blog provides an overview of global harmonization efforts by the FDA that were implemented for medical device regulation.

Harmonization of international regulatory requirements for medical devices began in 1992 with the founding of the Global Harmonization Task Force (GHTF). There were five founding regulatory bodies: 1) US FDA, 2) Health Canada, 3) European Commission, 4) Therapeutics Goods Administration of Australia, and 5) Ministry of Health, Labour and Welfare in Japan. The organization created many guidance documents for the medical device industry, and members of the GHTF organization also participated in the development of ISO 13485 that was released in 1996. GHTF was disbanded in late 2012, and it has been replaced by the International Medical Device Regulators Forum (IMDRF) (http://bit.ly/IMDRFDoc), and IMDRF maintains the documentation created by GHTF.

In 1996, when ISO 13485 was released, Health Canada made certification to ISO 13485 mandatory for all medical device manufacturers that wanted to distribute in Canada. Health Canada’s requirement for ISO 13485 certification resulted in the widespread adoption of ISO 13485 certification throughout the world. At the same time, the US FDA chose to publish its Quality System Regulations (http://bit.ly/21CFR820-compliance). The QSR is very similar to ISO 13485, but there are minor differences beyond the obvious reorganization of the requirements.

FDA Modernization Act of 1997

Under the FDA Modernization Act of 1997, the FDA implemented a 3rd party review program for 510(k) reviews and inspections (http://bit.ly/3rd-party-implementation). This program involves “Accredited Persons” (AP) that have been trained by the FDA and work for a third-party consulting firm, registrar, or Notified Body. The FDA expanded the pilot program for 510(k) reviews to include most 510(K) devices (http://bit.ly/3rd-Party-Review-List). Unfortunately, even though there was great interest from third-parties to participate in the program, there was little interest from manufacturers. After more than a decade, only the following seven third-party organizations have managed to get an Accredited Person (AP) to complete the qualification process so that they can perform inspections independently:

  1. BSI
  2. LNE/G-MED
  3. CMS/ITRI
  4. Orion Registrar
  5. SGS
  6. TUV SUD
  7. TUV Rheinland

The FDA continues to experiment with different approaches to international harmonization. In 2003, Health Canada (HC) signed a memorandum of understanding between Health Canada (HC) and the U.S. In 2006, the FDA launched the pilot, Multi-purpose Audit Program (pMAP) (http://bit.ly/HC-FDA-pMAP). Third-party auditors performed ten combined audits. The conclusions and recommendations resulting from the pMAP were posted on the FDA website in 2010. One of the recommendations was to develop a guidance document for the format and content of regulatory reports. Therefore, in 2011, GD211 (http://bit.ly/GD211-report) was released by HC, and several videos were posted on the FDA website by HC and the US FDA for training (http://bit.ly/CDRH-Learn-Course-list).

Once the 14 recognized registrars had managed to train their CMDCAS auditors (http://bit.ly/CMDCAS) on the GD211 report format, the FDA announced the Voluntary Audit Report Submission Pilot Program (http://bit.ly/Voluntary-Audit-Report). For eligible companies, they may submit a regulatory report in the GD211 format, and the FDA will remove the manufacturer from the routine workload for FDA inspections. A few companies have taken advantage of this and successfully avoided a routine inspection for 12 months.

FDA’s New Pilot Program

Recently, the FDA announced a new Voluntary Compliance Improvement Program Pilot (http://bit.ly/FDA-VCIP). This new program is a small pilot that will allow 3-5 manufacturers to select a third party (to be approved by the FDA) to help them identify areas for compliance improvement and initiate corrective actions. Identification of areas for improvement would presumably be determined during a mock-FDA inspection performed by the third party, but this is not explained in the FDA announcement. This program is available by invitation only, but it appears to be a significant departure from the AP program and voluntary submission of GD211 audit reports.

IMDRF is finally starting to have an impact on the harmonization of medical device inspections. In January 2014, the FDA began accepting inspection reports from the Medical Device Single-Audit Program Pilot (MDSAP) as a substitute for routine agency reports. Kim Trautman at the FDA is the IMDRF representative chairing the program, and her presentation announcing the program can be downloaded at the following website link: http://bit.ly/IMDRF-MDSAP. This program should be extremely popular with manufacturers because the MDSAP reports can also be used to meet requirements for inspections by Japan’s MHLW and Brazil’s ANVISA. ANVISA has a massive backlog of inspections due to a strike by government workers, and many companies were forced to file a lawsuit against ANVISA to accelerate the inspection prioritization. The challenge with the MDSAP will be to train and qualify third parties to conduct the audits correctly.

Posted in: FDA

Leave a Comment (2) →

Data Analysis of Medical Device FDA Form 483s Issued in FY2013

The author performed data analysis of medical device FDA Form 483s issued in FY2013. Was Design Controls, CAPA, or complaint handling the number one 483?

The FDA recently updated its webpage for “Inspections, Compliance, Enforcement, and Criminal Investigations” (http://bit.ly/FDA483s). The update was the addition of FY2013’s inspection observations (i.e., 483s). Medical Device Academy performed data analysis of the inspection observations report for FY2013. The high frequency of FDA Form 483s referencing CAPA and complaint handling was not a surprise, but the results of the Pareto analysis (http://bit.ly/ParetoChart) might surprise you.

Pareto Chart FY2013 483s Data Analysis of Medical Device FDA Form 483s Issued in FY2013

Data without Categories Data Analysis of Medical Device FDA Form 483s Issued in FY2013

Ranking of Individual Observation References

If you sort the raw data from the FDA, instead of categorizing the observations first, you see that 21 CFR 820.100(a) (i.e., the CAPA procedure requirement) is the most frequently referenced section. Complaint handling, 21 CFR 820.198(a), is the second most frequently referenced section. CAPA even gets the third spot on the table to the left, while the highest-ranking of an individual section for design controls [i.e., 21 CFR 820.30(i)] is eighth. The problem with this approach is that there 244 different sections to review, and it’s difficult to identify which process areas to focus on. Therefore, Medical Device Academy categorized the data by section first and then sorted the data.

The section of the CFR referenced categorized the data from FY2013. For example, there are 15 different sub-sections related to section 21 CFR 820.198. Therefore, all 15 were grouped under one category. The categorization of the data allowed us to reduce the number of observation references from 244 to 32. By doing this, it was clear that CAPA (11.75%) and complaint handling (10.65%) are more frequently referenced in FDA Form 483s than the next most frequent section—medical device reporting (6.24%). However, categorizing the data first shows that design controls (21 CFR 820.30) were referenced more frequently than any other category in FY2013.

You may also expect to see a large percentage of Form 483 observations issued against management responsibilities. However, section 820.20 (i.e., management responsibilities) ranks 13th out of 32 categories (4.05% in the table below). We even considered that maybe FDA inspectors were issuing fewer 483s against section 820.20 in FY2013 than previous years. However, FY2012 also had slightly more than 4% of the FDA Form 483s issued against this category.

CDRH FY2013 Form 483s Data Analysis of Medical Device FDA Form 483s Issued in FY2013The frequency of 13.25% for design controls may surprise you. However, when all 15 of the different observation references for design controls are combined into one category, there is a total of 582 observations. For the sake of comparison, only 12.68% of the FDA 483 observations were related to design controls in FY2012. Therefore, inadequate implementation of design controls (http://bit.ly/Implementing820-30) remains the most frequently referenced observation.

If you are interested in downloading the Excel spreadsheet that we used to create the above chart and graph, please follow this link: http://bit.ly/Download-Pareto483s.

Preventive Actions

The Pareto analysis can also be used to focus your internal auditors or a mock-FDA inspection. For example, your next audit might start with a review of the CAPA process, since that is the second most frequent observation reference by FDA inspectors (http://bit.ly/CAPAMistakes). Next, you may want to audit complaint records and medical device reporting (http://bit.ly/outsourcing-complaints). These are the third and fourth most frequent observation references. Finally, after you have finished these three areas, you should select a product line that has not been recently inspected by the FDA and perform an audit of the Design History File (DHF): http://bit.ly/AuditDesign.  The auditor should verify that all the changes made to the Device Master Record (DMR) have been documented and validated in accordance with your Design Controls procedure.

In addition to performing a mock-FDA inspection, you should also invest in training of employees in each of the four most critical areas:

  1. Design Controls
  2. CAPA
  3. Complaint Handling
  4. MDRs

Signing a training record to indicate that you read and understood a procedure does not meet the requirements for training personnel. You need to develop a training curriculum for each subject area with practical examples—not just bullet points copied from the QSR. In addition to reading and sharing the blogs that are referenced for each of the above areas, you might also consider reviewing the following blog about training effectiveness: http://bit.ly/TrainingExams.

If you are interested in training courses, Medical Device Academy has a library of pre-recorded webinars available: http://bit.ly/QA-RA-Webinars. We also have exams that can be used to verify training effectiveness after each webinar. Please let us know if you are looking for something specific because we develop new customized training webinars every month.

Posted in: FDA

Leave a Comment (3) →

4 Ways to Create Your Own FDA Medical Device Regulatory Updates

Although FDA medical device regulations are centrally located in one place: http://bit.ly/FDA-homepage, this blog discusses four information areas you can monitor to create your own FDA medical device regulatory updates-(guidance docs, standards,), etc.

fdaupdates 4 Ways to Create Your Own FDA Medical Device Regulatory Updates

  1. Guidance documents released (http://bit.ly/FDA-guidance),
  2. Recognized standards (http://bit.ly/Recognized-Consensus-Standards),
  3. Device classifications (http://bit.ly/ProductClassification), and
  4. Total Product Lifecycle (TPLC) database (http://bit.ly/FDA-TPLC).

Guidance Documents

When you check the FDA website for the new draft and final guidance documents, the webpage to monitor is http://bit.ly/newFDAguidance. This page had already had four new guidance documents in 2014, and in October 2013,  the FDA released an important update about the eCopy program for 510(k) submissions: http://bit.ly/FDA-eCopy.

Recognized Standards

The FDA has a separate database for all recognized consensus standards: http://bit.ly/Recognized-Consensus-Standards. This database is used to verify which Standards can be used for verification and validation testing of new devices, and the reference of any of these Standards in a device submission must also be accompanied by the completion of Form FDA 3654: http://bit.ly/Form-FDA-3654.

Device Classifications

Changes to device classifications and/or regulatory approval pathways are rare at the FDA, but you should periodically check the classification database to verify that there have been no changes. The most likely changes will be the addition or removal of recognized standards applicable to your devices. The database for looking up device classifications can be found at http://bit.ly/ProductClassification.

TPLC Database

For each 3-letter product classification code, there is a database that shows all the recent 510(k) submissions, all recalls, and summarizes all the medical device reports submitted for serious injuries and deaths. This database, http://bit.ly/FDA-TPLC, should be monitored to proactively identify problems that occurred with similar products before they happen to your product. Also, there may be voluntary reports from user facilities regarding your device that were not reported directly to your company. The possibility of voluntary reports makes this an important database to monitor weekly. Other resources include:

  1. http://bit.ly/CDRH-news-updates – This is the page of the device division of the FDA (CDRH), where news and updates are posted. You may find it helpful to register for receiving the RSS feeds from this page so that you are informed of any updates as FDA posts them.
  2. http://bit.ly/CDRH-Learn – This is the page where CDRH lists all of the online training courses for medical device manufacturers. This includes popular courses such as the “Pre-market Notification Process – 510(k)s” and “Medical Device Recalls.” This page also had four recent updates: 1) “Investigation Device Exemption Process – IDE,” updated on December 6, 2013; 2) “Device Establishment Registration and Listing,” updated on July 31, 2013; 3) “Global Initiatives,” updated on October 31, 2013; and 4) “Unique Device Identification (UDI) System,” updated on December 23, 2013.

Next Steps

Review each of the above streams of information from the US FDA on a scheduled basis as preparation for quarterly management reviews and determine any potential impact on your organization’s quality system and procedures. This gap analysis should be performed by someone familiar with the specific process(es) addressed by the regulations. The most likely actions to be taken are:

  1. Initiate specific changes to existing procedures
  2. Create new procedures, or
  3. Initiate a quality plan for more substantial changes to your quality system

Management Review-Free Webinar Recording

If you need more help preparing for your management review, here’s a link to a free webinar I recorded: http://bit.ly/Clause5-6. You will also receive a management review slide deck, as well.

Posted in: FDA

Leave a Comment (0) →
Page 2 of 3 123