Device Supply Chain Disruptions

3 Comments / FDA, Supplier Quality Management / By Matthew Walker

What can you do to stay ahead of medical device supply chain disruptions and comply with reporting requirements of possible device shortages?

Device Supply Chain Disruptions Device Supply Chain Disruptions

Supply chain issues can be somewhat cyclical. As we approach the holiday season, we also approach the shipping season. Public shipping services such as FedEx and UPS see an increase in freight as the holiday seasons approach. Manufacturers need raw materials and components to stock the shelves with all of those holiday gifts. Since we are still living under pandemic conditions, I would be willing to bet there will be more care packages and mailed gifts in place of traditional gatherings. On top of the approaching increase in demand, staffing shortages can very quickly exacerbate supply chain bottlenecks. All the while importers are still expected to… well, import! If transportation affects all general industry you can bet it can also cause medical device supply chain disruptions.

So what does an overburdened mail service have to do with medical devices and quality systems?

Consider, how are your customers getting your product in their hands? How are you receiving raw materials and components? How about your contract manufacturer? Do they have supply chain redundancies? Does your supplier quality agreement address notifications for shipping disruptions?

Do you have a regulatory obligation to report a shortage/supply chain disruption or interruption of manufacturing to the FDA, or Health Canada? The FDA monitors for discontinuance and meaningful disruption of manufacturing certain devices and similarly Health Canada monitors their own list of devices for market shortages. Supply chain disruptions either through difficulty sourcing of raw materials and components, or through transportation breakdown of finished devices to market are just one way you could experience a reportable disruption or shortage.

Matthew did not choose the topic of medical device supply chain disruptions randomly. His signature brand of pessimistic cynicism is the reason we have him tasked with keeping his fingers on the pulse of global concerns and potential threats and risks. Potential supply chain disruptions will involve your quality staff in developing preventive actions and contingency plans in case there is an issue. Then, your regulatory team will be in charge of reporting and AHJ notification if you are an affected manufacturer (or importer in Canada!). Understaffed and overloaded shipping and transportation suppliers are about to be bombarded with seasonal freight. This makes them an attractive target for ransomware because, just like healthcare facilities, they will not be in a situation where they can afford any downtime.

U.S. FDA

The FDA requires reporting shortages and supply chain disruptions to CDHR of permanent discontinuance or interruption in manufacturing of a medical device in Section 506J of the FD&C Act. Especially so in response to the COVID-19 public health emergency. In part, the general public’s need for healthcare during the pandemic guides what devices the FDA needs notification about.

Currently, the FDA is concerned about specific device types by product code or any devices that are critical to public health during a public health emergency. For the most up to date list, the URL to the FDA website will show the specific product codes of the monitored device types;

Health Canada

As an Authority Having Jurisdiction, Health Canada also has reporting requirements for supply chain disruptions of specific types of medical devices. Health Canada is also an independent authority that uses a different device classification system than the U.S. FDA.

The table below shows the device types by their classification level that HC requires supply chain disruption notifications for. This information is current as of September 5^th, 2021, and the following link will take you to the HC webpage for the most up-to-date list.

Class I Medical Devices

Masks (surgical, procedure or medical masks) – Level 1, 2, 3 (ATSM)

N95 respirators for medical use

KN95 respirators for medical use

Face shields

Gowns (isolation or surgical gowns) – Level 2, 3 and 4

Gowns (chemotherapy gowns)

Class II Medical Devices

Ventilators (including bi-level positive airway pressure or BiPAP machines, and continuous positive airway pressure or CPAP machines)

Infrared thermometers

Digital thermometers

Oxygen Concentrators

Pulse Oximeters (single measurement)

Aspirators/suction pumps (portable and stationary)

Laryngoscopes

Endotracheal tubes

Manual resuscitation bags (individually or part of a kit)

Medical Gloves – Examination and Surgical (Nitrile, Vinyl)

Oxygen Delivery Devices

Class III Medical Devices

Ventilators (including bi-level positive airway pressure or BiPAP machines)

Pulse Oximeters (continuous monitoring)

Vital Signs Monitors

Dialyzers

Infusion Pumps

Anesthesia Delivery Devices

Class IV Medical Devices

Extracorporeal Membrane Oxygenation (ECMO) Devices

How to prevent device supply chain disruptions

Harden your supply chain with redundancies. Now is the time to qualify a second supplier as a contingency plan before it is too late…. Maybe even consider opening a Preventive Action? (HINT HINT for those ISO 13485 manufacturers that need to beef up their Clause 8.5.3. operations!)

Supply chains have both up and downstream functions. First, you likely need to source raw materials and components for production. Then you also need to ship those finished devices to distribution centers and your customers. Disrupt either of those and your ability to sell your devices is compromised or even completely halted.

Ask yourself, “Do I have a backup option for shipping?”, and “Do I have a backup option for raw materials and components?”.

Why?

Why go through all of that effort? Well, if you lose UPS and have to use FedEx instead, are their shipping procedures identical? Likely you will need a WI level document for each shipper to explain the process. It is easier to pre-qualify a contingency supplier and establish a WI now rather than in December when holiday shipping is at its peak. Consider if you also need to open accounts, etc. Scheduling pickup online may not be intuitive.

Just identifying a backup is important, but you can take that a step further and pre-qualify them. If they are a shipping and transportation supplier then give them a shipment or two in order to evaluate them. Hold them to the same standards you would for your primary supplier.

Did your shipment arrive on time? Was it damaged during transit? This is provisional, or pre-qualification. Did they perform adequately enough to use as a tentative supplier in the event the primary supplier is unable to perform? This is designed to make a full qualification of this supplier simple and easy… If you need to utilize them that is. Maintaining this pre-qualification should also be simple and easy as well. Once a year or so have them deliver a shipment for you.

That is just for importing or shipping finished devices. Do you have backup raw material or components suppliers identified? If not identifying or even pre-qualifying secondary suppliers might not be a bad idea either. You are probably tied down to a specific geographic area for shipping and transportation. You may not be for raw materials. If you need barrels of silicone consider a backup supplier from a different area than your primary supplier. Natural disasters create havoc for shipping. If your silicone comes from Company A, and they are closed down because of a hurricane then Company B ten miles away is likely affected as well.

For example, if you are in the U.S. and your primary supplier is in the Northeast then a backup supplier in the Southeast may be strategically important. Whereas a backup supplier from the Southwest may be cost-prohibitive.

What about your suppliers? Is your device high-risk enough that if your supply chain is disrupted, you have an obligation to report it to the FDA? In that scenario, if you use a contract manufacturer, it may be worth requiring supply chain contingencies and clearly identifying who owns what reporting responsibilities within your quality agreement with them.

There is an element of proactive responsibility in reporting these shortages, or projected shortages. In order to be able to predict medical device supply chain disruptions, there should be metrics that your quality system is monitoring. What is your monthly production capacity? How much raw material or components does your warehousing have on hand? How many units could you manufacture if the transport industry stopped right this second?

Determine what you need to track in order to identify a disruption before it occurs.

Prepare for notification now. This article looked at the problem from the point of view that transportation issues were the root cause of the supply chain disruption. However, many other things could be disruptive, such as natural disasters and supply availability. Therefore, develop a WI level document for conducting these types of regulatory reporting activities and train personnel before a disruption happens. It is easier to tackle these kinds of problems if you already have process controls in place and trained competent staff than if you wait until the reporting timeline clock is already ticking.

In the near future, we will be posting a new blog about 506J and Shortage Reporting. We will also have a work instruction and training webinar available soon.

Future blogs about device supply chain disruptions…Shortage Reporting

About the Author

Matthew came to us with a regulatory background that focused on OSHA and NFPA regulations when he was a Firefighter/EMT. Since we kidnapped him from his other career, he now works in Medical Device Quality Management Systems, Technical/Medical Writing, and is a Lead Auditor. Matthew has updated all of our procedures for He is currently a student in Champlain College’s Cybersecurity and Digital Forensics program, and we are proud to say that he is also a member of both the Golden Keys and Phi Theta Kappa Honor Societies! Matthew participates as a member of our audit team and has a passion for risk management and human factors engineering. Always the mad scientist, Matthew pairs his professional life in regulatory affairs with hobbies in the culinary arts as he also holds a Butchers/Meat Cutters certificate from Vermont Technical College.

Email: Matthew@FDAeCopy.com

Connect on Linkedin: http://www.linkedin.com/in/matthew-walker-214718101/

Device Supply Chain Disruptions Read More »

Feb 8 2022

How to find updated FDA forms for a 510k

1 Comment / 510(k) / By Robert Packard

Before you complete FDA forms for your 510k submission, you need to made sure you have the most updated FDA forms.

How do you know if the FDA form you are using is current?

The FDA assigns numbers to each FDA form and the document control number is found in the bottom left footer of the document. In addition, the top right-hand header of the document will have an expiration date for the form (see the picture below). Often the changes to FDA forms are minor, but you should only submit the current version of the FDA form which has not expired.

What happens if you are using an expired FDA form?

In the past, if you included an obsolete document in your submission the FDA would often ignore this an proceed with the review of your submission anyway. Now FDA reviewers will identify the obsolete form and require you to resubmit the document on the current version of the form. If the reviewer is conducting an initial Refusal to Accept (RTA) screening, and one of the required items in the RTA screening are identified, then you will receive an RTA Hold letter and the RTA checklist will include a comment that you have used an obsolete version of an FDA Form.

If there are no deficiencies identified in the RTA checklist, the reviewer may still send you an email asking you to submit the document on the correct form. This could be a formal amendment (e.g. K123456/A001) or it could be as an informal email of the corrected document. This type of request could also be identified after the substantive review is complete in the form of a comment in an Additional Information (AI) Request or as part of an Interactive Review Request. An AI Request must be responded to with a formal supplement submitted to the Document Control Center (DCC) as a supplement to the original submission (e.g. K123456/S001) or as an informal ammendment submitted by email.

Examples of updated FDA forms for your 510k submission

Expired forms are frequently submitted to the FDA because submitters are using templates that have not been properly maintained or the submitter modified a form that was submitted in a previous 510k submission. The most common examples include: FDA Form 3514 (i.e. Submission Coversheet), FDA Form 3881 (i.e. Indications for Use), and the RTA Checklist.

Where can you find updated FDA forms?

Recently one of our clients noticed that the 510k template folder we share with people that have purchased our 510k course included obsolete templates for Financial Disclosure. There are three financial disclosure forms that can be used for a 510k submission or De Novo Classification Request:

FDA Form 3454, Certification: Financial Interest and Arrangements of Clinical Investigator (PDF)
FDA Form 3455, Disclosure: Financial Interest and Arrangements of Clinical Investigators (PDF)
FDA Form 3674, Certification of Compliance, under 42 U.S.C. , 282(j)(5)(B), with Requirements of ClinicalTrials.gov (PDF)

We normally update these FDA forms as soon as the new form is released, but this financial disclosure forms are only used in about 10-15% of 510k submissions.

The current version of most FDA forms can usually be found by simply conducting an internet search for the form using your favorite browser. However, sometimes you may find a copy of the document that was editted by a consultant to facilitate completion of the document as an unsecured PDF or Word document. Although this is convenient, you should not use these “bastardized” forms. You should use the original secured form provided by the FDA. These native forms require Adobe Acrobat to complete the form and save the content. The most current version of the FDA form can be found using the FDA’s Form search tool.

Editing and Signing FDA Forms

Most of the FDA forms are secured and you can only enter information in specific locations. If there is a location for a signature, usually the signature cannot be added in Adobe to the secured form. In these situations, our team will save the document as a “Microsoft Print PDF” format. Once the document has been saved in this “non-native” format, you can manipulate almost anything in the document. Then we will add signatures using the “Fill and Sign” tool in Adobe Acrobat or we will use the “Edit” tool. Editing also gives us ability to make corrections when the document has incorrect information filled in the form somewhere.

Another option for adding dates and signatures is for you to save the document as a non-secure PDF. Then using an electronic signature software tool like Docusign, you can request that another person add their electronic signature or you can add your own electronic signature. Some companies prefer to do this to ensure the electronic signature meets 21 CFR Part 11 requirements, but the FDA accepts scanned images of a signature that was added to the document without certification in a 510k submission. This is even true for the Truthful and Accuracy Statement for a 510k. That document can be attached as a PDF in an FDA eSTAR template or you can electronically sign the eSTAR template if the person preparing the eSTAR is also the person signing the Truthful and Accuracy Statement.

Tips and Tricks for maintaining templates

Our company is a consulting firm, and we do not have a formal document control process that would be typical of our clients. However, we do have a shared Dropbox folder where we maintain the most current version of 510k templates. Any obsolete versions we move to an archive folder. However, there are ways to improve this informal system. You can include a date of the document in the file name. For example, “Vol 4 001_Indications for Use (FDA Form 3881) rvp 2-7-2022.” This indicates that this file is the FDA Form 3881 which is the indications for use form used in Volume 4 of the 510k submission. The document is the first document in that volume. The date the form was revised and saved is February 7, 2022 and the author’s initials are “rvp.”

If you are saving 510k templates you might consider adding an expiration date to the file name. For example, “Vol 4 001_Indications for Use (FDA Form 3881) exp 06-30-2023.” This file name indicates that the form’s expiration date is June 30, 2023. The inclusion of an expiration date in the file name is a visual reminder of when you will need to search for an updated FDA form.

A third way to manage your FDA Forms is to include them in your documents of external origin. ISO 13485:2016, Clause 4.2.4, requires that you maintain control of documents of external origin. Therefore, if your company has a formal quality system, a list or log of documents of external origin is the best way to manage FDA forms. Your log should indicate the date the updated FDA form was created, any parent guidance documents should be cross-referenced, and the expiration date of the FDA form should be identified. By using a log of this type, you can sort the list by expiration date or by the date of creation if there is no expiration date identified. Sorting the list will help your team prioritize which documents need to be reviewed next for new and revised versions.

Additional 510k submission resources

The FDA will be updating the 510k guidance for the new FDA eSTAR template by September 2022. Medical Device Academy will be systematically updating all of our templates and training webinars related to preparation of 510k submissions. We will also be preparing for the transition from FDA eCopy submissions to electronic submissions via a Webtrader Account.

You can keep up-to-date on template revisions in one of two ways:

Purchase our 510k course, and you will receive access to the updated templates as they are created. We will send email notifications each time a template is updated.
Register for our New Blog email subscription for automated email notifications of when a new blog is released about updated FDA forms, templates, and webinars.
Register for our New Webinar email subscription for automated email notifications of when a new or revised webinar is scheduled and for email notification of our newest live streaming YouTube videos.

How to find updated FDA forms for a 510k Read More »

Feb 1 2022

Individual process audits or one full quality system audit, which is better?

3 Comments / ISO Auditing / By Robert Packard

You can conduct multiple individual process audits or you can conduct one full quality system audit, but which solution is better?

What are individual process audits?

There are 25 processes that require procedures for compliance with the US FDA quality system regulations and ISO 13485:2016 has 28 required procedures. Individual process audits focus on one of these procedures, the process it controls, the equipment and software used by that process, the work environment where the process is performed, the people responsible for the process, the records resulting from that process, and any metrics or quality objectives associated with that process. An individual process audit can be completed in remotely or on-site, and these audits will be much shorter in duration than a full quality system audit. Another way to think of an individual process audit is to realize that a full quality system audit is comprised of many individual process audits scheduled back-to-back. Auditing one process might be as short in duration as 30 minutes (e.g. control of records) but individual process audits can take as long as four hours (e.g. design controls and technical file audits).

What is a full quality system audit?

A full quality system audit is typically a single audit conducted annually to address all the requirements for conducting an internal audit of your quality system. In this type of audit, all of the procedures and processes should be covered. Therefore, full quality system audits are necessarily longer. If the person assigned to conduct the full quality system audit is an employee, that person cannot audit their own work. This can be addressed in two ways: 1) the audit can be a team audit, and the other team members can audit areas the lead auditor was responsible for; and 2) the process(es) that the lead auditor is responsible for can be audited as individual process audits by another auditor at another time.

If the person assigned to conduct the full quality system audit is a consultant from outside the company, there is still potential for conflicts regarding independence. If the consultant audited the company in the previous year, then the auditor cannot audit last year’s internal audit. In our consulting firm we address this issue in two ways: 1) we rotate who is assigned to audits so that the same auditor does not conduct a full quality system audit two years in a row, or 2) we assign another auditor in our company to conduct the audit of internal auditing as a team member.

How do you evaluate auditing effectiveness?

Some companies perceive that auditing is a necessary evil and they want to put as little effort and resources into the audit as possible. In this situation, auditing might be evaluated based upon whether it was completed on-time, by how much the audit cost the company, and the fewer nonconformities identified the better the perceived outcome. This perspective typically results in a single full quality system audit that is three days in duration or shorter if an auditor can manage to complete the audit in less time. Of course the shorter the audit is, the fewer records that an auditor has time to review. Therefore, shorter audits typically have fewer findings and management is pleased at the outcome because the audit required fewer resources and had little or no nonconformities.

The better approach is to look at auditing as a method for identifying areas that need improvement. Identifying areas where your quality system needs improvement is the intent of requiring internal audits. Therefore, the amount of time your company allocates to auditing should reflect the benefits for improvement that are identified. Top management of your company needs to identify which process areas they feel needs improvement. Only then can the audit program manager design an audit schedule that will focus on identifying opportunities for improvement and nonconformities in the process areas where management feels improvement is most needed. Ideally, this approach to auditing will focus on looking for inefficiency and metrics with negative trends. These findings result in preventive actions instead of corrective actions, because the process is not yet nonconforming. In general, the more opportunities for CAPAs that are identified the more valuable the audit was.

What advantages do one full quality system audit present?

Sometimes a single full quality system audit is easier to schedule, because it is only once per year. The rest of the year your company will not need to spend much time discussing audits or even thinking about them. If your company perceives audits as a necessary evil, then the less disruption caused by scheduling an audit the better.

Another advantage of conducting full quality system audits is that you can more easily afford to use external consultant auditors, because the travel costs for auditing are limited to one trip per year. If you had more than twenty individual process audits each year, and external consultant auditors conducted all of the audits, then you would have to pay for travel costs twenty times each year. Unless the consultant lives locally, these travel costs can be substantial.

What advantages exist for individual process audits?

Individual process audits are much easier for the auditor to complete within the time established in the audit agenda, because the auditor does not have another audit process immediately proceeding or immediately after the process they are auditing. There are also fewer people that need to attend an opening or closing meeting for an individual process audit, because only one process is being audited. Managers from other departments are seldom needed for participation in the opening or closing meeting. The combined benefits result in the auditor being more likely to start the opening meeting on-time and to start the closing meeting on-time.

The shorter duration of individual process audits is also an advantage. There are very few times in a year when none of your department managers will be traveling, sick, or on vacation. These rare weeks only happen a few times each year, and sometimes auditors must proceed with an audit even if someone is absent because they have no alternative. If you are preparing for an audit remotely, you face-to-face audit time is only 90 minutes, and your report writing time is also conducted remotely, then finding 90-minutes of available time in an department manager’s schedule is usually quite easy.

Can both approaches to internal audit scheduling coexist?

You can combine both approaches to audit scheduling in several possible ways. First you can schedule one full quality system audit each year in order to make sure that the minimum audit requirements are met, and then top management can review the results of the full quality system audit to decide which processes would benefit from individual process audits.

A second strategy would include conducting individual process audits for each process that resulted in a nonconformity during 3rd party certification audits or during the one full quality system audit. In this scenario, you might have a 3rd party audit in November, a full quality system audit in May, and top management might select 10 other individual processes to audit during the other 10 months of the year.

A third strategy would be to alternate between individual process audits and single full quality system audits each year. During “odd” years the audit program manager would only schedule one full quality system audit, and during “even” years the audit program manager would schedule multiple individual process audits.

A fourth strategy would be for top management to select a few processes that they would like the audit program manager to focus on with individual process audits, and all of the remaining processes would be incorporated into a single audit that covers the remaining 70% of the quality system.

Each of these four strategies for combining the two approaches to audit scheduling is viable and may result in multiple opportunities for improvement being identified. There is no regulation that favors one approach over another, but all four strategies require more time an effort on the part of the audit program manager and top management to discuss and plan the annual audit schedule.

Next steps if you would like to try individual process audits

If your company has always scheduled a single full quality system audit each year, you can test the concept of conducting an individual process audit by selecting just one process to audit. The best choice for this approach is to pick a process that has one or more CAPAs that are in progress or to select a process that top management feels is performing efficiently. The more frustration that top management experiences with a process, the greater the need is to identify opportunities for improvement. If the company has not already identified CAPAs to initiate for that process, you might just need an outsider to state the obvious: “I think we need a CAPA in this department.” The outsider might be a consultant, but it could also be a person from another department. If you would like a quote for an individual process audit, please visit our audit quote webpage.

About the Author

Rob Packard 150x150 Individual process audits or one full quality system audit, which is better?

Rob Packard is a regulatory consultant with 25+ years of experience in the medical device, pharmaceutical, and biotechnology industries. He is a graduate of UConn in Chemical Engineering. Robert was a senior manager at several medical device companies—including the President/CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing, and maintaining ISO 13485 and ISO 14971 certification. From 2009-2012, he was a lead auditor and instructor for one of the largest Notified Bodies. Robert’s specialty is regulatory submissions for high-risk medical devices, such as implants and drug/device combination products for CE marking applications, Canadian medical device applications, and 510(k) submissions. The most favorite part of his job is training others. He can be reached via phone 802.258.1881 or email. You can also follow him on Google+, LinkedIn or Twitter.

Individual process audits or one full quality system audit, which is better? Read More »

Jan 30 2022

Auditing Services Quote

Who quotes auditing services?

The form below provides us with the basic information we need to prepare an auditing services quote for your company. There are instructions below the form that explain exactly what information we are looking for in each section of the form. The quotation process is not automated. A real person (i.e. Lindsey Walker) will get back to you with a quotation. She is our audit program manager. She creates the audit quote and assigns the auditors based on availability and your auditing needs. Her email is sales@medicaldeviceacademy.com. The quotation will be automatically emailed from Freshbooks once she is finished, and then she will follow up with a manual email–just in case your spam filters prevent delivery of the automated email generated by FreshBooks. If Lindsey is on vacation, or out sick, the proposal will be prepared by Rob Packard. His email is rob@13485cert.com.

General pricing of auditing services

If you are looking for the cheapest auditing services you can find, don’t even bother filling in the form. Our goal is to help you improve your quality system and provide valuable consulting advice to achieve improvements. We specialize in helping start-up companies achieve initial ISO 13485 certification, MDSAP certification, and CE Certification. We will assign an experienced lead auditor with an hourly consulting rate of $275/hour. Typically, we will charge $2,750 plus travel expenses for a one-day supplier audit because we expect to spend 30 minutes on audit preparation, eight hours on-site actively auditing, and 2+ hours generating an audit report. Most quotations are flat-fee quotations so you know exactly how much you will be charged. We also request a 50% deposit for audits.

Name, Company, Email & Phone

The name you enter is the name we enter as the client contact in our database and the quotation will be addressed to that name. The company field should include the legal name of your company. The email you enter is the email that we will send the quotation. Although a phone number is not required, it helps us to be able to call you if we have questions about the information you provided.

What is the audit type?

Internal Audit – This is also called a “1st party audit,” and these are conducted to evaluate the effectiveness of your quality system. You are required to conduct an audit of the full quality system each year. If you select “Internal Audit,” we will assume that you want us to provide an audit quote for your complete quality system. If you only want a partial quality system audit of one or more process areas, then please select “Individual Process” and specify which process or processes in the text box labeled “Process Areas to Audit.”
Supplier Audit – This is also called a “2nd party audit,” and these are conducted to evaluate the effectiveness of your supplier’s quality system. Other reasons for a supplier audit include verifying compliance with contractual requirements or identifying the root cause of a quality problem (i.e. nonconforming product). Please provide the details of what processes to audit in the text box labeled “Process Areas to Audit.” We generally recommend focusing supplier audits on the activities you are outsourcing (e.g. manufacturing) rather than general quality system requirements (e.g. management review).
Individual Process Audits – This is also a “1st party audit,” however, we will focus on one or more processes that you identify in the text box labeled “Process Areas to Audit.” This type of audit is ideal when you do not have a qualified auditor that is independent to audit a process. Another scenario where this type of audit is valuable is when you recently made a significant change to a process and you want to verify that the employees are following the new process, or if you want to verify the effectiveness of corrective actions implemented for a specific process. For example, you want to verify the effectiveness of a CAPA related to an FDA 483 or Notified Body Nonconformity.

Process areas that need auditing

AKA Turtle Diagram Thumbnail 150x150 Auditing Services Quote

In this text box, we need you to identify the process areas you want us to audit. You can ask us to audit just one process or multiple processes. For example, if you are the Quality Manager and the only qualified lead auditor in your company, you might want us to audit your internal auditing, CAPA, management review, control of documents, and control of records. For a single process audit, we generally recommend remote audits via Zoom in order to eliminate the cost of travel. This is also a great way to test us before you engage our firm for a full-quality system internal audit. This is also known as the “audit scope,” and should not be confused with “audit criteria” discussed below. The scope can also include the location of the audit.

Location (remote or on-site) for auditing services quote

location 150x150 Auditing Services Quote

If you want us to conduct the audit remotely via Zoom, please enter “Remote” in the text box of the auditing services quote form. You can also specify another teleconferencing software of your choice. In general, we recommend that remote audits be split into 90-minute segments or less where one or two processes are covered during the 90-minute Zoom meeting. We explain this further in one of our blog articles: “Why remote audit duration should never exceed 90 minutes.” If you want us to conduct the audit on-site, please provide the address of the audit location and we will include the estimated travel costs in our proposal.

Desired Date or Dates

Please enter the date or dates that you want us to conduct your audit. You can also specify before a specific deadline (e.g. before June 30th). If you want us to conduct an audit of multiple processes remotely, it would help to know what dates and or times of day you would prefer. You can also enter a phone number and say “call me” next to the phone number. Then Lindsey or one of our assigned auditors will contact you to schedule a date and time for your audit.

What is the audit duration in hours?

Please enter the desired duration of the auditing services you want to be quoted. We typically expect at least 30 minutes of audit preparation to review the audit preparation documents that you provide and to create an audit agenda. In addition, we expect to spend approximately two hours of report writing time for each eight-hour day of auditing. Therefore, a typically one-day supplier audit will require a duration of ten hours, while a three-day on-site internal audit will require a duration of 30 hours.

Auditing criteria for auditing services quote

clipboard 6 150x150 Auditing Services Quote

It is important to specify the audit criteria for your auditing services quote, because otherwise, we might assign an auditor that does not have training on that criteria. Audit criteria are the standards, regulations, procedures, and contracts that may be used to evaluate your quality system or an individual process. Most of our audit team is qualified to audit against the following criteria:

21 CFR 820, 803, 806, and 830 – the US FDA regulations including medical device reporting, corrections and removals, and unique device identifier regulations
ISO 13485:2016/Amd 2021 – the international quality system standard for medical device manufacturers
Regulation (EU) 2017/745 – the European Medical Device Regulations
SOR 98/282 – the Canadian Medical Devices Regulation
MDSAP AU P0002.008 – the Medical Device Single Audit Program audit approach guidance document

Auditing Services Quote Read More »

Jan 23 2022

How to write Instructions for Use (IFU)

Never blindly copy your competitor’s Instructions for Use (IFU)

Copying is easy, and the US FDA’s substantial equivalence requirements for 510(k) clearance encourage company’s to copy competitor products. However, most new medical devices include small differences which are intended to be improvements over the current state-of-the-art that is available from competitors. Therefore, even though the FDA may require you to match the wording for the indications for use of a competitor product, you should not make the mistake of extrapolating the requirements for indictions for use to also include your instructions for use (IFU).

Instructions for Use (IFU) should include a detailed description of your device–including identifying the differences between your medical device and competitor products or previous versions of your own device. In addition, labeling requirements are constantly changing. ISO 15223-1 now includes new symbols and the standard for “information supplied by the manufacturer” (EN ISO 20416:2021) was released. There are also updated regulatory requirements. There may even be new guidance documents specifying warnings, precautions, and contraindications that you must include in your instructions for use (IFU). These requirements may be applicable to your device, but they may not be applicable to your competitors or your competitor may not have updated their labeling to the new requirements yet.

This is how you should manage the process for writing instructions for use (IFU)

When you write instructions for use (IFU), you need a systematic process for creating and organizing the content and format of the IFU. We are updating our procedure; SYS-030, Labeling Procedure; to include the latest labeling requirements. The new procedure includes and updated template and labeling checklists for each market. However, to supplement the procedure we created this webinar in order to help manufacturers systematically develop the content and format for their instructions for use.

EN ISO 20417:2021 Medical Devices – Information to be supplied by the manufacturer

The EN ISO 20417:2021 standard supersedes EN 1041:2008+A1:2013. This standard provides guidance for medical device manufacturers regarding the format and content for instructions for use (IFU) provided by the manufacturer to users and patients. This webinar will review the requirements in this new EN standard as well as regulatory requirements for the instructions for use (IFU) found in the following regulations:

US FDA – 21 CFR 801
Canada – SOR 98/282, Section 21 and 22
Europe – Regulation 2017/745, Annex I, 23.1-23.4

How to write Instructions for Use (IFU) Webinar

You can register for participation in the live presentation of this training webinar for a cost of $64.50. You will receive:

a link for login to the live webinar via Zoom
a native slide deck for the webinar (30+ slides)
a link to download a recording of the live webinar (~1 hour in duration)

This live webinar includes ~60 minutes of presentation slides and 10-15 minutes of answering questions submitted to through the live chat window or verbally. The presentation explains how to document design changes prior to design transfer, during design transfer and after the product has been commercially launched. After you update your procedure for design changes, you can show the recording of this webinar to your design and development team to ensure that design and development documentation is compliant and updates are efficiently maintained. All deliveries of content will be sent via Aweber emails to confirmed subscribers.

Q&A related to Instructions for Use (IFU)

If you have any questions regarding how to write instructions for use (IFU) or EN ISO 20417:2021, please email me at rob@13485cert.com. I will use your questions as material for webinars and future blogs. If you have company-specific questions, please send me a request to set up a private call to discuss your specific issues.

How to write Instructions for Use (IFU) – available for $129.00

IFU Webinar Graphic How to write Instructions for Use (IFU)

How to write Instructions for Use (IFU) Webinar

This one-hour webinar explains how to systematically write instructions for use (IFU) for your medical device. The webinar was hosted on February 28, 2022, and anyone purchasing the webinar after that date will receive a link to a recording.

Price: $129.00

The updated labeling procedure includes a copy of our updated template for Instructions for Use (IFU) – TMP-006 and updated labeling checklists for the US FDA, Canada, and European requirements.

VIEW OUR PROCEDURES – CLICK HERE OR IMAGE BELOW:

About the Instructor

Robert Packard is a regulatory consultant with 25+ years of experience in the medical device, pharmaceutical, and biotechnology industries. He is a graduate of UConn in Chemical Engineering. Robert was a senior manager at several medical device companies—including the President/CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing, and maintaining ISO 13485 and ISO 14971 certifications. From 2009 to 2012, he was a lead auditor and instructor for one of the largest Notified Bodies. Robert’s specialty is regulatory submissions for high-risk medical devices, such as implants and drug/device combination products for CE marking applications, Canadian medical device applications, and 510(k) submissions. The most favorite part of his job is training others. He can be reached via phone at 802.258.1881 or by email. You can also follow him on Google+, LinkedIn, or Twitter.

How to write Instructions for Use (IFU) Read More »

Dec 16 2021

Post-Market Surveillance Summary Report Webinar

Purchase the Post-Market Surveillance Summary Report Webinar Recording & Native Slidedeck

Post-Market Surveillance Summary Report Webinar

This live one-hour webinar was recorded on how to prepare post-market surveillance summary reports for compliance with SOR/2020-262. This new Canadian Regulation came into effect on December 23, 2021.

Price: $129.00

You may also be interested in our Post-market Surveillance Procedure (SYS-019). The procedure has been updated to include the summary report requirements for the EU and Health Canada.

Post Market Surveillance Post Market Surveillance Summary Report Webinar

SYS-019 Post-Market Surveillance Procedure/Form

Price: $299.00

About the Author

Robert Packard is a regulatory consultant with 25+ years of experience in the medical device, pharmaceutical, and biotechnology industries. He is a graduate of UConn in Chemical Engineering. Robert was a senior manager at several medical device companies—including the President/CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing, and maintaining ISO 13485 and ISO 14971 certification. From 2009-2012, he was a lead auditor and instructor for one of the largest Notified Bodies. Robert’s specialty is regulatory submissions for high-risk medical devices, such as implants and drug/device combination products for CE marking applications, Canadian medical device applications, and 510(k) submissions. The most favorite part of his job is training others. He can be reached via phone 802.258.1881 or email. You can also follow him on Google+, LinkedIn or Twitter.

Post-Market Surveillance Summary Report Webinar Read More »

Oct 20 2021

eSTAR draft guidance is here, and wicked eSubmitter is dead.

5 Comments / 510(k), eSTAR / By Robert Packard / 510(k), eSTAR, FDA

I hated the the FDA eSubmitter template which was discontinued May 30, 2021. Finally we have eSTAR draft guidance for the new eSTAR template. Note: the final FDA eSTAR guidance was released on October 2, 2023 and we published a new blog the day of release.

History of 510k electronic submissions

The FDA has experimented with a multitude of pilot 510k submission programs over the years to streamline and improve the 510k submission content, formatting, and to facilitate a faster review process. The Turbo 510k program was one of the first successful pilot programs. In 2012, I wrote one of my first blogs about how to improve the 510k process. In September 2018, the FDA launched the “Quality in 510k Review Program Pilot” for certain devices using the eSubmitter electronic submission template. The goal of the this pilot program was to enable electronic submissions instead of requiring manufacturers to deliver USB flash drives to the FDA Document Control Center (DCC). I hated the eSubmitter template, and the FDA finally discontinued availability of the eSubmitter template on May 30, 2021. During the past 15 years, the FDA gradually streamlined the eCopy process too. Originally we had to submit one complete hardcopy, averaging 1,200 pages per submission, and one CD containing an electronic “eCopy.” Today, the current process involves a single USB flash drive and a 2-page printed cover letter, but today’s eCopy must still be shipped by mail or courier to the DCC.

eSTAR Pilot Program is Launched

During the 15-year evolution of the FDA eCopy, CDRH was trying to develop a reliable process for electronic submissions of a 510k. CBER, the biologics division of the FDA, has already eliminated the submission of eCopy submissions and now 100% of biologics submissions must be submitted through an electronic submissions gateway (ESG). In February 2020, CDRH launched a new and improved 510k template through the electronic Submission Template And Resource (eSTAR) Pilot Program. The eSTAR templates include benefits of the deceased eSubmitter template, but CDRH has incorporated additional benefits:

the templates use Adobe Acrobat Pro instead of a proprietary application requiring training;
support for images and messages with hyperlinks;
support for creation of Supplements and Amendments;
availability for use on mobile devices as a dynamic PDF;
ability to add comments to the PDF; and
the content and logic mirrors checklists used by CDRH reviewers.

Medical Device Academy’s experience with the eSTAR Templates

Every time the FDA has released a new template for electronic submissions we have obtained a copy and tried populating the template with content from one of our 510k submissions. Unfortunately, all of the templates have been slower to populate that the Word document templates that our company uses every day. On May 16 we conducted an internal training for our team on the eSTAR submission templates, and we published that training as a YouTube Video (see embedded video below). Then nine days later the FDA released updates to the eSTAR templates (version 0.7). The new eSTAR templates are available for non-IVD and IVD products (ver 0.7 updated May 27, 2021).

Sharon Morrow submitted our first eSTAR template to the FDA in August and we experienced no delays with the 510k submission during the initial uploading to the CDHR database, there was no RTA screening process, and CDRH did not identify any issues during their technical screening process. Shoron’s first eSTAR submission is now in interactive review, which is a better outcome than 95%+ of our 510k submissions. I have several other eSTAR submissions that are almost ready to submit as well. The other 510k consultants on our team are also working on their first eSTAR submissions.

Finally the CDRH releases an FDA eSTAR draft guidance

On September 29, 2021 the FDA released the new eSTAR draft Guidance for 510k submissions. This is a huge milestone because there have not been any draft guidance documents created for pilot programs. The draft indicates that the comment period will last 60 days (i.e. until November 28, 2021). However, the draft also states that the guidance will not be finalized until a date for requiring electronic submissions (i.e. submission via an ESG) is identified. The draft indicates that this will be no later than September 30, 2022. Once the guidance is finalized, there will be a transition period of at least one year where companies may submit via an ESG or by physical delivery to the FDA DCC.

Are there any new format or content requirements in the FDA eSTAR draft guidance?

There are no new format or content requirements in the eSTAR draft guidance, but the eSTAR template itself has several text boxes that must be filled in with summary information that is not specified in the guidance for format and content of a 510k. The information requested for the text boxes is a brief summary of non-confidential information contained in the attachments of the submission. Therefore, these boxes can information that would normally be in the overview summary documentst that are typically included at the beginning of each section of a 510k. If your overview documents do not already have this information, then you may have some additional work to do in order to complete the eSTAR templates. An example of one of these text boxes is provided below:

Another example of additional content required by the eSTAR templates is references to page numbers. Normally the FDA reviewer has to search the submission for information that is required in their regulatory review checklist. In the new templates the submitter is now asked to enter the page numbers of each attachment where specific information can be found. The following is an example of this type of request for a symbols glossary:

Are there any changes to the review timelines for a 510k in the eSTAR draft guidance?

The eSTAR draft guidance indicates that a technical screening will be completed in 15 calendar days instead of conducting a RTA screening. I believe that the technical screening is less challenging than the RTA screening, but the FDA has not released a draft of the technical screening criteria or a draft checklist. I would imagine that the intent was to streamline the process and reduce the workload of reviewers performing a technical screening, but we only have guesses regarding the substance of the technical review and so far our performance is 100% passing (i.e. 1 of 1). The next step in the 510k review process is a substantive review. Timelines for the substantive review are not even mentioned in the new draft guidance, but the FDA usually has the review clock details in Table 1 (MDUFA III performance goals) and Table 2 (MDUFA IV performance goals) of the FDA guidance specific to “Effect on FDA Review Clock and Goals.” In both tables, the goal is 60 calendar days, and our first eSTAR submission completed the substantive review in 60 days successfully. The 180-day deadline for responding to an additional information (AI) request has not changed in the eSTAR draft guidance, but our first submission is now interactive review. I believe this suggests that companies may have a higher likelihood of having an interactive review with their CDRH lead reviewer instead of being placed upon AI Hold, but we won’t have enough submissions reviewed by the FDA to be sure until the end of Q1 2022.

Register for our new webinar on the FDA eSTAR draft guidance

We hosted a live webinar on Thursday, October 21, 2021 @ Noon EDT. The webinar was approximately 37 minutes in duration. In this webinar we shared the lessons learned from our initial work with the eSTAR template. Anyone that registers for our webinar will also receive a copy of our table of contents template that we updated for use with the eSTAR templates. Unlike a 510k eCopy, an eSTAR template does not require a table of contents but we still use a table of contents to communicate the status of the 510(k) project with our clients. Finally, we reviewed the eSTAR draft guidance in detail. If you would like to receive our new eSTAR table of content template and an invitation to our live webinar, please complete the registration form below.

About the Instructor

Rob Packard is a regulatory consultant with ~25 years of experience in the medical device, pharmaceutical, and biotechnology industries. He is a graduate of UConn in Chemical Engineering. Rob was a senior manager at several medical device companies—including the President/CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing, and maintaining ISO 13485 and ISO 14971 certifications. From 2009 to 2012, he was a lead auditor and instructor for one of the largest Notified Bodies. Rob’s specialty is regulatory submissions for high-risk medical devices, such as implants and drug/device combination products for CE marking applications, Canadian medical device applications, and 510(k) submissions. The most favorite part of his job is training others. He can be reached via phone at +1.802.258.1881 or by email. You can also follow him on YouTube, LinkedIn, or Twitter.

eSTAR draft guidance is here, and wicked eSubmitter is dead. Read More »

Aug 17 2021

Software Service Provider Qualification and Management

2 Comments / Cybersecurity, Software Verification and Validation, Supplier Quality Management / By Matthew Walker / cybersecurity, software service provider, Software-as-a-service, Supplier Quality Management

What is your company’s approach to qualifying a software service provider and managing software-as-a-service (SaaS) for cybersecurity?

The need for qualifying and managing your software service provider

Most of the productivity gains of the past decade are related to the integration of software tools into our business processes. In the past, software licenses were a small part of corporate budgets, and the most critical software tools helped to manage material requirements planning (MRP) functions and customer relationship management (CRM). Today, there are software applications to automate every business process. Failure of a single software service provider, also known as “Software-as-a-Service” or (Saas), can paralyze your entire business. In the past, business continuity plans focused on labor, power, inventory, records, and logistics. Today our business continuity plans also need to expand for the inclusion of software service providers, internet bandwidth, websites, email, and cybersecurity. This new paradigm is not specific to the medical device industry. The medical device industry has become more dependent upon its supply chain due to the ubiquity of outsourcing, and what happens to other industries will eventually filter its way into this little collective niche we share. With that in mind, how do we qualify and manage a software service provider?

Threats to software service providers (Kaseya Case Study)

Two years ago the WannaCry ransomware attack affected 200,000 computers, 150 countries, and more than 80 hospitals.

Kaseya isn’t a hospital. Kaseya is a software service provider company. So why is this example relevant to the medical device industry?

The ransomware attack on Kaseya was severe enough that both CISA and the FBI got involved, and it compromised some Managed Service Providers (MSPs) and downstream customers. This supply chain ransomware attack even has its own Wikipedia page. The attack prompted Kaseya to shut down servers temporarily. None of this is a critique of Kaseya or their actions. They were merely the latest high-profile victim of a cyberattack in the news. Now cybercriminals are attacking your supply chain. We want to emphasize the concepts and considerations of this type of attack as it pertains to your business.

What supplier controls do you require for a software service provider?

If you are a manufacturer selling a medical device under the jurisdiction of the U.S. FDA, you need to comply with 21 CFR 820.50 (i.e. purchasing controls). The FDA requires an established and maintained procedure to control how you are ensuring what your company buys meets the specified requirements of what you need. Many device manufacturers only consider suppliers that are making physical components, but a software service provider may be critical to your device if your device is software as a medical device (SaMD), includes software, or interacts with a software accessory. A software service provider may also be involved with quality system software, clinical data management, or your medical device files. Do you purchase software-as-a-service or rely upon an MSP for cloud storage?

You need to determine if your software service provider is involved in document review or approval, controlling quality records, Protected Health Information (PHI), or electronic signature requirements. You don’t need a supplier quality agreement for all of the off-the-shelf items your company purchases. For example, it would be silly to have Sharpie sign a supplier quality agreement because you occasionally purchase a package of highlighters. On the other hand, if you are relying upon Docusign to manage 100% of your signed quality records, you need to know when Docusign updates its software or has a security breach. You should also be validating Docusign as a software tool, and there should be a backup of your information.

21 CFR 820.50 requires that you document supplier evaluations to meet specified and quality requirements per your “established and maintained” procedure. The specified requirements for this supplier might include the following:

How much data storage do you need?
How many user accounts do you need?
Do you need unique electronic IDs for each user?
Do you need tech support for the software service?
Is the software accessed with an internet browser, is the software application-based, or both?
How much does this software service cost?
Is the license a one-time purchase? Or is it a subscription?

The quality requirements for a supplier like this may look more like these questions;

How is my information backed up?
Can I restore previous file revisions in the case of corruption?
How can I control access to my information?
Can I sign electronic documents? If yes, is it 21 CFR Part 11 compliant?
Does this supplier have downstream access to my information? (can the supplier’s suppliers see my stuff?)
Do I manage PHI? If so, can this system be made HIPAA compliant? What about HITECH?
What cybersecurity practices does this supplier utilize?
How are routine patches and updates communicated to me?

A risk-based approach to supplier quality management

ISO 13485:2016 requires that you apply a risk-based approach to all processes, including supplier quality management. A risk-based approach should be applied to suppliers providing both goods and services. For example, you may order shipping boxes and contract sterilization services. Both companies are suppliers, but in this example, the services provided by the contract sterilizer are associated with a much higher risk than the shipping box supplier. Therefore, it makes sense that you would need to exercise greater control over the sterilizer. Software service providers are much like contract sterilizers. SaaS is not tangible but the service provided may have a high level of risk and potential impact on your quality management system. Therefore, you need to determine the risk associated with SaaS before you can evaluate, control, and monitor a software service supplier.

First, you need to document the qualification of a new supplier. It would be nice if your cloud service provider had a valid ISO 13485:2016 certification. You would then have an objectively demonstratable record of their process controls and know that they are routinely audited to maintain that certification. They would also understand and expect to undergo 2nd party supplier audits because they operate in the medical device industry. Alternatively, a software service provider may have an ISO 9001:2015 certification. This is a general quality system certification that may be applied to all products or services. In the absence of quality system certification, you can audit a potential supplier. For some suppliers, this makes sense. However, many companies that are outside of the medical device industry do not even have a quality system because it is not required or typical of their industry. For the ones that do, though, you can likely leverage their existing certifications and accreditations.

Cybersecurity standards you should know

Most cloud service providers will not have ISO 13485 certification, because it is a quality management standard specific to the medical device industry. However, you might look for some combination of the following ISO standards that may be relevant to a software service provider:

ISO/IEC 27001 Information Technology – Security Techniques – Information Security Management Systems – Requirements
ISO/IEC 27002:2013 Information Technology. Security Techniques. Code Of Practice For Information Security Controls
ISO/IEC 27017:2015 Information Technology. Security Techniques. Code Of Practice For Information Security Controls Based On ISO/IEC 27002 For Cloud Services
ISO/IEC 27018:2019 Information Technology – Security Techniques – Code Of Practice For Protection Of Personally Identifiable Information (PII) In Public Clouds Acting As PII Processors
ISO 22301:2019 Security And Resilience – Business Continuity Management Systems – Requirements
ISO/IEC 27701:2019 Security Techniques. Extension to ISO/IEC 27001 and ISO/IEC 27002 For Privacy Information Management. Requirements And Guidelines

Does your software service provider have SOC reports?

The acronym “SOC” stands for Service Organization Control, and these reports were established by the American Institute of Certified Public Accountants. SOC reports are internal controls that an organization utilizes and each report is for a specific subject. SOC reports apply to varying degrees for SaaS and MSP Suppliers

The SOC 1 Report focuses on Internal Controls over Financial Reporting. Depending on what information you need to store on the cloud, this report could be more applicable to the continuity of your overall business than specifically to your quality management system.

The SOC 2 Report addresses what level of control an organization places on the five Trust Service Criteria: 1) Security, 2) Availability, 3) Processing Integrity, 4) Confidentiality, and 5) Privacy. As a medical device manufacturer, these areas would touch on control of documents, control of records, and process validation, among other areas of your quality system. Some suppliers may not share a SOC 2 report with you, because of the amount of confidential detail provided in the report.

The SOC 3 Report will contain much of the same information that the SOC 2 Report contains. They both address the five Trust Service Criteria. The difference is the intended audiences of the reports. The SOC 3 is a general use report expected to be shared with others or publicly available. Therefore, it doesn’t go into the same intimate level of detail as the SOC 2 report. Specifically, information regarding what controls a system utilizes is very brief if identified at all compared to the description and itemized list of controls in the SOC 2 Report.

Other ways to qualify and manage your software service provider

SOC reports will help paint a picture of the organization you are trying to qualify for. You will also need to evaluate the supplier on an ongoing basis. It is essential to know if the supplier is subject to routine audits and inspections to maintain applicable certifications and accreditations. For example, if their ISO certificate lasts for three years, you should know that you should follow up with your supplier for their new certificate at least every three years. On the other hand, if they lose certification, it may signify that the supplier can’t meet your needs any longer and you should find a new supplier.

There is a long list of standards, certifications, accreditations, attestations, and registries that you can use to help qualify a SaaS or MSP supplier. One such registry is maintained by Cloud Security Alliance (i.e. the CSA STAR registry). “STAR” is an acronym standing for Security, Trust, Assurance, and Risk. CSA describes the STAR registry in their own words:

“STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM) and CAIQ. Publishing to the registry allows organizations to show current and potential customers their security and compliance posture, including the regulations, standards, and frameworks they adhere to. It ultimately reduces complexity and helps alleviate the need to fill out multiple customer questionnaires.”

Some of the questions your supplier qualification process should be asking about your SaaS and MSP suppliers include:

Why do I need this software service?
Which standards, regulations, or process controls need to be met?
What is required for qualifying suppliers providing SaaS or an MSP?
How will you monitor a software service provider?

ISO certification, SOC reports, and the CSA STAR registry are supplier evaluation tools you can use for supplier qualification and monitoring. When you use these tools, make sure that you ask open-ended questions instead of close-ended questions. Our webinar on supplier qualification provides several examples of how to convert your “antique” yes/no questions into value-added questions.

Your software service provider should be able to provide records and metrics demonstrating the effectiveness of their cybersecurity plans. Below are three examples of other types of records you might request:

Cloud Computing Compliance Controls Catalogue or “C5 Attestation Report”
System Security Plan for Controlled Unclassified Information in accordance with NIST publication SP 800-171
Privacy Shield Certification to EU-U.S. Privacy Shield or Swiss-U.S. Privacy Shield

The privacy shield certification may be especially important for companies with CE Marked devices in order to comply with the European Union’s General Data Protection Regulation (GDPR) or Regulation 2016/679.

A final consideration for supplier qualification is, “Who are the upstream suppliers?” It is essential to know if your new supplier or their suppliers will have access to Protected Health Information (PHI). Since you have less control of your supplier’s subcontractors, you may need to evaluate how your supplier manages their supply chain and which general cybersecurity practices your supplier’s subcontractors adhere to.

Additional cybersecurity, software validation, and supplier quality resources

For more resources on cybersecurity, software validation, and supplier quality management please check out the following resources:

Live Cybersecurity webinar – August 19

Software Service Provider Qualification and Management Read More »

Aug 3 2021

How much does a 510k cost?

2 Comments / 510(k) / By Robert Packard

How much a 510k costs is the most common question I receive from customers, and there are three parts to the cost of a 510k.

There are three parts to the 510k cost of submission:

Testing
Submission Preparation
FDA User Fees

The highest cost is testing

The testing cost is the most significant cost, but I think the average is around $100K for our clients. For devices that only consist of a software (i.e., software as a medical device or SaMD), the testing costs are less, but the cost of documenting your software validation and cybersecurity will be more extensive than the cost of preparing your 510k and the FDA user fee. The more you can do in-house, the lower the testing costs will be. Biocompatibility testing for a non-invasive device might be only $13,000, but a long-term implant can cost as much as $100,000 for implantation studies. Sterilization validation testing depends upon the method of sterilization and whether you are doing a single-lot method or a full validation. Typical costs for EO sterilization validation are around $15,000, and then you should add several thousand more for the shelf-life testing.

For devices that are powered and/or have software, you will need to perform software validation in accordance with IEC 62304 ed 1.1 (2015). There are also five FDA guidance documents that apply:

You can do all of the software validation in-house, but some firms outsource the software validation. In the long term, you need to learn this, and it pays to hire an expert in IEC 62304 to help your team learn how to document software validation if you have not done this before. Typically, software validation documentation will be between 300 and 1,000 pages long.

Electrical safety and EMC testing are often the most expensive part of the testing process for our customers. EMC testing should always be done first to ensure you can pass the immunity and emissions testing. If you must modify the device to pass the EMC testing, you must repeat any electrical safety testing. The total cost of this testing is typically $50-60K.

Performance testing is the last part of the testing process. Performance testing should be performed on sterile and aged products if your product requires sterility and claims a shelf-life. Most of the testing is benchtop testing only to demonstrate performance. This includes simulated use testing (e.g., summative usability testing), cadaver testing, and computer modeling. Benchtop performance testing typically takes tens of thousands of dollars to complete, but you might be able to do the testing in-house. If animal testing is required, this typically costs around $100K. Finally, if a human clinical study is required (i.e., ~10% of 510k submissions), you should expect to spend between $250K and $2.5 million. Some simple clinical studies (e.g., IR thermometers) cost less than $100K, but these resemble benchtop performance testing in many ways.

The second highest cost is the cost of submission preparation

Medical Device Academy has two different options for preparation consulting fees. Your first option is hourly consulting fees. The second option is a flat fee. As of July 2023, we are charging $3,500 for pre-submission preparation and $17,500 for 510k submission preparation.

510k cost #3 is the cost of the FDA user fee

You have three options for your FDA user fees:

Third-party review
FDA review (standard user fee)
FDA review (small business user fee)

The first option is to avoid the FDA altogether and submit to a third-party reviewer. We only recommend one third-party reviewer (i.e., Regulatory Technology Services), because the other companies do not have sufficient experience to have predictable review times and positive outcomes. The typical RTS third-party review cost is 6% more than the FDA Standard fee.

The second option is to submit directly to the FDA. The standard user fee for FDA review of a 510k is $21,760 for FY 2024.

The third option is to apply for small business status. For companies that have annual revenues of less than $100 million USD, the FDA will grant you small business status. For companies with small business qualifications, the FDA user fee is reduced to $5,440.

Reduce 510k cost by applying for small business status

Any medical device company with revenues of less than $100 million annually can apply, but you must apply each year. There is no application fee, but you must complete FDA Form 3602 if you are a US firm. The form must be completed for each subsidiary too. FDA Form 3602A must be completed for foreign firms, and the national tax authority must verify the accuracy of your income statement on the form to submit it to the FDA. If your national tax authority refuses to sign the form, you can justify it, but I don’t know anyone who has done this yet. The qualification review by the FDA requires 60 days. Therefore, you should apply every year in August for the next fiscal year (October 1, 2023 – September 30, 2024, is FY 2024). The form will request that you include your Organization ID #. A Dun & Bradstreet Number (DUNS #) is also required if your firm is located outside the USA. Finally, you need to attach a copy of your tax return. Therefore, you must file your tax return–even if your firm had a loss or had no revenues. You can also use R&D tax credits in the USA or Canada if you are a start-up device company developing a new device.

About the Author

Rob Packard is a regulatory consultant with 25+ years of experience in the medical device, pharmaceutical, and biotechnology industries. He is a graduate of UConn in Chemical Engineering. Robert was a senior manager at several medical device companies—including the President/CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing, and maintaining ISO 13485 and ISO 14971 certifications. From 2009 to 2012, he was a lead auditor and instructor for one of the largest Notified Bodies. Robert’s specialty is regulatory submissions for high-risk medical devices, such as implants and drug/device combination products for CE marking applications, Canadian medical device applications, and 510(k) submissions. The most favorite part of his job is training others. He can be reached via phone at 802.258.1881 or by email. You can also follow him on Google+, LinkedIn, YouTube, or Twitter.

How much does a 510k cost? Read More »

Jul 14 2021

Are you a little curious, or fascinated by competitive warning letters?

1 Comment / CAPA, FDA / By Matthew Walker

Did you know you can download competitor inspectional observations to learn which quality issues are likely to result in warning letters?

Not long ago the FDA published their Inspectional Observation Data Sets. They are Excel spreadsheets of the dreaded 483 inspection observations and warning letters that the FDA issues after performing inspection of manufacturers. There is a spreadsheet for each of the following topic areas, and we will take a look at the ‘Devices’ observations. A post-mortem data analysis or speculative data autopsy if you will… What can we learn when examining an FDA inspection observation?

Biologics
Drugs
Devices
Human Tissue for Transplantation
Radiological Health
Parts 1240 and 1250
Foods (includes Dietary Supplements)
Veterinary Medicine
Bioresearch Monitoring
Special Requirements
Total number of inspections and 483s

These are nonconformities written by the FDA to the Code of Federal Regulations, so there won’t be any statistics for ISO 13485:2016 or Regulation (EU) 2017/745. There will be lots of findings under the ‘QSR’ or 21 CFR 820. The good news, unlike an ISO Standard, is that the Code of Federal Regulations is publicly available online for free. It isn’t a pay-to-play game and we can share the full text of the requirement without violating any copyright licensing agreements.

The top 10 areas for inspection observations and warning letters are:

CAPA procedures
Complaint procedures
Medical Device Reporting
Purchasing Controls
Nonconforming Product
Process Validation
Quality Audits
Documentation of CAPA actions and results
Training
Device Master Record

Corrective and preventive action is the most common reason for warning letters

The winning quality system requirement that resulted in the most 483 inspection observations and warning letters was for Corrective and Preventive Actions under 21 CFR 820.100(a). This finding is listed when a manufacturer fails to establish a CAPA procedure or the procedure is inadequate. This finding was cited 165 times. In addition, CAPA activities or their results were not documented or were not documented adequately a total of 32 times under 21 CFR 820.100(b). This gives us a grand total of 197 observations for the CAPA process.

Corrective and preventive actions are either fixing an identified problem and making sure it doesn’t happen again, or stopping a potential problem from happening in the first place. It is both the reactive and proactive response for quality issues and product non-conformance. The text of the requirement is:

“§820.100 Corrective and preventive action.
(a) Each manufacturer shall establish and maintain procedures for implementing corrective and preventive action. The procedures shall include requirements for:
(1) Analyzing processes, work operations, concessions, quality audit reports, quality records, service records, complaints, returned product, and other sources of quality data to identify existing and potential causes of nonconforming product, or other quality problems. Appropriate statistical methodology shall be employed where necessary to detect recurring quality problems;
(2) Investigating the cause of nonconformities relating to product, processes, and the quality system;
(3) Identifying the action(s) needed to correct and prevent recurrence of nonconforming product and other quality problems;
(4) Verifying or validating the corrective and preventive action to ensure that such action is effective and does not adversely affect the finished device;
(5) Implementing and recording changes in methods and procedures needed to correct and prevent identified quality problems;
(6) Ensuring that information related to quality problems or nonconforming product is disseminated to those directly responsible for assuring the quality of such product or the prevention of such problems; and
(7) Submitting relevant information on identified quality problems, as well as corrective and preventive actions, for management review.
(b) All activities required under this section, and their results, shall be documented.“

We can see that under section (a) the requirement is that there is an established and maintained process control with a numerical list of required inputs and outputs of that process. The process control is easy, use a procedure. You have to establish a procedure and you have to maintain it. That is one part of the first 165 observations.

The second part is that the procedure needs to be ‘adequate’. That means that bullets (1)-(7) need to be addressed within that procedure. For example number (2) is “Investigating the cause of nonconformities relating to product, processes, and the quality system;”. This means that the procedure should be explaining not only that your quality system will be doing that investigation, but who will be doing it and how they will be doing it.

“The cause of nonconformities shall be investigated”, may not be an adequate process control. Yes, it addressed the need for a root cause evaluation, but does it do that adequately?

“The RA/QA Manager will complete or assign a staff member to complete the root cause evaluation of Corrective Actions utilizing methods such as a ‘5-Why Analysis’ by filling in section 2. Of the CAPA report form.” This wording is much closer to what is needed in a procedure. It explains who is doing what, roughly how they might do it, where that activity gets documented and identifies the record that the activity produces.

Which brings us to the extra 32 findings where the activities and their results either weren’t documented or were done so poorly. This is why identifying the input (Root Cause Analysis) and the output (Section 2. of the CAPA report) are important. It allows you, the inspector or an auditor to trace from the procedure to the record that part of the process produces to demonstrate conformity.

As the age old saying goes, “if it isn’t documented, it didn’t happen”. That record should show that yes you did a root cause analysis (the activity) and what the conclusion of that analysis was (the results of that activity). These types of records are so vital to your quality system that there is an entire process dedicated to the control of records. I’ll give you a hint, it is Subpart-M of the QSR.

This is also a great segway to show how the processes go hand in hand and CAPA is interrelated to Document Control, Record Control, and your Quality System Record. Your system processes will continually wrap back around to each other in this manner. For example, CAPAs are a required input into your Management Review process so if you don’t have a CAPA procedure you aren’t performing adequate management reviews.

A note on other systems

If your quality system is also ISO 13485:2016 compliant, Corrective Actions and Preventive Actions are separate items under separate sub-clauses. Corrective Actions are in 8.5.2., and Preventive Actions are in 8.5.3. Meaning if you have a mature quality system that has never had a preventive action, then your CA might be fine, but the PA of that process may be inadequate.

An industry standard for CAPAs is applying a risk based approach, and we have an entire webinar dedicated to the subject! How to create a risk-based CAPA process

Complaints are the second most common reason for warning letters

%name Are you a little curious, or fascinated by competitive warning letters?

The silver medal goes to complaints. Much like CAPA the biggest issue is no, or inadequate complaint handling procedures. This specific finding was cited 139 times (overall complaint handling has more but this specific issue was the most cited). Not to sound like a broken record but again, complaint handling is a specific process that requires an ‘established and maintained procedure”.

As a procedure it has to exist, it has to be maintained, and each process has requirements for inputs and outputs that must be outlined. Complaint handling is a little bit different in the QSR in that there isn’t a ‘complaint’ sub-part. Complaints are under Sub-Part M- Records, specifically 21 CFR 820.198 Complaint Files.

To compare, Complaints in accordance with ISO 13485:2016 are under Measurement Analysis and Improvement, specifically Sub-clause 8.2.2. Complaint Handling. It is sandwiched in between Feedback and Reporting to Regulatory Authorities. That had to have been done on purpose because those processes are inherently intertwined and their inputs and outputs directly feed into each other:

“§820.198 Complaint files.
(a) Each manufacturer shall maintain complaint files. Each manufacturer shall establish and maintain procedures for receiving, reviewing, and evaluating complaints by a formally designated unit. Such procedures shall ensure that:
(1) All complaints are processed in a uniform and timely manner;
(2) Oral complaints are documented upon receipt; and
(3) Complaints are evaluated to determine whether the complaint represents an event which is required to be reported to FDA under part 803 of this chapter, Medical Device Reporting.”

This sub-section of ‘Records’ may be less intuitive than what we saw under CA/PA. We can see that we have to maintain complaint files. We also need a procedure that covers receipt, review, and evaluation of complaints. Then we have to name a formally designated complaint handling unit to do all of that.

Further we need to make sure that complaints are handled uniformly and efficiently. It should be a cookie cutter process with a known timeline. Every complaint goes through the same review and evaluation within a specific time period. If it takes six months to review a complaint, that definitely is not a ‘timely manner’.

Not every complaint will be sent to you via certified mail with ‘Complaint’ written across the top in big BOLD letters. Sometimes people will simply tell you about a complaint they have verbally and your process needs to define how it is addressing these verbal communications. Otherwise your FDA inspection observation will be written, and you run the risk of receiving warning letters.

This of course begs the question, what is a complaint? How will I know if I received one? Fortunately 21 CFR 820.3 provides us with definitions, one of them being what exactly a complaint is “(b) Complaint means any written, electronic, or oral communication that alleges deficiencies related to the identity, quality, durability, reliability, safety, effectiveness, or performance of a device after it is released for distribution.”.

There is no quiz at the end of this but I would caution you that this will probably be on the test. Anytime you ask a question like that and the regulation provides a definition for it, then it’s a good idea to include that definition within your procedure. This is a way to make sure that there is uniformity in the understanding of a procedure. If you miss a complaint because you didn’t realize that it was a complaint then your process is not effective. Eventually an auditor will pick up on the deficiencies in the process, document a finding and you will be doing a CAPA to fix it.

Every complaint needs to be reviewed, but not every complaint needs to be investigated. This was a much less cited issue (5). You are allowed to decide that an investigation isn’t needed. However, if you do then you must keep a record of why you decided that and name the person responsible for that decision.

That isn’t carte’ blanche to just write off investigations whenever you want. There are some things that require an investigation and there is no accepted rationale for not performing one. An example is when there is a possible failure of a device, it’s labeling or packaging to meet any of their specifications. Those need to be investigated without exception. What your system is allowed to do though is if you have already done an investigation and you received related similar complaints, there is no need to repeat the same investigation for every complaint.

An important concept of complaint handling is that you should be triaging your complaints as you receive them. There are certain types of complaints that must be reported to the FDA. More information is actually found under 21 CFR 803, not the 820 that we have been examining. These special complaints need to be identifiably separate from your normal run of the mill complaints. These complaints specifically need a determination of;

Whether the device failed to meet specifications;
Whether the device was being used for treatment or diagnosis; and
The relationship, if any, of the device to the reported incident or adverse event.

Outside of those special reportable complaints, all investigations have certain required outputs. By addressing every complaint in a uniform repeatable manner, this can be boiled down to a form. In fact creating a specific complaint form makes sure that all of the required information has been documented. Each record of an investigation by your formally designated complaint handling unit has to be include;

The name of the device;
The date the complaint was received;
Any unique device identifier (UDI) or universal product code (UPC), and any other device identification(s) and control number(s) used;
The name, address, and phone number of the complainant;
The nature and details of the complaint;
The dates and results of the investigation;
Any corrective action taken; and
Any reply to the complainant.

Some companies and corporations sprawl across the globe and have many sites all over the place. Not every manufacturer is limited to containing all of their operations within a single building. There are times where the formally designated complaint handling unit may be somewhere other than where the manufacturing is taking place. That is acceptable as long as communication between the two is reasonably acceptable. The manufacturer needs access to the records of the complaint investigations performed. Just as everything must be documented, all of that documentation must be producible as well. If not, your inspector will produce FDA 483 inpsection observations and warning letters.

If the complaint handling unit is outside of the United States the records have to be accessible in the United states from either the place where the manufacturers records are normally kept or at the initial distributor.

Complaint Handling and vigilance reporting are topics that we often find stuck together like velcro. We find them so interelated that we have a combined Complaint Handling and Vigilance Reporting Webinar.

Medical Device Reporting is the third most common reason for warning letters

The bronze medal recipient shows a drop in sheer numbers of FDA inspection observations. A total of 68 were written for the fiscal year of 2020, and these findings have a high likelihood of resulting in warning letters because these incidents may involve serious injuries and death. We are slowing down, but this is still a topic that gets an FDA inspection observation almost every week.

But again part of the issue is no, or bad procedures to control this process. Not to be confused with the (EU) MDR since as an industry we love acronyms so much, Medical Device Reporting is referenced within the Quality System Requirements of 21 CFR 820. We took a peek above in Complaint Handling. What makes this unique is that MDR actually lives in 21 CFR 803 Medical Device Reporting. What makes it even more special is that Part 803 is further broken down into sub-parts.

We will take a look at Sub-part E which is the reporting requirements for manufacturers. Medical Device Reporting is a process and as such needs a procedure to control it and that procedure must be maintained.

Some key points to capture is that there are reporting timelines that are measured in calendar days from when you become aware of information that reasonably suggests that one of your devices;

“(1) May have caused or contributed to a death or serious injury or
(2) Has malfunctioned and this device or a similar device that you market would be likely to cause or contribute to a death or serious injury, if the malfunction were to recur.”

There are some crucial takeaways. First, the clock starts ticking down calendar days, not work days, and holidays count. You can’t hold off reporting that your device killed someone because it’s around the holidays and over a few weekends.

Second, is that reporting timelines vary, generally between 5 and 30 calendar days. That means it is important to know the specific timeline for the type of report you are making and what the authority having jurisdiction requires for a timeline. The FDA may differ from Health Canada which in turn may differ from the EU, etc.

Third is that the bar to meet is what would be ‘reasonably known’, and that is somewhat of an ambiguous requirement open to interpretation.

They help clarify this with,

“(i) Any information that you can obtain by contacting a user facility, importer, or other initial reporter;
(ii) Any information in your possession; or
(iii) Any information that you can obtain by analysis, testing, or other evaluation of the device.”

The first two are usually not an issue, but the one that tends to get less attention is deeper analysis, testing or evaluation of the device. Due diligence is required here to make sure that you actually do know the information that should be ‘reasonably known’ to you.

The burden of investigation and root cause determination is placed squarely on the shoulders of the manufacturers and that is a process that can take some time. What happens when the reporting timely is fast approaching but your investigation won’t be finished before the clock runs out? The short answer is to report it anyway.

The longer answer is to report what information you do have with an explanation of why the report doesn’t have all of the required information. Then explain what you did to try to get all of the information, and file a supplemental or follow-up report later to fill in the gaps. Only having a partial report ready is not an excuse to miss the reporting deadline. It is however, the perfect excuse to get an FDA inpsection observation or warning letters.

Are you a little curious, or fascinated by competitive warning letters? Read More »

Search Results for: 13485

Regulatory responsibilities related to device supply chain disruptions – Organized by Jurisdiction

How to prevent device supply chain disruptions

Why?

Future blogs about device supply chain disruptions…Shortage Reporting

About the Author

How do you know if the FDA form you are using is current?

What happens if you are using an expired FDA form?

Examples of updated FDA forms for your 510k submission

Where can you find updated FDA forms?

Editing and Signing FDA Forms

Tips and Tricks for maintaining templates

Additional 510k submission resources

What are individual process audits?

What is a full quality system audit?

How do you evaluate auditing effectiveness?

What advantages do one full quality system audit present?

What advantages exist for individual process audits?

Can both approaches to internal audit scheduling coexist?

Next steps if you would like to try individual process audits

About the Author

Who quotes auditing services?

General pricing of auditing services

Name, Company, Email & Phone

What is the audit type?

Process areas that need auditing

Location (remote or on-site) for auditing services quote

Desired Date or Dates

What is the audit duration in hours?

Auditing criteria for auditing services quote

Never blindly copy your competitor’s Instructions for Use (IFU)

This is how you should manage the process for writing instructions for use (IFU)

EN ISO 20417:2021 Medical Devices – Information to be supplied by the manufacturer

How to write Instructions for Use (IFU) Webinar

Q&A related to Instructions for Use (IFU)

How to write Instructions for Use (IFU) – available for $129.00

About the Instructor

Purchase the Post-Market Surveillance Summary Report Webinar Recording & Native Slidedeck

About the Author

History of 510k electronic submissions

eSTAR Pilot Program is Launched

Medical Device Academy’s experience with the eSTAR Templates

Finally the CDRH releases an FDA eSTAR draft guidance

Are there any new format or content requirements in the FDA eSTAR draft guidance?

Are there any changes to the review timelines for a 510k in the eSTAR draft guidance?

Register for our new webinar on the FDA eSTAR draft guidance

About the Instructor

The need for qualifying and managing your software service provider

Threats to software service providers (Kaseya Case Study)

What supplier controls do you require for a software service provider?

A risk-based approach to supplier quality management

Cybersecurity standards you should know

Does your software service provider have SOC reports?

Other ways to qualify and manage your software service provider

Additional cybersecurity, software validation, and supplier quality resources

The highest cost is testing

The second highest cost is the cost of submission preparation

510k cost #3 is the cost of the FDA user fee

Reduce 510k cost by applying for small business status

About the Author

Corrective and preventive action is the most common reason for warning letters

A note on other systems

Complaints are the second most common reason for warning letters

Medical Device Reporting is the third most common reason for warning letters