What is the De Novo review timeline?

4 Comments / De Novo / By Robert Packard

The new FDA goal is to reduce the De Novo review timeline to 150 days for 70% of De Novo submissions, but how long does it take now?

What is an FDA De Novo submission?

An FDA De Novo submission is an application submitted to the FDA for creating a new device product classification. There are three classifications of devices by the FDA: Class 1, Class 2, and Class 3. Class 1 devices are the lowest-risk devices, and they only require general controls. Class 2 devices are moderate-risk devices that require “Special Controls,” and Class 3 are high-risk devices that require Pre-Market Approval (i.e., PMA). De Novo applications can only be submitted for Class 1 and Class 2 devices, and most of the De Novo submissions require clinical data to demonstrate that the clinical benefits of the new device classification outweigh the risks of the device to patients and users. It’s the need for clinical data that is partly responsible for the longer De Novo review timeline.

What is the De Novo review timeline?

Initially, the FDA required that Class 2 devices must be first submitted as a 510k submission. If the device did not meet the criteria for a 510k, then the company could re-submit a De Novo Classification Request to the FDA. On July 9, 2012, the regulations were revised to allow companies to submit De Novo Classification Requests directly. This makes sense because some devices have novel indications for use, and submission of a 510k would be a complete waste of time in money. For example, the first SARS-COV-2 test had to be submitted as a De Novo by Biofire to obtain permanent approval for the test instead of emergency use authorization (EUA). This change in 2012 dramatically reduced the De Novo review timeline.

On October 4, 2021, the FDA published a final rule for De Novo Classification Requests. This new regulation identified the De Novo review timeline as 120 calendar days. Even though 120 days is 30 days longer than the FDA review clock for a 510k, the actual timeline to review De Novo submissions was much longer.

Every five years, when Congress reauthorizes user fee funding of the FDA, new MDUFA goals are established. The draft MDUFA performance goals (which impact FDA funding) were published recently. The specific performance goal to review De Novo submissions is:

FDA will issue a MDUFA decision within 150 FDA Days for 70% of De Novo requests.

There are two problems with this goal. First, the term “FDA Days” is based on calendar days minus the number of days the submission was placed on hold, and we don’t have any visibility into the number of days submissions are placed on hold. In the past, submissions could be placed on hold multiple times during the Refusal to Accept (RTA) screening process, and the “FDA Days” is reset to zero days each time the company receives an RTA hold letter. In addition, even after the submission is finally accepted, the FDA places the submission on hold when they request additional information (i.e., AI Hold). RTA and AI Hold periods can last up to 180 days, and during the Covid-19 pandemic, companies were allowed to extend this up to 360 days.

The second problem with the MDUFA goal is that we only have visibility into the outcome of De Novo submissions that were granted. More than 60 De Novo submissions are submitted each year, but the number of De Novo Classification Requests granted ranged between 21 and 30 over the past three years. Therefore, the 50%+ of De Novo applications denied could skew the % of submissions that meet the MDUFA goal for the De Novo review timeline.

What is the FDA track record in reviewing a De Novo?

Every CEO I speak with asks the same question: “How long does the FDA review take?” In preparation for a webinar I taught about De Novo Classification Requests in 2019, I researched the latest De Novo review timelines. I expected the review timelines to be close to 150 calendar days because the FDA decision goal was 150 FDA days. The 150-day goal was set in 2018 when Congress approved MDUFA IV. The 2019 data held two surprises:

only 21 De Novo requests were granted in 2019, and
the average review timeline was 307 calendar days (i.e., the range was 108 days to 619 days).

FDA days are not the same as calendar days. Only 23.8% of De Novo submissions were reviewed within 150 calendar days. The FDA doesn’t calculate the number of FDA days as calendar days, but there is no way to know how much time each De Novo spent on hold publicly. Upon seeing the announcement of a new decision goal for MDUFA V on October 5, 2022, I decided to revisit my previous analysis.

*Only 9+ months of data for 2022, because data was collected on October 17, 2022.

We can blame the Covid-19 pandemic for the slower De Novo review timeline during the past few years, but you would expect a longer average duration in 2020 if that was the root cause of the FDA’s failure to achieve the MDUFA IV target of 150 calendar days. You would also expect 2021 to have the longest review timelines. Instead, the review timelines are the slowest for 2022. The number of De Novo submissions remains small, and therefore it is hard to be conclusive regarding the root cause of the failure to reach the 150-day decision goal. In addition, the percentage of De Novo applications granted within 150 calendar days was lowest in 2021, as you would expect if the reason for delays is primarily due to the Covid-19 pandemic.

Is there any good news?

The FDA is allowing the new eSTAR templates to be used for De Novo Classification Requests. These new electronic submission templates standardize the format of all 510k and De Novo submissions for FDA reviewers. The eSTAR also forces companies to answer all questions in the FDA reviewer’s checklist to ensure the submission is complete and accurate before the new submission is submitted to the FDA.

The new eSTAR templates were first used in 2021, and our firm has observed shorter overall review timelines and fewer deficiencies identified by FDA reviewers when they submit an “Additional Information Hold” (AI Hold) to companies.

How can the FDA improve De Novo timelines?

The FDA, industry, and Congress seem to be taking the same approach pursued five years ago to improve the review timeline for De Novo submission. MDUFA V authorized additional user fees for De Novo submissions (i.e., 17.8% increase), and the FDA will be authorized to hire additional employees each year during MDUFA V if the performance goals are met. However, there are three other options that the FDA and industry should have seriously considered during the FDA-industry negotiations.

The first option that should have been considered is to allow third-party reviewers to review the elements of a De Novo that are identical to a 510k submission:

sterilization validation
shelf-life testing
biocompatibility testing
software validation
electrical safety testing
EMC testing
wireless testing
interoperability testing
benchtop performance testing
animal performance testing
human factors engineering

The above approach would require blended pricing where the FDA charges a smaller user fee than a Standard De Novo user fee, and the third-party reviewer charges a smaller fee than a 510k. The combined cost would be higher than the FDA Review of a De Novo, but this would reduce the number of hours the FDA needs to complete their review of a De Novo, and it would allow for pricing that is much lower than the De Novo standard user fee for qualified small businesses.

A second approach would be to pilot a modular review approach. A modular review would be similar to modular reviews for PMA submissions. In a modular review, the FDA can review most submission sections and provide feedback before the human clinical performance data is available. This would not help the few De Novo submissions that do not include human clinical performance data, but this would have a profound positive impact on most De Novo projects. First, the FDA would be able to complete the review of all sections in the submission except the human clinical performance data without delaying the final De Novo decision. Second, a successful review of non-clinical data by the FDA would give investors more confidence to fund pivotal clinical studies required to complete the De Novo submission.

A third approach would be for the FDA to force manufacturers to submit testing plans and protocols as pre-submissions to the FDA. This approach would give the FDA more familiarity with each device and the testing plan before reviewing the data. This approach would also reduce the hours FDA reviewers spend reviewing data that doesn’t meet the requirements and writing deficiencies. This approach would also give investors more confidence to fund De Novo projects for all V&V testing.

What is the De Novo review timeline? Read More »

May 24 2022

What is a CAPA Board? and Do you need one?

1 Comment / CAPA / By Robert Packard

A CAPA Board is a team responsible for making sure that all CAPAs are completed on time and the actions taken are effective.

Many of the medical device companies we work with have to open a CAPA for their CAPA process because they fail to implement all the actions that were planned, they fail to implement corrective actions as scheduled, or the actions implemented fail to be effective. When we investigate any process, we typically see one of five common root causes:

top management is not committed to the CAPA process (we can’t fix this)
procedures and/or forms are inadequate
people responsible do not have sufficient training
management oversight of the process is neglected
there are not enough resources to do the work

Creating a CAPA Board can address four of these potential root causes, but the CAPA Board needs to understand how to work effectively.

Creating a CAPA Board shows a commitment to quality

Sometimes top management only pays lip service to quality. Top management’s actions demonstrate that quality is a cost-center, and they do not view quality as contributing to the revenue of the company. Instead, quality is viewed as a “necessary evil” like death and taxes. If this describes your company, sharpen your resume and find a new job. Quality is essential to selling medical devices and quality is the responsibility of everyone in the company. The Management Representative is responsible for “ensuring promotion and awareness” (see Clause 5.5.2c of ISO 13485) of regulatory and quality system requirements. This person should be training others on how to implement best practices in quality system management. One person or one department should never be expected to do most of the work related to the quality system.

A CAPA Board should be a cross-functional team of managers that help each other maintain an effective CAPA process. This means: 1) corrections are completed on time, 2) corrective and preventive actions are completed on time, and 3) each CAPA is effective. In order to do this consistently, the CAPA Board needs to work together as a team on the CAPA process. The CAPA Board doesn’t look for someone to blame. Instead, the CAPA Board rotates their responsibilities regularly, everyone is cross-trained on the roles within the CAPA Board, and the team passes tasks from one person or department that is overloaded to another person or department that has the resources to complete the tasks effectively and on time. A professional team must anticipate holes in task coverage, and someone on the team needs to communicate to the rest of the team which hole they are addressing. You can’t wait until the coverage gap is obvious and then have everyone jump into action. If you do this, your effectiveness will resemble a soccer team of 9-year-olds.

Is your CAPA procedure the root cause?

In most companies, the problem is not the CAPA procedure. Clauses 8.5.2 and 8.5.3 of ISO 13485 are quite specific about each step of the CAPA process, and therefore it is easy to write a procedure that includes all of the required elements. The CAPA procedure is also one of the first procedures that auditors and inspectors review, and therefore any deficiencies in your procedure are usually addressed after one or two audits. If you feel that your CAPA procedure needs improvement, the above link explains how to write a better CAPA procedure. You might also consider asking everyone that is responsible for the CAPA process to provide suggestions on how to improve your procedure to streamline the process and clarify the instructions. The best approach is to have a small group (i.e. 3 to 5 people) of middle-level managers, from different departments, assigned to a CAPA Board with the responsibility of improving the CAPA process and procedure. If you have a large company, you might consider rotating people through the CAPA Board each quarter instead of having a larger group.

Does your CAPA Board have sufficient training?

Everyone can benefit from more training–even instructors will periodically engage in refresher training. Before someone is assigned to work on a CAPA, that person needs to be trained. Nobody should be assigned to a CAPA Board unless they are prepared to become an expert in the CAPA process. Some companies will only require people to sign a training record that states they read and understood the CAPA procedure. However, you must also demonstrate that your training was effective and the person is competent at the task assigned. Therefore, we recommend training people on CAPAs by training them with a CAPA training webinar and evaluating the effectiveness of the training by having each person complete a quiz. The use of a training webinar will ensure that each employee receives the same training, and the quiz will provide objective evidence that they understood the training (i.e. it was effective). If you have a CAPA Board, each person on the board should be involved in your CAPA training, and it is their responsibility to make sure people in their department have been trained effectively.

Competency is the hardest thing to demonstrate for any task. You can do this by verifying that the person has performed this task in one or more prior jobs (e.g. resume). If the person does not have evidence of working on CAPAs in their previous employment, then you will need someone that is already competent in the CAPA process to observe each person completing CAPAs and providing feedback. Once each person has demonstrated successful completion of multiple CAPAs, then the expert can attest to their competency in a training record with references to each of the successful CAPAs that were completed. If you are the person assigning a CAPA or individual tasks to people, do not assign the role of investigation, or writing the CAPA, to anyone that has not already demonstrated competency unless you are assessing them for competency. Everyone on the CAPA Board should either already be competent in the CAPA process or another expert on the CAPA Board should be in the process of training them to become a CAPA expert.

CAPA Boards are responsible for management oversight of the CAPA process

The most common method for management oversight of the CAPA process is to discuss the status of CAPAs at a Management Review. This information can be presented by the Management Representative, but assigning the presentation of CAPA status to another person on your CAPA Board will delegate some of the Management Review tasks and gives other people practice at presenting to a group. Some companies only conduct a Management Review once per year, but this makes it impossible to review CAPAs that were initiated immediately after a Management Review unless the CAPA takes more than a year to implement. Even if your company conducts quarterly Management Reviews, the review of CAPA status during a Management Review should focus on the most important issues rather than discuss every CAPA in detail. The impact on safety, the impact on product performance, and the economic impact of a specific CAPA are all criteria for deciding which CAPAs to discuss during a Management Review.

The CAPA Board needs a metric or metrics for monitoring the effectiveness of the CAPA process. The simplest metric is to monitor the average aging of CAPAs. If that average is steadily rising week after week, then new CAPAs are not being initiated, and existing CAPAs are not being closed. You can also measure the time to write a CAPA plan and the time to perform an investigation or monitor the on-time completion of tasks. The most important thing is for someone to take action when these metrics are not aligned with your quality objectives for the CAPA process. Taking action after 90 days of neglect is not good enough. You need to be monitoring the CAPA process weekly, and you need to take action proactively. Therefore, your CAPA Board needs to meet weekly and you need to show evidence in your CAPA records of what actions were taken by the CAPA Board.

Who should be assigned to the CAPA Board?

Top management does not need to be directly involved in the CAPA Board. Top management already reviews the status of CAPAs during Management Reviews. In a small company (i.e. < 20 people) you might have no choice but to have the same people that are assigned to your CAPA Board also be members of top management. As your company gets larger, you should assign middle-level managers and people that are new to management as members of the CAPA Board. Participating in the CAPA Board will teach those managers to work together as a team to achieve shared company goals and to persuade their peers to help them. The experience of working on a CAPA Board will also expose less experienced managers to other departments outside of their expertise. Ideally, participation in the CAPA Board will build friendships between peers that might not speak to one another. Each CAPA represents a team-building opportunity. The team needs to find a way to pool its resources to complete CAPAs on time and effectively. It is also important to rotate the assignment to the CAPA Board so that eventually all of your middle-level managers are trained in the CAPA process and each of them has been evaluated on their demonstration of team leadership and effectiveness in working with peers cooperatively. In large companies, it is common to assign one member of top management to the CAPA Board to show that top management is supportive of the CAPA process and to provide authorization for additional resources and funding for actions when needed. The top management representative should also be rotated to make sure that all of the top management remains competent in the CAPA process.

How does the CAPA Board manage the CAPA process?

The CAPA Board should never be blaming an individual or department for the lack of CAPA success. The CAPA Board should be anticipating when a CAPA is falling behind schedule or might not be as effective as it should be. Nobody on the team should be afraid to voice their opinion or to make a suggestion. Each member of the team has the responsibility of asking for help when they need it and asking for help as early as possible. The CAPA assignments should be shared between the team members, and one person should be responsible for chairing the meetings. If everyone is experienced in participating in CAPA Boards, then the role of the chairperson can be rotated each week. If one or more team members are inexperienced, the person on the CAPA Board assigned to training them should be teaching them how to participate in the meetings and prepare them for acting as chairperson.

Every CAPA Board meeting should have a planned agenda and meeting minutes. Every open CAPA should be discussed during the meeting, but the amount of time devoted to each CAPA should be adjusted for the risk of the CAPA failing to be completed on time or failing to be effective. If a CAPA is going smoothly, the discussion might only last seconds. Any discussion or actions planned that are specific to a CAPA should be documented in the individual CAPA record as well as the meeting minutes. This will ensure that the CAPA records are maintained as required by the ISO 13485 standard and the regulations.

What is a CAPA Board? and Do you need one? Read More »

Apr 26 2022

Is monitoring every procedure required?

1 Comment / ISO 13485:2016, ISO Certification, Quality Management System / By Robert Packard

Process monitoring is required but do you know whether monitoring every procedure is required by the FDA QSR or ISO 13485?

One of the elements that Medical Device Academy has incorporated into each procedure we created in our turnkey quality system is a section titled, “monitoring and measurement.” The purpose of this section is to force each process owner to identify a process metric for monitoring every procedure. In some cases, we suggest a metric that would be appropriate for most companies establishing a new quality system. In other procedures, we use the following default text:

“Enter a quality metric that you want to track for this process in accordance with ISO 13485:2016, Clause 8.2.5 and the procedure for Monitoring, Measurement, and Analysis (SYS-017).”

Where are the requirements for process monitoring in 21 CFR 820?

Some of the companies that have purchased our turnkey quality system have asked, “Is it required to monitor and measure something in every procedure?” In general, it is not a specific requirement to have a metric specified in each procedure. In fact, if your quality system is not ISO 13485 certified, there are actually only a few places where the US FDA requires monitoring. The FDA does not have a section specific to monitoring and measurement of processes, but there is a section of the regulations specific to statistical techniques (i.e. 21 CFR 820.250). However, it does not state in the QSR that statistical analysis is required for all processes. In fact, there are only six instances where the word “statistical” is used:

21 CFR 820.100(a)(1) – “Analyzing processes, work operations, concessions, quality audit reports, quality records, service records, complaints, returned product, and other sources of quality data to identify existing and potential causes of nonconforming product, or other quality problems. Appropriate statistical methodology shall be employed where necessary to detect recurring quality problems;”
21 CFR 820.200(b) – “Each manufacturer shall analyze service reports with appropriate statistical methodology in accordance with § 820.100.”
21 CFR 820.250 – “(a) Where appropriate, each manufacturer shall establish and maintain procedures for identifying valid statistical techniques required for establishing, controlling, and verifying the acceptability of process capability and product characteristics. (b) Sampling plans, when used, shall be written and based on a valid statistical rationale. Each manufacturer shall establish and maintain procedures to ensure that sampling methods are adequate for their intended use and to ensure that when changes occur the sampling plans are reviewed. These activities shall be documented.” Note: the other two instances are the title of 21 CFR 820.250.

The word “monitoring” is equally rare (i.e. 4x) in the QSR:

21 CFR 820.70(a) – “Each manufacturer shall develop, conduct, control, and monitor production processes to ensure that a device conforms to its specifications…Where process controls are needed…(2) Monitoring and control of process parameters and component and device characteristics during production.”
21 CFR 820.75(b) – “Each manufacturer shall establish and maintain procedures for monitoring and control of process parameters for validated processes to ensure that the specified requirements continue to be met…(2) For validated processes, the monitoring and control methods and data, the date performed, and, where appropriate, the individual(s) performing the process or the major equipment used shall be documented.”

Where are the requirements for process monitoring in ISO 13485:2016?

ISO 13485:2016 has a section specific to monitoring and measurement of processes (i.e. Clause 8.2.5). In addition, the word “monitoring” occurs 52 times in the standard and there are 60 incidents of some variant or the exact word. , but there is a section of the regulations specific to statistical techniques (i.e. 21 CFR 820.250). However, it does not state in the QSR that statistical analysis is required for all processes. In fact, there are only six instances where the word “statistical” is used. There are four Clause headings that actually include the word monitoring:

Clause 7.6, Control of monitoring and measuring equipment
Clause 8.2, Monitoring and measurement
Clause 8.2.5, Monitoring and measurement of processes
Clause 8.2.6, Monitoring and measurement of product

In Clause 1, Scope, and Clause 4.1.5, the Standard states that any outsourced processes remain the responsibility of the company and must be accounted for in the quality system by monitoring, maintaining, and controlling the processes.

Monitoring of risk is included in the definition of “risk management” in the Standard (i.e. Clause 3.18).

Clause 4.1.3 states that the organization shall, “b) ensure the availability of resources and information necessary to support the operation and monitoring of these processes…d) monitor, measure as appropriate, and analyze these processes.”

Clause 4.2.3 states that the contents of the Medical Device File (i.e. MDR or TF), shall include, “d) procedures for measuring and monitoring.”

Monitoring and measurement of processes and product are required inputs to the Management Review in Clauses 5.6.2e) and f).

Clause 6.4.1 requires a procedure for monitoring the work environment if it can have an effect on product quality.

Clause 7.1 requires the company to consider including monitoring in product realization planning.

Clause 7.4.1 requires a plan for monitoring suppliers.

Clause 7.5.1 requires monitoring production and service, including the monitoring of process parameters and product characteristics.

Clause 7.5.6 requires monitoring of validated process parameters.

Clause 7.5.8 requires identification of status with regard to product monitoring and measurement (i.e. inspection status).

Clause 7.6 requires monitoring and measurement of calibrated devices and validation of any computer software used to monitor calibrated devices.

Clause 8.1 states that companies shall plan and implement monitoring and measurement of processes.

Clause 8.2 is titled, “Monitoring and measurement.”

Clause 8.2.1 requires monitoring of customer feedback.

Clause 8.2.5 requires monitoring of processes to ensure planned results are achieved.

Clause 8.2.6 requires monitoring of products to ensure product requirements have been met.

Clause 8.4 requires data analysis of monitoring data from at least six different processes:

Feedback
Conformity to product requirements
Characteristics and trends of processes and products, including opportunities for improvement
Suppliers
Audits
Service reports, as appropriate

In summary, while not every single clause that requires a procedure includes a requirement for monitoring, there are a number of processes where the requirement to monitor the process is explicitly stated.

Why do all of our procedures include the requirement for metrics?

Medical Device Academy expanded the requirement for monitoring to all procedures for five reasons:

Quality objectives must be “established at relevant functions and levels within the organization.” Therefore, establishing monitoring requirements for each procedure ensures that top management has metrics for every process and a lack of data is never an excuse for not establishing a new quality objective when improvement is needed.
If every procedure has a requirement for monitoring, then employees don’t have to remember which processes require monitoring and which processes do not explicitly require monitoring.
The process approach to auditing includes metrics of the process as one of the seven items that are included in every process turtle diagram, and therefore, including metrics for each procedure facilitates the process approach to auditing.
If a company does not have a process metric already established, it is often difficult to perform an investigation of the root cause of quality issues. If a metric is already being monitored for the process, this facilitates the investigation of the root cause and you can use the baseline monitoring data to help you establish effectiveness criteria for the corrective action.
Finally, most companies struggle to identify preventive actions as required by Clause 8.5.3, and we have found that data analysis of monitoring data is the best source of identifying new preventive actions.

What are the disadvantages when you monitor and measure something in every procedure?

The primary reason for resistance to identifying a metric for monitoring in every procedure is that it will increase the workload for the employees responsible for that process. However, monitoring of data does not always increase workload. In fact, when process data is recorded in real-time on a run chart it is often possible to identify a trend much earlier than when data is simply recorded and subjected to monitoring.

Example #1: The automatic tracking of toner in a printer tells HP when to ship you a new toner cartridge before you need it. This ensures that there is no loss in productivity because you never run out of ink or the ability to print documents.
Example #2: Companies will use project management software (e.g. Asana) to monitor labor utilization. This will help identify when a specific resource is nearing capacity. When this occurs, the project manager can add time buffers to prerequisite steps and adjust the starting date of the resource-limited tasks to an earlier starting date. This ensures that more time is available to finish the task or to take advantage of resource availability at an earlier date.
Example #3: Monitoring the revision date for procedures helps the document control process owner identify procedures that should be evaluated for the need to be revised and updated. Often this is articulated as a quality objective of reviewing and updating all procedures within 2 years. This also ensures that procedures remain current and compliant with regulatory requirements.

What are the advantages of monitoring every procedure?

The phrase “what gets measured gets managed” is a popular business philosophy that implies measuring employee activity increases the likelihood that employees will complete a task or perform it well. In contrast, if a process is not monitored, employees may assume that it is not important and the tasks may be skipped or completely forgotten. Setting quantitative goals is also sometimes integrated with economic incentives or bonuses that are granted to individuals and teams.

FDA transition from QSR to ISO 13485

The US FDA is planning its transition from 21 CFR 820 to ISO 13485 as the quality system criteria. This will force companies to make adjustments to their quality systems and increase the amount of process monitoring performed. My general advice is to work with employees that are performing tasks to identify streamlined methods for monitoring those tasks without being overly burdensome. Then you and the employees you manage can analyze the data together and identify opportunities for improvement. When you do this, experiment with manual methods using whiteboards and paper charts that are visible in public areas first. Only implement automated solutions after you have optimized the data being collected and the frequency of data collection, and remember that not every process will benefit from automated statistical process control. Sometimes the simple approach is best.

Is monitoring every procedure required? Read More »

Apr 24 2022

Testimonials

“While searching for guidance on how to validate an IFU, I came across the webinar on ‘IFU Validation and PMS’ sponsored by Medical Device Academy. It was very helpful – not only did I get an understanding of validating an IFU but learned more about Post Market Surveillance. I have always found articles by Rob extremely well-written, practical, and always helpful. This webinar was a reasonable cost and the payback was invaluable.”

-Barbara Rinaldi, Dir QA, Tepha, Inc

“It was a great opportunity of learning when Mr. Rob Packard was available at our facility and spent 4 days on knowledge transfer. His skill to identify the gap between requirement and practice was admiring. His guidance strengthens the compliance practice. His advice on the effectiveness of corrective action, design control elements and process approach concept added value to our quality system”

– Abdul Raheem, QA Manager, UNIMED, KSA

“I really enjoyed meeting Rob and taking his 2-day lead auditor course, but the learning didn’t stop when the course was over. When he returned my graded exam he took the time to explain the correct answers to questions I got wrong. Providing the correct answers was very helpful. I wish my previous auditing instructor had done the same.”

– Tony Sapp, Medical Device Supplier Auditor

“We had our FDA inspection mid last year. Your webinar and prep tips were genuinely useful to me in our preparation activities. The war room was a great success! It was actually my first FDA inspection and a great learning curve for me and our site.”

– Brian Mulcahy, QA Manager; Ireland

“I conducted a thorough search for a senior consultant to conduct a project which required specialized knowledge of medical devices, ISO 13485, and European directives. Mr. Robert Packard was by far the most qualified among the candidates; he not only met the technical profile but I found his emotional intelligence skills remarkable. In simple terms, Mr. Packard was:

Expert in the areas of implantable medical devices, ISO 13485, and CE marking,
Methodical in his work,
Knowledgeable in the ways of the medical device industry, and
Most importantly, he was very easy to work with.

I highly recommend Mr. Packard and vouch for him.”– Zak Kouloughli, President, Tradeline Medical; Austin, TX“Robert is by far the best quality practitioner and “partner” with whom I’ve worked. He is an expert in Quality Assurance including Regulatory Affairs for ISO 13485 (medical devices). Perhaps Robert’s best attribute however is his ability and eagerness to transfer his knowledge. He has a knack for taking often complex methodologies and breaking them down into simpler terms using examples and analogies so that his audience walks away with a complete understanding of the topic. I’m continually amazed at Robert’s breadth of knowledge and his recall. Robert is highly recommended for training Quality related topics including but certainly not limited to ISO certification, Auditing, Supplier evaluations, CAPA, Root Cause Investigation, and complaint handling. You’ll walk away with a thorough understanding of the topic and thinking about which topic you’d like Robert to present next.”– Alan Frechette, QA Supervisor, PEXCO Medical Products; Athol, MA“Rob Packard has a unique and special ability to train individuals in a manner that not only do they learn, but they have fun doing so! He is able to take a topic that is “boring” and make it interesting. He has a wealth of product, quality, and auditing knowledge that gives him a balance that I have not seen with any other trainer. I have been in quality for 25 years and have been through several training classes; however, I have never experienced or walked away with as much knowledge as I did with his training class. He is awesome!”– Julee Bankes, QA Manager, SmartPractice; Phoenix, AZ“One thing is certain with Bob – you will not find anyone more versed, not only in the obvious Regulatory/Audit/Certification area but also in all facets of operations. This is the real reason why his expertise is so valuable. He cannot be fooled and he will talk the talk with the experts at your company with ease and insight. Almost all the “trainers” out there have serious limitations. Not so with Bob.”– Dennis R. Cote, Supply Chain Manager, CAS Medical Systems, Inc.; Branford, CT“Rob Packard is an excellent teacher whether it is in a classroom setting, conference room setting, or the shop floor. His detailed recall of the key quality standards in the industry today allows him to provide his students with accurate information that ensures they will always have the correct training to navigate the perils of an external audit from any organization or government body. What makes Rob unique is his ability to show his students or clients how to reduce the details and requirements of the quality standards into a world-class QMS for each of their employers. Each time I interact with Rob, I come away with specific ideas that I implement to improve the quality system and products manufactured by KaZaK.”– Brian J. Smith, Director of Engineering, KaZaK Composites, Inc.; Woburn, MA

Testimonials Read More »

Feb 15 2022

Device Supply Chain Disruptions

3 Comments / FDA, Supplier Quality Management / By Matthew Walker

What can you do to stay ahead of medical device supply chain disruptions and comply with reporting requirements of possible device shortages?

Device Supply Chain Disruptions Device Supply Chain Disruptions

Supply chain issues can be somewhat cyclical. As we approach the holiday season, we also approach the shipping season. Public shipping services such as FedEx and UPS see an increase in freight as the holiday seasons approach. Manufacturers need raw materials and components to stock the shelves with all of those holiday gifts. Since we are still living under pandemic conditions, I would be willing to bet there will be more care packages and mailed gifts in place of traditional gatherings. On top of the approaching increase in demand, staffing shortages can very quickly exacerbate supply chain bottlenecks. All the while importers are still expected to… well, import! If transportation affects all general industry you can bet it can also cause medical device supply chain disruptions.

So what does an overburdened mail service have to do with medical devices and quality systems?

Consider, how are your customers getting your product in their hands? How are you receiving raw materials and components? How about your contract manufacturer? Do they have supply chain redundancies? Does your supplier quality agreement address notifications for shipping disruptions?

Do you have a regulatory obligation to report a shortage/supply chain disruption or interruption of manufacturing to the FDA, or Health Canada? The FDA monitors for discontinuance and meaningful disruption of manufacturing certain devices and similarly Health Canada monitors their own list of devices for market shortages. Supply chain disruptions either through difficulty sourcing of raw materials and components, or through transportation breakdown of finished devices to market are just one way you could experience a reportable disruption or shortage.

Matthew did not choose the topic of medical device supply chain disruptions randomly. His signature brand of pessimistic cynicism is the reason we have him tasked with keeping his fingers on the pulse of global concerns and potential threats and risks. Potential supply chain disruptions will involve your quality staff in developing preventive actions and contingency plans in case there is an issue. Then, your regulatory team will be in charge of reporting and AHJ notification if you are an affected manufacturer (or importer in Canada!). Understaffed and overloaded shipping and transportation suppliers are about to be bombarded with seasonal freight. This makes them an attractive target for ransomware because, just like healthcare facilities, they will not be in a situation where they can afford any downtime.

U.S. FDA

The FDA requires reporting shortages and supply chain disruptions to CDHR of permanent discontinuance or interruption in manufacturing of a medical device in Section 506J of the FD&C Act. Especially so in response to the COVID-19 public health emergency. In part, the general public’s need for healthcare during the pandemic guides what devices the FDA needs notification about.

Currently, the FDA is concerned about specific device types by product code or any devices that are critical to public health during a public health emergency. For the most up to date list, the URL to the FDA website will show the specific product codes of the monitored device types;

Health Canada

As an Authority Having Jurisdiction, Health Canada also has reporting requirements for supply chain disruptions of specific types of medical devices. Health Canada is also an independent authority that uses a different device classification system than the U.S. FDA.

The table below shows the device types by their classification level that HC requires supply chain disruption notifications for. This information is current as of September 5^th, 2021, and the following link will take you to the HC webpage for the most up-to-date list.

Class I Medical Devices

Masks (surgical, procedure or medical masks) – Level 1, 2, 3 (ATSM)

N95 respirators for medical use

KN95 respirators for medical use

Face shields

Gowns (isolation or surgical gowns) – Level 2, 3 and 4

Gowns (chemotherapy gowns)

Class II Medical Devices

Ventilators (including bi-level positive airway pressure or BiPAP machines, and continuous positive airway pressure or CPAP machines)

Infrared thermometers

Digital thermometers

Oxygen Concentrators

Pulse Oximeters (single measurement)

Aspirators/suction pumps (portable and stationary)

Laryngoscopes

Endotracheal tubes

Manual resuscitation bags (individually or part of a kit)

Medical Gloves – Examination and Surgical (Nitrile, Vinyl)

Oxygen Delivery Devices

Class III Medical Devices

Ventilators (including bi-level positive airway pressure or BiPAP machines)

Pulse Oximeters (continuous monitoring)

Vital Signs Monitors

Dialyzers

Infusion Pumps

Anesthesia Delivery Devices

Class IV Medical Devices

Extracorporeal Membrane Oxygenation (ECMO) Devices

How to prevent device supply chain disruptions

Harden your supply chain with redundancies. Now is the time to qualify a second supplier as a contingency plan before it is too late…. Maybe even consider opening a Preventive Action? (HINT HINT for those ISO 13485 manufacturers that need to beef up their Clause 8.5.3. operations!)

Supply chains have both up and downstream functions. First, you likely need to source raw materials and components for production. Then you also need to ship those finished devices to distribution centers and your customers. Disrupt either of those and your ability to sell your devices is compromised or even completely halted.

Ask yourself, “Do I have a backup option for shipping?”, and “Do I have a backup option for raw materials and components?”.

Why?

Why go through all of that effort? Well, if you lose UPS and have to use FedEx instead, are their shipping procedures identical? Likely you will need a WI level document for each shipper to explain the process. It is easier to pre-qualify a contingency supplier and establish a WI now rather than in December when holiday shipping is at its peak. Consider if you also need to open accounts, etc. Scheduling pickup online may not be intuitive.

Just identifying a backup is important, but you can take that a step further and pre-qualify them. If they are a shipping and transportation supplier then give them a shipment or two in order to evaluate them. Hold them to the same standards you would for your primary supplier.

Did your shipment arrive on time? Was it damaged during transit? This is provisional, or pre-qualification. Did they perform adequately enough to use as a tentative supplier in the event the primary supplier is unable to perform? This is designed to make a full qualification of this supplier simple and easy… If you need to utilize them that is. Maintaining this pre-qualification should also be simple and easy as well. Once a year or so have them deliver a shipment for you.

That is just for importing or shipping finished devices. Do you have backup raw material or components suppliers identified? If not identifying or even pre-qualifying secondary suppliers might not be a bad idea either. You are probably tied down to a specific geographic area for shipping and transportation. You may not be for raw materials. If you need barrels of silicone consider a backup supplier from a different area than your primary supplier. Natural disasters create havoc for shipping. If your silicone comes from Company A, and they are closed down because of a hurricane then Company B ten miles away is likely affected as well.

For example, if you are in the U.S. and your primary supplier is in the Northeast then a backup supplier in the Southeast may be strategically important. Whereas a backup supplier from the Southwest may be cost-prohibitive.

What about your suppliers? Is your device high-risk enough that if your supply chain is disrupted, you have an obligation to report it to the FDA? In that scenario, if you use a contract manufacturer, it may be worth requiring supply chain contingencies and clearly identifying who owns what reporting responsibilities within your quality agreement with them.

There is an element of proactive responsibility in reporting these shortages, or projected shortages. In order to be able to predict medical device supply chain disruptions, there should be metrics that your quality system is monitoring. What is your monthly production capacity? How much raw material or components does your warehousing have on hand? How many units could you manufacture if the transport industry stopped right this second?

Determine what you need to track in order to identify a disruption before it occurs.

Prepare for notification now. This article looked at the problem from the point of view that transportation issues were the root cause of the supply chain disruption. However, many other things could be disruptive, such as natural disasters and supply availability. Therefore, develop a WI level document for conducting these types of regulatory reporting activities and train personnel before a disruption happens. It is easier to tackle these kinds of problems if you already have process controls in place and trained competent staff than if you wait until the reporting timeline clock is already ticking.

In the near future, we will be posting a new blog about 506J and Shortage Reporting. We will also have a work instruction and training webinar available soon.

Future blogs about device supply chain disruptions…Shortage Reporting

About the Author

Matthew came to us with a regulatory background that focused on OSHA and NFPA regulations when he was a Firefighter/EMT. Since we kidnapped him from his other career, he now works in Medical Device Quality Management Systems, Technical/Medical Writing, and is a Lead Auditor. Matthew has updated all of our procedures for He is currently a student in Champlain College’s Cybersecurity and Digital Forensics program, and we are proud to say that he is also a member of both the Golden Keys and Phi Theta Kappa Honor Societies! Matthew participates as a member of our audit team and has a passion for risk management and human factors engineering. Always the mad scientist, Matthew pairs his professional life in regulatory affairs with hobbies in the culinary arts as he also holds a Butchers/Meat Cutters certificate from Vermont Technical College.

Email: Matthew@FDAeCopy.com

Connect on Linkedin: http://www.linkedin.com/in/matthew-walker-214718101/

Device Supply Chain Disruptions Read More »

Jan 30 2022

Auditing Services Quote

Who quotes auditing services?

The form below provides us with the basic information we need to prepare an auditing services quote for your company. There are instructions below the form that explain exactly what information we are looking for in each section of the form. The quotation process is not automated. A real person (i.e. Lindsey Walker) will get back to you with a quotation. She is our audit program manager. She creates the audit quote and assigns the auditors based on availability and your auditing needs. Her email is sales@medicaldeviceacademy.com. The quotation will be automatically emailed from Freshbooks once she is finished, and then she will follow up with a manual email–just in case your spam filters prevent delivery of the automated email generated by FreshBooks. If Lindsey is on vacation, or out sick, the proposal will be prepared by Rob Packard. His email is rob@13485cert.com.

General pricing of auditing services

If you are looking for the cheapest auditing services you can find, don’t even bother filling in the form. Our goal is to help you improve your quality system and provide valuable consulting advice to achieve improvements. We specialize in helping start-up companies achieve initial ISO 13485 certification, MDSAP certification, and CE Certification. We will assign an experienced lead auditor with an hourly consulting rate of $275/hour. Typically, we will charge $2,750 plus travel expenses for a one-day supplier audit because we expect to spend 30 minutes on audit preparation, eight hours on-site actively auditing, and 2+ hours generating an audit report. Most quotations are flat-fee quotations so you know exactly how much you will be charged. We also request a 50% deposit for audits.

Name, Company, Email & Phone

The name you enter is the name we enter as the client contact in our database and the quotation will be addressed to that name. The company field should include the legal name of your company. The email you enter is the email that we will send the quotation. Although a phone number is not required, it helps us to be able to call you if we have questions about the information you provided.

What is the audit type?

Internal Audit – This is also called a “1st party audit,” and these are conducted to evaluate the effectiveness of your quality system. You are required to conduct an audit of the full quality system each year. If you select “Internal Audit,” we will assume that you want us to provide an audit quote for your complete quality system. If you only want a partial quality system audit of one or more process areas, then please select “Individual Process” and specify which process or processes in the text box labeled “Process Areas to Audit.”
Supplier Audit – This is also called a “2nd party audit,” and these are conducted to evaluate the effectiveness of your supplier’s quality system. Other reasons for a supplier audit include verifying compliance with contractual requirements or identifying the root cause of a quality problem (i.e. nonconforming product). Please provide the details of what processes to audit in the text box labeled “Process Areas to Audit.” We generally recommend focusing supplier audits on the activities you are outsourcing (e.g. manufacturing) rather than general quality system requirements (e.g. management review).
Individual Process Audits – This is also a “1st party audit,” however, we will focus on one or more processes that you identify in the text box labeled “Process Areas to Audit.” This type of audit is ideal when you do not have a qualified auditor that is independent to audit a process. Another scenario where this type of audit is valuable is when you recently made a significant change to a process and you want to verify that the employees are following the new process, or if you want to verify the effectiveness of corrective actions implemented for a specific process. For example, you want to verify the effectiveness of a CAPA related to an FDA 483 or Notified Body Nonconformity.

Process areas that need auditing

AKA Turtle Diagram Thumbnail 150x150 Auditing Services Quote

In this text box, we need you to identify the process areas you want us to audit. You can ask us to audit just one process or multiple processes. For example, if you are the Quality Manager and the only qualified lead auditor in your company, you might want us to audit your internal auditing, CAPA, management review, control of documents, and control of records. For a single process audit, we generally recommend remote audits via Zoom in order to eliminate the cost of travel. This is also a great way to test us before you engage our firm for a full-quality system internal audit. This is also known as the “audit scope,” and should not be confused with “audit criteria” discussed below. The scope can also include the location of the audit.

Location (remote or on-site) for auditing services quote

location 150x150 Auditing Services Quote

If you want us to conduct the audit remotely via Zoom, please enter “Remote” in the text box of the auditing services quote form. You can also specify another teleconferencing software of your choice. In general, we recommend that remote audits be split into 90-minute segments or less where one or two processes are covered during the 90-minute Zoom meeting. We explain this further in one of our blog articles: “Why remote audit duration should never exceed 90 minutes.” If you want us to conduct the audit on-site, please provide the address of the audit location and we will include the estimated travel costs in our proposal.

Desired Date or Dates

Please enter the date or dates that you want us to conduct your audit. You can also specify before a specific deadline (e.g. before June 30th). If you want us to conduct an audit of multiple processes remotely, it would help to know what dates and or times of day you would prefer. You can also enter a phone number and say “call me” next to the phone number. Then Lindsey or one of our assigned auditors will contact you to schedule a date and time for your audit.

What is the audit duration in hours?

Please enter the desired duration of the auditing services you want to be quoted. We typically expect at least 30 minutes of audit preparation to review the audit preparation documents that you provide and to create an audit agenda. In addition, we expect to spend approximately two hours of report writing time for each eight-hour day of auditing. Therefore, a typically one-day supplier audit will require a duration of ten hours, while a three-day on-site internal audit will require a duration of 30 hours.

Auditing criteria for auditing services quote

clipboard 6 150x150 Auditing Services Quote

It is important to specify the audit criteria for your auditing services quote, because otherwise, we might assign an auditor that does not have training on that criteria. Audit criteria are the standards, regulations, procedures, and contracts that may be used to evaluate your quality system or an individual process. Most of our audit team is qualified to audit against the following criteria:

21 CFR 820, 803, 806, and 830 – the US FDA regulations including medical device reporting, corrections and removals, and unique device identifier regulations
ISO 13485:2016/Amd 2021 – the international quality system standard for medical device manufacturers
Regulation (EU) 2017/745 – the European Medical Device Regulations
SOR 98/282 – the Canadian Medical Devices Regulation
MDSAP AU P0002.008 – the Medical Device Single Audit Program audit approach guidance document

Auditing Services Quote Read More »

Does your FDA inspection plan include the answers to these 15 questions?

Jul 20 2021

Does your FDA inspection plan need to be proactive first?

4 Comments / FDA / By Robert Packard

Maybe you need an FDA inspection plan. Does everyone in your company know what they need to do when FDA inspectors arrive at your facility?

Be proactive and don’t just let FDA inspections happen. You need to have an FDA inspection plan, and that plan needs to cover the roles and responsbilities for everyone. Below we have a list of 15 items that are in our FDA inspection work instruction (WI-009). If you already have a plan, try using the following checklist to assess your readiness for the next next inspection:

What will you ask and do when your FDA inspector calls the Friday before the inspection?
Who should be contacted by the FDA inspector if you are on vacation?
How will you communicate to the rest of your company that an FDA inspection is planned for Monday morning?
Who will greet the FDA inspector upon arrival, and what should they do?
Which conference room will the FDA inspector spend most of their time in?
Who will be in the conference room with you and the FDA inspector?
How will you track document and records requests, and how will you communicate that information to others?
How will you retrieve documents and records requested by the FDA inspector?
Who will conduct a tour of the facility with the FDA inspector and how will the tour be managed?
When quality issues are identified, how will you respond?
What will you do for lunches during the inspection?
Who will attend the closing meeting with the FDA inspector?
Should you “promise to correct” 483 inspection observations identified by the FDA?
How and when will you repsond to the inspector with corrective action plans?
If your company is outside of the USA, what should you do differently to prepare?

What will you ask and do when your FDA inspector calls the Friday before the inspection?

Most people begin their FDA inspection plan with the arrival of the inspector. However, you should consider including earlier events in your plan. Such as closure of previous 483 inspection observations, scheduling of mock-FDA inspections in your annual audit schedule, and details of how to interact with the inspector when they contact you just before an inspection. Most inspections will be conducted by a single inspector, but occasionally inspectors will be training another inspector. In this situation you can count on them following the QSIT manual more carefully, and you are more likely to receive an FDA 483 inspection observation. In the worst-case scenario, the lead inspector will split up from the trainee, and they will “tag-team” your company. This is not proper FDA procedure, but you should be prepared for that possibility. Therefore, make sure you ask the inspector if they are going to be alone or with another inspector when you speak with them on the phone. You should also get their name and phone number. You may even want to consider reviewing FDAZilla Store for details about your FDA inspector’s past inspection 483s and warning letters. Immediately after the call with the inspector, you should reserve a conference room(s) for the inspection and cancel your other meetings for the week. You should also verify that the person that contacted you is really from the FDA. You can do this by looking up their contact information on the Health and Human Services Directory. Your inspector should have a phone number and email you can verify on that directory.

Who should be contacted by the FDA inspector if you are on vacation?

You should always have a back-up designated for speaking with FDA inspectors, handling MDR reporting, and initiating recalls when you are on vacation. These are critical tasks that require timely actions. You can’t expect inspectors, MDRs, or recalls to wait you to get back in the office. It doesn’t matter what the reason is. Weddings, funerals, and ski trips should not be rescheduled. You need a back-up, and often that person is the CEO or President of your company. Make sure you have a strong systems in place (i.e. an FDA inspection plan, an MDR procedure, and a recall procedure). Whomever is your back-up needs to be trained and ready for action. This is also the purpose of conducting a mock-FDA inspection, including examples of MDRs in your medical device reporting procedure, and conducting mock recalls. This ensures you and your back-up are trained effectively.

How will you communicate to the rest of your company that an FDA inspection is planned for Monday morning?

Most companies have an emergeny call list as part of their business continuity planning, and after the past 18 months of living with a Covid-19 pandemic your firm should certainly have a business continuity plan. Your FDA inspection plan should leverage that process. Contact the same people and notify them of when the FDA inspector is coming. If you are unable to find a conference room available for the inspection (i.e. see below), then ask the manager(s) that reserved the designated room for FDA inspections to relocate to another conference room for the week. Make sure you tell them who the inspector will be, and you might even be able to provide a photo of the inspector (try seraching LinkedIn). Make sure that you remind everyone to smile, and to listen carefully to the question asked. Everyone should be trained to answer only the questions asked, and nobody should run and hide. There should also be no need to stop your operations just because an inspector is visiting. You might even include the name of the inspector on a “Welcome Board” if your company has one at the entryway or in public areas. The more an FDA inspection appears as “routine” the better your outcome will be.

Who will greet the FDA inspector upon arrival, and what should they do?

By the time an FDA inspector(s) actually arrives at your company, all of the managers in your company should already been notified of the inspection and a conference room should be reserved for the inspection. Therefore, when the person that is greeting people in the lobby comes to work on Monday morning, you (or their supervisor) need to communicate with them and make sure that they are prepared for arrival. There are four things that should be communicated:

the name of the inspector(s) that are arriving
the list of managers that should be notified when the inspector(s) arrives (possibly identical to the buisness continuity call list)
the conference room that is reserved for the inspection

If the person greeting the inspector(s) is also going to escort them to the conference room and help them get set-up, then they will need additional instructions. If that escorting inspectors to the conference room and helping them get set-up is delegated to a different person, then the following considerations should be included in that person’s instructions:

the location of bathrooms and emergency exit instructions in case of a fire
the information for wireless connectivity
recommendations for seating in the conference room based upon the expected participants (see below)

It is important that an escort for the inspectors is able to bring the inspector(s) to the conference room as quickly as possible. They should not be expected to wait more than a few minutes for an escort.

Does your FDA inspection plan identify a specific room for the inspector? Is there a back-up?

Some companies have a specific room that is designated for inspections and 3rd party certification audits. If your comapny can do that, it will be very helpful because it reduces the decision making that is required immediatley prior to the inspection. Having a specific room for the inspection also eliminates the need to tell everyone else in the company where the inspector will be. Instead the location of the inspection can be in the work instruction or written FDA inspection plan. You shouldn’t need a back-up plan if there is a specific room designated for an FDA inspection, but our firm has a client that will be hosting three notified body auditors simultaneouly for three days. In that situation, you might need more than one room.

Does your FDA inspection plan have assigned seating?

You might think that it really doesn’t matter where people sit in a conference room, but you will probably want consider the layout of charging cords and the flow of interviewees requested by the inspector. In your conference room, you will need room for at least the following people:

the inspector(s)
the management representative (i.e. you)
a scribe
an interviewee

If there is an inspector and a trainee, you will probably want to seat them together to facilitate them working together. You as the Management Representative also need to be in the room, and it may help for you to sit next to the scribe to facilitate communication between you and to make it easier for them to hand you documents after the scribe logs the documents into their notes. The scribe should probably sit closest to the door, because they will be receiving documents, logs, and records that are brought to the room. You will also need one more seat next to you, and probaby accross from the inspector(s), for interviewees. This person will rotate as different processes are reviewed. I also recommend having a location in the middle of the table for an “in box” where documents, logs, and records for the inspector are placed after being logged in. A second location in the middle of the table can be used for a “discard pile” as you finish using your copy of each document, log, and record. You may refer back to these copies later. The “discard pile” should be 100% copies rather than originals. Originals should never be brought into the room with the inspector.

Who is the scribe in your FDA inspection plan?

The perfect scribe would know the quality system well and they would have the typing skills of a professional stenographer. You might have someone that is an executive assistant in your company or a paralegal that could do this job, but you might also have a document control specialist that fits this requirement. Some companies will even hire a temp for the duration of the inspection that has this type of skill, but a temp is unlikely to know the jargon and quality system requirements well. I have taken on the role of scribe many times for my clients, because I type fast and know their quality system. I also don’t want to interferre with the inspection process. As scribe I can answer questions and offer suggestions when appropriate, but most of my time is spent taking notes and communicating by instant messenger with company members that are outside of the inspection room.

You should seriously consider using an application such as Slack as a tool for communication during the inspection. Then anyone in your company that needs to know the status of the inspection can be provided access to the Slack channel for the inspection. This can also act as your record of requests from the inspector. It’s even possible for people on the Slack channel to share pictures of documents to confirm that they have identified the document being requested. You could even invite someone to speak remotely with the inspector via Slack with Zoom integration. All the scribe needs to do is share the Zoom app with a larger display in the same conference room so the inspector can see it too.

Does your FDA inspection plan include provisions for document and record retrieval?

The most important part of document and record retrieval during an FDA inspection is to remember that inspectors should never receive the original document. Ideally, a copier would be located immediately outside of the conference room and three copies would be made of every document before it enters the inspection room. The originals can be stored next to the copier until someone has time to return them to the proper storage location. The three copies should all be stamped “uncontrolled documents” to differentiate them from the originals. When the three copies are brought into the room, they should be handed to the scribe. The scribe should log the time the copies were delivered in the Slack channel. Then the copies should be handed to you, the Management Representative. You should skim the document to make sure that the correct document was received. Then one copy would be given to the inspector and another copy would be made available to the interviewee. If only two copies are needed, the extra copy can be placed in the “discard pile.” Even if your system is 100% electronic, I recommend printing copies for the inspection. The paper copies are easier for inspectors to review, and it eliminates the ability for the inspector to hunt around your electronic document system. In this situation, the scribe may do all of the printing.

Does your FDA inspection plan indicate who will conduct a tour of the facility with the FDA inspector and how will the tour be managed?

I’m surprised by the number of companies that don’t seem to have a map of their facility. Medical device manufacturing facilities should have two kinds of facility maps. One should identify where pest control monitoring stations are located, and the second should indicate your evacuation route to exit the building. All guests should be shown the evacuation route map, probably within the first 30 minutes of arrival. The second map will be requested by the inspector eventually if you conduct manufacturing at your facility. Therefore, it would be helpful to use one or both of these facility maps as a starting point for creating a map of the route that inspectors should be taken on during a tour. I prefer to start with where raw materials enter the facility, and then I follow the process flow of material until we reach finished goods storage and shipping. If you can do this without back-tracking multiple times, then that will probalby be the preferred route. The purpose of planning the route out in advance is to help estimate how long the tour will take, and to make sure there is consistency. If someone starts the tour, and then another person takes over the tour, the new person should be aware of what the next location is and what areas have not been observed yet. There may also be safety reasons for avoiding certain areas during a tour and asking the inspector to observe those areas from a distance. Welding processes, for example, often fall into this safety category.

When quality issues (i.e. FDA 483 inspection observations) are identified, is this covered by your FDA inspection plan?

Third party certificaton body auditors will typically make you aware of nonconformities as they are identified, but FDA inspectors often will hold off on identifying 483 inspection observations until the end of the inspection in a closing meeting. However, you can typically identify several areas that may result in a 483 inspection observation during the inspection. You and the manager of that area may want to consider initiating a draft CAPA plan for each of these quality issues before the closing meeting. This would give you an opportunity to demonstrate making immediate corrections and you might be able to get feedback from the inspector on your root cause analysis and corrective action plan before the closing meeting. Sometimes this will result in an inspector identifying low-risk quality issues verbally instead of writing them out on FDA Form 483. I find the best way to make sure CAPA plans are initiated early is to have a debrief each day after the inspector leaves. All of the managers involved in the inspection should participate, and the debrief can be done virtually or in person. Virtually may be necessary, because often managers need to leave work before the inspector ends for the day. You should consider including this in your FDA inspection plan as well.

Does your FDA inspection plan include plans for daily lunches?

If your facility is located outside the USA, skip this paragraph and go to the section below about companies located outside the USA. If your company is locagted inside the USA, you can be certain that the FDA inspector will not eat lunch at your facility. They will leave for lunch on their own, and then they will return after lunch. Therefore, you may not have control of the timing of a lunch break but you will have time to take one. Most managers use the lunch break as a time to catch-up on emails. However, I think it makes more sense to change your email settings to “out of office.” You can indicate that you are hosting an audit and you will answer questions as a batch that evening or then next morning. You might use the lunch break to take a walk and relax, you might have short debrief meeting with other managers, and you might spend some time preparing documents, logs, and records that the inspector may have requested before they left. Most inspectors use this strategy of asking for a list of documents and records in advance. This is also a good strategy to learn as an internal auditor or supplier auditor. If you have a back-room team that is supporting you, don’t make them wait for a break. Have someone in your company take their lunch orders or arrange for a catered buffet lunch. This will keep your support team happy, and you should definitely remember to include lunch for the team and changing your email settings to “out of office” in your FDA inspection plan.

Does your FDA inspection plan state who will attend the closing meeting?

Most companies have every manager that was in the opening meeting attend the closing meeting. This is ok, but it is important for anyone that might need to initiate a CAPA to be present in the meeting so that they can ask the inspector for clarification if needed. Scheduling a closing meeting should be part of your FDA inpsection plan. However, the past 18 months of the Covid-19 pandemic has taught us that we can attend this type of meeting remotely via Zoom. Therefore, we recommend letting the managers go home early if they are no longer needed as auditees. Instead, ask them to call in for a Zoom meeting at the time the FDA inspector estimates for review of the 483 inspection observations with the company.

Should you “promise to correct” 483 inspection observations identified by the FDA?

During the closing meeting the FDA inspector will review 483 inspection observations with you and any of the other managers present at the closing meeting. The inspector will ask if you promise to correct the 483 inspection observations that were identified. You should confirm that you will, and the FDA inspector will add this to the Annotations in the Observations section of FDA Form 483 that you will recive at the closing meeting. By stating this, you are agreeing to create a corrective action plan for each of the 483 inspection observations. You could change you mind later, but the better approach is to perform a thorough investigation of the 483 inspection observation first. If you determine that corrective action is not required, you can explain this in your CAPA plan and provide data to support it. The only likely reason for not correcting an observation is that you determined the incorrect information was provided to the inspector. In that case, you may need to do some retraining or organize your records better as a corrective action to prevent recurrence in a future inspection. You might even make modifications to your work instruction for “Conducting an FDA Inspection” (i.e. FDA inspection plan).

How and when will you repsond to the inspector with corrective action plans?

Your FDA inspection plan should include details on how respond to FDA 483 inspection observations and when the response must be submitted by. The FDA inspector will give you instructions for submission of your corrective action plans by email to the applicable email address for your region of the country. This email address and contact information should be added to your work instruction as an update after the first inspection if you are not sure in advance. You should respond with a copy of your CAPAs with 15 business days. Regardless of what the inspector told you, there is always a possibility that the outcome of your inspection could be “Official Action Indicated.” This is because the inspector’s supervisor makes the final decision on whether a Warning Letter will be issued and regarding the approval of the final inspection report. You should also confirm what the 15-day deadline is, because your state’s holidays may be different from the US Federal holidays.

If your company is outside of the USA, what should you do differently to prepare?

The US FDA only has jurisdiction over companies that are located in the USA. Therefore, if your company is registered with the FDA, you can only be inspected if you agree to host the FDA inspector when they contact you. FDA inspectors will contact foreign firms 6-8 weeks in advance, and they will typically give you a couple of weeks to choose from. After you confirm the dates for the inspection, then they will make their travel plans. Therefore, you will know exactly when the FDA inspection is schedulea and you will have more than month to prepare. Therefore, you should do four things differently:

You should send the FDA inspector directions from the airport to your facility and provide recommendations for potential hotels to stay at. Ideally the hotels you recommend will provide transportation from the airport and managers that are speak passable English). The hotels should be appropriate for business travel–not royalty. If it is convenient, you may even offer to pick-up the inspector at the hotel each day to ensure they have no problems with local transportation.
You should offer to provide lunches for the inspector during the inspection. This should not be considered entertainment. The purpose is make sure the inspector has lunch (i.e. a light meal or snacks) and drinks (i.e. water and coffee) during the inspection so that they do not have to negotiate local traffic, struggle with ordering food in a language they don’t know, and to eliminate delays associate with having lunch off-site. Make sure you remember to ask about food allergies and dietary restrictions. You might even follow-up with a draft menu to obtain confirmation that your proposed menu is appropriate.
You should schedule a mock-FDA inspection immediately to verify that everyone is prepared and to identify any CAPAs that need to initiated before the FDA inspector finds the problems.
During the first day of the inspection, you may consider asking the inspector if they would like to go out for dinner one of the evenings with a couple of people from your company or if they would like any recommendations for restaurants to eat at. If you are not familiar with US customs and international travel, ask the hotel concierge for advice. When you are out to dinner, the conversation should remain professional and if you normally drink alcohol at dinner you may want to consider the “BOB” compaign in the Netherlands as a role model.

How are you going to train everyone in your company?

You need an easy way to train everyone in your company. Why not give them a video to watch? Next Monday, July 26, 2021 @ Noon EDT, we are hosting a webinar on how to prepare for an FDA inspection. It is a live webinar where you will be able to ask questions, and we are bundling the webinar with our new work instruction for “Conducting an FDA Inspection” (WI-009). If you register for the webinar, you will receive access to the live webinar, you will receive the native slide deck, and you will receive a copy of the work instruction. You can use the work instruction as an FDA inspection plan template for your company. The webinar will be recorded for anyone that is unable to attend the live session. You will be sent a link to download the recording to watch it as many times as you wish, and we recommend that you use the webinar as training for the rest of your company.

Does your FDA inspection plan need to be proactive first? Read More »

Jul 14 2021

Are you a little curious, or fascinated by competitive warning letters?

1 Comment / CAPA, FDA / By Matthew Walker

Did you know you can download competitor inspectional observations to learn which quality issues are likely to result in warning letters?

Not long ago the FDA published their Inspectional Observation Data Sets. They are Excel spreadsheets of the dreaded 483 inspection observations and warning letters that the FDA issues after performing inspection of manufacturers. There is a spreadsheet for each of the following topic areas, and we will take a look at the ‘Devices’ observations. A post-mortem data analysis or speculative data autopsy if you will… What can we learn when examining an FDA inspection observation?

Biologics
Drugs
Devices
Human Tissue for Transplantation
Radiological Health
Parts 1240 and 1250
Foods (includes Dietary Supplements)
Veterinary Medicine
Bioresearch Monitoring
Special Requirements
Total number of inspections and 483s

These are nonconformities written by the FDA to the Code of Federal Regulations, so there won’t be any statistics for ISO 13485:2016 or Regulation (EU) 2017/745. There will be lots of findings under the ‘QSR’ or 21 CFR 820. The good news, unlike an ISO Standard, is that the Code of Federal Regulations is publicly available online for free. It isn’t a pay-to-play game and we can share the full text of the requirement without violating any copyright licensing agreements.

The top 10 areas for inspection observations and warning letters are:

CAPA procedures
Complaint procedures
Medical Device Reporting
Purchasing Controls
Nonconforming Product
Process Validation
Quality Audits
Documentation of CAPA actions and results
Training
Device Master Record

Corrective and preventive action is the most common reason for warning letters

The winning quality system requirement that resulted in the most 483 inspection observations and warning letters was for Corrective and Preventive Actions under 21 CFR 820.100(a). This finding is listed when a manufacturer fails to establish a CAPA procedure or the procedure is inadequate. This finding was cited 165 times. In addition, CAPA activities or their results were not documented or were not documented adequately a total of 32 times under 21 CFR 820.100(b). This gives us a grand total of 197 observations for the CAPA process.

Corrective and preventive actions are either fixing an identified problem and making sure it doesn’t happen again, or stopping a potential problem from happening in the first place. It is both the reactive and proactive response for quality issues and product non-conformance. The text of the requirement is:

“§820.100 Corrective and preventive action.
(a) Each manufacturer shall establish and maintain procedures for implementing corrective and preventive action. The procedures shall include requirements for:
(1) Analyzing processes, work operations, concessions, quality audit reports, quality records, service records, complaints, returned product, and other sources of quality data to identify existing and potential causes of nonconforming product, or other quality problems. Appropriate statistical methodology shall be employed where necessary to detect recurring quality problems;
(2) Investigating the cause of nonconformities relating to product, processes, and the quality system;
(3) Identifying the action(s) needed to correct and prevent recurrence of nonconforming product and other quality problems;
(4) Verifying or validating the corrective and preventive action to ensure that such action is effective and does not adversely affect the finished device;
(5) Implementing and recording changes in methods and procedures needed to correct and prevent identified quality problems;
(6) Ensuring that information related to quality problems or nonconforming product is disseminated to those directly responsible for assuring the quality of such product or the prevention of such problems; and
(7) Submitting relevant information on identified quality problems, as well as corrective and preventive actions, for management review.
(b) All activities required under this section, and their results, shall be documented.“

We can see that under section (a) the requirement is that there is an established and maintained process control with a numerical list of required inputs and outputs of that process. The process control is easy, use a procedure. You have to establish a procedure and you have to maintain it. That is one part of the first 165 observations.

The second part is that the procedure needs to be ‘adequate’. That means that bullets (1)-(7) need to be addressed within that procedure. For example number (2) is “Investigating the cause of nonconformities relating to product, processes, and the quality system;”. This means that the procedure should be explaining not only that your quality system will be doing that investigation, but who will be doing it and how they will be doing it.

“The cause of nonconformities shall be investigated”, may not be an adequate process control. Yes, it addressed the need for a root cause evaluation, but does it do that adequately?

“The RA/QA Manager will complete or assign a staff member to complete the root cause evaluation of Corrective Actions utilizing methods such as a ‘5-Why Analysis’ by filling in section 2. Of the CAPA report form.” This wording is much closer to what is needed in a procedure. It explains who is doing what, roughly how they might do it, where that activity gets documented and identifies the record that the activity produces.

Which brings us to the extra 32 findings where the activities and their results either weren’t documented or were done so poorly. This is why identifying the input (Root Cause Analysis) and the output (Section 2. of the CAPA report) are important. It allows you, the inspector or an auditor to trace from the procedure to the record that part of the process produces to demonstrate conformity.

As the age old saying goes, “if it isn’t documented, it didn’t happen”. That record should show that yes you did a root cause analysis (the activity) and what the conclusion of that analysis was (the results of that activity). These types of records are so vital to your quality system that there is an entire process dedicated to the control of records. I’ll give you a hint, it is Subpart-M of the QSR.

This is also a great segway to show how the processes go hand in hand and CAPA is interrelated to Document Control, Record Control, and your Quality System Record. Your system processes will continually wrap back around to each other in this manner. For example, CAPAs are a required input into your Management Review process so if you don’t have a CAPA procedure you aren’t performing adequate management reviews.

A note on other systems

If your quality system is also ISO 13485:2016 compliant, Corrective Actions and Preventive Actions are separate items under separate sub-clauses. Corrective Actions are in 8.5.2., and Preventive Actions are in 8.5.3. Meaning if you have a mature quality system that has never had a preventive action, then your CA might be fine, but the PA of that process may be inadequate.

An industry standard for CAPAs is applying a risk based approach, and we have an entire webinar dedicated to the subject! How to create a risk-based CAPA process

Complaints are the second most common reason for warning letters

%name Are you a little curious, or fascinated by competitive warning letters?

The silver medal goes to complaints. Much like CAPA the biggest issue is no, or inadequate complaint handling procedures. This specific finding was cited 139 times (overall complaint handling has more but this specific issue was the most cited). Not to sound like a broken record but again, complaint handling is a specific process that requires an ‘established and maintained procedure”.

As a procedure it has to exist, it has to be maintained, and each process has requirements for inputs and outputs that must be outlined. Complaint handling is a little bit different in the QSR in that there isn’t a ‘complaint’ sub-part. Complaints are under Sub-Part M- Records, specifically 21 CFR 820.198 Complaint Files.

To compare, Complaints in accordance with ISO 13485:2016 are under Measurement Analysis and Improvement, specifically Sub-clause 8.2.2. Complaint Handling. It is sandwiched in between Feedback and Reporting to Regulatory Authorities. That had to have been done on purpose because those processes are inherently intertwined and their inputs and outputs directly feed into each other:

“§820.198 Complaint files.
(a) Each manufacturer shall maintain complaint files. Each manufacturer shall establish and maintain procedures for receiving, reviewing, and evaluating complaints by a formally designated unit. Such procedures shall ensure that:
(1) All complaints are processed in a uniform and timely manner;
(2) Oral complaints are documented upon receipt; and
(3) Complaints are evaluated to determine whether the complaint represents an event which is required to be reported to FDA under part 803 of this chapter, Medical Device Reporting.”

This sub-section of ‘Records’ may be less intuitive than what we saw under CA/PA. We can see that we have to maintain complaint files. We also need a procedure that covers receipt, review, and evaluation of complaints. Then we have to name a formally designated complaint handling unit to do all of that.

Further we need to make sure that complaints are handled uniformly and efficiently. It should be a cookie cutter process with a known timeline. Every complaint goes through the same review and evaluation within a specific time period. If it takes six months to review a complaint, that definitely is not a ‘timely manner’.

Not every complaint will be sent to you via certified mail with ‘Complaint’ written across the top in big BOLD letters. Sometimes people will simply tell you about a complaint they have verbally and your process needs to define how it is addressing these verbal communications. Otherwise your FDA inspection observation will be written, and you run the risk of receiving warning letters.

This of course begs the question, what is a complaint? How will I know if I received one? Fortunately 21 CFR 820.3 provides us with definitions, one of them being what exactly a complaint is “(b) Complaint means any written, electronic, or oral communication that alleges deficiencies related to the identity, quality, durability, reliability, safety, effectiveness, or performance of a device after it is released for distribution.”.

There is no quiz at the end of this but I would caution you that this will probably be on the test. Anytime you ask a question like that and the regulation provides a definition for it, then it’s a good idea to include that definition within your procedure. This is a way to make sure that there is uniformity in the understanding of a procedure. If you miss a complaint because you didn’t realize that it was a complaint then your process is not effective. Eventually an auditor will pick up on the deficiencies in the process, document a finding and you will be doing a CAPA to fix it.

Every complaint needs to be reviewed, but not every complaint needs to be investigated. This was a much less cited issue (5). You are allowed to decide that an investigation isn’t needed. However, if you do then you must keep a record of why you decided that and name the person responsible for that decision.

That isn’t carte’ blanche to just write off investigations whenever you want. There are some things that require an investigation and there is no accepted rationale for not performing one. An example is when there is a possible failure of a device, it’s labeling or packaging to meet any of their specifications. Those need to be investigated without exception. What your system is allowed to do though is if you have already done an investigation and you received related similar complaints, there is no need to repeat the same investigation for every complaint.

An important concept of complaint handling is that you should be triaging your complaints as you receive them. There are certain types of complaints that must be reported to the FDA. More information is actually found under 21 CFR 803, not the 820 that we have been examining. These special complaints need to be identifiably separate from your normal run of the mill complaints. These complaints specifically need a determination of;

Whether the device failed to meet specifications;
Whether the device was being used for treatment or diagnosis; and
The relationship, if any, of the device to the reported incident or adverse event.

Outside of those special reportable complaints, all investigations have certain required outputs. By addressing every complaint in a uniform repeatable manner, this can be boiled down to a form. In fact creating a specific complaint form makes sure that all of the required information has been documented. Each record of an investigation by your formally designated complaint handling unit has to be include;

The name of the device;
The date the complaint was received;
Any unique device identifier (UDI) or universal product code (UPC), and any other device identification(s) and control number(s) used;
The name, address, and phone number of the complainant;
The nature and details of the complaint;
The dates and results of the investigation;
Any corrective action taken; and
Any reply to the complainant.

Some companies and corporations sprawl across the globe and have many sites all over the place. Not every manufacturer is limited to containing all of their operations within a single building. There are times where the formally designated complaint handling unit may be somewhere other than where the manufacturing is taking place. That is acceptable as long as communication between the two is reasonably acceptable. The manufacturer needs access to the records of the complaint investigations performed. Just as everything must be documented, all of that documentation must be producible as well. If not, your inspector will produce FDA 483 inpsection observations and warning letters.

If the complaint handling unit is outside of the United States the records have to be accessible in the United states from either the place where the manufacturers records are normally kept or at the initial distributor.

Complaint Handling and vigilance reporting are topics that we often find stuck together like velcro. We find them so interelated that we have a combined Complaint Handling and Vigilance Reporting Webinar.

Medical Device Reporting is the third most common reason for warning letters

The bronze medal recipient shows a drop in sheer numbers of FDA inspection observations. A total of 68 were written for the fiscal year of 2020, and these findings have a high likelihood of resulting in warning letters because these incidents may involve serious injuries and death. We are slowing down, but this is still a topic that gets an FDA inspection observation almost every week.

But again part of the issue is no, or bad procedures to control this process. Not to be confused with the (EU) MDR since as an industry we love acronyms so much, Medical Device Reporting is referenced within the Quality System Requirements of 21 CFR 820. We took a peek above in Complaint Handling. What makes this unique is that MDR actually lives in 21 CFR 803 Medical Device Reporting. What makes it even more special is that Part 803 is further broken down into sub-parts.

We will take a look at Sub-part E which is the reporting requirements for manufacturers. Medical Device Reporting is a process and as such needs a procedure to control it and that procedure must be maintained.

Some key points to capture is that there are reporting timelines that are measured in calendar days from when you become aware of information that reasonably suggests that one of your devices;

“(1) May have caused or contributed to a death or serious injury or
(2) Has malfunctioned and this device or a similar device that you market would be likely to cause or contribute to a death or serious injury, if the malfunction were to recur.”

There are some crucial takeaways. First, the clock starts ticking down calendar days, not work days, and holidays count. You can’t hold off reporting that your device killed someone because it’s around the holidays and over a few weekends.

Second, is that reporting timelines vary, generally between 5 and 30 calendar days. That means it is important to know the specific timeline for the type of report you are making and what the authority having jurisdiction requires for a timeline. The FDA may differ from Health Canada which in turn may differ from the EU, etc.

Third is that the bar to meet is what would be ‘reasonably known’, and that is somewhat of an ambiguous requirement open to interpretation.

They help clarify this with,

“(i) Any information that you can obtain by contacting a user facility, importer, or other initial reporter;
(ii) Any information in your possession; or
(iii) Any information that you can obtain by analysis, testing, or other evaluation of the device.”

The first two are usually not an issue, but the one that tends to get less attention is deeper analysis, testing or evaluation of the device. Due diligence is required here to make sure that you actually do know the information that should be ‘reasonably known’ to you.

The burden of investigation and root cause determination is placed squarely on the shoulders of the manufacturers and that is a process that can take some time. What happens when the reporting timely is fast approaching but your investigation won’t be finished before the clock runs out? The short answer is to report it anyway.

The longer answer is to report what information you do have with an explanation of why the report doesn’t have all of the required information. Then explain what you did to try to get all of the information, and file a supplemental or follow-up report later to fill in the gaps. Only having a partial report ready is not an excuse to miss the reporting deadline. It is however, the perfect excuse to get an FDA inpsection observation or warning letters.

Are you a little curious, or fascinated by competitive warning letters? Read More »

May 7 2020

What’s the difference between PMS, PSUR, and PSR?

2 Comments / Post-Market Surveillance / By Matthew Walker

This blog is intended to help clear your justified confusion if you are wondering what the difference is between PMS, PSUR, and PSR.

The nine most terrifying words in the English language are, “I’m from the Government, and I’m here to help.” That quote is from a speech by President Reagan on August 12, 1986. One of the goals of the European Parliament and Council was “to ensure effective coordination of [competent authority] market surveillance activities and to clarify the applicable procedures.” After studying the new European MDR, I can confidently say that the European Parliament and Council have done their job well. My boss is a regulatory consultant with 30 years of experience, and he asked me to explain the difference between PMS, PSUR, and PSR.

To answer that question as objectively as possible, and cite my sources, I have included a copy and paste directly from Regulation (EU) 2017/745. Red text is my commentary, while the italicized text is a quotation from the most relevant article within the new EU regulations.

Under the New MDR, the only Class IIa, Class IIb, and Class III products are definitively required to have a Periodic Safety Update Report (PSUR). The PSUR needs to be updated annually for Class III and Class IIb implants, and the PSUR needs to be updated at least every two years for Class IIb (non-implants) and Class IIa devices. The PSUR must be available to your notified body, and upon request, the competent authorities. In contrast with the PSUR, Post-Market Surveillance (PMS) reports are required for Class I devices. Finally, a manufacturer’s Periodic Summary Report (PSR), relates to specific cases of Serious Incidents and Field Safety Corrective Actions (FSCA’s) based upon an agreement between the manufacturer and the competent authority or authorities instead of submitting individual FSCA reports. This is confusing because the PSUR also meets the requirements of a PMS Report as defined in Article 85, but we don’t call it a PMS Report.

“Article 83 – Post-market surveillance system of the manufacturer

1. For each device, manufacturers shall plan, establish, document, implement, maintain, and update a post-market surveillance system in a manner that is proportionate to the risk class and appropriate for the type of device. That system shall be an integral part of the manufacturer’s quality management system referred to in Article 10(9).”

In Matthew’s words, “Manufacturers are required to establish a PMS system for every device or device family.”

“Article 84 – Post-market surveillance plan

The post-market surveillance system referred to in Article 83 shall be based on a post-market surveillance plan, the requirements for which are set out in Section 1.1 of Annex III. For devices other than custom-made devices, the post-market surveillance plan shall be part of the technical documentation specified in Annex II.”

In Matthew’s words, “Article 84 requires you to have a PMS plan in your quality system.”

“Article 85 – Post-market surveillance report

Manufacturers of class I devices shall prepare a post-market surveillance report summarizing the results and conclusions of the analyses of the post-market surveillance data gathered as a result of the post-market surveillance plan referred to in Article 84 together with a rationale and description of any preventive and corrective actions taken. The report shall be updated when necessary and made available to the competent authority upon request.”

In Matthew’s words, “A Class I device requires a PMS report, while the other product classifications require a PSUR.”

“Article 86 – Periodic safety update report

1.1 – Manufacturers of class IIa, class IIb, and class III devices shall prepare a periodic safety update report (‘PSUR’) for each device and were relevant for each category or group of devices summarizing the results and conclusions of the analyses of the post-market surveillance data gathered as a result of the post-market surveillance plan referred to in Article 84 together with a rationale and description of any preventive and corrective actions taken. Throughout the lifetime of the device concerned, that PSUR shall set out:

(a)

the conclusions of the benefit-risk determination;

(b)

the main findings of the PMCF; and

(c)

the volume of sales of the device and an estimated evaluation of the size and other characteristics of the population using the device and, where practicable, the usage frequency of the device.

Manufacturers of class IIb and class III devices shall update the PSUR at least annually. That PSUR shall, except in the case of custom-made devices, be part of the technical documentation as specified in Annexes II and III.

Manufacturers of class IIa devices shall update the PSUR when necessary and at least every two years. That PSUR shall, except in the case of custom-made devices, be part of the technical documentation as specified in Annexes II and III.

For custom-made devices, the PSUR shall be part of the documentation referred to in Section 2 of Annex XIII.

For class III devices or implantable devices, manufacturers shall submit PSURs by means of the electronic system referred to in Article 92 to the notified body involved in the conformity assessment in accordance with Article 52. The notified body shall review the report and add its evaluation to that electronic system with details of any action taken. Such PSURs and the evaluation by the notified body shall be made available to competent authorities through that electronic system.
For devices other than those referred to in paragraph 2, manufacturers shall make PSURs available to the notified body involved in the conformity assessment and, upon request, to competent authorities.”

In Matthew’s words, “Barring specified exemptions, manufacturers of a Class IIa device would need to submit a PSUR and update it at least every two years.”

“Article 87 – Reporting of serious incidents and field safety corrective actions

9. For similar serious incidents that occur with the same device or device type and for which the root cause has been identified or a field safety corrective action implemented or where the incidents are common and well documented, the manufacturer may provide periodic summary reports instead of individual serious incident reports, on condition that the coordinating competent authority referred to in Article 89(9), in consultation with the competent authorities referred to in point (a) of Article 92(8), has agreed with the manufacturer on the format, content, and frequency of the periodic summary reporting. Where a single competent authority is referred to in points (a) and (b) of Article 92(8), the manufacturer may provide periodic summary reports following an agreement with that competent authority.”

In Matthew’s words, “Periodic summary reports (PSRs) refer to significant incidents (SIs) and field safety corrective actions (FSCAs). PSRs require an agreement between the manufacturer and the competent authority(s) for cases where there is a group of common, well-known, and documented SIs or FSCA’s with a known root-cause. PSRs are an alternative to submitting individual SI and FSCA reports.”

Additional Quality System Resources

My boss also asked me to update the procedures for post-market surveillance (SYS-019) and vigilance (SYS-036). The PMS procedure includes requirements for Articles 83-86. The vigilance procedure includes the requirements for Articles 87-92.

About the author

Matthew is a talented writer that missed his calling as a political satirist. Medical Device Academy is lucky to have him as a quality system expert and gap analysis guru. Matthew was asked to answer this question for a client in response to an email. He wrote the entire blog in less than one hour, but he didn’t think it was worthy of publishing. The boss disagreed. Please show Matthew some love with your comments below or by ordering the book from Amazon ($5 pre-order discount until August 28, 2020).

What’s the difference between PMS, PSUR, and PSR? Read More »

May 2 2020

Changes triggered by COVID19 in your quality system

3 Comments / Business Continuity Plan, Quality Management System, Remote Auditing / By Robert Packard

The 2020 global pandemic has changed life as we know it, but this article focuses on three crucial quality system changes triggered by COVID19.

Last night my daughter Gracie mentioned that her teacher assigned an essay to write about three changes triggered by COVID19 in her life. The three things that she felt had changed the most were: 1) she goes to bed much later, and sleeps in every day; 2) her school is closed, and she only talks to her teacher twice per week via Zoom, and 3) she misses her friends. I know that her story is similar to my son Bailey who is in his Freshman year of college, and I know that my personal story is quite similar. Coincidentally, I started writing this article earlier this week about three significant-quality system changes triggered by COVID19:

If you are going to conduct on-site audits, you need to ask about using personal protective equipment (PPE).
There needs to be a greater focus on business continuity plans and robust supply chain monitoring.
Remote audits are suddenly encouraged for 1st, 2nd, and 3rd-party audits.

Changes triggered by COVID19: #1 Use Face Masks

US FDA Issues EUAs

At the beginning of the COVID19 pandemic, the US FDA created several emergency use authorizations (EUA). The three EUA areas were IVD testing, ventilators, and face masks. The EUA for IVD testing is not surprising, because the FDA issues and EUA every time a new lethal and contagious virus emerges (e.g., Zika and Ebola). The EUA for ventilators was issued because the number of people with respiratory issues was expected to explode with the spread of the virus, and the supply chain for components of ventilators had already been disrupted by the initial spread of the virus in China. The EUA for face masks was issued because it is the second-best way to protect people from the virus, and existing infrastructure for face mask production could not possibly supply the entire world with face masks overnight.

Everyone in the World Gets a Face Mask

As soon as the EUA for face masks was issued, every regulatory consultant in the USA was inundated with urgent requests for help to complete EUA requests for masks. I also received similar requests for assistance with Canadian filings. The FDA did a great job of providing detailed information about the different types of face masks (i.e., face masks, surgical face masks, and N95 respirators). Testing companies created new website pages specifically for each of the different face mask tests, and every company with a sewing machine suddenly wanted to manufacture masks. I even read an article about an elderly woman making face masks for her entire family while she listened to The Beatles “HELP!” in the background.

Why aren’t you wearing your face mask?

Even after the world makes the first 7 billion face masks, not everyone will wear their face masks. Masks will protect us from touching our hands to our face–which spreads many germs in addition to the SARS-CoV-2 virus. Masks will also keep us from coughing on other objects and people if we have the virus. Finally, face masks protect us from the small droplets that carry the virus from one person to the next. Even though there are obvious safety reasons for everyone in the world to wear a face mask, most people don’t want to wear a face mask. This is no different from the argument to wear a seat belt, and unless our government creates a law or temporary order requiring us to wear face masks, most people won’t bother to wear one.

Changes triggered by COVID19: Auditors need to wear face masks

As a medical device auditor, I feel I must always follow the safety rules in every facility I visit. Lead auditors are supposed to contact the company ahead of time and ask about the safety policies as part of audit preparation and initiating the audit. I’m 6’6” (2.00m) in height, and my shoe size is 14. There is seldom gowning for me to wear that fits appropriately–especially in Southeast Asia. I squeeze into the garments, and they are uncomfortable and hot, but I wear the garments anyway. My job includes auditing clean rooms, and I can’t do my job without gowning up. By following the rules, I also eliminate the excuses for anyone in the facility I visit. Now that we have a global pandemic, you should be wearing a face mask in every medical device facility to protect yourself, people you work with, and users of medical devices. You should also consider carrying spare face masks with you to protect yourself on airplanes, in hotels, etc.

Changes triggered by COVID19: #2 Business Continuity Plans

Will business continuity plans be required now?

In addition to the cultural shift to wearing face masks, we will also need to make significant changes in our overall preparations for natural disasters, fires, and biological threats. Although there is no specific requirement for a business continuity plan in ISO 13485:2016, there are many places where an auditor can identify a requirement to maintain the effectiveness of a quality system (no exceptions):

Clause 1, Scope
Clause 4.1.1 & 4.1.3, General Quality System Requirements
Clause 5.3, Quality Policy
Clause 5.4.2, Quality management system planning
Clause 5.6.3, Management Review Output
Clause 6.1, Provision of resources
Clause 8.1, General requirements for Measurement, analysis, and improvement
Clause 8.2.4, Internal audit
Clause 8.5.1, General Improvement

Although any of these clauses could potentially be referenced as a requirement for a business continuity plan, the last clause would generally be the most appropriate. This clause states, “The organization shall identify and implement any changes necessary to ensure and maintain the continued suitability, adequacy and effectiveness of the quality management system…”. In this time of radical change, adding provisions to your business continuity plan for coping with a global biological threat seems obvious and urgently needed.

How to practice your business continuity plans

My sister is a teacher, and she is in the process of opening a new charter school in Maine. We were discussing her planning for the school, and the disruption of schools by the COVID19 pandemic has challenged all teachers to learn to use distance learning. My sister’s school focuses on teaching children about the environment, and she doesn’t like to spend lots of time on the computer. I was sharing some of the environmental studies my daughters are receiving via Zoom from their teachers. I suggested that she might want to pick one topic each week to teach via distance learning. The purpose of this would be to give her, and her students practice using distance learning for a variety of subjects. Therefore, when we experience another biological disaster, her students will already know precisely how to use distance learning to continue their education. My argument was that this routine use of distance learning would be a more effective preparation for emergencies than a once-per-month “fire drill.” Companies should use the same approach. Your company should create a schedule for practicing remote management meetings and working from home. This will ensure that systems are in place to keep your business running smoothly when disaster strikes again.

Changes triggered by COVID19: Expect regulators to require business continuity plans

The widespread shortage of face masks, ventilators, and other critical supplies needed during the COVID19 pandemic is going to result in new regulations requiring business continuity plans. This is a certainty born from the observation that every single medical device regulation we have resulted from severe public health threats. The COVID19 pandemic is the biggest global health crisis the world has experienced in 100 years. Therefore, we can expect corrective actions in the form of new regulations requiring companies to have a business continuity plan. Some regulators will act independently, but I would expect this also to be an action taken by the International Medical Device Regulators Forum (IMDRF). We can also expect there to be new laws requiring amendments to business continuity plans for public companies. The Sarbanes-Oxley Act of 2002 requires public companies in the USA to have business continuity plans. Despite this requirement, many public companies have been ruined by the COVID19 pandemic. Therefore, we should expect amendments to these requirements and revisions to the international standard for business continuity planning (i.e., ISO 22301:2019). We should also expect to see new interest in becoming certified to this standard.

Changes triggered by COVID19: #3 Remote Auditing

What are certification bodies doing about surveillance audits and re-certification audits?

Most of the companies that had initial certification audits scheduled for the first quarter of 2020 were forced to reschedule their audits because the employees must work from home, and the certification bodies must conduct at least some of their audits on-site. The FDA was also forced to cancel all foreign inspections temporarily. However, companies that already have certification need surveillance audits and re-certification audits to maintain the validity of their quality system certificates. Therefore, certification bodies now have plans for conducting audits remotely. For companies that virtual medical device manufacturers, certification bodies can conduct full quality system audits remotely. However, manufacturers with production activities on-site are only able to conduct partial audits. The certification bodies must still conduct on-site audits, but they are being permitted six months to conduct an on-site audit to cover the gaps remaining from the partial remote audits. Prior to conducting the partial remote audits, certification bodies are sending out questionnaires to all of their clients to gather information about whether the manufacturers can support a remote audit and to what degree.

Second-party audits conducted remotely

Second-party audits, also known as supplier audits, have always been of interest for manufacturers to conduct remotely–mainly if the supplier is located overseas. The US FDA regulations do not require companies to conduct supplier audits. However, if there are quality problems with suppliers, you are expected to conduct a thorough investigation to identify the root cause of quality problems, in most cases, that require an on-site audit. However, if your suppliers are providing good quality and they are ISO 13485:2016 certified, then you probably are using this as a justification for not conducting on-site audits or at least reducing the frequency of those audits. Now that most people are not able to travel, or because the people you need to speak with are working from home, manufacturers are being forced to conduct remote audits. This has always been permitted, but the effectiveness of remote audits is often questioned. Supply chain disruptions are now a global issue that is impacting the safety and effectiveness of our hospitals, and regulators will expect you to improve the rigor of your supplier evaluations–including conducting more supplier audits. Therefore, establishing more effective procedures for remote supplier auditing is urgently needed.

Changes triggered by COVID19: We need to develop procedures for remote auditing

Although most first-party audits are conducted on-site, especially if conducted by employees of your company, we will still need to establish procedures for remote auditing for internal audits. Some of our client’s scheduled internal audits for April and May that they had to cancel because they were unable to access the records needed for the audit while they were working from home. In addition, most of the US States have implemented stay-at-home audits that prevent our team from traveling to our clients. This is forcing our team to develop more robust procedures for remote auditing. We needed to change our audit agendas to accommodate eight 90-minute audit sessions in four days, instead of conducting two full days of on-site auditing. We are also doing more preparation before the audit to allow the auditees time to scan paper records so that we can review those records remotely. Finally, we are experimenting with techniques for collaboration as an audit team so that multiple auditors can simultaneously audit a client and complete a full quality system audit more quickly without forcing any one person to work for longer than 90 minutes in front of a computer. We are still perfecting these new methods, but we are writing a series of articles on this topic. You can order the book from Amazon ($5 pre-order discount until August 28, 2020).

Thank you & Future Articles

Thank you for reading. This is the longest article we have published on our site since 2012. This article also kicks off a ten-part blog series specific to remote auditing techniques:

Remote audit opening meeting – 4 changes – May 12
Audit team communications – May 19
Remote audit resources – software and hardware tools – May 26
How to apply a risk-based auditing approach to audits and remote audits – June 2
How to make a supplier questionnaire for remote auditing – June 25
Remote audit duration less than 90 minutes – June 30
Remote auditing work instruction – July 14
Planning partial remote audits – July 21
Remote audit invitations – 4 things to remember – August 4
Training new audit team members and lead auditors – August 11

There are also five new live webinars planned on related topics:

Opening Meetings Webinar (free) – May 14, 2020
Audit team communication during a remote audit (free) – June 4, 2020
How to qualify your supplier’s Webinar (pre-order by June 1) – June 25, 2020
Remote auditing techniques webinar (pre-order by July 1) – July 16, 2020
MDSAP Certification Body Interviews (free) – August 6, 2020

Changes triggered by COVID19 in your quality system Read More »

Search Results for: root cause

What is an FDA De Novo submission?

What is the De Novo review timeline?

What is the FDA track record in reviewing a De Novo?

Is there any good news?

How can the FDA improve De Novo timelines?

Creating a CAPA Board shows a commitment to quality

Is your CAPA procedure the root cause?

Does your CAPA Board have sufficient training?

CAPA Boards are responsible for management oversight of the CAPA process

Who should be assigned to the CAPA Board?

How does the CAPA Board manage the CAPA process?

Where are the requirements for process monitoring in 21 CFR 820?

Where are the requirements for process monitoring in ISO 13485:2016?

Why do all of our procedures include the requirement for metrics?

What are the disadvantages when you monitor and measure something in every procedure?

What are the advantages of monitoring every procedure?

FDA transition from QSR to ISO 13485

Testimonials

Regulatory responsibilities related to device supply chain disruptions – Organized by Jurisdiction

How to prevent device supply chain disruptions

Why?

Future blogs about device supply chain disruptions…Shortage Reporting

About the Author

Who quotes auditing services?

General pricing of auditing services

Name, Company, Email & Phone

What is the audit type?

Process areas that need auditing

Location (remote or on-site) for auditing services quote

Desired Date or Dates

What is the audit duration in hours?

Auditing criteria for auditing services quote

What will you ask and do when your FDA inspector calls the Friday before the inspection?

Who should be contacted by the FDA inspector if you are on vacation?

How will you communicate to the rest of your company that an FDA inspection is planned for Monday morning?

Who will greet the FDA inspector upon arrival, and what should they do?

Does your FDA inspection plan identify a specific room for the inspector? Is there a back-up?

Does your FDA inspection plan have assigned seating?

Who is the scribe in your FDA inspection plan?

Does your FDA inspection plan include provisions for document and record retrieval?

Does your FDA inspection plan indicate who will conduct a tour of the facility with the FDA inspector and how will the tour be managed?

When quality issues (i.e. FDA 483 inspection observations) are identified, is this covered by your FDA inspection plan?

Does your FDA inspection plan include plans for daily lunches?

Does your FDA inspection plan state who will attend the closing meeting?

Should you “promise to correct” 483 inspection observations identified by the FDA?

How and when will you repsond to the inspector with corrective action plans?

If your company is outside of the USA, what should you do differently to prepare?

How are you going to train everyone in your company?

Corrective and preventive action is the most common reason for warning letters

A note on other systems

Complaints are the second most common reason for warning letters

Medical Device Reporting is the third most common reason for warning letters

“Article 83 – Post-market surveillance system of the manufacturer

“Article 84 – Post-market surveillance plan

“Article 85 – Post-market surveillance report

“Article 86 – Periodic safety update report

“Article 87 – Reporting of serious incidents and field safety corrective actions

Additional Quality System Resources

About the author

Changes triggered by COVID19: #1 Use Face Masks

US FDA Issues EUAs

Everyone in the World Gets a Face Mask

Why aren’t you wearing your face mask?

Changes triggered by COVID19: Auditors need to wear face masks

Changes triggered by COVID19: #2 Business Continuity Plans

Will business continuity plans be required now?

Suggested content for your business continuity plan

How to practice your business continuity plans

Changes triggered by COVID19: Expect regulators to require business continuity plans

Changes triggered by COVID19: #3 Remote Auditing

What are certification bodies doing about surveillance audits and re-certification audits?

Second-party audits conducted remotely

Changes triggered by COVID19: We need to develop procedures for remote auditing

Thank you & Future Articles