FDA’s QMSR Final Rule Issued

January 31, 2024


FDA’s QMSR Final Rule Issued


FDA has issued its Final Rule on its new Quality Management System Regulation (QMSR) amending its device current good manufacturing practice (CGMP) requirements of the 1996 Quality System (QS) regulation (21 CFR Part 820) to harmonize and modernize it primarily by incorporating by reference ISO 13485:2016 3rd Ed., March 1, 2016, but with additional requirements and conforming edits to clarify the device CGMP requirements.  The Final Rule is scheduled to be officially published in the Federal Register this Friday, February 2, 2024.  It will have a generous two-year transitional period whereby the Final Rule becomes effective on February 2, 2026.


The Final Rule contains FDA’s formal responses to 83 comment groups. For those of us who had already performed gap assessments using the Proposed Rule, here is a summary of the changes between the Proposed Rule and the Final Rule:


  • Various non-substantive clarifications that won’t impact the gap assessments performed by my firm

  • More broadly citing (but not changing) the FD&C Act’s existing adulteration basis for refusal of entry of foreign devices

  • Vocabulary

  • Adding additional parameters to be met for granting of a statutory variance(s)

  • More prescriptive complaint handling and records

  • Packaging and labeling controls adjusted (to prevent, among other things, mixups rather than errors, and to allow inspection any time before use rather than immediately before use)


Remember that the foregoing explanation compares the QMSR Proposed Rule to the QMSR Final Rule.  It doesn’t compare the current outgoing Part 820 (which the remains in effect through Feb. 1, 2026) to the QMSR Final Rule.  Stay tuned for that ultimate comparison.

EU MDR Virtual Importers

January 25, 2024


EU MDR Virtual Importers


While I can see potential benefits of voluntarily creating an importer (along with the additional regulatory burden) to add a layer of compliance checks and balances, I strongly advise against the basis being an assertion that end users need regulation because they have, as one person said, “taken up responsibilities regarding safety and performance”. That in my opinion opens the door to more frivolous litigation against healthcare providers and/or manufacturers, and to more burdensome overregulation. It also seems to run contrary to a most fundamental tenet of Europe’s longstanding “common framework” and regulatory approach, which is to distinguish regulated economic operators and protect the public stakeholders on whom, or by whom, the devices are used.


If such a “virtual” (my terminology) importer is voluntarily invented/created by the stakeholders, then the manufacturer needs to remember that it will be required to execute a placing on the market of those devices to said virtual importer.  Specifically, the manufacturer and importer would be required to execute (and thereafter be able to prove) that there was an offer or an agreement (written or verbal) by the manufacturer to transfer ownership, possession or other property right concerning the product in question to the importer rather than the end user.  Again, such an arrangement could certainly be of value to reduce liability risk in those cases where the manufacturer has the bandwidth for such voluntary additional regulatory burden.  In fact, I have advised clients to do this at times, though not based on asserting that the end users had taken up responsibilities regarding safety and performance.

UK and EU End Users Are Not Importers

January 25, 2024


UK and EU End Users Are Not Importers


Generally speaking, end users are not considered to be importers.  This is the same for the UK and the MDD/MDR alike.  For example, the European Commission’s Directorate-General (DG) for Health and Food Safety advised me of that interpretation regarding the MDR, specifically saying, in part, that in both Regulations [(EU) 2017/745 (Article 2(33)) and (EU) 2017/746 (Article 2(26)], “importer” is defined as “any natural or legal person established within the Union that places a device from a third country on the Union market”.  And therefore that, if a manufacturer established outside the EU places a device on the EU market directly to a user, in such a case there is no importer, as there is no person established within the Union placing a device from a third country.


For the UK, end users don’t generally meet the UK regulations’ trigger for “supply” or placing on the market.  If instead the end user places the devices on the market or makes them further available on the market, then UK MDR regulatory obligations would ensue.  As long as the end user only uses the devices for their own particular end use, then they aren’t supplying or placing the devices on the market.

Are DoC Updates Required for Software Version Changes?

January 22, 2024


Are DoC Updates Required for Software Version Changes?


In general, yes.  I explain:


Remember that the MDR requires the manufacturer to “continuously update the EU declaration of conformity”.  For example, if the Technical Documentation (TD) is different for version 3.0 compared to 3.1 to 3.1.1 to 3.2, then the DoC needs to be updated accordingly along the way. Indeed, as soon as the TD is updated, the prior corresponding DoC is no longer valid.  The Blue Guide states that the DoC is specific to each individual product, even if they are manufactured in series. The Blue Guide also states that, in practice, the same version of the DoC may be applicable to many individual products (or versions) which are manufactured in series. However, as soon as any of the elements of the EU declaration of conformity changes, the version of the DoC will have to be updated.


But we do have some flexibility with the format of the DoC. Ultimately, multiple different devices or versions may be encompassed by a single DoC.  This is based on traditional precedent from the Blue Guide, EN ISO/IEC 17050-1, etc.  As long as all the required fundamental DoC contents/elements (e.g., per Annex IV of 2017/745) are clearly distinguished for each subject device or version, then multiple devices or device versions can be present on the DoC.

U.S. FDA 510(k) Clinical Data Requirements

January 19, 2024


U.S. FDA 510(k) Clinical Data Requirements


I always reminded clients that clinical data may not be required at all for a 510(k) subject device even though clinical data may have been required for the predicate.  A pre-sub(s) is generally a good idea and in all parties’ best interest for unusual scenarios rather than cutting corners, rushing, and/or guessing.


Ultimately, a 510(k) sponsor is expected to employ clinical data when necessary to meet the statutory “substantially equivalent” threshold compared to the predicate.  But that is easier said, than explained or done.  For example, FDA says that the need for 510(k) device clinical testing typically depends on many factors including device type, intended use, design, safety profile, and clinical experience. I’ll give some basic principles below.  But a careful expert regulatory analysis is needed for the exact subject device in order to help flush out the various attributes of each case.



In guidance, FDA explains that, while substantial equivalence is generally a “comparative” concept between subject and predicate rather than a PMA’s independent demonstration of the subject’s safety and effectiveness, FDA reminds us that the principles of safety and effectiveness still underlie the substantial equivalence determination in every 510(k) review.  FDA reminds us that its 510(k) review decision must reflect a determination of the level of control (e.g., clinical data) necessary to provide a “reasonable assurance of safety and effectiveness”.  Therein lies a junction where FDA’s requirements for clinical data (and/or increased non-clinical data) can be triggered for a 510(k) device.  Thus, the substantial equivalence concept can be awkward and ambiguous for all parties, as the goal of a 510(k) is not to show safety and effectiveness, yet, in a sense, actually is. In practice over the years, this underlying safety and effectiveness requirement for 510(k) devices appears to have caused 510(k)s to evolve into something more like mini-PMAs as compared to a few decades ago.  But I digress.


The simplest and most reliable way I can think of to explain when clinical data might be needed for an unusual 510(k) device is for us to approach it statutorily; a 510(k) is after all a statutory instrument.


Specifically, clinical data may be needed when the subject device has a different intended use and/or different technological characteristics that raise new questions of safety and effectiveness as compared to the predicate.  The expert regulatory strategy/analysis for each case needs to carefully draw out these considerations for the subject device as compared to the predicate.


FDA has a basic thought process it applies when reaching a decision that clinical data are needed for a 510(k) device. In a nutshell, it is when descriptive and non-clinical data are insufficient to meet the statutory substantial equivalence threshold.  FDA in guidance tries to bring further clarity on this threshold by giving some examples, including new or modified indications, technological differences, and limited or inappropriate non-clinical data.


We also need to be keenly focused on the output from the subject device’s design validation step.  The aforesaid purely theoretical/statutory principles need to be combined with the subject device’s own organic requirements as driven by its design control process.


I’ll pause here as the specifics of each case really do need to be known and expertly analyzed in order to derive the best regulatory strategy.

Notifying Your European Notified Body About Non-Significant Changes

January 11, 2024


Notifying Your European Notified Body About Non-Significant Changes


Europe’s Union MDR (Regulation 2017/745) includes legislative authority (e.g., in Annex VII sec. 4.9) for Notified Bodies (NBs) to require a manufacturer to notify the NB about certain kinds of changes [e.g., QMS, product range, device design (including labeling), intended use or claims, type, and chemical substances) without clear regard to significance. This is to enable the NB to assess the impact. Because that includes a concomitant requirement for the NB to have in place corresponding documented procedures and contractual arrangements, you should be sure you understand your particular NB’s change notification requirements by reviewing your NB contract to see about the possibility for negotiation and to double check that any of the NB’s related requests are within the parameters of the contract.  The best time to negotiate is before the contract is executed.  Once executed, it is more difficult to realize deviations if either party doesn’t like what’s in the contract.



Internally, you need to be sure your QMS has corresponding interfaces.  First is in your change management process whereby you need to screen changes against the NB’s notification requirements.  For those changes that meet the regulator’s (e.g., the NB’s or other agency’s such as Health Canada’s) notification thresholds, I have in the past set up a database and form to record such changes in a strategic way for presentation to the regulator for this context.  Then these strategic record(s) of change(s) are submitted to the regulator (e.g., the NB) in accordance with its applicable procedures and timelines that will be in your contract.

Difficulty Submitting Part 806 Report via FDA’s ESG Gateway

December 12, 2023


Difficulty Submitting Part 806 Report via FDA’s ESG Gateway


If for various reasons you are unable to submit your FDA Part 806 Report of Correction or Removal via FDA’s ESG Gateway, then another option is to have a third party submit your 806 report using the third party’s active ESG production account. For example, due to submitters’ various ESG account issues of late, my firm has had clients approach us to submit their ESG submissions using my firm’s valid account.  We’d be glad to do that for you too if you’d like to reach out to me further.


Regarding format, two typical choices regarding Part 806 reports are to use the eSubmitter, or to prepare the Part 806 report the traditional way with a word processer using a proven format.  My firm’s Part 806 format has been proven to lead to reliable recall closure concurrence from FDA and I’d be glad to discuss that further with you as well.  Or, if you already have an eSubmitter output file for your Part 806 report and the various attachments and data are sensibly associated with the body of the report via proper document publishing, labels and/or bookmarks such that the FDA recall coordinator can easily navigate the document, then you could also submit it that way directly to the recall coordinator’s contact point.

FDA U.S. Agent Services

December 8, 2023


FDA U.S. Agent Services


My firm regularly acts as the U.S. Agent for our international clients, so we have lots of experience with that.  In general, the foreign firm in its own FURLS registration records must first designate the U.S. Agent.  Then the prospective U.S. Agent receives a notification to either accept or decline that designation.  To accept or decline, the prospective U.S. Agent does so using the corresponding selection from within either the foreign firm’s FURLS record, or from within the prospective U.S. Agent’s own FURLS record.  My firm uses the latter approach as we have our own FURLS record separate from those of our clients.  Here’s an FDA page that might help you with more specific details.

Responding to a Form FDA 483

December 6, 2023


Responding to a Form FDA 483


One of my favorite types of work is responding to a Form FDA 483.


The specific nature and extent of an FDA 483 Observation(s) will influence FDA’s ultimate expectations for the response.  Thus, I will always need to see the exact Observation(s) to provide definitive advice.  But in general, the response needs to include, or promise to provide in scheduled course, the root cause assessment(s), a verification of effectiveness, and a plan to provide routine updates on your progress for the Corrective Action plans (among a number of other crucial elements) in order to neutralize FDA’s internal operating triggers for escalated compliance gestures like Warning Letters, your I explain further below.


FDA investigators often emphasize that the 483 response would be our planned corrective actions.  Yet my experience is that such emphasis is not to obviate us from providing implementation evidence, but rather to assure the firm knows that it doesn’t necessarily need to have all corrections and corrective actions fully closed within the 15-business-day timeline.


On that note, I’m not recalling any actual FDA regulation prescribing that we need to respond to FDA-483s within 15 business days.  But make no mistake, the 15-business-day mark is an FDA internal operating timeline built into FDA’s inspection management practices and regulatory procedures.  Specifically, FDA investigators are trained/instructed to advise the firm’s management that, if FDA receives an “adequate” response to the Form FDA 483, or other objectionable conditions, within 15 business days of the end date of the inspection, then it may impact FDA’s determination of the need for subsequent action.  This is driven by, and/or linked to, other downstream FDA internal operating procedures such as its Warning Letter trigger procedures directing FDA to make its Warning Letter decision/recommendation within fifteen working days after completion of the inspection.  Accordingly, steer clear of the notion that we don’t need to respond to an FDA-483, as such an assertion can be profoundly costly for your organization.


On the note of Warning Letters, I’ve first-hand seen repeated examples of Warning Letters and Untitled Letters that were issued wherein a cited key trigger was that the firm responded to the 483 but didn’t provide the actual evidence of completed corrections and/or corrective actions.  Here is an example of FDA’s usual language from a current active project I was hired to help resolve:


“…We reviewed your firm’s response where it’s stated that your firm will revise the firm’s CAPA procedures to include verifying or validating the corrective and preventive actions, and implementing and recording changes in the methods and procedures, in addition to perform a systemic (i.e., system wide) review of the firm’s CAPA procedures in order to identify other CAPA procedural nonconformities that may exist. However, the adequacy of your firm’s response and/or proposed actions cannot be determined at this time. Your response does not include supporting documentation to demonstrate that the corrections have been completed. These planned actions cannot be evaluated without supporting documentation...”


This type of FDA escalation is commonplace and pervasive when FDA-483 responses don’t ultimately provide actual evidence of implemented corrections/corrective actions.  Accordingly, be sure your response provides, or schedules to provide in due course, the actual implementation evidence (e.g., copies of revised procedures, copies of retrospective analyses, copies of revised/corrected documents like DHFs, complaints, CAPAs, etc., copies of training records, etc., etc.).


And don’t fall prey to the tempting notion that all of your promised corrections and corrective actions must be fully completed within the 15-business-day timeline.  That can actually increase the chances of FDA escalation when a firm makes unrealistic promises thereby showing FDA that the firm doesn’t truly understand the gravity of the issues.  The timeline for completion of your promised corrections and corrective actions needs to be done commensurate with risk and magnitude of the problems.  Urgency is certainly important; but sensibility about the true scope of the issues is also paramount for avoiding escalated FDA compliance gestures.


To further emphasize the importance of committing to give FDA (and following through) progress reports to FDA showing evidence of your completed corrections and corrective actions, remember FDA’s Warning Letter trigger consideration process for ongoing or promised corrective actions.  Specifically, FDA considers whether the firm’s 483 response contains, “…provisions for monitoring and review to ensure effectiveness…”, and, “…Whether documentation of the corrective action was provided to enable the agency to undertake an informed evaluation…”, and, “…Whether the timeframe for the corrective action is appropriate and whether actual progress has been made in accordance with the timeframe…”.  Put simply, this requires us to provide to FDA progress reports with evidence of our progress in order to help allay FDA’s Warning Letter trigger thresholds.


Regarding questions about showing FDA your root cause investigation: By regulation, FDA requires nonconformities (like those cited in your 483) to be properly processed as appropriate in accordance with the corrective action provisions of 21 CFR 820.100.  While FDA has said that not all nonconformities require corrective action, it is generally accepted best practice to automatically issue an official corrective action(s) covering each FDA-483 Observation.  And because of FDA’s aforesaid requirement for seeing the actual evidence of correction and corrective action in order to conclude that the objectionable conditions are resolved, then this consequently means providing copies of those CAPAs, which shall include the root cause investigation.


I won’t sidetrack this thread with the worn path about the pitfalls of the acronym “CAPA” other than to say that the “CAPA” acronym topic has been addressed ad nauseam in prior posts, and moreover to say that FDA is still pervasively using the “CAPA” acronym as my preceding FDA case quotation shows.  And similarly, regarding the trendy fad of declaring that there is no such thing as “root cause”, I would strongly advise against trying FDA’s patience and process with that questionable notion. I have posted extensively on this in the past where the criticality of finding the root cause(s) of a problem was previously discussed.


Also, be sure you don’t confuse or equate the standardized terms “correction” with “corrective action”.  They have distinctly different meanings and purposes for your FDA-483 response.  Convoluting or being careless about those terms in your quality system or 483 response is a perilous approach.


Don’t forget that an ultimate FDA compliance goal when receiving a Form FDA 483 is to thereafter receive from FDA what FDA has called a “VAI Letter”. The “VAI” acronym comes from FDA’s internal categorization ‘Voluntary Action Indicated’ that is generally given by FDA to inspections/investigations where no further regulatory [such as OAI (e.g., a Warning Letter)] action is expected.


A VAI Letter is issued where FDA has received and reviewed your response(s) to the 483 and does not have objections to your plan nor to the actions implemented to date. The FDA in the VAI letter will generally signal that it appears to FDA that your actions are on the right track, but will stop short of officially endorsing the adequacy/effectiveness of your actions, and that FDA will officially follow-up at the next regularly scheduled inspection.  My experiences have been that once a VAI Letter and the EIR are issued, then we are no longer expected to continue submitting the promised progress reports, though I generally confirm that to be true for each particular case before ceasing the progress reports.

“Declaration of Conformity” vs. “Certification of Conformity”

April 24, 2023

“Declaration of Conformity” vs. “Certification of Conformity”


There are different kinds of declarations and certifications germane to the medical devices sector.  And there is a proper distinction to be made between “declaration” and “certification”.  I give my further interpretations about that herein.


Ultimately, the precise context of each given scenario bears significantly on which vernacular is appropriate.  But also one’s real-world tolerance (or lack thereof) for longstanding entrenched tradition, vs. the strictest proper interpretation of these matters.  Indeed, this discussion reveals yet another example where there is tension between formally-established terminology vs. longstanding practice.  It can certainly be argued that the terminology like Certification of Conformity (CoC), Certification of Analysis (CoA), etc., isn’t the most correct language. On the other hand, it can also be argued that the CoC/CoA terminology isn’t wrong either.  Complicating the issue is that many organizations and agencies alike have organically woven the CoC/CoA terms into their paradigms.


For example, my experience is that the creation of such CoA/CoC by medical device manufacturers/suppliers is similar to analogous precedents from the pharmaceutical GMP sector like those modeled in the EMA Guideline on batch certification and in the EU GMP Guide Parts I & II.  This would not be the first time that I’ve seen pharma GMP concepts adapted into the medical device GMP sector.  Some more organic medical device precedents include those from the IMDRF (formerly the GHTF) and ISO/TC 210, who both acknowledge the use of the CoA/CoC vernacular.  For example ISO/TC 210’s guidance about the benefit of CoA/CoC for component (whether in-house or outsourced) traceability.


I think an insightful reference echoing (maybe even giving rise to) this terminology dilemma is ISO / EN ISO 17000 (as amended, and as applicable, covering vocabulary and principles, hereinafter “ISO 17000”).  Specifically, it fundamentally establishes the terms


  • “attestation” (i.e., a statement, based on a decision following review, that fulfilment of specified requirements has been demonstrated [emphasis added]),

  • “statement of conformity” (a generic expression used to include all means of communicating that fulfilment of specified requirements has been demonstrated, and conveying assurance that the specified requirements have been fulfilled [emphasis added]), and

  • “first-party attestation” (e.g., by a device manufacturer).


All of these, in my opinion, correlate with the CoA/CoC concepts.  For example, ISO 17000 says that, “…Instead of “assurance of conformity”, the term “attestation” is used…” [emphasis added].  Then the standard goes on to clarify that “declaration” is first-party attestation, while “certification” (e.g., notified body type test certification; other agency electrical safety testing certification, etc.) is a third-party attestation (thus bridging us over to the aforesaid ISO 17050-1 “declaration”).


So, the longstanding “CoA” / “CoC” terms don’t exactly fit nicely with these ISO 17000 terms.  Yet they aren’t exactly wrong either (in my opinion).  Because of this, and of the entrenched precedents for the “CoA” / “CoC” terminology (indeed, time and time again, I’ve seen organizations into whose operating infrastructure these terms are deeply woven, such that we’d be clanging gongs to try and strike down that language), I’m not ready to abandon/retire those terms just yet.   But when it becomes time to do that, I agree that the most standardized proper term is “declaration”.