Blog

Design Plans: Clearly Identify Design Team Members/Contributors

April 11, 2023

Design Plans: Clearly Identify Design Team Members/Contributors

 

It’s important to be mindful that ISO TC/210 and FDA expect the design team and its members’ roles to be very clearly defined (i.e., in the design plan).  FDA says that, “The importance of defining responsibilities with clarity and without ambiguity should be recognized.”  ISO TC/210 says, “It needs to be clear who has responsibility and authority for design and development. Generally, as different groups or functions within your organization are involved in design and development, clear and effective communication with distinct assignment of responsibilities across your organization is important….The design and development plan should identify the review, verification and validation methods to be used, including who is to carry them out…” [emphasis added].  This alludes to the pitfalls of arguing against a regulatory authority who seeks inclusion of the various personnel contributions as being part of the design team.

FDA ESG Digital Certificates

April 10, 2023

FDA ESG Digital Certificates

 

If you are having trouble getting FDA’s ESG portal to work for you because of rejected digital certificates, then there there are at least a couple of alternatives.  Specifically, you can seek expert third party assistance getting your digital certificate issues resolved; and/or in the meantime while your digital certificate issues are being resolved, you can have a third party submit the eMDRs on your behalf using the third party’s ESG account.  That is a service that ComplianceAcuity can offer.

 

During times of complete desperation, a less viable temporary option is to, as an interim measure, submit the MDR directly to FDA’s MDR Team with an explanation that you haven’t yet been able to get your ESG submissions to work.  Be aware that FDA will reject such a submission method and you will eventually still need to submit the eMDR via the ESG. But you will at least have shown in good faith your intent to inform the agency of the reportable adverse event.

 

And here are some pointers for getting your FDA ESG digital certificates to work:

 

  • The digital certificates authenticate the sender (kind of like a digital signature would).

  • The sender must have two certificates: a “Public Key” certificate (file type .cer) and a “Private Key” certificate (file type .pfx).

  • Together, these seem to meet the X.509 specification requirement.

  • These certificates expire and will need to be renewed on a periodic basis.

  • Keep your certificate files accessible at a known location on your computer.

  • To see if they are not expired, click on the .cer file and a window will pop up with certificate details.

  • If expired, then you will need to obtain new certificates.

  • Once obtained, export the Public Key and Private Key (the .cer and .pfx files) (see https://www.fda.gov/industry/about-esg/esg-appendix-c-digital-certificates).

  • Install them.

  • Update the Public Key (the .cer file) needs to be uploaded into your User Portal at https://esgportal.fda.gov/.

  • Once that upload is completed, then submissions should be accepted via your ESG production account.

  • Note that when making an actual ESG submission, the .pfx certificate file is the one that is linked/uploaded as part of the ESG submission, not the .cer certificate file, so be sure your linking the correct one, or the ESG submission will fail.

EU MDR Basic UDI-DI “essential design and manufacturing characteristics”

April 7, 2023

EU MDR Basic UDI-DI “essential design and manufacturing characteristics”

 

According to the MDCG (2018-1), the Basic UDI-DI is the main key in the database and relevant documentation (e.g. certificates, declaration of conformity, technical documentation and summary of safety and clinical performance) to connect devices with same intended purpose, risk class and essential design and manufacturing characteristics.  While this definition is a departure from the official definition in the EU MDR and IVDR, the Commission appears to have endorsed it nonetheless when the Commission used that definition in its 01/08/2020 ‘What you need to know!’ / FAQ document on UDI. I’ve also see notified bodies like BSI endorse the MDCG definition.

 

Since for this context the EU MDR and IVDR don’t actually define what is meant by “essential design and manufacturing characteristics“, we seem to be left with some liberty in how to interpret that phrase when approaching the Basic UDI-DI.  This becomes particularly important when grappling with whether a device change requires a new Basic UDI-DI.

 

ComplianceAcuity’s recommended approach is to assess the impact of a change on the Annex II Section 3 technical documentation (Design and Manufacturing Information).  If a device or manufacturing change is made that significantly affects that Section, then there is a good chance that a new Basic UDI-DI is needed.  I would also go further and say that if there is a significant impact on the conformity information used for Annex II Section 4 (General Safety and Performance Requirements) (e.g., in the GSPR checklist) with regard to the GSPR(s) related to device design and manufacturing, then that would also be an indication of an impact on the Basic UDI-DI.

Health Canada Medical Device System License Components Sold Separately

April, 6, 2023

Health Canada Medical Device System License Components Sold Separately

 

In general, components of a licensed medical device system can be sold separate from the system on the condition that the label of each component bears the system name. Also, strictly speaking based on Health Canada’s CMDR and guidance terminology and interpretations, additional conditions are that, to be covered by the Medical Device System license, here are some important rules regarding the System’s components:

 

  • “Component” means one of several possibly unequal subdivisions into which something is or is regarded as divided and which together constitute the whole. A component may also be referred to as a part or an accessory.

 

  • Components not sold under the System name cannot be licensed with the System, even when they are intended to be used together.

 

  • All the Components of a System must be listed on the license application by Medical Device Name and by Identifiers (e.g., Catalog Number, etc.).  This means they must also appear on the System license via those identifiers.

 

  • The application must provide documentation and information on all Components of the System.

 

But if one were aiming to deviate from these strict interpretations (for example by claiming that a subcomponent is just a replacement/consumable part), then it would be best to first consult Health Canada for permission regarding such deviations. Otherwise, such subcomponents will need their own dedicated Device License(s), either by way of amending the current System license to add the additional descriptors, or else by getting a new individual device license(s) depending on further details of the scenario.

Is that eQMS platform (such as SharePoint) fit for its purpose?

April 6, 2023

Is that eQMS platform (such as SharePoint) fit for its purpose?

 

I saw a question today wondering whether SharePoint is suitable for maintaining a medical device QMS documents system and record control. In a nutshell, SharePoint (or whatever other eQMS practice is proposed) may or may not be suitable for maintaining the QMS documents system and record control, or for other QMS operations, depending on the case.  Here are some key points to consider when figuring out whether a computer platform is suitable for QMS purposes:

 

  • ISO 13485:2016 (as amended; hereinafter “ISO 13485”) is intended (clause 0.1) to allow flexibility, rather than mandated uniformity, in the structure of different quality management systems.  Accordingly, ISO 13485 doesn’t out right prohibit the use of SharePoint, nor any other eQMS solution, to facilitate QMS operations.

 

  • ISO 13485 doesn’t really allow anyone to just “believe” that an eQMS approach is unfit.  Instead, we are expected to employ an impartial scientific method whereby we validate the software for its defined intended use per clause 7.5.6, fourth paragraph.  If the software fails that process, only then can we conclude it is unfit for its purpose.  Don’t be tempted to assert unfitness apart from that impartial scientific method.

 

  • The U.S. FDA’s eQMS software validation requirements [21 CFR §820.70(i)] reflect the same principles as described above for ISO 13485.

Don’t confuse FDA’s Part 11 with FDA’s software validation requirements of §820.70(i)

April 6, 2023

Don’t confuse FDA’s Part 11 with FDA’s software validation requirements of §820.70(i)

 

I oftentimes see narratives that state or imply that FDA’s security and integrity requirements for electronic records and signatures from 21 CFR Part 11 are the same thing as FDA’s quality system or manufacturing “software validation” requirements in 21 CFR §820.70(i) .  But these two things, though related, aren’t the same.  Specifically,

 

  • 21 CFR 820.70(i) requires (among a couple other things) that, whenever computers or automated data processing systems are used as part of the QMS, then the manufacturer shall validate computer software for its intended use according to an established protocol.  This is FDA’s primary medical device QMS software validation regulation. As an aside, it is generally understood in the software validation community that the OQ/PQ concepts from the process validation world aren’t proper fits regarding software validation.  This is because the OQ/PQ concepts, when deployed as intended, are focused on process development and repetition which aren’t generally germane for software validation.  Indeed, if a software validation protocol employs the OQ/PQ concepts, then it’s most likely that it isn’t actually real OQ/PQ that is being done.

 

  • Regarding 21 CFR Part 11, it’s important to remember and distinguish that its fundamental purpose is limited to, and focused on, when required records and signatures are kept in electronic format.  If so, then it demands the security and integrity controls of 21 CFR Part 11.  But two important points there:

 

    1. Don’t holistically equate Part 11’s coincidental validation requirements with the overarching software validation requirements of 820.70(i); and

    2. Remember in any event that FDA is currently employing Part 11 enforcement discretion as follows:

      1. fewer records are subject to Part 11 (FDA is only applying Part 11 if the required records or signatures are kept in electronic format instead of paper, or if one other similar condition is met);

      2. For those records that remain subject to Part 11, FDA is exercising enforcement discretion with regard to Part 11’s requirements for validation, audit trails, record retention, and record copying, yet while Part 11’s other requirements (e.g., limiting system access, use of various checks, etc.) continue to apply.

eIFU MDD & EU MDR Notified Body is Required (as applicable)

April 6, 2023

eIFU MDD & EU MDR Notified Body is Required (as applicable)

 

Both Regulation (EU) 207/2012 (the eIFU regulation for the MDD) and Regulation (EU) 2021/2226 (the eIFU regulation for the EU MDR) require that conformity with those regulations be reviewed by a European notified body where applicable (i.e., for those device classes/types requiring notified body involvement for conformity assessment).

Don’t Claim Device MR Compatibility Until You’ve Earned It

April 6, 2023

Don’t Claim Device MR Compatibility Until You’ve Earned It

 

For the United States, if a device doesn’t yet have FDA-cleared/approved MR labeling, then it would constitute misbranding (illegal labeling) if a letter or other promotional or instructional information is sent to customers stating that the device is MR safe.  In short, this is because a) such a customer letter meets FDA’s statutory definition of labeling; b) if a letter (or other labeling) promotes a device as being MR safe when in fact the sponsor hasn’t actually yet completed and vetted the required MR compatibility testing, then that constitutes an unsubstantiated claim thereby violating FDA’s labeling law, and c) MR labeling is an attribute that needs FDA premarket authorization [e.g., 510(k)-clearance, PMA approval, etc.] before being used for marketed devices.

 

FDA 510(k) Aggregate Change Analysis for Special 510(k)-Cleared Devices

April 5, 2023

FDA 510(k) Aggregate Change Analysis for Special 510(k)-Cleared Devices

 

A Special 510(k) is intrinsically by definition a 510(k) intended to detail only a 510(k)-cleared device modification(s) rather than to detail the 510(k)-cleared aspects that haven’t been modified.  This means that the subject device described in the Special 510(k) cannot be fully characterized and understood simply by what is stated directly in the Special 510(k) document submission.  Indeed, FDA itself says that [see the Special 510(k) guidance], in order to have a complete understanding of the device under review, the Special 510(k) is to a) detail the change(s) made that triggered the Special 510(k), and then also b) regarding the aspects that weren’t changed, “…state that no changes were made“.

 

So a properly written Special 510(k) will simply make such a generic statement for whatever 510(k)-cleared aspects haven’t been changed.  In other words, those unchanged aspects are “incorporated by reference”, and thus aren’t actually described directly in the Special 510(k) submission.  But this certainly does not mean that those unchanged 510(k)-cleared aspects are no longer part of the device’s current 510(k) clearance.  They are definitely there, specifically by way of their incorporation by reference into the Special 510(k).  Therefore, to fully understand those 510(k)-cleared attributes, one is forced to go to the 510(k) submission document where they were detailed.

 

Ultimately, it is in contravention of U.S. medical device law to assert that those unchanged 510(k)-cleared aspects are somehow nullified by their generic incorporation by reference into the Special 510(k).  Again, a Special 510(k) is intrinsically for detailing modifications that are to be paired with the various unchanged 510(k)-cleared aspects so as to represent the full 510(k)-cleared version.

FDA Medical Device Repackagers and Relabelers: A Regulatory Overview

April 5, 2023

FDA Medical Device Repackagers and Relabelers: A Regulatory Overview

 

When clients are pondering various business models and wondering if they are “possible”, I often tell them that the regulatory requirements will accommodate pretty much any business model you can invent.  So the answer is invariably, “Yes, we can do that”.  But the real question is whether the corresponding regulatory pathway/strategy will be feasible for the business plan.

 

Regarding medical device repackaging and relabeling, FDA has officially defined these terms.  And those definitions will dictate the applicable regulatory requirements.  Specifically, a repackager is someone who packages finished devices from bulk or repackages devices made by a manufacturer into different containers (excluding shipping containers).  A relabeler is someone who changes the content of the labeling from that supplied from the original manufacturer for distribution under the establishment’s own name. Yet a relabeler does not include establishments that do not change the original labeling but merely add their own name (e.g., by adding a sticker that doesn’t obscure the manufacturer’s labeling).  These terms are significant because FDA considers them to be forms of manufacturing operations, thus triggering the applicable regulatory requirements that, in general, apply to any manufacturer.

 

Specifically, if a firm’s business model involves doing true repackaging or relabeling, then key regulatory requirements include, but may not be limited to:

 

  • FDA Establishment Registration as a repackager and/or relabeler

  • Medical Device Listing(s) for the repackaged and/or relabeled devices

  • Submit for premarket authorization [e.g., 510(k), PMA, etc.] where applicable depending on device class

  • Comply with GMP here applicable depending on device class

 

If on the other hand the plan is to be a wholesale distributor who is just distributing another manufacturer’s devices that are private labeled for the wholesale distributor so that only its name and brand are on the product, then such wholesale distribution is exempt from the aforesaid regulatory controls, with one exception.  Specifically, as a general rule, any finished device contract manufacturer shall register, list, and comply with GMP.  So, if the wholesale distributor also happens to be the one repackaging and relabeling to realize the private label version of another manufacturer’s device and is doing so in accordance with that manufacturer’s DMR and under that manufacturer’s authorization and supervision, then that is a finished device contract manufacturing operation, thus triggering establishment registration, device listing, and GMP obligations.  However, the premarket authorization requirement [i.e. 510(k), PMA, etc.] still remains with the OEM.