One of the most important CGMP requirements for Vendors / Suppliers...

Change Control, documented, and reviewed agreed to prior to implementation by the customer(s).  This is a hard one to get vendor buy-in or enforce.  However, failure to do so will get the customer (contracting company)  into major trouble with the user / market and regulatory agencies.  Device changes have to be documented, validated, and compared to the last cleared 510(k) per two guidance documents (device itself, and device software / firmware) on  device changes and the 510(k) with analysis of the last change and the cumulative change since the last cleared 510(k) documented - usually done by the company, not the vendor.

-- jel@jelincoln.com 

 Q&A from a recent one of my VMP (Validation Master Plan[ing]) Webinars

Ques:  Using vendor developed/administered tests as part of a company's qualification for vendor-supplied production / test equipment.

Many times vendor templates are not meeting internal documentation requirements. For example all tests are not signed/checked individually; one signed at the end of page or document.

How to handle this when vendor documentation is not fulfilling internal requirements?

Ans:  As mentioned, you would have to "fill in the blanks" with supplemental verifications/testing, so the vendor's documentation and the additional verifications complete your company's SOP requirements for the validation.

 

Ques:  Risk based validation.

Is validation really risk based if it is based just on URS requirements. A Validation is checking just URS requirements and maybe some internal documents. Should there be a formal risk assessment on which validation is based?

 

Ans:  Risk, i.e., patient safety (ISO 14971, ICH Q9)-based Risk Management Reports/Files addressing the subject being validated, are used to direct the test cases focus, depth, size, sampling, design, et al - not just the URS.  The higher the risk based on the Risk Management File / ISO 14971:2019, the more detail, et al, included in the V&V Report's test cases as per an example test case in the webinar (the test case introduction / narrative ties that test case to specific references / line items on a Risk File document, e.g., FMECA) to define the patient risk associated with that test case.     

 

Ques:  Documentation practices.

Test should be signed individually and at right time (in real time).

In some cases multiple tests are on same page and only one signature at the end of the page. Is this really fulfilling the requirement of right time?

 

Ans:  It depends.  FDA's Guidance Document on Data Integrity on test data does not agree with different test's data being combined under one signature  (in my opinion).  However, if one signature is used  to certify the accuracy of the report, with supporting information and signatures for the individual reports readily available elsewhere, that may be allowable, depending...  And would have to be clearly stated how it can be viewed as allowable in an SOP which is then followed!

 

Ques:  Document templates. During the webinar  specific example test templates weren’t available. Are they now?

 

Ans:  No,  That would be a specific consulting project. Complete validation templates are very specialized / unique and I don't supply them in an "all-purpose" webinar.  I do develop them as part of a dedicated consulting project.  However, the basic /generic format / outline was provided a couple of times on the slides, as well as an example of an IQ check list, an OQ test case and a PQ multiple sample (n=10, n=30 ...) test case, which all also can vary.  A list of product tests / verifications was also included in the slides:

E.g., Basic Test Report Format:

• Control Number, Title
• Scope, Purpose
• Pre-Approval
• Test description, lay-out, drawings / pix...
• Pre-determined test acceptance criteria
• Test materials (P/N, Lot No., description, Qty...)
• Test equipment (asset no., S/N, Model, Description...)
• DQ, IQ, OQ, PQs -list or test cases
• Software 10 elements (see Blog, elsewhere) if applicable, Pt 11 (OQ), Cybersecurity (OQ, if applicable
• Results:  Filled-in test cases. data sheets
• Conclusions:  Compare test case results to pre-determined acceptance criteria
• Appendix:  Training Record copies, calibration ccs,  red-lined SOPs, etc.

-- jel@jelincoln.com  

 

 The New US FDA Predetermined Change Control Plans (PCCPs)

The US FDA is proposing a new addition to 510(k)s and PMA submissions:  Predetermined Change Control Plans (PCCPs) for devices requiring premarket approval (PMA) or premarket notification (510(k)).  A PCCP is the documentation describing what modifications will be made to a device and how the modifications will be assessed.

A recently published draft guidance, “Predetermined Change Control Plans for Medical Devices”, Draft Guidance for Industry and FDA Staff, for comment only, issued on August 22, 2024, provides FDA’s current thinking on the information to include in a PCCP.  It is also soliciting comments from stakeholders as to the proposals it discusses.  This draft guidance recommends that a PCCP describe the planned device modifications, the associated methodology to develop, validate, and implement those modifications, and an assessment of their impact.

FDA reviews the PCCP as part of a marketing submission for a device to ensure the continued safety and effectiveness of the device, without necessitating additional marketing submissions for implementing each modification described in the PCCP.  By including a PCCP in a marketing submission for a device, manufacturers can prospectively specify and seek premarket clearance / approval for intended future modifications to a device without needing to submit additional marketing submissions or obtain further FDA authorization before implementing such modifications – provided the changes are consistent with the PCCP that has been submitted and FDA-reviewed / cleared / approved.

Obviously this is a provision where future changes / models / improvements are basically known at the time of the original 510(k) or PMA submission.  For changes made to address unforeseen issues at the time of initial submission, the two guidance documents of changes to devices needing a new submission would apply instead.  

-- jel@jelincoln.com

US FDA and Device AI/ML

The US FDA has announced steps toward a new regulatory framework to promote the

development of medical devices that use advanced artificial intelligence / machine

learning algorithms - AI algorithms that can learn from and act on data. They have

already authorized some devices having AI capabilities. Their AI Good Machine

Learning Practice lists 10 “guiding principles” for ML/AI¹ to apply FDA’s current

authorities in new ways to keep up with the rapid pace of innovation and still ensure

device safety and performance.

The Agency is looking beyond elemental “locked” algorithm AI devices – devices that

don’t continually adapt or learn - to “true” AI - machine learning algorithms that

continually evolve, often called “adaptive” or “continuously learning” algorithms, that

learn through real-world use. The FDA is exploring a framework to allow modifications

to algorithms to be made from real-world learning and adaptation, while still ensuring

safety and effectiveness of the software required for premarket review. They include the

algorithm’s performance, the added concerns for AI / ML software verification and

validation, the manufacturer’s plan for modifications, and the ability of the manufacturer

to manage and control risks of the modifications, including the software’s

"predetermined change control plan".

¹ https://www.fda.gov/medical-devices/software-medical-device-samd/good-machine-

learning-practice-medical-device-development-guiding-principles

-- jel@jelincoln.com 

 Major FDA Changes – The Final Rule on LDTs (Lab Developed Tests):  Many companies who sell home test kits for STDs, drug abuse tests and similar OTC, e.g., on Amazon, CVS, Walgreens, etc., have relied heavily on the FDA’s tacit neglect under FDA’s “selective enforcement” of LDTs and their definition and legal requirements.  This now has changed radically with the issuance of the FDA’s Final Rule in the Federal Register (US law) on LDTs, on July 5, 2023¹.

 In their Final Rule, the FDA has brought LDT’s back to their original intent, i.e., a limited category of tests, manufactured / assembled by CLIA (Clinical Laboratory Improvement Amendments of 1988) labs, for which no viable alternative in IVT’s / other medical devices exist and for which “targeted selective enforcement” would be employed. All other “LDT” devices will be treated by the FDA as medical devices / IVDs. There will be a 5-stage 4-year phase-out² to full compliance. The phase-out dates start with the publication date of May 6, 2024. This Final Rule will pose major problems for current suppliers of so-called LDTs to clinicians, Amazon, CVS, Walgrens, etc.

 All LTV’s are medical devices, and now will be regulated as such, per the Final Rule, including company (commercial manufacturer / lab) registration, device listings, premarket review (510(k), PMA, IDE, De Novo) where applicable (Class II and III), adherence to the CGMPs for devices (21 CFR 820 / ISO 13485), FDA inspections, US FDA MDR reporting  (Medical Device Reporting), Labeling requirements, et al.  

 ¹Final Rule, LDTs:  https://www.federalregister.gov/documents/2024/05/06/2024-08935/medical-devices-laboratory-developed-tests

 ²Phase-out Schedule:  https://www.fda.gov/medical-devices/laboratory-developed-tests-faqs/phaseout-policy-and-enforcement-discretion-policies-laboratory-developed-tests-faqs

-- jel@jelincoln.com

 APQP - Advanced Product Quality Planning

APQP had its start with the auto industry (1980s).  Some of its basic principles are taken from ISO 9001, QS 9000, and IATF 16949 (International Automotive Task Force).  Its goal is to provide a guide to assist sharing of development and other key data between suppliers and automotive companies to meet "customer" requirements and support continuous improvement .  Focus is on design, specification compliance, production processes, QC, process capability, product testing  and training.  Obviously compatible with ISO 13485 for the US and EU / Asia.  APQP tools include the 8Ds, SPC, FMEA, 6 Sigma, GR&R+, V&V, design reviews, and similar (see also the US FDA Production and Process Control for devices, pharma, combination devices).  

Some are promoting key elements of APAP for the medical device industry. As you can see by the above, the key elements are already in the US QSR and new QMSR, as well as Europe's MDR / ISO 13485 (and now with the US as well).

jel@jelincoln.com

 eSTAR 510(k) Submission Elements / Templates:

   Submission Type

   Cover Letter / Letters of Reference 

   Applicant Information 

   Pre-Submission Correspondence and Previous Regulator Interaction 

   Consensus Standards

   Device Description

   Proposed Indications for Use (Form FDA 3881)

   Classification

   Predicates and Substantial Equivalence (includes matrix and discussion)

   Design / Special Controls, Health Risks, and Mitigations (special 

    510(k) only)

   Labeling (labels, IFUs) 

   Reprocessing 

   Sterility

   Shelf Life

   Biocompatibility

   Software / Firmware

   Cybersecurity / Interoperability

   EMC, Electrical, Mechanical, Wireless and Thermal Safety

   Performance Testing

   References (literature, if any)

   Administrative Documentation, e.g., executive summary (recommended), a Truthful and Accuracy   

   Statement, and a 510(k) Summary or Statement) 

   Amendment / Additional Information response (responses to Additional Information requests).\

  Note:  The US 510(k), IDE, De Novo, PMA submission is similar to the EU Technical Document  

  File, in basic content and purpose (proof of meeting regulatory marketing requirements).  

   -- jel@jelincoln.com 

 The New QMSR, the CGMPs for Devices

Consists of:

• ISO 13485:2016, included in its entirety by reference in  revised 21 CFR 820;
• ISO 9000:2015, clause 3 (definitions), included by by reference in 820;
• "Read only" copies of both the above are available on the web - addresses provided in the QMSR;
• Most of previous 21 CFR 820, including all of C-O subparts, have been removed and reserved;
• New Subparts A and B comprise the rest of the QMSR, 21 CFR 820.
• The FDA has stated they are not changing the scope of the QSR in the new QMSR.  So read ISO 13485 as if it includes all of the old QSR in general.  Areas of special emphasis are in the new QMSR / 820 subparts (to address the pertinent requirements of the US' FD&C Act not fully addressed in ISO 13485). 
• Basic changes are in some changes to definitions, the elimination of FDA's past policy of not reviewing a company's internal audits, quality reviews, vendor audits, increased emphasis on labeling beyond ISO 13485.  
• ISO 13485's emphasis on risk management to be ISO 14971's definition: to patient, to user/clinician, to use environment plus compliance risk.
• Corresponding changes to QSIT and applicable guidance documents and 21 CFR 4, Combination Products, will be made.
• Until a company completes the change, they will be required to follow and be inspected to the the old QSR. 
• FDA has settled on a two year transition period, until 02/02/2026.

The change will require a rewrite of a company's Quality Manual and QMS SOPs, primarily in terminology and reference citations, not in the specific functions addressed. Training in the same will also be necessary.

      -- https://www.fda.gov/medical-devices/quality-system-qs-regulationmedical-device-current-good-manufacturing-practices-cgmp/quality-management-system-regulation-final-rule-amending-quality-system-regulation-frequently-asked

      -- jel@jelincoln.com

Eliminated a typo on Subpart B and added reference to the US' Food, Drug and Cosmetic (FD&C Act). - JEL 05/01/2024

To clarify, the FDA has stated that it will not inspect to the new QMSR until the two year implementation period has ended, Feb 02, 2026. - JEL 10/08/2024  
     

I just received an FDA announcement that the new QMSR (21 CFR 820) which incorporates ISO 13485 by reference, is now, as of February 02, 2024 (when published in the Federal Register), in effect, replacing the previous version of 21 CFR 820, the QSR.  Companies have two years to complete the changeover.  Until changed, a company is responsible to be in compliance to the older QSR.  The Quality Manual, SOPs, terminology, a Device Risk Management File and QMS addressing patient safety / risk needs to be in place. This has always been required but now it's emphasized.

"FDA Issues Quality Management System Regulation: Final Rule Amending the Quality System Regulation

To ensure medical devices on the market are safe, effective, and of good quality, the U.S. Food and Drug Administration (FDA) issued the Quality Management System Regulation (QMSR) Final Rule.

The QMSR rule emphasizes risk management activities and risk-based decision making and aims to reduce regulatory burdens on device manufacturers and importers by harmonizing domestic and international requirements.

The rule amends the current good manufacturing practice requirements of the Quality System regulation in 21 CFR 820.

“This final rule is the latest action taken by the FDA to promote global harmonization in device regulation to help assure that patients and providers have timely and continued access to safe, effective, and high-quality medical devices both at home and abroad,” said Jeff Shuren, M.D., J.D., director of the FDA's Center for Devices and Radiological Health. “By harmonizing key areas of a medical device manufacturer’s quality management system with the international standard, the FDA is streamlining actions device manufacturers must take to meet requirements by multiple regulatory authorities.”

Device manufacturers and importers will have two years to modify their Quality Systems to meet the requirements of the QMSR rule by February 2, 2026. Until then, manufacturers are required to comply with the existing Quality System regulation."

  -- https://www.fda.gov/medical-devices/postmarket-requirements-devices/quality-system-qs-regulationmedical-device-current-good-manufacturing-practices-cgmp?utm_medium=email&utm_source=govdelivery

-- jel@jelincoln.com 

Start addressing the proposed FDA device QMSR now

Device risk is going to have major emphasis in the revised 21 CFR 820 (currently it's only mentioned casually under Design Control, 820.30) which will include ISO 13485 by reference, and add consideration of ISO 14971 Device Risk Management to it to further flesh out 820.  ISO 14971 defines risk as 1) patient, 2) user / clinician, 3) use environment safety, not financial, scheduling, compliance risk, et al.  ISO 14971 requires a device risk management file, and risk incorporated throughout a company's QMS.  While I have emphasized such risk management since 2003 -- when I was called to assist a company that had 3 FDA inspectors on site for several months overseeing the company generate risk management files and resolve outstanding CAPA files with complete Failure Investigation and Root Cause Analysis documentation, reviewing every completed document prior to allowing it to be added to the company's CGMP documentation / records.

Incidentally, the FDA includes cybersecurity issues as a part of patient safety, if systems affecting the patient are, or can be, networked.

The Device Risk Management File format the Agency approved was similar to the following (one file for each device 'family'):

1.  Narrative:  Device background / description, use environment, team (including a relevant clinician), assumptions, and similar;

2.  Hazard List (basic use hazards and severity to patient);

3.  Fault Tree Analysis (expanding upon the Hazard List);

4.  FMECA's:  Design-, Process-, and Use-FMECAs (also expanding upon the Hazard List);

5.  Problems from "Normal" use  (added later to address the one problem with FTA,       FMEA, and FMECAs being only focused on "Failures" causing problems. Note:       14971 requires that "Control" be included under "Probability" in any final version       of a FMECA (RPN = S x P (including C)). 

6.  Final "Report" / discussion of residual risk, and the Benefit / Risk analysis /               statement. 

Not only did this format pass the inspection of those three inspectors back in 2003, but it has since passed numerous FDA inspections, Notified Body audits, 510(k) and IDE submissions, 483 / Warning Letters' remediation's (with companies in the US, EU, and Asia) since then. 

Get a jump on the upcoming Device CGMP changes, and be in compliance now, by addressing your risk management files now.

Also, SOPs(and the QM) should start including not only references to the 820 regulation (in general), but also specific references to the appropriate ISO 13485:2016 citation(s).  I've been doing this for many years already for my clients. 

  -- jel@jelincoln.com  

 Project Management

• For most projects, I use a Gantt Chart. But I never work off "% complete" - too vague. I break the project down into discrete deliverables (milestones) and the steps necessary to achieve that deliverable (tasks). E.g., a part spec, an SOP, an equipment installation and validation, and so on., which are easier to evaluate as to completion. The more unfamiliar I am with the project, the more discrete milestones I include. With inspection resolution, each observation is it's own deliverable / milestone. When I have parallel activities to track, I supplement the Gantt (day-to-day management) with a network diagram (CPM, PERT) which is infrequently updated, to show the parallel activities and the critical path. -- jel@jelincoln.com

• 
  

• 
  

• 
  

•