Some 510(k) Q & A

Here are some questions I recently received by a company doing it's own 510(k), with my brief responses:

1.  Re:  Traditional 510(k), Section 10: Is it about summary of performance testing?   

     biocompatibility testing and bench  testing? 

     Ans:  Yes to all.  You either do any required tests or pay a lab to do them.  If you do them,   

     they have to be done per applicable standards.  E.g., Biocompatibility test requirements are    

     spelled out in ISO 10993.

2.  Design control?  How can I get that?

     Ans:  You should be currently developing your product under Design Control.  This means   

     doing it under 21 CFR 820.30, and addressing the 9 elements a 10th element is a Design Control       

     SOP; identical10 requirements in ISO 13485:2016 7.3, Design and Development Planning,  in your  

     documentation and systems:
     1) Design and Development Planning (e.g., Gantt chart or SOP-defined or ...; w/ "Start Date");
     2) Design input (requirements, standards, guidance documents, et al);
     3) Design output (drawings, specs, assembly / test SOPs, code, and similar);
     4) Design review(s) (to ensure past activities are complete, and lay out next actions; with an      
          impartial member of the review team);
     5) Design verification (I define by "working definitions" as testing, checking, inspection...);
     6) Design validation (I define as the collection of verifications);
     7) Design transfer (complete approved production-ready documents now in production);
     8) Design changes (the basic reason for Design Control - ensure changes are reviewed and 
          verified, then approved, all documented, prior to implementation during development);
     9) Design History File (DHF) (- proof that 1-8 were performed and the history of each).  
     As 820.30 requires, the results are documented in a DHF (Design History File).  
     If you haven't done so already, download the entire medical device  

     CGMPs, 21 CFR 820, from the fda.gov website.  You have to follow all of it, or your contract  

     manufacturer will follow much of it and you the rest.  Your  510(k) submission to the FDA is a

     tacit admission that you've done that, and you will later by audited by the FDA to ensure

     compliance.  That means also having SOPs and a QM (Quality Manual) that is also followed.

3.  About the CGMPs, I need to ask to the company whom I'm going to choose make my device   

     to show me the certification.

     Ans:  There is no legitimate US FDA CGMP (US 21 CFR 820) "certification".  If they are subject 

     to the US FDA CGMPs, they are registered with the FDA (as you will have to do), and subject

     to CGMP audit by the FDA.  You could ask to see copies of past FDA audits and the  

     company's responses.  And you can perform your own vendor audit to ensure their

     compliance, requiring you to get familiar with the CGMPs (or hire a consultant to perform   

     such an audit for your). This is for US sales.  For outside the US sales, the company would  

     have to have a quality management system (QMS) certified by a Notified-Body (BSI, TUV,

     DNV, UL ...), hired by the company, and that company's manufacturing system and product

     testing / lot release requirements / methods would also have to have an additional audit /

     certificate from their N-B.

As indicated above, a 510(k) is only one of many steps required by the U.S. FDA in order for a company to market devices in the U.S.

[note:  The FDA prefers the term "inspection" to "audit"]

-- John E. Lincoln,  www.jelincoln.com

Updated 09/06/2023.

CONTRACT  MANUFACTURING  ORGANIZATION  (CMO)  V&V  ISSUES

Some recent questions I received pertaining to CMO and equipment / process verification and validation (V&V), with my answers:

Ques 1.    In a CMO context, where very different process are run, should the PQ of the equipment be specifically performed for each manufacturing process?

Ans:  You could validate the equipment for it's general use(s), and/or expected uses.  Then have your V&V SOP(s) address a method to validate or verify the particular run for a client that adds the unique requirements of that client's lot(s).  Or add such additional V&V requirements by means of a 1st Article inspection (and/or other tests / QC) addressing the additional requirements.

Ques 2.    Is it possible to perform qualification of the equipment during the performance qualification of the process? In this case, could the critical parameters, defined for the process, be used for the PQ of the equipment? Or do they need to be specific for each piece of equipment?

Ans:  The approach I favor (and explained in my webinars, but by no means the only way) is to qualify / validated the equipment by means of the IQ, OQ, and PQs.  The critical parameters are addressed under the OQ, and can include DOE.  The PQs address the robustness, repeatability and reproduceability of the the equipment given all allowable worst case inputs (shifts, RM lots, etc).  Each piece of equipment needs to be so addressed.  I generally do a process V&V for such things as cleaning, etc.  However, I have done process V&V for the entire production process, in which case, I have separate verifications under the overall process validation, that address each piece of equipment, as explained in the webinar briefly.  Note the need to define terms per your company's "working" definitions, also emphasized throughout my applicable webinars.  

Ques 3.    Which is the criterion to define a piece of equipment as critical in a manufacturing process?

Ans:  The key criterion to such definition is the equipment's contribution to the "critical quality attributes" of the element of the final product it acts upon, especially as it relates to the end user, the patient / clinician.   This is an important point that I try to emphasize in my many webinars o V&V, and recommended tying such decisions in the V&V test cases / scripts to a Product Risk Management File / Report per ISO 14971 or ICH Q9.  It's possible to develop a generalized Risk document for a CMO, and then add some unique requirements to it in the batch record, tied to an additional analysis of the client's product.


Obviously 1 and 3 require obtaining some requirements as to quality attributes and safety / efficacy of the product's field use from the client, perhaps as part of the contract, a quality agreement, questionaire, or similar document.  Rather than being a burden, I think such a requirement might add to a company’s credibility in the eyes of its customers.

-- John E. Lincoln, jelincoln.com

DESIGN  REVIEWS  -- HOW  MANY?

I got an e-mail today asking a similar question.  It redirected the reader / was linked to a consulting company.  Basically it mentioned that one review is mandated by the regs - focusing on 21 CFR 820.30, medical device CGMPs on Design Control -  but the website recommended two, one after the Plan and one after V&V.  It also mentioned that additional ones may be advisable.

However, on the U.S. FDA's website, on a webpage dealing with design control guidance:

http://www.fda.gov/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm070627.htm

- note:  Figure 1; shows five such reviews.

So what is the actual requirement.  In short, "it depends".

The 820.30 simply states "that formal documented reviews of the design results are planned and conducted at appropriate stages of the device's design development."  To me this phrase is the key.

Moving beyond fulfilling design control requirements to avoid regulatory problems, to the positive of using such CGMP requirements because they improve a company's products, I recommend in my webinars and workshops that design reviews be used as product development "gates".  Such "gating" is described in the several 'fast cycle' development books that came out in the 1990's.  As such, I use them (and recommend their use) after each significant "milestone" on a Product Development Plan (my preference is a Gantt Chart), to review the completion of that milestone's tasks, and authorize the resources / budget to move on to the next milestone, when linear, or at critical junctures in the project, when reiterative.  Such formally scheduled design reviews are themselves a final task under each key milestone (and/or can also serve as the beginning task for the next milestone, if you're so inclined ).  Then design reviews make business sense, and are not just an exercise in compliance merely for the sake of compliance.

The CGMPs further require that the "participants at each design review include representatives of all functions concerned with the design stage being reviewed", and also include at least one member of the review team "who does not have direct responsibility for the design stage being reviewed", "as well as any specialists needed".  Of course each review - results, design ID, participants, and date, must be documented in the DHF.

-- John E. Lincoln,  jelincoln.com

AGILE  DEVELOPMENT  AND  AUTOMATED  SOFTWARE  TESTING

Here's my answers to two questions raised at one of my recent webinars on software / firmware V&V and documentation:

Ques 1:  Do you have experience working with Agile methodologies such as SCRUM? In your presentation, you mention that FDA suggests following a waterfall development cycle. Do you know what is the point of view of the FDA about iterative/incremental methodologies?

Ans 1:  My experience in Agile is limited, although, as mentioned its principles have been used in many companies before someone came up with the name Agile (as is true with many other "methodologies", e.g., 6 sigma). 

I showed the one slide to illustrate V&V (Verification and Validation), which showed a "waterfall" product development cycle.  It was used by the U.S. FDA, in the mid 90's and was focused on design control (21 CFR 820.30; see http://www.fda.gov/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm070627.htm
-- Figure 1 under "III. APPLICATION OF DESIGN CONTROLS").  It was used in conjunction with a process that typically is iterative / incremental -- device R&D to illustrate V&V for design control (21 CFR 820.30), and was not meant to show any FDA preference in product or software development, just how a series of device verifications lead to a device validation.  The FDA has no preference as to what development methodologies a company selects and uses, that I have seen to date -- they leave such decisions to the manufacturer, who must justify and prove / document their choices.  However, the FDA wants the documentation to prove defined processes were followed and that there was compliance to the regulations.  Hence my caution re: Agile, which manifesto on the Internet states that a key Agile goal is an implied minimization of defined processes ... and a reduction in documentation, to wit:
...
"Individuals and interactions over processes and tools

"Working software over comprehensive documentation..."  

-- http://www.agilemanifesto.org 

So just proceed with that caution in mind.

Ques 2: You haven’t discussed automated tests (for unit tests, integration tests, functional tests, performance tests). Wouldn’t it be the perfect tool to demonstrate reproducibility of a system? What is the point of view of the FDA on automated tests?

Ans 2:  There's nothing wrong with automated testing.  They are as mentioned, an excellent tool.  Much is done in software / firmware program development using such.  However, the automated test programs and hardware must themselves be rigorously validated in the same way as the webinar discussed (including 21 CFR 11; and see "SOFTWARE / FIRMWARE  V&V  "MODEL"" post below) before their data can be used in subsequent V&V activities.  So a discussion of automated testing is redundant to the subject of software testing as  discussed (see previous blogs on the subject).   Be aware that the FDA would look very carefully at such automated test equipment and programs, and their V&V, since they are then used for subsequent automated testing for V&V of other software on a repetitive basis.

-- John E. Lincoln, jelincoln.com

A  "SIGNATURE"  SOP

By "Signature SOP", I mean an SOP (Standard Operating Procedure) that defines what it means when a person signs their signature or initials on a document.  E.g:

o  An engineer signing for the engineering function, is only signing for the engineering portion of the document;

o  Marketing is only signing for approving marketing issues in the document;

o  Ditto Finance, Manufacturing, Operations ...;

o  Senior management is signing that the document meets company requirements and address the issues, based on reliance on the other signatures by function; and

o  QA is signing that the signatures are the latest after all iterations, that all elements mentioned in / required by the document have been addressed by the proper individual(s) / function(s), etc.


People have a hesitancy in signing a document dealing with subject matter they are unfamiliar with, may ask for unnecessary revisions, want additional clarification.  They are rightly concerned to be signing and "agreeing" to something that they don't understand, together with what they are involved with on the document.  

So such an  SOP would clarify what each functions' / individual's signature really stands for, and what it doesn't, and can assist in:
     1) getting the signatures, 
     2) defending a signature in an audit, and 
     3) defending a signature in court.

-- John  E. Lincoln, jelincoln.com

RISK  ANALYSIS

There seem to be several definitions of risk analysis, left unstated, in many on-line regulatory discussion threads, which can lead to incorrect focus and improper direction.   

The most important from a regulatory standpoint, either US FDA or EU MDD, et al, is product risk to the end user, the patient / clinician. For devices this is ISO 14971, for pharma it could be ICH Q9, which could include the d-, p-, and u-FME[C]A as well as other complementary methods recommended in those standards. 

IN ADDITION, a project leader may want to do risk analysis tied to project success, meeting budget and time deadlines, customer delivery commitments, etc. But those would be business / financial-related risks not the ones regulatory agencies mandate. And as mentioned, the earlier the better.  

So such risk analysis if performed on equipment would still have to trace any failure modes, malfunctions, or even correct functions that could cause problems, through to their effects on the end user / patient / clinician (an omission often cited for the disadvantage of using FME[C]A for patient / user risk analysis, although such can be compensated for by definitions and/or structure of such).

-- John E. Lincoln, jelincoln.com

RELATIONSHIPS:  DEVICE  DHF, DMR, DHR

Caveat.  There are many ways to meet the requirements of the Design History File (820.30); the Device Master Record (DMR, 820.1811); and the Device History Record (DHR, 820.184) required by the Device CGMPs.  The following is one field tested approach.

In addition to starting a new DHF for a new device, a requirement, many  companies start a new DHF for major changes to their existing devices.  If minor changes they handle under the CGMPs (Change Control, 820.40(b)).  
As with most of the points discussed herein, there are more than one correct approach.

Generally I recommend to my clients if they ask, that the DHF be used for major changes (with each new major change an addendum to the original DHF, or a new, cross-referenced DHF), which require some type of control of a series of development changes per 820.30.  For a minor / simple change, I recommend change control under  820.40(b), which at most companies is under a Change Request / Change Order (the CR when approved, can become the CO).  To it are attached the verification / test info'n / references, e.g., test report number / Lab Book Project no. etc, to justify the change, or in very simple changes, the actual data on the CR / CO.  The CO needs to have a block referencing a check for need to file a new 510(k) per Memorandum K97-1, and also tied to some kind of list / log of changes for a cumulative change review as well per that same K97-1.  All this is filed in Document Control, usually under QA (as would a closed out DHF, in many companies).  Of course this requires that document changes be defined in such a way to allow device changes (which are usually driven by a document change anyway, e.g., drawing change, specification change, etc.). 

When there is fielded software (firmware or software) and a revised version is created under change control, how does this affect the DMR and/or DHR?
Any change to a product, hardware or software, requires a change to the DMR (under change control, 820.40) for that product). Often the DMR includes a DHR template / blank (may be a "traveler" template /  blank, or in addition to a traveler), which would also be changed, or would at least drive a change to the DHR anyway, reflecting the new Revision / Release nos. of the software so changed (unless the Rev / Release No. entry is a fill-in blank). 
Consider the situation where a company has updated software that is then sent out to their customers.  In such a case, one possibility is that both (DMR and DHR) are updated (the DMR drives DHR content), assuming that the software is changed across the board.  If you're changing software for one customer at a time, then you're furnishing custom software, each program unique to each customer, and your entire CGMP system would have to be designed under that system.  My discussion is focused on the assumption that the software is a rev / rel where all customers for that particular software get the updates, new revs / releases. 
  
To clarify the role of the DHF, DMR and DHR:  The DHF shows the development of the device proving that the 8 other requirements of 820.30 Design Control have been met in its development from the "start" date.  The DMR is one result or design output from the DHF documented activities.  The DMR (820.81) is the device description, or "recipe": basically a list of all controlled records ("living documents") that define the device, to allow it's replication as defined in the FDA clearance (510(k)) or approval (PMA) documents.  The DMR might list device drawings, assembly work instructions / SOPs, test instructions / SOPs, BOM blanks (part numbers and part / component descriptions with blanks for quantity and lot numbers), blank travelers (which may list applicable validated / verified equipment settings with blanks to be filled in with the actual settings, operator or QC signatures and dates, and similar), reference other device specific SOPs, labels, Instructions for Use.  Some DMRs may list the generic SOPs that also apply to that device (and other devices), but don't have to. It would include the DHR template if additional to the above, e.g., traveler.

Additional on the DMR (the device "recipe"):  Although riskier, you could structure the DMR to list the device controlling documents without their current revision nos. / dates (e.g., list Drawing No. 0123, "current revision"; or SOP XYZ, "current revision” ).  Then the DMR would not always have to be updated when the device or software has minor changes, or even some major changes. However, the actual DHR template would have to be updated to reflect using the most current documents / settings / parts , et al, during manufacture of a lot.  All such changes would be under Change Control per 820.40.

The DHR (820.184) is the lot build history for one production lot; a record of how one lot / batch (lot number), or one serial number was built, quantities, RM lot nos, dates, personnel involved where appropriate, proving that that lot followed the "recipe" outlined in the DMR.  It would have the filled in / signed BOM, a filled / signed traveler (which could be a "DHR template blank"), samples of labels / IFUs included, sterile lot info (if sterilized), etc., showing / proving conformance to the DMR developed by the manufacturing process recorded in the DHF. Prior to release of that lot to the field, it would be reviewed and signed by QA, who would assure its accuracy and completeness of data and required enclosed documents.

In essence:   -- the DHF > DMR > DHRs.  See also "Definitions", 820.3.
The ultimate approach taken by a company must be defined by an SOP(s) and then followed!

-- John E. Lincoln, jelincoln.com

Note:  FDA's K-97 has been replaced by two FDA Guidance Documents  on changes to Devices / Software Requiring a new 510(k). JEL

Further updates: 06/20/2022 - JEL

Updated 2nd paragraph, first sentence: 12/27/24 - JEL

Can also add an addendum to the original DHF for subsequent changes. - JEL, 08/15/2025