Monday, January 3, 2022


The information provided in this blog is taken from sources and material which we believe to be reliable, and/or express the opinions of the writers and/or presenter. In such condensed and generalized form, the material certainly should not be considered a complete study or report on the subject matter, especially as to how it might relate to a specific company / user’s application. Conclusions are based solely on available data, and the judgments and analysis of technical factors offered are not intended to replace the utilization of additional research and/or appropriate professional counsel in adapting material to a specific application.

© 2022  by J. E. Lincoln and Associates LLC.  All rights reserved.  Reproduction in whole or in part without written permission is prohibited. 

Tuesday, November 9, 2021


Audit Core Matrix – Device CGMPs Documentation Review:  Systems, SOPs, records, et al. (references are to 21 CFR Part 820, Quality System Regulation):


Subpart    Description                                            Reviewed (‘Y’ or ‘N’) / Comments

  A        General (820.1, -.3, -.5)
  B        Quality System Requirements (820.20, -.22, -.25)
  C        Design Controls (820.30)
  D        Document Controls (820.40)
  E        Purchasing Controls (820.50)
  F        ID and Traceability (820.60, -.65)
  G        P and PC (820.70, -.72, -.75)
  H        Acceptance (820.80, -.86)
  I        Nonconforming Product (820.90)
  J        CAPA (820.100)
  K        Labeling and Packaging Control (820.120
  L        Handling, … (820.140, -.150, .160-.170)
  M        Records (820.180, -.181, -.184, -.186, -.198)
  N        Servicing (820.200)
  O        Statistical (820.250)


Monday, November 8, 2021

The Virtual / Remote Compliance Audit

The following three posts address an approach to virtual / remote internal or vendor audits, starting with the final report, then the conduct of the Audit, then back to the Audit Plan.  Use a video conferencing app and solicit key documents in electronic form prior to the audit.  Then follow the Audit Plan, discussing each element with the team and requesting any supporting documentation in electronic format, camera pictures, or similar.

Remote / Virtual Audits - Internal or Vendor Audits -  The Final Audit Report

Prepared For:

Site Audited (Remote / Virtual):

J.E.LINCOLN and Associates LLC          phone     435-840-0252
P O Box 2786
St George  UT  84771-2876               e-mail

[page break]

AUDIT TEAM:           John E. Lincoln

[page break]

01.  INTRODUCTION:  [Background, scope, team, process, timing, approach …]

[Completed Matrix findings and expanded discussions of findings]

Printed Name: John E. Lincoln

Attachments:     1 – ISO 13485:2016, Filled-In Audit Matrix
                 2 – Current Company SOP Listing.
                 3 – Audit Plan
                 4 – Audit Flow Chart



Remote / Virtual Audits - Internal or Vendor Audits -  The Audit

Conduct per the Audit Plan, adjusted by any client / team feedback.

The Audit CGMP Sub-clause Matrix (ISO 13485 or 21 CFR 211, or 820, etc):



 The following are ISO 13485:2016, Quality Management Systems for Medical Devices clauses (may be used as an audit checklist):

Clause     Description                                            Reviewed (‘Y’ or ‘N’) / Comments

4          Quality Management System
    4.1  General requirements
    4.2  Documentation Requirements
        4.2.1  General
        4.2.2  Quality manual
        4.2.3  Medical device file
        4.2.4  Control of documents
        4.2.5  Control of records

5          Management Responsibility
    5.1  Management commitment
    5.2  Customer focus
    5.3  Quality policy
    5.4  Planning
        5.4.1  Quality objectives
        5.4.2  QMS planning
    5.5  Responsibility, authority and communication
        5.5.1  Responsibility and authority
        5.5.2  Management responsibility
        5.5.3  Internal communication
    5.6  Management review
        5.6.1  General
        5.6.2  Review input
        5.6.3  Review output

6          Resource Management
    6.1  Provision of resources
    6.2  Human resources
    6.3  Infrastructure
    6.4  Work environment and contamination
        6.4.1  Work environment
        6.4.2  Contamination control

7          Product Realization
    7.1  Planning of product realization
    7.2  Customer-related processes
        7.2.1  Determination of requirements related to product
        7.2.2  Review of requirements related to product
        7.2.3  Customer communication




    7.3  Design and development
        7.3.1  General
        7.3.2  Design and development planning
        7.3.3  Design and development inputs
        7.3.4  Design and development outputs
        7.3.5  Design and development review
        7.3.6  Design and development verification
        7.3.7  Design and development validation
        7.3.8  Design and development transfer
        7.3.9  Control of design and development
        7.3.10 Design and development files
    7.4  Purchasing
        7.4.1  Purchasing process
        7.4.2  Purchasing information
        7.4.3  Verification of purchased product
    7.5  Production and service provision
        7.5.1  Control of production and service
        7.5.2  Cleanliness of product
        7.5.3  Installation activities
        7.5.4  Servicing activities
        7.5.5  Particular requirements for sterile medical devices
        7.5.6  Validation of processes for production / Service provision
        7.5.7  Particular requirements for validation of processes for sterilization and sterile barrier systems
        7.5.8  Identification
        7.5.9  Traceability
            Particular requirement for implantable medical
        7.5.10 Customer property
        7.5.11 Preservation of product
    7.6  Control of monitoring and measuring

8          Measurement, Analysis and Improvement
    8.1  General
    8.2  Monitoring and Measurement
        8.2.1  Feedback
        8.2.2  Complaint handling
        8.2.3  Reporting to regulatory
        8.2.4  Internal audit
        8.2.5  Monitoring and measurement of processes
        8.2.6  Monitoring and measurement of product
    8.3  Control of nonconforming product
        8.3.1  General
        8.3.2  Actions in response to non-conforming product detected after delivery
    8.4  Analysis of data
    8.5  Improvement
        8.5.1  General
        8.5.2  Corrective action
        8.5.3  Preventive action


                                                                                                #  #  #


Remote / Virtual Audits - Internal or Vendor Audits - Audit Plan

Audit Plan (published in advance of audit; for a one-day audit, smaller company):


I plan for a basic one day remote / virtual ISO 13485 compliance audit to follow the ISO 13485:2016 International Quality Management Standard for Medical Devices, per your request.

Preliminary Schedule:

[Note:  If any of the following can be segregated or collected prior, it would facilitate the thoroughness of the audit].   Times are approximate.

Since this is a remote / virtual audit, much information will be by question and answer, e-copies and/or PDFs of some documents, and possibly live camera shots of some areas, documents, etc.

8:00 AM         Approximate arrival by Zoom.

8:05 AM         Meet with Company / Quality Management Team:

                        o  Review Audit Plan; make any desired changes in focus / emphasis

                        o  Review corporate history, relationship, management/Org Chart(s), product line, registrations / certifications, marketing ads / claims.

8:30 AM         “Tour” of facility, review of physical activities, gathering of any forms, supporting documentation not previously obtained, develop rough flow chart -- preferably in the following order:

                        1.  ‘Back office’/support staff activities (purchasing, customer service);

                        2.  Raw material, parts components receipt / QC;

                        3.  Manufacturing/assembly/processing, test / QC, operations;

                        4.  Product shipment / QA;

                        5.  R&D;

                        6.  Engineering;

                        7.  QA/RA;

                        8.  Senior Management and documented involvement in QMS.

9:30 AM         Review all applicable ISO 13485 requirements per Check List.

10:30 AM        Detailed review of company QMS-related SOPs / written documentation and/or forms, Work Instructions, Quality Manual (SOPs and QM previously provided), e.g.:

                        1.  Purchasing/POs;

                        2.  Receiving documentation, Invoice verification/control;

                        3.  Inventory, non-conformance (rejects, damaged parts/product...) control;

                        4.  Product assembly, test procedures and/or work instructions;

                        5.  Packaging, shipping, servicing, returns...;

                        6.  Validation Reports;

                        7.  Design and Development Planning / Files;

                        8.  Device Risk Management Files, ISO 14971:2019;

                        9.  Use Engineering Files, IEC 62366-1:2015, if applicable;

                        10.  Other Audits (Internal, Vendor, Regulatory…);

                All applicable activities addressed by SOP, WI, and followed, proved by documentation.

12:00 Noon      Lunch Break (start draft report)

1:00 PM         Review any outstanding issues

1:45 PM         Dismiss team;  Start drafting the Audit Report / Regulation Sub-Clause Matrix

4:30 PM         Close-out meeting with QMS team/senior management (as available).

5:00 PM         Conclusion.

Note:  Sequences are approximate, based on areas requiring in-depth review, but audit content will basically follow the outline above.  In order to better benefit from this audit, the company’s QMS Team should review ISO 13485:2016 and our supplied Check List and Plan to get a flavor of the audit’s areas of emphasis.

After the Draft’s findings have been agreed to, a Corrective Action Plan will be drafted.

Assistance in Corrective Action is not part of this Plan.

The Final / Formal Audit Report will be mailed in approximately two weeks following audit’s conclusion. 


Wednesday, November 3, 2021

DHF, Risk Management, Use Engineering

One of the participants who attended the 6-Hour Virtual Seminar on The DHF, DMR, DHR, EU MDR Technical Documentation Similarities, Differences and The Future asked:

I would like to ask what I need to do for legacy medical devices (FDA Class 2).

My company has 510(K) clearance back in 2000. Since most of the requirements happened post 2000, may I know what I should do for the legacy medical device related to:

  • DHF (should I remediate it?) – some of the info may not be available (i.e., design review/meeting minutes/decision, formal approval (no proper documents control before), other validation records)
  • ANS:  Where the DHF was complete in 2000, it does not need remediation.  Areas of incompleteness can be filled in by researching old documentation, interviews, lab books, etc., and added (not backdated) to the DHF with explanation. Known missing data can also be stated and a document / memo to file added (actually or as an addendum).  Subsequent changes are addressed in the DHF if your company keeps it open / controlled, but as I mentioned in the webinar, I don't recommend that.  I recommend changes controlled by 1) a new DHF if extensive, 2) an addendum to the old DHF if extensive, or 3) use the CGMP Change Order system, 820.40(b).  In all cases, a change, single or cumulative, must be evaluated / documented as to the need to file a new 510(k). Remember to view the DHF through both regulatory and IP (intellectual property) "eyes".
  • Risk Management (RM) – DHF has been closed and now tracked under DMR – do I need to go back to update RM (per latest standard) during design stage which has been closed? Or update incremental to the latest standards? Or it’s OK to meet RM requirements at the time of design stage & no further work required (perhaps only periodical review post-market)?
  • ANS:  Although RM should be done as part of the Design (Design Control, 820.30, ISO 13485 7.3) process, since RM drives all device decisions throughout its lifecycle, the RM File must be a living / controlled document, updated as new applicable information becomes available (through CAPA, V&V, industry data, annual quality review, etc.). That's why I recommend in the webinar that the RM File and Use Eng'g File (if any) have a non-controlled copy in the DHF (or a pointer to it / them), of the version used during the design phase, prior to Design Transfer, and the actual RM (UE) Files be active and controlled (change controlled). The new version of ISO 14971 adds the need to add systemic RM considerations to the QMS.  Any change in emphasis re: Device (not QMS) RM based on the new 14971 rev could be addressed during one of those reviews / file updates.
  • IEC62366 – As it comes after 2000 which was not done before during 510(K) approval, do I still need to do it if no major changes to medical devices which have been shipped to market for ~20 years? I come across User Interface of Unknown Provenance (UOUP), what’s the minimum efforts that I need to take?
  • ANS:  You as a company need to decide based on novelty of your device and any user interface concerns that are still applicable 20 years later.  Human factors was a concern with the FDA in 2000, when they started publishing documents on it.  If your product / family has minimal field problems due to design / interface issues, I personally haven't seen regulatory agencies raise an issue about it.
  • ANS:  If the user interface falls under UOUP, you should consider all 9 stages of 62366-1, and revisit those that don't appear to be addressed, and/or pose a high risk to the end user / patient; and document this evaluation - basically a Gap analysis. Some devices are so obvious as to use (or are subject to med school et al training) that a UE analysis may not be justified, e.g., standard needles. Address in your applicable SOPs, and by a written rationale / letter to file.

Friday, September 24, 2021

FDA's "Backup" in Data Integrity

 Data integrity  Backup:

"How does FDA use the term “backup” in § 211.68(b)? 

FDA uses the term backup in § 211.68(b) to refer to a true copy of the original record that is maintained securely throughout the record retention period (e.g., § 211.180). Backup data must be exact, complete, and secure from alteration, inadvertent erasures, or loss (§ 211.68(b)). The backup file should contain the data (which includes associated metadata) and should be in the original format or in a format compatible with the original format. FDA’s use of the term backup is consistent with the term archive as used in guidance for industry and FDA staff General Principles of Software Validation. 

Temporary backup copies (e.g., in case of a computer crash or other interruption) would not satisfy the requirement in § 211.68(b) to maintain a backup file of data."

--   page 5

The key difference appears to be the accuracy, integrity, and exact nature of the data, consistent with the meaning of archived, and PERMANENT, as opposed to temporary backup files kept for a period of time for reference and then overwritten, which don't meet the FDA definition of "backup" in the sense of data integrity.