In our last FDA FastStats series of the year, we look back at all FDA 483 Inspectional Observations for Fiscal Year 2014. 483s increased in foods from the prior fiscal year to 2476, an increase of 3.8%. However, medical devices and drugs were down -11.6% and -6.5%, respectively, from FY 2013. Interestingly, medical device 483s bucked their recent upward trend with the lowest number of observations since FY 2009.
In case you missed it, the FDA issued this update on UDI yesterday:
Having passed the first Unique Device Identification System compliance date of September 24, 2014 (for Class III devices and devices licensed under the Public Health Service Act), the FDA’s Center for Devices and Radiological Health (CDRH) would like to take this opportunity to summarize recent and upcoming UDI activities and deadlines. The next two compliance dates for UDI requirements are:
September 24, 2015 for non-class III implantable, life-supporting, and life-sustaining (I/LS/LS) devices
September 24, 2016 for class II devices
Global Unique Device Identification Database (GUDID) Data Submission:
In January 2015, we will begin accepting GUDID account requests from labelers of I/LS/LS devices. Later in 2015, we plan to accept GUDID account requests from labelers of class II devices. We strongly encourage all device labelers to take steps to ensure their readiness to meet UDI requirements well before actual data submission to GUDID. This will provide labelers with ample opportunity to assess their ability to meet requirements, including data submission to the GUDID, by their deadline and to work with us if they have any difficulties coming into compliance. Suggested steps are included on the UDI website.
Also in January, we will host a webinar to help Class II and I/LS/LS device labelers prepare to comply with the UDI rule. Notification of webinar specifics will be sent directly to these device labelers in early January. The webinar will include overviews of UDI requirements and how to get started with the GUDID.
We continue to work with industry on UDI implementation issues that surfaced in 2014, including GUDID data submission for contact lenses/IOLs and development of approaches to ensure the UDI is available at the point of use for non-sterile implants. We recognize there are several other policy issues that are of significant interest to industry; we hope to address a number them in 2015, such as UDI direct marking requirements, convenience kits, posting of decisions on UDI exceptions and alternatives, and issuance of additional Frequently Asked Questions (FAQs).
The use of National Health Related Items Code (NHRIC) and National Drug Code (NDC) numbers for devices is being phased out over a time period that corresponds with thecompliance dates for UDI requirements. Device labelers that want to retain the use of FDA-issued NHRIC or NDC labeler codes under a system for the issuance of UDIs were required to request such continued use by September 24, 2014. If you intend to retain the use of a previously issued FDA labeler code within your UDI system but have not made such a request, we urge you to do so as soon as possible.
UDI Adoption and Use:
We continue to collaborate with stakeholders, such as the Pew Charitable Trusts, the Office of the National Coordinator for Health IT (ONC), and the Brookings Institution to promote and facilitate UDI adoption in health care settings.
We are working with the National Library of Medicine (NLM) to give the public search and download access to published records in the GUDID in the spring of 2015. GUDID search will allow published GUDID data to be retrieved based on parameters of interest to the user. The GUDID download function will let users download all published GUDID data at once.
Finally, we’d like to reaffirm our plans to implement this important system over several years—and underscore the fact that we fully intend to be flexible during this time. Our main focus is getting the system implemented correctly and actively helping companies comply with system requirements. As with the implementation of many new systems, it can take time to understand and comply with new requirements—widespread, strict enforcement of associated deadlines and requirements is not necessarily the best way to achieve compliance at this time.
To date, industry has been very willing to work with CDRH, and we have experienced excellent efforts and strong feedback. We urge labelers that are having difficulty fulfilling UDI requirements to let us know through the FDA UDI Help Desk.
We will continue to work diligently to give the medical device industry, health care systems, clinicians and patients the assistance and information needed to implement and use UDI successfully. For additional information, please see www.fda.gov/udi or contact us at the FDA UDI Help Desk.
In our latest infographic analysis, today’s post highlights medical device warning letters with quality system deficiencies. Surprisingly, warning letters were actually down 12.2% from 2012. However, they are almost double the number (77) issued in 2009. Are we looking at a downward trend? The jury’s still out. The highest number of warning letters issued in the past 10 years was in 2012, with a total of 164. The lowest was 2007, with only 74 warning letters issued.
As we approach the end of 2014, we will take a look back at FDA’s stats on various topics sourced from their Case for Quality initiative. The FDA believes that the following type of information will:
- Help industry improve medical device quality by sharing common observations
- Identify possible areas of emerging concern, and
- Possibly help firms avoid warning letters
Our first in the series of infographics is 483 inspectional observations.
In our latest round-up, it was the District Offices turn to chime in on medical device company alleged shortcomings.
As expected, FDA is shifting more and more of its regulatory focus toward Medical Device Reporting (MDR). In an October 1 letter, the agency’s Baltimore District Office hit Baltimore-based Electronic Development Labs for not having an MDR procedure. Bad idea.
The company may not have recovered very well, either. “The adequacy of your firm’s response dated November 20, 2013, cannot be determined at this time,” FDA’s warning letter said. “Your firm’s response indicates that the development of an MDR procedure was added to a list of action items. In order to determine adequacy, FDA must receive a copy of the MDR procedure for review.” Electronic Develop makes the NervoScope.
The agency also gently encouraged the company to look into eMDR.
As we’ve noted before, FDA eMDR Final Rule requiring manufactures and importers to submit electronic Medical Device Reports (eMDRs) to FDA was published on February 13, 2014. The requirements of this final rule will take effect on August 14, 2015. If a firm is not currently submitting reports electronically, FDA politely encourages it look into it on FDA’s web page devoted to eMDR.
The FDA demonstrated its ongoing interest in CAPA in an October 7 letter from its Los Angeles Office to Alpha Medical, a maker of angiographic balloon catheters.
After Alpha tried to respond to a September inspection, FDA made it clear the reply needed some work. Example: “CAPA 104 was opened on January 10, 2013, concerning non-conformities regarding balloon extension air leaks. The CAPA report references multiple root causes for these leaks; however not all of these potential causes were analyzed and investigated.”
The agency went on, “Your records reference that personnel were retrained, but the corrective actions for which they were retrained were not documented. Additionally, this CAPA was closed on February 22, 2013 without documentation that an effectiveness check was performed.
In an October 10 letter from the Cincinnati District Office, local regulators challenged West Lake Enterprises, maker of medical gas pressure regulators and suction regulators, with CAPA and other violations, including installation that’s not in conformity with the Current Good Manufacturing Practice (CGMP) requirements of the Quality System (QS) regulation. The company responded, and FDA came back with additional questions.
The Denver District Office joined in with an October 28 letter to Xanacare Technologies, maker of SimulCare II, a therapeutic lamp/nerve stimulator/massager. The agency hit them for several issues, including problematic design control, device history records (DHR) and complaint handling. As of late October, the agency said it had not received a response from Xanacare.
If you have been procrastinating on setting up electronic submissions for your adverse event reports to the FDA, you might want to reconsider that decision. Earlier this year, the FDA published its final rule on MedWatch/eMDR reporting. Although not much has changed in this final rule in regard either to required content, the submission process, or submission timelines, the FDA has taken a large step closer to mandating 21st century technology. The final rule states that all required adverse events are to be submitted electronically by August 14, 2015. The clock continues to tick…
Not sure if you’re handling this new reality properly? Well, here’s a quick way to find out.
Are you (or your management) making any of these statements:
“The FDA always delays, we will just wait and see.”
FDA has shown no indications of changing or extending this electronic submission requirement timeline. Their hardline stance is mostly due to the fact that electronic submissions of the MedWatch form via electronic means (through their ESG) has been available for many years on a voluntary basis. Numerous manufacturers have taken advantage of this technology over the last number of years to streamline adverse event reporting. Soon, the electronic submission process for these reports becomes mandatory.
“We don’t submit a lot of complaints, we will just wait until we have something to report.”
Maybe your company does not have many adverse events to report…maybe only once in a blue moon (great for you!). However, if you wait until a complaint occurs (after August 14, 2015), and the complaint results in a reportable event that requires submission, you are caught in a very dangerous game of Russian roulette. You see, an electronic account is required to be set up prior to an eMDR submission. FDA has previously stated that the setup of an account takes between two-to-six weeks (not counting the form completion process and ensuring all was filled out correctly). Now, depending on the adverse event, you will have between five to 30 days to officially submit it to the FDA, electronically. With a two to six-week wait on an account, you will be caught in a waiting game that in all likelihood will make you non-compliant. That’s not a good place to be.
Don’t get caught in this game where you are most likely going to lose. There are options available to do this submission electronically in a secure, managed, workflow driven environment.
“Ok, I’m convinced, what options do I have for submitting electronically?”
If you already submit your adverse events to the FDA electronically, there is nothing you need to change. However, if you do not and are still submitting via paper/PDF, now is the time to start investigating your options. Although the FDA provides the eSubmitter tool to help you submit the reports electronically, it does not integrate with your electronic quality management system, provide electronic signature approvals, a workflow process, KPI measurements, or the like. In many cases users will be required to re-key or copy/paste data from their original source. This error prone, non-integrated solution leaves much to be desired, but it does serve as a quick and easy way to submit the completed report.
A better, more integrated business model is available, however. AssurX, a leading EQMS provider, has for many years offered a low cost standalone eMDR electronic submission solution. Furthermore, it can optionally be fully integrated into a complaints management workflow solution for your business, providing electronic reviews and approvals, tracking tasks, generating email notification and escalations, as well as identifying trends and tracking key performance indicators for your business. Either of these AssurX solutions can be implemented on premise, or in a privately hosted “cloud” solution that allows you to implement more quickly and with lower start-up costs.
It’s time. Get started now.
After years of decline, the speed of FDA device approvals has finally begun to hit the gas pedal a bit, says an interesting new report from the California Healthcare Institute (CHI) and Boston Consulting Group (BCG).
In hindsight, it appears FDA hit a bottom in 2010 when approval times averaged a staggering four years longer in the US than Europe. Those delays, the report argues, kept proven, life-saving technologies from American patients unless they traveled abroad. Worse, there’s no evidence the FDA’s snail-like approach to approvals made products used in the US any more effective or safe.
Congress and the FDA came together in 2012 to try and find ways to implement, and fund, new policies designed to improve regulatory clarity, consistency and predictability. Industry agreed to pay significantly higher users fees to help make it happen. The new approach was collected in the Medical Device User Fee Amendments of 2012 (MDUFA III).
The verdict? “Real improvements are evident, yet there are still areas of concern.”
It’s worth noting that CHI and BCG applaud the Center for Devices and Radiological Health (CDRH) for working hard to “get processes, internally and with industry, back on track.”
There’s some good evidence out there to support industry optimism. Report data suggests that, after a 2010 nadir, the PMA classes of 2011 and 2012 will show the best overall review-time performance of the device user fee era. Early returns for 2013 show even further improvement, though the study cautions that there are simply too many products awaiting a decision to make rock-solid claims just yet.
If PMA is part of the good news, the weather report in 510(k) land is far less sunny. Review times in 2012 were 60 percent longer than 2000, say CHI and BCG. But unlike the relative success with PMAs, today’s 510(k) review times “continue to remain far higher, and processes are still viewed as less predictable, than during the pre-device user fee era,” according to the report, Taking the Pulse of Medical Device Regulation & Innovation.
Another disheartening finding: The lag between FDA approval and faster action in Europe hasn’t changed much so far. Europe’s regulatory environment continues to lure US medical technology business away. “Only time will tell if recent improvements at the FDA ultimately have any impact on this gap,” the report summarizes.
Back in my elementary school days, most teachers took great pains to encourage a student who was genuinely trying — even if the results were not always so great. Maybe we should give the FDA a hearty pat on the back instead of a kick in the rear. It just might work.
The Food and Drug Administration (FDA) reported that there have been over 240 user accounts setup in the agency’s Global Unique Identifier Database (“GUDID”) since the rule’s effectiveness date, and from those accounts there have been over 33,000 Device Identification numbers entered into the GUDID. This was identified as a very good start by agency personnel at the 6th Annual UDI conference this week in Baltimore.
The deadline for all Class III Medical Device manufacturers has now passed and the agency thanked those that have worked so hard to get in compliance by last month’s due date. It also shared updates and lessons learned over the last 13 months since the rule was finalized and released.
The clock now starts ticking for manufacturers (FDA uses the term “labelers”) of Class II devices that are implants, life sustaining or life supporting in nature. These labelers must complete their UDI implementation and enter their Device information into the FDA’s GUDID by September 24, 2015.
However, FDA said that the labelers of these Class II life sustaining/supporting devices will not be granted user accounts until January of 2015, at the earliest. This does not mean that this group of manufacturers should stand around doing nothing, though. There are many preparatory and investigatory activities that this group should begin actively moving forward on. Some of these activities include developing a project team, reviewing current labeling processes and artwork, identifying/obtaining a DUNS number (if one is not currently defined for the labeler), and most importantly, ensuring upper management is aware and fully supports the UDI initiative in their organization in order to drive internal commitment and resources.
Attendees also were informed that all other Class II devices must be in compliance by Sept 24, 2016, and all Class I devices by Sept 24, 2018. Unfortunately, if the current practice remains in effect, those labelers in these other two groups will not be given account access to do any submissions until late 2015 or early 2016. For now, the FDA will focus only on Class III and Class II implants/Life Sustaining/Life Supporting labelers.
Other topics during the conference included recaps of the UDI Rule and GUDID system. One interesting update: the FDA’s UDI web interface will no longer be made available to the public/healthcare workers for directly accessing and searching the GUDID for medical device information. FDA’s UDI group has recently partnered with the National Library of Medicine, and will be integrating the GUDID with the NLM’s online system for public searches, database downloads, and web service access of medical device information stored in the GUDID. This will reportedly be available 1st Quarter of 2015.
Although the first phase of UDI compliance with Class III labelers has been deemed successful, it was reported that there have been several dozen extensions provided to members of this group. However, the FDA hasn’t said if extensions will be granted to Class II or Class I labelers, as well. So, if you haven’t already, it is in your best interest to start your UDI project soon.
If you are interested in seeing a low-cost solution for UDI record management that provides electronic submissions to the GUDID, and integration to other quality processes, such as complaints management, please request a demonstration.
The FDA will focus more on a device maker’s overall approach to ensuring cybersecurity rather than burrowing down and kicking the tires on each individual risk mitigation program, FDAs Abiy Desta said at an agency webinar Oct. 29.
That’s not to stay the agency is lightening up on its quest to make industry take device cybersecurity seriously. Rather, it appears to be the FDA’s way of reminding device makers to focus first on addressing the overall big picture with a sound rationale and then apply it to any number of potential risks down the decision tree.
In its Oct. 2 guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” the agency laid out its basic requirements, though at today’s event the agency stressed it would accept other approaches — as long as their strategy was defensible.
That “alternate” approach must have controls in place, and be able to prove to the FDA that its program contains the proper response to those controls as outlined in the premarket submission.
Desta, Office of the Center Director at the Center for Devices and Radiological Health (CDRH), also urged industry to take advantage of the FDA’s posted consensus standards contained on page 7 of the Oct. 2 guidance. It’s available online. To use it, type “security” in the title search to find the current list of IT and medical device security consensus standards recognized by the FDA. It’s a handy reference.
He also outlined some of the core functions FDA wants to see addressed in a comprehensive cybersecurity program, including:
- Limiting access to trusted users by using layered privileges, appropriate authenticity, and strong passwords.
- Protecting users and data by terminating sessions after a period of inactivity, setting up physical locks, and limiting access ports.
- Detecting, responding and recovering by implementing features that tell a user if the device has been compromised, provide information on what to do when it occurs, implement features to preserve critical functions with the ability to reboot and recognize drivers, and provide methods for retention and recovery of device configuration.
- Establishing a hazard analysis program that clearly evaluates risk potential, provides information on control put in place and the appropriateness of those controls to mitigate an identified risk, and a matrix that links cybersecurity controls to the risk being mitigated.
Finally, the agency expects to be able to read a document that shows a plan to provide patches and updates as needed and that assures overall device integrity.
While FDA noted that cybersecurity is also the responsibilty of others in the chain including hospitals and patients, it made it clear that the first place it will look in the event of a breach is the device maker’s office.
Well, Halloween is approaching boys and girls. And while it’s fun to don a Dracula (or Miley Cyrus) costume and get some yucks faux scaring folks, the FDA is acting like a responsible parent by setting up a medical device cybersecurity educational seminar later this month in Arlington, VA. It appears to have filled up already, but a webcast recording will be made available.
Getting a tiny adrenalin rush when a nine-year-old Frankenstein jumps out at you in the dark is one thing; finding out some nineteen-year-old hacker has infiltrated your proprietary product and customer information isn’t the right kind of fright.
Seems like someone out there in the bureaucracy has a little sense of humor, because October is National Cybersecurity Awareness Month. FDA, along with the Department of Health and Human Services and the Department of Homeland Security, hope to bring together a wide swath of stakeholders, including medical device makers, to their Oct. 20-21 “Collaborative Approaches for Medical Device and Healthcare Cybersecurity.”
Participants will be encouraged to help regulators identify barriers to promoting medical device cybersecurity; discuss innovative strategies to address challenges that may jeopardize critical infrastructure; and enable proactive development of analytical tools, processes, and best practices by the stakeholder community in order to strengthen medical device cybersecurity. It’s shaping up to be a good agenda, but it’ll probably only be as strong as the attendees who show up to share war stories and discuss best practices with regulators and others.
Broadly speaking, the symposium hopes to help advance medical device cybersecurity by swapping information about the most current online threats, identifying gaps, advancing usage of the feds’ “Framework for Improving Critical Infrastructure Cybersecurity”, and developing tools and standards to build robust, comprehensive protection programs, among other areas of focus.
One of the topics will be the FDA’s new guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” released Oct. 2. That guidance provides some helpful definitions (helpful in the sense that this is how the FDA views the world), and what kind of cybersecurity protection program the agency expects from medical device makers and their kin.
Some say the threat of medical device security hacks has been hyped up a bit. I’m no expert there. But a report issued earlier this year from a cyber expert at SANS Institute (sponsored by cybersecurity vendor Norse), says some 94% of medical institutions report being victims of some type of cyberattack. This isn’t a report specifically about medical device makers, and I’m certain the vast majority of the attacks were relatively small and easy to thwart. Regardless, those numbers deserve some attention.
Hyped or not, I don’t imagine you’ll see an attendee at FDA’s event getting a jump on Halloween and showing up dressed as a sophisticated hacker, though. That’s just too scary.