December 1, 2015

FDA Warning Letters Hit Device Makers Over CAPA, MDR Failures

Michael Causey, Editor-in-Chief, Association of Clinical Research Professionals

Michael Causey, Editor-in-Chief,
Association of Clinical Research Professionals

It’s been a little while since we checked the FDA’s outgoing mail tray to find out what inspectors are looking for – and often finding – during their visits in the first half of 2015

We start with a rather hefty June 12 letter to AG Industries in St. Louis, hit for a number of alleged 820-related shortcomings, including:

  • Failure to promptly review, evaluate, and investigate complaints related to a Medical Device Report (MDR) review and file an MDR with the agency for what it deemed one of perhaps several “serious complaints.” FDA found AG’s response “inadequate” because the firm labeled the incident to be not life threatening, where the agency clearly has some doubts.
  • Failure to adequately validate according to established procedures for a process those results can’t be verified by additional testing.
  • Failure to adequately establish procedures for finished medical device acceptance.

FDA says about ten percent of the nearly 210 complaints the firm has received since early 2013 are still open. Specifically, it called out a complaint that AG received in August 2013.

Note: Throughout the letter FDA says AG’s characterization of its CAPA problem as minor “appears inappropriate.”

fancyFDAlogoInsulin Management System manufacturer Insulet Corporation had a relatively easier time of it in a June 5 letter. FDA hit the firm for devices it alleges are adulterated because the methods used in, or controls of, the manufacture, packing, storage, or installation don’t meet FDA good manufacturing practice (cGMP) requirements of its Quality System regulation.

FDA fired back that the firms April 16 response was not adequate and advised the firm that “regulatory action” could be initiated without further notice unless the Massachusetts-based firm takes prompt action to correct violations FDA alleges in the warning letter.

In New Jersey, FDA called out Ultrafiler-maker Nephros for alleged failure to document evaluation of its suppliers. Like Insulet, the firm was also criticized in the May 27 letter for not including required info of complaint investigations.

Bothell, Washington-based Thorn Dental Laboratory LLC was challenged in a June 2 letter of a number of CAPA-related fronts, including:

  • An inability to produce CAPA procedures for review during the inspectors’ series of inspections in February.
  • Failure to establish and maintain procedures for receiving, reviewing, and evaluating complaints by a formally designated unit.
  • Failure to establish and maintain procedures to ensure that all purchased or otherwise received product and services conformed to specific requirements such as failing to maintain adequate documentation of suppliers, contractors and consultants.
  • Failure to establish and maintain procedures for finished device acceptance.
  • Misbranding its anti-snoring/sleep apnea devices.

Our final letter in this go ‘round’s review focused on Irvine, California-based Insightra Medical, maker of catheters and hernia implants. The agency said the firm’s devices are adulterated because Insightra failed to control its facilities in terms of manufacture, packing, storage, or installation.

Insightra was hit with a number of MDR shortcomings, including failure to establish internal systems that provide for “timely transmission” of complete medical device reports.


Medical Device Makers Express Optimism About Future — But QA Worries About US Regulatory Burden

Michael Causey, Editor-in-Chief, Association of Clinical Research Professionals

Michael Causey, Editor-in-Chief,
Association of Clinical Research Professionals

Crystal may be clear, but crystal balls, at least metaphorically, are certainly not. The late, great political columnist David Broder with The Washington Post used to run a column at the end of the year tallying up where he had guessed correctly – and where he’d missed the mark. Not many columnists have the guts to do that.

A survey taken earlier this year found that some 75% of more than 5,000 medical device professionals felt “very or somewhat positive” about business prospects for 2015. Those numbers are pretty much in line with the findings of the 2014 survey, conducted by our friends at The Emergo Group.

Taking a closer look at the 2015 numbers, it’s clear that domestic device makers feel better about their prospects than do counterparts in the EU – and this was before Greece really started to tank.

Casting eyes around the globe, it turns out device makers in Asia were even more optimistic than those in America. Still, confidence among Asian device makers fell to 77% in 2015, from 83% in 2014. It’s interesting to note that, even then, concerns about a slowing Chinese economy don’t reflect an increasing edginess about the state of things in the world’s most populous nation.

X-ray of hipIn the U.S., smaller companies actually felt a bit more optimistic than their big brothers and sisters. But mid-size and big shops were a little less thrilled about the future, likely due to “regulatory and pricing pressures,” Emergo notes.

The study burrowed down to quiz more than 2,000 QA/RA professionals for their thoughts on current and prospective regulatory trends. Just over one-third of American respondents said they expect the process of gaining regulatory approval will be tougher than it was a year ago. The study says about 3.5% think the regulatory process is getting easier, though I’ve personally never found or spoken to any of those people!

Not surprisingly, the QA/RA pros in the U.S. said their country was one of the toughest when it comes to regulatory approval. Even the FDA sometimes acknowledges that, as we noted in an earlier blog when FDA’s Center for Devices and Radiological Health Jeffrey Shuren noted the agency is sensitive to this and trying to make some pro-industry changes.

We’ll check back with Emergo – and Shuren – later in the year. Let’s see if we can find some of that Broder confidence where folks circle back and reassess their predictions.


Study: FDA 510(k) Approval Process Now Averages Over Six Months

Michael Causey, Editor-in-Chief, Association of Clinical Research Professionals

Michael Causey, Editor-in-Chief,
Association of Clinical Research Professionals

If you’ve got six months – and nerves of steel – here’s some good news: You have a 61% percent chance of getting your medical device approved by the FDA. That’s one nugget of interesting data to be found in a recent Emergo group report that analyzed some 15,000 device clearances between January 2010 and December 2014.

We’ve blogged about this quite a lot over the past four years or so, and it looks to be another case of the more things change the more they stay the same. Back in June 2011, we reported on an Emergo study which found that in 2006 it took about 96 days to get clearance. By 2010 that number had leapt to 132. Today, Emergo reports that “it now averages about six months.” Blame for this trend is slung around between industry and regulators – each time FDA says it’s made a big step forward, industry tends to toss these kind of stats back in the agency’s face.

FDA can’t exactly point to any kind of consistent improvement. It approved 3,173 devices working their way through the 510(k) maze in 2014, which was up nearly 5% from 2013, but pretty much in line with 2011 and 2012. Check back in a year or two to see if 2014 was the start of a positive trend.


Radiological and Orthopedic devices are usually the fleetest of foot in the race for approval, averaging about 140 days last year, that’s up from 135 in 2013. Overall, about 22% of devices are cleared within three months.

The study also finds that third party reviewers tend to work more quickly than internal agency reviewers. While not all devices qualify for this program, think about grabbing it if you can. Your device might clear in 68 days, on average, or more than 110 days faster than with an internal FDA reviewer.

Note: FDA doesn’t release data about submissions rejected, withdrawn or abandoned by the submitter. Emergo’s analysis doesn’t include devices subject to the Pre-Market Approval (PMA) process.

So, still trying to figure out how your new medical device might fare in today’s FDA climate?

A fun new tool from Emergo just might sweep aside some of the fog. Simply plug in (or look up) your device product code, then sit back and let the tool tell you an estimate approval time based on similar products that have gone through – and survived – the process.

Unfortunately, you probably don’t need any kind of online tool to tell you one thing: The FDA’s 510(k) approval process keeps getting slower and slower and slower…


FDA Moves UDI Initiative Further Down the Production Line

Michael Causey, Editor-in-Chief, Association of Clinical Research Professionals

Michael Causey, Editor-in-Chief,
Association of Clinical Research Professionals

We, and others, like to take the FDA to task for missing deadlines or behaving in ways that are sometimes difficult to fathom. But it’s only fair to give equal space to something when they seem to get it right. Take the Agency’s Unique Device Identification System (UDI).

Readers of this blog might have different experiences with it – and we’d like to hear about them, good or bad – but you’ve got to tip your hat to FDA because they’re trying to get it right.

Last month, FDA launched the Global Unique Device Identification Database (GUDID), a searchable website containing a listing of all UDIs. Expectations, both from industry and the agency, are high for this system implemented to simplify the identification of many regulated medical devices used by patients in the United States.

GUDIDThe complex infrastructure, which will be phased in over several years marked by a variety of deadlines that began in 2014 and are slated to wrap up in 2020, offers a number of potential benefits, including:

  • Speeding and improving the accuracy of the reporting, reviewing and analyzing of an adverse event.
  • A quicker means to identify a device and extract important information about it.
  • Enhancing analysis of devices on the market by providing a standard and clear way to document device use in electronic health records, clinical information systems, claim data sources and registries. A more robust postmarket surveillance system can also be leveraged to support premarket approval or clearance of new devices and new uses of currently marketed devices.

Ultimately FDA hopes its UDI can become a worldwide model, too.

It’s worth noting that FDA’s former point man for the initiative, Jay Crowley, continues to lead the bandwagon now that he’s ensconced in private practice with USDM Life Sciences. He’s led a number of webinars and given a number of talks that make a persuasive case for the positive impact UDI will have on the device industry. Sometimes, a former FDAer spends the next ten years of his or her career criticizing the very program they led. Not the case with Crowley and that bodes well for UDI.


Large Utilities Power Up with AssurX Enterprise GRC Solution

Tamar June

Tamar June, VP, Strategic Marketing, AssurX, Inc.

Increasingly complicated, and disparate, regulatory requirements and a demand for improved compliance management were driving forces for two major utility companies to find stronger enterprise governance, risk, and compliance (GRC) solutions, says a new report from Blue Hill Research.

The white paper, “Anatomy of a Decision,” looks at the search conducted by two utilities with nearly a million customers spread over multiple states. Subject to strict regulatory requirements from the North American Electric Reliability Corporation (NERC) and the Federal Energy Regulatory Commission (FERC), the size and distribution challenges are daunting, Blue Hill says. It’s arguably even tougher for one of the firms: it has fifty member entities  that must address more than a dozen different sets of requirements.

If one of the GRC carrots is increased efficiency and a stronger competitive posture in the marketplace, one of the sticks is serious regulatory fines for non-compliance. A utility can face $1 million/day fines per violation. That means testing and certification must be robust and demonstrable to meet compliance requirements.

BlueHill-AssurX-GRC-1In the Blue Hill report, two utilities kicked the tires of several solution providers during an extensive search, including IBM OpenPages, Oracle, and AssurX. The respective searches drilled down to six key factors:

  • Depth of understanding of business and regulatory requirements

  • Adaptability and configurability of the solution

  • Vendor’s willingness  to partner with customers

  • Amount of process change required by the implementation

  • Functionality included within the solution

  • Responsiveness and quality of customer support

Both utilities reported going with AssurX, in part, because “they concluded that the provider demonstrated deeper understanding of unique requirements and business operations” facing them compared to other vendors. In addition, the utilities tapped AssurX because of its “deeper out-of-the-box fit to existing processes and ease of configuration.”

For more information on the search and how the AssurX solution is positively impacting utility companies, request a copy of the full report here.


Congress Crawls Out of 20th Century to Push Bi-partisan ‘Cures’ Legislation

Michael Causey, Editor & Publisher,

Michael Causey, Editor & Publisher,

Just when we’d all decided Washington lawmakers couldn’t do much more than enjoy their own excellent health insurance coverage, tasty bean soup in the Senate cafeteria, and the best parking on Capitol Hill, it turns out they might actually unite to accomplish something pretty big after all.

It’s called the 21st Century Cures Act and its got a lot of device and drug makers excited. It’s been under development since April 2014. Amazingly, the version Congress released recently is almost 50% shorter than the earlier draft. In a city full of bureaucrats who write memos about memos, that’s a pretty incredible feat.

Fresh off a May 15 Congressional vote moving the law closer to passage, Mark Leahey, President and CEO of the Medical Device Manufacturers Association (MDMA), praised Subcommittee Chairman Joe Pitts and Ranking Member Gene Green for their bipartisan work “recognizing the importance of medical technology innovation in answering the pressing challenges facing America’s health care ecosystem.”

Joining AdvaMed, among others, Leahy applauded legislation he says “provides substantive proposals to improve the regulatory process, while addressing ongoing challenges in obtaining adequate reimbursement for the cures and treatments that patients need.”

Among a myriad of potential changes, the Act would clarify the standardization of eligibility information in, and spur the Department of Health and Human Services to forge ahead with additional public/private partnerships with grants to promote patient advocacy groups and research of disease causes, especially for rare diseases.

SixGroupsAccording to the folks at Hyman, Phelps and McNamara, the new version is broader in terms of Qualification of Drug Development Tools. For example, “it now addresses biomarkers, surrogate endpoints, and other drug development tools; the first discussion draft focused primarily on surrogate endpoints,” reports the firm’s Law Blog. “On the other hand, it is narrower because it does not affect devices. The section also removes many of the formal procedures and timelines from the first discussion draft and provides FDA with more discretion in the development of the program.”

There’s still a lot to dissect from the Act, and, while passage appears likely, some provisions could still be tweaked or cut entirely. But one this is clear: Congress is probably going to shock a lot of us by actually pulling together a relatively bi-partisan piece of legislation and placing it on President Obama’s desk before the end of the year.

Who’d have thought, right? Now, maybe these distinguished men and women can take a hard look at our nation’s infrastructure, tax code, and maybe a few dozen other issues that would also benefit from some good, old-fashioned bipartisan discourse.


Avoid Common Medical Device Software Development Life Cycle, IEC 62304 Pitfalls

Russ King, Managing Partner, Methodsense

Russ King, Managing Partner, Methodsense

IEC 62304, the international standard that defines software development lifecycle requirements for medical device software, was developed from the perspective that product testing alone is insufficient to ensure patient safety. It provides a common framework for medical device manufacturers to develop software components. Conformance with this standard demonstrates that there is a software development process in place that fulfills the requirements of the Medical Device Directive.

If your medical device has software that regulates its functionality in a way that contributes to Basic Safety or Essential Performance, then you will need to comply with IEC 62304. This standard requires all aspects of the Software Development Life Cycle (SDLC) to be appropriately managed to ensure patient safety, including:

  • Development and code reviews
  • Risk management
  • Configuration management
  • Incident and bug resolution
  • Validation
  • Maintenance

dnachainThe most common mistake medical device manufacturers make is failing to assess which elements of risk their software mitigates. These are the elements that must be addressed by IEC 62304. For example, what would happen if the creator of a hoist didn’t properly vet the software that signaled the hoist to lower the patient at a certain speed? If a patient were lowered too quickly – or not at all – there would be a risk management nightmare. Since software plays a role in the Basic Safety functions of the hoist, it must comply with 62304’s requirements.

Common software functionality manufacturers fail to recognize as IEC 62304 compliance issues include:

  • Alarms and Alerts often an Essential Performance requirement because they are intended to detect abnormalities
  • Speed & Position Sensors use of software to limit range of motion, speed and force, which are Basic Safety concerns
  • Algorithms remove the software and the device is no longer able to operate as intended, resulting in the algorithms being part of Essential Performance 

It is critical to have clearly defined processes for your company and your Software Development Life Cycle, in particular. IEC 62304 identifies several expectations related to the information that should be included in your SDLC procedures, including:

  • Documentation of your process – document management is essential for meeting compliance goals
  • Software of Unknown Pedigree (SOUP) – manage your SOUP appropriately
  • Document Development – make certain you are sufficiently resourced to support document development needs
  • Version Control & Updates – clearly define software updates and how software will be maintained in a validated state.

Medical device manufacturers frequently seek 3rd party software development assistance. However, the manufacturer remains responsible for the device software. Important areas to consider when contracting out your software development include:

  • Supplier Management Processconfirm that your software vendor complies with IEC 62304 and their processes are reviewed during vendor audit
  • Quality Agreement – confirm that:
    • It defines vendor responsibilities and IEC 62304 Deliverables
    • Vendor procedures used for software development will be provided to you and the test lab for review
  • Establish your SDLC – at minimum, your process will define acceptance criteria (i.e. IEC 62304 compliance and deliverables) from your vendor

Once you know you must comply with IEC 62304, how do you go about preparing? To start, know that compliance with this standard is defined as implementing all of the processes, activities and tasks identified in the standard in accordance with the software safety class. 62304 itself does not prescribe a particular organizational structure or specific format for documentation. Compliance is determined by a review of all required documentation, including the risk management file.

IEC 62304 file will be reviewed to ensure:

  • It contains all required documentation including a risk management file
  • Procedures meet the requirements of the standard
  • Each check list item is satisfied
  • A product review is conducted and further a review of the relevant software segments if it has been decided that the software performs Basic Safety or Essential Performance for your device

If you get caught in any of the above-mentioned pitfalls, you’ve probably got a problem. You will either not receive a report at all, or will receive a report that says you failed somewhere in IEC 60601-1 or IEC 62304.

Because the standards are voluntary in the US, you don’t necessarily have to make product changes. However, for each “fail,” you will be required to provide justification for each deviation. If you have valid justification, your device should still attain regulatory approval from the FDA, although developing this justification can be a lengthy process in itself. In the end, though, you may find it more efficient to comply with IEC 62304.

Download your IEC 62304 action list here. 

Russ King is President of Methodsense, a consulting firm that helps clients deliver medical and technological breakthroughs by effectively meeting the requirements needed to bring their products to market. He can be reached at (919) 313-3962 or


FDA FastStats: CDRH Shows Significant Growth in Electronic Submissions; Deadline Looming for eMDR

No more paper. That’s what the FDA requires from the medical device community starting August 14, 2015 with regards to electronic medical device reporting (eMDR). With the draft guidance initially introduced in 2009, and the final rule released in 2014, medical device manufacturers have a little over three months to comply. In the infographic shown below, CDRH submissions overall have dramatically increased through the years. Back in 2006, only 1,575 records were submitted electronically by CDRH to FDA. At year end 2014, electronic submissions to CDRH had reached a record high of 812,443 and are expected to continue to rise going forward.




FDA’s Action Plan Demands Some Industry Action, Too

Patrick Stone

Patrick Stone, President, TradeStoneQA

“The following Pharmaceuticals FY 2015 Action Plan (the Action Plan), developed by the Office of Regulatory Affairs (ORA), the Center for Drug Evaluation and Research (CDER), and the Center for Veterinary Medicine (CVM), is intended to facilitate operational and program alignment as FDA transitions to distinct commodity-based and vertically-integrated regulatory programs with well-defined leads, coherent policy and strategy development, and well-designed and coordinated implementation.

That’s the FDA’s plain Jane version of its 2015 Action Plan. But let’s look at some interesting wrinkles not necessarily contained in the document.

The Pharmaceuticals Inspectorate will change the way FDA inspectors conducts audits and how many audits will be conducted in a years’ time. There are some interesting things to note here: First, the Center for Biologics (CBER) is noticeably not included in this reorganization effort. Second, district offices will not be at the helm when it comes to which drug firms get inspected and how compliance OAI & VAI cases are handled. Third, CDER will be assuming the lead role and Center compliance teams will be responsible for industry corrective action plans.

prescription drugsTraditionally, the district compliance team for the drug company took the lead role in compliance strategy and remediation. But now, the inspectors conducting drug audits will be dedicated and certified to conduct inspections. This will reduce errors and enhance the quality of inspections domestically and internationally. This will also increase the number of observations (483 notice of observations), warning letters, and consent decrees.

When a generalist inspector conducts a drug audit they may miss a system wide failure or process control deviation due to a lack of training. By contrast, when a professional team of inspectors with dedicated drug training for a drug firms system conduct an audit, those same compliance issues are not usually missed. This is a positive step in the right direction however building the new drug teams and training them accordingly will take years.

Quality by design (QbD) implementation is looming so this will also affect the training requirements from a system based approach to a QbD approach.

Don’t be caught off-guard by this new way of doing things. The FDA is making some changes here, and regulated firms need to make sure they understand them.

Patrick Stone is the author of Bubble Gum Badge – An FDA His-Story. You can also follow him on Twitter.


FDA Plays Catch Up In Brave New World of Electronic Consent

Michael Causey, Editor & Publisher,

Michael Causey, Editor & Publisher,

Informed consent (IC) is more than getting a quick signature from a clinical trial participant, the FDA gently reminds industry in a new guidance addressing increasingly complicated electronic IC (eIC) issues. Issued almost simultaneously with Apple’s new ResearchKit tool which promises faster, cheaper access to potential trial participants, and unimagined data streams to boot, the guidance comes at an important time for the clinical trial world.

Never accused of being early adopters of technology, clinical trial folks need to heed the FDA’s new guidance. Used properly, it can serve as something of a roadmap as everyone veers into previously unchartered territory.

First, understand the FDA’s expectations as laid out in the new guidance. It expects subjects to receive enough information to allow for an informed decision and an easy way to ask questions and receive jargon-free answers.

When using an eIC, FDA requires it to contain all elements of traditional IC, but also that any interactive eIC program be easy to navigate, including the means for the subject to stop and return to it later. Further, eIC tools must meet any subject’s physical limitations, e.g. poor vision or impaired motor skills. Perhaps most importantly, the eIC “must be presented in a manner that minimizes the possibility of coercion or undue influence regarding the subject’s decision to participate in a study.

FDAlogoFDA requires an investigator to obtain the informed consent. However, if the investigator delegates the responsibility, it is their obligation to hire a surrogate with demonstrable credentials. Nothing new there. But it gets a little more complicated when it comes to eIC. For example, consent can be handled remotely. However, when the consent process is not personally witnessed by study personnel, the eIC should include a method to ensure that the person giving consent is the person participating, or the subject’s legally authorized representative. The subject must also have the opportunity to ask questions and receive answers before actually signing electronically.

A subjects’ questions can be answered in a number of ways, including text message, phone calls, and videoconferencing. The data and communications must be secure. Subjects should also be told in advance how and when they will receive answers to questions and given information on how to contact an appropriate individual with questions about the investigation, the subjects’ rights and whom to contact in the event that a research-related injury occurs.

FDA also issues some eIC direction to IRBs. “A critical part” of an IRBs responsibility is to ensure that there is an adequate informed consent process in place that protects the rights and welfare of subjects participating in clinical investigations. Further, the agency recommends, but does not outright require, that an investigator discuss plans for using eIC with the IRB before finalizing development of the eIC to ensure that the IRB agrees that a particular format may be used for obtaining informed consent.

The FDA remains neutral when it comes to archiving documents. That said, the agency does weigh in on “cloud” and other remote storage solutions. Data privacy laws and regulations that apply to the remote site, in addition to those that apply to the research site itself, “may apply and should be considered.”

Finally, the agency reminds us that when one of its cheerful investigators is waiting in your lobby, he or she will be expecting access to records and reports made by the investigator including site-specific versions of eICs, materials submitted to IRBs for review and approval, all amendments to the site-specific eICs, and all subject-specific signed eICs. Any updates to the documentation must also be available for review.

Comments on the guidance are due May 8. When submitting your input, refer to docket no. FDA-2015-D-0390