regulatory and quality system professionals | 919.313.3960
Accessory or Component and the FDA – The Fine Line Between Them

Accessory or Component and the FDA – The Fine Line Between Them

Determining if your product or innovation should be considered a component or an accessory is a critical early-life cycle inflection point. In fact, the distinction between the two terms has long been the subject of debate and interpretation. In August 2017, the FDA began a new effort to classify a “list of [medical device] accessories that the Agency believes are suitable for distinct classification into class I.”  However, this effort lead to even more questions and less understanding between the classification designations and the actual device. Let’s try to break this down to help with the clarification process: What does the FDA consider an accessory versus a component?An accessory is intended to support, supplement, and/or augment the performance of one or more devices, often called “parent devices”. It is considered a finished device—meaning it is ready for use or capable of functioning.A component (in 21CFR 820.3) is defined as “…any raw material, substance, piece, part, software, firmware, labeling or assembly which is intended to be included as part of the finished, packaged and labeled device.” In other words, it would serve no direct medical purpose by itself, in the form that you deliver, and you are not selling directly to patients/end users/health care providers.21CFR 807.65(a) explicitly exempts “a manufacturer of raw materials or components to be used in the manufacture or assembly of a device…”  This means the parts or sub-components that go into make a device are exempt from Registration. The creator of the final device bears the burden of Registration. Let’s talk about some possible scenarios where this designation is important. Company A makes sensors that are incorporated into a finished blood...
5 Questions to Evaluate your Records v. Documents Management Practices

5 Questions to Evaluate your Records v. Documents Management Practices

Documents, documents everywhere.  But which are the records, which are documents—what is the difference and why does it matter? Even start-up medical device companies are neck deep in documentation.  In addition to documents generated during the creation and production of a product or combination device, additional documentation is generated while working with the FDA Q-Subs, submissions, and Quality System Regulations. No question about it, it’s daunting….and often misunderstood.  One common confusion we hear frequently is the difference between a “document” and a “record”, and how each should be managed.  Keep reading for insights into the difference between the two and best practices to help you manage each. 1. Documents vs. Records:  What’s the Difference? In short, records are a subset of documents. More specifically: Document: For a medical device company, a Document satisfies a regulatory need or requirement and is most often called a “Controlled Document.”   A Controlled Document is a reference document, which through the course of its lifecycle may be reviewed, modified and distributed several times. Controlled Documents may include documents and information for public disclosure including, but not limited to, marketing, sales and promotional materials, training materials, clinical and technical information, labeling, and product related documents such as manufacturing procedures. Record:  For a medical device company a Record is a document created to demonstrate both quality system conformance to specified requirements and the effective operation of the Quality Management System (e.g. Change Requests, CAPAs, etc.).  They are documents that provide objective evidence of activity performed, or results achieved, during the design, development and production of regulated product(s). This can include verification, validation data sheets, DHR records,...
Cybersecurity’s Impact on Health Systems

Cybersecurity’s Impact on Health Systems

We are currently seeing significant technological advances in medical devices, hospital networks and patient care. As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect a device’s performance, functionality and safety to the patient. In recent years, researchers have demonstrated the potential threat of medical device and healthcare system hacking. They have been able to tamper with pacemakers, insulin pumps and other devices, which, if hacked, could cause serious harm, including death, to a patient. Recently, the FDA identified cybersecurity vulnerabilities in St. Jude Medical’s implantable cardiac devices and the corresponding Merlin@home Transmitter. These vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. While no patients were harmed, this serves as a warning that similar devices containing configurable embedded computer systems can be vulnerable to cybersecurity intrusions and exploits, as well. To address these technological risks, in December 2016, the FDA finalized the guidance, “Postmarket Management of Cybersecurity in Medical Devices.” In reference to the guidance, Suzanne B. Schwartz, M.D., M.B.A., FDA’s Associate Director for Science and Strategic Partnerships, at the Center for Devices and Radiological Health stated that, “manufacturers should build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats, and then they should continuously monitor and address cybersecurity concerns once the device is on the market and being used by patients.” The new guidance...
What Happens When the FDA says, “I don’t know”

What Happens When the FDA says, “I don’t know”

The FDA is now trying to track what it’s calling “emerging safety signals.” Recently, a study found a possible link between reduced leaflet mobility in TAVRs and the incidence of stroke in the fall. When people turned to the FDA looking for insight, the agency responded with, “Limited available data do not allow us to fully characterize the causes, incidence, and short- and long-term risks of reduced valve leaflet motion, or to recommend appropriate treatment.” This basically equates to the FDA saying, “I don’t know.” The FDA has recently released a guidance, which will formalize its practice on notifying the public of situations when the agency is monitoring risks that have not yet been fully validated, and therefore, do not have FDA recommendations. Historically, the FDA has communicated important medical device post-market information after having analyzed available data and, in most cases, after having reached decision about relevant recommendations and about whether or not further regulatory action is warranted. According to the guidance, timely communication about emerging signals is intended to provide health care providers, patients, and consumers access to the most current information concerning the benefits and risks of marketed medical devices so they can make informed treatment choices based on all available information. Such communication may also reduce or limit the number of patients exposed to the potential risk while the issue is being further evaluated. Considerations for Determining FDA Public Notification will include: Seriousness of the adverse event(s) relative to the known benefits of the device Magnitude of the risk (e.g., likelihood of occurrence) Magnitude of the benefit Strength of the evidence of a causal relationship...
Colliding Cultures: Software Development and the Medical Device Industry

Colliding Cultures: Software Development and the Medical Device Industry

Part 1 – Medical Device Software, the FDA and the US Congress Preface: In any given 2-week period, an average of 15% to 20% of the applications on my smartphone have new versions to fix software bugs. Others I speak with experience similar statistics. And, that doesn’t include how often my smartphone software crashes while executing tasks it was intended to perform. We don’t complain about it. Instead, we accept this state of constant, almost continuous, software revision to fix bugs as a matter of “how things are.” We have come to terms with the fact that the normal state of software is for it to be broken, in need of repair and “acceptably” functional, while simultaneously defective. One might think, given the prevalence and importance of software, we would reject software disrepair as normal – especially for critical applications that impact safety. But, the evidence suggests otherwise. If you perform a search on the FDA Medical Device Recall Database from January 1, 2013 to August 14, 2015, you will see 500 device recalls reported. This is the maximum number of rows the FDA report supports in a single query (meaning more than 500 devices were recalled). Enter the keyword “software” into the search, and the query returns 344 recalls due to medical device software. Reviewing randomly through these notices confirms that software issues played an instrumental – or the only – role in the recalls. And, all but nine are Class I or Class II recalls in response to a risk of temporary or serious adverse health consequences due to software problems. Is software so difficult and challenging...
Cybersecurity – A Real Threat to Medical Devices

Cybersecurity – A Real Threat to Medical Devices

The FDA is Taking Notice of Medical Device Cybersecurity The FDA just issued a Safety Communication on cybersecurity vulnerabilities of the Hospira Symbiq Infusion System. The Hospira Symbiq Infusion System is a computerized pump designed for the continuous delivery of general infusion therapy for a broad patient population. The pump is mostly used in hospitals, or other acute and non-acute health care facilities, such as nursing homes and outpatient care centers. This infusion system can communicate with a Hospital Information System (HIS) via a wired or wireless connection over facility network infrastructures. Unfortunately, it appears that it’s possible to access this pump remotely through a network, allowing unauthorized users to control the pump and change the dosage it delivers. This can potentially harm the patient. While it doesn’t appear that any unauthorized access occurred with this particular product, and Hospira is no longer selling this product, cybersecurity is still a real concern. It will be critical for manufacturers to implement appropriate safeguards now that more and more devices are connecting remotely to healthcare networks. In June 2013, the FDA outlined good practices to follow in Cybersecurity for Medical Devices and Hospital Networks. In this communication, the FDA recommends that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack. These attacks could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks. As products rely more heavily on networked communication, medical device cybersecurity is going to become an even greater concern....