---
title: "Inside the FDA Regulatory Process"
type: white-paper
publisher: Ketryx
source: "https://www.ketryx.com/assets/inside-the-fda-regulatory-process"
content: text extracted from PDF (layout/tables/figures not preserved)
---

# Inside the FDA Regulatory Process

*Source: [https://www.ketryx.com/assets/inside-the-fda-regulatory-process](https://www.ketryx.com/assets/inside-the-fda-regulatory-process)*

---

Inside the FDA Regulatory Process Brochure

Former FDA Software Systems Safety Expert, Paul Jones, Shares His Insights Understanding the background and motivating factors for FDA’s Center for Devices and Radiological Health (CDRH) and the Office of Regulatory Affairs personnel will help you get a better understanding of how to prepare submissions, as well as what type of documentation you need in the event of an audit. FDA works to assure that medical devices placed on the market are safe and effective for their intended use. Recognizing that problems can develop post-market, FDA expects manufacturers to promptly address them. Their regulatory authority and oversight, written into law, is based on the premise that, through a Quality System, companies can consistently produce a quality product. Broadly, regulatory personnel within FDA are comprised of: ketryx.com 1 Personnel who review device submissions and authorize (or not) their placement on the market. Their focus is on device clinical evidence, safety, security, and performance. Personnel who inspect manufacturer facilities to assure that quality systems are in place to manage device development, production, distribution, and postmarket surveillance. Personnel who deal with manufacturers that are not in compliance with the regulations. Reviewers Inspectors (auditors) Compliance officers Note: FDA has many Centers of responsibility (Medical Devices, Drugs, Biologics, etc.). The reference to FDA here refers to the Medical Devices portion of FDA. Similarly, Inspectors (auditors) are independent of the different Centers and considered a separate entity within FDA (Office of Regulatory Affairs or ORA). FDA “auditors” like to be called “inspectors” because that term more closely defines what they do. For this document we will use the term “auditor.”

ketryx.com 2 What type of background do FDA Reviewers have? How are the Reviewers trained? How are the Auditors trained? FDA Reviewers comprise PhD Biomedical Engineers with a small mix of other engineering disciplines such as Electrical, Mechanical, Chemical, Industrial, Nursing, and Radiation Physicists. They usually come from different industry sectors, with varying backgrounds and experience levels. Reviewers are trained in-house on the regulations, FDA policy with senior mentors, and clinical safety issues for particular devices and devices with similar safety considerations. Auditors are trained in-house on FDA regulations and policies, including field work with senior mentors, and how to perform inspections. FDA Submission What are three elements that will likely result in a successful submission the first time around? 1. Provide the material requested in relevant FDA Guidance documents 2. Provide clinical data justified by unequivocal validated results 3. Provide quality design control documentation developed within a quality system What type of background do FDA Auditors have? FDA Auditors are typically non-engineers with a variety of backgrounds and experience, including biology, math, and chemistry.

ketryx.com 3 What are some of the most common areas of poor design controls that you’ve seen during your time at the FDA? What makes software so hard to review for a submission? • Lack of traceability among design details in documents • Lack of traceability between risk control measures and design documents • Lack of traceability between verification & validation specifications • No test case status (pass, fail) • Multiple risk analysis methods aren’t used • Weak security analysis • Weak safety analysis • Inadequate architecture information • Weak design requirement, specification properties • Poor descriptions of product (system) platforms • There is limited visibility into the QMS of the manufacturer • Software composition can be extremely complex—even in small systems • There is a growing reliance on SOUP/OTS products on which the device software is dependent, which can open up the software to safety issues and security vulnerabilities. • The Reviewer usually has around two weeks to understand what the manufacturer may have spent years building, i.e., short review times • You seldom know how comprehensive the V&V is, including metrics, such as coverage, MCDC 1 testing, etc. • Software has no physical properties to measure, i.e., weight, temperature, length, etc., so you’re forced to rely on documentation from a design control process. 1 MCDC stands for “Modified Condition/Decision Coverage and is used in software testing to test highly critical systems such as aerospace software.

ketryx.com 4 FDA Audit What are some of the best practices you’ve seen companies employ to ensure ongoing compliance with FDA regulations? What is the most common reason for an audit? And, what are some of the most common mistakes companies make during an FDA audit? They employ methods for uniquely identifying documents and their contents that facilitate traceability between the documents. They also have a good Configuration Management system using unique identifiers that support building products with the right components in the right baselines and right releases. They also have strong CAPA systems to manage changes internally and from the post-market environment. Many follow best practices for developing software, e.g., safe coding practices, use of static analysis, and proper interfaces to SOUP components. Usually, audits are performed routinely in local regions to make sure the quality systems aren’t going out of “spec.” An auditor might revisit a company once every year or so. Reasons for an audit include: • Routine audit: Audits conducted on some periodic basis; annually, every few years, etc. • Audit pre-post submission: Audit is performed before a device is authorized for sale on the market or after being allowed on the market. • Investigational audit: A serious accident has occurred. The most common mistake manufacturers make is not following up on problems or complaints in a timely manner or failing to follow their own SOPs.

ketryx.com 5 What are some of the most important things to keep in mind during an FDA audit? What documentation is typically requested during an FDA audit and how can a company ensure that it has all the necessary documentation in place? • If the auditor is performing a “routine” inspection and your personnel are following the company QA SOPs, just provide the auditor the information requested as quickly as possible. Don’t offer information not asked for as you could open yourself up to additional areas of inspection. • Expect the auditor to look at your problem reports and how they have been handled; in particular, the auditor may look for trends if there are a lot of reports. • Even if the auditor finds compliance issues, they will provide the specific issues that are out of compliance. Subsequently, they will work with you to get back into compliance. It’s generally not the end of the world if they find something and your business can continue operating normally. • If the auditor finds serious QA issues you can still work with them to develop a corrective action plan and execute the plan in a timely manner. • The auditor isn’t at your facility with the intent of shutting you down. They just want to see if your QMS is performing in the manner described in the QMS documentation. The documentation depends on the nature of the audit. For example, • Routine audit: The auditor will want to see issue/problem trending information and how this is being resolved. This information should be available via the QMS Corrective Action / Preventative Action (CAPA) process. • Premarket submission audit: The auditor will want to see the QA plan and associated SOPs and evidence that the SOPs are being followed. The best way to ensure that the necessary documentation is in place is by using relevant international standards as a framework for their QMS. • Investigational audit: The auditor will be looking for reasons why a product caused serious injuries or death, and why there has been an inadequate response to FDA communications on the matter. In this case, the auditor will be going through problem/complaint reports with a “fine tooth comb” , looking at trends, and how the problems/complaints were resolved, root causes; and/or if there was no action or inadequate corrective actions taken.

ketryx.com 6 What is the biggest misconception about the type of documentation you provide an Auditor? How can a company effectively communicate with the FDA during an audit? What are the biggest challenges with FDA auditing a manufacturer’s production system or production quality system? How is FDA auditing changing? How can a company ensure that it is staying up-to-date with changes in FDA regulations and guidelines? That a manufacturer can get by with weak, unconnected QA plans, SOPs, and Problem/ Complaint documentation. (Ultimately, one’s own QA documentation may result in market access denial or even removal.) Give the auditor what they ask for. At the close of the audit the auditor will provide a summary of their findings and contact information for how to resolve specified issues, if any. The manufacturer must validate both the production system and the production quality system. The biggest challenge for the auditor is evaluating the validation evidence for production and production quality systems presented by the manufacturer. Each piece of evidence is unique to a manufacturer’s product. The validation evidence presented must ultimately convince the auditor that no issues affecting device safety and effectiveness were introduced in the production process. More and more audits are being turned over to third parties like Underwriters Laboratories (UL), TUV, and other approved testing houses and conformity assessment organizations. FDA will accept certifications from these organizations in lieu of FDA doing the work itself. FDA provides a link to getting information about changes in FDA regulations, policies, and guidance: https://www.fda.gov/about-fda/contact-fda/get-email-updates

About the author Paul Jones is a world-renowned software safety expert who joined Ketryx following close to 25 years at the Food and Drug Administration (FDA). He helped create the FDA’s approach to safety-critical software and medical devices and founded the FDA’s software engineering lab. While holding committee positions with groups that handled medical software safety standards like ISO 13485, ISO/IEC 62304, and ISO 14971, he reviewed over 300 devices, carried out numerous inspections, and provided training to FDA staff on software quality, risk management, and software engineering. ketryx.com 7 About Ketryx Ketryx is the first and only Connected Lifecycle Management software for MedTech that seamlessly creates traceability across the application lifecycle. Compliant by Design, Ketryx embeds guardrails to eliminate the manual, error-prone cutting and pasting from traditional disconnected medical systems to reduce the risk of defects while delivering enhanced patient outcomes. © Ketryx Corporation, 2023.
