Warning Letter – 3CPM Inc.

Recipient: 3CPM, Inc.
Product: electrogastrogram (EGG) devices
Date: 325/10

6. Failure to establish and maintain procedures for the identification, documentation, validation or where appropriate verification, review, and approval of design changes before their implementation, as required by 21 CFR 820.30(i). For example:
b. When requested, no evidence that the changes made to the finished device or the research, research waterload, or waterload software versions were verified or validated to ensure that the changes are effective and did not adversely affect the finished product was provided.
c. When requested, no evidence to support the device software update from Research Version (b)(4) to Version (b)(4) was verified to meet design requirements as stated in the (b)(4) was provided.
d. When requested, no documentation to support that the changes to EGGSAS software were verified to demonstrate the functionality was provided. The EGGSAS version (b)(4) software is the software component for the EGG machine that is used in conjunction with the (b)(4) to provide a diagnosis of gastric motility disorders.

7. Failure to document all activities required under 21 CFR 820.100, Corrective and Preventive 21 CFR 820.100(b). For example:

a. Email correspondence between the dates of November 26, 2008 and December 1, 2008 discuss an install program for the 3CPM companion program, known as the Reader, and problems encountered during testing. The test methods are not identified, and the software used to test the program is not identified. The final email correspondence refers to a “problem” identified in the folder the program is run on. The program is not identified, nor is a resolution documented.
b. Email correspondence dated December 2, 2008 discuss the 3CPM companion programs known as the Reader and (b)(4) programs corrupting the EGGSAS software making the EGGSAS software “disappear” when the (b)(4) program was uninstalled. The emails discuss testing the Reader and (b)(4) programs to ensure the problem was fixed; however, no resolution is identified and/or documented.
c. Email correspondence between the dates of February 1 and February 3, 2009 discuss changes, upgrades, procedure/policy and software testing; however, the results of the testing or test methods are not documented.
d. Email correspondence on May 18 and 19, 2009 discuss the uninstall of EGGSAS software version (b)(4) on a Windows 98 notebook, which resulted in the uninstall of other programs on the customer’s computer (not related to 3CPM). In an email from , he stated support is not offered for older versions of the EGGSAS software; however, an exception would be made in this instance. The email ended with the offer to purchase new equipment to support the older version of software or to purchase the newer version of software. The email was closed, and no date is provided. There is no evidence of an investigation.

8. Failure to establish and maintain procedures that address the identification, documentation, evaluation, segregation, and disposition of nonconforming product, as required by 21 CFR 820.90(a). For example, there is no defined method of identifying, documenting and evaluating nonconforming product and any investigation associated with the nonconforming product. Specifically, email correspondence between the dates of June 29 and July 6, 2009, indicate the need to correct a problem with the data entry field on the waterload software version; however, no further documentation is available addressing this issue.

9. Failure to validate computer software for its intended use according to an established protocol when computers or automated data processing systems are used as part of production or the quality system, as required by 21 CFR 820.70(i). For example, when requested no validation documentation to support the commercial off-the-shelf program (b)(4) used to capture complaints, returned merchandise and service requests was provided.

11. Failure to establish and maintain procedures for identifying product during all stages of receipt,production, distribution, and installation to prevent mixups, as required by 21 CFR 820.60. For example, there is no procedure or mechanism for identifying individual equipment components, software or finished device. Specifically, there are three versions of the EGGSAS software all identified as Version (b)(4): (1) a waterload version; (2) a research – waterload version; and (3) a research version.

13. Failure to establish and maintain device master records (DMR’s), as required by 21 CFR 820.181. For example, when requested, no DMR for the EGGSAS software used in the three 3CPM Electrogastrogram versions: Research, Research Waterload, and Waterload was provided.

14. Failure to maintain adequate device master records that include, or refer to the location of, device specifications including appropriate drawings, composition, formulation, component specifications, and software specifications, as required by 21 CFR 820.181(a). For example, when requested, the software specifications for the software update that occurred in (b)(4) or the software updates that occurred between (b)(4) could not be located.

15. Failure to establish and maintain procedures to ensure that device history records (DHR) for each batch, lot, or unit are maintained to demonstrate that the device is manufactured in accordance with the device master record and the requirements of 21 CFR Part 820, as required by 21 CFR 810.184. For example:

a. When requested, no DHR for the research, research-waterload or the waterload software Version (b)(4) tested and distributed to customers was provided.
b. There is no record of device labeling.
c. Changes to the software are not documented in the Design History File and are not tracked and/or verified. There is no documentation listing the number and/or type of changes that were made.

FDA office: Baltimore District Office

About the author

Amy enjoys researching and writing about developments in medical technology and how that intersects with US law. She received her J.D. from the University of Florida Levin College of Law in 2020 and now works as a Regulatory Associate for SoftwareCPR®, a general-purpose regulatory consulting firm that is recognized globally for their expertise with standards and national regulations pertaining to medical device, mobile medical app, and HealthIT software.

SoftwareCPR Training Courses:

Being Agile & Yet Compliant (Public)

Our SoftwareCPR unique approach to incorporating agile and lean engineering to your medical device software process training course is now open for registration!

  • Agile principles that align well with medical
  • Backlog management
  • Agile risk management
  • Incremental and iterative software development lifecycle management
  •  Frequent release management
  • And more!

3 days virtual (Zoom) with group exercises, quizzes, examples, Q&A.

Lead Instructor: Mike Russell

Next public offerings:

  • Americas: 11-13 February 2025
  • EU/Eastern Europe/Middle East/Africa/Atlantic/eastern South America: 18-20 February 2025
  • Southern Central Northeastern Pacific: 24-26 February 2025
Register using form at this link:     Agile Course Post Promo

 

IEC 62304 and other emerging standards for Medical Device and HealthIT Software

Our flagship course for preparing regulatory, quality, engineering, operations, and others for the activities and documentation expected for IEC 62304 conformance and for FDA expectations. The goal is to educate on the intent and purpose so that the participants are able to make informed decisions in the future.  Focus is not simply what the standard says, but what is meant and discuss examples and approaches one might implement to comply.  Special deep discount pricing available to FDA attendees and other regulators.

3-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Brian Pate

Next public offering:  TBD

Call or email now to schedule a private, in-house class. The fall schedule is filling up!

Email training@softwarecpr.com to request a special pre-registration discount.  Limited number of pre-registration coupons.

Registration Link:

TBD

 


 

Medical Device Cybersecurity (Public or Private)

This course takes a deep dive into the US FDA expectations for cybersecurity activities in the product development process with central focus on the cybersecurity risk analysis process. Overall approach will be tied to relevant standards and FDA guidance documentation. The course will follow the ISO 14971:2019 framework for overall structure but utilize IEC 62304, IEC 81001-5-1, and AAMI TIR57 for specific details regarding cybersecurity planning, risk characterization, threat modeling, and control strategies.

2-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Dr Peter Rech, 2nd instructor (optional)

Next public offering:  TBD

Corporate Office

15148 Springview St.
Tampa, FL 33624
USA
+1-781-721-2921
Partners located in the US (CA, FL, MA, MN, TX) and Canada.