U.S. flag An official website of the United States government

U.S. Food and Drug Administration
  1. Home
  2. Inspections, Compliance, Enforcement, and Criminal Investigations
  3. Compliance Actions and Activities
  4. Warning Letters
  5. iRhythm Technologies, Inc. - 643474 - 05/25/2023
  1. Warning Letters

WARNING LETTER

iRhythm Technologies, Inc. MARCS-CMS 643474 —

Delivery Method:
VIA Electronic Mail
Product:
Medical Devices
Recipient:
Recipient Name
Mr. Quentin S. Blackford
Recipient Title
President and CEO
iRhythm Technologies, Inc.

699 8th Street, Suite 600
San Francisco, CA 94103
United States

quentin.blackford@irhythmtech.com
Issuing Office:
Center for Devices and Radiological Health

United States

WARNING LETTER
CMS# 643474


May 25, 2023

iRhythm Technologies, Inc.
6550 Katella Ave
Cypress, CA 90630

Dear Mr. Blackford,

During an inspection of your firm located at 6550 Katella Ave in Cypress, CA on July 25 through August 12, 2022, investigators from the United States Food and Drug Administration (FDA) determined that your firm is a medical device manufacturer of the Zio AT System. Under section 201(h) of the Federal Food, Drug, and Cosmetic Act (the Act), 21 U.S.C. § 321(h), this product is a device because it is intended for use in the diagnosis of disease or other conditions or in the cure, mitigation, treatment, or prevention of disease, or to affect the structure or any function of the body. As stated in the Zio AT System indications for use, the system is intended to continuously record and report patient symptomatic and asymptomatic cardiac events and continuous electrocardiogram (ECG) information. After wear, a final report of the entire ECG recording is generated. The ZEUS software system is a component of the Zio AT system and supports the capture, reporting, and analysis of arrhythmia events. The reports are provided to a reviewer to render a diagnosis. Therefore, the reports are components of the device system. Because Zio AT System (“Zio AT”) is intended for use in the diagnosis of disease, the Zio AT system, including its components, is a device within the meaning of section 201(h).

We received responses from you dated September 2, 2022, October 13, 2022, November 04, 2022, December 7, 2022, January 3, 2023, February 2, 2023, and March 1, 2023, concerning our investigator(s)’ observations noted on the Form FDA 483 (FDA 483), List of Inspectional Observations, that was issued to your firm. We address these responses below, in relation to each of the noted violations, and any additional responses will be reviewed as part of your warning letter response.

Unapproved Device Violations

You currently have clearance for the Zio QX ECG Monitoring under K163512 for the following indications:

The Zio QX ECG Monitoring System is intended to capture, analyze and report symptomatic and asymptomatic cardiac events and continuous electrocardiogram (ECG) information for long-term monitoring. While continuously recording patient ECG, both patient-triggered and automatically detected arrhythmia events are transmitted to a monitoring center for reporting. After wear, a final report is generated based on beat-to-beat information from the entire ECG recording. It is indicated for use on patients 18 years or older who may be asymptomatic or who may suffer from transient symptoms such as palpitations, shortness of breath, dizziness, light-headedness, pre-syncope, syncope, fatigue, or anxiety. The reports are provided for review by the intended user to render a diagnosis based on clinical judgment and experience. It is not intended for use on critical care patients.

Thus, your device was cleared under K163512 for long-term monitoring of arrhythmia events for non-critical care patients where real-time monitoring is not needed as reporting timeliness is not consistent with life-threatening arrhythmias. However, your marketing materials and other documentation, such as the document titled “Zio AT Notification Criteria,” and your website (https://www.irhythmtech.com/providers/zio-service/zio-monitors; last accessed February 28, 2023), state that the Zio AT Patch System is intended for “near real-time monitoring” as a “mobile cardiac telemetry monitor,” can provide notifications “immediately,” and that it is intended for “high-risk patients.” The claim that the device is intended as a mobile cardiac telemetry monitor implies this device is intended for high-risk patients and near real-time monitoring.1 As explained in Section A.1.4 of the guidance document Deciding When to Submit a 510(k) for a Change to an Existing Device2 (“510(k) Modifications Guidance”) in general, describing a new patient population “could significantly affect the safety and effectiveness…” and thus likely requires a new 510(k). Your firm’s labeling describes a new patient population, for example, by using the term “near real-time reporting” and “high-risk,” instead of non-critical care. This change could significantly affect the safety or effectiveness of the device because it suggests that the device is intended for a new patient population – high-risk patients. High risk patients need near real-time monitoring because they are more likely to have a life-threatening arrhythmia, which requires timely treatment to prevent serious injury or death. Accordingly, these changes required the submission of a new 510(k).

Your response dated September 2, 2022, stated that your firm opened several Corrective and Preventative Actions investigations. Based on the outcome of your CAPA investigations, your firm proposed several labeling changes, such as removing the term “high-risk,” and replacing the phrase “near real-time monitoring” with “near real time cardiac event monitoring.” Your responses are inadequate because, even with your proposed changes, your labeling still represents a major change or modification in intended use requiring submission of a new 510(k) under 807.81(a)(3). “Near real time cardiac event monitoring” implies that the device provides monitoring for high-risk patients that require clinically actionable, timely notification of life-threatening arrythmias to prevent serious injury or death.

Our inspection also revealed that your firm made changes to the device without submission of a new 510(k). In response to our inspection, your firm provided more detail on the changes made to the device. Based on the information in your responses, the following changes were made to the device that require a new 510(k) submission:

a. Your document titled “Zio AT (K163512) Design Changes, Brief Summary” and “(b)(4) Hardware and Firmware Design Changes” identifies hardware and firmware changes that raise new risks including, but not limited to, changes in the (b)(4), and updating (b)(4) of your device including the (b)(4). Specifically, these changes can affect the (b)(4) of the device (i.e., device (b)(4) and device (b)(4)) that would require new testing to support your assertion that the device’s safety and effectiveness is unaffected. These changes can result in potential (b)(4) and may affect the basic safety of the device. According to Table B (technology, engineering, and performance changes) in the 510(k) Modifications Guidance, Question B5.2 should be answered “yes” because these changes raised new or significantly modified risks. Because these changes would require new (b)(4) testing and could significantly affect safety or effectiveness, a new 510(k) must be submitted for this change.

b. “Zio AT (K163512) Design Changes, Brief Summary” describes a change to your device made in September 2019, “Improve (b)(4): the algorithm in the (b)(4) was adjusted based on available data to improve (b)(4) performance for (b)(4) events that meet (b)(4) criteria. There were no changes to the algorithm that would significantly affect any clinical outcome.” Changes to the (b)(4) algorithm can impact the accuracy of the detected arrhythmias, and testing would be needed to support that the algorithm’s performance is unaffected by the change. A change in the (b)(4) for the algorithm could significantly impact safety or effectiveness, such as through missed or incorrect detection of events or arrhythmias, which could lead to patient injury due to lack of treatment. Question B5 in the 510(k) Modifications Guidance should have been answered “yes” because the change was to performance specifications. Subsequently, question B5.3 should have been answered “yes,” because the modification to the algorithm necessitated clinical validation data in order to ensure the performance of the device was maintained, using relevant device-specific data from patients. Therefore, a new 510(k) must be submitted.

Your responses are inadequate because they fail to address how the above changes could not significantly affect the safety or effectiveness of the Zio AT System.

Therefore, the Zio AT System is adulterated under section 501(f)(1)(B) of the Act, 21 U.S.C. § 351(f)(1)(B), because your firm does not have an approved application for premarket approval (PMA) in effect pursuant to section 515(a) of the Act, 21 U.S.C. § 360e(a), or an approved application for an investigational device exemption under section 520(g) of the Act, 21 U.S.C. § 360j(g). The device is also misbranded under section 502(o) the Act, 21 U.S.C. § 352(o), because your firm did not notify the agency of its intent to introduce the device into commercial distribution, as required by section 510(k) of the Act, 21 U.S.C. § 360(k). For a device requiring premarket approval, the notification required by section 510(k) is deemed satisfied when a PMA is pending before the agency (21 CFR 807.81(b)). Therefore, the kind of information that your firm needs to submit in order to obtain approval or clearance for the device is described on the Internet at http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/HowtoMarketYourDevice/default.htm. The FDA will evaluate the information that your firm submits and decide whether the product may be legally marketed.

We also note that your responses identified other changes to the device. However, the level of information provided in your responses was insufficient to determine whether these changes to the device also require clearance in a new 510(k) submission. Please reach out to the FDA review team to discuss the changes identified in your previous responses. Further, please discuss with the FDA review team any other changes made to the device since K163512 not noted above.

Labeling Violations

The Zio AT System is also misbranded within the meaning of section 502(f)(1) of the Act, 21 U.S.C. § 352(f)(1), in that the labeling for the device fails to bear adequate directions for the purpose for which it is intended. The Zio AT System does not meet the criteria for an exemption from section 502(f)(1) of the Act under 21 CFR 801 subpart D. 21 CFR 801.109 expressly exempts a prescription device from section 501(f)(1) if the device meets certain criteria.

As a (b)(4), your firm implemented a transmission limit on how many times the Zio AT System transmits data. As a result, the device is only able to transmit 100 patient-triggered and 500 automatically detected arrhythmia events. Once the transmission limit is reached, the patient’s data stops being transmitted for review/reporting. Thus, when the transmission limit is hit, the device can no longer be used for its intended purpose of transmitting patient ECG for reporting. Further, when the transmission limit is hit, the device can no longer provide near-real time monitoring for high-risk patients.

The Zio AT System does not meet the requirements for exemption from section 502(f)(1) of the Act under 21 CFR 801.109 because the device fails to include adequate directions for use for the physician related to the transmission limit. Specifically, the directions for use fail to include information related to the “indications…[and]…methods,…under which practitioners…can use the device safely and for the purposes for which it is intended, including all purposes for which it is advertised or represented.” See 21 CFR 801.109. During our inspection, it was revealed that the labeling does not inform the physician of the existence of a transmission limit, when the transmission limit is reached, or include any information about the action a physician should take if the device reaches the transmission limit. While your firm does provide a small alert on the report when the device is nearing, or has met, the transmission limit, there is no description of the what the alert means, or next steps the physician should take. In your response, your firm explained that, when “a wireless transmission threshold is approached, the [healthcare provider] is notified and given the option to replace the patch for the remainder of the wear period.” This is not adequate because an understanding of the transmission limitations by the healthcare provider is needed prior to transmission limit being reached to effectively use the device as intended.

Further, there is no information provided to the patient that a transmission limit exists, no notification to the patient when the transmission limit is reached, and no information provided to the patient about what to do when the transmission limit is reached. In response, your firm proposed sending a new device directly to the patient in instances when the prescribing clinician could not be contacted. However, this proposed corrective action is inadequate to address the issue because there is still no information provided to the patient about the transmission limit, or what do with the newly acquired device. This information is needed for the patient to be able to use the device safely and for the purposes for which it is intended. See 21 CFR 801.5. Therefore, the Zio AT System is misbranded under section 502(f)(1) because its labeling fails to bear adequate directions related to the device’s transmission limit. Your response did not address this issue.

Quality System Regulation (QSR) violations

This inspection also revealed that these devices are adulterated within the meaning of section 501(h) of the Act, 21 U.S.C. § 351(h), in that the methods used in, or the facilities or controls used for, their manufacture, packing, storage, or installation are not in conformity with the current good manufacturing practice requirements of the Quality System regulation found at 21 CFR part 820. These violations include, but are not limited to, the following:

1. Failure to adequately establish and maintain procedures for implementing corrective and preventive action, as required by 21 CFR 820.100(a).

  A. You failed to identify the actions needed to correct and prevent recurrence of quality problems despite being aware of them for years. Specifically:

    i. You were aware of a negative trend or critical customer complaints since at least 2019 but failed to initiate a CAPA as provided by your CAPA procedures.

Section 6.3 of your firm’s Corrective and Preventive Action procedure states that a CAPA may be initiated for reasons including but not limited to, a negative trend or critical customer complaints. Within your CAPA procedures, critical is defined as “[a]ny nonconformance or noncompliance that will or already has adversely affected product performance meeting specifications, safety, therapeutic efficacy, or regulatory requirements.” Additionally, Section 6.1 states that the purpose of the CAPA procedure is to “[e]nsure nonconformity and quality problems that are systemic or critical in nature are promptly considered and addressed.”

Our inspection revealed that your firm knew that the device’s transmission limit, which was explained in the previous section, was resulting in data not being transmitted. Records reviewed during our inspection indicate that your firm has been aware of customer complaints related to this issue since at least 2019. Specifically, our inspection found a significant number of complaints regarding this issue, which revealed two deaths as well as significant arrythmias that were not reported to physicians. As designed, the device transmission limit should only be reached in rare cases. However, the customer complaints reviewed during the inspection reveal that the device was hitting the transmission limit more often than expected. When the transmission limit is reached more often than expected, it introduces a nonconformance. However, your firm failed to initiate a CAPA based on negative trends or critical customer complaints, to “[e]nsure nonconformity and quality problems that are systemic or critical in nature are promptly considered and addressed,” as required by your firm’s CAPA procedure.

Your response maintains this is a design limitation and not a nonconformance, and that no visual cues will be added. As noted above, when the design limitation is reached more often than expected, it introduces a nonconformance. In response, your firm initiated a CAPA. The adequacy of your firm’s responses cannot be determined at this time because they do not provide sufficient details to fully assess the adequacy of your corrective actions. Following our inspection, your firm initiated a CAPA and submitted a correction report under 21 CFR part 806 (806 report) to the Agency. However, the CAPA your firm provided as part of the 806 report lacked sufficient detail to determine whether the CAPA has been properly conducted. In response to this letter, please provide more detail on your firm’s CAPA.

Further, the cleared indications of your device include continuous recording of ECG information for monitoring, manual, and automatic transmission of arrhythmia events. As described above in the Unapproved Device Violations section, your current marketing materials indicate that the Zio AT System is intended for high-risk patients and near real-time monitoring. When the transmission limit is exceeded more than rarely, this introduces a nonconformance because the device is unable to transmit ECG information for monitoring and is not remotely capable of delivering near-real time monitoring for high-risk patients.

    ii. Your firm has known since 2017 that patient data is held inaccessible within your Zeus system, thereby not allowing it to be properly analyzed for potential corrective action and you failed to initiate a CAPA as provided by your CAPA procedures.

Section 6.3 of your firm’s Corrective and Preventive Action procedure states that a CAPA may be initiated for reasons including but not limited to, feedback that identifies problematic performance with process operations, or “product, process, or system nonconformance…”

However, your firm failed to initiate a CAPA when you were aware that patient data, including significant arrythmias requiring physician notification (see Z ticket3 records (b)(4) noting Atrial Fibrillation and (b)(4) noting Bradycardia), was being held inaccessible within your Zeus system. Specifically, your firm was aware that when the patient’s device registration is incomplete, the patient’s ECG information is still collected but cannot be read by anyone. When the patient’s data can no longer be analyzed and reported, the device can no longer be used for the purpose for which it is intended, which is a nonconformance. Since at least 2017, your firm has been aware of this issue where your clinical care team cannot access the patient’s data. Our inspection confirmed 39 examples from a list of over (b)(4) Z tickets where this problem occurred.

In your initial response, you claim that this is not a nonconformance because the patient registration information is required based on IDTF requirements related to Medicare billing. This does not address the nonconformance. As noted above, when quality data is held inaccessible within the Zeus system where it cannot be analyzed and reported, the device can no longer be used for the purpose for which it is intended.

The adequacy of your firm’s responses cannot be determined at this time because they do not provide sufficient details to fully assess the adequacy of your corrective actions. In your response, you noted that your firm initiated a CAPA. However, the CAPA your firm provided lacked sufficient detail to determine whether the CAPA has been properly conducted. For example, the provided CAPA investigation does not include an “identification of the actual failure (not to be confused with the reported observation),” as required by your CAPA procedure. Additionally, the provided CAPA investigation does not include distribution tracking, otherwise known as “(b)(4) information,” as required by your CAPA procedure. As your procedure notes, this information is necessary to capture “the known extend of the identified issue in order to contain or correct the issue.” In response to this letter, please provide more detail on your firm’s CAPA.

We also acknowledge that based on the outcome of that CAPA, your firm has committed to a voluntary recall that would provide notification to doctors that monitoring cannot begin until the patient registration is completed. On September 1, 2022, your firm initiated this recall. Your firm submitted an 806 report to the Agency on October 5, 2022. We provided a response to your 806 report separately. Please continue to provide status updates with respect to your recall (RES 90954) to oradevices3recalls@fda.hhs.gov.

B. You failed to conduct a health hazard evaluation (HHE) when required by your CAPA procedure.

Our inspection found that your firm did not perform an HHE when required by your CAPA procedure. When an unanticipated issue arises which affects product in the field, your firm’s procedure requires you to perform an HHE to evaluate the health hazard presented by the issue. “Unanticipated” is defined to include a new failure mode.

Your firm failed to perform an HHE when it became aware of the error titled “Activation Time Mismatch.” During a CAPA investigation, you identified the “Activation Time Mismatch” error, in which prior patient data was not fully erased from the device prior to the device’s reuse. The CAPA investigation showed that this issue has the potential for adverse effect on product quality and is a risk that is not identified in an existing risk assessment document. As this was an unanticipated risk identified in this CAPA record, an HHE was required.

We reviewed your firm’s response and concluded that it is not adequate. Your response states that your firm’s process about when to escalate a CAPA to an HHE was not clear. As such, CAPA procedural updates were made, and training was performed. Specifically, you updated your CAPA to include the statement, “The issue will be assessed… [in accordance with the Health Hazard Evaluation Procedure], to determine if the criteria for an HHE has been met, and whether field action is required.” Your firm also conducted an HHE for the Activation Time Mismatch error, as required by your CAPA procedures. In addition, your firm conducted several other HHEs. It is important that the HHE be performed in accordance with your firm’s Risk Management SOP (00010) because the outcome of the HHE is used to determine some of your firm’s corrective and/or preventative actions.4 However, based on FDA’s own calculations, these HHEs do not appear to be conducted in accordance with your Risk Management SOP (SOP0010). For example, when conducting HHE-(b)(4), it appears your firm failed to properly calculate the probability of occurrence of the potential safety issue.5 Your miscalculation underestimated the likelihood of someone being injured. According to your updated CAPA procedure, the difference in the occurrence rating for HHE-(b)(4) would have required an update to your risk documentation and the HHE shows that this was not selected. Further, when conducting HHE-(b)(4), your firm failed to apply the Health Risk Table in your Risk Management SOP (SOP0010).6 This miscalculation is significant because this HHE procedure is used to assess whether or not you will initiate field action.

2. Failure to adequately establish procedures for receiving, reviewing, and evaluating complaints by a formally designated unit, per the requirements of 21 CFR 820.198.

Events meeting the definition of a complaint under 820.3(b) were not reviewed or evaluated to determine whether the complaint represents an event which for which reporting is required under 21 CFR part 803, Medical Device Reporting. Specifically, a review of your Service Monitoring Z tickets found complaints regarding deficiencies in the reliability of your device that your firm failed to review or evaluate.

As the Zio AT System monitors a patient’s ECG, it may auto-generate tickets in your (b)(4) system (“Service Monitoring Z tickets”) for follow-up. You specified that Service Monitoring Z tickets are not reviewed or evaluated because they are not deemed a problem. However, some of the Service Monitoring Z tickets reviewed during the inspection meet the definition of a complaint under 820.3(b). Accordingly, they must be evaluated for potential reporting under Part 803, Medical Device Reporting.

The adequacy of your firm’s responses noted at the top of this letter cannot be determined at this time because your corrective actions are still in progress. Your responses acknowledge that your firm did not review or evaluate complaints for Service Monitoring Z tickets appropriately. Your investigation found that your firm failed to evaluate the Service Monitoring Z tickets. In response, you stated that procedural updates have been made and training has been conducted. You also stated that you have made necessary updates to the (b)(4) system and Z ticket template forms. Additionally, you committed to retrospectively review complaints per the newly established criteria and your March 2023 response estimates this may be completed by 8/31/2023. The verification of the effectiveness of your corrective action is also outstanding. A follow up inspection will be required to assure that your corrective actions are adequate.

3. Failure to validate a process to a high degree of assurance per the requirements of 21 CFR 820.75.

Specifically, when Gateway PCBAs were returned, they were reused, and per procedure Zio AT Gateway PCBA Initialize and Test, the memory needs to be cleared. However, the AT Gateway (b)(4) process did not include a verification step to confirm that previous patient data was successfully erased. This resulted in distribution of Zio AT product with prior patient data remaining on it, which led to a complaint.

Your firm’s response to this observation appears to be adequate. Your response acknowledges that the process validation failed to implement a (b)(4) that validates the complete erasure of the (b)(4), and that the manufacturing work instructions did not include a step to verify this erasure. Your response further states this deficiency extends beyond design changes and is a systemic issue with process validation and (b)(4) verification in general.

We acknowledge the findings from the testing you performed on the Gateway process, and that you have determined R peak data (i.e., data used to determine potential arrythmias) from a prior patient would not be stored on the PCB, (b)(4). We understand you committed to contain this issue by only using virgin Gateway PCBAs until the related corrective action is complete. As part of your CAPA, you developed and implemented a process to verify that all prior patient data is properly erased. You have updated related procedures and have revalidated this process. A follow up inspection will be required to assure that corrections and/or corrective actions are adequate.

Medical Device Reporting (MDR) Violations

Our inspection also revealed that your firm’s Zio AT system is misbranded under section 502(t)(2) of the Act, 21 U.S.C. § 352(t)(2), in that your firm failed or refused to furnish material or information respecting the device that is required by or under section 519 of the Act, 21 U.S.C. § 360i, and 21 CFR Part 803 - Medical Device Reporting. Significant violations include, but are not limited to, the following:

1. Failure to submit a report to FDA no later than 30 calendar days after the day that iRhythm Technologies, Inc., received or otherwise became aware of information, from any source, that reasonably suggests that a device that it markets may have caused or contributed to a death or serious injury, as required by 21 CFR 803.50(a)(1).

For example,

a. The information included for the MDRs 3007208829‐2022‐00041 (corresponding to Complaint COMP‐2021‐6388) and 3007208829‐2022‐00055 (corresponding to Complaint COMP‐2021‐6385) describes MDR reportable events where a patient passed away while using the Zio AT system. iRhythm Technologies, Inc., became aware of each of the two events on October 25, 2021. However, FDA did not receive these MDRs until September 24, 2022, and December 3, 2022, respectively, which is beyond the required the 30‐calendar day timeframe.

b. The information included for the MDR 3007208829‐2022‐00048 (corresponding to Complaint COMP‐2022‐2077) describes an MDR reportable event where the patient experienced ventricular tachycardia and syncope while using the Zio AT system and was hospitalized. iRhythm Technologies, Inc., became aware of the event on April 27, 2022. FDA did not receive this MDR until September 24, 2022, which is beyond the required the 30‐calendar day timeframe.

As noted previously in this letter, based on your marketing materials, website, and other documentation, the Zio AT System is intended for “near real-time monitoring” and “high-risk patients,” even though the Zio AT System is not cleared for these indications. When used in this patient population, the Zio AT System may cause or contribute to serious injury or death because life-threatening arrhythmias may not receive timely treatment.

We reviewed your firm’s responses dated September 1, 2022, October 6, 2022, November 4, 2022, December 7, 2022, January 3, 2023, February 2, 2023, and March 1, 2023, and they appear to be adequate. The responses indicate that your firm conducted a retrospective review of a total of 999,328 complaints received from March 1, 2019, through August 6, 2022, for reportability, resulting in the submission of 13 MDRs. Your firm’s response dated March 1, 2023, notes that your firm has completed all the planned corrective actions.

2. Failure to report an MDR for an event where your device has malfunctioned and is likely to cause or contribute to death or serious injury if this malfunction recurred, per the requirements of 21 CFR Part 803.50(a)(2).

Specifically, in complaints COMP-2021-1687, COMP-2021-2077 and COMP-2021-5397, similar to the complaints discussed in #1 above, the transmission limit was reached prior to occurrence of a significant arrythmia; therefore, these events were not transmitted to the prescribing physician until the final wear-period report was generated.

The Zio AT System malfunctioned when the Zio AT System hit its transmission threshold and stopped submitting data that is used to determine potential arrythmias. This failure meets the definition of a reportable malfunction, as defined in 21 CFR 803.3. This malfunction is likely to cause or contribute to death or serious injury for the reasons discussed in #1 above. However, these complaints were coded as unreportable malfunctions and no MDR was filed.

Each of the referenced malfunctions represents an MDR reportable event and a malfunction MDR for each complaint (COMP‐2021‐1687 and COMP‐2021‐5397) was required to be submitted within the 30‐calendar day timeframe.

We reviewed your firm’s responses dated September 1, 2022, October 6, 2022, November 4, 2022, December 7, 2022, January 3, 2023, February 2, 2023, and March 1, 2023, and we were unable to determine the adequacy of your response. The responses indicate that your firm conducted a retrospective review of a total of 999,328 complaints received from March 1, 2019, through August 6, 2022, for reportability, resulting in the submission of 13 MDRs. However, your firm failed to submit an MDR for the following complaints: COMP‐2021‐1687 and COMP‐2021‐5397. Your firm should submit the MDRs for the previously mentioned complaints and provide a rationale for why they were missed in your retrospective review.

3. Failure to adequately develop, maintain, and implement written MDR procedures as required by 21 CFR 803.17.

For example, the following documents were collected during the inspection and were reviewed collectively as iRhythm Technologies, Inc.'s MDR procedure:

• Document titled “Complaint Handling”, Document# SOP0021, Rev. 07, dated 02‐July‐2021, which applies to customer complaints regarding products provided by
iRhythm Technologies, Inc.

• Document titled “Adverse Event Reporting”, Document# SOP0023, Rev. 10, dated 05‐July‐2022, which defines the process for global post‐market reporting of adverse events and applies to all medical device manufactured by iRhythm Technologies, Inc. placed on the market.

After reviewing the MDR procedure, the following was noted:

A. Your MDR procedure fails to establish internal systems that provide for timely and effective identification, communication, and evaluation of events that may be subject to MDR requirements, as required by 21 CFR 803.17(a)(1).

For example, the procedure omits the definitions of the terms “serious injury” from 21 CFR 803.3 and “reasonably suggests” found in 803.20(c)(1). The exclusion of the definitions for these terms from the procedure may lead your firm to make an incorrect reportability decision when evaluating a complaint that may meet the criteria for reporting under 21 CFR 803.50(a).

B. The procedure does not establish internal systems that provide for timely transmission of complete medical device reports, as required by 21 CFR 803.17(a)(3). Specifically, the procedure does not include:

a. Instructions for how to obtain and complete the FDA 3500A form;

b. A process for submitting supplement or follow-up reports to FDA in an electronic format that FDA can process, review and archive in accordance with 21 CFR 803.12(a);

c. How your firm will ensure that all information reasonably known to you is submitted for each event. Specifically, your procedures do not indicate which sections of the Form 3500A will need to be completed to include all information found in your firm’s possession and any information that becomes available as a result of a reasonable follow-up within your firm.

We reviewed your firm’s responses and conclude that they are not adequate. Your firm’s response dated September 1, 2022, includes copies of the revised procedural documents titled “Complaint Handling”, Document# SOP0021, Rev.08, dated 29‐Aug‐2022 and “Adverse Event Reporting”, Document# SOP0023, Rev. 11, dated 26‐Aug‐2022. However, a collective review of each revised document noted the following:

1. The revised MDR procedure does not establish internal systems that provide for timely and effective identification, communication, and evaluation of events that may be subject to MDR requirements, as required by 21 CFR 803.17(a)(1). The revised procedure omits the definition of the term “reasonably suggests” found in 803.20(c)(1). The exclusion of the definition for this term from the procedure may lead your firm to make an incorrect reportability decision when evaluating a complaint that may meet the criteria for reporting under 21 CFR 803.50(a).

2. The revised procedure does not establish internal systems that provide for timely transmission of complete medical device reports, as required by 21 CFR 803.17(a)(3). Specifically, the procedure does not include:

a. Instructions for how to obtain and complete the FDA 3500A form.
b. How your firm will ensure that all information reasonably known to you is submitted for each reportable event. Specifically, your procedure does not provide instructions regarding which sections of the Form 3500A will need to be completed to include all reportable information found in your firm’s possession and any information that becomes available as a result of a reasonable follow‐up within your firm.

Your firm’s responses dated October 6, 2022, November 4, 2022, December 7, 2022, January 3, 2023, February 2, 2023, and March 1, 2023, didn’t provide any new information regarding the MDR procedural deficiencies listed above.

Your firm should take prompt action to address any violations identified in this letter. Failure to adequately address this matter may result in regulatory action being initiated by the FDA without further notice. These actions include, but are not limited to, seizure, injunction, and civil money penalties.

Other federal agencies may take your compliance with the FD&C Act and its implementing regulations into account when considering the award of federal contracts. Additionally, should FDA determine that you have Quality System regulation violations that are reasonably related to premarket approval applications for Class III devices, such devices will not be approved until the violations have been addressed. Should FDA determine that your devices or facilities do not meet the requirements of the Act, requests for Certificates to Foreign Governments (CFG) may not be granted.

Please notify this office in writing within fifteen business days from the date you receive this letter of the specific steps your firm has taken to address the noted violations, as well as an explanation of how your firm plans to prevent these violations, or similar violations, from occurring again. Include documentation of the corrections and/or corrective actions (which must address systemic problems) that your firm has taken. If your firm’s planned corrections and/or corrective actions will occur over time, please include a timetable for implementation of those activities. If corrections and/or corrective actions cannot be completed within fifteen business days, state the reason for the delay and the time within which these activities will be completed. Your firm’s response should be comprehensive and address any violations included in this Warning Letter. If you believe that your products are not in violation of the FD&C Act, include your reasoning and any supporting information for our consideration as part of your response.

Your firm’s response should be sent to: Jessica Mu, Director of Compliance Branch, at oradevices3firmresponse@fda.hhs.gov. Refer to CMS 643474 when replying. If you have any questions about the contents of this letter, please contact: Lauren Priest at
Lauren.Priest@fda.hhs.gov.

Finally, you should know that this letter is not intended to be an all-inclusive list of the violations at your firm’s facility. It is your firm’s responsibility to ensure compliance with applicable laws and regulations administered by FDA. The specific violations noted in this letter and in the Inspectional Observations, FDA 483, issued at the close of the inspection may be symptomatic of serious problems in your firm’s manufacturing and quality management systems. Your firm should investigate and determine the causes of any violations and take prompt actions to address any violations and bring the products into compliance.

Sincerely,
/S/

Bram Zuckerman, M.D., Director
OHT2: Office of Cardiovascular Devices
Office of Product Evaluation and Quality
Center for Devices and Radiological Health

/S/

Shari J. Shambaugh, Program Division Director
Office of Medical Device and Radiological Health
Division 3

Cc:
Mr. Mazi A. Kiani, Senior Vice President of Quality and Regulatory, mazi.kiani@irhythmtech.com
Mr. Mark W. Hughes, VP Manufacturing, mark.hughes@irhythmtech.com for

______________________

1 See e.g., (b)(4).

2 https://www.fda.gov/regulatory-information/search-fda-guidance-documents/deciding-when-submit-510k-change-existing-device.

3 Your procedures define a Z ticket as a detailed description of a customer’s feedback, problem, or question which are used to track and solve customer issues within (b)(4).

4 For example, Section 6.4 of your updated CAPA procedure states “If the risk is documented, to whether the analysis remains accurate. If changes are required (e.g., increase/decrease in severity, probability of occurrence, risk index), update to risk documentation will become an action of the CAPA plan. If determined that the risk is not documented (e.g., identification of a new process failure mode, hazard, harm, cause, etc.), update to risk documentation will become an action of the CAPA plan.” Additionally, Section 9.2 of your updated HHE procedure states that [b]ased on the outcome of the HHE, the Team provides recommendations for next steps. Included with these recommendations are either rationale, or a description of the actions being recommended, as appropriate.

5 Your firm provided the actual calculations used to explain the probability level chosen. In “HHE-(b)(4) Zio AT Registration,” you state “(b)(4) may experience a moderate injury.” This is incorrect; (b)(4) is (b)(4) or to convert to a percentage: (b)(4). When compared to your Risk Management procedure, using your Risk Level Matrix, your miscalculation led you to choose “Low” risk whereas the correct calculation would have led you to “Medium” risk category. More specifically, your original risk calculation was (b)(4) 2. However, if calculated correctly, it would have been (b)(4). This would have required an update to your risk documentation per your updated procedures.

6 Your firm’s SOP0010 procedure includes a Health Risk Table. This includes probability levels, which are associated with a range (e.g., (b)(4) (between (b)(4)). In contrast, the HHE probability levels of the hazards associated with use of the product shown in the Health Risk Table only specify a single probability of occurrence level, such as (b)(4). Furthermore, several of the levels do not correspond to those in SOP0010. For example, level (b)(4) of the HHE is described as (b)(4), whereas (b)(4) in SOP0010 is (b)(4). While (b)(4) is greater than (b)(4), this level does not adequately describe that the risk is for any probability that is greater than (b)(4). Therefore, the Health Risk Table defined by SOP0010 was not used in your HHE.

 
Back to Top