21 CFR 820.180 – Exceptions to the US FDA’s Record Requirements

This article provides practical advice for how to deal with records the FDA is not allowed to request during an inspection and FDA inspector tactics specific to 21 CFR 820.180 – exceptions. When I meet with a new consulting client, the phrase I dread hearing is “the FDA can’t see that.” Indeed, the FDA is not supposed to review the content of internal audit reports, supplier audit reports, and management reviews to encourage companies to use these tools to address quality problems without having to worry about the FDA beating them with their reports. This policy is officially stated in subsection C of 21 CFR 820.180–exceptions:

21 CFR 820.180 – Exceptions

“[21 CFR 820.180 – exceptions] does not apply to the reports required by 820.20(c) Management review, 820.22 Quality audits, and supplier audit reports used to meet the requirements of 820.50(a) Evaluation of suppliers, contractors, and consultants, but does apply to procedures established under these provisions. Upon request of a designated employee of FDA, an employee in management with executive responsibility shall certify in writing that the management reviews and quality audits required under this part, and supplier audits where applicable, have been performed and documented, the dates on which they were performed and that any required corrective action has been undertaken.”

The Problem with Hiding Records

The problem with the mentality of hiding things from the FDA is that it fails every time. The FDA can get to issues in your management reviews and your internal audits by asking, “Can I please see all the CAPAs resulting from audits and management reviews.” One client I spoke with said that they purposely don’t open any CAPAs from audits or management reviews for that reason. I was in complete shock, but I managed to keep my poker face and asked the client, “So what do you think the FDA will do when you say that you don’t have any CAPAs resulting from audits or management reviews?” Management responsibility is a frequent FDA inspection target. Most companies are subjected to a Level 2, QSIT inspection on a biannual basis. During these comprehensive inspections, the inspector reviews the four major subsystems: 1) management controls, 2) design controls, 3) CAPA, and 4) production and process controls. The FDA will ask open-ended questions to determine the effectiveness of the QMS. If the inspector is not going to look at the actual meeting minutes from the management review, you can expect them to look at the following apparent targets:

1. “May I see your procedure for Management Reviews?”
2. “May I please have a copy of your organization chart?”
3. “Could I see the agenda and attendees list from your last management review?”

The inspector could also ask for copies of inputs that are identified in the Management Review procedure, such as: “Could I have a copy of the most recent scrap trend analysis for production?” or “What is your threshold for taking corrective actions for rejects found in receiving inspection?” One Quality Manager told me a fascinating story about his local inspector. During a previous inspection, the inspector requested a copy of the management review. The Quality Manager showed him the cover page that indicated the agenda and the attendees. The Quality Manager refused to let the inspector see the rest of the meeting minutes. The inspector then proceeded to conduct a brutal 3-day inspection where a myriad of 483’s was written. Twelve months later, the inspector returned to perform a “Compliance Follow-up.” This time when the inspector asked to see the management review, the Quality Manager agreed to let the inspector see the entire meeting minutes. From that point onward, each time the inspector got close to identifying a new 483’s, the inspector would stop following the audit trail at the last moment before the nonconformity was identified. The Quality Manager said it was almost like the inspector was showing him that he could find all kinds of problems to write-up if he wanted to. Still, he was taking it easy on the company because the Quality Manager was cooperative. My philosophy is to create a QMS that is open for review by any customer, auditor, and even the FDA. No matter what they find, it’s just another opportunity to improve. This has worked well for me, but you need to follow a few basic rules when writing audit reports and management review meeting minutes.

Rules for Writing Audit Reports & Management Reviews

1. DO NOT write anything inflammatory or opinionated in your documents. My motto is, “Stick to the facts, Jack (or Jill).”
2. I ask other people in the management team to read and review the meeting minutes before they are finalized. The variety of perspectives in top management helps to make sure that the final document is well written and clear—especially to FDA inspectors.
3. I structure the documents as per a standard template that is a controlled document. This ensures that each report or management review was conducted as per the procedure. I typically reference the applicable clauses and sub-clauses throughout the document. For example, I will reference ISO 13485:2003, Section 5.6.2h) for the slide titled “New and Revised Regulatory Requirements.” I put the reference next to the slide title just to make it clear what requirement this slide is addressing.
4. If there is an area that I covered, but there was nothing to discuss, I write, “There was no further discussion on this topic.”
5. If there is an area that I did not cover, I make sure I do the following:
6. write a justification for not covering the area,
7. indicate the last time the area was covered (and the result at that time), and
8. document when the area will be covered in the future.

You can continue to listen to the advice of consultants that think of creative ways to hide things from the FDA, or you can follow the above advice. If you follow my advice, then you can spend the rest of your time working on the CAPAs for each area where you identified a weakness—instead of spending your time trying to hide your problems. If you need help preparing for an FDA inspection or responding to FDA 483 inspection observations or warning letters, please email Rob Packard. We have two people on our team that used to work for the agency.