Case Study Part 2: Packaging CAPA Preventive Action and Corrective Action

This article explains details of implementing a CAPA preventive action and corrective action for packaging issues. Specifically, containment measures, corrections, corrective actions, and preventive actions to address the root cause identified in part 1 of this case study.

Screenshot 2015 11 08 at 12.34.46 PM 1024x504 Case Study Part 2: Packaging CAPA Preventive Action and Corrective Action
Comparing Incoming Inspection Results as a CAPA Preventive Action

CAPA Step 1: Containment of Product with Defective Packaging

When you learn of a packaging complaint related to a specific lot, you also need to determine if another product associated with the lot is safe to ship to customers. You should not attempt a correction and removal of the product unless you have a reasonably high level of confidence that there is a packaging issue with the lot or a portion of a lot, but you might consider placing product from the same lot in your inventory on hold until your investigation is completed. If you confirm that you have an issue with a specific lot, lots, or portion of a lot, then you should initiate correction and removal of product to prevent potentially, a non-sterile product from being used. This type of problem could result in a Class 1 recall (i.e., the most severe of the three categories). Therefore, you need to act quickly and according to established procedures for corrections and removals.

CAPA Step 2: Correction(s) of Defective Packaging

If you find a problem, there is little you can do to fix the existing defective packaging other than to repackage the product. If the product has only been sterilized once, and you have revalidated the product for resterilization, then you can repackage, relabel and resterilize. To ensure traceability to the lot that has been reworked, you may need to revise the labeling (e.g., add an “R” to the lot number). If you have not revalidated the resterilization of the product, you may want to use this lot for validation of resterilization instead of throwing it out. However, sometimes your best option is to scrap the product.

Additional corrections may involve correcting the calibration of a testing device or performing a repair to sealing equipment. You might modify a specification on a drawing. You might correct a work instruction that did not have the correct, validated sealing parameters. All of these could be corrections.

CAPA Step 4: Corrective Action(s) for Packaging Issues

Investigation of root cause (CAPA Step 3) occurs in parallel with containment (CAPA Step 1) and correction (CAPA Step 2). Corrective actions (CAPA Step 4) prevent the packaging issues from recurring, and they occur after the first three steps because you can only implement corrective actions once you understand the root cause of the quality issue. The best tool for evaluating your current process controls and evaluating the implementation of new corrective actions is a process risk control plan. In order to do this, you need a process flow diagram and a process risk analysis. Each step of the process, from the raw material fabrication of film to the released product, needs to have potential hazards identified, risks evaluated, and risk controls implemented. You should use your process validation to verify the effectiveness of process risk controls quantitatively. If the process capability is greater than 95% for each parameter, and you have addressed every possible source of problems, then you probably won’t gain much from additional risk controls. However, many companies reduce their sampling or rely on certificates of conformity to ensure that the process is controlled adequately.

CAPA Step 5: CAPA Preventive Action for Packaging Issues

You already had a packaging issue with one lot of products, but you could have another issue with a different product or lot for the same reason or a different reason. If the product is the same, and the reason is the same, then the actions taken are corrective actions. If you take action to prevent the occurrence of this issue with a different product, or you prevent other potential causes of packaging issues by initiating more robust monitoring and process controls, then your actions are preventive. Often you will want to implement both types of actions.

In the box plot example provided in this article, Lot D was detected at incoming inspection as having peel test results that were outside the alert limit but acceptable when compared to the specification limit for peel testing. The alert limit was established during validation of the pouches and comparison of lots A, B, C, and D, demonstrate that Lot D is slightly lower in peel strength. The manufacturer may choose to use the lot, but the sampling plan for in-process peel testing may be altered, or the manufacturer may choose to place the new lot in quarantine while an investigation is performed. This is a CAPA preventive action.

Below I have listed six additional potential CAPA preventive actions to consider for your packaging process:

  1. Perform peel testing and/or bubble leak testing of packaging raw materials as part of the receiving inspection process and perform data analysis of the incoming inspection samples to determine if lower or higher alert and action limits should be established for the new lot of raw materials. The limits should be based upon the manufacturer’s seals as well as your seal.
  2. Retain remnants of in-process peel testing, include the remnants with the sterilization load, and then store the remnants for real-time aging.
  3. Consider implementing visual inspection tools that are able to detect sealing imperfections non-destructively.
  4. Increase the number of samples you test (e.g., 1 to 3 or 3 to 5) for each lot of product sealed to increase your confidence that the seals will be within specifications.
  5. Perform statistical analysis of in-process data for seal peel strength in order to identify potential lots with packaging issues prior to release.
  6. Evaluate the performance of the packaging at temperature and humidity extremes that may be higher or lower than the conservative estimates for ambient conditions (e.g., 30C vs. 25C).

Additional Resources

In addition to the previous article that was part 1 of this case study, I have posted ten other blogs specifically on the topic of CAPA. There is also a CAPA procedure you can download from this website.

Risk-based CAPA Webinar

If you are interested in learning more about a risk-based approach to CAPAs, then please click here.

Case Study Part 2: Packaging CAPA Preventive Action and Corrective Action Read More »

Risk Management Traceability for CE Marking Technical Files

How to use risk management traceability for CE Marking to cross-reference hazards, risks, and risk controls throughout your technical file.

Screenshot 2015 11 05 at 7.29.21 AM Risk Management Traceability for CE Marking Technical Files

This approach will more efficiently integrate risk management tools into your Design History File (DHF), post-market surveillance documentation, and clinical evaluation reports (CERs). The table above provides a simple template for the nomenclature of risk management elements that you need to cross-reference and provides risk management traceability throughout your technical documentation.

The table does not include a cross-reference code for verification and validation reports because there could and typically are multiple risk controls that are validated and verified for each risk. Many times they are applied across multiple product lines. Therefore, it is more efficient to simply reference the controlled document number for the verification report that is applicable to that risk control.

The basic concept of traceability

The concept of risk traceability is more than being able to identify the verification and validation study that was performed to verify the effectiveness of risk controls in your FMEA because it is in the same row of your table. The best practice is to number your hazards, risks, and risk controls so that you can cross-reference more easily throughout all your technical documentation [i.e., design requirements matrix, risk management file, clinical evaluation report, post-market surveillance plan/reports, and post-market clinical follow-up (PMCF) report].

Design Requirements Traceability Matrix (DRTM)

The design requirements traceability matrix (DRTM) is a combination of two documents that have been used for the past two decades by medical device manufacturers: 1) the design requirements matrix or IOVV (i.e., inputs, outputs, verification, and validation), and 2) the risk traceability matrix. The second document is less commonly used, but an example of one is provided in Figure 3 of the GHTF risk management guidance document SG3 N15R8.

The risk management summary table that is presented in Figure 3 of the guidance also provides cross-references to specific tests, and each test has an identification number for traceability. This approach is also used frequently in risk control plans–an excellent tool for production process controls and planning product realization before process validation.

Risk management traceability to post-market surveillance

I recommend that companies create a post-market surveillance plan for devices or device families during the design transfer process. This is NOT the post-market surveillance procedure. Your procedure should indicate the process you use for post-market surveillance. Still, your plan should be process-specific and identify specific risks that you intend to gather post-production data for. The post-market surveillance plan should provide traceability back to each risk in your risk management file (e.g., R1, R2, R3). You should include a post-market clinical follow-up (PMCF) protocol and report that also cross-reference to these risks and associated risk controls–or provide a justification for not conducting a PMCF study. In 2016, the new European Medical Device Regulations (EMDR) will require that both the protocol and the report be included in your post-market surveillance plan as a required section (see Annex II of the proposed regulations) of the technical file or design dossier. Finally, I recommend that you revise and update your risk management plan for post-production data collection at the time of design transfer. When you make this revision, I recommend moving the risk management plan from the design plan to your post-market surveillance plan as an integral part of the plan (i.e., one of the primary sections of the plan).

Risk Management Traceability for Your Clinical Evaluation Report (CER) 

In your clinical evaluation report (CER), if you simply said that “the clinical data reviewed addresses all of the residual risks identified in the risk management summary report,” you are not specific enough. Your clinical evaluation report (CER) should explain how the clinical study data you reviewed addresses each of the risks that you identified in your risk analysis. Personally, I like to have subsections in the discussion section of the clinical evaluation report (CER) for each of the risks identified in the risk management file. I also do this when I write my post-market surveillance plan. When I do this, I include a cross-reference to the applicable hazard in my design requirements matrix, risk analysis, and hazard identification summary report (e.g., “HZ1”, “HZ1” and “HZ3”).

Traceability to warnings & precautions

ISO 14971:2007 indicates that disclosing residual risks to users of your device is risk control. In Annex ZA, deviation 7 of EN ISO 14971:2012, indicates that you cannot claim to reduce the risks of your product by disclosing these residual risks–even though these are considered risk controls. You should still validate the effectiveness of the instructions for use, technique guide, and training through simulated use studies before product release. However, you cannot claim a quantitative risk reduction in your risk analysis as per deviation 7. Of course, there can be a reduction in overall risks when you train users, but you can’t claim it, and the prevalence of “use errors” demonstrates the limited effectiveness of IFUs and training.

Additional risk management references

I have published 14 previous blogs, specifically on the topic of risk management over the past couple of years. Please click here if you are looking for risk management training. You can expect many more blogs on this topic during the next six months because I will be presenting four presentations in Brussels at an international medical device conference scheduled for June 13-17, 2016.

Procedures & templates for risk management

If you are looking for a risk management procedure (SOP), SYS-010 meets the requirements of ISO 14971:2019 and Regulation (EU) 2017/745 for CE Marking.

Risk Management Traceability for CE Marking Technical Files Read More »

Device Description Template for US FDA and CE Marking

In this article, you will learn how we created a device description template that can be used for US FDA and CE Marking submissions.

Webinar Training

Medical Device Academy also created a webinar on completing this device description template.

Device Description Template 1024x889 Device Description Template for US FDA and CE Marking

This device description template addresses the FDA Refusal to Accept (RTA) guidance document requirements. The template also serves as a summary technical document (STED) for submission to a Notified Body for CE Marking. You would think that it’s tough to screw up the device description, but the FDA screening reviewer is completing a new refusal to accept (RTA) checklist. That checklist has specific requirements for a device description. If you copy the device description from your draft IFU, you will probably receive an RTA letter on Day 15 of the RTA screening process. The review “clock” is reset to zero, and you have to revise your device description and re-submit.

Note regarding changes in the device description template:

The RTA Checklist is no longer relevant for 510k submissions. 510k must now be submitted using the new FDA eSTAR submission templates. This template is your attachment to meet the “Comprehensive Product Description and Principles of Operation Documentation” requirement. However, the FDA now conducts a technical screening rather than completing the RTA checklist. The section numbers are also no longer applicable in a 510k submission.

There are four specific requirements (questions 9-12) in section “B” of the RTA checklist, which is titled “Device Description.” In addition, there are similar requirements for inclusion in a device description for technical files and design dossier submissions to Notified Bodies. Rather than creating two different device description documents, I prefer a template that addresses each regulatory requirement in a single controlled document. Therefore, I created a template for the 510k submission device description with the following headings for Section 11 of the 510k submission:

  • Product or Trade Name
  • General Description – The general description must be consistent with the device description in the labeling, and this section of the document is intended to address section 13 of the refusal to accept (RTA) checklist.
  • Indications for Use – We recommend keeping this separate section of the device description. You should copy the content of FDA Form 3881 verbatim, or the reviewer will indicate that your submission is inconsistent. In the eSTAR, the indications for use can be automatically populated in the 510(k) Summary from FDA Form 3881. We also have a webinar on indications for use.
  • List of Devices – A list and description of each device for which a 510(k) clearance is requested in the submission. The list may refer to models, part numbers, sizes, etc. This document section addresses section 14c of the refusal to accept (RTA) checklist. Combining this section with section 3 of the template may be helpful, providing a table with a UDI device identifier for each product listed (if available).
  • Intended Patient Population – The medical condition to be diagnosed and/or treated, and other considerations such as patient selection criteria.
  • Intended User(s) -Each potential user group should be identified, and it should be stated if the device is intended for use by a healthcare professional, a layperson or both. Finally, this section should indicate if the device is for prescription use, over-the-counter use or both.
  • Principles of operation of the device – This document section addresses section 14a of the refusal to accept (RTA) checklist.
  • Risk class and applicable classification rule – This is only required for CE Marking, and we typically exclude this from our device description in a PreSTAR or eSTAR submission for the FDA. If you are preparing a device description for CE Marking, the risk classification is based on Annex VIII (MDR) and MDCG 2021-24.
  • Conditions of Use (i.e., Environment of Use) – A description of proposed conditions of use, such as surgical technique for implants; anatomical location of use; user interface; how the device interacts with other devices; and/or how the device interacts with the patient. This section should also state where the product is used (i.e. home use or clinical use). This section of the document is intended to address section 14b of the refusal to accept (RTA) checklist.
  • Novel Features – This is required for CE Marking, but in a 510k submission, we are trying to demonstrate how the subject device is equivalent to the predicate instead of highlighting novel features. Therefore, any novel features in a 510k should be technological characteristics that you can provide a justification and/or testing to support. This section is not for marketing.
  • Components – Description of components, accessories, other medical devices, and other products that are not medical devices intended to be used in combination with the device. The 510k number should identify each component/accessory part of a previous submission. Any component(s)/accessory(s) that have not received prior clearance should also be identified. Sometimes, a side-by-side table for USA and EU markets is needed for accessories that are used in different markets. This document section addresses section 12a, b, and c of the refusal to accept (RTA) checklist.
  • Accessories – Description of accessories, other medical devices, and other products that are not medical devices, which are intended to be used in combination with the device. Each accessory that was part of a previous submission should be identified by the 510k number. Any accessory(s) that have not received prior clearance should also be identified. This document section addresses sections 15a, b, and c of the refusal to accept (RTA) checklist. In the eSTAR, there is a subsection at the end of the Product Description section titled “System/Kit Components and Accessories.” If your device is intended to be marketed with multiple system/kit components or accessories, then you must attach a list of those components or accessories in the PreSTAR or eSTAR (see screenshot below).

System Kit Components and Accessories 1024x261 Device Description Template for US FDA and CE Marking

  • Configurations/Variants – Description or a complete list of the various configurations/variants of the device that will be available
  • Functional Elements – General description of the key functional elements, formulation, composition, and functionality—including labeled pictorial representations (e.g., diagrams, photographs, and drawings)
  • Raw Materials – This section is a duplicate of the section included for biocompatibility. Any raw materials incorporated into components of the device that are intended to make direct contact with the human body or indirect contact with the body should be listed. Any colorants should be included in this list of raw materials.
  • Technical Specifications – Technical specifications of the device and any variants and accessories that would typically appear in the product specification are made available to the user, e.g., in brochures, catalogs, and the like.
  • Drawings, Schematics, Illustrations, Photos and/or Figures – Representative engineering drawing(s), schematics, illustrations, photos, and/or figures of the device. This document section addresses section 14d of the refusal to accept (RTA) checklist. These drawings, photos, videos, etc. can be attached to the PreSTAR or eSTAR using the button shown in the screen capture below. The FDA requests schematics, drawings, or photos of the product packaging as an attachment to the PreSTAR or eSTAR as well. The best thing to attach for this requirement is a work instruction that illustrates where labeling is applied to the device and the different levels of packaging. This will describe the packaging and how the device is packaged and labeled.

Product Pictures Videos and Illustrations 1024x100 Device Description Template for US FDA and CE Marking

  • Similar & Previous Generations of the Device – Reference to similar and previous device generations. Ensuring these devices are included in the clinical evaluation report is important. If submitting a 510k submission, you want to ensure that any devices are registered and listed with the US FDA in the same product category. Creating a table that organizes the “similar” devices by intended use and technological characteristics may be necessary for a device with multiple predicates.
  • Requirements Specific to the Special Controls Guidance Document – This template section addresses section 12 of the refusal to accept (RTA) checklist. When you complete the classification section of the PreSTAR or the eSTAR, the PDF template should automatically identify and Special Controls Guidance Documents that are applicable (see example below).

Classification of FLL product code 1024x572 Device Description Template for US FDA and CE Marking

The last section of the device description is for any unique requirements specific to the special controls guidance document for the product classification I am working on. However, most of the requirements for a device description are met by the previous items in my outline. Therefore, I created a table that outlines each requirement of the Special Controls Guidance Document, and I provided a cross-reference to the section of the outline that includes this requirement. If requirements are not covered elsewhere in the document, I address them in the table. If there is no Special Controls Guidance Document, then I state that no Special Controls Guidance Document exists for the product.

Device Description Template for US FDA and CE Marking Read More »

PMCF – Is a post-market clinical follow-up study required?

This article explains how to determine if your medical device requires a post-market clinical follow-up (PMCF) study for CE Marking. This is currently a non-existent requirement for most 510k submissions. Still, it is an area of emerging concern for all medical device regulations, and this article explains why substantial equivalence is not enough.

F1.large  PMCF   Is a post market clinical follow up study required?
Why post-market clinical follow-up is an area of emerging concern.

For CE Marking applications of medical devices, all medical devices must have evidence of a post-market clinical follow-up (PMCF) study protocol or a justification for why a post-market clinical follow-up (PMCF) study is not required. The biggest mistakes I see are that manufacturers refer to their post-market surveillance (PMS) procedure as the post-market surveillance (PMS) plan for their product family. They say they do not need to perform a post-market clinical follow-up (PMCF) study because the device is similar to several other devices on the market (i.e., substantially equivalent).

Why Substantial Equivalence Isn’t Enough

This rationale fails the technical review of most CE Marking submissions because although products can be approved for CE Marking based upon substantial equivalence, the manufacturer must continue to monitor the performance of the device after the product is launched to make sure of two critical things:

  1. Is the substantially equivalent device as safe and efficacious as the predicate device?
  2. Are there new risks that are identified when the device is used for a long duration (e.g., implanted) by a broader user population or to treat a broader patient population / broader indication for use?

A post-market clinical follow-up (PMCF) study MIGHT be needed

If you have a high-risk device that is implantable, has an innovative design, and you are using moon rocks for the patient contacting materials, you need a post-market clinical follow-up (PMCF) study. If you make a generic version of a sterile bandage with a cartoon character for decoration, you don’t need a post-market clinical follow-up (PMCF) study. Unfortunately, most products fall into the “might be needed” category rather than a “yes” or “no.” If you have any experience in regulatory affairs, you know that regulators love guidance documents and systematic evaluation methods. Here’s my systematic method of evaluation…

Step-by-Step Recommendations

Step 1 – Read MEDDEV 2.12/2.

Step 2 – Make a table with each of the 17 “might be needed” categories from the guidance document in the far left column.

Step 3 – In the second column, indicate whether the risk category from the table applies to your device–” yes” or “n/a.”

Step 4 – As with all valuable checklists, you must explain your non-applicability rationale wherever the category doesn’t apply. Enter your explanation in the third column next to the “n/a”…PS – nobody cares if the “n/a” is capitalized.

Step 5 – If you typed “yes” in the second column, then you need to provide a cross-reference to the information in your technical file that explains how you address this risk. There are three places you can look: 1) your design requirements trace matrix (if you have one that looks like mine), 2) as a risk control in your risk analysis that you performed during the design process before “design freeze”, and 3) in your clinical evaluation report. Ideally, you can easily cross-reference to a section of your controlled document that is in outline format.

Note: Now, you have another reason to make that document a controlled document with an outline format.

Step 6 – After you add a cross-reference to the risk control(s) in your table, you need to indicate whether the risk controls are adequate. “Yes” is probably the answer only if you can cross-reference to a state-of-the-art guidance document or harmonized standard that has been implemented as a pre-market risk control to evaluate the specific risk. The tests are seldom adequate for the longevity of implants, usability by all intended users, and patient satisfaction, while usability and patient selection are often only evaluated by clinical studies. If the tests and pre-market clinical studies are not adequate, then “No” is your answer, and you need to conduct a post-market clinical follow-up (PMCF) study to address that specific residual risk. 

Step 7 – If you indicate that your pre-market risk controls are adequate, then in your post-market surveillance plan, you can indicate “no post-market clinical follow-up (PMCF) study required.” However, if you cannot verify that your pre-market risk controls adequately address one of the 17 risk categories identified in MEDDEV 2.12/2, you may need a post-market clinical follow-up (PMCF) study.

When do existing products suddenly develop the need for a post-market clinical follow-up (PMCF) study?

Even products with pre-market clinical studies might require post-market clinical follow-up (PMCF) because the clinical studies may not cover changes to the device, accessories, and range of sizes. Additionally, specific risks of implantable products cannot be assessed during the average duration of a clinical study (e.g., how long will an implant last). MEDDEV 2.12/2 provides guidance on the requirements for post-market clinical follow-up (PMCF) studies. Still, most companies manufacturing moderate-risk devices do not have experience obtaining patient consent to access medical records to collect post-market clinical follow-up (PMCF) data–such as postoperative follow-up data. If you don’t have expertise in collecting this patient-specific data in a compliant way, you should consult a clinical research associate (CRA) or engage a clinical research organization (CRO). My procedure on clinical studies (SYS-009) explains some of the basics.

Additional Resources

I also wrote an article in BoneZone: “Post-Market Studies in Lieu of Clinical Studies”. This article emphasized the increasing need for clinical data for device approval and reimbursement, but it focused on using post-market clinical follow-up (PMCF) study data as an alternative to conducting a traditional, pre-market clinical study.

Procedures & Training Related to PMCF

The following procedures and training are available for purchase from our website:

  1. Post-Market Surveillance Procedure
  2. PMCF Webinar
  3. Clinical Evaluation Report (CER) Procedure

PMCF – Is a post-market clinical follow-up study required? Read More »

Avoiding Clinical Evaluation Report (CER) Pitfalls

This article explains the key steps to preparing a successful clinical evaluation report (CER) for the submission of a technical file for medical device CE Marking.

Photo for Clinical Evaluation Report Blog 1024x931 Avoiding Clinical Evaluation Report (CER) Pitfalls
Once someone shows you the most efficient path, climbing the wall no longer seems so challenging.

Essential requirement 6a, the clinical evaluation report (CER), is required for all medical devices that are CE Marked. Up until the Medical Device Directive (MDD) was modified in 2010 (i.e., 2007/47/EC), only high-risk devices required a clinical evaluation report. After the MDD was changed, a CER was needed for all medical devices–even Class I devices that do not require a Notified Body. To help manufacturers understand the expectations and comply with this requirement, a guidance document was released for clinical evaluations in December of 2009 (i..e., MEDDEV 2.7/1 rev 3). MEDDEV 2.7/1 indicates that are there are three options for preparing a clinical evaluation report:

  1. perform a clinical study and summarize the results,
  2. perform a literature search of clinical study articles, or
  3. a combination of the first two options.

Preparing clinical evaluations are tedious but not necessarily challenging. I like to compare the preparation of clinical evaluation reports to bouldering problems. Once someone shows you the most efficient path, climbing the wall no longer seems so challenging.

Literature Search Protocol (TMP-004)

Section 6.1 of the guidance document indicates that a literature search protocol should be used to identify, select, and collate clinical study articles for a literature search. Critical elements of your search protocol should include: which search databases you selected and why, intended use and indications for the use of the device, similar devices that are on the market and a comprehensive date range starting with the earliest clinical studies or the last date of a previous clinical evaluation. Your search protocol should specify inclusion and exclusion criteria, and you will need a systematic method for tracking your results.

I created a protocol template, TMP-004, which I use to perform clinical literature searches. The protocol includes suggested databases for literature sources, a list of adverse event databases, and a database for clinical investigations that should be included in your search. The protocol also includes criteria for evaluating the results of the search. Evaluation criteria should consist of the type of clinical study, the number of patients, the study design, etc.

Qualified Individuals

To conduct a clinical evaluation, you need a cross-functional team–as you should have for all post-market surveillance and risk management activities. One of the team members should be an expert in the design of the device or similar devices. Another person should be an expert in performing literature searches to ensure that the review of the literature is comprehensive. Finally, the team needs at least one person with a clinical research perspective to evaluate the clinical data critically. The qualifications of these individuals should be described in an appendix of your clinical evaluation report, and typically this is done by providing a copy of each person’s resume or curriculum vitae. The omission of these qualifications or the failure to rely upon clinical experts to review the data is a common nonconformity raised by technical reviewers from Notified Bodies.

Selection of Databases

When you are writing a literature search protocol, it is essential to specify why you selected certain search databases and to ensure that you include more than one database. Each literature search database has different strengths and weaknesses. Suppose you are not sure which databases to choose and why this is an indication that you need assistance with the literature search methodology. This is typically part of the process for teaching doctoral candidates how to prepare for writing their dissertation. Therefore academic credentials of the individuals contributing to the post-market surveillance activities are relevant.

Selection of Key Words

Often certain keywords are more common in the title of clinical study articles than others, and these keywords can help narrow the number of literature search results dramatically. Therefore, it is recommended to perform some preliminary searches with different keywords to get a sense of which terms will be the most efficient in helping you to identify the articles that meet your inclusion criteria. These terms can also be used to exclude large numbers of articles that are not relevant. For example, if there are a large number of porcine studies in the literature, you might exclude the term “porcine” to ensure that animal studies involving pigs are excluded from your search results.

Inclusion & Exclusion Criteria

Many times articles will mention a keyword or the name of a device, but the device is only mentioned as an accessory in a study rather than being the focus of the study. If the article only says the device but doesn’t include clinical data regarding its use, then the article should be excluded. Only human studies should be included in your results, and if there are a large number of published studies, you may purposely choose to exclude articles with the terms “case study” that may only include one or two patients.

Addressing Risks

Your clinical evaluation report (CER) is intended to assess the safety of your device by identifying any potential risks that you may have overlooked in your risk analysis and to help you estimate the severity of harm and the probability of occurrence for those harms. It is recommended to perform a preliminary hazard identification and risk analysis before conducting the clinical evaluation to identify the most likely risks associated with the device. Each of these risks should be mentioned explicitly in the clinical evaluation–even if the clinical study data does not identify the risk. If a specific risk is identified during your hazard identification with no clinical data to support the safety of the device related to that risk, then it may be necessary to conduct a clinical study or a post-market clinical follow-up (PMCF) study to evaluate the risk further.

Review of Post-Market Surveillance

When your device is first submitted for CE Marking, you may not have any clinical history with the device, and it is only possible to estimate risks. For this reason, it is important to include post-market surveillance information about similar products as an input to your clinical evaluation process. After your product is launched, you will have a complaint handling data and adverse event data specific to your device. Therefore, you should periodically review the post-market surveillance data and compare it with the initial risk estimates. If the results are similar, then the risk analysis does not need to be updated immediately. If the post-market surveillance results are substantially different from your risk estimates, you should update your clinical evaluation report earlier than planned and update your risk analysis. I recommend stating this conclusion in each report summarizing post-market surveillance data–including a specific recommendation to maintain the current plan for the frequency of conducting clinical evaluations or a recommendation to change the schedule.

Appraisal of Clinical Literature

Your appraisal of clinical literature needs to be systematic and documented. Technical reviewers expect clinical data that supports and detracts from the conclusion that your device is safe and effective for the desired indications. Therefore, you should not exclude articles simply because the findings are negative. You need to include appraisal criteria in your protocol to ensure that the evaluation of literature search results is objective and systematic. I have included a recommended grading system for clinical study articles in my procedure for clinical evaluation reports (i.e., SYS-041). The graded results of each article identified are then summarized in the Appendices of the clinical evaluation report (CER).

Review and Update of Clinical Evaluation Reports (CERs)

Preparing a clinical evaluation report (CER) is time-consuming, but the report is also a living document. Therefore, you need to have a post-market surveillance plan for each medical device or device family that specifies the frequency of performing a review and update of your clinical evaluation report (CER). Depending upon the nature of your device and the amount of clinical history you have with that device, you may also need to conduct a post-market clinical follow-up study (PMCF). Any post-market surveillance that you conduct should be included as an input to the clinical evaluation report. This is why my literature search protocol includes adverse event databases.

Procedures & Templates

If you are looking for a procedure and literature search protocol for preparing a clinical evaluation report (CER), please click here. If you are interested in learning more about post-market surveillance and post-market clinical follow-up (PMCF) studies, we also have a webinar on this topic.

Photos shown in this article are two of my sons, Alex Beshay (13) and Bailey Packard (14), at this weekend’s bouldering competition at PETRA Cliffs in Burlington, VT. Every member of our family is an avid rock climber, including my 3-year-old daughter.

Avoiding Clinical Evaluation Report (CER) Pitfalls Read More »

Biocompatibility for 510k Submissions vs CE Marking

asr 1 Biocompatibility for 510k Submissions vs CE Marking
Titanium is not biocompatible?!

This article compares the different documentation requirements of biocompatibility for 510k submissions with a technical file submission for CE Marking.

A couple of my clients recently received requests for additional information as part of their technical file submission for CE Marking. Both clients had titanium implants, and they submitted the same justification of biocompatibility for 510k submissions as they were now submitting for their technical file. They were providing a one-paragraph description of materials used and referencing the ASTM specification for implant-grade titanium. Both clients already had CE Marking for similar devices, and the wording of the justification for not conducting biocompatibility testing on the full device was identical to the previous submissions.

“Justifications are no longer permitted”

One of my clients questioned whether there was a new EN standard for implant-grade titanium that they might need to comply with. Their auditor told the other client that the Notified Body would no longer accept justifications for not conducting biocompatibility testing.

On behalf of my clients, I scheduled a meeting with their Notified Body to obtain clarification and to make sure that the policies for documentation of biocompatibility had not changed. The Notified Body had three important points to make:

  1. Justifications are PERMITTED as it states in EN ISO 10993-1:2009
  2. Competent Authorities noticed that some of the justifications accepted in the past were not sufficient
  3. What the FDA accepts for biocompatibility for 510k submissions is not sufficient for a technical file

FDA requirements of biocompatibility for 510k submissions

In 1995, the FDA published a biocompatibility guidance document. That guidance document includes a decision tree that asks a series of questions related to biocompatibility for 510k submissions that is intended to help manufacturers determine which biocompatiblity testing may be required for 510k submission of their new or modified device. The following questions are the critical items covered in that decision tree: 

  • Is the material the same as a marketed device?
  • Same manufacturing process?
  • Same chemical composition?
  • Same body contact?
  • Same sterilization method?
  • Is the material metal, metal alloy, or ceramic?
  • Does it contain any toxic substances (e.g., Pb, Ni, Cd, Zr)?
  • Does the master file have acceptable toxicology data?

In the past, I recommended that clients with titanium implants prepare section 15 of their 510k submissions by answering each of the questions above. 99% of the time, the predicate device is substantially equivalent to the 510k submission device with regard to the first five questions. Except in the case of coated implants, there was seldom a Device Master File to reference, and the metal was compliant with the ASTM standard for titanium implants–including the concentrations of heavy metals.

For other medical devices that were not made of just titanium or some other implant-grade metal, the manufacturer was forced into conducting biocompatiblity testing. In these cases, I directed the clients to follow the biocompatibility testing matrix published by the FDA.

New Draft Biocompatibility Guidance from the FDA

In 2013, the FDA published an FDA 2013 draft guidance document for biocompatibility with additional requirements for biocompatibility documentation and testing. The newer draft guidance appears to be the current expectation of the agency for 510k submissions, but the draft guidance has not been finalized yet.

The new 2013 draft guidance document from the FDA indicates that biocompatiblity testing reports must be provided with 510k submissions instead of merely summarizing the testing performed. The FDA clarifies in the draft that materials will not be evaluated alone, and the full device must be evaluated for biocompatibility instead. The FDA also specifies that the device evaluation must be for a sterilized device if the device is intended to be delivered in a sterile state to users/patients. This draft incorporates new ideas regarding toxic chemicals, such as colorants. The FDA also suggests that manufacturers discuss their testing plans with the FDA before starting the biocompatibility testing.

Despite the changes proposed in the 2013 draft guidance, there are no changes to the requirements of biocompatibility for 510k submissions if the device is a metallic implant that is substantially equivalent to a predicate device.

Technical File Differences for Biocompatibility

In theory, there should be very few differences between biocompatibility for 510k submissions and technical file requirements for CE Marking, because the FDA recognizes ISO 10993-1:2009, and the content of the standard is nearly identical to the European national version of the standard. For European CE Marking, the expectation is for the technical file to include documentation of conformity with the current state of the art for biocompatibility (i.e., EN ISO 10993-1:2009). Summary Technical Documentation (STED) is preferred by Notified Bodies to reduce the time and costs associated with the review of the technical documentation.

A STED that explains how your biocompatibility evaluation conforms to a harmonized European Standard is quite different from a justification based upon substantial equivalence. Notified Bodies expect you to review each of the elements of the harmonized standard and explain how you address it in the STED. In Clause 7 of EN ISO 10993-1:2009, there are seven elements recommended for a biological safety assessment:

  1. the strategy and program content for the biological evaluation of the medical device;
  2. the criteria for determining the acceptability of the material for the intended purpose, in line with the risk management plan;
  3. the adequacy of the material characterization;
  4. the rationale for selection and/or waiving of tests;
  5. the interpretation of existing data and results of testing;
  6. the need for any additional data to complete the biological evaluation; and
  7. overall biological safety conclusions for the medical device.

The fourth element of the biological safety assessment will undoubtedly include a reference to the implant-grade titanium that you are using. However, you also must address additional questions that are posed in Figure 1 of the standard. Issues that should be addressed in your biological safety assessment include:

  1. Are there any additives, contaminants, and residues remaining on the device?
  2. Are there any substances leachable from the device? 
  3. Are there any degradation components of the device?
  4. Are there other components, and how might they interact with the final product?
  5. What are the properties and characteristics of the final product?

 If you conducted a cleaning validation, you need to reference that process validation report. If you did the testing of EO residuals, you need to reference the ISO 10993-7 test report.

The message the Notified Bodies are sending you is that they agree that implant-grade titanium is biocompatible. Still, you need to systematically write a justification for not conducting the testing in accordance with the EN standard, and you have to cross-reference to your objective evidence throughout the STED. 

Biocompatibility for 510k Submissions vs CE Marking Read More »

Risk Management File Compliance for 510k and CE Marking

This article compares risk management file FDA requirements for CE Marking and 510k submission requirements.

Risk Management File Risk Management File Compliance for 510k and CE Marking

The FDA only requires documentation of risk management in a 510k submission if the product contains software, and the risk is at least a “moderate concern.” Even then, the 510k only requires the submission of a design risk analysis rather than your complete risk management file. Knee implants do not require submission of risk analysis, even though manufacturers are required to perform risk analysis in accordance with ISO 14971, because knee implants do not contain software. Therefore, it is not uncommon for a product that is already 510k cleared to receive audit nonconformities related to the risk management documentation during a technical file review by a Notified Body.

The FDA recognizes ISO 14971:2007 as the standard for risk management of medical devices. CE Marking also requires compliance with ISO 14971, but specifically the European national version of the standard (i.e., EN ISO 14971:2012). The most common technical file deficiencies related to risk management during a CE Marking application include the following:

  1. compliance with ISO 14971:2007 instead of EN ISO 14971:2012
  2. reduction of risks as low as reasonably practicable (ALARP) instead of reducing risks as far as possible (AFAP)
  3. reducing risks by notifying users and patients of residual risks in the IFU
  4. only addressing unacceptable risks with risk controls instead of all risks–including negligible risks

Each of these deficiencies is also explained in Annex ZA, ZB, and ZC of EN ISO 14971:2012.

7 Deviations you must address in your risk management file

Notified Body auditors are supposed to be reviewing your risk management process and sampling your risk management file(s) to verify that you conform with the requirements for a risk management file as defined in EN ISO 14971:2012 and the applicable European directive. Most manufacturers with CE Certificates have updated their procedures for compliance with the European National version, but the updates are not always complete or done correctly. Therefore, auditors need to be systematic in their review for compliance. I recommend creating a three-column table in your audit notes for each of the seven deviations. The first column would state the requirement from the applicable annex of EN ISO 14971:2012. The second column is used to document wherein the risk management procedure, and each of the seven requirements is addressed. Suppose you can’t find it quickly during your review–as the person you are auditing to find it for you. The third column is used to document which risk management file you sampled, and wherein the risk management file, the auditor was able to find compliance with one of the deviations. Risk management training of the cross-functional risk management team should also be sampled by the auditor. If the auditor can’t find an example of compliance in the procedure or the risk management file, then there is a minor nonconformity that needs to be corrected and recurrence needs to be prevented.

Note: Remember that auditing is about verifying compliance–not scouring 100% of the records for nonconformity.

Procedure review

The first step in responding to correcting deficiencies in your risk management process is to update your procedure. The following basic elements need to be included in the procedure:

  • risk management plan
  • hazard identification
  • risk analysis
  • risk control option analysis
  • verification of risk control effectiveness
  • risk/benefit analysis
  • risk management report

Many of the procedures I review focus on the risk analysis process, and the most common tool for risk analysis is a failure mode and effects analysis. This is an excellent tool for process risk analysis, but it is only one of many possible tools, and it is not ideally suited for design risk analysis. In addition, your procedure is not adequate as a risk management plan. You need risk management plans that are product-specific or specific to a product family. Your risk management plan must also change and adapt as products progress from the design and development process to post-market surveillance. Finally, many of the procedures only require a benefit/risk analysis to be performed when risks are not acceptable, while the European MDD requires that all CE Marked products include a benefit/risk analysis for each risk identified in the risk analysis and the overall risk of the product or product family.

Risk management plans

Risk management is required throughout product realization, but the activities are quite different during the pre-market and post-market phases. Therefore, I recommend including a risk management plan as part of the design and development plan to address pre-market needs for risk management. Once a product development project reaches the design transfer phase, then a post-market risk management plan needs to be written. I incorporate this plan into the post-market surveillance plan for the product or product family. This approach ensures that the risk analysis will be linked directly with post-market surveillance after the product is released.

Hazard identification

Many companies do create a specific document that identifies all the hazards associated with a product. This is an important step that should occur early in the design and development process before design inputs are finalized. During the development process, these hazards may need to be updated as materials and production processes are developed. Some companies may choose to identify hazards at a different time or in a different way. Still, the proposed European Medical Device Regulations (EMDR) require that the dangers are recognized as one of the essential requirements. The ISO 14971:2007 standard suggests that design teams should identify as many hazards as possible, estimate the risks, and then implement risk controls for any unacceptable risks. The EN ISO 14971:2012 standard requires that risk controls be implemented for hazards–regardless of acceptability. For this reason, I recommend companies restrict their identification of hazards to the most likely product malfunctions and hazards of high severity. This list should include any hazards already identified in the FDA’s MAUDE database.

Benefit/risk analysis & risk traceability matrix

To perform a benefit/risk analysis, you have to know the likelihood of potential hazards resulting in harm and the clinical benefits of a product. Unfortunately, reduced costs cannot be used to justify the acceptability of a device. Benefit/risk analysis must be performed for each risk and the overall residual risks. Therefore, it is important to identify the clinical benefits that outweigh each of the risks. I recommend using a risk traceability matrix in order to document each benefit/risk analysis. This can be a separate risk management document, or it can be incorporated into a design requirements matrix. It is also important to identify any warnings, precautions, or contraindications that should be documented in the information provided to patients and users when risks cannot be eliminated. This may be the last column of your risk traceability matrix.

Risk management report

The risk management report should be a summary technical document (i.e., STED). The STED should reference the procedure that was used and indicate all the risk management activities that were performed specifically to the product or product family defined in the scope of the risk management report. The dates of activities, changes made, and cross-references to any controlled documents should be included in the risk management report. I recommend maintaining the risk management report as a controlled document and revising the document to reference additional risk management activities when they occur. The bulk of details should be contained in the referenced risk management documents within the report.

Procedures and templates for your risk management file

We also have a procedure (SOP) for risk management (SYS-010).

Risk Management File Compliance for 510k and CE Marking Read More »

What is a Master Validation Plan and Do You Need One?

This article explains what a master validation plan is, when is it appropriate to have a master validation plan, and when you need one.

Process Validation Protocol What is a Master Validation Plan and Do You Need One?

Master Validation Plan

In the United States, there are two applicable regulations for medical device manufacturing process validation: 1) 21 CFR 820.75, and 2) ISO 13485, Clause 7.5.2. Neither the QSR regulation nor the ISO 13485, include any mention of a master validation plan. There is a requirement for product realization planning, and a master validation plan could be an essential part of that planning. However, master validation plans are not mentioned anywhere.

MDD – Master Validation Plan?

For companies that manufacture CE Marked products, the term validation appears in the MDD (93/42/EEC as modified by 2007/47/EC) a total of two times. Only one of those references is specific to process validation, but there is no mention of a master validation plan. The single mention of validation appears in Annex VII, and the reference is specific to the requirement for including a copy of the sterilization validation report in a technical product file.

CMDR – Master Validation Plan?

For companies that hold one or more Canadian Medical Device Licenses, “validation” appears in the Canadian Medical Devices Regulations (CMDR) a total of eight times (four times as part of the French translation). The first four references are part of the definition of validation, where the CMDR is referring to design validation. The remaining four references specifically mention the requirement for the inclusion of process validation and software validation in a medical device license application for Class IV devices. None of those references say of a master validation plan.

IQ/OQ/PQ Requirements?

Not only is there no mention of a requirement for master validation plans in any of the medical device regulations, but there is also no mention of installation qualification (IQ), operational qualification (OQ), or performance qualification (PQ). The only mention of validation protocol or report appears in 21 CFR 820.70 as it refers to using validation protocols for validation of software controlling automated equipment.

21 CFR 210 or 21 CFR 211 requirements?

The requirements for medical devices historically are derived from pharmaceutical regulations–which included the requirement for process validation. However, neither 21 CFR 210 nor 21 CFR 211 mention master validation plans (need to verify). They also don’t mention IQ/OQ/PQ requirements.

Where did the idea for Master Validation Plans Come From?

GHTF/SG3/N99-10:2004 is the guidance document that was created by the Global Harmonization Task Force’s Study Group 3 for guidance on process validation. The guidance even includes templates for a master validation plan, IQ, OQ, and PQ. The guidance indicates that the purpose of a master validation plan is to plan validation and revalidation activities. There are other planning documents that could be used instead. For example, design plans include process validation as part of the design transfer activities when a new product is being developed. Quality plans are used for facility expansions and construction of new facilities. Some companies even include validation and revalidation plans in their process validation procedure and/or sterilization validation procedure.

For companies that have equipment that requires validation, I like to use an equipment register that identifies calibration, preventive maintenance, validation, and revalidation requirements as part of the equipment register. This allows me to use one single document to manage all the planning of calibration, preventive maintenance, and validation. If there are no validation requirements, then the appropriate column of the equipment register will indicate “n/a.”

What is a Master Validation Plan?

A master validation plan (MVP) is simply a plan for your equipment and process validation activities. All the equipment, processes, and software requiring validation should be included in the MVP. The plan should reference the applicable protocol and report for each item in the plan. If there are revalidation requirements, the plan should indicate when the last validation was performed and what the frequency of revalidation should be. Ideally, similar equipment will use the same validation protocols that are controlled documents and pre-approved. Over time the number of reports referenced will increase, but the plan should only reference the most recent approved protocol(s).

Some companies include the rationale or triggers for revalidation in the plan–just as you would for a record retention table. However, other companies will include this detail in the validation protocol and/or in the process validation procedure. The rationale for revalidation only needs to be in one of three places, and duplication of the information just encourages errors and audit non-conformities.

Procedures & Templates

We also have a process validation procedure.

What is a Master Validation Plan and Do You Need One? Read More »

Strategic planning of a mock FDA inspection

This article shows you how to think strategically when you plan a mock FDA inspection to ensure that you successfully prevent an unpleasant FDA inspection.

strategic planning Strategic planning of a mock FDA inspection

For the past couple of years, several clients have asked me to conduct mock FDA inspections to prepare them for a potential FDA inspection. I am writing from Shanghai, China, where I am conducting a mock FDA inspection for a medical device client with another auditor from the company’s business unit in the USA.

The mock FDA inspections I conduct are internal audits and technically not an inspection because inspectors are looking for nonconformities, and I am looking for conformity with the FDA regulations (i.e., 21 CFR 820, 21 CFR 803 and 21 CFR 806). Inspections are conducted by FDA investigators that are conducting an inspection in accordance with the FDA QSIT manual (http://www.fda.gov/ICECI/Inspections/InspectionGuides/ucm074883.htm). I use the process approach to conduct audits of the four major quality systems that FDA inspectors focus on during an FDA inspection. Still, as an auditor, I have several advantages that an inspector doesn’t.

  1. I can evaluate auditees and coach them on how to respond to an FDA inspector more effectively.
  2. I can teach my client’s internal auditors and management team how to use internal audits and Notified Body audits as practice for their next FDA inspection.
  3. I can avoid any area that my client wants me to and focus on areas of concern.
  4. I can help my client identify the most likely product or product family to be targeted by the FDA.
  5. I can give my client advice and help them implement corrective actions.
  6. I can teach my client how to respond to potential FDA Form 483s to avoid a Warning Letter.

Opening meeting for a mock FDA inspection

FDA inspections are not planned, but it is important to make sure that the right people are available and present during a mock FDA inspection, or your “inspector(s)” may not be able to review the records or interview the most important people. Therefore, I provide an agenda ahead of time, indicating which processes I will be auditing on which days. My agenda for a mock FDA inspection begins with an opening meeting, but the purpose of this opening meeting is primarily training. I take advantage of having all the senior managers in one room as an opportunity to explain how they can benefit most from the audit, and to remind them of what to expect during a real FDA inspection.

CAPA Sources

After the opening meeting, I take a brief tour—unless I already know the facility well. Before I leave for the tour, I ask my client to be prepared for me to begin auditing nonconformities, complaint handling, MDRs, and recalls when I return to the conference room. I select these areas because the FDA always starts with the CAPA process, but they look closely at the sources of CAPAs at the same time. I believe that inspectors rarely take “random samples.” Instead, most inspectors use the sources of CAPAs to help them bias there sampling of CAPAs.

Production and Process Controls

The next major process in my agenda after CAPAs and sources of CAPAs is production and process controls. The sequence of my process for auditing this area is always the same: 1) request the Device Master Record (DMR) for the target product or product family, 2) request two or more recent Device Master Records (DHRs) that were associated with a complaint record or MDR (remember samples are never random), and 3) I then go to the production areas identified in the DHR, and I try to interview the people that produced the lot identified in the DHR—rather than the people the department manager feels are the most experienced. This process of working backward from complaint records and MDRs to the activities on the production floor often allows me to help companies identify a root cause that they missed when the complaint or MDR was initially investigated.

Design Controls

Auditing a Design History File (DHF) is about as exciting as watching paint dry for most auditors. Still, I am always fascinated with how things work, so I am more engaging with the design team members I interview during a mock FDA inspection. I also like to focus on aspects of the design that have proven to be less than perfect—by reviewing nonconformities, complaints, MDRs, recalls, and CAPAs first. For example, if I see several complaints related to primary packaging failures, I am going to spend more time reviewing the shipping validation and shelf-life testing, than I might normally allocate.

Management Processes

The FDA is somewhat limited in this area because, in accordance with 21 CFR 820.180(e), the records of internal audits, supplier evaluations, and management reviews are exempt from FDA inspections. During a mock FDA inspection, I do not have this constraint. Therefore, I will often look more closely at these three areas than an FDA inspector to make sure my client has effective management processes. While procedures and schedules are the focus of an FDA inspector, I will make sure that the problems I observed in nonconformities, complaints, MDRs, and recalls are being addressed by management. As a quality manager, this is not always easy to do. Still, as an independent consultant, I have the luxury of being blunt when a senior manager needs to hear from someone other than the typical “yes men.” I also can use this part of mock FDA inspections to benchmark best practices I have learned from the hundreds of companies against what my client is currently doing to manage their quality system.

When to schedule a mock FDA inspection

Scheduling a mock FDA inspection immediately after an FDA inspection is pointless, but there is an optimal time for scheduling your mock FDA inspection. The FDA target is to conduct inspections once every two years for Class II device manufacturers. However, some district offices do better or worse than this target. Therefore, it’s important to keep track of the typical frequency in your district and the date of your last inspection. If the FDA is on a two-year cycle, you want to conduct your mock FDA inspection approximately 6-9 months before the next FDA inspection to ensure that you have time to implement corrective actions before the FDA inspector arrives.

Additional Resources

If you are interested in learning more about this topic, I highly recommend watching and listening to my free webinar on how to prepare for an FDA inspection:

http://robertpackard.wpengine.com/how-to-prepare-for-an-fda-medical-device-inspection/

In addition to preparing for an actual inspection, every company must know how to respond effectively to an FDA 483 inspection observation:

http://robertpackard.wpengine.com/7-steps-respond-fda-483-inspection-observation/

In addition to my blog, I also have recorded a webinar on this topic:

http://robertpackard.wpengine.com/7-steps-respond-fda-483-inspection-observation-webinar/

Finally, every manager needs to be reminded that FDA 483s are just another opportunity to write a CAPA and improve their quality system. Therefore, do yourself a favor and watch my new webinar on creating a risk-based CAPA process:

http://robertpackard.wpengine.com/create-a-risk-based-capa-process/.

Strategic planning of a mock FDA inspection Read More »

21 CFR 820.180 – Exceptions to the US FDA’s Record Requirements

21 CFR 820.180 Exceptions to the US FDA’s Record Requirements 21 CFR 820.180   Exceptions to the US FDA’s Record RequirementsThis article provides practical advice for how to deal with records the FDA is not allowed to request during an inspection and FDA inspector tactics specific to 21 CFR 820.180 – exceptions. When I meet with a new consulting client, the phrase I dread hearing is “the FDA can’t see that.” Indeed, the FDA is not supposed to review the content of internal audit reports, supplier audit reports, and management reviews to encourage companies to use these tools to address quality problems without having to worry about the FDA beating them with their reports. This policy is officially stated in subsection C of 21 CFR 820.180–exceptions:

21 CFR 820.180 – Exceptions

“[21 CFR 820.180 – exceptions] does not apply to the reports required by 820.20(c) Management review, 820.22 Quality audits, and supplier audit reports used to meet the requirements of 820.50(a) Evaluation of suppliers, contractors, and consultants, but does apply to procedures established under these provisions. Upon request of a designated employee of FDA, an employee in management with executive responsibility shall certify in writing that the management reviews and quality audits required under this part, and supplier audits where applicable, have been performed and documented, the dates on which they were performed and that any required corrective action has been undertaken.”

The Problem with Hiding Records

The problem with the mentality of hiding things from the FDA is that it fails every time. The FDA can get to issues in your management reviews and your internal audits by asking, “Can I please see all the CAPAs resulting from audits and management reviews.” One client I spoke with said that they purposely don’t open any CAPAs from audits or management reviews for that reason. I was in complete shock, but I managed to keep my poker face and asked the client, “So what do you think the FDA will do when you say that you don’t have any CAPAs resulting from audits or management reviews?” Management responsibility is a frequent FDA inspection target. Most companies are subjected to a Level 2, QSIT inspection on a biannual basis. During these comprehensive inspections, the inspector reviews the four major subsystems: 1) management controls, 2) design controls, 3) CAPA, and 4) production and process controls. The FDA will ask open-ended questions to determine the effectiveness of the QMS. If the inspector is not going to look at the actual meeting minutes from the management review, you can expect them to look at the following apparent targets:

  1. “May I see your procedure for Management Reviews?”
  2. “May I please have a copy of your organization chart?”
  3. “Could I see the agenda and attendees list from your last management review?”

The inspector could also ask for copies of inputs that are identified in the Management Review procedure, such as: “Could I have a copy of the most recent scrap trend analysis for production?” or “What is your threshold for taking corrective actions for rejects found in receiving inspection?” One Quality Manager told me a fascinating story about his local inspector. During a previous inspection, the inspector requested a copy of the management review. The Quality Manager showed him the cover page that indicated the agenda and the attendees. The Quality Manager refused to let the inspector see the rest of the meeting minutes. The inspector then proceeded to conduct a brutal 3-day inspection where a myriad of 483’s was written. Twelve months later, the inspector returned to perform a “Compliance Follow-up.” This time when the inspector asked to see the management review, the Quality Manager agreed to let the inspector see the entire meeting minutes. From that point onward, each time the inspector got close to identifying a new 483’s, the inspector would stop following the audit trail at the last moment before the nonconformity was identified. The Quality Manager said it was almost like the inspector was showing him that he could find all kinds of problems to write-up if he wanted to. Still, he was taking it easy on the company because the Quality Manager was cooperative. My philosophy is to create a QMS that is open for review by any customer, auditor, and even the FDA. No matter what they find, it’s just another opportunity to improve. This has worked well for me, but you need to follow a few basic rules when writing audit reports and management review meeting minutes.

Rules for Writing Audit Reports & Management Reviews

  1. DO NOT write anything inflammatory or opinionated in your documents. My motto is, “Stick to the facts, Jack (or Jill).”
  2. I ask other people in the management team to read and review the meeting minutes before they are finalized. The variety of perspectives in top management helps to make sure that the final document is well written and clear—especially to FDA inspectors.
  3. I structure the documents as per a standard template that is a controlled document. This ensures that each report or management review was conducted as per the procedure. I typically reference the applicable clauses and sub-clauses throughout the document. For example, I will reference ISO 13485:2003, Section 5.6.2h) for the slide titled “New and Revised Regulatory Requirements.” I put the reference next to the slide title just to make it clear what requirement this slide is addressing.
  4. If there is an area that I covered, but there was nothing to discuss, I write, “There was no further discussion on this topic.”
  5. If there is an area that I did not cover, I make sure I do the following:
  6. write a justification for not covering the area,
  7. indicate the last time the area was covered (and the result at that time), and
  8. document when the area will be covered in the future.

You can continue to listen to the advice of consultants that think of creative ways to hide things from the FDA, or you can follow the above advice. If you follow my advice, then you can spend the rest of your time working on the CAPAs for each area where you identified a weakness—instead of spending your time trying to hide your problems. If you need help preparing for an FDA inspection or responding to FDA 483 inspection observations or warning letters, please email Rob Packard. We have two people on our team that used to work for the agency.

21 CFR 820.180 – Exceptions to the US FDA’s Record Requirements Read More »

Scroll to Top