Medical Device Academy-5 Proven Audit Approaches

This article, Medical Device Academy-5 Proven Audit Approaches, reviews how our clients benefit from our tried and true audit principles.  

5 benefits internal audits Medical Device Academy 5 Proven Audit Approaches

1. Process Approach 

I am an advocate for using turtle diagrams (i.e., the process approach) for auditing, instead of audit checklists. Beyond the obvious visual differences between using audit checklists and using turtle diagrams, these two tools result in very different types of observations. An auditor using a checklist typically starts with a regulatory requirement, and then the auditor samples record to verify if the records meet the requirement. Once this verification has been successful once, it is unlikely that the process will have a problem in the future.

Turtle diagrams and the process approach focus on inputs and outputs to a process–instead of specific regulatory requirements. For example, when an auditor uses the element approach to auditing, the auditor will sample one or more process validations from a master validation plan to ensure compliance with 21 CFR 820.75. However, step four of the process approach includes sampling process validation for each process being auditing. If there is a lack of process validation for any process, the auditor will identify the gap. Step four also involves verifying the calibration of devices used in the process and maintenance of any equipment. Therefore, the process approach is sampling requirements for process validation, calibration of measurement devices, and preventive maintenance for each process–instead of once for each regulatory element. 

2. Where Audits are Conducted

Most auditors spend an extraordinary amount of time in conference rooms. If I can audit your records in a conference room, I can also audit your records from my office in Vermont. Remote auditing eliminates the cost of travel. More than half of your quality system records can be effectively audited remotely. Therefore, when any auditor on our team visits your facility, they want to spend more time seeing you demonstrate production processes and interviewing people–instead of reviewing records in your conference room. This also happens to be the only effective method to audit production and process controls, which is one of the four major quality system processes the FDA focuses on during Level 2, comprehensive QSIT inspections. 

3. Read Less and Listen More

Most auditors like to start with a procedure and then look for compliance with the procedure. We begin with an interview of the process owner or a person performing a step in the process. Then we ask for a demonstration, and records and procedures last. I coach new auditors to ask people they are interviewing to show them where a requirement can be found in their procedure. This has several hidden benefits. First, auditors don’t have to spend a lot of time hunting for a requirement because the auditee will find it for the auditor. Second, the auditor will quickly learn how familiar the auditee is with the specific procedure. Finally, if the company is not following a procedure, the auditee is unlikely to be able to locate the requirement in its procedure. 

4. Start at the End with Problems

Most people prefer to follow a process from beginning to end. More specifically, the opening is step one of a procedure, and the end is a product and paperwork resulting from the process. Since most product and paperwork is done correctly, we seldom find anything wrong with a process if we start at the beginning. Alternatively, we can start at the end of a process with a cage of nonconforming material, or a log sheet of complaints. Then we can work our way back to the beginning of the process, and hopefully, we will see what went wrong in the process during our investigation. Therefore, my internal audit agenda often begins with a tour of the facility that will arrive at the location where a quarantined product is stored. Then I work my way back through the process to incoming inspection, then the purchasing process, and finally to the design controls process where specifications were initially created. Using this approach often results in the discovery of problematic processes that have the potential to cause other problems beyond the one example we found in the quarantine area. 

5. Focus on Effectiveness Checks

The last sub-clause of ISO 13485:2016, Clause 8.5.2, is specific to the requirement for verifying the effectiveness of corrective actions. This is not the same as verifying implementation. If an internal audit identifies that there are no maintenance records, then you might attempt to prevent recurrence by creating a procedure that requires maintenance records. A copy of the procedure, records of procedure review, and approval and training records are evidence of implementing the corrective action.

Effectiveness verification requires more ( You need to go back and verify that maintenance records are being created and maintained. Therefore, whenever we write an audit finding, we also review potential corrective actions with the client and suggest possible effectiveness checks to ensure corrective actions work.

If your company needs help with internal auditing and would like a quote, please email Matthew Walker. We also are teaching a lead auditor course in partnership with AAMI starting fall 2020.

How to Audit Your Labeling Process for 21 CFR 820 Compliance

This article reviews how to audit your labeling process for 21 CFR 820 compliance with the six requirements of section 820.120.

audit labeling How to Audit Your Labeling Process for 21 CFR 820 ComplianceThe most common cause of recalls is labeling errors. Therefore, one of the best ways to avoid a recall is to perform a thorough audit of your labeling process. Unfortunately, most auditors receive no specific training related to labeling. The primary reason for the lack of labeling-specific training is because most auditor training focuses on ISO certification requirements.

ISO 13485 Requirements for the Labeling Process

ISO 13485 only requires the following labeling requirements: “The organization shall plan and carry out production and service provision under controlled conditions. Controlled conditions shall include, as applicable…g) the implementation of defined operations for labeling and packaging.” ISO 14969 is the guidance document for ISO 13485, and the guidance includes additional recommendations for control of the labeling process to prevent errors. Unfortunately, auditors are trained to audit for compliance with regulations, while guidance documents are neglected almost entirely. ISO labeling requirements are vague. Therefore, auditors need to focus on the six requirements of 21 CFR 820.120–the section of the FDA QSR specific to labeling. Labeling process flowchart1 How to Audit Your Labeling Process for 21 CFR 820 Compliance Most auditors are taught to develop a regulatory checklist to verify requirements. However, the process approach to auditing is a more effective approach to identify ways that the labeling process can break down. Below examples of how the two approaches differ are provided for each of the six requirements:

1. Labeling Procedure

Most auditors, and FDA inspectors, request a copy of a labeling procedure to verify compliance with the first requirement. In their notes, they record the document number and revision of the procedure. The auditor may also review the procedure to ensure that the procedure includes each of the other five regulatory requirements listed below. The process approach to auditing also verifies compliance with the requirement for a procedure. Still, auditors using the process approach ask the process owner to describe the process, and the process description provided is compared with the procedure.

I also teach auditors to ask the process owner to identify where in the procedure, each requirement can be found. This eliminates the need to spend valuable audit time reviewing a procedure and forces the process owner to demonstrate their familiarity with the procedure.

2. Label Integrity

A lack of labeling integrity is seldom raised as an observation by auditors, unless labels are falling off of the product, or if the label content is illegible. During hundreds of audits, I have never noticed a label falling off the product, but I have seen customer complaints about labels falling off. Another way to assess if there is a problem with labeling integrity is to ask how the labeling specifications were established, verified, and validated. The user environment is frequently the determining factor for labeling specifications. For example,

  • Does the label need to be waterproof?
  • Is the print likely to be exposed to abrasion that could rub off the ink?
  • Are the storage conditions likely to include high heat and humidity that could cause the adhesive to fail? 

This type of approach links the labeling of products to customer focus and design inputs.

3. Labeling Process Inspection

The inspection of labeling is more than a visual examination. A thorough inspection requires a systematic review of the label content to ensure that the label information matches the requirements for the specific production lot. The requirements specify verification of:

  • correct expiration date
  • control number
  • storage instructions
  • handling instructions

There is also a requirement to document the date of inspection and the person that performed the inspection. An auditor can verify that the labeling inspection is being performed by reviewing records of the inspection, but you will rarely find an inspection record where the label is nonconforming. If you follow the process, you might ask the process owner where nonconforming labeling is recorded. The nonconforming material records should be an output of every inspection process. Auditors should also ask for metrics regarding a process. The frequency of labeling mix-ups and labeling errors identified during an inspection is an important metric that can be used as an indicator of weaknesses in labeling operations.

4. Labeling Storage

Most auditors will verify that labels are stored in a location to prevent deterioration or damage, but the highest risk is the mix-up of labels. Therefore, it is crucial to control the location of labels so that the incorrect labels cannot be accidentally distributed to the wrong manufacturing line. 

In 21 CFR 820.150, there is also a requirement to establish “procedures that describe the methods for authorizing receipt from and dispatch to storage areas and stock rooms.” Therefore, as an auditor, you might consider asking the process owner what the input to the labeling distribution process is (e.g., a work order) and which distribution records are created during the process. A labeling requisition and/or “pick list” from production planning is often used as an input to the labeling process, while the distribution of labeling to manufacturing usually requires a log entry for distribution from a stockroom, or assignment of a lot number to the batch of labels that must be entered in a log.

5. Labeling Process

It is insufficient to review DHRs for the labeling process. When you interview the process owner, you should determine who is responsible for creating and inspecting labels. Then, I coach auditors to go and view labeling operations at the source. By interviewing operators and asking them to demonstrate entry of variable data for labels and printing of labels, you can answer each of the following questions without even asking:

  • Is validated software is being used?
  • Are label templates protected from inadvertent changes?
  • How do operators ensure that labels from different lots are not mixed up?

Interviewing inspectors can determine if calibrated tools are being used to verify labeling dimensions and the proper placement of labels. You should also observe how inspectors ensure that variable data is correct.

6. Control Number

Most auditors will sample DHR records to verify that lot control numbers are recorded for each batch of products. However, when an auditor is focusing on records, the auditor is unlikely to identify any aspects of label handling that could result in mix-ups. To ensure that processing and segregation of different lots are adequate, an auditor has to observe line clearance procedures and to verify that each lot of labels is identified with regard to the lot number, quantity, and the released status if the identification information about the label is separated from the physical labels, the potential for labeling mix-ups increases.

One final aspect of labeling and control numbers to consider is the impact of new UDI regulations. Labeling will need to indicate the date of manufacture and expiration of the product. This information needs to be incorporated into the variable content of labels. Therefore, if labels are pre-printed, it may be necessary to reprint labels when the date of manufacture changes. This additional requirement is likely to force companies into on-demand printing of labels and automated software control systems. Auditors can verify the successful implementation of labeling process changes by auditing for compliance with the revised procedures.

UDI states that production identifiers (PI) consist of Manufacturing Date, Expiration Date, Lot/Batch Number, Serial Number. The rule also states that if a labeler does not use any of the listed PI, they do not need to have it on their labels. This will most likely apply to Class I device labelers only as Class II, and III labelers usually have one or more of the PI on their labels. Due to the variable nature of the PI, many labelers are adding in-line label verifiers to make sure their labels are readable by scanners.

Obtaining an FDA Certificate to Foreign Government for Medical Devices

certificate to foreign gov Obtaining an FDA Certificate to Foreign Government for Medical DevicesThis article explains how to obtain an FDA Certificate to Foreign Government when you are trying to submit an application for registration of a medical device to a regulatory body outside the United States (e.g., COFEPRIS approval for exports to Mexico).

What is an FDA Certificate to Foreign Government?

If you have a medical device that is registered and listed with the US FDA, then you can obtain a Certificate to Foreign Government from the US FDA. A Certificate to Foreign Government is a certificate issued by the US FDA verifying that your company may legally export the device, and the device may be distributed in the United States. Regulatory bodies in some countries request a “Certificate of Free Sale.” Still, these are issued by the US FDA for foods, while the agency issues Certificates to Foreign Governments for medical devices. The name of the certificate is not the same for all countries, and regulators use the terminology most familiar to their country. The US FDA has more information about the different types of certificates on the following FDA webpage:

How do you obtain a Certificate to Foreign Government?

The following page on the FDA website answers common questions about exporting medical devices. One of the most common requirements of foreign registrations is providing a Certificate to Foreign Government. If your product is currently registered and listed with the US FDA, you are managing your registration and listing using an FDA Unified Registration and Listings System (FURLS) account ( Through this account, you can access the new CDRH Export Certification and Tracking System (CECATS). CECATS allows manufacturers to request export documents, including Certificates to Foreign Governments, online versus paper submissions. CECATS reduces certificate processing time and will enable you to validate firm-specific data in real-time. You can also obtain a status update for your certificate request. If you have additional questions about CECATS or export certificates, the FDA also created an Exporting FAQs page:

How much does a Certificate to Foreign Government Cost?

Certificates to Foreign Government are product specific and cost $175 for the original certificate. Each additional copy (official copies from the FDA are usually required) costs $15 per copy. Up to 50 pages (including the certificate, manufacturer page, and attachment pages) may be submitted for the same product. Each time an increment of 50 pages is exceeded, an additional fee of $175 will be charged.

If the original is three pages long and you request an original and ten copies (33 total pages), then your charge will be $175 for the original and $150 for the ten copies–a combined total of $325. However, an original and 20 copies (63 pages) would exceed the 50-page limit, and you would be charged $175 for the first original and $225 for the first 15 copies. You would then be charged $175 for a second original and another $60 for four more copies.

Don’t wait until the last minute to request Certificates to Foreign Governments. I recommend ordering 5-10 copies when you first register a product in the FURLS database, instead of waiting until you need it. The same is true of other types of certificates, such as CE Marking certificates from your Notified Body.

Notified Body Unannounced Audits Have Begun

This article provides an update on the status of unannounced audits by Notified Bodies for CE Marking of medical devices.

unannounced audits Notified Body Unannounced Audits Have Begun

The EU Commission provided recommendations to Notified Bodies last Fall on how they should conduct three different kinds of audits: 1) product assessments, 2) quality system assessments, and 3) unannounced audits ( The recommendations do not propose any changes to existing practices for product assessments (i.e., review of CE Marking applications) that are being conducted in accordance with the European Directives, or quality system assessments that are being conducted in accordance with ISO 17021 ( The recommendation does, however, propose new auditing practices specific to conducting unannounced audits (

The recommendation is addressed to the Member States, rather than Notified Bodies because the intent is for Competent Authorities in each member state to enforce these recommendations when they are reevaluating existing Notified Bodies for renewal. The intent is that the EU Commission and the Member States will use compliance with the “recommendation” for unannounced audits as one of the criteria for deciding which Notified Bodies would retain their status when the new European Medical Device Regulations were approved in 2015. Therefore, all of the Notified Bodies are scrambling to complete a number of unannounced audits before the end of 2014.

Who will be audited in 2014?

In 2014, the primary targets for unannounced audits will be manufacturers of high-risk, Class III devices. The prime targets for unannounced audits are unlikely to contract manufacturers, because Notified Bodies may not have access to all the technical documentation while they are auditing a contract manufacturer. I expect each of the Notified Bodies to plan at least one unannounced audit of a contract manufacturer for a Class III device that is outsourced. Still, I don’t expect this to be the focus of unannounced auditing activities in 2014.

It is already July, and only a handful of unannounced audits have been performed as “pilots.” Most of the Notified Bodies trained auditors on how to conduct unannounced audits in May or June during their annual auditor training. Therefore, we can expect a dramatic increase in the number of unannounced audits during the remaining months of 2014. If your firm has recently had CE Marking compliance issues with a Class III device, you should expect an auditor soon.

4 Ways unannounced audits are different

Unannounced audits differ from traditional quality system audits in four ways.

1. Unannounced audits are truly unannounced–with no warning at all. Even the US FDA inspectors have the courtesy to call on Friday to inform manufacturers of their intent to visit the following Monday or Tuesday. To ensure that auditors can conduct unannounced audits as planned, Notified Bodies are asking manufacturers to provide information about when production activities will be shut-down.

2. Unannounced audits will always be conducted by an auditing team with at least one person that is qualified to review the technical documentation (i.e., Technical File or Design Dossier) and compare it to the actual production activities. This is similar in some ways to how FDA inspectors review a Device Master Record (DMR) and then compare the DMR to production and process controls they observe in manufacturing. However, the technical experts from Notified Bodies typically have a minimum of five years experience similar designing devices, and a two-person team can spread your resources dangerously thin if you are a smaller company that is used to providing a guide for only one auditor or inspector.

3. Unannounced audits will involve more time spent by auditors in production areas, instead of reading documents in conference rooms. You can expect brief opening meetings because auditors need to review critical processes as quickly as possible. Specifically, the auditors are required to use a risk-based approach to select two of the following processes:

  • design controls
  • establishment of material specifications
  • purchasing control and incoming inspection
  • assembling
  • sterilization
  • batch-release
  • packaging
  • product quality control

If a company conducts sterilization on-site, I would expect this to be a likely prospect for sampling. However, the two areas I hope to be sampled most frequently are: 1) purchasing control & incoming inspection, and 2) batch-release. These two processes are expected to be sampled frequently because these processes facilitate ad hoc sampling and demonstration of testing. This is important because Notified Bodies are expected to observe product testing.

4. Unannounced audits will be conducted at suppliers when critical processes are outsourced. Therefore, if Class III device manufacturers outsource final inspection, packaging, and sterilization–the suppliers providing these services may be unannounced audit targets for multiple Notified Bodies. ISO 13485 certified suppliers have enjoyed a decade of little direct involvement by regulators, but unannounced audits are about to change this.

How will unannounced audits change in the future?

In 2015 and beyond, unannounced audits will be conducted at contract manufacturers and manufacturers. Unannounced audits will also be conducted for all risk classifications of devices–unless the device does not have Notified Body involvement (i.e., Class I, non-sterile, and non-measuring devices). The number of unannounced audits will also increase, because Notified Bodies are required to conduct an unannounced audit for each client at least once during three years–and more frequently for high-risk, Class III devices.

What should be done to prepare?

Preparation for unannounced audits should be very similar to your preparation for FDA inspections ( Still, you will now need to evaluate your suppliers more rigorously to ensure they are also prepared for unannounced audits. The FDA rarely visits suppliers, and they are not allowed to review supplier auditing records. Notified Bodies will not have these restrictions. You will need to demonstrate a good balance between incoming inspection activities and other types of supplier controls. If your incoming inspection activities consist primarily of reviewing paperwork, then you need to balance this with supplier auditing ( and monitoring of in-process and final inspection nonconformities caused by supplier quality problems.

If you are interested in learning more about unannounced audits by Notified Bodies, please click on this link to pre-register for our webinar recording on the topic: Pre-registration pricing is $79, compared to our normal webinar price of $129. The pre-registration period ends on July 18.

9 Major Steps That Should Be In Your UDI Implementation Plan

steps udi 9 Major Steps That Should Be In Your UDI Implementation PlanIn the last blog, I started the discussion on UDI implementation and how it will impact nearly every area of your company.
Successful implementation will take careful planning and coordination throughout the organization, and in some cases, outside your company. As with every other FDA regulation, you will need to have resources available to maintain and update your systems; plus, you will need resources to update and maintain the Global UDI Database (GUDID). 

 What Comes Next?

The UDI regulation is a maze. In trying to solve a maze, it is often easier to start at the end. This same philosophy should be used to implement UDI in your company. Start your implementation process with the outcome in mind. It is more than simply meeting a timeline. UDI implementation should be viewed as a way to improve your business with the processes you use every day. It should help you standardize your daily processes, especially as it relates to data gathering, label design, and communication with your trading partners. This process will yield useful marketing information, which is one of the greatest values resulting from implementing a UDI system.

Create an Implementation Playbook

Creating a playbook or strategic plan is a necessary step. Without one, your hope of ever successfully implementing UDI requirements will be severely reduced. Your playbook should focus on solving real business problems within your organization. Issues such as, how will you collect missing data? Create a “label brand” through standardization? Are you able to develop a cross-functional team for implementation and beyond? Can you streamline your labeling and packing functions? What can other processes be improved? The playbook you develop needs to be tailored to solving your organization’s specific issues.

Now the Specifics

Implementing the strategic plan for your organization requires coordination of UDI-related activities from all impacted areas identified in your plan. In addition to having an overall UDI leader, each area should have a designated person responsible for ensuring the tasks assigned to their area are completed. The major steps of each plan should include:

1. Acquire missing data attributes and create a data management process

o   Develop a protocol for obtaining missing attributes

o   Determine who is responsible for compiling the information

o   Determine who is responsible for managing the collected information

    • Enter into Excel spreadsheet

o   Establish a verification and validation process

o   Determine who is responsible for validating the information

    • Review source documents against gathered information

2. Amend label/packaging composition and components; order by the device compliance date

o   Develop label template for the entire organization

o   Develop label sign-off process to include all impacted areas

o   ADIC Technology will work for you? Concatenated, Stacked, 2-D Matrix? What are the technical capabilities of your trading partners? 

o   What packaging changes are required to accommodate new labels?

o   Determine what the global considerations for label changes are. Do other regulatory agencies need to approve label changes? Did will amend or new device submissions be required?

3. Compose, create, administer and verify/validate software system changes and integrations

o   Does 21 CFR Part 11 apply to these changes?

4. Acquire new or upgrade existing labeling and packaging equipment and verify/validate

o   Does 21 CFR Part 11 apply?

5. Rehearse connectivity with GUDID and verify all systems are functioning correctly

o   Does 21 CFR Part 11 apply?

6. If required, plan for Direct Marking requirements

     o   Obtain etching equipment appropriate for your devices

7. Create/revise Quality System SOPs as needed and conduct process validation

8. Determine if, as part of your strategic plan, your company should invest in building inventory levels – using the three (3)-year extension period for inventory labeled before compliance date – to create a buffer in case implementation is delayed.

9. Develop training programs to train staff on new responsibilities in maintaining the UDI system. Whether the outcome of your implementation is successful or not, it is directly tied to how well your team plans and executes. Validation of the changes becomes a significant aspect of the implementation process and cannot be taken lightly. Remember the adage – “Garbage in, garbage out.” But in this case, there are serious ramifications for “Garbage in.”

UDI – the Forever Project

UDI is not a “one and done” project. The entire system will need continual maintenance. Computer systems will need constant updating, as changes to devices or new ones are developed. You will need to appoint someone with clear responsibility for maintaining your information in GUDID. Postmarket surveillance activities also feed into the post-implementation process, as device changes are made as a result of tracking and reporting activities. And you will find that you will continually need to train your staff on UDI requirements, especially with staff turnover.

The true value is not in the barcode; it is the DATA that will be generated as a result of using barcodes.   And finally, identify the appropriate value proposition for your organization, and remember in healthcare, there is no single answer for all situations.       

How Are EU Device Regulations Changing and When?

Screen Shot 2014 04 15 at 3.01.52 PM 238x300 How Are EU Device Regulations Changing and When?

This blog, “How Are EU Device Regulations Changing and When?” includes 9 of the most significant proposed changes and compliance deadlines. 

The CE Marking process for medical devices is currently defined in three directives:

  1. Medical Device Directive (MDD), 93/42/EEC (
  2. Active Implantable Medical Devices (AIMD) Directive, 90/385/EEC (
  3. In Vitro Diagnostics Directive (IVDD), 98/79/EC (

The EU Commission proposed revising the system from three directives requiring transposition by member states to two regulations: 1), and 2) The most significant proposed changes are:

  1. The Commission will have the opportunity to review recommendations for CE Marking before approval (i.e., the Scrutiny Process)
  2. The ability to create Common Technical Specifications will be expanded from IVDs to all devices
  3. A new class of “Special” Notified Bodies will be created
  4. Notified Bodies will be audited jointly by Competent Authorities
  5. Unannounced audits will be enforced
  6. Spinal implants, devices that control and monitor active implants, nanomaterials, apheresis machines, and combination products will be reclassified as Class III devices requiring a Design Dossier
  7. Most IVD products will require Notified Body involvement
  8. A Unique Device Identifier (UDI) system will be required for labeling, and the Eudamed database will be expanded
  9. Formatting of Declarations and Technical Files will be revised

When Will, the Final EMDR, be Approved?

The EU Commission took from February 2012 to September 2012 to write a proposal for new European device regulations. Parliament took 13 months (i.e., September 2012 to October 2013) to revise and fast-track its version of the new European device regulations, and the Council will probably take a year to finish their version of the regulations. Therefore, the real negotiations between Parliament and the Council will begin after the 2014 summer holiday. The final approval date is unknown, but my current guess is October 2015.

On September 12, 2013, Eucamed released the results of an industry survey ( stating that the proposed regulations are expected to increase the cost of regulatory approvals by 17.5 billion Euros for medical device manufacturers collectively. The details of the survey indicate that implementation of the UDI system improved labeling and clinical performance data will require a 7.5 billion Euro investment to implement new software systems to comply with the UDI regulations. Also, industry survey respondents indicated that an additional 2.5 million Euro investment would be required for each new Class III device that is required to undergo the proposed Scrutiny Process in Article 44. Financial implications and political pressures could force the Council and Parliament to make major revisions to the proposed regulations to reduce the cost of implementation.

Some key elements need to be in place before implementation of the proposed regulations can reasonably begin. First, Notified Bodies need more staff to conduct audits and review technical documentation–especially for high-risk devices. Second, the European Databank of Medical Devices (i.e., Eudamed) must be ready to implement UDI labeling and other documentation required by the EMDR ( Third, the European Commission plans to build a new centralized organization that will be responsible for oversight of the Notified Bodies. Each of these three elements will take more than a year, and planning has only just begun.

What Is The Compliance Deadline?

The original proposal, released in September 2012, indicated that there would be a three-year transition period for implementation of the EMDR from 2014 to 2017. This transition period would begin with the highest risk Class III devices first, and lower risk devices would be phased in over the three years. However, if the EMDR was finalized in October 2015, the implementation period will end at the end of 2018.

A complete review of the new regulations can be found at

4 Ways to Make the Best Use of Medical Device Remote Audits

This blog identifies how to use medical device remote audits effectively, save time and resources, and when you should not conduct audits remotely.remote audits blog 4 Ways to Make the Best Use of Medical Device Remote AuditsMost audits ISO 13485 are performed onsite at the location where the processes are being performed, and are the most effective approach to internal and supplier audits. But conducting an audit from your desk makes more efficient use of your time as an auditor. A large percentage of audits are conducted from conference rooms where the auditor spends an excessive amount of time reviewing documents and records, or waiting for documents and records to be delivered. 

In 2006, the first edition of the ISO 17021 standard for certification of quality systems by certification bodies was released. ISO 17021 requires that initial certification audits be conducted in two stages. Stage 1 has several requirements, but the first element of Stage 1 is reviewing quality system documentation. In most cases, Stage 1 and Stage 2 audits are conducted onsite. Still, if the auditee is located in a remote location (such as New Zealand), Stage 1 audits will sometimes be conducted via conference call. 

Prior to ISO 17021, a review of quality system documentation was the only task performed before the initial certification audit, and the documentation review was typically conducted remotely as a “desktop” audit. Desktop audits have been used for decades as a way of auditing quality system documentation without traveling. However, desktop audits can be much more than a review of quality system documentation. You can interview auditees on the phone, review records, even ask auditees to demonstrate activities in real-time using a web camera.

Documentation can also consist of much more than text. Raw data, statistical analysis, and photos can be used to communicate additional information. The more multimedia content provided to auditors remotely, the closer a remote audit becomes to auditing on site. The same requirements as certification bodies do not bound internal auditors and supplier auditors, and audits may be conducted onsite or remotely. The most recent version of ISO 19011 (2011), includes a comparison table for onsite and remote auditing in Annex B.

Medical Device Remote Supplier Audits

The use of remote audits to qualify suppliers is not recommended for four reasons:

  1. onsite visits facilitate the building of supplier-customer relationships
  2. touring facilities and watching a demonstration of processes improves understanding of a supplier’s processes better than reading documents and records can
  3. Cleanliness and capabilities of suppliers are best evaluated onsite, where camera angles can be used to crop out important details
  4. sometimes suppliers misrepresent their capabilities by showing photographs on their website of other companies.

After you have qualified a supplier, however, you may not need to audit them onsite regularly. If a supplier’s performance is good and risks associated with nonconforming components supplied are minimal, then you have a justification for conducting a remote audit. However, if a supplier’s performance is poor, you may want to use a remote supplier audit as a precursor to an onsite supplier audit to investigate the reasons for nonconforming components (i.e., a “for cause” audit). Regardless of the situation, the amount of time spent in your supplier’s conference room should always be by reviewing documents and records remotely. This will reduce the amount of time required at each supplier, and enables you to audit two suppliers during the same trip.

Medical Device Remote Internal Audits

It might not occur to you that there would be any need for remote internal audits. However, not all internal audits are performed by a person working at your location. Larger companies have multiple sites, and many of the internal audits are performed by auditors from corporate headquarters and other locations. In the case of internal audits performed by auditors from other locations, travel time can be minimized by performing part or all of the internal audits remotely. This approach can also work for consultants hired to conduct internal audits. There is no need to spend money on the cost of travel for a consultant if the consultant is only going to be auditing documents and records. The following are great examples of processes that can be audited remotely:

  1. CAPA
  2. Management Review
  3. Internal Auditing
  4. Supplier Controls
  5. Complaint Handling
  6. Adverse Event Reporting

Medical Device Remote Re-audits

21 CFR 820.22 indicates that re-audits may be required where corrective actions have been taken to verify the effectiveness of the actions taken: “Corrective action(s), including a re-audit of deficient matters, shall be taken when necessary.” However, if nonconformities identified during an audit are categorized as “high-risk,” it may be essential to conduct a verification of corrective action effectiveness as soon as possible.

Sometimes, effectiveness can be determined by reviewing quantitative metrics. Still, if a re-audit is needed, then a remote re-audit may allow the auditor to verify the effectiveness of corrective actions without the necessity of being onsite. If verification of corrective action effectiveness can be performed by reviewing documents and records, a remote re-audit is appropriate. Other corrective actions, especially those involving production and process controls, typically require onsite verification.

Remote Audit Team Members

Most medical device companies have a limited number of qualified auditors, and auditing is almost always a secondary job duty. However, audits often require specific technical knowledge that only one or two auditors may possess. Therefore, it may be extremely difficult to schedule a team audit when all the required auditors and auditees are available. There is another option to postponing your audit. You might consider having some of your auditing team members audit remotely from their desks, while the rest of the team conducts an onsite audit. For example, most lead auditors can conduct a process audit of incoming inspection, storage, and shipping. However, auditing surface mount assembly lines for the fabrication of printed circuit boards requires more technical knowledge of this type of process. Technical expertise is also needed to audit sterilization or CNC machining.

By working together, onsite audit team members can take directions from a technical subject matter expert working remotely and gather information needed to audit any process properly. This approach minimizes time requirements for subject matter experts, and remote audits by team members reduce the cost of travel.

If you are interested in learning more about Turtle Diagrams and the process approach to auditing, please register for our webinar on the process approach to auditing. If you are interested in learning more about how you can use remote audits to save time and money, please contact us. We can help you identify immediate opportunities.

5 Classic blunders that result in an fda warning letter from CDRH

FDA Warning 5 Classic blunders that result in an fda warning letter from CDRHThis blog reviews 5 of the most common reasons for why CDRH issues FDA warning letters, and preventive actions are suggested for each of the five reasons.

The following is a quote from an interview I conducted with a former FDA inspector:

“You’re in deep trouble if the [FDA 483] response is excellent, and the corrective actions are excellent, but when the FDA comes back, you never bothered to implement those corrective actions. Now you know that you have that warning letter coming at you.”

#1 – No actions implemented for CAPAs

The former inspector is describing one of the most common reasons for FDA warning letters. If an FDA investigator issues an FDA 483, you are required to respond with a corrective action plan ( However, you must implement your plan to close the FDA 483 inspection observation(s) during the next FDA inspection. CDRH’s QSIT inspection manual ( requires that the CAPA process be evaluated during every inspection–even during abbreviated inspections, where only two of the four major quality subsystems are sampled (i.e., “CAPA + 1”). Therefore, the FDA investigator will notice if no actions have been taken for CAPAs that were initiated since the last inspection. If the CAPAs are specific to the FDA 483–CDRH requires the FDA investigator to review those records first. To ensure that corrective actions are being implemented and documented, I recommend three ways of controlling the process:

  1. monitor the “aging” of CAPAs and establish a quality objective for average days aging
  2. have an independent expert perform a desktop audit of your CAPA process
  3. ensure that you carefully review each CAPA that is behind schedule during Management Reviews (which should be at least quarterly)

#2 – FDA 483 response submitted late

A second common reason for receiving an FDA warning letter is a failure to submit an FDA 483 response to the district office within 15 business days. The FDA has always involuntarily required a medical device firm to respond to an FDA 483 within 15 business days, but in 2009, a post-inspection review program ( was initiated where it became mandatory that response from any FDA 483 must be received by the Agency within 15 business days, or FDA warning letters are automatically issued. This is an automatic issuance that results in a very quick response from your CDRH district office. Therefore, you need to respond aggressively to FDA 483s with corrective actions and submit your response early.

Note: The FDA warning letters are only issued when inspection observations result in “Official Action Indicated” (OAI). However, inspectors will not tell you if the outcome is OAI or Voluntary Action Indicated (VAI). This determination is made by the District Office of the FDA. Therefore, all device manufacturers should assume that the outcome may be OAI. 

#3 – Submitting a response without evidence of implementing changes

This past Saturday, I recorded a webinar on the “7 Steps to Respond to an FDA 483 Inspection Observation” ( The title of the third slide in that presentation is “The FDA may be late…”. I mentioned that it is not uncommon for FDA warning letters to be issued six months after the actual inspection occurred. The following warning letter is an example (

I don’t personally know this firm, but I found this example by searching through the FDA warning letters database: The company received an FDA 483 with multiple inspection observations on November 4, 2010. The company was non-compliant in the following areas: CAPA (21 CFR 820.100), complaint handling (21 CFR 820.198), and design controls (21 CFR 820.30). The company responded to CDRH on November 23. This was 13 business days after the FDA 483 was received, and with FedEx shipping, it probably arrived at the FDA barely in time–November 29 (the Monday after Thanksgiving).

Unfortunately, the response did not include evidence of correcting the existing procedure deficiencies. The plan indicated changes were going to be made, but the FDA expects you to revise procedure deficiencies quickly (i.e., before you mail the response to the FDA 483). If it is not possible to make corrections in this timeframe, a risk-based approach is recommended. For example, the complaint handling process is the most critical of the three processes identified as deficient in the warning letter. Therefore, the company should have enclosed a revised complaint handling procedure and promised to revise the CAPA and design control procedures within a few weeks.

The FDA warning letter was not issued for this example until April 6, 2011–almost exactly six (6) months from the date of the FDA 483 issuance. CDRH offices are ghost towns in December. Therefore, it was important for the company to contact CHRH early in November and identify an email address and contact to send documentation regarding the implementation of corrective actions. The company could have revised the other two procedures in December and implemented all three procedures in December. Evidence of thorough implementation of corrections and corrective actions by email is often adequate to prevent FDA warning letters.

For international firms, this is extremely important because a second warning letter for an international firm results in a warning letter with automatic detention (i.e., the company cannot import a product into the USA). In this example, the second warning letter was issued on November 26, 2012 (

#4 – Failure to remove objectionable marketing communications

The FDA does not routinely visit companies that only manufacture Class 1 (i.e., low-risk) devices. However, they routinely visit companies that manufacture medium-risk, Class 2 devices. The FDA reviews websites and other marketing communications for marketing claims that are not within the scope of an issued 510k. Typically, the claims that are allowed are almost verbatim from 21 CFR (i.e., Title 21 Code of Federal Regulations). Therefore, many companies receive an FDA 483 indicating that they are claiming an indication for the use of which the device does not have clearance (i.e., a 510k) for. In these cases, the company is expected to remove the claims and/or submit a 510k. In these cases, often CDRH will wait a year or more before taking additional action to give the firm ample time to obtain clearance for the indications. Here is a link to an example of a warning letter of this type:

#5 – Design controls are not implemented at all

Design controls are the most common reason for the issuance of an FDA 483 ( If you read the blog, Medical Device Academy wrote on the data analysis of FDA 483 inspection observations issued in FY2013 by CDRH, and you may have wondered how design controls are the #1 most common FDA 483. Still, the highest individual clause reference is #8 [i.e., 21 CFR 820.30(i)]. If you review this next warning letter example (, it should become clear that some companies do not have a design control process implemented at all. In this situation, the FDA investigator is likely to issue a separate FDA 483 against each of the required elements:

  1. 21 CFR 820.30(e) – design reviews
  2. 21 CFR 820.30(f) – design verification
  3. 21 CFR 820.30(g) – design validation
  4. 21 CFR 820.30(h) – design transfer
  5. 21 CFR 820.30(i) – design changes

In this specific example, the FDA investigator issued the FDA 483 on August 16, 2012, and the warning letter was issued immediately after the FDA returned from the holidays–January 4, 2013. This firm had a narrow window of time between August and November to submit an FDA 483 response and then follow-up with documentation of completing the CAPA plan. The warning letter indicates that the corrective action plan was not adequate, but the FDA still took several months to issue the warning letter.

If you recently had an FDA inspection and received an FDA 483, make sure you don’t make any of the mistakes above. You might also want to take the webinar on this topic:

If it’s been a year since you received an FDA inspection, you might want to watch the video on this webpage:

7 Steps to writing an FDA 483 response

Responding in 15 business days is one of 7 steps on how to write an FDA 483 response, but do you know what should be in your response?7 steps fda 483 blog 7 Steps to writing an FDA 483 responseWhen an FDA investigator has an inspection observation, the investigator issues an FDA 483. “Form 483” is the FDA form number. If your company receives an FDA 483, it is critical to understand how to write your FDA 483 response in order to avoid a Warning Letter. In the words of a former FDA investigator, “Many, many times I have seen an [Official Action Indicated (OAI)] classified inspection that had been recommended for a Warning Letter by the compliance branch be set aside based upon the response of the firm.”

The best way for your company to write a FDA 483 response is to provide a brief cover letter and to use your CAPA process. Every 483 inspection observation needs to be addressed in the FDA 483 response as a separate CAPA. Make sure that your response includes the following seven steps below:

  1. respond within 15 business days (earlier is better)
  2. use your CAPA form and a cover letter–instead of a memo
  3. document the investigation that was conducted with a concisely stated root cause
  4. identify containment measures and corrections to address each specific observation by the FDA inspector
  5. identify corrective actions planned and the date(s) you expect to complete implementation
  6. Include documentation of containment, corrections and corrective actions that are completed at the time you submit the response
  7. follow-up with a memo confirming that all the corrective actions are complete and include all related documentation–including training for any new procedures or any new corrective actions that warranted training

Your FDA 483 response is required in less than 15 business days

The FDA has always involuntarily required a medical device firm, or any firm under FDA jurisdiction that received an FDA 483, to provide a written FDA 483 response to the District Office within 15 business days. As of two years ago (, it became mandatory that the Agency must receive a FDA 483 response within 15 business days, or an automatic Warning Letter is issued. You need to respond aggressively to FDA 483s with corrective actions, and submit your response early. The FDA has also modified the format of the response to require email responses.

Use your CAPA forms instead of a memo.

I have asked several former FDA investigators whether they would prefer to see firms submit responses in memo format, or by using their CAPA forms and a cover letter. Some told me that they prefer to see firms use their CAPA forms, while others don’t seem to have a preference. Nobody from the FDA has ever indicated a preference for a memo. I see no point in doubling your work and risking transcription errors. If you have an electronic system that does not have an easy-to-follow output format, go ahead and copy-and-paste the information from your electronic database to your memo. If the CAPA system output is easy to follow, just use a cover letter and copies of the forms.

Document the investigation and root cause

This is definitely my pet-peeve, but a one-sentence “root cause” is not enough for an FDA 483 response. Regardless of whether I am doing a mock-FDA inspection, an internal audit, or a supplier audit–I expect you to document how you determined the root cause ( If it’s trivial and obvious, then it must have been something important, or I would not have written a nonconformity. Therefore, you should be looking beyond the immediate scope of the FDA 483 to ensure that a similar problem cannot occur elsewhere. In the language of the FDA, this is a preventive action, because you are preventing occurrence with another process or product. Most ISO certification auditors are purists, and they won’t accept this as a preventive action. You will have to show the purists something special–maybe from your data analysis.

Don’t forget containment and correction

For every 483 observation, including the subparts, you need to identify if immediate containment is necessary and how you can correct the problem. Whenever possible, you should attempt to implement the containment and corrections during your FDA inspection. It would be fantastic to give the FDA inspector a copy of the new CAPA you initiated during the audit. The new CAPA would identify containment and corrections that have been or will be implemented–including any nonconformity(s) you initiated to quarantine product. You may still get an FDA 483 inspection observation, but you are likely to convert a possible Official Action Indicated (OAI) into a Voluntary Action Indicated (VAI). You can also modify the CAPA wording later in your FDA 483 response to include a cross-reference to the FDA 483 and quote the exact wording the inspector uses.

Explain the corrective action plans and timelines

Clarity, brevity, and realistic plans are critical in this section of your response. I prefer a table that looks like the example shown below.

7 steps 483 chart 7 Steps to writing an FDA 483 response

Show the FDA you have already taken action in your FDA 483 response

Whenever possible, you want to show the FDA that you are taking action without delay. If you revised the SOP for MDRs and scheduled a group training for July 15, then you should provide the FDA a copy of the revised procedure and a copy of the agenda for your planned training session. The only caution is to only commit to actions you are certain you will implement. You can always do more, but it will be much harder to explain why you did not implement an action you submitted in your FDA 483 response.

Follow-up with a second FDA 483 response before the FDA asks for it

The FDA’s compliance office will be looking for a response when an FDA 483 is issued, and they will review your response. The investigator will get a copy of the FDA 483 response, and the investigator will comment on the response. The compliance office and the investigator enter their comments into a CDRH database. Still, the comments are only general, as to whether the response is adequate or inadequate and will require additional review.

If you do not hear back from the FDA, do not assume that the compliance office or the investigator was satisfied. You should also follow-up several months later (earlier if possible) with a letter that includes evidence of the completed corrective actions, and your verification of effectiveness. If the verification is compelling and received in less than six months of the inspection, you may convince the compliance office to hold off a planned Warning Letter.

If you are interested in root cause analysis and improving your CAPA process, we have two related webinars:

The First 4 Steps of Unique Device Identification Implementation

fda udi clock The First 4 Steps of Unique Device Identification Implementation

This blog explains the first four steps of UDI system implementation.

UDI implementation will impact nearly every area of your company. Successful implementation will require careful planning and coordination throughout the organization and, in some cases, outside your company. You will need to assign resources to update and maintain your systems and the Global UDI Database (GUDID).

The Commitment to Begin is Step 1

The first implementation step is committing to begin. Unique Device Identification (UDI) systems have been used in healthcare for many years, especially for over-the-counter products (commonly known as “UPCs”). Many companies have already implemented UDI systems, using one or more of the Issuing Agencies protocols. They understood the benefits of moving forward with developing UDI capabilities in advance of any regulatory requirements. Customers also played a role in influencing early adopters of UDI. Customers told companies to employ standardized methods, such as UDI. Otherwise, they would stop buying their products. The fear of losing a customer is a powerful incentive, but early adopters also understood the additional benefits of being an early adopter of UDI–including:

  • Ability to control the pace of implementation without having to be concerned with mandated timelines
  • Becoming “easy to do business with”
  • Reduction in transaction errors
  • Decreased order-to-cash process time
  • Help customers ensure patients receive correct products
  • Reduce costs associated with product recalls and other business processes
  • Increase patient safety and satisfaction
  • Reduce waste through better inventory management throughout the supply chain
  • Increase revenue through greater product line exposure to the customer base
  • Increase the speed-to-market of new devices

FDA regulation has now mandated UDI implementation for most medical device labelers. Compliance dates are established. If you miss the date(s) relevant to your devices, you no longer can legally sell your medical devices. Why wait? Start the implementation process now.

Now what? The second step…

Since UDI implementation is a significant undertaking for any company, a UDI champion and implementation team should be created with members from all impacted departments before beginning the planning process. It is also important to involve top management because obtaining management support is critical to a successful implementation.

Step 3: Selecting an Issuing Agency

The next step of the UDI implementation process is to select an Issuing Agency that best meets your needs and the needs of your customers. The FDA accredited three organizations that assign Labeler IDs you can choose from GS1, Health Industry Business Communications Council (HIBCC), and International Council for Commonality in Blood Banking Automation (ICCBBA). GS1 and HIBCC assign Labeler IDs to “labelers) of medical devices, while ICCBBA is for medical devices of human origin (blood, cell, tissue, and organ products), also known as HCT/P. GS1 assigns Global Location Numbers (GLN), HIBCC uses Health Industry Numbers (HIN), and ICCBBA issues Facility Identification Numbers (FIN).

If your company is not already partnered with one of the Issuing Agencies, or still needs to select an Issuing Agency, you should survey your key customers to determine if they are implementing UDI systems, or already have UDI systems. You may find customers using all three versions of UDI labeling (GTIN from GS1, HIBC from HIBCC, and ISBT-128 from ICCBBA). If you don’t label blood, cell, tissue, and organ (HCT/P) devices, then you can rule out ICCBBA. Conversely, if you only sell HCT/P devices, you can rule out GS1 and HIBCC. Ultimately, the selection of an Issuing Agency is your company’s to make–and remember that you are allowed to enter two different Issuing Agencies for each medical device in the GUDID.

Step 4: Unique Device Identification Implementation Planning

Analyzing, strategizing, and planning are essential to determining if you will successfully implement UDI and the related GUDID submission. You need to have a full understanding of your devices, labeling/manufacturing locations, and packaging requirements. Study the UDI Regulation to comprehend which aspects you will need to comply with as you develop your plan. Specifically, these undertakings should be completed as part of the planning process:

  • Start with the end in mind. Understand the UDI maze. What outcomes do you want?
  • Create a playbook to focus on solving business problems. Standardize procedures as much as possible, and tailor solutions to your company and its needs.
  • Group your products by Device Class, Manufacturing Location, Packaging Requirements (sterile, kit, etc.) and any other criteria you need.
  • Perform gap analysis between the device information you have and what you need for submission to GUDID.
  • Determine if your data management system(s) can maintain GUDID information, and communicate UDI or DI information as required (sales orders, purchase orders, labeling, etc.).
  • Determine what changes need to be made to your existing quality system procedures.
  • Will revalidation of electronic records is required to comply with 21 CFR Part 11? (Note: Companies or third-parties using HL7 SPL for data submission to GUDID will need to validate the software used for this purpose.)
  • Determine early on what additional resources are needed (FTE or consultants).

This information gathering should be used to create a strategic plan and budget. The plan should include timelines, assignments, and identify strategic partners (outside vendors and customers). The plan should address changes required in your Product Lifecycle Management (PLM), Enterprise Resource Planning (ERP) and supply chain systems, labeling/packaging equipment and procedures. It should define the gateway to GUDID submission, and create plans of action for validation and compliance.

In my next blog post, I will discuss implementation and ongoing maintenance.

Scroll to Top