Did you know you can download competitor inspectional observations to learn which quality issues are likely to result in warning letters?
Not long ago the FDA published their Inspectional Observation Data Sets. They are Excel spreadsheets of the dreaded 483 inspection observations and warning letters that the FDA issues after performing inspection of manufacturers. There is a spreadsheet for each of the following topic areas, and we will take a look at the ‘Devices’ observations. A post-mortem data analysis or speculative data autopsy if you will… What can we learn when examining an FDA inspection observation?
- Human Tissue for Transplantation
- Radiological Health
- Parts 1240 and 1250
- Foods (includes Dietary Supplements)
- Veterinary Medicine
- Bioresearch Monitoring
- Special Requirements
- Total number of inspections and 483s
These are nonconformities written by the FDA to the Code of Federal Regulations, so there won’t be any statistics for ISO 13485:2016 or Regulation (EU) 2017/745. There will be lots of findings under the ‘QSR’ or 21 CFR 820. The good news, unlike an ISO Standard, is that the Code of Federal Regulations is publicly available online for free. It isn’t a pay-to-play game and we can share the full text of the requirement without violating any copyright licensing agreements.
The top 10 areas for inspection observations and warning letters are:
- CAPA procedures
- Complaint procedures
- Medical Device Reporting
- Purchasing Controls
- Nonconforming Product
- Process Validation
- Quality Audits
- Documentation of CAPA actions and results
- Device Master Record
Corrective and preventive action is the most common reason for warning letters
The winning quality system requirement that resulted in the most 483 inspection observations and warning letters was for Corrective and Preventive Actions under 21 CFR 820.100(a). This finding is listed when a manufacturer fails to establish a CAPA procedure or the procedure is inadequate. This finding was cited 165 times. In addition, CAPA activities or their results were not documented or were not documented adequately a total of 32 times under 21 CFR 820.100(b). This gives us a grand total of 197 observations for the CAPA process.
Corrective and preventive actions are either fixing an identified problem and making sure it doesn’t happen again, or stopping a potential problem from happening in the first place. It is both the reactive and proactive response for quality issues and product non-conformance. The text of the requirement is:
“§820.100 Corrective and preventive action.
(a) Each manufacturer shall establish and maintain procedures for implementing corrective and preventive action. The procedures shall include requirements for:
(1) Analyzing processes, work operations, concessions, quality audit reports, quality records, service records, complaints, returned product, and other sources of quality data to identify existing and potential causes of nonconforming product, or other quality problems. Appropriate statistical methodology shall be employed where necessary to detect recurring quality problems;
(2) Investigating the cause of nonconformities relating to product, processes, and the quality system;
(3) Identifying the action(s) needed to correct and prevent recurrence of nonconforming product and other quality problems;
(4) Verifying or validating the corrective and preventive action to ensure that such action is effective and does not adversely affect the finished device;
(5) Implementing and recording changes in methods and procedures needed to correct and prevent identified quality problems;
(6) Ensuring that information related to quality problems or nonconforming product is disseminated to those directly responsible for assuring the quality of such product or the prevention of such problems; and
(7) Submitting relevant information on identified quality problems, as well as corrective and preventive actions, for management review.
(b) All activities required under this section, and their results, shall be documented.“
We can see that under section (a) the requirement is that there is an established and maintained process control with a numerical list of required inputs and outputs of that process. The process control is easy, use a procedure. You have to establish a procedure and you have to maintain it. That is one part of the first 165 observations.
The second part is that the procedure needs to be ‘adequate’. That means that bullets (1)-(7) need to be addressed within that procedure. For example number (2) is “Investigating the cause of nonconformities relating to product, processes, and the quality system;”. This means that the procedure should be explaining not only that your quality system will be doing that investigation, but who will be doing it and how they will be doing it.
“The cause of nonconformities shall be investigated”, may not be an adequate process control. Yes, it addressed the need for a root cause evaluation, but does it do that adequately?
“The RA/QA Manager will complete or assign a staff member to complete the root cause evaluation of Corrective Actions utilizing methods such as a ‘5-Why Analysis’ by filling in section 2. Of the CAPA report form.” This wording is much closer to what is needed in a procedure. It explains who is doing what, roughly how they might do it, where that activity gets documented and identifies the record that the activity produces.
Which brings us to the extra 32 findings where the activities and their results either weren’t documented or were done so poorly. This is why identifying the input (Root Cause Analysis) and the output (Section 2. of the CAPA report) are important. It allows you, the inspector or an auditor to trace from the procedure to the record that part of the process produces to demonstrate conformity.
As the age old saying goes, “if it isn’t documented, it didn’t happen”. That record should show that yes you did a root cause analysis (the activity) and what the conclusion of that analysis was (the results of that activity). These types of records are so vital to your quality system that there is an entire process dedicated to the control of records. I’ll give you a hint, it is Subpart-M of the QSR.
This is also a great segway to show how the processes go hand in hand and CAPA is interrelated to Document Control, Record Control, and your Quality System Record. Your system processes will continually wrap back around to each other in this manner. For example, CAPAs are a required input into your Management Review process so if you don’t have a CAPA procedure you aren’t performing adequate management reviews.
A note on other systems
If your quality system is also ISO 13485:2016 compliant, Corrective Actions and Preventive Actions are separate items under separate sub-clauses. Corrective Actions are in 8.5.2., and Preventive Actions are in 8.5.3. Meaning if you have a mature quality system that has never had a preventive action, then your CA might be fine, but the PA of that process may be inadequate.
An industry standard for CAPAs is applying a risk based approach, and we have an entire webinar dedicated to the subject! How to create a risk-based CAPA process
Complaints are the second most common reason for warning letters
The silver medal goes to complaints. Much like CAPA the biggest issue is no, or inadequate complaint handling procedures. This specific finding was cited 139 times (overall complaint handling has more but this specific issue was the most cited). Not to sound like a broken record but again, complaint handling is a specific process that requires an ‘established and maintained procedure”.
As a procedure it has to exist, it has to be maintained, and each process has requirements for inputs and outputs that must be outlined. Complaint handling is a little bit different in the QSR in that there isn’t a ‘complaint’ sub-part. Complaints are under Sub-Part M- Records, specifically 21 CFR 820.198 Complaint Files.
To compare, Complaints in accordance with ISO 13485:2016 are under Measurement Analysis and Improvement, specifically Sub-clause 8.2.2. Complaint Handling. It is sandwiched in between Feedback and Reporting to Regulatory Authorities. That had to have been done on purpose because those processes are inherently intertwined and their inputs and outputs directly feed into each other:
“§820.198 Complaint files.
(a) Each manufacturer shall maintain complaint files. Each manufacturer shall establish and maintain procedures for receiving, reviewing, and evaluating complaints by a formally designated unit. Such procedures shall ensure that:
(1) All complaints are processed in a uniform and timely manner;
(2) Oral complaints are documented upon receipt; and
(3) Complaints are evaluated to determine whether the complaint represents an event which is required to be reported to FDA under part 803 of this chapter, Medical Device Reporting.”
This sub-section of ‘Records’ may be less intuitive than what we saw under CA/PA. We can see that we have to maintain complaint files. We also need a procedure that covers receipt, review, and evaluation of complaints. Then we have to name a formally designated complaint handling unit to do all of that.
Further we need to make sure that complaints are handled uniformly and efficiently. It should be a cookie cutter process with a known timeline. Every complaint goes through the same review and evaluation within a specific time period. If it takes six months to review a complaint, that definitely is not a ‘timely manner’.
Not every complaint will be sent to you via certified mail with ‘Complaint’ written across the top in big BOLD letters. Sometimes people will simply tell you about a complaint they have verbally and your process needs to define how it is addressing these verbal communications. Otherwise your FDA inspection observation will be written, and you run the risk of receiving warning letters.
This of course begs the question, what is a complaint? How will I know if I received one? Fortunately 21 CFR 820.3 provides us with definitions, one of them being what exactly a complaint is “(b) Complaint means any written, electronic, or oral communication that alleges deficiencies related to the identity, quality, durability, reliability, safety, effectiveness, or performance of a device after it is released for distribution.”.
There is no quiz at the end of this but I would caution you that this will probably be on the test. Anytime you ask a question like that and the regulation provides a definition for it, then it’s a good idea to include that definition within your procedure. This is a way to make sure that there is uniformity in the understanding of a procedure. If you miss a complaint because you didn’t realize that it was a complaint then your process is not effective. Eventually an auditor will pick up on the deficiencies in the process, document a finding and you will be doing a CAPA to fix it.
Every complaint needs to be reviewed, but not every complaint needs to be investigated. This was a much less cited issue (5). You are allowed to decide that an investigation isn’t needed. However, if you do then you must keep a record of why you decided that and name the person responsible for that decision.
That isn’t carte’ blanche to just write off investigations whenever you want. There are some things that require an investigation and there is no accepted rationale for not performing one. An example is when there is a possible failure of a device, it’s labeling or packaging to meet any of their specifications. Those need to be investigated without exception. What your system is allowed to do though is if you have already done an investigation and you received related similar complaints, there is no need to repeat the same investigation for every complaint.
An important concept of complaint handling is that you should be triaging your complaints as you receive them. There are certain types of complaints that must be reported to the FDA. More information is actually found under 21 CFR 803, not the 820 that we have been examining. These special complaints need to be identifiably separate from your normal run of the mill complaints. These complaints specifically need a determination of;
- Whether the device failed to meet specifications;
- Whether the device was being used for treatment or diagnosis; and
- The relationship, if any, of the device to the reported incident or adverse event.
Outside of those special reportable complaints, all investigations have certain required outputs. By addressing every complaint in a uniform repeatable manner, this can be boiled down to a form. In fact creating a specific complaint form makes sure that all of the required information has been documented. Each record of an investigation by your formally designated complaint handling unit has to be include;
- The name of the device;
- The date the complaint was received;
- Any unique device identifier (UDI) or universal product code (UPC), and any other device identification(s) and control number(s) used;
- The name, address, and phone number of the complainant;
- The nature and details of the complaint;
- The dates and results of the investigation;
- Any corrective action taken; and
- Any reply to the complainant.
Some companies and corporations sprawl across the globe and have many sites all over the place. Not every manufacturer is limited to containing all of their operations within a single building. There are times where the formally designated complaint handling unit may be somewhere other than where the manufacturing is taking place. That is acceptable as long as communication between the two is reasonably acceptable. The manufacturer needs access to the records of the complaint investigations performed. Just as everything must be documented, all of that documentation must be producible as well. If not, your inspector will produce FDA 483 inpsection observations and warning letters.
If the complaint handling unit is outside of the United States the records have to be accessible in the United states from either the place where the manufacturers records are normally kept or at the initial distributor.
Complaint Handling and vigilance reporting are topics that we often find stuck together like velcro. We find them so interelated that we have a combined Complaint Handling and Vigilance Reporting Webinar.
Medical Device Reporting is the third most common reason for warning letters
The bronze medal recipient shows a drop in sheer numbers of FDA inspection observations. A total of 68 were written for the fiscal year of 2020, and these findings have a high likelihood of resulting in warning letters because these incidents may involve serious injuries and death. We are slowing down, but this is still a topic that gets an FDA inspection observation almost every week.
But again part of the issue is no, or bad procedures to control this process. Not to be confused with the (EU) MDR since as an industry we love acronyms so much, Medical Device Reporting is referenced within the Quality System Requirements of 21 CFR 820. We took a peek above in Complaint Handling. What makes this unique is that MDR actually lives in 21 CFR 803 Medical Device Reporting. What makes it even more special is that Part 803 is further broken down into sub-parts.
We will take a look at Sub-part E which is the reporting requirements for manufacturers. Medical Device Reporting is a process and as such needs a procedure to control it and that procedure must be maintained.
Some key points to capture is that there are reporting timelines that are measured in calendar days from when you become aware of information that reasonably suggests that one of your devices;
“(1) May have caused or contributed to a death or serious injury or
(2) Has malfunctioned and this device or a similar device that you market would be likely to cause or contribute to a death or serious injury, if the malfunction were to recur.”
There are some crucial takeaways. First, the clock starts ticking down calendar days, not work days, and holidays count. You can’t hold off reporting that your device killed someone because it’s around the holidays and over a few weekends.
Second, is that reporting timelines vary, generally between 5 and 30 calendar days. That means it is important to know the specific timeline for the type of report you are making and what the authority having jurisdiction requires for a timeline. The FDA may differ from Health Canada which in turn may differ from the EU, etc.
Third is that the bar to meet is what would be ‘reasonably known’, and that is somewhat of an ambiguous requirement open to interpretation.
They help clarify this with,
“(i) Any information that you can obtain by contacting a user facility, importer, or other initial reporter;
(ii) Any information in your possession; or
(iii) Any information that you can obtain by analysis, testing, or other evaluation of the device.”
The first two are usually not an issue, but the one that tends to get less attention is deeper analysis, testing or evaluation of the device. Due diligence is required here to make sure that you actually do know the information that should be ‘reasonably known’ to you.
The burden of investigation and root cause determination is placed squarely on the shoulders of the manufacturers and that is a process that can take some time. What happens when the reporting timely is fast approaching but your investigation won’t be finished before the clock runs out? The short answer is to report it anyway.
The longer answer is to report what information you do have with an explanation of why the report doesn’t have all of the required information. Then explain what you did to try to get all of the information, and file a supplemental or follow-up report later to fill in the gaps. Only having a partial report ready is not an excuse to miss the reporting deadline. It is however, the perfect excuse to get an FDA inpsection observation or warning letters.