Featured Product
This Week in Quality Digest Live
FDA Compliance Features
Dario Lirio
Modernization is critical to enhance patient experience and boost clinical trial productivity
Alexander Khomich
Healthcare software opens up opportunities for clinics in both management and patient care
Gary Shorter
Pharma needs to adapt and evolve with the changing environment of life science data
Etienne Nichols
Quality management system regulation explained
The short answer: Standard weights, rigorous procedures, and state inspectors ensure measurements are fair and accurate

More Features

FDA Compliance News
First trial module of learning tool focuses on ISO 9001 and is available now
Free education source for global medical device community
Good quality is adding an average of 11 percent to organizations’ revenue growth
Further enhances change management capabilities
Creates adaptive system for managing product development and post-market quality for devices with software elements
VQIP allows for expedited review and importation for approved applicants that demonstrate safe supply chains
An invite from Alcon Laboratories
Intended to harmonize domestic and international requirements
Pharma quality teams will have performance-oriented objectives as well as regulatory compliance goals

More News

Jon Speer

FDA Compliance

Unannounced Audits

A survival guide for medical-device quality managers

Published: Wednesday, November 18, 2020 - 13:02

The medical device industry is one that requires preparation. Unlike less regulated industries, there’s an expectation in the industry around the possibility that an inspector or auditor can show up without notice and stop a business in its tracks.

That’s why, when Greenlight Guru released its “State of Medical Device Product Development and Quality Management Report,” readers were surprised to discover most medical device companies wouldn’t be prepared in the event of an unannounced audit.

In particular, we found that one of the most striking dividing lines between the prepared and unprepared was the use of best-in class-tools. Our research found that 40 percent of companies that invest in quality tools say they’re very confident they could pass a surprise audit; fewer than 20 percent of companies using legacy tools feel the same.

Here, we’ll explore possible ramifications of being caught unprepared for unannounced audits and inspections, and the actionable steps quality managers can take not only to survive these harrowing events but also thrive when it matters most.

The stakes are high if caught unprepared during an audit. It can take months to recover. If remediation efforts require the help of outside consultants, costs and timelines can soar. Risks can be even greater for FDA inspections, which can carry punitive measures that range from citations and fines to product recalls and potentially even litigation.

FDA inspections

From 2007 to 2017, there was a 46-percent increase in the number of device inspections per year. With inspections on the rise, preparation becomes even more important.

If the FDA finds a noncompliant process during an inspection—announced or unannounced—you will be issued a 483 Form. A medical device facility may receive a 483 observation, the FDA says, “When in the investigator’s judgment, conditions or practices observed would indicate that any food, drug, device, or cosmetic has been adulterated or is being prepared, packed, or held under conditions whereby it may become adulterated or rendered injurious to health.”

If you're the unlucky recipient of a 483 observation, you have 15 days to respond.

Depending on the severity of the noncompliance observed, a 483 observation can be escalated to a FDA warning letter. We’ve seen cases where companies invested millions of dollars in consulting services and spent months of unplanned project time to remediate FDA warning-letter findings.

It pays to be prepared. Moreover, it pays to invest in tools that enable effective preparation.

Data-driven research from our 2020 Industry Benchmark Survey found that 50 percent of FDA device-surveillance inspections are the result of quality system failures.

Correlating well with this is the fact that the same proportion, about 50 percent, of medical device companies are still using traditional paper or electronic document-based “paperless” systems to manage quality.

It’s important to adopt the best QMS software tools that have the guardrails in place to protect you in the event of an unannounced inspection—meaning you won’t always have time to duct-tape your legacy system tools before they walk through your door.

The FDA has always carried out both announced and unannounced inspections for the medical device industry. If you’re manufacturing Class II or Class III devices, an FDA inspector will typically make announced visits to your facility every two years or more as standard practice.

If the FDA has found issues in the past, however, or if your device is deemed high risk, inspectors may be more frequent guests of yours. The FDA usually announces pre-approval and routine inspections five calendar days before it conducts them.

Your company will need to account for those unannounced inspections, too. The FDA conducts quality system inspections only on an unannounced basis. Additionally, the agency doesn’t pre-announce follow-up inspections and “for cause” inspections.

ISO audits

In the past, auditing organizations and notified bodies would typically give advance notice of an upcoming audit. That’s since changed, though, and unexpected audits are now commonplace in the markets in which these organizations serve.

There are many differences between how FDA inspections and ISO audits are conducted, but the nature of the preparation rests on similar principles.

ISO 13485:2016 is a voluntary standard, not a regulation. To obtain ISO certification, a manufacturer’s quality management system (QMS) will undergo a conformity assessment audit to determine whether ISO 13485 requirements have been met.

Third-party audits don’t have the same enforcement mechanisms that FDA inspections do. The relationship is reversed: You pay these organizations to conduct the audit so that you can obtain ISO certification.

ISO certifications are applicable in many regulatory regimes around the world, so it’s useful to have and maintain that certification.

Ensure quality procedures will pass QMS inspection

Poor documentation of procedures is one of the biggest causes of regulatory citations from unannounced audits.

If your documentation isn’t in order, inspectors and auditors may become suspicious and start pulling at the proverbial thread to uncover potential issues that they have reason to suspect exist within your systems and processes.

When it comes to FDA inspections, the three most commonly cited sources of noncompliance include poorly documented procedures for corrective and preventive action (CAPA), complaint files, and medical device reporting (MDR).

CAPA procedures

The FDA’s regulatory requirements for CAPA procedures can be found in 21 CFR 820.100(a), all corresponding activities of which must be documented.

A medical device company must clearly document and adhere to the corrective and preventive action procedures it has defined in order to quickly and efficiently respond to issues by launching a CAPA investigation into the matter.

In the event that during an unannounced inspection it’s revealed your CAPA procedures have not been established or properly adhered to, there’s a strong possibility you may receive a 483 Form, which could then turn into a warning letter.

If this happens, there’s a good chance this won’t be your last surprise inspection for the foreseeable future.

Complaint file procedures

The FDA requires all medical device manufacturers to maintain complaint files that include, according to 21 CFR 820.198, “procedures for receiving, reviewing, and evaluating complaints by a formally designated unit.”

The purpose of complaint file procedures is threefold, in which manufacturers must:
• Process complaints in an efficient and standardized way.
• Document oral complaints as soon as manufacturers receive them
• Evaluate complaints to determine whether or not the company should report them

Medical device companies are required to document their decision to either investigate or not investigate the issue, and provide objective reasoning as to why. If an investigation is deemed necessary, the manufacturer must designate a person responsible for documenting and overseeing the complaint process.

Companies should ensure their complaint-file procedures are properly documented and comply with FDA quality system regulations. In the event of an unannounced inspection, these procedures are highly prone to close analysis by an inspector.

Medical device reporting procedures

The FDA requires manufacturers to maintain systems for identifying events that require medical device reporting (MDR), document a formal review process, and communicate reports to stakeholders.

Your documented medical device reporting procedures must be in compliance with the FDA regulations found in 21 CFR 803.17, which lists four types of documentation manufacturers must submit in a medical device report:
“(1) Information that was evaluated to determine if an event was reportable;
(2) All medical device reports and information submitted to manufacturers and/or us;
(3) Any information that was evaluated for the purpose of preparing the submission of annual reports; and
(4) Systems that ensure access to information that facilitates timely followup and inspection by us.”

If MDR procedures are found to be noncompliant following an FDA inspection, your company may be subject to 483 observations or other disciplinary actions.

Leverage document management tools

Controlling and managing documentation of your procedures is critically important in the medical device industry. If you’re relying on legacy tools to manage your quality processes, you could be inadvertently exposing your product and business to serious risks that would otherwise be nonexistent with purpose-built tools.

It’s important to choose a quality management solution that is built to enable and protect your medical device company. Modernized QMS tools offer medical device-specific quality management workflows that make documentation a nearly hands-off task.

With reliable document management software, medical device teams can:
• Determine which stakeholders need to sign off on new or changed documents
• Control and document revisions, including e-signatures and watermarks
• Assign permissions to the people who need access—and only them

By managing your documents electronically through an automated system, you can refocus efforts into enhancing your quality procedures instead of double- and triple-checking which file folder they’re located in and if it’s up to date.

When an inspector or auditor asks for a specific document, you can retrieve it upon request and rest assured knowing that it’s the most updated version, complete with the necessary signatures of approval.

Three steps to prepare for unannounced audits and FDA inspections

The FDA requires medical device companies to perform internal audits regularly.

The quality of preparation for that internal audit, how it’s conducted, and its takeaways can vary widely based on how the company structures these reviews.

With the right plan, however, you can audit your own systems and processes much more efficiently than an FDA inspector or auditor could, not to mention that you’ll give yourself peace of mind knowing that you’ll be prepared once they do come knocking.

Step No. 1: View your processes through lens of an inspector or auditor
After spending so much time working inside your own facility and developing your medical device processes, you’ve likely become overly familiar with your entire system. Aspects that may have once stood out to you may have already began to fade into background noise.

Ask yourself this: “What do our processes look like to someone who’s unfamiliar with them?”

Because of their training and inherent lack of familiarity with your organization, an auditor or inspector will not have the same assumptions or knowledge base you do. Before you conduct an internal audit, step back and view your processes through their lens.

Review your documents and procedures as if you were reading them for the first time. Read them aloud if that means slowing down and carefully looking at each word and its meaning. Don’t assume anything. Check and recheck that each referenced resource is accessible, and every implication is understood.

At the very least, and perhaps most important of all, critique how your processes look and function in relation to how you’ve defined the procedures in your QMS. What’s documented in your quality system and what exists in real life should be in sync.

Tip: To enhance the results of your internal audits, leverage the public database of warning letter reports published by the FDA. Search for medical devices similar to your own, and ask yourself whether an inspector would find similar flaws in your related processes.

Step No. 2: Conduct the internal audit
Armed with an outsider’s perspective, you can conduct a comprehensive and effective internal audit.

Consider implementing these three best practices for your own internal quality audits:
• Document your internal audit process, including the scope of the relevant regulations and which ones apply.
• Plan ahead so that you aren’t bound to hiring outside consultants.
• Treat your internal audits like opportunities, rather than compliance requirements.

These steps are important precisely because the role of an auditor or FDA inspector only goes so far. If you find issues, remediation is your responsibility.

Step No. 3: Leverage audit management tools
Conducting an internal audit can be intimidating, but it doesn’t have to be.

Audit management software built for medical device companies simplifies the internal and external audit experience. A dedicated medical device QMS (MDQMS) enables you to:
• Plan audits in advance and set notifications
• Assign audits tasks and track progress
• Ensure your QMS is fully traceable and fully auditable

A robust MDQMS offers purpose-built workflows for audit management that enable rigorous internal examination so that you can audit yourself better than anyone else can. Teams have full visibility into each document and every procedure, making it easy to establish a policy that everyone can follow in the event of an unannounced audit.

Stay ahead of auditors and your competition

Medical device leaders understand the importance of preparation, and their position in the market speaks for how it pays off.

Findings from our 2020 industry benchmark survey found that the majority (55%) of respondents from competitive market-leading companies believed it would take a week or less to prepare for an audit. In comparison, only 38 percent of noncompetitive organizations could say the same.

First published Aug. 16, 2020, on the Greenlight Guru blog.


About The Author

Jon Speer’s picture

Jon Speer

Jon Speer is the founder and vice president of quality assurance and regulatory affairs at Greenlight Guru, a software company that produces the only medical device quality management software solution. Device makers in more than 50 countries use Greenlight Guru to get safer products to market faster. Speer has served more than 20 years in the medical device industry having helped dozens of devices get to market. He is a thought leader and speaker, and regularly contributes to numerous industry publications. He is also the host of Global Medical Device Podcast.