In the books, the current Good Manufacturing Practices/QS Regulation and ISO 13485:2016 resemble each other in many ways with respect to the requirements for medical device manufacturing and design quality systems. The newest version of ISO 13485 is so much more like 21 CFR, Part 820 that it is almost uncanny. Despite the marked similarities, it is the interpretation and the approach of the investigator or the auditor that makes the experience of a U.S. FDA inspection very different than an ISO 13485:2016 quality system audit.
First, let’s make sure that we are on the same page: this article is about specifically-trained people, evaluative approach, regulation vs. standard, outcomes and attitude. FDA inspects the Quality System using investigators, and ISO registrars conduct audits using auditors. Inspections and audits are 180 degrees apart in intent and consequence. Investigators and auditors not only behave differently when they sit across the table from you, but they have a diverse modus operandi that enforces the law and complies with a voluntary standard, respectively.
When your company sells medical devices in the U.S., it is mandatory that FDA enforce the law (Food, Drug and Cosmetic Act) using the QS Regulations to judge your manufacturing and design operations. The ISO 13485 Standard is totally voluntary and, frankly, if your company doesn’t like the way that it is audited or the auditor that it chose, you can change auditors or, for that matter, change registrars rather seamlessly. And yet another healthy dose of regulatory and business reality, my friends.
FDA Doesn’t Perform Audits
Saying that “FDA conducted an audit of my company” isn’t accurate, and sitting directly “across the table,” ISO auditors do not conduct inspections. You could say that I’m being too finicky. And you’re right! It is a sore point with me. But make no mistake, these two actions are conducted and planned much differently.
When an investigator performs an evaluation of the Quality System, you experience a bottom-up inspection. He looks at one or more instances of quality problems, such as nonconforming device reports, complaints or the Device History Record, and works his way back up through the company’s quality system. This method zeros in on specific problems, and evaluates the company’s actions that relate to those problems. This practice is reactionary in intent, and usually has a reactionary type of outcome.
However, with the top-down approach, auditors look at the company’s Quality Management System to address quality processes before they actually look at specific quality problems. In the top-down approach, the auditor eventually will hit the proverbial “bottom” when she links observations of each of the subsystems and understand documents and then sample records, rather than works her way from records review backwards toward procedures. The top-down approach initializes each subsystem review with an evaluation of whether the firm has addressed the basic requirements in that subsystem by defining and documenting appropriate procedures. This is followed by an analysis of whether the firm has implemented the requirements of that subsystem. You could make a point at this juncture and say that this approach is aligned with the Quality System Inspection Technique (QSIT). Frankly, from my experience baseline, the QSIT approach is taught but not used to the extent as advertised.
The Authority and Logistics to Conduct an Inspection or an Audit of a Medical Device Company
Section 704(a) of the Food, Drug, and Cosmetic (FD&C) Act gives FDA the authority to conduct cGMP – QSR inspections of medical device manufacturers. During these inspections, facilities, manufacturing processes, records and corrective action programs are examined by an FDA investigator. The results provide information necessary to evaluate a manufacturer’s compliance with the device QS Regulation (21 CFR 820).
Quite honestly, the ISO audit is more of a business deal than a compliance hurdle. The registrar must meet the requirements of ANSI-ASQ National Accreditation Board and have an up-to-date certification before he steps foot in your facility. The results provide information necessary to evaluate a manufacturer’s compliance with ISO 13485:2016. Your company pays the registrar to conduct this audit; in turn, the auditor is paid and all expenses are reflected in the fee. An invoice is generated to consummate the deal. I still wonder about paying an auditor to examine your quality management system objectively. We should talk about that someday.
Anyone who manufactures or stores a medical device can be inspected by FDA. A manufacturer is any person who designs, manufactures, fabricates, assembles or processes a finished device. The definition of manufacturer includes but is not limited to those who perform the functions of contract sterilization, installation, relabeling, remanufacturing, repacking or specification development, and initial distributors of devices from foreign entities performing these functions. ISO 13485 is aligned with this edict but, as I indicated above, ISO Certification is voluntary and can be used to meet the requirements of CE Marking with the authority coming from the Medical Device Directives (MDD) and your budget.
Let’s Get Started
Properly managing an FDA inspection or an ISO audit is vital to realize success. Remember, not all FDA inspections and ISO audits turn out to be success stories. Believe me, if you’re not prepared, either one of these evaluation activities could fall flat. Knowing your company’s intrinsic limitations, upper-level management’s involvement and the final exit meeting where a “best foot forward” is essential can make or break the strategic outcome of an FDA inspection or an ISO Audit. Besides managing these logistical variables, your company also must put the best possible objective evidence in front of these evaluators. While there is no magic formula for handling this undertaking, common sense, preparation, a professional attitude and positioning the right people to give the correct answers go a long way to demonstrating QMS effectiveness in a compliant manner. For FDA or ISO, this holds true to form. Having inexperienced people talking to investigators or auditors spells FAILURE.
It is unfortunately true that some inspections are unannounced, but for the most part, FDA inspections, depending upon your relationship and history with the District Office, are conducted with prior notice. Announced or unannounced, there should be a coherent strategy and procedure in place (that everyone—yes, everyone—at the company reads and understands) to manage FDA inspections and ISO audits. It’s not a matter of luck and chance that your company will be a winner at the end of this inspection or audit. A planned, premeditated approach can be of some assurance to a good start.
Some company presidents and their staff tout that “they are ready every day to defend themselves” during FDA inspections (analogous to, “Bring it on”). I have not and will never believe that that type of false bravado instantly spells success. In fact, that approach to the investigator or the auditor usually means just the opposite. They’re only human! Because the business runs smoothly and you make money doesn’t mean that the QMS is in compliance, and it surely doesn’t mean that your employees are inspection-savvy or ready. Companies that drive fire trucks every day commonly have a hard time with FDA inspections and ISO 13485 audits.
Your ISO registrar and auditor relationship necessitates that you build and seek common understanding as to what the requirements are and the best approach to conduct the audit in a comprehensive and objective manner. There is communication with the registrar and the auditor prior to Day One. There could be requests by the auditor for certain procedures ahead of time. Logistics are spelled out in an audit plan, conversations are held about the best place to stay in the area and are there any good restaurants there. ISO audits are fairly social in nature, in comparison with the no-frills FDA investigator who arrives and then acts quite serious, (as she should).
Prior to the start of the FDA inspection, it is important that your company’s inspection team (cross-functionality is the correct formula for inspection participants) review the following and have objective evidence ready in the control room:
- The procedure for managing the inspection has been completed
- The appropriate people are now trained (including the receptionist)
- The FDA management team is identified, and a first meeting is orchestrated to discuss logistics and responsibilities
- A mock FDA inspection has been conducted that includes interviewing techniques
- Review has occurred regarding what FDA can review and what they should not review
- Document review has occurred of Standard Operating Procedures versus the appropriate Work Instructions
- Review complaints, any MDRs, Service Reports and Recalls going back at least three years. Link this review to Corrective and Preventive Actions taken and final resolve, if any. Review the corrective action log.
- Make sure that the president knows that having a lawyer as part of the inspection team is not necessary and often a negative factor during the inspection. The intimidation factor and the endless questions confuse
- Review the Risk Management File for each device and major processes to confirm accuracy, resolution and disposition
- Establish linkages between the Design History File, the Device Master Record and the Device History Records
- Conduct an assessment
The ISO auditor commonly has at least the quality manual and some procedures from the Stage One audit conducted just weeks before this Certification Audit. Your company’s preparation should include a review of all procedures by the perspective process owners (for accuracy and compliance) and have all of the first level, second level and some key work instruction level documents at your fingertips. Many companies use a computer and screen to project the documents for review, and will provide a hard copy if requested. My experience with FDA is just the opposite. FDA investigators commonly want hard copies stamped as uncontrolled.
Arrival of the Investigator and the Auditor
FDA investigators should arrive at the main lobby of the facility. At no time should the investigator be allowed access to any part of the building, other than the lobby area, without an escort. In cases where the investigator arrives at an entry or access point other than the lobby, the investigator should be escorted to the main lobby of the facility until the arrival of the appropriate coordinator or escort personnel. The receptionist or any other employee approached by the investigator, after ensuring that the investigator is in the lobby, will contact the president, management representative and the regulatory function. The receptionist will ensure that the FDA rep remains in the lobby until either one of these people arrives and escorts the investigator into the building, if necessary. An area should be set up as the inspection room, and a separate control room (some companies call this the war room) will act as a filter for all information coming and going to and from the investigator. Bringing in the wrong objective evidence should be avoided and frowned upon ahead of time.
On the other hand, the ISO auditor is usually welcomed by all in more of a social atmosphere, as I mentioned before. Arriving in the lobby is expected, and the management representative picks up the auditor to escort him to a conference room supplied with cold drinks, maybe bagels, a fruit plate, napkins, etc.
Do you get the drift, and see the differences evidenced so far? The FDA investigator commonly brings her own water bottle and goes out to lunch alone. When it comes to bias or favoritism, FDA is as straight of a group as you’ve ever seen. By the way, there is no need for a control room during an ISO audit, as you are commonly discussing what the best objective evidence will be to show that your company complies with the standard and your own procedures. ISO Audits can be care-fronting rather than confronting.
The Control Room (for FDA Inspections)
Qualified personnel with a strong systems’ background should operate in the Control Room. These people are or have:
- cGMP/QSR-savvy; familiar with the documentation flow
- Knowledge of gaps
- Been through FDA inspections in the past, if applicable
- Preferably not management
- Quick thinkers with inquiring minds
- Endurance (long pauses and quick starts)
- Knowledge of the right people to find information
During ISO audits, the management representative usually takes charge of the audit logistics and will have a well-spoken and congenial auditee in front of the ISO auditor. Process owners will commonly be interviewed by the auditor, and it usually comes across as a discussion and a fact-finding mission. As I said before, putting the wrong information in front of FDA could be dangerous. All procedures and records must be screened by knowledgeable people prior to the presentation of data to the FDA investigator.
Human Conduct and Behavior
In both the cases relative to the inspection or the audit, an opening meeting should be (and will be) held to introduce the participants and key personnel in your company. The scope and general approach to the audit is discussed using an audit plan in the case of ISO 13485 and the issuance of an FDA 482 to top management, outlining the purpose of the inspection and the scope. This is also the time to question anything that might be unclear and clarify the logistics for all participants involved.
Awareness of what is going on at all times by the contact person of the manufacturer during the inspection is important. Therefore, once started, the inspection should be given priority. If the contact person is distracted by other business, the inspection may be prolonged and the investigator’s questions concerning suspected deficiencies may be misunderstood or answered inadequately. Familiarity with the circumstances surrounding any deficiencies listed on form FDA 483 (the list of observations presented at the close of the inspection) is vital in discussion of these with the investigator.
If there are questions for which you don’t have immediate answers, promise to research the questions. A list of these unanswered questions is a reminder to get the answers and give them to the investigator. The investigator usually records the questions, and resolving unanswered questions may help avoid inaccuracies on the form FDA 483 and in the establishment inspection report prepared by the investigator at the end of the inspection.
In every case, forward requested documents to the control room first and then to the investigator, if allowed. This can be best explained as a screening process before initial viewing by the inspector. No documents or records shall enter the FDA inspection room unless initially reviewed, copied, recorded and released. The management representative ensures that a copy of these requested documents are retained for at least five years under document control.
There is always a safety-first policy for both FDA and ISO representatives. Your company must ensure that the investigator or auditor complies with all applicable safety and quality system requirements (e.g., safety glasses, cleanroom procedures, etc.).
If the FDA investigator requests product samples—R&D, production or finished samples—notify the investigator that the agency may be billed for any samples taken. All samples will be marked as such prior to issuance. Your company must ensure that duplicate samples are selected so that testing can be performed by your company, if necessary. The management representative ensures that samples are retained for “X” number of years—your call. ISO auditors commonly don’t request samples, but will request documents to use while writing the audit report in the hotel room or in the conference room at the end of the audit day. Copies of such non-proprietary documentation are readily given to ISO auditors for temporary use and review. As I said, they probably have retained the documents from the Stage One audit conducted previously.
Close-out or Exit Meeting
At the end of an FDA inspection or ISO audit, the investigator or the auditor conducts an exit meeting. It is usually held immediately after the ISO audit is finished. On the other hand, FDA may take a day or so at the District Office to compose and review the report, especially if it takes a long time to prepare form FDA 483. During this meeting, the investigator discusses with company management the observations recorded on form FDA 483 and other observations not listed that the investigator wishes to bring to management’s attention. The manufacturer should compare the form FDA 483 against notes taken during the inspection to confirm the accuracy and completeness of the investigator’s recorded observations. Close-out meetings present an opportunity for all parties to correct such misunderstandings. Inaccurate observations can be changed or deleted as appropriate. Top management should be present at FDA as well as ISO close-out meetings to provide information regarding any planned corrective actions to be taken and schedules for these actions.
The ISO auditor has a controlled format he will use based upon the registrar’s quality management system requirements. It is not uncommon to leave the ISO auditor alone for a couple of hours at the end of the audit to prepare and finish the report that day. During the close-out meeting, the auditor will go through the findings and, in many cases, give recommendations for improvement. This meeting is usually underpinned with civility and understanding, rather than a “you’ll correct this or else” approach to closing out deficiencies. In either, a formal response is necessary in a timely manner.
It is imperative that your company responds to any and all observations documented by the FDA investigator or ISO auditor. A written response to the FDA 483 or the Audit Report Findings, along with documentation to show how your company intends to remove or correct the objectionable conditions or practices, can assure FDA and ISO that these deficiencies will be corrected in a timely manner. Your company should prepare such a response post-haste to either the investigator or the auditor, and formally present your plan using the Corrective and Preventive Action process. To repeat, a plan of corrective action is very important.
Management should evaluate the FDA 483 or the Audit Report prior to issuance. What you say in these responses can make or break your chances for timely closure.
Inspection is most often associated with inspecting a product or a service to make sure it is compliant, and an audit is most often associated with a higher-level review of the system that is designed to produce and inspect the product or service. An audit of a manufacturing process wouldn’t just inspect the product; it would ensure (at a system level) that required inspections had already been performed on the product.
MidWest Process Innovation, LLC