While traversing the FDA’s Warning letters database, the doctor actually came across a warning letter violation that made old Dr. D chuckle. The observation was rooted in the performing of audits, or should the doctor say, lack of, and the assigning of individuals to audit their own areas of responsibility. Folks, you just cannot make this stuff up. Although there is never a viable excuse for not complying with the Quality System Regulation (QSR), the type of warning letter observation would be typical of a resource-challenged operation but not a subsidiary of a well-established multiple-national corporation. Additionally, when the agency identifies three out of the four responses as being inadequate, bad things are surely about to happen. Now upon receipt of this warning letter, Dr. D is absolutely sure the Chief Jailable Officer (CJO) was not going to break out into sore sort of crazy “saltation” (look-it-up). Me thinks some tears shed behind closed doors were probably more realistic. Enjoy!
Warning Letter – 30 April 2015
As stated in the introduction, this week’s offending device establishment received a warning letter with one of the observations premised on issues associated with their audit program. For example, failing to perform internal audits for Q3 and Q4 of 2014 and writing the rationale for the failure to perform audits on March 5, 2015. Please note, the FDA inspection, resulting in their winning a prized agency warning letter for this establishment, commenced on March 4, 2015. So this establishment’s written rationale for failing to perform audits was generated the day after the inspection started. Seriously? As Carlos Mencia (one of the doctor’s favorite comedians) likes to say, “dah, dah-dah!” Seriously people, if an internal audit or series of audits cannot be performed due to resource allocation issues (e.g., unannounced notified body audit, the notified bodies have to make their money), it is acceptable to postpone internal audits providing sufficient written rationale is placed into the audit file ASAP! If the reasons for not performing internal audits are, “We do not have enough resources or production comes first”, then the CJO will have some explaining to do when the FDA shows up for a cup of coffee and an inspection. You see, the FDA really could care less about an establishment’s production needs or excuses pertaining to a lack of resources. We are talking about medical devices people, and compliance with the QSR is mandated by law in the United States of America. In fact, the FDA can cite an establishment for failing to have adequate resources.
Observation Four (4) – “Failure to establish procedures for quality audits and conduct such audits to assure that the quality system is in compliance with the established quality system requirements and to determine the effectiveness of the quality system, as required by 21 CFR 820.22. We observed that (b)(4) scheduled internal audits (including audits of CAPA and design controls) were not conducted in Q3 and Q4 of 2014 as required by your procedure, Quality Assurance Internal Audit Program Doc # 1420018. Justification for the failure to conduct these audits was not documented until March 5, 2015. We also confirmed that (b)(4) internal audits ((b)(4) in Q4 2013 and (b)(4) in Q2 2014) were conducted by individuals whose normal scope of responsibility included the areas audited. This is contrary to your own procedures.”
Subpart B – Quality System Requirements
Section 820.22 – Quality Audit
“Each manufacturer shall establish procedures for quality audits and conduct such audits to assure that the quality system is in compliance with the established quality system requirements and to determine the effectiveness of the quality system. Quality audits shall be conducted by individuals who do not have direct responsibility for the matters being audited. Corrective action(s), including a reaudit of deficient matters, shall be taken when necessary. A report of the results of each quality audit, and reaudit(s) where taken, shall be made and such reports shall be reviewed by management having responsibility for the matters audited. The dates and results of quality audits and reaudits shall be documented.”
Compliance for Dummies
The doctor would like to begin the compliance piece with some good news. Establishments do not have to share the result of audits (internal or supplier) with the FDA, only “documented evidence” that the audits have been performed. If an establishment does not have the internal resources to perform these audits, then it is an acceptable practice to hire third-party auditing firms such as Devine Guidance International, Inc. However, if the establishment chooses to perform their own audits, the following bulleted points contain some of Dr. D’s words of wisdom.
- This first bullet is just plain-old common sense. The QSR requires that a procedure be established (define, document, & implement) for quality audits. Some of the elements to consider as part of the audit program are:
- Opening meeting
- Use of sign-in sheets (documenting interviews)
- Use of audit checklists
- The interview process
- Audit report content
- Categories of non-conformances (observation, minor, & major)
- Closing meetings.
- Make sure internal auditors are appropriately trained and qualified (recommend reading ISO 19011:2011 – Guidelines for Auditing Management Systems).
- An audit schedule should be created and subsequently reviewed and approved by management at the start of each year. The management representative owns this responsibility (sorry, management reps out there).
- Once the audit schedule is released, it is imperative that the audits are performed in accordance with the published schedule. Missing two quarters of audits and then providing written rationale after an agency inspection begins is always going to end badly.
- It is an acceptable practice to retain a qualified third-party firm to perform audits.
- Once an audit has been completed, ensure management (especially the manager/supervisor of the area audited) reviews a copy of the report.
- If discrepancies (non-conformances) are noted during the audits, ensure corrective action is pursued to remediate the issues identified.
- If the area audited is seriously screwed up, perform a re-audit or as many re-audits as appropriate until the issues are corrected. That includes showing incompetent individuals the door (contact your HR department first). Just kidding.
- Ensure a copy of the audit report and that the corrective actions taken are appropriately documented and retained. Remember, this documentation is needed as documented evidence of compliance. Your CJO will thank you.
- Finally, make sure the results of audits find their way into management review meetings. The management team needs to be knowledgeable of the ongoing issue impacting the organization.
Takeaways
For this week’s guidance, Dr. D will leave the readers with just one takeaway. One – always perform internal audits on time and in accordance with the published audit schedule. Please do not be that organization that fails to perform the audits and attempts to correct the issue after the FDA arrives. Believe the doctor when he says, “It’s too late baby, it’s just too late” (Carole King, 1971). In closing, thank you again for joining Dr. D, and I hope you find value in the guidance provided. Until the next installment of DG – cheers from Dr. D. and best wishes for continued professional success.
References
Code of Federal Regulation. (2014, April) Title 21 Part 820: Quality system regulation. Washington, D.C.: U.S. Government Printing Office.
Devine, C. (2011). Devine guidance for complying with the FDA’s quality system regulation – 21 CFR, Part 820. Charleston, SC: Amazon.
Devine, C. (2013). Devine guidance for managing key attributes of a FDA-compliant quality management system – 21 CFR, Part 820 Compliance. Charleston, SC: Amazon.
FDA’s enforcement page. (2015, April). FDA.gov Website. Retrieved May 11, 2015, from http://www.fda.gov/ICECI/EnforcementActions/WarningLetters/ucm445262.htm