Devine Guidance
The QSR Exceptions to the Rules

Dr. D hopes that each of my readers that celebrated Thanksgiving had a wonderful day with their families. Unfortunately, my soon-to-be son-in-law is an Oakland Raiders fan and the Raiders could not come up with a Thanksgiving Day victory, too bad.

For this week’ guidance, the doctor is going to explore the word “exception.” If the Raiders won, that would have been an exception. For those of you that spend most of your days in the medical device industry trenches, you are very much aware of the lack of exceptions in regards to quality and regulatory compliance. However, FDA has graciously given special dispensation to medical device establishments when it comes to three types of records: (a) management reviews; (b) internal audits; and (c) supplier audits. Go figure, the agency has granted exceptions.

Considering the doctor’s “propensity” for being “rectitudinous” (a double look-it up moment) as ever, this is one part of the quality system regulation (QSR) that has always surprised Dr. D. These exceptions prevent FDA from taking a good look into the overall effectiveness of management review, internal audits, and supplier audits. Considering these are problem areas that the doctor frequently cites as non-conforming during internal audits and supplier audits, Dr. D would think the agency would find these areas ripe for the issuance of Form 483 observations. Enjoy. 

Subpart M – Records
Section 820.180 – General Requirements
(c) Exceptions. This section does not apply to the reports required by 820.20(c) Management review, 820.22 Quality audits, and supplier audit reports used to meet the requirements of 820.50(a) Evaluation of suppliers, contractors, and consultants, but does apply to procedures established under these provisions. Upon request of a designated employee of FDA, an employee in management with executive responsibility shall certify in writing that the management reviews and quality audits required under this part, and supplier audits where applicable, have been performed and documented, the dates on which they were performed, and that any required corrective action has been undertaken.

Exceptions

Dr. D would like to emphatically state; “just because FDA has granted exceptions to the QSR, does not mean theses activities do not have to be performed.” In fact, FDA has the right to request that the Chief Jailable Officer (CJO) sign a declaration to the effect that these activities are being performed and the records are being collected and maintained. After all, the management review meeting minutes, internal audit results, and the results of supplier audits are considered quality records and fall under the FDA’s record retention requirement of two years. In fact, the doctor strongly recommends that the procedures for management review, internal audits, and supplier management, clearly reflect that: (a) management review meeting minutes; (b) the results of internal audits; and (c) the results of supplier audits are not to be shared with FDA.

Management Reviews

For management reviews, Dr. D strongly recommends keeping a separate agenda and sign-in sheet to support evidence of compliance. The doctor has always liked the way ISO 13485 spells out the management review inputs and outputs within Clauses 5.6.2 and 5.6.3. When FDA shows up on your doorstep for a cup of coffee and an inspection, the CJO can share the sign-in sheet and agenda for evidence of compliance. Never, never, never, share the contents of management review meetings with FDA. Besides, if a device establishment is racking up Form 483 observations during an inspection, the agency will quickly come to their own conclusions that management oversight is problematic. One final point the doctor would like to make is in regard to management review frequency. Although regulatory bodies accept the approach to holding management reviews annually, the doctor recommends a quarterly approach.

Internal Audits

Similar to management reviews, Dr. D strongly recommends that an audit agenda, audit sign-in/interview sheet, and audit plan be created to support the internal quality audit process. Additionally, an audit schedule will need to be constructed and approved at the beginning of each year. FDA will expect to see the audit schedule and evidence of compliance. The evidence of compliance can be in the form of the presenting the audit plan, agenda, and signed interview sheet. If internal audits are not being performed in accordance with the schedule or not being performed at all, the investigator(s) will quickly draw the conclusion premised in part on the number of Form 483 observations given. Can you say warning letter?

Supplier Evaluations

When it comes to supplier audits, similar to internal audits, an audit plan, agenda, and sign-in sheet are excellent documents to have to support claims of compliance. However, there is no requirement to physically perform on-site assessments of your supplier base. Now granted, Dr. D will always recommend assessments be performed on a device establishment’s critical suppliers such as: (a) contract manufacturers; (b) sterilization facilities; and (c) critical component or service suppliers. For just about everyone else, the collection of an ISO 9001, ISO 13485, ISO/IEC 17025, or AS 9100 certification should be adequate; even better, the completion of a mail-in survey accompanying the quality management system certificates. For your consultants and contractors (e.g., Dr. Christopher J. Devine), a resume and applicable training certificates should do.

The real trick becomes presenting sufficient information to FDA to support claims of compliance. For mail-in surveys, the doctor recommends having a first page that collects basic business information and the date the survey was completed. Similar mail-in surveys should be employed for consultants and contractors.  By employing this approach a device establishment can limit the amount of information given to FDA to support claims of compliance. By the way, do not forget to create a supplier audit schedule. FDA will ask to see the schedule if supplier audits are part of your organization’s approach to purchasing and supplier management.

Takeaways

For this week’s guidance, Dr. D will leave the readers with six takeaways:

  1. Do not look a gift horse in the mouth. Take advantage of the exclusions and ensure procedures scripted for management review, internal audits, and supplier management clearly state that: (a) management review meeting minutes; (b) the results of internal audits; and (c) the results of external audits are not to be shared with FDA. 
  2. Although this article is not about management responsibility, the doctor recommends holding management review meetings quarterly; once a year just does not cut it. 
  3. For management review meetings, make sure there is an agenda and sign-in sheet available to share with FDA as documented evidence of compliance. 
  4. For internal and supplier audits, makes sure an audit plan, agenda, and sign-in sheet is available to share with FDA as documented evidence. 
  5. Make sure management review meetings, internal audits, and supplier audits are placed on an annual schedule. 
  6. Without documented evidence of compliance, the CJO stands no chance of defending his or her medical device establishment during an inspection. Why? Because if activities are not documented in writing, in the eyes of the agency, the activities did not occur. 

In closing, thank you again for joining Dr. D and I hope you find value in the guidance provided. Until the next installment of DG – cheers from Dr. D. and best wishes for continued professional success. 

References:

  1. Code of Federal Regulation. (2013, April). Title 21 Part 820: Quality system regulation. Washington, D.C.: U. S. Government Printing Office.
  2. Devine, C. (2011). Devine guidance for complying with the FDA’s quality system regulation – 21 CFR, Part 820. Charleston, SC: Amazon.
  3. ISO 13485:2003. (2004, February). Medical devices – quality management systems – requirements for regulatory purposes (ISO 13485:2003).

About The Author

Exit mobile version