Linda Braddon, Ph.D., President and CEO, Secure BioMed Evaluations11.30.18
When I first started out in medtech, I did not have a good appreciation for quality systems. I was working as an engineer at the time, and I found quality systems quite a nuisance because any change I proposed was either restricted or not allowed due to a regulatory or quality burden. Now, after more than 20 years in the industry, I have become one of “those” people who I found quite annoying as a young engineer. I cringe when my engineers want to make changes to a product, and I’m skeptical when the team wants to “streamline” a process solely to make things easier. My resistance to change is clearly driven by my years of audit experience: If it is not written down, it doesn’t exist. If it is written in a process, that process must be strictly followed. If a process does not make sense, ask questions.
At SBME, one of the most valuable activities we provide clients is quality systems management and hosting both U.S. Food and Drug Administration (FDA) and Notified Body audits. Thus, one of our annual activities is reviewing what we’ve learned from our own audit experiences and determining if there are process and procedure improvements we should make. Another favorite activity is a review of FDA warning letters, since it is interesting to discover exactly how medtech firms are doing wrong by FDA’s standards.
Industry’s major transgressions for 2018 (at least, those resulting in FDA warning letters) are:
No. 10: No FDA approvals or clearances (multiple code sections). This ranged from not having a 510(k), PMA, IDE, or making claims not included in an original submission. I personally found this breach interesting because I was burned by this issue during a 510(k) submission several years ago. I spent a great deal of time making direct comparisons between my subject device and a similar device that was being sold in the United States. I assumed (and we all know what happens when you assume) that this particular model number was covered under the predicate company’s 510(k) number. But the FDA reviewer told me I needed to find another predicate device because the commercially available product that somewhat resembled the device in the predicate’s original submission was actually not cleared under a 510(k). This was a perfect example of a company using a letter to file inappropriately. It is essential that companies know when to write a letter to file and when to submit a new 510(k) application. Adding new claims or expanding the product line outside already approved boundaries is probably grounds for a new submission rather than internal documentation.
No. 9: Purchasing controls (21CFR820.50). Here’s a good rule of thumb for purchasing controls—know the buyer and always match the order to goods received. The most common wording regarding this violation was the lack of evaluation of supplier contracts and suppliers to ensure they meet specified requirements. In simple terms, this is all about supplier control. All suppliers must be qualified before they can be used, and these suppliers should be regularly reviewed to ensure they meet a company’s requirements. There are various ways to accomplish this, including supplier audits and yearly supplier reviews. Quality agreements also can help guarantee key suppliers are on the same page with their customers regarding quality expectations.
No. 8: Nonconforming Product (21CFR820.90). There are lots of things to pay attention to in this area. First, make sure there is a procedure in place. If a product is non-conforming, confirm there are sufficient controls to prevent this product from leaving the building. Non-conforming products that failed final inspection need a rework procedure to document any fixes before any repair work and re-inspection begins. Also, the root cause of the non-conformance should be tracked and investigated because redundant non-conformances are indicative of a bigger issue. In addition, be prepared to justify non-conforming products with an “accept as is” designation; accepting a non-conforming product for cost purposes (can’t afford to scrap it) will surely lead to a finding and could result in a warning letter.
No. 7: Complaints (21CFR820.198). Obviously, FDA cares about procedure. This should be low-hanging fruit. However, once there is a complaint and a procedure determining what to do with the complaint, an evaluation must be conducted to figure out whether the complaint is reportable. There are time restrictions on reportable events, so it is important to have a simple but effective process to determine reportability. I recommend identifying incoming issues as “feedback” and then deciding whether that feedback is a complaint. If it is feedback, take note and trend for management reviews because it may highlight areas that should be explored from a business perspective. Keep in mind, though, that customer feedback is not necessarily a complaint. In my experience, companies that call every issue about their product a “complaint” without conducting a proper evaluation tend to be overwhelmed with data. Time is of the essence with complaint handling, so ensure the process is manageable.
No. 6: Post Market Surveillance activities (21CFR822). If FDA requires a post market surveillance effort, do it. From our review, it seemed like the agency’s concerns often surrounded real-world vs. perception in equipment reprocessing. This is especially critical when the reprocessed devices are to be used on multiple patients and the reprocessing must decontaminate the product. If the reprocessing steps are complicated, there may be a significant disconnect between what needs to happen to ensure proper cleanliness and what actually will happen in the field. If this difference can possibly endanger patients, FDA will expect the manufacturer to understand what will really happen in the field with its device and guarantee its reprocessing instructions adequately reflect this.
No. 5: Production and Process Control (21CFR820.70). There are lots of places for mistakes to happen here. Common examples in the warning letters were:
No. 4: CAPAs (21CFR820.100). Certainly, some companies received warning letters for failing to establish and maintain procedures for CAPA. However, the big misses in this category were failure to trend complaints to determine if a CAPA is necessary, failing to conduct effectiveness checks once a CAPA was completed, and not evaluating the root cause reasons for rework as a feeder into a potential CAPA.
No. 3: Deviations in GLP studies (21CFR58). One of SBME’s jobs is to ensure testing is done for our clients. This one certainly piqued my interest because we often have so little insight into testing labs and we often assume they are doing all the right things. Companies that outsource testing services should review protocols, raw data, quality signatures, and final reports. They should question areas that don’t make sense, and they should also request the raw data to store with the report; by doing so, they will not be at someone else’s mercy if FDA questions the data.
No. 2: Medical Device Reporting (21CFR803). The violations in this category fell into two primary areas: 1) failure to develop, maintain, and implement a written MDR procedure, or 2) failure to report a malfunctioning device. I have been in more meetings discussing and debating (and sometimes arguing) about whether a complaint was reportable. The best way to ensure compliance is to conduct a health hazard risk assessment that will lead the evaluator through the proper line of questioning and eventually determine whether the event is reportable. Enlist help if necessary. Sometimes an unbiased party is necessary to highlight the strengths and weaknesses of the argument. And don’t hesitate to contact the FDA itself—the agency, believe it or not, is there to help.
No. 1: Design Control (21CFR820.30) This was the most common violation, probably because this category can overlap so easily into other areas. The design control violations ranged from not having a design control procedure to having design validation failures. Risk management also fell under the design control violation category—particularly, not having a risk management procedure. Another violation was not using a risk-based approach to design reviews (very ISO 13485:2016-like). In an earlier article I wrote this year, I stressed our company’s experience with taking a risk-based approach to design change. A risk-based assessment must be conducted to determine the impact of the change (i.e., defining “significant”). It’s very easy to get caught up in the mindset that a design change is an improvement and won’t negatively impact patients. Device firms should be ruthless in their risk evaluations. If there is a new risk that was not present in the cleared design, a new 510(k) is needed even if there is a way to mitigate that risk. Finally, the biggest difference between ISO 13485 and FDA requirements for design control is that FDA specifically calls out a Design History File. This violation can easily be avoided by making a comprehensive table of contents with pointers to all design history file records.
I hope this top 10 list helps guide medtech companies’ compliance efforts. By identifying the top issues, device manufacturers can employ a risk-based approach to evaluating their quality systems. Best of luck on the journey down the road of continuous improvement—may it result in fewer FDA warning letters in 2019.
Linda Braddon, Ph.D., is president and CEO of Secure BioMed Evaluations. She works with emerging and established companies to prove regulatory, quality, and technical support to both the medical device and biologics industries. Dr. Braddon has a Bachelor of Science degree in engineering from Mercer University along with a master of science degree and a Ph.D. in mechanical engineering with a specialization in bioengineering. Her 20 years of experience includes extensive work in orthopedics, dental implants, ophthalmology, respiratory, urology, hydrogels, dura mater substitutes, wound coverings, orthotic devices, and antimicrobial agents.
At SBME, one of the most valuable activities we provide clients is quality systems management and hosting both U.S. Food and Drug Administration (FDA) and Notified Body audits. Thus, one of our annual activities is reviewing what we’ve learned from our own audit experiences and determining if there are process and procedure improvements we should make. Another favorite activity is a review of FDA warning letters, since it is interesting to discover exactly how medtech firms are doing wrong by FDA’s standards.
Industry’s major transgressions for 2018 (at least, those resulting in FDA warning letters) are:
- CAPA
- Complaints
- Design Control
- Device History Record
- Device Master Record
- Document Control
- General
- GLP Studies
- Inspection, Measuring, and Test Equipment
- Management Responsibility
- Medical Device Reporting
- No Approval/Clearance
- Nonconforming Product
- Personnel - Training
- Post Market Surveillance
- Premarket Notifications
- Process Validation
- Production and Process Control
- Purchasing Control
- Quality Audits
- Receiving, In-Process, and Finished Device Acceptance
- Records and Reports
- Statistical Techniques
No. 10: No FDA approvals or clearances (multiple code sections). This ranged from not having a 510(k), PMA, IDE, or making claims not included in an original submission. I personally found this breach interesting because I was burned by this issue during a 510(k) submission several years ago. I spent a great deal of time making direct comparisons between my subject device and a similar device that was being sold in the United States. I assumed (and we all know what happens when you assume) that this particular model number was covered under the predicate company’s 510(k) number. But the FDA reviewer told me I needed to find another predicate device because the commercially available product that somewhat resembled the device in the predicate’s original submission was actually not cleared under a 510(k). This was a perfect example of a company using a letter to file inappropriately. It is essential that companies know when to write a letter to file and when to submit a new 510(k) application. Adding new claims or expanding the product line outside already approved boundaries is probably grounds for a new submission rather than internal documentation.
No. 9: Purchasing controls (21CFR820.50). Here’s a good rule of thumb for purchasing controls—know the buyer and always match the order to goods received. The most common wording regarding this violation was the lack of evaluation of supplier contracts and suppliers to ensure they meet specified requirements. In simple terms, this is all about supplier control. All suppliers must be qualified before they can be used, and these suppliers should be regularly reviewed to ensure they meet a company’s requirements. There are various ways to accomplish this, including supplier audits and yearly supplier reviews. Quality agreements also can help guarantee key suppliers are on the same page with their customers regarding quality expectations.
No. 8: Nonconforming Product (21CFR820.90). There are lots of things to pay attention to in this area. First, make sure there is a procedure in place. If a product is non-conforming, confirm there are sufficient controls to prevent this product from leaving the building. Non-conforming products that failed final inspection need a rework procedure to document any fixes before any repair work and re-inspection begins. Also, the root cause of the non-conformance should be tracked and investigated because redundant non-conformances are indicative of a bigger issue. In addition, be prepared to justify non-conforming products with an “accept as is” designation; accepting a non-conforming product for cost purposes (can’t afford to scrap it) will surely lead to a finding and could result in a warning letter.
No. 7: Complaints (21CFR820.198). Obviously, FDA cares about procedure. This should be low-hanging fruit. However, once there is a complaint and a procedure determining what to do with the complaint, an evaluation must be conducted to figure out whether the complaint is reportable. There are time restrictions on reportable events, so it is important to have a simple but effective process to determine reportability. I recommend identifying incoming issues as “feedback” and then deciding whether that feedback is a complaint. If it is feedback, take note and trend for management reviews because it may highlight areas that should be explored from a business perspective. Keep in mind, though, that customer feedback is not necessarily a complaint. In my experience, companies that call every issue about their product a “complaint” without conducting a proper evaluation tend to be overwhelmed with data. Time is of the essence with complaint handling, so ensure the process is manageable.
No. 6: Post Market Surveillance activities (21CFR822). If FDA requires a post market surveillance effort, do it. From our review, it seemed like the agency’s concerns often surrounded real-world vs. perception in equipment reprocessing. This is especially critical when the reprocessed devices are to be used on multiple patients and the reprocessing must decontaminate the product. If the reprocessing steps are complicated, there may be a significant disconnect between what needs to happen to ensure proper cleanliness and what actually will happen in the field. If this difference can possibly endanger patients, FDA will expect the manufacturer to understand what will really happen in the field with its device and guarantee its reprocessing instructions adequately reflect this.
No. 5: Production and Process Control (21CFR820.70). There are lots of places for mistakes to happen here. Common examples in the warning letters were:
- Control of environmental conditions
- Exceeding microbial action limits
- Failure to prevent equipment contamination
- Failure to validate software
- Measuring part and accepting part when measurement was out of specification
- Not following work instructions on the production line
- Not correctly measuring the width of a sterile seal
- Not sanitizing items that enter a controlled hood
No. 4: CAPAs (21CFR820.100). Certainly, some companies received warning letters for failing to establish and maintain procedures for CAPA. However, the big misses in this category were failure to trend complaints to determine if a CAPA is necessary, failing to conduct effectiveness checks once a CAPA was completed, and not evaluating the root cause reasons for rework as a feeder into a potential CAPA.
No. 3: Deviations in GLP studies (21CFR58). One of SBME’s jobs is to ensure testing is done for our clients. This one certainly piqued my interest because we often have so little insight into testing labs and we often assume they are doing all the right things. Companies that outsource testing services should review protocols, raw data, quality signatures, and final reports. They should question areas that don’t make sense, and they should also request the raw data to store with the report; by doing so, they will not be at someone else’s mercy if FDA questions the data.
No. 2: Medical Device Reporting (21CFR803). The violations in this category fell into two primary areas: 1) failure to develop, maintain, and implement a written MDR procedure, or 2) failure to report a malfunctioning device. I have been in more meetings discussing and debating (and sometimes arguing) about whether a complaint was reportable. The best way to ensure compliance is to conduct a health hazard risk assessment that will lead the evaluator through the proper line of questioning and eventually determine whether the event is reportable. Enlist help if necessary. Sometimes an unbiased party is necessary to highlight the strengths and weaknesses of the argument. And don’t hesitate to contact the FDA itself—the agency, believe it or not, is there to help.
No. 1: Design Control (21CFR820.30) This was the most common violation, probably because this category can overlap so easily into other areas. The design control violations ranged from not having a design control procedure to having design validation failures. Risk management also fell under the design control violation category—particularly, not having a risk management procedure. Another violation was not using a risk-based approach to design reviews (very ISO 13485:2016-like). In an earlier article I wrote this year, I stressed our company’s experience with taking a risk-based approach to design change. A risk-based assessment must be conducted to determine the impact of the change (i.e., defining “significant”). It’s very easy to get caught up in the mindset that a design change is an improvement and won’t negatively impact patients. Device firms should be ruthless in their risk evaluations. If there is a new risk that was not present in the cleared design, a new 510(k) is needed even if there is a way to mitigate that risk. Finally, the biggest difference between ISO 13485 and FDA requirements for design control is that FDA specifically calls out a Design History File. This violation can easily be avoided by making a comprehensive table of contents with pointers to all design history file records.
I hope this top 10 list helps guide medtech companies’ compliance efforts. By identifying the top issues, device manufacturers can employ a risk-based approach to evaluating their quality systems. Best of luck on the journey down the road of continuous improvement—may it result in fewer FDA warning letters in 2019.
Linda Braddon, Ph.D., is president and CEO of Secure BioMed Evaluations. She works with emerging and established companies to prove regulatory, quality, and technical support to both the medical device and biologics industries. Dr. Braddon has a Bachelor of Science degree in engineering from Mercer University along with a master of science degree and a Ph.D. in mechanical engineering with a specialization in bioengineering. Her 20 years of experience includes extensive work in orthopedics, dental implants, ophthalmology, respiratory, urology, hydrogels, dura mater substitutes, wound coverings, orthotic devices, and antimicrobial agents.