FDA Inspections are Different from ISO Audits, So Don't Treat Them the Same - OMTEC 2017

FDA Inspections are not ISO Audits

ISO Audits are not FDA Inspections

John Gagliardi MidWest Process Innovation, LLC

June 2017 OMTEC

3 Courtesy of MidWest Process Innovation, LLC

Audit – ISO 13485

Audit is an independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies or procedures. It is used to determine the authenticity and validity or to ensure that a process is being followed. Preparation for ISO Audits is essential.


Inspection – 21 CFR, Part 820

Inspection indicates that the regulatory authorities are checking documents, records, facilities and any other resources to verify a certain set of standards. It is the act of examining something, often very closely. Announced or unannounced, there should be a coherent strategy and procedure in place (that everyone…yes, everyone…at the company reads and can understand) to managing FDA Inspections. It’s not a matter of luck and chance that your company will be a winner at the end of this inspection.


FDA Inspection or an ISO Audit

…if you’re are not prepared for either one of these assessment activities, your company could “fall flat on it’s face.” Knowing your company’s intrinsic limitations, upper-level management’s involvement and handling the final exit interview where a “best foot forward” is essential can make or break the strategic outcome an FDA inspection or an ISO Audit.



Besides managing the logistical variables, your company also must put the best possible objective evidence in front of these evaluators



Having inexperienced people talking to investigators or auditors spells FAILURE. Choose an experienced Management Representative: 1. Detail oriented, analytical, good documentation 2. Understands the regulations (read preamble) 3. Can challenge the company for more resources 4. Provide adequate training for internal auditors 5. Make sure external auditors are competent 6. Re-audit when necessary 7. Perform adequate trending for management review 8. Knows how to handle FDA Inspections and ISO Audits


Top Ten Deficiencies Found by FDA

l Training process has not been [adequately] established ---------------------------10 l Design Change process has not been [adequately] established ------------------ 9 l CAPA activities and/or results have not been [adequately] documented -------- 8 l Process for quality audits has not been [adequately] established ----------------- 7 l Nonconformance process has not been [adequately] established ---------------- 6 l MDR procedures have not been [developed] [maintained] [implemented] ------ 5 l A process whose results cannot be fully verified has not been

[adequately] validated ------------------------------------------------------------------------- 4 l Purchasing control process has not been [adequately] established --------------- 3 l Complaint handling process has not been [adequately] established -------------- 2 l CAPA process has not been [adequately] established –------------------------------ 1

Establish means to define, document in writing and (then) implement


Lessons Learned from Inspections and Audits

l Opening meeting: get to the point and not a life story l A bulleted opening presentation is great for ISO and a frustration for FDA.

ISO Auditors like them in color with pictures. l Background about the devices and the company l Assign scribes to keep detailed notes, including context of requests for particular records.

These notes will be crucial for your response to the FDA. Likewise, keep a copy of all evidence that the FDA Investigator takes from the inspection.

l Be precise and directly answer all questions from the investigator Discussion is okay during an ISO Audit

l Clear summaries – particularly in reports/forms. l Avoid conversational language with the FDA investigator and

encourage conversation with ISO Auditor l Traceability of actions and actions completed l Keep records of inspection and audit communication l Training needs are clearly stated and supported by training records l Clear and accurate specifications are imperative l If it isn’t documented, it didn’t happen!


A diverse modus operandi

Investigators and auditors not only behave differently when they are sitting across the table from you, but they also have a diverse modus operandi that enforces the law and complies with a voluntary Standard, respectively.


…we don’t like our auditor vs. …we don’t like the investigator

The Auditor… The ISO 13485 Standard is totally voluntary and, frankly, if your company doesn’t like the way they are being audited or the auditor (that they “picked out of a hat”), you can change auditors or, for that matter, change Registrars rather seamlessly. It is costly $$. The Investigator... You could complain to the FDA District Office...I wouldn’t waste my time…and of course humans tend to “pay back”


FDA Quality System Inspection Technique (QSIT)

Inspection Level

Reason for Inspection

QSIT Subsystems Inspected

1 Abbreviated CAPA plus one subsystem

2 Baseline (Comprehensive)

The Four Major Subsystem

3 Compliance Follow-up

As directed by inspection guidance


FDA Quality System Inspection Technique (QSIT)

l Identifies 4 major subsystems to evaluate and states the purpose and importance of each subsystem

- CAPA - Production and Process Controls - Design Controls - Management

l Provides flowcharts and inspectional objectives to cover during inspection

l Offers advice – depends on the investigator l Provides tables for statistical sampling

of records for review


ISO 13485:2016 Quality Systems Audit - Frequency

l Stage One Audit – “Desk-top audit” on or off site.

1. The proposed scope of your registration 2. The status of implementation of your management system 3. The appropriate regulatory and legal requirements 4. Your management policies and objectives 5. Whether the system addresses the key areas of your business 6. Your site-specific activities – top level process review 7. Your key management elements, e.g. internal audits, reviews and complaints procedures 8. Your readiness to move onto Stage 2 of the audit, the Registration Audit.

l Stage Two Audit – This Registration Audit involves a full review of your management system, including relevant records and documents.

l Surveillance and Reassessment - At least once a year, the Registrar visits your company to ensure the management system is being maintained and is achieving its expected outcomes. During each visit, part of the management system is reviewed in depth. Certificates expire every three years, with the expiry date indicated on the certificate. Before that date, the Registrar does a detailed audit, reviewing the performance of the whole management system to make sure every element is performing satisfactorily.


Basic FDA Inspections - Frequency

Biennial: Class II and III manufacturers – Includes contract manufacturers, design specification developers, re-packagers, re-labelers and contract sterilizers • Reduced FDA Resources = risk-based approach. • Each year CDRH selects a few high risk Class I firms For Cause Inspections can be anytime or as a follow-up to an audit with a lot of observations to close-out in a timely manner


FDA giving Prior Notice isn’t a “for sure”

Class III > II > I l Pre-Market and Post-Market (PMA) l Initial inspections of Class III l Compliance Follow Up* l For Cause Inspections* l Consumer Complaint/Whistleblower* l Manufacturers of high risk devices* l Manufacturers of medical devices* *Inspections that don’t (always) require pre-announcement from FDA


Assumptions (that you can’t make with the FDA and ISO)

l I’m ISO certified; you won’t find anything l I’m a contract manufacturer; you don’t belong here l The last investigator only took a day l The last investigator said this… l That’s your subjective opinion; you can’t cite this! l All FDA investigators are created equal l …..a 180 – We had a successful FDA Inspection

so the ISO Audit will be “a breeze” l …..an FDA Audit l …..an ISO Inspection


Before the FDA Inspection - Investigator

l Can call five days before the inspection to pre-announce l Request procedures to review ahead of time

to facilitate inspection l The FDA Investigator provides notice (FDA Form 482) of

the inspection prior to the start of the actual evaluation. This document has to be signed by the highest authority in the company.

l Review firm’s inspectional history, MDRs, recalls, 510(k)s, PMAs, standards that apply to products, Registration & Listing information

l Can bring a friend (a trainee)


Before the ISO Audit - Auditor

l Scheduled months in advance – You’ll receive an audit plan l You know who your auditor(s) will be ahead of time l Every three years the Registrar will “change it up” with

another auditor for purposes of objectivity l Request procedures to review ahead of time to facilitate audit…..many

of the procedures have already been reviewed at the Stage One Audit (if it is your first audit)

l Review firm’s regulatory history, MDRs, MDVs, recalls, 510(k)s, PMAs, standards that apply to products.

l Communicate with the auditee by e-Mail or Telephone prior to the audit date. More social in nature.


Top-Level checklist to be addressed prior to the inspection:

l Procedure for managing the inspection is completed l The appropriate people are now trained (including the receptionist) l The FDA Management team is identified and a first meeting is orchestrated

to discuss logistics and responsibilities l Conduct a mock FDA Inspection that includes interviewing techniques l Review of what the FDA can review and what they (should not) review l Conduct a document review of Standard Operating Procedures versus

the appropriate Work Instructions. l Review complaints, any MDRs, MDVs, Service Reports and Recalls going back at least

three years. Link this review to Corrective and Preventive Actions taken and final resolve, if any. Review the corrective action log and responses.

l Make sure that the President knows that having a lawyer as part of the inspection team is not necessary and often a negative factor during the inspection. The intimidation factor and the endless questions can be confusing to all involved.

l Review the Risk Management File for each device and major processes to confirm accuracy, resolution and disposition

l Establish linkages between the Design History File, the Device Master Record and the Device History Record(s). Conduct an assessment.

l Let everyone at the company know that there will be an FDA Investigator on site – be ready


Top level checklist to be addressed prior to the audit:

l Procedure for managing the audit is completed...Process ownership roles are important l The appropriate people are now trained (including the receptionist) l The Management Representative and his/her team is identified and a first

meeting is orchestrated to discuss logistics and responsibilities l Review the results from the last audit and internal audits conducted since the last audit l Conduct a document review of Standard Operating Procedures

versus the appropriate Work Instructions. l Review complaints, any MDRs / MDVs, Service Reports and Recalls, etc. going back at least one

year. Link this review to Corrective and Preventive Actions taken and final resolve, if any. Review the corrective action log and responses.

l Review the Risk Management File for each device and major processes to confirm accuracy, resolution and disposition

l Make sure that the documents and documentation is available l All process owners should be ready to discuss their processes l Review the past three management reviews – make sure that they

are explainable and clearly formatted l Let everyone at the company know that there will be an ISO Auditor on site on these dates


Top Down vs. Bottom Up

FDA QSIT An FDA validated method for investigators to conduct medical device inspections Uses the “top down” approach – look at procedures and ask questions - then review records What actually happens is bottoms-up – lets see the record and by the way, do you have a procedure! ----------------------------------------------------------------------------------------- ISO Audits Uses “top down” approach with linkage thinking ISO Auditors tend to keep journals for the final report


Linkages during an ISO Audit

How Linkages Work during an ISO 13485 Audit

Purchasing Process Controls

Incoming N/C Product

Risk Management

Acceptance Activities CAPA

Evaluation and Monitoring


Arrival of Investigators and Auditors

Investigators and Auditors should arrive at the main lobby of the facility. At no time will the investigator or auditor be allowed access to any part of the building, other than the lobby area without a company escort. In cases where the investigator arrives at another entry or access point other than the lobby, the investigator will be escorted to the main lobby of the facility until the arrival of the appropriate coordinator or escort personnel…same with auditors.


FDA Arrives – Management Representative / Regulatory Affairs

The Management Representative and/or the Regulatory function will, upon arrival of the Investigator: l Meet with the Investigator and confirm identity and record the

Investigator's name, badge number and office address.

l Determine the purpose of the inspection and verify the legitimacy of the visit by telephoning the Investigator's office, as required and necessary. If the Investigator is from FDA, receipt of a Notice of Inspection form, FDA-482, must be obtained.

l Notify all employees of Company X that an FDA Inspector is on the premises. Call your customers if you are a contract manufacturer.

l Secure the Conference Room to be dedicated to this inspection for the duration.

l Organize an escort/support team made up of the Management Representative and the Regulatory function. This support team will be briefed by the Quality System Process Owner as to the purpose, scope and intent of this inspection.

Run It – Don’t Let It Run You


The Control Room

l A Control Room is to be set up to administrate the logistics and deliverables of the inspection. This room should be located near documents and records retrieval areas and have the following equipment in place:

l Telephone and fax to the Conference Room l E-mail accessibility l Internet accessibility l Flip charts l Copy machine access l Magic markers l Log book (hard copy or electronic) to keep track of all samples and

documents that have been given to or copied for FDA, respectively


The Control Room

The Control Room l Qualified personnel with a strong systems background

should be in the Control Room: - cGMP-QSR savvy - Very familiar with the documentation flow - Know where the gaps might be - Have been through FDA inspections in the past, if applicable - Not necessarily management (preferably not) - Linkages-savvy - Quick thinkers with inquiring minds - Endurance (long pauses and quick starts) - Know the right people and “what buttons to push” to find information


Conduct During the Inspection

Conduct During the Inspection l Awareness of what is going on at all times by the contact person of the

manufacturer during the inspection is important. Therefore, once started, the inspection should be given priority. If the contact person is distracted by other business, the inspection may be prolonged and the investigator's questions concerning suspected deficiencies may be misunderstood or answered inadequately. Familiarity with the circumstances surrounding any deficiencies listed on form FDA 483 (the list of deviations presented at the close of the inspection) is vital in discussion of these with the investigator.

l If there are questions for which you don't have immediate answers, promise to research the questions. A list of these unanswered questions is a reminder to get the answers and give them to the investigator. The investigator usually records the questions, and resolving unanswered questions may help avoid inaccuracies on the form FDA 483 and in the establishment inspection report prepared by the investigator at the end of the inspection.


Conduct During the Audit

Conduct During the Audit l Awareness of what is going on at all times by the contact

person of the manufacturer during the Audit is important l Therefore, once started, the Audit should be given priority l If the contact person is distracted by other business,

it might be considered disrespectful. l If there are questions for which you don't have immediate answers, you’ll talk

through them with the auditor…curt answers are not necessary l More of a social atmosphere l More discussion l Some auditors cross over the line and consult l Lunch is served l Business casual


FDA Close-out Meeting (exit interview)

l At the end of an FDA inspection, the investigator conducts an exit interview. It is usually held immediately after the inspection, but may take place a day or so later, especially if it takes a long time to prepare form FDA 483.

l During this meeting, the investigator discusses with company management the observations recorded on form FDA 483 and other observations not listed that the Investigator wishes to bring to management's attention.

l The manufacturer should compare the form FDA 483 against notes taken during the inspection to confirm the accuracy and completeness of the investigator's recorded observations.

l Close-out meetings present an opportunity for all parties to correct such misunderstandings. Inaccurate observations will be changed or deleted as appropriate. Top management should be present at the close-out meeting to provide information regarding any planned corrective actions to be taken and schedules for these actions.


FDA Classifies Inspection Reports

l NAI – No action indicated

l VAI – Voluntary action indicated – some deficiencies identified, but not serious

l OAI – Official action indicated – serious deficiencies identified and FDA must take action to assure correction


ISO Close-out Meeting

l At the end of an ISO Audit, the auditor conducts a close-out meeting. It is usually held immediately after the audit. You have been appraised of these findings throughout the audit so there are no surprises.

l During this meeting, the auditor discusses an overview of impressions, management commitment, how the audit went, next steps, thank you very much, etc.

l It can be rather social with many of the process owners in the room l Close-out meetings present an opportunity for all parties to correct such

misunderstandings. Inaccurate observations can be changed or deleted as appropriate.

l Top management should be present at the close-out meeting to provide information regarding any planned corrective actions to be taken and schedules for these actions. Impressions are important.


After the Inspection or the Audit

Completion of the inspection by the FDA investigator or ISO Auditor should signal the start of certain activities by the manufacturer, if these activities have not already been initiated, such as discussion of deficiencies with appropriate department employees and process owners to advise them of corrective actions to be made and time frames involved.


Next Steps - Inspection

l Respond in writing (as soon as possible) when a Form FDA 483, Inspection

Observation Form, is issued.

l Coordinate, with the Quality/Regulatory Function, all Company X correspondence to the FDA, to close out the inspection as appropriate.

l Ensure that a follow-up internal audit or internal review is conducted to ensure appropriate corrective action has been implemented and it is effective.

l Review the EIR (Establishment Inspection Report) and conduct a Quality Review Board Meeting

l Issue a report summarizing inspection results and provide a response when an inspection finding(s)is issued. The reports shall be disseminated, at a minimum, to the Management Representative and the President.

l


Next Steps - Audit

l Respond in writing (as soon as possible) when an audit report is issued.

Usually, the report is issued before the auditor leaves Company X.

l Coordinate, with the Management Representative, all Company X correspondence to the auditor, to close out the audit as soon as possible

l An NCR will be issued for each finding that includes stating the issue, root cause, action plan(s), corrective action – usually about thirty days to get back to the auditor and Registrar with the corrective action plans.


Thank You

John Gagliardi

MidWest Process Innovation, LLC 7736 Woodside Court

Maineville, Ohio 45039 [email protected] [email protected]

www.midwestprocessinnovation.com Cellular Telephone: 513.315.9820

Office Telephone and Fax: 513.573.0085 Alternate Telephone: 513.573.0519

mailto:[email protected]

mailto:[email protected]

http://www.midwestprocessinnovation.com/

Presentations & Public Speaking

FDA Inspections are Different from ISO Audits, So Don't Treat Them the Same - OMTEC 2017