Insights & Intelligence for Regulatory Leaders

The word “audit” can strike panic in poorly prepared medtech companies. However, audits serve an important purpose in ensuring a compliant and effective quality system and production of safe and effective medical devices. And organizations can limit the stress and risk around audits through proper preparation. 

The key to a positive audit is to ensure that your organization’s focus is on building and implementing quality processes and procedures that cover the entire product life cycle and are continuously evaluated and improved upon. Not only is it the right thing to do, but focusing too closely on simply passing an inspection or audit may leave gaps in your processes and present a false sense of compliance. This article covers audit basics, how to prepare for them, and what to do when you receive an audit finding.

What is an audit?

Per ISO 19011 an audit is a systematic documented and independent process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. Audits can be internally conducted, externally conducted by interested parties (i.e., customers/ suppliers), and externally conducted by government agencies and notified bodies to ensure that product design, manufacturing, safety, and documentation requirements are being met. Audits will verify compliance with regulatory and quality system/GxP (Good Manufacturing Practices, Good Distribution Practices, etc.) requirements. GxP standards are dictated by the US FDA, European Medicines Agency (EMA), the UK Medicines and Healthcare Products Regulatory Agency (MHRA), and other regulatory bodies which rely on country-specific regulations as well as standards developed by the International Organization for Standardization (ISO). 

Audits are required regardless of device class, but audit requirements in the EU and US, along with most other markets, can be dependent on the device classification. For most medium to high-risk devices in the US and EU, the following audits take place:

• Audits by EU Notified Bodies: Audits by EU Notified Bodies focus on compliance with MDR 2017/745 or IVDR 2017/746. Notified Bodies are also responsible for certifying quality management systems (QSR) against the requirements of ISO 13485:2016. Periodic “surveillance audits” will also be performed, based on the classification of the medical device(s).
• FDA Inspections: The FDA will conduct inspections to ensure compliance with the quality system regulation, 21 CFR 820, and to confirm that a facility is capable of manufacturing the medical device. The FDA will conduct pre-approval inspections to verify data included in a market submission, along with periodic routine inspections, following the Quality System Inspection Technique (QSIT) as required by regulation (currently every two years for Class II and Class III USA-based device manufacturers and every five years for international device manufacturers).
• Unannounced and “for cause” inspections: Manufacturers in the US and EU, and many other markets, are subject to different types of inspections triggered by consumer complaints, reported non-conformities, or other issues. These “for cause” inspections may be scheduled or unannounced.

How to prepare for an inspection

Audit preparation is a continuous process that should be built into your quality system and regulatory processes. Some items to consider:

Internal Quality audits

The best way to prepare for an upcoming audit or inspection is to use the internal audit program to your benefit. The FDA QSR, FDA 21 CFR 820, calls for medical device manufacturers to perform regular internal audits of their systems and to provide evidence of these audits and their effectiveness. When possible, conduct internal audits as if you’re the regulatory body and take them seriously. Internal audits should find the issues before the regulators do. Issue nonconformances and address them in a timely manner.

Performing “mock” audits is another great way to prepare for external inspections/audits from the FDA, notified bodies, and other regulatory authorities. Mock audits are a rehearsal for your team to prepare them for the real thing. They can act as try-outs to determine who is equipped to handle being audited and those that are too nervous or offer too much information when asked a question, requiring additional training. Mock audits are typically separate from the internal audit program since they are conducted based on different objectives and for training purposes.

It’s common to contract an independent third party to perform mock audits. Consider conducting unannounced mock audits to get the truest picture of your company’s preparedness. In short, the tougher medical device manufacturers are on themselves while preparing for the audit, then the less stressful the actual audit will be.

Self-identify issues as they appear and do not wait for the internal audit. If an issue is identified during the audit preparation or mock audit, implement corrective and preventive actions (CAPA) to address the issue. This is vital to demonstrate that you are aware of an issue and have begun remediation or corrective actions if and when those issues are uncovered during the real inspection or audit.

Choose the right audit host

When you have an upcoming audit or inspection, you must choose the right company representative to host the auditor(s). The person you choose will represent your company, so be deliberate about selecting those who know the company, its quality management system, and its products well. It should also be someone you’re confident can perform well under pressure and remain mission-focused in managing the audit and not necessarily answering every question immediately. The audit host can significantly impact the audit for the better or worse, so be certain that you have the right person in place who will be able to represent the organization’s values and facilitate an efficient audit.

While the person or people working directly with the auditor(s) are often from your quality team, they will need to be supported by subject matter experts (SMEs) from other functions for the duration of the audit – this will include the regulatory, engineering, operations, and marketing teams – who can answer specific questions and gather requested documents. These SMEs must be pre-identified along with alternates as part of the audit preparation. They should be comfortable facing an auditor and answering the auditor’s questions.

Gather all the necessary documents

As part of the audit process, the auditor(s) will expect access to information that they need to determine your organization’s compliance with all quality system and regulatory requirements. Based on the requirements, audit guidance, and previous audits, commonly requested documents should be known. This documentation should be pre-identified, compliant, and available before the start of an audit. This can be in the form of hard copies or electronically through files or links. The goal is to have documents readily available to avoid audit delays.

"If it takes too long to get documents to the auditor when they ask for them, you’re not making a good overall impression that everything is under control, making things more difficult for the auditor(s). Auditors have schedules to meet and follow certain audit trails. The last thing you want is your auditor getting agitated because they are spending a lot of time waiting for information." - Bruce McKean, Rimsys Director of Regulatory Affairs

It is critical that all regulatory information related to your products is readily available during an audit, such as registration status, certificates, regulatory impact assessments, and essential principles, along with submission content and post-market data. A central RIM system that stores all regulatory data and links to (or references) the current versions of records from other systems, such as PLM, eQMS, and ERP systems, can smooth the audit process significantly.

During an audit

As an organization, you will want to manage as much of the audit process as possible. Your audit host will greet the auditor(s) and give them a brief overview or presentation of your company, and most likely conduct a facility tour. After this, while the auditor(s) will direct the process, the more your host can assist and guide them, the better.

In the case of unannounced inspections/audits, there must be a procedure in place that defines how to receive and handle these types of audits. This will include who is the primary contact during such an inspection (often a Quality Management team member or representative), as well as Executive Management, and alternates when those people are not available.

Ideally, you should have more than one company representative with the auditor(s) during the audit and auditors should not be left alone at any point. Most companies have a team in the “front room” with the auditor(s) led by the audit host. The main job of this team is to transcribe every question, answer, and activity that occurs during the audit. The “front room” team will communicate with other team members in the “back room” in real-time (often via instant messaging), relaying to them any open questions, requested documents, or queuing up SMEs the auditor(s) need to speak with.

Best practices for sharing information with auditors

During an audit, employees should be cooperative and helpful, but should only share information that is specifically requested by the auditor. If information is requested that seems outside the scope of the audit, such as corporate strategic or financial documents, employees should notify the appropriate executive before providing such information.

Auditor(s) should be given access to requested information through photocopies or limited computer system access. Original documents can be presented if requested, but should never be kept by the auditor(s). All information provided should be prepared, verified, and recorded in the “back room” and then passed through to the audit host so that it can be controlled. The “back room” should mark the copies “Confidential” or “Proprietary,” as appropriate. They should also make an extra copy for the audit file, so the exact documentation given to the auditor(s) is known for future reference.

Addressing missing or incorrect information

Ideally, any potential issues with the existing quality system and related procedures are identified before an audit and corrective actions are identified and put in place. Even in cases where an issue has not been fully resolved, being able to point to awareness and appropriate actions is important.

Some findings may be able to be corrected during the audit. These findings are typically isolated issues (one-offs) that do not pose significant risks. For instance, a missing revision number, missing signature, or outdated reference. If corrected during the audit, it may negate a finding, but the auditor may want to understand why the issue occurred and what actions you have or will be, taking to ensure that it does not recur.

In cases where you are unable to produce the information requested by an auditor, or when there are questions about the validity or accuracy of the information, your internal team should acknowledge the issue but should not immediately speculate on the cause or the effect of the missing or inaccurate information. A discussion of appropriate actions under the existing quality system may be appropriate.

What to do in case of a finding

Be prepared to receive findings from any inspection. Ideally, the auditors should be working to ensure that you are compliant with regulatory requirements and that your records accurately state what you do. However, “By the nature of the beast,” says Bruce McKean, “they’re there to find instances of noncompliance.” This means that auditors will be focused on documentation that can prove or disprove adherence to your stated procedures and policies.

All findings should be disclosed before the audit closing meeting. There should be no surprises. Ensure that the findings are understood by both parties. If they are not clear, perhaps the auditor misunderstood or did not see specific objective evidence and you should discuss or review the issue with the auditor as this may negate a finding. Be sure to debrief upper management before the closing meeting. At the audit closing meeting, there should be no debate over findings. Any finding, whether major or minor, should be addressed diligently.

Audit findings or observations will result in the regulatory body in charge of the audit issuing a document that lists those findings. In most cases, you will have limited time to respond with a satisfactory plan for correcting and preventing the recurrence of the identified issues.

In the case of the FDA, multiple enforcement actions are available to the agency, ranging from warning letters to criminal prosecution. Note that many regulatory agencies will not respond further to your actions if they agree with the actions you prescribe for addressing audit observations. However, additional actions may be triggered if your response is not found to be satisfactory.

Rimsys is a holistic regulatory information management system designed for and by regulatory affairs professionals. Rimsys makes it easier to create and track submissions, keep up with product registrations and certificates, and even share pertinent data across ERP, PLM, and eQMS software platforms to ensure data integrity. Learn more about how Rimsys can help you face audits with the confidence that you have all of your regulatory ducks in a row.

‍

The Therapeutic Goods Administration (TGA), under the Australian Department of Health and Aged Care, is responsible for evaluating, assessing, and monitoring products that are defined as therapeutic goods. They regulate medicines, medical devices, and biologicals to help Australians stay healthy and safe.

Manufacturers are responsible for generating, collating, assessing, and maintaining scientific and engineering evidence that shows that their devices comply with the Essential Principles. The evidence must be relevant to the device's intended purpose and must be objective, sufficient, and robust. Manufacturers manage this by having a solid, quality management system (QMS).

An ‘Essential Principle’ is fulfilled during the design and manufacturing of medical devices and IVD medical devices, to ensure that they are safe and perform as intended. A global adoption of a common set of fundamental ‘essential’ design and manufacturing requirements for medical devices provides significant benefits to, among others, manufacturers, users, patients/consumers, and to regulatory authorities. From a high-level perspective, three basic points make up ‘Essential Principles’:

• A device must be designed to be safe and perform effectively throughout its lifecycle.

• Device manufacturers must maintain all design characteristics.
• A device must be used in a way that is consistent with how it was designed.

Many countries use the term ‘Essential Principles’ (EP's) in regulations and guidance documents. ‘Essential Requirements’ is the terminology used in the EU MDD 93/42/EEC and AIMD 90/385/EEC. With the release of the MDR/IVDR, they are now referred to as GSPR's (general safety and performance requirements). Regardless of the terms used, Essential Principles are of similar nature and overlap many of the Essential Requirements in the new GSPRs.

Demonstrating Compliance

It is the manufacturer’s responsibility to demonstrate that their medical device is compliant. The TGA’s regulatory process does not necessarily dictate “how” a manufacturer must demonstrate compliance with the Essential Principles. However, there is a range of data points that are suggested to be used as objective evidence to show that your device complies with the Essential Principles. Listed below are some examples of the data you would want to track and list in your Essential Principles documentation, commonly referred to as The Essential Principles Checklist or GSPR’s.

Details of design and construction:

• a general description of the medical device and its intended purpose
• specifications, protocols, procedures, and details of design and development methods, and technologies used for manufacturing, packaging, storage, handling and distribution
• procedures for measuring and monitoring the safety, performance, and quality of your device
• procedures for servicing (if appropriate)
• procedures for assuring your medical device is sterile (if appropriate)

Risk management reports:

• risk analysis
• risk evaluation
• identification of residual risks
• controls of known and foreseeable risks

Demonstrate compliance with relevant, generally acknowledged state-of-the-art and best-practices:

• technical standards, guidelines, or other validated methods
• codes of practice
• monographs

Characterization studies:

• Verification and validation activities, including protocols, testing and analysis.
• Records of qualitative or quantitative information obtained through observations, measurements, and tests.

Clinical evidence:

• literature reviews that include information about the hazards and associated risks from the use and potential misuse of the device.
• information about the performance of the devices you are manufacturing, including a description of the techniques used to examine whether devices of that kind achieve their intended purpose or not.
• Collation and analysis of post-market data including complaints, adverse-event reports, vigilance reports, registry data and recalls/field corrections/advisory notices.

Additional information:

• Copies of labels, packaging, patient information, and instructions for use.
• Critical evaluation written report, by an expert in the relevant field, of data (including outcomes from literature reviews) about your device.

Essential Principles checklist

The checklist is a form template that the TGA created for medical device manufacturers. It lists all the necessary requirements that must be met, as part of the technical file, to demonstrate regulatory compliance. It’s structured in a table format with each general principle clearly stated with instructions on how to complete the form (Fig 1).  

The TGA follows the guidelines of the International Medical Device Regulators Forum (IMDRF). They were one of the founding members to take part in the IMDRF that was established in 2011, building off the groundwork of the Global Harmonization Task Force (GHTF). Today there are 11 countries that participate in accelerating international medical device regulatory harmonization. This group of regulators provide input to policies, offer guidance on strategies, create clear directions - all in an effort to help build a strong foundation for the safety of the medical device industry.  

For additional information on Australian medical device regulations and links to resources, see our Australia Regulatory Market Profile. For information on the use of essential principles in the EU, see The ultimate guide to the EU MDR and IVDR general safety and performance requirements (GSPR).

‍

Large medtech companies often have data stored in multiple ERP, PLM, and eQMS systems due to mergers, acquisitions, and siloed growth within product teams and departments. While segmented data can cause issues for everyone, it provides particularly concerning obstacles for regulatory affairs teams. RA teams in large organizations typically manage multiple product lines with various levels of classification across many global markets. When product and registration data is not centralized, regulatory teams will not only encounter significantly more complex processes related to managing and controlling data properly, but will also struggle to find and organize the data needed for submissions, license renewals, and other standard RA activities.

Regulatory data management issues without RIM

• Maintaining validation records for multiple systems: In the highly regulated world of medical technology, manufacturers are required to fully validate any system used to design, develop, or manufacture a medical device. Among other things, manufacturers must be able to demonstrate that only the current, approved version of a device can be manufactured. System updates and other changes trigger a re-validation process, which becomes increasingly complex as the number of systems increases. Not only does the system that is being changed need to be validated again, but any other system and process that is using data from the updated/changed system may need to be validated again as well. Issues with data integration between systems is a common finding during quality and regulatory audits.
• Ensuring data accuracy: As mentioned above, validating systems becomes exponentially more complex as the number of systems increases. In cases where the same data is stored in more than one system, the possibility exists that the data is not synchronized in real-time. Whether data is automatically transferred between systems or requires manual data entry or integration steps, each integration point is a possible point of failure.  Regulatory and quality teams need to ensure that they identify the “source of truth” for each piece of data that is duplicated and that they can demonstrate the processes that ensure data integrity is being maintained.  
• Managing user access: Managing user permissions in large systems, such as ERP solutions, often involves setting specific permission levels for a large number of detailed system functions. Users with access to information in one system may not have access to the same information in another system, causing auditing issues and creating difficulty in administering user credentials. For example, does a user have access to add regulatory documentation, such as EU MDR technical files or medical device certificates, into the system? If not, many companies end up circumventing their own systems by also using SharePoint or other shared drives to store updated files – where they may get lost or overlooked.  
• Establishing system-related processes: Establishing and maintaining processes for system issues, downtime, updates, and other regular maintenance is impacted by the number of systems and the ways in which they are integrated. Regulatory teams won’t control these processes for non-regulatory systems, but may require access to data in these systems for time-critical tasks.  

Regulatory workflow issues without RIM

Regulatory affairs professionals are familiar with the massive, color-coded spreadsheets that are often central to maintaining medical device registration information. While those spreadsheets work in some situations, without a centralized RIM system RA teams face two large challenges:

Software solutions not built for regulatory teams

• Spreadsheets are not the answer: While those large spreadsheets can be sufficient in smaller companies with a few products in a few markets, they quickly become unwieldy. Regulatory teams managing multiple submissions projects across global markets are compiling large amounts of information into specifically formatted portfolios for each country – a process that is difficult, at best, to manage with spreadsheets and pdf documents.  
• Non-compliance risks: Regulatory teams that are managing data without a centralized RIM solution also run the risk of identifying changes and expiration dates too late, leading to higher consultant costs and the risk of non-compliant products.
• Missed opportunities: Most regulatory teams do an amazing job keeping multiple projects on track, products in compliance across the globe, and their company prepared for audits and inspections. What if, however, regulatory teams had access to a centralized regulatory system that could provide them with the information, and the time, to contribute to strategic product marketing and staffing decisions? We believe that an organization with a revenue-aligned, strategic regulatory team has a competitive advantage in the marketplace. Read more in our ebook, Regulatory Strategy as a Competitive Advantage.

Regulatory data in multiple systems

We know that 70% of regulatory teams spend at least half of their time on repetitive administrative tasks. Much of this is because the data they need is stored in multiple systems across the organization, with the same data often being stored in multiple places. This leads to an increased chance of outdated information being used, required data being missed, and difficulties in proving that the data management processes in place are sufficient for ensuring accuracy.

The information required by regulatory teams comes from teams throughout an organization, including product data from the engineering team, production and supplier information from the manufacturing team, quality records from the QA team, clinical trial data from the clinical team, and more. This is all in addition to the regulatory submissions, changes, and agency communications managed by the RA team themselves. Without a centralized system to record and reference all of this data, regulatory teams are left to a lot of research, searching, and duplication of efforts across the team.

Data warehouses as an option  

In cases where there are multiple, enterprise-level systems sharing the same data, a data warehouse is often used. Data warehouses provide a centralized system in which to store data and maintain that single “source of truth” that all systems can pull data from. However, these systems can be extremely expensive and complex to set up and maintain. They normally require a team of consultants or internal staff to manage the setup and maintenance of the warehouse, including complex ETL (extract, transform, and load) workflows. These workflows are required because data stored in multiple systems will almost never be in the same format and will need to be “transformed” before being loaded into the data warehoused.

In addition, data warehouses are not typically updated in real-time and require that data cleaning and verification procedures run before data is uploaded. This makes a data warehouse a poor option for data that is needed for daily workflows and processes, such as UDI data management.

Regulatory Information Management (RIM) systems as a better option for master regulatory data management

Regulatory Information Management (RIM) systems, such as Rimsys, are designed to be the central source of truth for regulatory information. Purpose-built for regulatory teams, RIM solutions are powerful because they provide:

Centralized, product-centric, regulatory data

Information and data that is specific to regulatory activities can be stored and accessed directly in the RIM solution. This includes information such as submission documents, registration certificates, product references to standards and essential principles, and regulatory authority communications. The RIM solution is the original “source of truth” for this information.

As a result, RIM solutions provide regulatory teams with control over critical data, such as “available to sell” flags at a product version and country or market level. This ensures that the regulatory team is managing a product’s availability to be sold, market-by-market, based on its regulatory status in each market.

Integrated data

Regulatory teams require data from across the organization to manage submissions and other regulatory activities. A strong RIM solution will provide for integration with PLM, eQMS, eDMS, ERP, and other solutions that typically house information used by regulatory teams. For example, the design and engineering teams will likely utilize a PLM system to manage product details and revisions. While that data is needed by the regulatory team, it is owned by the design and engineering teams and belongs in their PLM system.

Rimsys provides secure API endpoints that simplify integration with nearly any system with a REST API.

‍

Rimsys also simplifies compliance with 21CFR part 11 and other regulations by providing complete and easy-to-read activity logs for all actions taken within the software.

To learn more about how Rimsys can be your master data management system, schedule a time with one of our product experts to see Rimsys in action.

‍

There are 27 member states that belong to the European Union (EU), along with additional countries that participate in the European Economic Area (EEA) and the EU’s single market. One of the benefits of belonging to the EU is the unification of regulations for medical devices and in-vitro diagnostics. As you know, registering medtech devices (ultimately known as applying the CE Mark) is a complex process. Applying the CE Mark allows your devices to easily be imported and sold throughout Europe.

Some of the member states and those participating in the single market require additional registration steps beyond those required by the EU for class IIa, class IIb, and class III medical devices. In general, a medical device manufacturer is required to submit a registration form and/or enter information in the online database before placing the product on the market. Typically, this notification includes the upload of a localized label, instructions for use, Declaration of Conformity, and the CE certificate.  

The additional registration requirements apply to manufacturers outside of the EU who wish to market devices in an EU member country. Most markets will also have additional or different registration requirements for local Authorized Representatives and Manufacturers. Once EUDAMED is fully implemented, the assumption is that most of these country-specific registration requirements will be removed.

The table below lists all 27 EU member states, along with additional countries that participate in the EU single market. This table is for reference only – Regulatory professionals are urged to consult country Competent Authority websites for country-specific requirements.

* Countries not in the EU

+ Devices supported by Finnish distributors to hospitals and retailers require notification.

++ Registration may be required if an importer, authorized representative, or manufacturer located in Germany is placing the product on the market for the first time.

Note: Specific requirements for local economic operators are not included here and may include both additional entity and device registration requirements.

New guidance

The FDA has issued two final guidance documents intended to assist with transition plans for medical devices that are currently being distributed under emergency use authorizations (EUAs) or that fall under specific policies issued to support the response to the COVID-19 pandemic. The agency states that they recognize that it will take time for manufacturers and others to adjust to “normal operations” as policies adopted during the pandemic come to an end. However, they are recommending that organizations move quickly to plan their regulatory strategy and engage with the agency where necessary.

The two guidance documents are:

• Transition Plan for Medical Devices Issued Emergency Use Authorizations (EUAs) Related to Coronavirus Disease 2019 (COVID-19) Guidance
• Transition Plan for Medical Devices that Fall Within Enforcement Policies Issued During the Coronavirus Disease 2019 (COVID-19) Public Health Emergency

Transition periods

Advance notices will be published in the Federal Register for each EUA declaration 180 days prior to the termination of the EUA.  

For devices that fall within enforcement policies issued during the COVID-19 public health emergency (PHE), a 180-day transition period is also available and will begin following the expiration of the section 319 PHE declaration. Manufacturers should refer to the following “list 1” COVID-19 public health emergency enforcement policies for more detail:

• Digital pathology devices
• Imaging systems
• Non-invasive fetal and maternal monitoring devices
• Telethermographic systems
• Treating psychiatric disorders ‍
• Extracorporeal membrane oxygenation and cardiopulmonary bypass devices

The FDA’s stated intent with this guidance is to, among other things, “help avoid disruption in device supply and help facilitate compliance with applicable FD&C act requirements after the termination of the relevant EUA declaration…”

Guiding principles

The following guiding principles are taken directly from the guidance documents listed at the beginning of this article, and they are the same in both documents.

• This guidance is intended to help facilitate continued patient, consumer, and healthcare provider access to devices needed in the prevention, treatment, and diagnosis of COVID19.  
• FDA believes the policies and recommendations in this guidance will help to ensure an orderly and transparent transition for devices that fall within the scope of this guidance. FDA’s policies and recommendations in this guidance are consistent with the Agency’s statutory mission to both protect and promote the public health.
• FDA’s policies and recommendations follow, among other things, a risk-based approach with consideration of differences in the intended use and regulatory history of devices, including whether the device is life-supporting or life-sustaining, capital or reusable equipment, a single-use device, and whether another version of the device is FDA cleared or -approved.  
• As always, FDA will make case-by-case decisions regarding the enforcement of legal requirements in response to particular circumstances and questions that arise regarding a specific device or device type. This may include FDA revising or revoking an EUA,29 requesting a firm initiate a recall (see 21 CFR 7.45), or taking other actions, including an enforcement action. Moreover, FDA may revise the enforcement policies and recommendations in the guidance, as appropriate.

Do not wait to submit marketing submissions

Manufacturers who intend to seek market authorization for devices currently under COVID-19-related EUAs should begin working on their market submission and transition implementation plan as soon as possible. The CDRH is encouraging organizations that want to continue marketing their device, and need a marketing submission, to take advantage of the full transition period, including submitting a pre-submission if needed. The pre-submission process allows for early interactions with the CDRH.

‍

Defining nonconformance

Very simply, a nonconformance occurs when a specification is not met. The FDA defines a specification in 21 CFR 820.3 as “any requirement with which a product, process, service, or other activity must conform,” and ISO 13485:2016 as a “need or expectation that is stated, generally implied, or obligatory.”

While managing nonconformance starts with fully defining specifications; it is the identification, tracking, and resolution of nonconformance that is a focus of medtech quality and regulatory teams and a requirement of both ISO 13485:2016 and the FDA’s 21 CFR Part 820 quality system regulation.  

Identifying nonconformance occurrences

As part of a compliant quality system, medical device manufacturers should implement procedures to identify and address both major and minor non-conformances. Nonconformances may be identified through processes found in multiple subsystems that are part of an overall quality management system within the organization.

The systems and subsystems in which nonconformances are identified typically include:

• ERP
• Regulatory information management (RIM)
• Product lifecycle management (PLM)
• Document management
• Customer service / customer management  
• Complaint handling
• Device history records
• Audit management
• CAPA
• Training/learning management  
• Calibration/preventative maintenance
• Development change management

Evaluating nonconformance

Once a nonconformance is identified, it should be evaluated in a timely manner, and a determination made as to the disposition of any affected products. Requirements for additional investigation and reporting should also be identified. Based on the severity of the nonconformance and its effect on the safety and efficacy of devices being manufactured or already in the market, a CAPA (corrective/preventative action) record may need to be created. In the U.S., this is defined in the quality regulation 21 CFR Part 820.100.

To disposition a nonconformance, consider the following:

• Will the existing system detect the nonconformance if it recurs in time for remediation?
• How likely is it that this issue will recur?
• What is the impact of the non-conformance (i.e., could it affect patient health)?

Issues that are more severe or are more likely to recur should trigger a more immediate and comprehensive response.

Nonconformances that are escalated and handled under CAPA are based on risk and can include those that have or could have an impact on a product or process that is:

• Not easily corrected
• Recurring
• Severe

In addition, nonconformances that rise to the level of a CAPA require significant resources and typically result in a full project to identify root cause(s), containment, and corrective actions, and monitoring for effectiveness.  

Nonconformances that don’t require a CAPA have simpler resolutions that include documenting actions taken to correct the issue (or justification for no action). If the issue is not recurring, there may be no other action required. For example, a nonconforming material received from a vendor may be a singular issue that was easily identified through existing inspection procedures and is not expected to recur. In this case, the material is returned to the vendor and no additional action is required.

Processes that are out of conformance are often resolved through improved documentation and/or additional user training. However, be sure that the true root cause of the nonconformance is identified as procedural nonconformances can signal additional issues.

Documenting nonconformances

An important part of nonconformance procedures is the nonconformance report (NCR) or other documentation procedures.  Nonconformances are typically documented within the subsystem in which they were identified. Some organizations will have a nonconforming system in which issues originating from all subsystems are documented. Centralized nonconformance systems allow for trending and other analysis across all subsystems, the results of which may generate CAPAs.  

The requirements for documenting a nonconformance may vary by subsystem. In general, however, nonconformance documentation records:

• The requirement/specification that was not met.
• The objective evidence supporting the determination.
• The action that is being taken to address the nonconformity.

Nonconformances are a common point of focus during quality audits by regulatory bodies, including the FDA, and should follow a well-documented process. Auditors will often try to determine if the quality system is functioning effectively by looking at self-identified nonconformances and comparing them to externally reported nonconformances. This is to ensure that nonconforming products were not released, or that the appropriate actions were taken to resolve issues in the field.

The importance of nonconformance reports

Nonconformances related to distributed products of higher risk result in nonconformance reports issued to government authorities through vigilance reporting, medical device reporting, and field action/recall reports. For example, the FDA requires that a medical device report be submitted within 30 days of a serious adverse event (see 21 CFR Part 803 Subpart E). Strong reporting procedures for nonconformances of all types are important in identifying trends, addressing issues before they become critical, and as part of a complete quality management system.

A nonconformance reporting procedure is only part of a strong quality system. Read An overview of 21 CFR part 820 and ISO 13485 overview for more information on establishing quality systems for medtech companies.

‍