For those of you who frequent Dr. D’s column, you are going to realize that the old doctor is on a basic blocking and tackling kick. After all, football season is upon us. It is Dr. D’s humble opinion (you can scratch the humble part) that the execution of an effective internal audit program falls into the basic blocking and tackling bucket. Why? For starters, device establishments are mandated by the Quality System Regulation (QSR) to perform quality audits. A functional internal audit program is a viable tool needed to drive continuous improvement of the Quality Management System (QMS). If an establishment has a dysfunctional (a.k.a., crappy) internal audit program, then the number of Form 483 Observations noted during an inspection will probably be significant. The good news is that the results of these audits never have to be shared with our dear friends from the Agency. In accordance with 21 CFR, Part 820.180(c) (exceptions), the Chief Jailable Officer (CJO) can certify, in writing, that: (a) audits have been executed; (b) they have been documented in writing (please don’t forget the date(s) the audit(s) were performed); and (c) corrective action has been undertaken (if deemed to be applicable). Device establishments do not have to share the actual content of these audits with the FDA or other regulators (with the exception of your notified body). That being said, what possible excuse could a CJO have for not performing audits, when sitting across from an FDA investigator during an establishment inspection? Any CJO who is reasonably “conversant” (look it up) in the nuances associated with 21 CFR, Part 820, would quickly realize that having no documented evidence to support the performance of internal audits is going to end badly. Can you say Form 483 Observations or worse? Enjoy!
Warning Letter – 04 August 2017
The warning letter recipient cited in this week’s Devine Guidance (DG) managed to rack up ten Form 483 Observations during a four-day inspection performed in March of this year. Additionally, the recipient received that ever-popular “Our inspection also revealed that your firm’s devices are misbranded under section 502(t)(2) of the Act, 21 U.S.C. § 352(t)(2), in that your firm failed or refused to furnish material or information respecting the device that is required by or under section 519 of the Act, 21 U.S.C. § 360i, and 21 CFR Part 803 – Medical Device Reporting.” Ouch, Ouch and another Ouch! Usually, double-digit Form 483 observations are enough for the awarding of that prized agency warning letter. However, failing or refusing to provide the FDA with requested information, well, that is just asking for that proverbial crap sandwich with all of the toppings.
Warning Letter Excerpt
Observation Nine (9) – “Failure to establish adequate procedures for quality audits and conduct such audits to assure that the quality system is in compliance with the established quality system requirements and to determine the effectiveness of the quality system, as required by 21 CFR 820.22. For example, your firm has not implemented its internal quality audit procedure “Procedimento Para Auditoria Interna Da Qualidade”, PQ 1-1, Rev. 3, dated 08/01/2016, Section 4.2 of “internal audits should be conducted periodically (at a minimum every 6 months)” and Section 4.3.1 “Areas of firm to be audited – Quality Management, Production, Human Resources, Purchasing, Quality Control, Storage, Sales, Administration Structure, Laboratory, and Sterilization.” Your firm has not conducted internal quality audits at a minimum of every six months to ensure that the quality system is in compliance with the quality system requirements. The last internal quality audit was performed seven months ago on 08/18-19/2016 and previous to that audit it was performed on 12/03-29/2015, also more than six months from the previous audit. In addition, the audit on 12/03-29/2015 did not cover Laboratory.”
21 CFR, Part 820.22 – Quality Audit
“Each manufacturer shall establish procedures for quality audits and conduct such audits to assure that the quality system is in compliance with the established quality system requirements and to determine the effectiveness of the quality system. Quality audits shall be conducted by individuals who do not have direct responsibility for the matters being audited. Corrective action(s), including a reaudit of deficient matters, shall be taken when necessary. A report of the results of each quality audit, and reaudit(s) where taken, shall be made and such reports shall be reviewed by management having responsibility for the matters audited. The dates and results of quality audits and reaudits shall be documented.”
Compliance for Dummies
Complying with the quality (internal) audit requirements is probably one of the more straightforward requirements mandated by FDA. For starters, please remember that entering devices into commerce in the United States requires participating establishments to play nicely in FDA’s sandbox. It is the Agency’s sandbox, so their rules (a.k.a., the QSR) apply. This is not negotiable. That being said, the requirements for complying with §820.22 are eloquent in their simplicity.
- Script a procedure and make sure all deliverables identified in §820.22 are addressed.
- Make sure auditors are appropriately qualified (use ISO 19011 as guidance).
- Make sure auditors are not auditing their own functional areas.
- Create an audit schedule at the start of each year and stick to it.
- Make sure audits are appropriately documented in a written report, including dates performed.
- Make sure audit non-conformances are mitigated through the corrective action process.
- Best practice is to script an audit plan and agenda prior to the audit.
- Hold opening and closing meetings for each audit.
- Use an attendance sheet to collect signatures of auditors and auditees.
- Make sure the functional area manager receives a copy of the audit report, including copies of non-conformances noted.
- Make sure audit results find their way into management review.
- Make sure problem areas are re-audited. It is an acceptable practice to increase audit frequency if problems noted necessitate more oversight.
- Never share the results of audits with FDA or other regulatory bodies. However, the CJO must provide documented evidence that audits are being performed. Dr. D recommends sharing the audit plan, agenda, and signature sheet.
For this week’s guidance, the doctor will leave the readers with just two takeaways. One – device establishments never have to share audit content with FDA or other regulators, only documented evidence that they are being performed. Two – if audits result in non-conformances being noted, it is imperative that the issues noted actually be mitigated through CAPA. Rubber-stamping internal audits will provide zero value when it comes to driving continuous quality improvements. In fact, if an FDA investigator quickly identifies double-digit Form 483 observations, he or she will quickly realize that the internal audit program is irrevocably broken. In closing, thank you again for joining Dr. D; and the doctor hopes you found value (and some humor) in the guidance provided. Until the next installment of DG – cheers from Dr. D. and best wishes for continued professional success.
- Code of Federal Regulations. (2017, April). Title 21 Part 820: Quality system regulation. Washington, D.C.: U.S. Government Printing Office.
- Devine, C. (2011). Devine guidance for complying with the FDA’s quality system regulation – 21 CFR, Part 820. Charleston, SC: Amazon.
- Devine, C. (2013). Devine guidance for managing key attributes of a FDA-compliant quality management system – 21 CFR, Part 820 Compliance. Charleston, SC: Amazon.
- FDA’s enforcement page. (2017, August). FDA.gov Website. Retrieved September 08, 2017,