Design Controls start from the moment in brainstorming when it is decided to pursue a particular idea to see if it can work (initial feasibility of concept). The most important part at this initial feasibility of concept is to capture any decisions made regarding the concept to ensure that, once the decision to move forward with the concept is made, the documentation has already been started to support the initial concept design.

Design controls do not include ideas and early concepts that are not approved to move forward. In addition, Class I medical devices are not required to follow design control regulations. Any idea that is still on the drawing board or is in the research phase is excluded from formal Design Control requirements.

The most important capability to present to a regulator or auditor is that you are in full control of your systems. A front room establishes who is directly interfacing with the auditor and the specific information being presented. Having a back room allows you to have a staging area to prepare documentation and to prepare interviewees for interfacing directly with auditors or inspectors. In addition, having a back room coordinator will ensure a quick response to any documentation or data requests as you have someone ready to immediately respond to requests for information.

As with Question #3, presenting a “controlled” front to the inspector demonstrates that you are in full control of your internal processes. Quality documentation should never be presented in its original form as the inspector/auditor may actually use the documentation to write notes on. Also, copies marked “confidential copy” or “for reviewing purposes only” ensure that the auditor/inspector will know that these copies are only for their reviewing purposes and are not going to be circulated to others, especially if a problem is found.

It is important to know that FDA Inspectors (as opposed to any other auditor) are law-enforcement officers. This means that they have the authority to exercise search and arrest warrants. Typically, the FDA will delegate these activities to the Federal Marshals, but they do not have to in the event that they directly witness illegal activities; they are authorized to perform arrests on the spot. In addition to these abilities, since FDA inspectors are law enforcement officers, they are also recognized legal entities, just like a judge, so that anything that is said to them can be used in a court of law against you. Therefore, it is extremely important to recognize your rights during a verbal interview.

Keep your responses, as much as possible, to simply answering the question that is asked. If the question can be answered with a simple “Yes” or “No,” it is best to keep the answer to that single word. Do not speculate and do not guess. If you don’t know the answer to a question, simply state that you don’t know. If you do know the answer to a question, answer the question, but do not offer extraneous information to try to “soften” the answer. This response actually tends to call more attention to the question than a simple response will do. If the inspector wants more explanation, allow them the opportunity to request more information, but do not volunteer information.

Always speak truthfully. Any untruths spoken to an FDA interviewer are actually subject to perjury laws. This means that if an individual knowingly speaks an untruth to an FDA interviewer or a Federal Marshal, they may be subject to prosecution for felony perjury.

FDA investigators are trained interrogators and may intentionally work to create an environment that will make the interviewee wish to volunteer information. With this in mind, during an FDA interview, leave the empty silences empty; do not attempt to fill them with additional information out of your own nervousness. Take a deep breath and simply wait for the next question.

Beyond ensuring that you have all of the elements in place for an inspection/audit (scripts for your first contacts, call lists for immediate responders, compliant quality systems, etc.), run drills to ensure that everyone knows what they are supposed to do and how they are supposed to act. If you don’t have time to run a “full” inspection drill, run partial drills such as enacting a regulator first entering the building and appropriate responses or conducting role-playing scenarios for FDA interviews. In this way you can ensure that your people are always ready, and always comfortable with their roles in an inspection.

Surveillance audits are your routine audits. These audits are not “for cause,” which means the inspectors are there to just generally get an overall look at your quality system and manufacturing facilities (if applicable). Unless the inspectors find something during the inspection, these audits generally do not require any special items and typically take only a few days.

The first most commonly requested items are your complaints and CAPAs. Have a log for 12-18 months of each ready and be prepared to discuss escalation tactics for complaint reportability and CAPA conversions. Ensure that all of your complaints have appropriate risk analyses performed and that all CAPAs have been checked for effectiveness. They will also look at your Quality Manual and Quality Policy. Finally, they will typically look at your Quality Control activities (incoming inspection, in-process inspections, and final product releases). Inspectors are, of course, individuals and each individual may ask for different things based on their own peculiarities, but the list here is the most typical for all surveillance audits. Generally speaking, if all of the items inspected are clean, the auditors will not necessarily progress any further unless they have evidence of prior inspections that they need to recheck or the interviews provided additional information that concern them.

This may vary from company to company, but generally speaking, your Management Representative (Mgmt Rep) must be present during all interactions with the inspector. It is advised to have a scribe present at all times with the inspector as well. This scribe can keep a log of all information provided to the inspector and summarize all interviews and conversations. It is recommended that this scribe not be the Mgmt Rep as the Mgmt Rep may very well be answering questions and miss some of the details of what the inspector is actually doing during the interactions.

For Cause audits are almost always unannounced. They are generally conducted because the FDA has become aware of allegations of behavior that differs from accepted regulatory requirements. Occasionally, a reported complaint (escalated to an MDR) that may potentially affect public health, a high number of complaints, or anonymous reports in addition to insufficiently resolved 483s or Warning letters may stimulate a For Cause audit. These audits should be treated exactly like a surveillance audit; however, there will often be more than one inspector and they may stay for an extended period of time (typically anywhere from 1-6 months depending on their findings). They will almost always bring a subject matter expert on your product type with them to these types of inspections.

First and foremost, your receptionist should have an emergency call list prepared for this. S/he should seat them and call the first person on the list and keep calling down the list until s/he reaches an actual person. The inspector should then be announced through whatever method for notifying the entire company that you use (e.g., overhead intercom, group email, group text, etc.). The receptionist cannot accept any paperwork, nor escort the FDA inspector anywhere. Preferably, the Management Representative is the person that will be the primary point of contact and the first person to actually escort the inspector into the facility. The only exception to this is if the inspector shows up with a search warrant. In this case, the Management Representative and the primary Legal Counsel should both be notified and presence requested. Depending on the terms of the warrant (if applicable), the receptionist may not be able to hold the inspector in the reception area until a responsible person shows up, but every reasonable effort should be made to keep them in the front lobby.

For the U.S., Management Representatives must be authorized to make changes to the quality policy and quality systems. This requires an individual that is actually at the middle-manager level or above, unless upper management has delegated the authority to an individual contributor. International standards for the EU only require that the Management Representative report the status of the quality system, document the status of the quality system, and promote awareness of regulatory and quality requirements throughout the organization. No actual “authority” to make decisions is required. Brazil has a similar requirement to the ISO standards. Japan does not specify an individual as being responsible for the quality system, but points out that top management must ensure the quality system adequacy as well as ensuring that all other requirements are met.

Management Representatives are not responsible for all decisions regarding quality in the company. Quality Goals and Human Resources are the responsibility of all management.

To be clear, only the U.S. FDA requires an individual with authority to be identified as the Management Representative. All other most common regulatory requirements only require that an individual be made responsible to identify and notify the quality system status and/or all management is held responsible for making decisions regarding the quality system.

You are perfectly within your right to protect intellectual property and proprietary information. To be clear, however, much of the data that individuals consider to be proprietary does not actually meet that classification, as far as the FDA is concerned. Any information that is published anywhere for the general public to see (e.g., websites, printed product literature, etc.) is not considered proprietary. Warning letters are considered proprietary or confidential and are published on the FDA’s website. Any FDA inspection findings may be requested by any individual under the Freedom of Information Act and cannot be refused as proprietary or confidential. Intellectual property is any information protected by patent law and is not privy to review by the FDA except in cases of legal action (e.g., legally executed search warrant).

You are legally allowed to refuse photography and/or recording equipment in your facility. To be clear, you cannot “relieve” the FDA inspector of any equipment, but you are certainly allowed to ask them not to record any information (voice, video, and photo) while they are there without your express written permission. This request will be refused in the case of a legally executed search warrant that stipulates the use of electronic surveillance or evidence gathering tools.

If the FDA inspector removes any documentation from your facility (again, except in the cases of legally-executed search warrants), ensure that there are no originals leaving your facility and that all copies are stamped as confidential or copy.

Proprietary information is considered a trade secret and may be a product or process that is specific to one manufacturer or intellectual property owner. Proprietary information may or may not be protected under patent or trademark law (this is a question for a lawyer). Generally speaking, proprietary information is the opposite of public information and must be kept confidential to the information owner in order to protect tangible or intangible assets. Typically, proprietary information is not known in the industry and is only known by one legal entity. If the information is common to an industry, it is not considered proprietary. Proprietary information is not necessarily shared with the FDA except in cases of legally-executed search warrants. The only exception to this is if the proprietary information is required to obtain regulatory clearance for the product or process submitted.

Confidential information is information that is generally not shared with the general public, but special information specific only to the process or product owner. Many manufacturing processes are not considered proprietary because they are general within a given industry, but they may be considered confidential if there are multiple types of manufacturing processes available, but the specifics to each business entity are confidential. Confidential information cannot be withheld from the FDA and may actually even be part of the regulatory submission paperwork.

Inspectors are permitted to inspect/review any relevant areas (other than proprietary info – See #13 above) for the purpose of their visit. Surveillance audits may generally see any area that is the subject of the particular products or processes for which they are ensuring continued compliance (products or processes already approved/pre-approved by the FDA) or in a For Cause audit, any area that is the subject of the FDA Form 482, Notice of Inspection.

Personal items, lockers, vehicles, and individuals themselves are not typically subject to search under an FDA Form 482. A legally-executed search warrant is required to search these areas/items. The only exceptions will be workstations and/or desks that are unlocked and in areas that are within the scope of the inspection, company-owned vehicles, and/or vehicles containing products (this includes personal vehicles, if the products of interest are stored in or transported by these vehicles). Storing products in a personally-owned car or company locker does not exempt these items from an inspection.

ISO 14971 has always been a supporting standard for ISO 13485. The new revision of ISO 13485 (2016) requires that risk management be performed at all levels of the QMS and not just for the product development lifecycle (see ISO 13485:2016§4.1.2(b)). Many companies are familiar with risk management programs for their product development lifecycle (design controls in medical devices) and have incorporated excellent risk management programs for this. There are a number of companies, however, that have not established clear-cut risk management processes for the remainder of the quality system such as risk/benefit analyses for decision-making processes and internal remediation efforts.

Risk controls are comprised of three elements: (1) “Hard”/design controls or designing-out risk from a product or process; (2) “Soft” controls that may be the placement of safeguards to prevent risky behavior from resulting in immediate harm; and (3) labeling or knowledge controls (including training) that help to educate the user or operator to ensure they are aware of risks that exist and how to help prevent themselves from being harmed. A very important part of risk controls lies in the identification of which types of risks require which type of control element and how these are handled, and in calculating the remaining risk and performing a risk/benefit analysis. Very often, these last two elements may be missing or insufficient to meet risk management program requirements.

Ultimately, buy-in by all personnel is gained by sharing an understanding of what is needed, how it benefits the participants, and why the organization needs it to happen. That being said, it is unlikely that all risk control measures will reach a 100% level of satisfaction by all participants, but clear communication and information sharing will help.

All potential risks that affect product or quality processes are required. In addition, potential operational risks must be assessed (for internal personnel; including safety issues). The risks that are not required by the ISO standards are those that fall under the umbrella of Business risk (e.g., cost/benefit analysis) as financial risk to the company is irrelevant to the risk assessments required by the U.S. FDA and ISO standards. For instance, manufacturers can no longer use financial impact as a reason to not implement a risk mitigation. Basically, the financial impact is of no concern to regulators when manufacturers are assessing risk; regulators therefore disallow the use of financial risk when deciding which risk controls to implement.

Another way of putting this is that the ALARP term (as low as reasonably practicable) is losing favor with regulatory agencies when determining what mitigations to implement to alleviate or lower risks. AFAP (as far as possible) or ALAP (as low as possible) are becoming more and more accepted. One thing to take into consideration when determining risk, of course, is overall risk of the device itself within the user population. For instance, if you are already dealing with a low-risk device (basic monitoring) that has no impact on diagnosis or treatment and is not life-sustaining, you may find that most of its risks are already within the AFAP/ALAP area.

The FMEA/FMECA tools, while being used more and more in medical device and pharmaceutical manufacturing, are only one set of tools out there. Other risk management tools such as fishbone diagrams, fault-tree analysis tools, etc. are certainly also usable.

Despite this fact, however, companies must be sure that their risk analysis tools are robust and cover all the elements of risk analysis including identification, analysis, and controls. Since FMEA/FMECA tools are widespread throughout the healthcare industries, one might even state that these are “best practice,” and companies must ensure that the methods they use are as robust and well documented as these tools, which have been in use for more than 50 years in almost all manufacturing industries (including automotive, aerospace, and transportation).

Many companies, unfortunately, make use of the brainstorming method to determine how to assign risk rankings to complaints. For low-risk products, this is probably sufficient. However, for higher-risk products (certainly FDA Class III), companies may find that their risk rankings are determined to be insufficient for their risk-level by many regulators. Most commonly, a subject matter expert or medical professional is needed to determine risk rankings in relation to the end user population. These SMEs or medical professionals will have first-hand knowledge of the potential harms from the use of given products and are considered to be qualified to make such an assessment. Generally speaking, engineers do not have the first-hand experience in the real world to have this subject matter expertise, according to regulators. In the case of medical devices, for example, a mechanical engineer will have no knowledge of the risks with a particular surgical device when actually used in a surgical operation; only a surgeon or surgical specialist will know what other items in the environment or the procedure itself can be affected by or will affect the product.

21 CFR 820.198 requires that all complaints be evaluated. This can be interpreted as many things, but most commonly it can be seen that evaluations must include some form of failure analysis. This does not include having to perform a failure analysis for every complaint. For instance, in the case of a number of complaints for essentially the same reason, only one failure analysis is needed for all. This analysis (depending on risk level) may be as simple as a document review and statistical analysis for a number or percentage of complaints.

The most important components for all complaints are risk analysis and determination of reportability. If a risk level warrants, then failure analysis and corrective actions may be required. After determining reportability, all reportable complaints then require a failure analysis and may require corrective actions, should the risk level warrant it. In the most extreme complaint case (report of death), the complaint must be reported, must be analyzed fully, and a corrective action evaluation performed. This corrective action evaluation must take into consideration whether or not the product contributed to or caused the death. If it did, then strong corrective action is absolutely required. If analysis and documentation can prove that the product did not contribute to or cause the death, then the analysis may be sufficient without implementing corrective actions.

CAPAs are generally reserved for high-risk issues that require a full-blown root cause analysis and implementation of formal corrective actions. Corrections (immediate fixes to issues) may or may not fall under the CAPA program. CAPAs are generally reserved for systemic issues or large-scale issues that require the formalized system to ensure corrective actions are implemented and are effective at preventing further occurrences of a given issue.

A Preventive Action cannot spur off of a known issue. If an action spurs off of a known issue, then it is a Corrective action, not a preventive one. Prevention is something that ensures that a theoretical issue does not happen.

When it is a process improvement. Process improvements by many companies are managed under their CAPA programs and, typically, that is an incorrect use of the CAPA system. Best-practice companies have separate Continuous Improvement or Quality Improvement programs to take care of improving their processes or products. While the CAPA program is a great, formalized system and tracks every phase of a corrective or preventive action, some of the steps required for CAPAs are not needed in a Continuous or Quality Improvement project. Continuous Improvement projects may spur off of the need to increase manufacturing throughput or reduce resource needs, which is not a problem that needs to be prevented or corrected.

An MRB is most commonly used by best-practice companies to ensure that higher-level management is aware of the decisions made regarding nonconformance dispositioning. The reason that this is important is that the MRB is not only responsible for ensuring where nonconforming materials are dispositioned (which is extremely important), but for making decisions regarding when additional actions are required. This would be necessary when, for instance, a new manufacturing line has a much higher than normal scrap rate and a full investigation must occur to determine what is causing the higher than normal scrap rate.

From the dispositioning stand-point, the most important disposition is “Use-As-Is.” Regulators do not like it when an individual makes a decision to use nonconforming materials as if they were not nonconforming. Robust processes to use nonconforming materials must be backed up with scientific and/or engineering knowledge as well as risk assessment by Quality individuals. Simply putting something back into manufacturing because the Line Manager decided to will more than likely result in regulator reaction.

The simplest process is to create a red label that states that the material to which it is attached is nonconforming and place the nonconforming material in a segregated area (room or locked cage). This is the simplest, but can be cost prohibitive in some companies where square footage is at a premium. The most important issue is to have the nonconforming material labeled in such a way that it can be clearly seen by everyone and will not inadvertently get mixed in with conforming materials.

The answer to this question can vary from company to company, but in general, nonconformance handling ends when the manufacturer no longer has control of the product and it is in the hands of the end users. Complaint handling begins when the product, out of control of the manufacturer, is in the hands of the end users.

The differences arise when products do not go straight from the manufacturer to the consumer. Very often companies use distributors for their product or their devices are installed and serviced by other companies. Essentially, issues from anyone outside the manufacturer (consumers, distributors, and service vendors) are generally entered as complaints. The other scenario, where the distribution centers are owned by the manufacturer, might mean that any issues may be reported as nonconformances, rather than complaints.

A nonconformance is a material, subassembly, assembly, or product that does not meet the specification or is not operating as intended. A product that is discolored, and color is not specified, is not nonconforming. A discolored product where color is specified would be a nonconforming product. In addition, a product that doesn’t perform as expected would be considered a nonconforming product (even if the product meets all specifications). User expectations are a requirement, even if they are not specified. Users, in this case, would be in-house users or testers; not consumers. Consumer reports of issues would fall under the complaint umbrella.

Deviations are needed when a product is still in the manufacturer’s control and a short-term, planned nonconformance is needed. This may involve a nonconformance in the accepted process for creating a product, a raw material, etc. Deviations must be planned in advance and require both risk and impact assessments. In some cases, they may require in-depth form-fit-function analysis by numerous disciplines (e.g., mechanical engineering, electrical engineering, quality, and manufacturing).

Nonconformance is the generic term for anything that does not conform to product requirements. Nonconformance is generally used for incidents when the nonconformance is discovered after the fact. Deviations are planned nonconformances. Deviations have analytical input prior to being entered into manufacturing and have approval. They are also short-term and have an expiration date. In short, deviations are planned nonconformances.

When it is a request for additional materials or information. In addition, a request for improved functionality is not a complaint if the actual functionality did not cause the product to perform in a manner different from user expectations. A product differing from what the user expects is a complaint because the user expectations are set by the manufacturer in their marketing materials and information for use. It is important that these user expectations are clearly communicated to the user so that a product performing in a manner not expected by the user, but communicated clearly as a projected, real-world user expectation, may not be a complaint.

A customer not liking the color of a product, when color is a specified requirement, may actually be a complaint. Market and competitor analysis is very important when determining product requirements to manage these types of potential complaints. In addition, a user requesting additional materials may also constitute a complaint if the materials given to the end user were insufficient for the user to understand the function or use of the product. Complaints about user guides are still complaints.

In short, all complaint types must be analyzed. Whether a failure or root cause analysis needs to be performed would depend on many factors including risk.

Complaints must be reported to all regulatory agencies (not just the ones for the country in which the complaint originated) whenever there is a death or serious injury. Serious injury is essentially defined in 21 CFR 803 as an injury or illness that is life-threatening, results in permanent impairment, or necessitates medical/surgical intervention to prevent permanent impairment. The only exclusion is for “trivial impairment or damage.” Many medical professionals define the trivial impairment as something that does not require the services of a medical professional. For instance, if a lay person could treat an injury with Neosporin® and a Band-Aid®, then it could be considered trivial. Anything requiring medical professional services such as (at a minimum) stitches, might be considered a serious injury. This is where it is important, for many manufacturers, to have a medical professional that is a subject matter expert on their user population to be employed, or on call to help answer these types of questions specific to their scenario.

In addition to actual death and injury cases, all incidents that could potentially lead to death or injury, should the incident recur, would also be reportable. This “potential” must be evaluated by a subject matter expert for the user population and not just through a brainstorming exercise with quality, regulatory, and engineering personnel. Regulators are responsible for ensuring the public health and safety and, as such, have their own SMEs available to determine if the “potential” or near-miss cases are being reported adequately.

Most risk management programs follow the ISO 14971 standard. This standard is recognized not only by EU countries, but by the U.S. FDA as well. Within a risk management program, the use of FMEA/FMECA is considered a best practice across a wide variety of agencies for risk identification, analysis, and controls. These tools, however, have a shortcoming in that their use alone does not meet the full Risk Management Program required by the FDA and international regulators. Specifically, these tools do not have a method for performing a risk/benefit analysis and do not necessarily identify residual risk.

Do not attempt to answer a question when you are not sure of the answer. You may answer incorrectly and FDA investigators are law-enforcement officers and, therefore, everything you say has the weight of law. It is important to only make statements for which you are directly responsible or actually know the answer. It is perfectly acceptable to answer a question with a response of “I don’t know.”

Generally speaking, anyone that is asked a question by an FDA investigator must answer the question, if they know the answer. However, that being said, some temporary employees may not have the authority to answer a question, even if they do know the answer. Make sure that every individual in your organization knows their responsibility regarding responding to investigators and auditors.

Design Controls (specific to U.S. manufacturers) are not applicable to Class I devices (see 21 CFR 820.30 for details). Manufacturers that distribute to the countries covered under ISO 13485, however, are required to follow the ISO 13485 standard for design controls. Therefore, even if the U.S. does not require a Class I manufacturer to follow design controls, the European counterparts may. It is important to identify which countries you market to and to understand the regulations and standards for every country or geographic location.

Overall, anyone employed by a medical device, pharmaceutical, or biologics company should have some basic GMP/GCP/GLP training specific to their company/market. Annual GxP courses are required for all individuals involved in GxP activities (and may exclude finance, human resources, and legal). However, individuals that are new to the GxP environment, no matter what department they work in, could benefit from some familiarity with the regulatory requirements.

There are three elements of a best-practices training program: (1) Training Plans (for individuals), (2) Training Matrix (for job functions), and (3) Training Records to provide evidence of completed training. Essentially, the requirement is to sufficiently document the training that is needed and the training that was performed for every individual involved in GxP activities. This information helps to prove that the individuals are competent to perform their required duties.

A training record containing the records for what training is required and what training is completed for each individual should be kept in a generalized location (generally Human Resources or a Training Coordinator). There must be appropriate assignment of training (by the individual’s manager, a training coordinator, and procedures) to ensure the individual is appropriately assigned training for their role in the organization. In addition, there must be formal documentation for all of the completed training to ensure that the requirements for training are all met. These are the two most important elements in a Training Record. These training records must cover all individuals in the company that are involved in GxP operations (including temporary employees). These regulations may also apply to contract organizations that are following the manufacturer’s processes.

Employee training records are not Human Resource records. There should be no information regarding pay rate, special employment status, benefits, or personal information (address, emergency contact, tax info, etc.). While HR can maintain training records and they may be retained in the same filing area, they should be completely separate from the HR records.

The easiest method for implementing a training matrix is to identify job functions by title and assign the training matrix by job function. In this manner, it will be consistent throughout the organization. Multiple job functions may be assigned to one individual (e.g., a manufacturing supervisor may fall under three categories: manufacturing operator, GMP operations, and management). Assigning multiple job functions would mean that the individual must train to all applicable job functions. A manufacturing manager (following the example) may train to GMP operations and management, but not to the manufacturing operator job category, especially if they are not required, at any time, to perform manufacturing operations duties.

The first step is to carefully read all five findings. They should not necessarily be related and would require different corrective actions; this is how the FDA typically consolidates findings. However, that is not always the case. After analyzing all five findings, it is important to determine if they are “valid” findings. Findings are often issued due to the investigator’s unfamiliarity with the manufacturer’s processes. If some of the findings can be addressed with an in-depth explanation and conclusion, address these first because then you can focus on the more complex findings.

You have 15 working days (three weeks) from the issue of the 483 findings to respond to the FDA with a corrective action plan. Let me reiterate: a plan is required, not the actual corrective actions. While you are proposing a plan, do not wait for the FDA’s response to actually begin work on your corrective actions. Develop a robust plan, submit the plan to the FDA, and proceed with remediation efforts. If the FDA does not like your plan, they will follow up with you at a later date to tell you that your plan is insufficient and will provide additional guidelines about what they need to see from you.

Very often 483s are given the weight (by a manufacturer) of a Warning Letter. 483s are simply observations or findings from an audit. These are not typically seen in For Cause audits, but result from Surveillance audits. These do not carry prosecutorial weight. These are equivalent to an auditor’s findings (major or minor), but generally cannot result in legal action as long as they are not repeat findings. Repeat 483s may result in a 483 for a second time, but will more than likely escalate to a Warning Letter if found a third time. Warning Letters, on the other hand, do carry prosecutorial weight. These findings can and do result in legal action from the FDA if their directions are not carried out. For more in-depth information regarding Warning Letters, see Regulatory Affairs FAQ, Question #1.

483s must be addressed, but regulators allow quite a bit of leeway in how to address these findings. A sufficiently justified corrective action will rarely be challenged by the investigator as long as they feel that an appropriate risk analysis was performed during the analysis of these findings to ensure that responses are appropriate for the risk level.