Tuesday, November 9, 2021

Audit Core Matrix – Device CGMPs Documentation Review: Systems, SOPs, records, et al, (references are to 21 CFR Part 820, Quality System Regulation:

Subpart Description Reviewed (‘Y’ or ‘N’) / Comments

A General (820.1, -.3, -.5)

B Quality System Requirements (820.20,

-.22, -.25)

C Design Controls (820.30)

D Document Controls (820.40)

E Purchasing Controls (820.50)

F ID and Traceability (820.60, -.65)

G P and PC (820.70, -.72, -.75)

H Acceptance (820.80, -.86)

I Nonconforming Product (820.90)

J CAPA (820.100)

K Labeling and Packaging Control (820.120

-.130)

L Handling, … (820.140, -.150, .160-.170)

M Records (820.180, -.181, -.184, -.186, -.198)

N Servicing (820.200)

O Statistical (820.250)

-- jel@jelincoln.com

Monday, November 8, 2021

The Virtual / Remote Compliance Audit

The following three posts address an approach to virtual / remote internal or vendor audits; starting with the final report, then the conduct of the Audit, then back to the Audit Plan. Use a video conferencing app, solicit key documents in e-form prior to audit. Then follow the Audit Plan with a discussion of each element with the team, requesting any supporting documentation in e-format, or similar, camera pix, or similar.

Remote / Virtual Audits - Internal or Vendor Audits - The Final Audit Report

ISO 13485 COMPLIANCE AUDIT REPORT

CONFIDENTIAL

Prepared For:

Site Audited (Remote / Virtual):

___________________________________________________________________________

J.E.LINCOLN and Associates LLC phone 435-840-0252

P O Box 2786

St George UT 84771-2876 www.jelincoln.com e-mail jel@jelincoln.com

[page break]

COMPLIANCE AUDIT REPORT

CONFIDENTIAL

SITE:

AREA(S) AUDITED:

AUDIT TEAM: John E. Lincoln

DATE(S) OF AUDIT:

DATE OF REPORT:

PERSON(S)

CONTACTED:

[page break]

01. INTRODUCTION: [Background, scope, team, process, timing, approach …]

03. MAJOR FINDINGS AND OBSERVATIONS:

[Completed Matrix findings and expamded discussions of findings]

04. RECOMMENDATIONS:

Signed:

Printed Name: John E. Lincoln

Date:

-- END OF AUDIT REPORT BODY –

Attachments: 1 – ISO 13485:2016, Filled-In Audit Matrix

2 – Current Company SOP Listing.

3 – Audit Plan

4 – Audit Flow Chart

-- jel@jelincoln.com

Remote / Virtual Audits - Internal or Vendor Audits - The Audit

Conduct per the Audit Plan, adjusted by any client / team feedback.

The Audit CGMP Sub-clause Matrix (ISO 13485 or 21 CFR 211, or 820, etc):

EU ISO 13485:2016 COMPLIANCE AUDIT MATRIX

The following are ISO 13485:2016, Quality Management Systems for Medical Devices clauses (may be used as an audit checklist):

Clause Description Reviewed (‘Y’ or ‘N’) / Comments

4 Quality Management System

4.1 General requirements

4.2 Documentation Requirements

4.2.1 General

4.2.2 Quality manual

4.2.3 Medical device file

4.2.4 Control of documents

4.2.5 Control of records

5 Management Responsibility

5.1 Management commitment

5.2 Customer focus

5.3 Quality policy

5.4 Planning

5.4.1 Quality objectives

5.4.2 QMS planning

5.5 Responsibility, authority and communication

5.5.1 Responsibility and authority

5.5.2 Management responsibility

5.5.3 Internal communication

5.6 Management review

5.6.1 General

5.6.2 Review input

5.6.3 Review output

6 Resource Management

6.1 Provision of resources

6.2 Human resources

6.3 Infrastructure

6.4 Work environment and contamination

control

6.4.1 Work environment

6.4.2 Contamination control

7 Product Realization

7.1 Planning of product realization

7.2 Customer-related processes

7.2.1 Determination of requirements

related to product

7.2.2 Review of requirements related

to product

7.2.3 Customer communication

Page 2

Subpart Description Reviewed (‘Y’ or ‘N’) / Comments

7.3 Design and development

7.3.1 General

7.3.2 Design and development planning

7.3.3 Design and development inputs

7.3.4 Design and development outputs

7.3.5 Design and development review

7.3.6 Design and development verification

7.3.7 Design and development validation

7.3.8 Design and development transfer

7.3.9 Control of design and development

changes

7.3.10 Design and development files

7.4 Purchasing

7.4.1 Purchasing process

7.4.2 Purchasing information

7.4.3 Verification of purchased product

7.5 Production and service provision

7.5.1 Control of production and service

provision

7.5.2 Cleanliness of product

7.5.3 Installation activities

7.5.4 Servicing activities

7.5.5 Particular requirements for

sterile medical devices

7.5.6 Validation of processes for

production / Service provision

7.5.7 Particular requirements for validation

of processes for sterilization and

sterile barrier systems

7.5.8 Identification

7.5.9 Traceability

7.5.9.1 General

7.5.9.2 Particular requirement for

implantable medical

devices

7.5.10 Customer property

7.5.11 Preservation of product

7.6 Control of monitoring and measuring

devices

8 Measurement, Analysis and Improvement

8.1 General

8.2 Monitoring and Measurement

8.2.1 Feedback

8.2.2 Complaint handling

8.2.3 Reporting to regulatory

authorities

8.2.4 Internal audit

8.2.5 Monitoring and measurement

of processes

8.2.6 Monitoring and measurement

of product

8.3 Control of nonconforming product

8.3.1 General

8.3.2 Actions in response to

non-conforming product

detected after delivery

8.4 Analysis of data

8.5 Improvement

8.5.1 General

8.5.2 Corrective action

8.5.3 Preventive action

# # #

-- jel@jelincoln.com

Remote / Virtual Audits - Internal or Vendor Audits - Audit Plan

Audit Plan (published in advance of audit; for a one day audit' smaller company):

AUDIT PLAN

I plan for a basic one day remote / virtual ISO 13485 compliance audit to follow the ISO 13485:2016 International Quality Management Standard for Medical Devices, per your request.

Preliminary Schedule:

[Note: If any of the following can be segregated or collected prior, it would facilitate the thoroughness of the audit]. Times are approximate.

Since this is a remote / virtual audit, much information will be by question and answer, e-copies and/or PDF’s of some documents, and possibly live camera shots of some areas, documents, etc.

8:00 AM Approximate arrival by Zoom.

8:05 AM Meet with Company / Quality Management Team:

o Review Audit Plan; make any desired changes in focus / emphasis

o Review corporate history, relationship, management/Org Chart(s), product line, registrations / certifications, marketing ads /claims.

8:30 AM “Tour” of facility, review of physical activities, gathering of any forms, supporting documentation not previously obtained, develop rough flow chart -- preferably in the following order:

1. ‘Back office’/support staff activities (purchasing, customer service);

2. Raw material, parts components receipt/ QC;

3. Manufacturing/assembly/processing, test / QC, operations;

4. Product shipment / QA;

5. R&D;

6. Engineering;

7. QA/RA;

8. Senior Management and documented involvement in QMS.

9:30 AM Review all applicable ISO 13485 requirements per Check List.

10:30 AM Detailed review of company QMS-related SOPs / written documentation

and/or forms, Work Instructions, Quality Manual (SOPs and QM previously provided), e.g.:

1. Purchasing/POs;

2. Receiving documentation, Invoice verification/control;

3. Inventory, non-conformance (rejects, damaged parts/product...) control;

4. Product assembly, test procedures and/or work instructions;

5. Packaging, shipping, servicing, returns...);

6. Validation Reports;

7. Design and Development Planning / Files;

8. Device Risk Management Files, ISO 14971:2019;

9. Use Engineering Files, IEC 62366-1:2015, if applicable;

10. Other Audits (Internal, Vendor, Regulatory…);

All applicable activities addressed by SOP, WI, and followed, proved by documentation.

12:00 Noon Lunch Break (start draft report)

1:00 PM Review any outstanding issues

1:45 PM Dismiss team; Start drafting the Audit Report / Regulation Sub-Clause Matrix

4:30 PM Close-out meeting with QMS team/senior management (as available).

5:00 PM Conclusion.

Note: Sequences approximate, based on areas requiring in depth review; but audit content will basically follow outline above. In order to better benefit from this audit, the company’s QMS Team should review ISO 13485:2016 and our supplied Check List and Plan to get a flavor of the audit’s areas of emphasis.

After the Draft’s findings have been agreed to, a Corrective Action Plan will be drafted.

Assistance in Corrective Action is not part of this Plan.

The Final / Formal Audit Report will be mailed in approximately two weeks following audit’s conclusion.

-- jel@jelincoln.com

Wednesday, November 3, 2021

DHF, Risk Management, Use Engineering

One of the participant who attended the 6-Hour Virtual Seminar on The DHF, DMR, DHR, EU MDR Technical Documentation Similarities, Differences and The Future asked:

I would like to ask what I need to do for legacy medical devices (FDA Class 2).

My company has 510(K) clearance back in 2000. Since most of the requirements happened post 2000, may I know what I should for the legacy medical device related to:

DHF (should I remediate it?) – some of the info may not be available (i.e., design review/meeting minutes/decision, formal approval (no proper documents control before), other validation records)
ANS: Where the DHF was complete in 2000 . it does not need remediation. Areas of incompleteness can be added by researching old documentation, interviews, lab books, etc. and added (not backdated) to the DHF with explanation. Known missing data can also be stated and a document / memo to file added (actually or as an addendum). Subsequent changes are addressed in the DHF if your company keeps it open / controlled, but as I mentioned in the webinar, I don't recommend that. I recommend changes controlled by 1) a new DHF if extensive, 2) an addendum to the old DHF if extensive, or 3) use the CGMP Change Order system, 820.40(b). In all cases, a change, single or cumulative, must be evaluated / documented, as to the need to file a new 510(k). Remember to view the DHF through both regulatory and IP (intellectual property) "eyes".

Risk Management (RM) – DHF has been closed and now tracked under DMR – do I need to go back to update RM (per latest standard) during design stage which has been closed? Or update incremental to the latest standards? Or it’s OK to meet RM requirements at the time of design stage & no further work required (perhaps only periodical review post-market)?
ANS: Although RM should be done as part of the Design (Design Control, 820.30, ISO 13485 7.3) process. since RM drives all device decisions throughout its lifecycle, the RM File must be a living / controlled document, updated as new applicable information becomes available (through CAPA, V&V, industry data, annual quality review, etc.). That's why I recommend in the webinar that the RM File and Use Eng'g File (if any) have a non-controlled copy in the DHF (or a pointer to it/ them), of the version used during the design phase, prior to Design Transfer , and the actual RM (UE) Files be active and controlled (change controlled). The new version of ISO 14971 adds the need to add systemic RM considerations to the QMS. Any change in emphasis re: Device (not QMS) RM based on the new 14971 rev could be addressed during one of those reviews / file updates.

IEC62366 – As it comes after 2000 which was not done before during 510(K) approval, do I still need to do it if no major changes to medical devices which have been shipped to market for ~20 years? I come across User Interface of Unknown Provenance (UOUP), what’s the minimum efforts that I need to take?
ANS: You as a company need to decide based on novelty of your device and any user interface concerns that are still applicable 20 years later. Human factors was a concern with the FDA in 2000, when they starting publishing documents on it. If your product / family has minimal field problems due to design / interface issues, I personally haven't seen regulatory agencies raise an issue about it.
ANS: If the use interface falls under UOUP, you should consider all 9 stages of 62366-1, and revisit those that don't appear to be addressed, and/or pose a high risk to the end user / patient; and document this evaluation - basically a Gap analysis. Some devices are so obvious as to use (or are subject to med school, et al, training) that a UE analysis may not be justified, e.g., standard needles. Address in your applicable SOPs, and by a written rationale / letter to file.

-- jel@jelincoln.com