Two Major CGMP Non-Conformances - CAPA and "Risk"
I have recently completed US FDA remediation assistance with two companies outside the US, manufacturing product sold in the US - one in Europe, one in India. They had had several Notified-Body inspections of their QMS to ISO 13485, with great results. However, they failed their first CGMP inspection by a US FDA CSO.
The key reasons for the failures in both cases, both resulting in Warning Letters (primarily due to CAPA), were:
1. Poor CAPA systems and lack of trending; and
2. Wrong definition of risk, as in "risk-based" activities.
Let's focus on the second (for information on CAPA trending, see the post of 08/04/2020; for CAPA problems leading to 483 Observations, see FDA's Inspectional Observations database at fda.gov:
https://www.fda.gov/inspections-compliance-enforcement-and-criminal-investigations/inspection-references/inspection-observations ).
I find that outside the US, many companies adhere to the basic premise of ISO 31000, i.e., risk is business risk, legislative risk, regulatory risk, schedule risk, financial risk, budget risk, etc. And these are real risks to a business, and have to be considered. But - the key point of this blog - those other legitimate definitions of risk aren't what the FDA is focused on when it talks "risk".
This broader definition of risk exists in US companies selling to the US market as well, but regulatory inspections, which in these cases are US FDA-administered, neither support it nor allow it to perpetuate in the QMS. Any confusion over definitions is quickly addressed by the first FDA inspection, and is not supported by any alternate QMS inspection paradigm (unless the company is also selling product outside the US, and is thus subject to Notified-Body audits as well), as was the case with those companies in Europe and Asia.
When the FDA talks "risk-based", they're talking about ISO 14971 risk ONLY, i.e., per ISO 14971:2019, "Introduction", pg. vi, para 3:
1. Risk to patient (safety of the patient in use of the product);
2. Risk to the clinician (facilitating the patient's use of the product); and
3. Risk to the use environment.
Nothing else!
Such a definition of risk must permeate the company's QMS / CGMP system, must be part of the product design process (ISO 14971 for devices under Design Control, 21 CFR 820; and ICH Q9 for pharma), and must be part of the Failure Investigation / Root Cause Analysis process in CAPA resolutions, Verification and Validation issues, and similar.
Note: Another key reason for 483 observations, not part of the above discussion, is failure to follow one's own company's SOPs / WIs, leading to "adulterated" product.
- jel@jelincoln.com
Updated 06/20/2022 - JEL
Further update: Recently the FDA has added security risk (i.e., cybersecurity) to its use of "risk-based". So, based on the FDA's use of the word and its context, FDA risk can mean either 1) patient/user/use environment safety risk (ISO 14971 / ICH Q9), or 2) cybersecurity risk (see their Guidance Documents on the subject), which ultimately translates into patient, et al., risk as well.
One such Guidance Document: "Cybersecurity in Medical Devices: Quality Systems Considerations and Content of Premarket Submissions", Draft of April 2023, beginning at line 304:
"The process for performing security risk management is a distinct process from performing safety risk management as described in ISO 14971:2019. This is due to the scope of possible harm and the risk assessment factors in the context of security may be different than those in the context of safety. Also, while safety risk management focuses on physical injury or damage to property or the environment, security risk management may include not only risks that can result in patient harm but also those risks that are outside of FDA’s assessment of safety and effectiveness such as those related to business or reputational risks." - JEL 08/11/2023