5 Tips to Pass Your FDA or ISO Audit with Confidence
Why passing an FDA audit is crucial
An FDA or ISO audit is a necessary and potentially difficult part of doing business for any medical device manufacturer. For startup medical device manufacturers the first audit of your processes can be as nerve-racking as the first time you defended your business plan before venture capitalists, submitted your first 510(k) application, or delivered your product to market. Maybe more so, because you know that finding yourself on the FDA watch list could frighten away potential customers and investors, and perhaps severely handicap your hard work and company goals.
FDA and ISO Audit stories from medical device startups
We spoke with three startup manufacturers of Class II medical devices who had passed their first post-market FDA and ISO inspection audits. At the time of these audits, none of these manufacturers offered predicates of their own devices, so their future business viability hinged on a successful audit of their sole product line. To ensure candid responses and to safeguard corporate information, the actual names of the companies, their products, and their representatives have been changed.
Perform a mock FDA audit
John, the director of quality assurance and regulatory affairs for a company that makes laser-based instruments for optical surgery, knew that they were overdue for both their FDA and state audits, and he was worried. He had issues with some of the processes at his company but was not certain his concerns were warranted. He determined that a mock audit of their process by a third party would provide the answers he needed.
“The mock audit went very poorly,” says John, “which was a good thing. It really shocked us into realizing that we needed to improve our quality processing system and our validation processes.”
Digital signatures were one of the areas of the validation process that the mock auditor hammered John on. “We had not been formally documenting our digital signature process,” says John. “We were using a one-paragraph form that people signed to indicate their understanding of 21 CFR Part 11.
“As a result of the mock audit, we really beefed up that part of our process with a complete form and fully trained our employees on why electronic signatures are so important to our company’s success and what their responsibilities are when they use their electronic signatures. Telling them that they’ll be fired immediately for misusing their electronic signature focused their attention.”
“I definitely believe that a hired gun is a good training process not only for individual staffers to know how to react and practice responding to auditors but it also helps you understand additional procedures that may not be required but would be beneficial to have,” says John. “The initial evidence you get from the mock auditor helps you impress upon and train employees that their work — without exception — needs to be of the highest quality possible.”
Empower your internal auditor to make changes
Nolan is the manager of quality engineering for a small manufacturer of instrumentation for phlebotomy procedures. He told us that his company’s first audit and its recently completed second FDA audit both produced no findings. He credits his company’s total commitment to quality and its roaming internal auditor, a full-time employee, for this success.
“Our internal auditor rotates around the company and does pre-audits all the time,” says Nolan, citing one of the two keys to how the internal auditor, a former FDA inspector, operates. The second key is that the company has empowered the auditor to force changes to its processes rather than just generate a report with recommendations. In theory, although it has never happened, the auditor can even shut down a department if he feels the situation merits it.
The internal auditing process works like this according to Nolan: The auditor prowls around the company inspecting individual departments, probing into what employees are doing, and ensuring that all actions comply with the company’s standard operating procedures (SOPs). If he finds something at variance or in need of improvement, he develops a remedial action program in collaboration with the departmental managers.
Nolan stresses that having an internal auditor, no matter how thorough, is no reason to avoid preparing for an audit. “We spent the summer really going through our quality system, reviewing every SOP, and making any appropriate changes before our last audit,” says Nolan. “We did a risk assessment and focused on those areas where we thought we needed to improve. This took a couple of months.”
Show the auditor you do what you say
Ken, a 20-year veteran of the medical device manufacturing industry, knows about audits at a startup. His three-year-old company, a developer of endoscopic video systems and components, has been audited three times by its own consultant auditor, twice by its biggest customer, and by ISO auditors, the FDA, and the state. None of the audits uncovered any major findings, and Ken asserts that’s because the company has tight control over all its documents and data, which in turn gives them tight control over their processes.
Ken’s company started out by making sure that it had its data logically arranged and its processes well organized so that they would not encounter any trouble with auditors. “We broke up our quality system into manageable objects correlated to the appropriate standards,” says Ken, the company’s vice president of engineering.
Ken cites digital signatures as an example of the effort they put into getting their processes right. “We spent the time and expense to learn what it is that a company and its employees must do to execute 21 CFR Part 11 correctly. We then trained every employee thoroughly in their responsibilities. It really wasn’t hard. The guidelines are good.”
“We believe that process is the shortest distance between two points,” says Ken. “So, we stick to our process aggressively. Our prime directive is ‘say what you do, and do what you say.’ We’ve written down our SOPs and trained our people to implement the protocols. We continually review results, solicit feedback, and hone our system. I never wake up at night wondering if we missed something in our quality processes.”
Five Tips for Passing Your FDA Audit with Confidence
Passing a regulatory audit is the first priority of any manufacturer of medical devices. It can be an especially scary time for startup firms. All three medical device startups agree that if you take the time to organize your procedures, documents, and data in a clear, logical order, facing an audit doesn’t have to be so frightening. Here are their five tips to help you prepare for your next audit.
1. Document Your Standard Operating Procedures (SOPs)
Always “say what you do” in your SOPs. Capture the overall requirements of your procedures in sufficient detail to thoroughly document your activities. But do NOT record the specifics of every action within a given procedure — you will trap yourself. Too much detail in your SOPs makes it easy for an auditor to find you in noncompliance with what you say you do. Remember to solicit feedback from your staff regularly and to review and update your procedures often. Frequent reviews will keep your SOPs current and in sync with your processes as you fine-tune them over time.
2. Train Your People
Spend time and effort to thoroughly understand the regulatory standards that govern your business. Then, budget sufficient time and money to train your team so that they understand and comply with the regulatory standards completely. Establish and maintain complete training records for each employee to prove to an auditor that your staff is well trained and that they do what you say they do.
At regular intervals, review the regulatory standards that govern your business and revise and update employee training in response to changing standards as needs require. To prevent complacency from slowly creeping into your process and to demonstrate your ongoing commitment to quality, hold occasional training sessions that refresh the skills of your employees.
3. Control, Track and Manage Your Data Electronically
By maintaining complete digital records of your processes, design history file (DHF), device master record (DMR), and bills of materials (BOMs), you demonstrate your commitment to quality, accuracy, and thoroughness. With your SOPs and product data in a secured electronic repository, you can respond to an auditor’s request for any document or record at a moment’s notice. Make sure to implement a proven system for electronic data and document management to maintain data integrity. Auditors will suspect the reliability and security of a home-grown data and document control system.
4. Audit Yourself
Empower your internal auditors to change processes, not just make recommendations. Keep senior management involved in process improvements and ensure that remedial actions happen on time and on schedule. Strengthen your internal auditing processes by hiring external, third-party auditors to perform vigorous mock audits. Not only will this provide you with a fully objective analysis of your company’s performance and procedures, but your team will also get real-life training in what to expect during a formal audit.
Remember that third-party auditors can have a wealth of experience that can help you improve your company’s processes in many ways beyond passing your audit. Make sure to solicit their input and suggestions for insights on how you can become a better organization.
5. Have the Proof at Your Fingertips
Do not try to evade an auditor’s request for a document or say that you have data you do not have. If you do not have what an auditor wants, admit it. Auditors believe evidence and not people. The faster you can produce evidence that satisfies your auditor, the better the impression he or she will have of your business.
Create complete product history files with all the documents and information — SOPs, BOMs, ECOs, authorizations, reports, reviews, and hurried notes — that prove to an auditor that you “do what you say.” Be able to access your data and documents quickly and easily to demonstrate that your company has tight control over its processes and procedures.
Face your audit with confidence
Arena QMS enables medical device manufacturers of Class I, II, and III devices to address FDA regulations 21 CFR Part 11, 21 CFR Part 820, and ISO 13485 requirements. Using Arena QMS, you can confidently face audits, gain control of your device master record (DMR) and design history file (DHF), and efficiently manage your quality and compliance documentation.