Medical devices have been responsible for more than 80,000 deaths since 2008, according to STAT. The total number of complications resulting from faulty devices would be difficult to count.
One hernia mesh manufacturer now faces over 1,800 federal lawsuits related to complications from the use of its products. So, it's no wonder that FDA and ISO regulations are strict. The bodies are taking action to protect patients from preventable death and injury by introducing stricter standards for medical device manufacturers.
By dodging some of the most common medical device compliance problems, you can not only ensure you pass the regulations, but safeguard your company from some of these catastrophic possibilities.
5 Destructive Medical Device Compliance Problems
Compliance isn’t simple for medical device manufacturers. It’s impossible to align your organization with FDA requirements if you lack visibility into your quality management systems. Device manufacturers received 1,033 483 observations last year for QMS breakdowns which resulted in inconsistent CAPA, complaint handling, data integrity procedures, and other issues. Transparency is key to manage and monitor product quality throughout the device lifecycle.
Using a simple eQMS makes for better compliance across the whole organization. If quality compliance is hard, people won't do it. Avoid the most common and destructive medical device compliance problems with a cloud-based QMS like Qualio, which is built in accordance with FDA standards for manufacturers to avoid breakdowns in your quality processes.
Our software is built with the specific needs of young companies with 5 to 500 employees in mind. We've prioritized simplicity, scalability, and world-class support and onboarding to help startups and scale-ups get to market quickly and maintain a constant state of audit-readiness. Learn more about our eQMS here.
Problem #1: Risk Management
In April 2018, a device manufacturer received an FDA observation for several instances of risk management non-compliance, including incomplete and inconsistent documentation. Despite the fact that inadequate product packaging was a life-threatening infection risk, the manufacturer left this field blank on the input-output risk table.
Earlier this year, an Indian-based manufacturing form was placed on import alert by the agency for several large-scale risk management failures. “Our investigator observed vermin, such as birds and insects, in the facility near open equipment used for drug manufacturing,” the FDA said. The organization failed to complete both product and contamination risk assessment.
Most risk management pitfalls aren’t nearly as egregious as the second manufacturer’s failure to protect the production environment from insects or birds. More often, organizations fail to document risk consistently throughout the QMS, like the first manufacturer. Common risk management pitfalls which result in compliance challenges include:
- Failure to reduce risks as far as possible, instead of to a perceived acceptable threshold
- Failure to establish risk control measures, especially for unacceptable risks
- Complete, accurate risk/benefit analysis for all risks
- A lack of risk management in design control processes
- Over-reliance on FMEA, to the detriment of ISO and compliance requirements
- Treating risk management as a checkbox, instead of a cultural objective
Problem #2: Staff Training
Last year, the FDA issued 46 warnings to device manufacturers about staff training. Nearly five percent of warnings cited “procedures for training and identifying training needs have not been adequately established.” An additional 40 warnings cited organizations who didn’t document training activities or inadequately trained personnel.
While training didn’t officially crack the top five reasons organizations received compliance warnings from the FDA, the data doesn’t tell the full story in this case. Nearly every 483 observation has a training component. When organizations fail to follow procedure, there was a training breakdown.
Getting your training down is the first step to compliance, and it should take place long before an FDA inspector sets foot in your facility. Every member of your organization needs training on FDA and ISO standards, and this training should be captured and documented in your eQMS software. Verify that your training isn’t a barrier to other compliance risks by ensuring you meet all of the following best practices:
- Do SOPs and guidance documents capture cGMP requirements and quality expectations?
- Do all personnel have the necessary knowledge and training to perform their role?
- Have all requirements been translated into training, assigned, and tracked?
- Does every member of the workforce understand the “big picture” importance of SOPs?
Problem #3: CAPA
Nearly half of all 483 observations issued to device manufacturers last year cited inadequate or inconsistent CAPA. One warning letter to an Indian life sciences company cited several examples of deviations from cGMP for corrective and preventive action.
- After discovering a defective input, only a small portion of products were tested. Non-tested products were assumed non-defective.
- The company tested only products with visible defects after receiving complaints. Invisibly defective products were shipped, leading to a product recall.
Other companies have been cited for CAPA failures related to documentation or data analysis breakdowns. These include failure to analyze complaints or non-conformances to discover patterns. Other manufacturers have been cited for closing CAPA investigations early or failing to validate and document corrective actions.
The agency expects manufacturers to comprehensively assess their systems for investigations of deviations, atypical events, complaints, out-of-spec results, and failures. When a root cause investigation results in preventive or corrective action, manufacturers must assess the CAPA to ensure it’s effective.
Problem #4: Complaint Procedures
A July 2017 483 observation cited a manufacturer's failure to take appropriate action on customer complaints received and logged via phone lines. SOPs didn’t designate the call log as a possible complaint source, which resulted in a process breakdown. The firm “failed to adequately review entries recorded by the technical service department,” among other issues cited by the agency.
Another late 2017 observation at a major life sciences enterprise found critical breakdowns in how complaints were handled. 129,736 complaints (97% of total) were closed “based only on the assigned... code” without proper investigation. 104 complaints were assigned a code which signified potential serious injury or death, but only 49% of these high-risk complaints were escalated.
The FDA requires device manufacturers to properly investigate and report complaints on any devices that are sold within the US. It’s easy to overlook complaints or investigations, especially when you’re dealing with process breakdowns. In the case of the two manufacturers profiled above, improper process and technology lead to massive oversights.
21 CFR 820.198 and ISO 13485:2016 section 8.2.2 require investigation of all received complaints. This includes documenting:
- Device name
- Complaint date
- Device identification data
- Contact information
- Corrective action
- Complainant follow-up
Replicating investigations isn’t necessary if a second complaint is received, but every unique complaint needs to result in a comprehensive investigation, and if necessary, reporting and corrective action. Organizations need a standardized process and transparent systems to comply with cGMP for complaint handling.
RELATED READING: The 6 Most Common Warnings for FDA 21 CFR 820 Noncompliance
Problem #5: Data Integrity
An August 2018 FDA warning to a Japanese manufacturer cited many instances of data integrity non-compliance. The manufacturer retested and manipulated data results and had an operating environment in which “test data could be easily manipulated.” Other observances at the same manufacturer included:
- Failure to prevent unauthorized access or changes to data in computerized systems
- Failure to control against the omission of data
- A lack of audit trails in software system
- No unique usernames and passwords
- Uncontrolled, unvalidated Excel worksheets for statistical evaluations
There are clear compliance, safety, and ethical issues when it comes to manipulating data. Your company has much bigger issues than compliance if you’re knowingly “massaging” your quality data to produce a different outcome than the truth. However, deliberate manipulation isn’t the only reason companies can fall outside cGMP for data integrity. The Japanese manufacturer’s computer system issues are a clear example of unintentional failures.
Data integrity requires traceability and information security in your quality management system. Auditors need to be able to clearly see, based on access controls and digital signatures, who created data and who approved it. This is nearly impossible if you’re relying on spreadsheets or shared usernames for an eQMS. A cloud-based 21 CFR Part 11 compliant software can streamline data integrity compliance and provide clear traceability for quality data.
Moving Beyond Compliance Focus to a Quality-Driven Culture
Firms in highly regulated industries have been warned for years to avoid a “checkbox mindset” to compliance. Recent FDA warning letters prove that a quality-driven culture is the only way to guarantee survival in a tough compliance ecosystem. Organizations need to close the loop on product data by proactively monitoring and responding to non-conformances throughout the lifecycle to avoid medical device compliance problems and lead the market in quality.
You can mitigate many of the most common and damaging compliance risks with smarter tools for transparent quality management. While some device firms are guilty of egregious quality issues, many others experience a simple process breakdown that resulted in a 483 observation. It’s easy to have inconsistent documentation or miss customer complaints if you lack company-wide visibility or tools for simple compliance.