Common Medical Device Quality System Pitfalls — And How To Avoid Them, Part 2

In Part 1 of this article, we looked at five mistakes medical device companies make during the quality management review process. In this installment, we turn our attention to measurement, analysis, and improvement activities — where several problems can occur and what you can do to prevent them.

Pitfall #6: Inadequately documenting nonconforming product investigations
Another area where manufacturers often struggle is in documenting nonconforming (NC) product investigations. If a manufacturing facility produces a product that is out of spec — say they received materials from a supplier that were unacceptable — they need to first segregate those products and conduct an investigation into why the problem happened before the product is released.

Some medical device companies run into problems because they fail to document their NC product investigations sufficiently. Even if the investigation concludes that that everything was fine with the product, you need to have written evidence to support that claim. The documentation must clearly show that the investigation took place as stipulated in your procedures (e.g. that the parties who were supposed to be involved actually participated), and that the investigation found that the product was still acceptable throughout all production stages before release.

For example, it is not acceptable to say, “We did some rework for this product, because we found it was a little bit different than what we expected when we did the testing.” This lack of specificity will raise a host of questions in the mind of an inspector. Was that rework approved? Was it validated? Is there enough data to conclude it is acceptable? Was it actually different than what was originally approved and validated? Did the appropriate personnel review and approve the rework?

Not having this documentation in place would make an auditor or investigator question whether the quality system was followed or shortcuts were taken to put the product into the field. You will invariably run into problems with regulators if you don't have good documentation to show how you control any nonconforming materials and products.

Pitfall #7: Waiting too long for supplier responses to nonconforming product inquiries
In NC product cases like the one described above, it can often take some time for suppliers to respond to requests for information. They may be located in another country. They may be a small supplier that is unfamiliar with conducting root cause analysis. You may need to spend a great deal of time educating them and figuring out a way to get the information in a timely manner, so you can resume production.

Regulators will be unsympathetic if your explanation is “we are still waiting to hear back from the supplier” when they inquire about such delays. They will undoubtedly ask you questions like: If this supplier is unresponsive, why are you still buying from them? If it takes them this long to conduct an investigation, what are you doing to expedite that process?

You may need to contact a supplier’s quality managers or get on site to help speed things along in such cases. Better still, you should have previously defined quality agreements with them, especially if it is a critical supplier. Such agreements may stipulate, for example, that they have a week (or whatever you define as acceptable) to respond to NC product inquiries in the event that they supply a defective component.

In fact, regulators will ask about your service levels with your supplier. And if a supplier consistently fails to meet them, manufacturers are expected to take appropriate actions. It is up to the organization to determine what those actions would be, from canceling orders or increasing supplier audits to disqualification of those suppliers.

Pitfall #8: Not keeping a good internal audit trail
Periodic internal audits are a requirement of almost every regulatory body around the world. One thing I often see companies struggle with is having a robust system in place to capture internal audit findings. It is really important to have all aspects of your audit process clearly documented to show that you are doing a thorough job. Before closing out a finding, you have to verify and document the effectiveness of your corrective actions to demonstrate that the controls that were put in place will prevent the problems from recurring.

You may determine, for example, that an audit will focus on a specific section of the standards, and even assign the right people to conduct the audit. But do you produce enough documentation to show that you actually followed through with all the applicable requirements? What questions did you ask to show that you are covering all sections of a particular regulation or standard? Audit plans and reports must be able to demonstrate that you are covering the regulations applicable to the countries where you are commercializing your devices.

It is important to keep good audit trails. The more detail that you and your auditor can provide, the better, because then you have more objective evidence to prove that your audits are robust.

Pitfall #9: Allowing the appearance of bias
When selecting employees to handle different elements of your internal audits, you need to be careful to avoid possible conflicts of interest. You have to make sure there is independence.

You don’t want to have a person auditing their own work — or their team’s work. For example, you would never have a quality manager auditing quality elements of the process. You also wouldn’t want someone auditing their manager’s work, since this could give the impression that they would avoid reporting information that would paint their boss in a bad light.

Pitfall #10: Failing to use a risk matrix for internal audit scheduling
International standards require that you audit critical processes more often than those of lesser importance. For example, say you have a Class III device that requires several sterilization cycles, and you have had issues with sterilization in the past. Regulators will want to see that you are auditing the sterilization process more frequently than your purchasing process, since sterilization is a critical process within your organization.

And if you don't have that prioritization documented, it could end up becoming an observation or a finding for some regulators. You need to use some kind of a risk matrix to show that you evaluated the significance of each process, and based on that risk evaluation applied an appropriate frequency to your internal audit schedule. Regulators will definitely want to see that you are using this important risk management tool.

Pitfall #11: Improperly auditing your audit program
You are also required to audit your internal audit program, to ensure it is doing what it's supposed to.

One of the challenges in conducting an audit of the audit process is establishing who is going to be involved. Auditors need to be “qualified,” and it’s up to you to define how they become qualified. Do they need to take a class outside of the facility, like a lead assessor class? Does it have to be an 8-hour class, a 16-hour class, or some other duration? Should they have a specific combination of class time, a certain number of years’ experience, and time spent observing audits? These kinds of questions always come up, and if you don't have these requirements very well defined, it could be a problem.

Standards or regulations do not prescribe how to do this, but they state that you have to define “competence” for those auditors and conduct audits frequently. It's really up to each manufacturer to define what they think is appropriate for their product.

However, you have to justify your decisions. Typically this takes the form of a procedure that explains the rationale behind auditor choices. It is important to have these things defined ahead of time.

For example, you may want to have the microbiology department audit the audit program, or bring in someone external, to avoid any bias. An approach like this can demonstrate that the program is meeting expectations without any prejudice.

Pitfall #12: Having poorly defined CAPA timeframes
Often, a corrective and preventive action (CAPA) investigation will reveal problems that will take months to fix properly. Perhaps you need to hire additional employees, buy new equipment, install new systems, or perform other time-consuming tasks to correct the issue.

While this is perfectly acceptable, you must clearly define how long each phase of your CAPA will take, provide appropriate rationale for activities that will take a long time to implement, and explain what you plan to do if you go beyond the specified timeframe. It is important to have defined timeframe criteria for CAPA resolution as part of your CAPA procedures. Regulators don't want to see CAPAs staying open forever without resolution and management support.

Your CAPA resolution plan should also allow for exceptions, in case things do not go exactly as planned.

Pitfall #13: Allowing a disconnect between root cause and corrective action
In some cases, manufacturers identify the root cause, but their corrective action ultimately has nothing to do with it. This sounds very trivial, but it is a common mistake.

Why does this happen? Perhaps the problem is extremely complex — there are too many people involved and too many things that could have contributed to the root cause — and you end up focusing on only one of the five actions you need to do. Or maybe you end up with two root causes, and you come up with a plan for one but not the other. The owner could have inherited CAPA actions from someone else without the necessary context, or it just got lost in translation. Sometimes, the owner simply loses sight of the root cause.

You need to be vigilant about this. Many companies have CAPA boards that scrutinize root causes and corrective actions. They look at them from an auditor or regulator perspective. Those boards are typical cross-functional, so you have representation from different areas and everybody's really thinking outside the box to ensure the CAPA will be robust enough.

Have you experienced these pitfalls at your organization? What steps have you taken to correct and prevent them? What other issues have you encountered that others should avoid. Please share your thoughts in the Comments section below.