When you talk about "regulatory compliance" in the context of Medical Systems, in addition to the well-known aspects of GMP/GCP/GLP FDA and the equivalent EU / Canada / Japan / China / etc. compliance standards, one must consider other, broader aspects of compliance such as the ones related to contracts, payments, anti-kickback, foreign corrupt practices, sustainability, carbon emissions, ROHS, OSHA, etc.
Since the state of compliance is generally determined by an external third party (through a regulator or an authorized contractor audit), an activist regulatory affairs group would make a case for going all out and implementing any and all published guidance and best practice details in an attempt to "audit-proof" your quality system. Unfortunately, the cost of adopting such a "worst case scenario" strategy will be punitive to the bottom line, potentially impacting not just margins but also time to market and / or competitive feature sets.
A more minimalistic mindset (found most prevalently in startups and smaller companies) would lobby for implementing only what is absolutely necessary to pass a superficial, high level external audit -- and nothing more. Unfortunately this approach is akin to playing Russian roulette - just because you passed an external audit yesterday does not necessarily mean that you will pass another one tomorrow; it only means that you were lucky that the auditor did not probe in the areas of your weakness (yet).
So, how do you decide to what level of detail & intensity you should develop procedures and ensure "compliance" (as defined by the average external auditor probing at random) in each of these areas?
The key insight is that, to the regulator, adequacy of compliance is judged based on the perceived level of risk to society (the general population) a company and / or its marketed products might pose.
Based on this key insight, the right approach then would seem to be to establish and maintain a dynamic cost-optimized balance of the level of detail within each compliance related area based on the potential level of risk the company and its product(s) can pose in the market(s) where it competes, the regulation(s) which are applicable, and the state of compliance of its main competitors similar in size and which sell in the same or similar markets.
Are you doing this already? If so, how is it working for you?
Wednesday, August 31, 2011
Tuesday, May 17, 2011
Top 7 Due Diligence Pitfalls – How To Avoid?
So you are contemplating the acquisition of a small company with an exciting product and technology that seems to complement your own. The few early adopters seem relatively pleased, your marketing team is quite excited about the market potential, and the financial model (based on the proverbial “hockey stick” sales forecast) seems to work out. Your legal team gives you the green light as well.
Two weeks before the closing, you send your due diligence team on location. Based on the initial conversations with the target, you already have a very good feel about this. Looks and sounds like a done deal, right?
Well, studies show that more than 85% of such acquisitions fail to deliver against initial expectations, and most by a wide margin. A post-mortem analysis study on small company acquisitions by large corporations that ended in a significant (80% and greater) capital loss to the acquirer point to discounted issues already found in due diligence as the main drivers of the ultimate financial non-performance.
Let’s examine the 7 top reasons why, and how you could save millions just by avoiding these pitfalls.
1. The underlying technology is a solution looking for a problem. Many “groundbreaking innovations” have failed spectacularly even if there were a few early adopters and technology enthusiasts. The “hockey stick” never materializes. Perhaps the product was developed as a custom solution for a few people and then packaged and sold to you as the “next revolution”?
2. Ignoring manufacturability sourcing, quality, and yield issues. The “dream product” works well as a prototype and perhaps even in small batch manufacturing, yet you are planning to ramp up significantly and the design is not mature and robust enough for that. The risk is identified; however it is discounted as a “manageable issue”. Even when it’s clearly not.
3. The product design is “almost done”. The product development team is ironing out a few last details, and the product will launch in a few short months. Be very circumspect in such situations. It is very likely that the remaining issues are not trivial, and they will not be “ironed out” without a significant additional investment, time, or both. The stability and market acceptance of a product can only be proven within six months or more after launch. It is almost always best to wait until “almost done” becomes “verifiably done”.
4. Ignoring quality systems and regulatory compliance scaling. The level of regulatory scrutiny correlates with the size of the company. The post-acquisition cost of bringing the state of compliance up to the acquirer’s standards is often misunderstood and minimized in due diligence, yet it becomes abundantly clear at the very next regulatory agency audit. In some extreme cases, the cost of the resultant remedial action can negate the entire financial upside – and then some.
5. Most of the key patents are either provisional or pending. The trap here is that there might be prior art and / or potential infringement issues in the space which might block your acquired product’s commercialization – or make it extremely expensive. There is usually not enough time to conduct a comprehensive claim analysis and prior art search in due diligence, so this is usually chalked up to the “risk bin” -- with no corresponding financial model impact as well.
6. Treating the earned-out agreement as a proxy for risk control. Yes, this will cover some of the risk as you will not incur some (or most of the) acquisition cost when sales do not materialize. However, this will not cover your opportunity costs and the additional personnel and operational resources you will have to provide for the post-acquisition integration and the subsequent manufacturing, marketing, and sales ramp-up.
7. Treating technical and regulatory due diligence as confirmatory. Good engineers are an introverted bunch, with a great deal of respect for authority. If the task is to confirm a decision already made, they know that they will encounter a great deal of resistance from their boss if they come up with hard reasons to stop the deal. So they will list the showstopper issues as “potential risks” and side with the team in recommending a “conditional go”. The “risks” are soon forgotten, until (most often than not) they end up materializing several years later at a great cost to you to either continue with the venture or to divest and write it off.
To get assistance in identifying and quantifying these “hidden” areas of risk in due diligence, based on your specific timing and situation, please visit www.priusmedical.com for more information.
Thursday, May 12, 2011
FDA audit next week – how to prepare? Five easy steps
You are a medical device manufacturer or service provider and you have just received a FDA Form 482 (Notice of Inspection) stating an inspection start date a week from today. What can you do to improve your odds of success?
Step 1. Determine the type of audit – pre-announced inspections (like this one) can be of two main types:
1. Routine Audits – these are audits conducted at random (periodically) to sample your state of compliance; most firms should expect a routine audit once every 2-6 years, depending upon its size and its potential impact on the public’s health & safety
2. For-Cause Audits – these are audits triggered by significant adverse events in the market: product recall(s), MDR(s), customer complaints to the FDA, etc. If this was the case, you would expect this audit since these events almost always trigger for-cause audits.
Step 2. Most auditors will request a copy of your firm’s Quality Policy and high level Procedures (including Management Review), Quality Manual, Quality Plan, or equivalent to better prepare for the audit. You are not required by law to provide the information prior to the audit, however:
- If your high level quality documents are solid, in the spirit of cooperation (and to start the audit off the right foot) you might consider sending them to the auditor as requested.
- If you suspect that there might be gaps in your top level quality documents, assert your right to not send the information ahead of the audit as you do not have to provide a reason. The downside is that you might raise suspicion and possibly even antagonize the auditor, so weigh this option carefully.
Step 3. The FDA’s Guide to Inspections of Quality Systems – Quality System Inspection Technique (QSIT) identifies the following 4 major areas of focus in an inspection:
1. Management Control
2. CAPA (includes MDR, Corrections & Removals, and Medical Device Tracking)
3. Design Controls
4. Production & Process Controls (includes Sterilization Process Controls)
Other areas of interest might include Facility & Equipment Control, Material Control, and Records / Documents / Change Control.
Conduct a thorough review of your Quality System (best with the help of an impartial external consultant) in all the areas listed above (as applicable to your business) and list all potential gaps at every level of your Quality System: Policy, Procedures, Work Instructions, Records.
As you will spend most of your time with records, prioritize -- the auditor is most likely to request samples related to the audit trigger (recalls / MDR / complaints to the FDA) in a for-cause audit, and the latest released products or services in a routine audit. They will also follow up on previous findings and promises to correct that you have made in previous responses to 483(s) and warning letters, so be prepared to have a solid story on those as well.
The method that works best to conduct this gap analysis is to use a visual mapping approach that matches the top-down and the bottom-up QSIT methodology that the auditor will use. Get all the interested parties in a conference room and map your Quality System elements hierarchically (top-down) on a whiteboard. Discuss and the procedural gaps will become evident.
For the “bottom-up” component, in a for-cause audit start with the “problem children” low level records that relate to the recall, MDR, or customer complaint which most likely will have triggered the audit and work your way up and across through your other components of your Quality System – was this complaint analyzed, was its root cause found, did it trigger a CAPA, do you have a CAPA plan, where is the CAPA now, did it trigger a correction or a removal, if so did you perform a Health Hazard assessment, did you send out a customer letter, did you inform the FDA if and when required, etc.
If this is a routine audit, follow the same steps above, starting with the most potentially impactful complaints, recalls, field defects, etc. related to the most likely targeted (newest on the market or linked to previous 483s or warning letters) products or services.
Make a list of gaps, prioritize based on severity and risk, assign a person responsible, and then have the team decide on a disposition: fix prior to the audit, put a plan in place (to be shared with the auditor only if the gap is found during the audit), or document the rationale for postponement (acceptable rationales are based on low impact probability and / or low risk to the public health)
Step 4. Rehearse the audit. This is best done with an external (impartial) consultant playing the role of the FDA auditor, and steering the lines of questioning across the most likely paths based on the type of the audit and the information that is believed to be known by the FDA externally. These lines should include a good mix of top-down and bottom-up threads, especially around the most important potential vulnerabilities as highlighted by the gap analysis.
As per the best practices for an FDA audit, set up a “front room” (where your regulatory affairs representative(s) will interface with the auditor and present copies of the requested documents) and a “back room” (where you would have your technical experts discuss the auditor’s questions and requests for document, and provide the appropriate information to your “front room” team).
Your “front room” team should include people with experience in interacting with regulatory agencies, skilled both from a legal standpoint and from a human interaction standpoint. They should be trained in answering the auditor’s questions promptly and sincerely, limiting the information provided to just the response to the direct question, never contradicting themselves or each other, and having a likeable personality to maintain a pleasant working atmosphere with the auditor at all times.
Step 5. Iterate and improve. Have the mock auditor take copious notes during each rehearsal. Examine and discuss the image presented to the auditor. Are you able to respond quickly and in a satisfactory manner? Are your answers and the information provided relevant and complete? Are you controlling the information flow to just the items related to the auditor’s requests? Unbeknownst to you, are you leading the auditor in other areas not related to his or her line of questioning? Are you courteous and polite? Would he or she have reasons to suspect insincerity or cover-ups? Repeat until you are happy with the results or until the audit starts (whichever occurs first). Unfortunately there is a hard deadline on this one.
Remember, you can’t fix all the gaps in the short time until the audit. Outside of the things you promised the FDA that you will do (and which you will still be held responsible for), if you know what the other gaps are and if you can show the FDA that you have reasonable remedial plans in place, then you should do reasonably well in the audit.
Each situation and each company is, of course, different. To address your specific situation, please visit ww.priusmedical.com for further details.
Each situation and each company is, of course, different. To address your specific situation, please visit ww.priusmedical.com for further details.
Wednesday, May 11, 2011
How to verify CAPA QSR compliance - 5 key elements
CAPA-related QSR requirements are quite far reaching. If you are coming from a manufacturing background, CAPA is conceptually similar with Six Sigma’s DMAIC methodology (Define / Measure / Analyze / Improve / Control) with a few key differences.
Under Six Sigma or Lean, the ultimate goal is usually a desired improvement in capability, cost position, or operational effectiveness. Under 21 CFR Part 820 (QSR), the goal of CAPA is to ensure early identification, removal, and preemption of systematic process non-conformances potentially affecting safety and / or effectiveness of clinical therapy, monitoring, or diagnosis. In other words, Six Sigma drives operational profitability (immediate shareholder focus) while CAPA drives safety and clinical effectiveness (immediate regulatory focus) -- arguably still a path towards profitability, although not necessarily in and of itself.
Back to the question - to be compliant with the QSR, your CAPA system must have adequate procedural and operational coverage for the following five key elements:
1. Comprehensive “data feeders” covering your company’s entire set of “touch points” with the external environment (or their proxies): complaint logs, MDR investigations, service, manufacturing, industry publications, internal or external audits, previous CAPAs, engineering reviews, supplier audits, incoming inspection of parts and materials, customer call rates, Top X rates, etc. with specific triggers (or “normal limits”) defined for each feeder.
2. Feeder status reviews (monthly?) to identify deviating trends early. Data mining and cross-correlation analysis are useful tools that should be considered. Once a trend indicating a possible non-conformity is identified, what is the risk to safety and / or clinical effectiveness? Based on the identified trend and specific risk, should a CAPA be raised? Should a recall be initiated? Should a customer letter be triggered?
3. Formal CAPA planning process with the following activities:
a. CAPA definition, symptoms, risk assessment, impact assessment
b. Formal Root Cause Analysis. FMEA, FMECA, FTA, etc. are all useful tools to be considered.
c. Corrective Action to eliminate the non-conformance. Might be procedural, training, labeling, design-based, process change, etc. Might include verification and validation activities as appropriate.
d. Preventative Action to prevent this and similar non-conformities from occurring in the future.
e. CAPA Effectiveness study to evaluate the effectiveness of the removal of root cause and of the prevention of this and similar non-conformities from reoccurring.
4. CAPA management and aging review at the most senior level possible, to ensure visibility, resource availability, and prioritization for a risk-adjusted timely resolution of all active CAPAs
5. Formal CAPA documentation process to capture and document all CAPA-related activities executed, inclusive of management reviews
Each situation and each company is, of course, different. To address your specific situation, please visit ww.priusmedical.com for further details.
Under Six Sigma or Lean, the ultimate goal is usually a desired improvement in capability, cost position, or operational effectiveness. Under 21 CFR Part 820 (QSR), the goal of CAPA is to ensure early identification, removal, and preemption of systematic process non-conformances potentially affecting safety and / or effectiveness of clinical therapy, monitoring, or diagnosis. In other words, Six Sigma drives operational profitability (immediate shareholder focus) while CAPA drives safety and clinical effectiveness (immediate regulatory focus) -- arguably still a path towards profitability, although not necessarily in and of itself.
Back to the question - to be compliant with the QSR, your CAPA system must have adequate procedural and operational coverage for the following five key elements:
1. Comprehensive “data feeders” covering your company’s entire set of “touch points” with the external environment (or their proxies): complaint logs, MDR investigations, service, manufacturing, industry publications, internal or external audits, previous CAPAs, engineering reviews, supplier audits, incoming inspection of parts and materials, customer call rates, Top X rates, etc. with specific triggers (or “normal limits”) defined for each feeder.
2. Feeder status reviews (monthly?) to identify deviating trends early. Data mining and cross-correlation analysis are useful tools that should be considered. Once a trend indicating a possible non-conformity is identified, what is the risk to safety and / or clinical effectiveness? Based on the identified trend and specific risk, should a CAPA be raised? Should a recall be initiated? Should a customer letter be triggered?
3. Formal CAPA planning process with the following activities:
a. CAPA definition, symptoms, risk assessment, impact assessment
b. Formal Root Cause Analysis. FMEA, FMECA, FTA, etc. are all useful tools to be considered.
c. Corrective Action to eliminate the non-conformance. Might be procedural, training, labeling, design-based, process change, etc. Might include verification and validation activities as appropriate.
d. Preventative Action to prevent this and similar non-conformities from occurring in the future.
e. CAPA Effectiveness study to evaluate the effectiveness of the removal of root cause and of the prevention of this and similar non-conformities from reoccurring.
4. CAPA management and aging review at the most senior level possible, to ensure visibility, resource availability, and prioritization for a risk-adjusted timely resolution of all active CAPAs
5. Formal CAPA documentation process to capture and document all CAPA-related activities executed, inclusive of management reviews
Each situation and each company is, of course, different. To address your specific situation, please visit ww.priusmedical.com for further details.
Friday, May 6, 2011
My program is late – yet again. What to do?
There are always good reasons. The engineering estimate was overly optimistic. The requirements were not well defined. Your key piece of technology needs a little more “tweaking”. The contractor you hired works too slow and their output needs too much rework. And so on.
Your program manager seems to be an intelligent, personable, and articulate person. He is PMI PMBOK-certified and has great credentials. Yet the surprises keep coming -- this is the third 6-month delay he announced since the start of the program a year ago. Now there is talk from marketing to cut back on scope so you can launch something before the trade show this fall, even if it would be much less than the competition has on the market already.
If you were to believe the new estimates, then your program’s financial model would barely still make sense. And if the surprises were to continue, then your CFO would have a fit since you would either lose money if you would choose to go on, or you would take an immediate hit on the P/L if you were to cancel the program and reverse the capitalization of R&D expenses to date.
At this point, most executives would be tempted to make a “go / no go” decision based on their intuition. And it is possible that they would make the right decision. You could, however, take a more quantitative approach and decide based on facts and numbers, not just “gut feel”. For example, here is how our OnTrack (SM) program appraisal methodology works:
1. Determine the root cause(s) for the delays
a. How were the requirements captured? Was the technical approach selected before the requirements were captured?
b. How were the estimates determined? Top-down or bottom-up? By edict or by consensus? Were they benchmarked against other similar programs as a sanity check?
c. Do all the team members buy into the published estimates? Why or why not?
d. How were the risks captured? Was the impact and probability of each element of risk captured into the project plan?
e. How predictable is your product development process?
f. How capable are your engineers relative to the technical approach chosen? Your contractors?
2. Review and clarify your program’s scope. Tie it to the business value expected from commercialization (new sales or defending market share). Re-prioritize.
3. Review and refine your detailed requirements. Engage your system architects, integrators, and key suppliers. Fill in the gaps where needed.
4. Review your technical approach with your system architects and integrators.
5. Assess your extended team’s capability level – employees and contractors included. Use a defined, quantitative framework (like the SEI CMMI) as a basis for your assessment.
6. Re-examine your project risks. Do you have any key pieces of technology, uniquely skilled employees and contractors, key suppliers or regulators that can preempt or delay your program? If so, define and quantify (impact, branch, and probability).
7. Rework your schedule by taking possible resource bottlenecks into account. A good formal methodology to follow is the Critical Chain Project Management (CCPM) model based on the Theory of Constraints (ToC).
8. Determine your desired and alternate scenarios and the associated probability trees
9. Review your program’s WBS and task lists for completeness and alignment with the technical approach chosen. Break down tasks to a resolution of between 8 and 80 man-hours per task.
10. Re-evaluate your individual task estimates. Engage the people who will have to actually execute. Capture each estimate at 2 levels of probability (50% and 80% are the most common)
11. Apply the capability correction factors determined at step 5 to the estimates determined at step 10 and to the probability trees determined at step 8
12. Assemble a statistical predictive model including all the elements determined above. The output of this predictive model will be outcome probability curves for delivery dates and program cost.
Using these statistical predictive curves, you can now answer the following questions:
- What is the probability that my program will be finished by November 21st, 2011?
- With a 90% confidence level, what will this program cost us?
- With a 85% confidence level, on what date will this program be delivered?
These quantitative answers can now drive your financial model, and you and your team will have the visibility to determine whether continuing to invest in the program makes sense, or stopping the program at this point would bring more value to the firm.
Each program is different, and they all have their own sources of uncertainty. By using our OnTrack(SM) program appraisal methodology, we have saved mid-tier companies tens of millions of dollars in unnecessary spending. If you would like urgent assistance with your specific program, please visit www.priusmedical.com for details.
Monday, May 2, 2011
How to best respond to an FDA 483 letter?
Let’s face it, receiving a Form 483 letter (Notice of Inspectional Observations) from the FDA has never been much fun. And since the September 2009 change to the statutory response time (now 15 days) there isn’t that much time to react. What to do?
1. Don’t panic. I know, I know – these words usually have the opposite effect. Beyond the cliché, however, you will find that keeping a detached attitude and cool head, even if the response deadline is so short, will help you in the long run. The 483 letter wording will cite specific observations and then generalize non-compliance back to the high level provisions of the Code of Federal Regulations (21 CFR Part 820, Part 11, etc.) Even though this might imply that your firm is completely out of control in those areas, in reality it just puts the onus on you to argue to the FDA’s satisfaction that the letter’s implied inference was incorrect as the inconsistencies (if accurate) will be removed in a timely fashion. And that is the purpose of the response letter.
2. Immediately appoint a “Response Manager” (RM) and assemble a response team. Your response team should include representatives from all the functional areas cited (manufacturing, operations, engineering, etc.), quality / regulatory leadership staff, external consultants, etc.
3. Your RM should prepare a tracking spreadsheet with the following content:
a. The observation as worded in the 483 letter
b. Name of responsible individual
c. Due date for response draft
d. Summary of the internal investigation
e. Root cause (if applicable) related to each of the specific observation(s)
f. Plan to eliminate root cause (action items, people responsible, due dates)
g. Systemic issue (if applicable) related to the result of the internal investigation
h. Plan to implement systemic change to prevent similar non-conformances in the future
i. Plan to verify the effectiveness of the correction and of the systemic change
j. The response as worded in the response letter
4. Some 483 observations might be related to FDA recommendations and might not cite violations. You might want to consider improvement plans in those areas, or explain why not based on a documented risk assessment (or other viable considerations).
5. For observations which you believe were based on incomplete or inaccurate evidence, it is best to prevent such observations during the audit if at all possible (how to prevent inaccurate 483 observations during an audit is the topic for another discussion). Failing that, however (and if you still believe that the observation is inaccurate), you can try to argue your point in the response letter, but only if you can produce new factual evidence that supports your claim. You should include copies of the factual evidence as attachments to your response.
6. Your correction and improvement plans will be much more believable to the FDA if you retain the assistance of qualified external consultants to plan, manage, and / or execute the action items contained therein. After all, if your employees had the requisite knowledge and expertise already, why did your firm exhibit the non-conformance(s) in the first place?
7. Your RM should start assembling a Proof Book to show the FDA when they return, with the following entries:
a. A copy of the original 483 letter
b. A copy of your response and any subsequent correspondence with the FDA
c. Proof of remedial activity (plans, dates, status reports, protocols, decisions, training records, proof of task completion, internal audit reports, proof of effectiveness, etc.)
d. Traceability of findings to responses, plans, CAPAs, recalls, customer letters, etc.
8. Your quality system might require that a CAPA and / or a complaint be raised for each 483 observation, or just for the ones with a higher level of risk. Make sure to follow all your internal procedures as well.
9. Your action plans should be believable, achievable for your level of corporate resources, and timely. Have your Legal department (or your external legal counsel) review your response letter before you send it in. Your response letter is a legal document and you will be held to it when the FDA returns.
10. Send your response to arrive no later than 1 day before the deadline via a traceable delivery system with proof of delivery. USPS Express Mail overnight usually works best, FedEx overnight a close second.
Each regulated area is different, and not all consultants and consulting companies are equally qualified in all areas of compliance (even if you or someone you know did business with them in the past). If you would like urgent external assistance and you are not sure who to call, we can help you quickly locate the best consultant or consulting firm for your very specific situation. Please visit www.priusmedical.com for details.
Tuesday, April 26, 2011
Risk Based Compliance - A Panacea?
Risk-Based Compliance (RBC) seems to be the new buzzword in compliance circles these days. Touted by consultants to minimize compliance costs, improve compliance outcomes, and secure greater management support for compliance activities, RBC looks, feels, and sounds like a good idea.
Should we all jump on the bandwagon then? Let's see...
Most RBC strategies include the following (or similar) tactical steps:
1. Identify the risks of non-compliance: what can happen? when? where? how? why?
2. Determine the level of each risk: what is the short term and the long term impact, in real dollars (fees, penalties, recalls) as well as in soft costs (lost sales, lost opportunities, and loss of customer trust)
3. Prioritize risks based on the level of risk and on the estimated probability of risk realization. Decide on which risks to address.
4. Identify and select the best suited compliance measures to address the selected risks
5. Plan and implement the chosen compliance measures
6. Monitor, review, and report progress (status, costs), and compliance levels (internal audits, external audits, etc.)
While it is true that implementing a RBC strategy might improve the state of our firm's regulatory compliance in some cases, let's also consider the following thoughts:
“Our analysis leads us to believe that the risk of not validating a computerized system controlling a manufacturing line for a Class III medical device is low since the device is 100% tested at the end of the line.”
Yet due to an unforeseen side effect of a recent software upgrade, excessive torque gets applied to a mounting screw and the device casing cracks under stress exposing the patient to a potential air embolism. Customers complain and the subsequent FDA audit drill-down exposes the lack of validation as the root cause. A recall is initiated. A CAPA is launched. Total cost: $5 million.
“Since it has not been brought up in any regulatory audits in the past, why should we be concerned with adding a Human Factors analysis step in our design process? We believe the risk of non-compliance (for us) to be less than 1%.”
“We are a small firm; therefore we believe that the best way for us to keep track of customer complaints is to log them into an Excel spreadsheet that we all share on our internal corporate LAN”
Should we all jump on the bandwagon then? Let's see...
Most RBC strategies include the following (or similar) tactical steps:
1. Identify the risks of non-compliance: what can happen? when? where? how? why?
2. Determine the level of each risk: what is the short term and the long term impact, in real dollars (fees, penalties, recalls) as well as in soft costs (lost sales, lost opportunities, and loss of customer trust)
3. Prioritize risks based on the level of risk and on the estimated probability of risk realization. Decide on which risks to address.
4. Identify and select the best suited compliance measures to address the selected risks
5. Plan and implement the chosen compliance measures
6. Monitor, review, and report progress (status, costs), and compliance levels (internal audits, external audits, etc.)
While it is true that implementing a RBC strategy might improve the state of our firm's regulatory compliance in some cases, let's also consider the following thoughts:
1. RBC parameters are internally determined (perhaps with the help of consultants), while the “state of regulatory compliance” is externally determined (by regulatory agencies).
Yet due to an unforeseen side effect of a recent software upgrade, excessive torque gets applied to a mounting screw and the device casing cracks under stress exposing the patient to a potential air embolism. Customers complain and the subsequent FDA audit drill-down exposes the lack of validation as the root cause. A recall is initiated. A CAPA is launched. Total cost: $5 million.
2. RBC probabilities of occurrence for each risk are either determined intuitively, or based on past history.
“Since it has not been brought up in any regulatory audits in the past, why should we be concerned with adding a Human Factors analysis step in our design process? We believe the risk of non-compliance (for us) to be less than 1%.”
Yet due to an unforeseen side effect of a mold change for our infusion pumps, nurses have a tendency to confuse Start with Stop which can lead to non-delivery of medication and potential Adverse Events. A recall is initiated. A CAPA is launched. Total cost: $12 million.
3. The criteria used to decide which compliance measures are “best suited” are highly influenced by internal biases and constraints.
“We are a small firm; therefore we believe that the best way for us to keep track of customer complaints is to log them into an Excel spreadsheet that we all share on our internal corporate LAN”
Yet due to the inability of such a simplistic system to avoid multiple update conflicts, 2 complaints logged by one customer support representative are lost when the shared file is updated by another. A subsequent FDA audit finds that one of the complaints that was lost should have triggered an MDR, and the company is assessed a $430,000 fine for adverse event reporting violations.
While following an RBC strategy seems to help optimize the cost of regulatory compliance, we also have to realize that, just like with any model based on a set of implicit assumptions, there might be significant pitfalls [you might want to hopefully avoid] if, when, and where these assumptions might not hold true.
What do you think?
Thursday, April 21, 2011
Are SOPs always needed for 21 CFR Part 820 compliance?
A QA consultant I know made the case that SOPs are not always needed for QSR compliance. As an example, his client is a small Class II Medical Device contract sterilization services company which has executed the validation of the computerized system controlling its sterilization line with a validation plan, test protocols, and a validation report. There is no SOP in place to ensure the consistency of validation for similar systems; however, the company seems to have passed all its FDA audits in the past 6 years with no major or minor findings.
GAMP-5 specifies: “It is the responsibility of regulated companies to establish policies and procedures to meet applicable regulatory requirements”
§ 820.75 Process validation from 21 CFR Part 820 specifies: “(a) Where the results of a process cannot be fully verified by subsequent inspection and test, the process shall be validated with a high degree of assurance and approved according to established procedures”, and
§ 820.3 Definitions from 21 CFR Part 820 further clarifies: “(k) Establish means define, document (in writing or electronically), and implement.”
What do you think?
GAMP-5 specifies: “It is the responsibility of regulated companies to establish policies and procedures to meet applicable regulatory requirements”
§ 820.75 Process validation from 21 CFR Part 820 specifies: “(a) Where the results of a process cannot be fully verified by subsequent inspection and test, the process shall be validated with a high degree of assurance and approved according to established procedures”, and
§ 820.3 Definitions from 21 CFR Part 820 further clarifies: “(k) Establish means define, document (in writing or electronically), and implement.”
What do you think?
Optimized Regulatory Compliance - a Tautology?
At the end of the day, businesses are in business to make money. So where does regulatory compliance fit within your business model? Let's go ahead and examine the two main cost components of compliance:
- Cost of submissions. According to the law, you must obtain regulatory approval as a precondition to market your product. This is usually obtained in response to an active submission to the appropriate regulatory agency. Can't cut any corners here, the success of your submission will gate short term sales performance. Hire the best regulatory consultants you can afford.
- Quality system costs. To keep your product on the market, the law says that you must implement and maintain a quality system compliant with the regulations. This is an ongoing operational cost. Your "state of compliance" is sampled at the regulatory agency's periodic audit event, usually every 2-4 years (on average). Do we have an opportunity here?
The answer, in most cases, seems to be yes. The key word is how to "manage the enforcement risk" and this thinking is most prevalent in small firms, perhaps even with the tacit cooperation of regulatory agencies which seem to be a lot more lenient in their inspections when dealing with small entities.
So the microeconomic behavior in relation to Item 2 seems to go like this:
1. Implement a "de minimis" quality system. Hope for the best.
2. When audited, hire a smart regulatory consultant that can successfully argue with the auditor that your quality system's level of depth is commensurate with your product's level of risk
3. If and when cited in the regulatory agency's audit report, address the specific finding(s) and move on
Adopting this strategy would automatically "optimize" your regulatory compliance costs. Or would it?
Perhaps in the short term the answer could be yes. To be viable over the long term, however, you might want to consider the following additional elements:
a) Worst case scenario, what is the impact of non-compliance? Might range from massive documentation rework, consent decree, or total product recall.
b) Given the current trends in regulatory enforcement, what is the probability that your firm will be found non-compliant, even if you successfully passed all regulatory audits in the past?
c) Will your firm be acquired by a larger firm in the near future? If so, are you prepared to "raise the bar" on your quality system compliance just before or after the acquisition?
d) Do you have safety issues in the field (like patient injuries or deaths associated with your product) that might trigger unwarranted attention from the regulators?
e) Are you a supplier, OEM, or a contract service provider of a company that was involved in a recent safety recall, consent decree, or associated with adverse events related to patient injury or death?
The major hidden "hard" cost of long term non-compliance is the cost of rework. This includes the cost of reverse engineering device designs, revalidating products, fixtures, and manufacturing lines, and the cost of recalls.
The more important hidden costs, however, are the "soft" ones: losing out market share due to negative customer image, inability to respond to your competitors' newest feature offerings, and loss of revenue while your product is put "on hold" by the regulatory body until remediation is complete.
Each company, product, and market is different. To find out more, visit http://www.priusmedical.com/ and contact us for a personalized assessment.
- Cost of submissions. According to the law, you must obtain regulatory approval as a precondition to market your product. This is usually obtained in response to an active submission to the appropriate regulatory agency. Can't cut any corners here, the success of your submission will gate short term sales performance. Hire the best regulatory consultants you can afford.
- Quality system costs. To keep your product on the market, the law says that you must implement and maintain a quality system compliant with the regulations. This is an ongoing operational cost. Your "state of compliance" is sampled at the regulatory agency's periodic audit event, usually every 2-4 years (on average). Do we have an opportunity here?
The answer, in most cases, seems to be yes. The key word is how to "manage the enforcement risk" and this thinking is most prevalent in small firms, perhaps even with the tacit cooperation of regulatory agencies which seem to be a lot more lenient in their inspections when dealing with small entities.
So the microeconomic behavior in relation to Item 2 seems to go like this:
1. Implement a "de minimis" quality system. Hope for the best.
2. When audited, hire a smart regulatory consultant that can successfully argue with the auditor that your quality system's level of depth is commensurate with your product's level of risk
3. If and when cited in the regulatory agency's audit report, address the specific finding(s) and move on
Adopting this strategy would automatically "optimize" your regulatory compliance costs. Or would it?
Perhaps in the short term the answer could be yes. To be viable over the long term, however, you might want to consider the following additional elements:
a) Worst case scenario, what is the impact of non-compliance? Might range from massive documentation rework, consent decree, or total product recall.
b) Given the current trends in regulatory enforcement, what is the probability that your firm will be found non-compliant, even if you successfully passed all regulatory audits in the past?
c) Will your firm be acquired by a larger firm in the near future? If so, are you prepared to "raise the bar" on your quality system compliance just before or after the acquisition?
d) Do you have safety issues in the field (like patient injuries or deaths associated with your product) that might trigger unwarranted attention from the regulators?
e) Are you a supplier, OEM, or a contract service provider of a company that was involved in a recent safety recall, consent decree, or associated with adverse events related to patient injury or death?
The major hidden "hard" cost of long term non-compliance is the cost of rework. This includes the cost of reverse engineering device designs, revalidating products, fixtures, and manufacturing lines, and the cost of recalls.
The more important hidden costs, however, are the "soft" ones: losing out market share due to negative customer image, inability to respond to your competitors' newest feature offerings, and loss of revenue while your product is put "on hold" by the regulatory body until remediation is complete.
Each company, product, and market is different. To find out more, visit http://www.priusmedical.com/ and contact us for a personalized assessment.
Subscribe to:
Posts (Atom)