J. Glenn George
A medical device firm posted signs at strategic locations throughout its manufacturing area that stated, “Follow the SOPs and tell other departments about problems; the pacemaker you're working on may be the one you get.”
On the surface, such an action appears to indicate that this firm is committed to regulatory compliance and to quality. Many medical device companies post such messages routinely. Yet in a survey conducted by Compliance-Alliance in July 2006, 21% of the responding medical device firms said they would characterize their firm's quality, regulatory, and compliance function as mediocre. Another 3% characterized it as weak. The survey was sent to 258 quality and regulatory professionals at medical device companies.
The fact that nearly a quarter of the officials participating in the survey described their compliance function as mediocre or weak is troubling, especially considering that these companies make products intended to save lives, diagnose and treat diseases, and improve the quality of life for people worldwide.
Although all 258 professionals responded to the survey, this article uses the responses of the 197 professionals who characterized their quality and regulatory compliance functions as strong or superior.
These respondents worked for firms that varied in both size and in the types of medical devices designed or manufactured. Respondents represent firms that manufacture Class I, Class II, and Class III devices. With the exception of the number of personnel employed in specific functions, there were no significant differences among the answers based on the size of the firm. Table I shows the mean number of personnel employed for various-sized organizations.
Firms in the medical device industry range from small entrepreneurial companies with a single facility to large multinational corporations with many sites employing thousands of people.
Table I. (click to enlarge) Mean number of full-time equivalent personnel employed by various functions at the 197 respondents' medical device companies.
Regardless of the size of the firm, top management creates the mission, quality policy, and quality objectives. From there, management designs the quality system architecture by assigning groups of people (usually in departments, divisions, or business units) to carry out specific activities in support of the firm's strategic quality and compliance objectives.
Who Is Responsible for Which Activities?
Many activities are involved in the design and manufacture of medical devices. There is no single recipe as to how firms should structure their organization. In fact, the responses to the survey varied widely regarding the question of “Who is the responsible party for each function?” The common responses indicated the following:
- Quality generally has responsibility for corrective and preventive action (CAPA) management; document control; equipment calibration; external audits; final inspection; incoming inspection of raw material; in-process inspection; internal quality audits; management representative, product, and GMP audits; product complaint management; product releases; process validation; risk management; sterilization; supplier program management; and supplier qualification.
- Regulatory generally has responsibility for adverse-event reporting, annual product releases, facility registration and licenses, production registration and certification, product regulatory submissions, and recalls.
- Compliance and other groups generally have responsibility for a business code of conduct, environmental program management, health and safety program management, preventive maintenance, and training.
Using the feedback from the respondents who described their firm's quality and regulatory functions positively, this article provides some recommendations. These suggestions can help management at medical device companies establish an effective organizational structure that can achieve its quality, regulatory, and compliance objectives.
Create a Transparent System
A lack of uniformity in the responses and the fact that many respondents chose more than one discipline highlights the challenge that organizations face in defining roles, responsibilities, authorities, reporting relationships, and accountability for quality and regulatory compliance. Each firm has its own culture, organization, and performance needs that require cross-functional interactions to manage a compliant quality system.
In the past, the accepted practice was for companies to make quality and regulatory compliance the primary responsibility of a specific department or function. However, it has become increasingly clear that firms need to be structured such that management is fully engaged in a transparent and systems-based approach to compliance.
Management with executive responsibility needs to legitimize the regulatory affairs (RA), quality assurance (QA), and compliance functions. This means providing the infrastructure, resources, and systems necessary to operate successfully. In addition, management must view, use, and support these functions as strategic partners in the company's success.
The real goal is not just compliance. Rather, it is establishing solid practices and providing adequate resources that drive the business toward success. Compliance is icing on the cake.
Identify the Requirements
Compliance is more than just satisfying elements of a regulation or a standard. Top management needs to identify all of the governing requirements that apply to a functioning quality system, including links that exist between regulations and standards, especially the following:
- 21 CFR 803, medical device reporting.
- 21 CFR 806, reports of corrections and removals.
- 21 CFR 801, labeling.
- 21 CFR 820, quality system regulation.
- ISO 13485, “Medical Devices—Quality Management Systems—System Requirements for Regulatory Purposes.”
- ISO 14971, “Medical Devices—Application of Risk Management to Medical Devices.”
Management should also identify those members of the firm's management team that would be considered as having the duty and power to act as responsible individuals to take the following three actions:
- Detect a failure to meet a specified requirement.
- Correct a failure to meet a specified requirement.
- Prevent a failure to meet a specified requirement.
If top management of an organization does not establish (define, document, and effectively implement) adequate metrics, it will be unable to determine the true state of compliance or be able to improve the quality system.
Hold Individuals Accountable
Compensation must take compliance into consideration. The compensation of a president or vice president of a business unit or division should not be based solely on the volume of product being sold. The head of the business unit must be accountable for the consequences associated with failing to meet requirements that result in the correction or removal of a product from market. If management does not hold these individuals accountable, they have no incentive to improve the firm's bottom-line performance by allocating funds to achieve quality and regulatory compliance.
To show respect for quality and regulatory compliance, individuals in these functions should be recognized and rewarded at the same level as those responsible for achieving productivity and financial success. Quality and regulatory functions must be applied strategically and tactically as a value-added means of achieving the business, compliance, and quality objectives of the overall organization.
Make Compliance and Quality Everyone's Responsibility
In the survey, most respondents indicated that CAPA management was a quality responsibility. However, a review of recent FDA warning letters suggests that inspectional observations relating to CAPA occur in many cases because the users of CAPA aren't fulfilling their responsibilities for compliance, including with the firm's own policies. Frequently, companies suffer from a failure of top management to discover noncompliant practices, to allocate the appropriate resources, and to initiate systemic actions that result in sustainable solutions. Some observations include the following:
- Failure to establish and maintain procedures for implementing a CAPA system, as required by 21 CFR 820.100(a).
- Failure to adequately investigate the cause of nonconformities relating to product, processes, and the quality system, as required by 21 CFR 820.100(a)(2).
- Failure to identify the actions needed to correct and prevent recurrence of nonconforming product and other quality problems, as required by 21 CFR 820.100(a)(3).
- Failure to verify or validate CAPAs to ensure that action taken is effective and does not adversely affect the finished device, as required by 21 CFR 820.100(a)(4).
CAPA Systems. CAPA systems are affected by many provisions of 21 CFR 820. When looking at CAPA-related inspectional observations, firms need to look past the specific element being cited (in this case 21 CFR 820.100) to examine management's responsibility to ensure that the firm has established and maintains a suitable and effective quality system, as required by 21 CFR 820.5.
Table II. (click to enlarge) An effective CAPA system might include these provisions of 21 CFR 820.
Other requirements that could contribute to the underlying root cause of a failure to implement an effective CAPA system might include, for example, some or all of the provisions of 21 CFR 820 listed in Table II.
Translate Requirements into Practices
Quality is usually the function that tracks, trends, and administers the CAPA system; however, executive management must use this information to determine how to manage the system and maintain good practices. A CAPA system needs to detect, correct, and prevent quality system problems in a timely manner. The CAPA system must also go beyond the more traditional approach of correcting nonconforming product that result from production- and acceptance-related activities. The system should receive cross-functional inputs from all parts of the organization.
Good CAPA management practices should include conducting root-cause analyses to ensure that the system-level issues are addressed as well as an immediate nonconformity. For example, if a firm finds that many documents have errors or are incomplete, it should correct those specific documents. However, if the root cause, which may be a training issue or lack of management oversight, is not identified and addressed, future documents will have similar problems.
The bottom line is that firms don't always know what they don't know. In fact, a firm might have a false sense of security regarding the quality of its products and its state of regulatory compliance. All too often, the focus is on performing immediate tasks, and it is not always recognized that a process is not being managed. This can result in issues affecting quality and regulatory compliance.
Management must be willing to take a long, hard, and sometimes painful look at the state of the quality system. Management must also be prepared to accept the sometimes-brutal truth that serious issues exist and that substantial improvements are necessary.
Identify the Responsible Parties
One of the most important aspects of establishing and maintaining a quality system involves the process of quality planning, which includes defining the firm's quality practices, resources, and activities. That process, in turn, includes specifying the following:
- Who is strategically and tactically responsible for implementing the cross-functional management of the quality system or process?
- Who is responsible for ensuring that supporting tasks and activities are resourced and completed?
- Who is responsible for detecting, correcting, and preventing quality- and compliance-related events, issues, or problems?
- Who is responsible for tracking, trending, and reporting quality system effectiveness metrics?
- Who represents management with executive responsibility? This person is accountable for providing the organizational freedom and the resources to ensure that a system or process has been established, that it is suitable and effective, and that it is being managed, sustained, and improved over time.
- Who are the stakeholders that play a role in the cross-functional interactions that include performing specific tasks or activities and contributing to fact-based decisions?
- Who needs to be consulted or otherwise participate in two-way communications prior to actions being taken or final decisions being made that affect quality and regulatory compliance?
- Who needs to be kept informed when or after decisions are made that have quality, regulatory, or compliance implications?
When these questions are answered, top management can work with the responsible individuals to institute controls to improve the performance of systems and processes, including quality and regulatory compliance.
FDA and Responsible Parties. During an inspection, FDA investigators seek to identify those individuals within the firm who have responsibility and authority. Therefore, during the training and qualification of personnel, firms should know and understand FDA's Inspection Operations Manual, which states that the “identification of those responsible for violations is a critical part of any establishment inspection, and as important as determining and documenting the violations themselves. Responsibility must be determined to identify those persons to hold accountable for violations, and with whom the agency must deal to seek lasting corrections.”
FDA procedures instruct investigators to obtain objective evidence that provides answers to the following questions regarding violations:
- Who knew of the conditions?
- Who should have known of the conditions because of their specific or overall duties and positions?
- Who had the duty and power to prevent or detect the conditions, or to see that they were prevented or detected?
- Who had the duty and power to correct the conditions or to see they were corrected? What was done after such persons learned of the conditions? On whose authority and instructions? (Be specific.)
- What orders were issued (when, by whom, to whom, and on whose authority and instructions)?
- What follow-up was done to see whether orders were carried out (when, by whom, and on whose authority and instructions)?
- Who decided that corrections were or were not complete and satisfactory?
- What funding, new equipment, or new procedures were requested, authorized, or denied in relation to the conditions; who made the requests, authorizations, or denials?
Create Meaningful Job Titles
Firms create job descriptions and organizational charts so that workers know who reports to whom. Job titles often reflect the power and status that various employees have within an organization. The responses to the survey indicate that there is a wide variation as to the title of the top official for the quality, regulatory, and compliance functions. The most common titles were vice president or senior vice president.
Although a senior title can help an individual pursue a particular agenda, in reality a title is simply a label. The real question is whether the position commands respect throughout the firm, as well as commitment and support at the highest levels of management. This requires not only understanding the value of quality and regulatory compliance, but also the consequences associated with failure to comply.
There is, however, validity to ensuring that the heads of the quality, regulatory, and compliance functions have the same title as the other top executives. An equal title helps to establish the credibility of these functions. It also demonstrates that quality, regulatory, and compliance personnel are peers rather than subordinates to those with line functions within the organization.
Keep Top-Level Management Well Informed
Most of the respondents said that their quality, regulatory, and compliance officials report directly to the president of the firm. Generally, presidents of medical device firms do not have a background or experience in quality and regulatory compliance. They tend to come from fields such as finance or marketing, and occasionally engineering. Some are physicians. In most firms, these individuals lack the practical experience that a quality, regulatory, and compliance professional has in the interpretation and application of codes, regulations, and standards.
Therefore, senior officials in these functions should play an important role as advisers to members of executive and senior-level management. To optimize their effectiveness, these officials should report directly to the CEO or president and should be on the same level as other executive and senior staff members.
A majority of firms (60%) responded that their senior quality, regulatory, and compliance functions periodically deliver presentations to the board of directors. A firm wanting to maintain quality and regulatory compliance needs to ensure that meaningful and relevant information is being communicated among all levels of management. This communication should be both horizontal and vertical and should include various stakeholders and other interested parties such as the board of directors.
Empower Those Responsible
A majority (90%) of the responses to the survey highlighted the need for the top quality and regulatory personnel to be able to stop production and even order a product recall. Top quality and regulatory personnel need the power to act on internal and external events that exhibit a failure to meet specified requirements.
Use Risk Management
The majority of respondents indicated that their firms are using risk management principles throughout their quality system. Specifically, they reported the following:
- 96% use risk management in the design control system.
- 78% use it in their CAPA system.
- 68% use it in their complaint management system.
- 56% use it in their process control procedures.
- 55% use it in their management review procedures.
Unfortunately, too many firms consider that by using the basic tools of hazard analysis and risk analysis, they have already integrated the principles of risk management into their organizations. However, the systematic process of managing risk requires the performance of a series of activities that include assessment, control, communication, and review of risk throughout the life cycle of a product, as well as its supporting systems and processes. Good risk management practices need to be an integral part of management controls that result in decisions that are based on scientific knowledge.
Risk management goes beyond hazard analysis, fault trees, and failure modes and effects analysis. It can and should be integrated into all aspects of quality and regulatory compliance. Examples include the following:
- Identifying, evaluating, and communicating the effect of a failure to meet specified requirements associated with products, processes, and systems.
- Selecting, interpreting, and trending data related to product, process, and system performance.
- Evaluating the effect on the quality system as a result of changes involving facilities, equipment, utilities, etc.
- Assessing the legal and regulatory significance of field actions, corrections and removals, and quality audits or inspectional findings.
- Designing the process flow associated with materials and personnel within a building or facility so that contamination is minimized.
- Evaluating and qualifying suppliers as an integral part of purchasing controls.
Risk management must be used to make fact-based decisions, taking into consideration quality, safety, regulatory, and business risks. Stakeholders at all levels of the organization need to know and understand that decisions are not only based on the degree of probability and acceptability of the risk; they also must be aware of the consequences of a process that goes wrong.
Many firms fail to realize that quality and regulatory compliance is more than the job of a single individual or department. For a quality system to be effective, top management needs to establish a systems-based approach in which management at all levels is accountable for achieving business, quality, and compliance success. The system must include clearly defined roles, responsibilities, authorities, and reporting relationships.
The example in which the medical device firm posted signs throughout the manufacturing area clearly delivered a message. The message was that the firm valued quality and regulatory compliance, and the sign further encouraged everyone in the organization to be part of the process.
Management responsibility can be summarized by the following basics:
- Being knowledgeable about applicable regulations and requirements.
- Taking responsibility for compliance and holding the entire organization accountable.
- Establishing and monitoring effectiveness metrics.
- Prioritizing projects and issues based upon risk.
- Allocating or reallocating resources.
Achieving business, compliance, and quality success requires more than posting a sign or developing a procedure. It involves the firm's management not only stating its commitment, but also demonstrating it by becoming fully engaged in a process of translating requirements. That includes translating the firm's own policies into practices.
J. Glenn George is founder and president of QRC Associates LLC (Bedminster, NJ). Kenneth Immler is senior vice president of regulatory affairs and quality assurance for Arrow International Inc. (Reading, PA). Nancy Singer is president of Compliance-Alliance LLC (Arlington, VA) and can be contacted at [email protected].