If you’re a medical device company selling or planning to sell into the US market, you should be familiar with FDA's 21 CFR Part 820 Quality System Regulation (QSR).
Manufacturers are expected to follow the quality system regulation requirements by FDA that govern the design, manufacture, packaging, labeling, storage, installation, and servicing of medical devices intended for human use. The requirements in 21 CFR Part 820 are meant to ensure the safety and efficacy of medical devices sold in the US marketplace.
FDA conducts regular inspections of medical device manufacturers to ensure compliance with these regulations. The inspection process, known as the Quality System Inspection Technique (QSIT), evaluates a company’s internal quality processes to determine whether they are in alignment with or in violation of these regulatory requirements. If any violations are discovered, the inspecting agent from FDA will issue penalties in the form of 483 Inspectional Observations and Warning Letters.
What we've found is that there are some common offenses taking place amongst device makers that result in costly mistakes and contribute to these violations. We've compiled a list of the eight most common processes of 21 CFR Part 820 where mistakes are had, and how you can avoid these pitfalls at your own company.
Here are the most common mistakes companies run into with FDA 21 CFR Part 820:
- CAPA Procedures and 21 CFR Part 820.100(a)
- Complaint Handling and CFR Part 820.198(a)
- Nonconforming Product and CFR Part 820.90(a)
- Purchasing Controls and CFR Part 820.50
- Process Validation and CFR Part 820.75
- Quality Audit and CFR Part 820.22
- Device History Records and CFR Part 820.184
- Design Validation and CFR Part 820.30(g)
Let’s go through these issues one by one and our best practices for managing them when they do arise, starting with the most common problem: CAPA procedures.
#1. CAPA Procedures and 21 CFR Part 820.100(a)
Companies have long struggled, and continue to struggle, with corrective and preventive action (CAPA) procedures, which is the leading cause of warning letters and observation letters from the FDA. This risk-based process requires a lot of oversight, and Part 820 outlines a number of protocols to follow.
If we look at Part 820.100(a) of the regulation, FDA states that,
Each manufacturer shall establish and maintain procedures for implementing corrective and preventive action.
There are seven subparts of requirements that follow, which must be included within all CAPA procedures, in addition to the subsequent requirement found in 820.100(b) of documenting all CAPA activities and their results. Needless to say, this is one of the trickier requirements from the QSR, which might explain how it landed number one on this list.
It’s important to remember that CAPAs are often seen as a determining factor of the overall health of a quality system. If CAPA procedures are not being followed according to the QSR, then an inspector will be quick to suspect other areas that could be also be suffering from similar poor quality practices.
Some specific areas most notable for CAPA bad practices to take place include:
- Document controls (or lack of documentation) not being followed by recording all CAPA activities and their results
- Not following company SOPs established for CAPAs (or being able to provide evidence that procedures were followed)
- Poor root cause determination
- Underuse and/or overuse of CAPAs
#2. Complaint Handling and CFR Part 820.198(a)
Complaint handling is the second most common area that breeds mistakes for device makers when implementing 21 CFR Part 820. All complaints must be documented, evaluated and investigated in a timely manner. According to Part 820.198(a) of the QSR,
Each manufacturer shall maintain complaint files. Each manufacturer shall establish and maintain procedures for receiving, reviewing, and evaluating complaints by a formally designated unit.
As an industry, we have some work to do with improving the way in which we manage complaints. This is an area of our industry that receives most of the negative attention in the press.
There have been documentaries, patient advocacy groups and websites dedicated to highlighting the improper handling of complaints related to medical devices, particularly raising the concern that not enough is being done to resolve the issues.
Would these news stories even make headlines if complaints were collectively being well-managed in the first place? Probably not.
I read an article in an industry publication recently about an adverse event that took place. When the company learned of their first adverse event, they took no course of action. Fast forward a few months later, they received a second adverse event report, similar in nature to the first.
These two reports prompted an internal investigation, but the company waited another nine months before finally reporting it to FDA--an egregious deviation from what is required.
An adverse event is one of the most serious things a medical device company can deal with, and it needs to be given swift attention. 21 CFR Part 820 mandates that adverse events must be reported to FDA within 30 days, unless it’s found to be a systemic issue with risk of serious harm to the patient population, in which case the reporting requirement is within five days of discovery.
#3. Nonconforming Product and CFR Part 820.90(a)
Control of nonconforming product is the third most common area that causes mistakes by device makers. 21 CFR Part 820 outlines the expectations for manufacturers' nonconforming products in Part 820.90(a):
Each manufacturer shall establish and maintain procedures to control product that does not conform to specified requirements. The procedures shall address the identification, documentation, evaluation, segregation, and disposition of nonconforming product. The evaluation of nonconformance shall include a determination of the need for an investigation and notification of the persons or organizations responsible for the nonconformance. The evaluation and any investigation shall be documented.
Every medical device must be accompanied by a device master record (DMR), which I refer to as the “recipe” for your medical device. It defines all of the dimensions, specifications, materials, and manufacturing instructions. When a manufactured product fails to meet the DMR specifications, it should be captured as a nonconformance.
Anecdotally, I know some companies that have tried to make adjustments to correct a nonconformance, but neglected proper documentation of those corrective activities. By not documenting these critical details, it makes it all the more difficult to determine whether systemic issues exist, thus preventing companies from finding the real root cause.
The best practice here is to implement document controls as early as possible in your device development process. Many companies only begin this process at the design controls stage, but doing it earlier can establish good document control habits that feed into your later work. This comes down to adopting a strong quality culture, and we’ve written more extensively about that topic here.
#4. Purchasing Controls and CFR Part 820.50
Purchasing is a broad area, generally speaking, that also includes the fourth most common area ripe for mistakes in 21 CFR Part 820: supplier management. The requirement found in Part 820.50 states that,
Each manufacturer shall establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements.
Supplier management is an area that could use some increased due diligence from medical device companies. It is common practice for companies to purchase materials or even outsource the entire manufacturing process itself from third-party suppliers.
Consultants and third-party contractors can be valuable resources. However, for both 21 CFR Part 820 compliance and quality management in general, you need to take ownership of third-party activity in your organization.
When bringing a new, independent party into your operation, it is beyond critical that you are selective in your criteria to qualify those suppliers and monitor them for compliance. The bottom line is that you, as the manufacturer of records, are responsible - you can’t “outsource” compliance to a third party.
We recommend using a supplier survey in these cases, a useful tool that many companies use during the qualification process. This form can give you valuable information about the supplier, whether they’re certified, and the level of emphasis they put into their quality systems.
Taking the time to carefully evaluate each third party will allow you to implement 21 CFR Part 820 without running into unforseen quality issues.
#5. Process Validation and CFR Part 820.75
Process validation encompasses any of the processes used within a medical device company, from manufacturing to the types of software that you use.
The requirements relating to this process can be found in Part 820.75 of FDA's QSR, and are broken out into two parts. Subsection (a) of Part 820.75 states,
Where the results of a process cannot be fully verified by subsequent inspection and test, the process shall be validated with a high degree of assurance and approved according to established procedures. The validation activities and results, including the date and signature of the individual(s) approving the validation and where appropriate the major equipment validated, shall be documented.
Part (b) of 820.75 requires that,
Each manufacturer shall establish and maintain procedures for monitoring and control of process parameters for validated processes to ensure that the specified requirements continue to be met.
The idea is that you need to be able to prove that your processes are replicable, to give you the same expected quality every time. Process validation is the fifth most common mistake when implementing 21 CFR Part 820. This could indicate that companies aren’t putting the required time into validating their processes. It could also they are simply unsure of how to interpret the regulation.
Greenlight Guru comes with pre-validated components vital to device development, including templates and workflows that have passed countless audits in the MedTech business. Our product is the only medical device quality management system (MDQMS) on the market.
This solution includes industry-specific features like auditing tools, CAPA management options, and SOP templates. To learn more about how Greenlight Guru can help companies get to market, take a look at our case studies archive or view a demo.
#6. Quality Audit and CFR Part 820.22
The quality audit regulation can be found within Part 820.22 of the quality system regulation guidelines.
Each manufacturer shall establish procedures for quality audits and conduct such audits to assure that the quality system is in compliance with the established quality system requirements and to determine the effectiveness of the quality system.
21 CFR Part 820 states that companies are expected to conduct internal quality audits and this is where many get caught up, landing this process at the number six spot on our list. You need to establish a schedule and stick to it. Audits are a way of assessing your resources, policies and procedures. They provide a means for continuous improvement within your company.
Yet many companies still treat quality audits as checkbox activities - they go through the motions, but they don’t get value out of them. This is where many tend to struggle - it’s a reactive approach rather than a proactive approach.
There is not a one size fits all approach to conducting internal audits. Every company is unique, and so too are their internal processes. The schedule you decide to put in place should reflect the criticality of the process being audited, of which should then be documented in your SOPs.
Some processes may require audits at least once a year, others may receive less weight and be justified to only be audited every other year. Right-sizing your QMS to manage the level of quality auditing needed for your company will allow you to implement this part of 21 CFR Part 820 in an efficient, scalable manner.
#7. Device History Records and CFR Part 820.184
Each manufacturer shall maintain device history records (DHR's). Each manufacturer shall establish and maintain procedures to ensure that DHR's for each batch, lot, or unit are maintained to demonstrate that the device is manufactured in accordance with the DMR and the requirements of this part.
Where the device master record (DMR) is the recipe for your device, the device history record (DHR) is the proof that you followed that recipe. In short, companies are required to have documented proof of the manufacturing efforts for their device.
There should always be an up to date and easily accessible record for all versions of your device in the DHR. From a regulatory perspective, remember that the term “manufacturer” still applies to you if you’re a medical software company.
One area I think we could lend a better focus to is requiring “proof” from our contract manufacturers. With the device ultimately falling under your company name, it’s your responsibility to request and obtain this information.
You must practice due diligence to ensure the manufacturer is updating the DHR when necessary and you’re conducting regular reviews it.
#8. Design Validation and CFR Part 820.30(g)
The main challenge companies struggle with is properly documenting their design validation activities. For this reason, it made our list as a process where companies commonly make mistakes.
You’ll find design validation under the design controls regulations in Part 820.30(g):
Each manufacturer shall establish and maintain procedures for validating the device design.
Remember, validation is evidence that the product meets the needs of the end user. This means showing the right sort of objective evidence as proof that that in fact is the case. A question you can always ask yourself during the design validation phase is, “Did I design the right device?” Your response is determined by whether you have effectively demonstrated that your medical device meets your user needs.
It also means having appropriate risk management controls in place, which is another area where companies often need improvement. You can find our previously published list of the five most common mistakes made with ISO 14971, if you want to learn more.
Greenlight Guru was specifically designed to comply with CFR Part 820. Our software solution is aligned with ISO 14971 to facilitate medical device risk management. It has built-in audit workflows, CAPA management features, and traceability matrix templates. You can view a demo of our solution here.
Expected changes to 21 cfr part 820
In 2018, FDA announced plans to blend its quality system regulation 21 CFR Part 820 with ISO 13485:2016, an international standard for medical device quality systems. The agency explained its rationale by pointing out that many other countries follow ISO 13485:2016, adding that “one globally harmonized system will allow for opportunities to work closer with foreign regulatory authorities and facilitate regulatory convergence on QMS.”
FDA also pointed out that future changes to Part 820 will make the regulation “more robust,” and more aligned to ISO 14971 risk management best practices. 21 CFR Part 820 will, as such, incorporate the ISO guidelines and become more modernized at the same time.
The changes were expected to take place at the end of this year, but may take up to five years to fully implement, with the FDA citing a number of issues and affected areas that must first be addressed.
These areas include training and transitioning companies from 21 CFR Part 820 to the new standard, as well as introducing a new inspection model aimed at streamlining the process for FDA inspectors.
Kim Trautman, author of the FDA’s QSR, stated that the guidelines on CAPA were one of the main pain points to be addressed with the regulatory changes. Trautman added that “820.100 could be best brought up to date with current quality-process thinking, by more closely aligning it with 13485.”
Other likely areas of focus for the changes to 21 CFR Part 820 include the sections on design controls, quality planning, and purchasing controls. The main takeaway here is that the FDA’s changes aim to make compliance with 21 CFR Part 820 easier, not harder.
Part 820 already closely aligns with the ISO 13485 standard, which should make the transition process fairly straightforward. While there are likely a few more years before the regulation is updated, the transition process is something worth keeping an eye on to prepare for future changes.
The eight processes listed in this article account for the most common mistakes medical device companies are making when implementing FDA’s 21 CFR Part 820. Addressing the first half of these items alone will help companies to take a more proactive approach to building safe, effective medical devices.
Each and every one of the processes named play an integral role in the product lifecycle, and we must take it upon ourselves to improve these areas that need improvement.
That’s what it really comes down to. It’s not about having a punitive or burdensome regulatory environment, it’s about the fact that we make products for real people to use. As a whole, the medical device industry can do better.
You have many tools and resources at your service to help you manage these key processes. With a robust quality management system, such as Greenlight Guru’s medical device QMS software, you have full visibility into every quality process you implement from FDA 21 CFR Part 820.
The purpose-built software allows manufacturers to easily keep records up-to-date and traceable throughout the entire product lifecycle, reducing risk and enabling the production true quality medical devices.
Looking for a design control solution to help you bring safer medical devices to market faster with less risk? Click here to take a quick tour of Greenlight Guru's Medical Device QMS software →