QSR Author Kim Trautman Predicts What A Mash-Up Of FDA's Quality System Regulation And ISO 13485 Might Look Like
Executive Summary
US FDA will face high hurdles as it works to write a new rule that would merge the agency's Quality System Regulation with international quality systems standard ISO 13485. That's according to Kim Trautman, a longtime industry insider who wrote the QSR in the early to mid-1990s. "It’s a clear heavy lift from a regulatory policy perspective" that could take as long as five years to complete, she says. In the meantime, Trautman offers some insight into what device-makers might see in a new hybrid quality systems regulation from FDA. She addresses everything from corrective and preventive action (CAPA) to labeling, and complaint handling to risk management – and more.
The author of US FDA's Quality System Regulation says the agency's plan to devise a new rule by merging the QSR with ISO 13485 will be an arduous – yet necessary – task that could take until the mid-2020s to complete.
"It's a heavy lift, OK?" Kim Trautman told Medtech Insight in a July 31 interview. "It’s a clear heavy lift from a regulatory policy perspective to get it through all the different layers of review, and the comment periods, and the comments."
And that's just the tip of the regulatory iceberg. She said FDA will have to perform economic impact analyses, update guidance documents, make changes to its compliance and enforcement programs, and reinstate the vacant GMP Advisory Committee – the agency body that reviews regulations – just to name a few very high hurdles.
"It would be a good project plan to realistically say that it would take three to five years" to retool the QSR, Trautman said.
She would know. It took Trautman five years to write the QSR when she was FDA's quality systems guru. The rule, along with its preamble – the agency’s elaboration on the regulation – was published in 1996. After eventually moving into more senior roles at FDA, she left the agency in 2016, joining consulting firm NSF International as its executive VP of medical device international services.
CAPA is seen by some as the poster child for why the Quality System Regulation needs a facelift.
The redo of the QSR was announced by FDA Commissioner Scott Gottlieb in an early May blog post, and the agency has added the rule's revision to its official regulatory agenda. In the agenda, FDA explains that the QSR will be combined with quality systems standard ISO 13485 from the International Organization for Standardization. (Also see "US FDA Commissioner: Agency Will Propose New Rule That Blends Quality System Regulation, ISO 13485" - Medtech Insight, 9 May, 2018.)
"The revisions are intended to reduce compliance and recordkeeping burdens on device manufacturers by harmonizing domestic and international requirements," the agency wrote. "The revisions will also modernize the regulation."
Device-makers use ISO 13485 to ensure quality systems compliance with regulators in a variety of countries, including Canada, Japan, Australia and the 28 member states of the European Union.
In addition to drafting the QSR, Trautman also sits on ISO Technical Committee 210, Working Group 1 (WG1), which oversees ISO 13485, including its recent 2016 revision. (Also see "It's A Green Light For ISO 13485: Revised Global Quality Systems Standard Finally Published" - Medtech Insight, 26 Feb, 2016.)
Mapping The QSR & ISO 13485
To help FDA along its journey toward regulation revision, a key working group, ISO TC 210, WG1, is crafting a tool that compares and contrasts the Quality System Regulation and ISO 13485.
"That will be just one input into the agency as it considers how best to change the QSR," NSF's Trautman, who sits on the working group, said, noting that the chart will be similar to two free tools her consulting firm recently released online, found at https://bit.ly/2nF0vSh and https://bit.ly/2vThOnt.
ISO 13485 is copyrighted; therefore, NSF was unable to use language from the standard in its online tools. But copyright laws won't be an issue for TC 210, WG1, as it makes its own chart.
Looking Ahead: A Blended QSR/ISO 13485
While it could take years to publish a final quality systems rule, it's never too early to begin speculating on what a blended QSR/ISO 13485 might look like. Below, Trautman makes some predictions.
Corrective and preventive action. Found under QSR Sec. 820.100, CAPA is seen by some as the poster child for why the Quality System Regulation needs a facelift.
"CAPA is one area that would definitely benefit, in my opinion, from a revamp," Trautman said.
That's because device-makers consistently flub up CAPA activities – in fact, it's one of the most oft-cited observations found on agency warning letters sent to manufacturers. Trautman conceded that one of the reasons why firms fall down in this area is because of how the QSR is worded.
"Criticizing my own work, effectively, I would have to say yes," that Sec. 820.100 has played a role in CAPA confusion in industry, she said.
"The way I wrote 820.100, it starts off with the need for CAPA procedures. Then it goes right into 820.100(a)(1), which is the analysis of data sources, and then it goes right into investigating the cause [820.100(a)(2)] – all of which gives the impression that every single thing that comes out of those analyses must be escalated to the same degree," Trautman said.
Companies that do that can clog up their CAPA systems, preventing them from finding the root causes of problems.
"What firms are doing now is, they'll have 500 of what they call 'CAPAs' in their system, which is ridiculous, because only probably 10 or 20 of them probably truly meet the risk threshold" of being a corrective or preventive action, she said.
Meanwhile, "ISO 13485 does a much better job of really getting into measuring and analysis, and talking about how to measure and analyze, and then having a mechanism to escalate" than does the QSR, Trautman said.
For corrective and preventive actions, she said "ISO 13485 is stronger, more current and provides a better framework for a true process improvement escalation."
The standard's approach to escalating corrective and preventive actions "is where 820.100 could be best brought up to date with current quality-process thinking, by more closely aligning it with 13485," she noted.
And unlike the QSR, ISO 13485 addresses corrective actions and preventive actions separately, in Secs. 8.5.2 and 8.5.3, respectively – an approach that Trautman advocates.
"I would love to do away with the term 'CAPA.' It's is so misused and abused," NSF International's Kim Trautman says.
ISO 13485 didn't exist when the QSR was drafted; the standard's first iteration came in 1996, the same year FDA published its rule. Therefore, when writing the QSR, Trautman tried to harmonize Sec. 820.100 as much as possible with the 1994 version of ISO 9001.
ISO 9001, last revised in 2015, is the general quality systems standard applicable to all industries and is the base standard of ISO 13485.
ISO 9001:1994 smashed corrective actions and preventive actions together into one process. That's why CA and PA are holding hands in the Quality System Regulation – and in the minds of quality and regulatory professionals who've been using the "CAPA" acronym for the past 22 years. (ISO 9001 no longer lumps together corrective actions and preventive actions.)
That's why it's vital for industry to drop the acronym from its vocabulary, Trautman said, so firms understand that corrective actions and preventive actions don't have to be rolled into one.
"I would love to do away with the term 'CAPA.' It's is so misused and abused," she said.
And she's not the only one who wants a name change.
Luann Pendy, senior VP of global quality for device giant Medtronic, is leading an initiative through the joint US FDA/MDIC Case for Quality that will look at ways to streamline and modernize corrective and preventive action. (Also see "With New Initiatives, Case For Quality Embarks On Mission To Create 'Safe Space,' Engage CEOs, #makeCAPAcool" - Medtech Insight, 29 Jun, 2018.)
"What is the four-letter word that we use to solve problems? 'CAPA.' But engineers hate CAPAs," she said at a Case for Quality open forum in Washington, DC, in June.
"My conundrum at [Medtronic] is, how do I get our 10,000 engineers to help me solve problems? I figured out that the way I need to do that is to get rid of CAPA. Blow it up. Change the name. Do whatever needs to happen to make that happen, because it's not working," Pendy said.
Pendy's group plans to leverage best corrective and preventive action practices across different industries as part of its work, including automotive, aviation and aerospace.
Trautman said she has spoken with Pendy about her Case for Quality project and is extremely supportive. "The device industry would do a lot of good for itself if it shared common practices, looked across other industry sectors like automotive, telecommunication and aerospace, and did some things in this area [of corrective and preventive action] so we can get back to what the original intent was, and to break that mindset that people have of what they think is expected from a corrective action or preventive action," she said.
Risk management. Despite being essential to the production of safe and effective devices, risk management is only mentioned once in the Quality System Regulation.
QSR Sec. 820.30(g), "Design Controls; Design Validation," notes that "design validation shall include ... risk analysis, where appropriate."
However, the QSR preamble provides a bit more detail. "When conducting a risk analysis, manufacturers are expected to identify possible hazards associated with the design in both normal and fault conditions," it states. "The risks associated with the hazards, including those resulting from user error, should then be calculated in both normal and fault conditions."
ISO 13485 is riddled with mentions of risk and the importance of conducting adequate risk analysis activities.
"The preamble shows the proper intent [for risk management], but as it's manifested 20 years later, it has taken on a life of its own," Trautman said, noting that most firms don't even know that risk management is discussed in the preamble.
"Unless I preach to them, people don't go back to the preamble anymore because it's 20 years old, so they forget that risk management is in there," she said.
FDA recommends that companies use ISO 14971:2007, the voluntary international standard on how to put together a risk management program. (ISO 14971 is currently undergoing a revision by ISO TC 210, WG1; it will likely be published in 2019.)
Although the agency cannot require manufacturers to implement ISO 14971, it nevertheless strongly endorses the standard's risk management guidelines.
On the flip side, ISO 13485 is riddled with mentions of risk and the importance of conducting adequate risk analysis activities. Because of that, device-makers should expect much more talk of risk management in a revamped QSR.
"Our industry has advanced so much more in risk management since the '90s," Trautman said. "There's just so much that has changed, including the advent of us becoming, as an industry, more mature with risk management."
Complaint handling. Until its 2016 iteration, ISO 13485 didn't include specific complaint handling requirements. The Quality System Regulation has historically been the stronger document when it comes to complaint handling, under Sec. 820.198.
"This is the first time, in the 2016 version of ISO 13485, that there's an actual specific section for complaint handling [Sec. 8.2.2] with some specific requirements, which are very closely tied to what is in 820.198," Trautman said.
Where there is the biggest divergence between the two documents is that while ISO 13485 simply states that regulatory reporting requirements must be met, the QSR is more prescriptive under Sec. 820.198(d). That part of the regulation directs firms to investigate complaints and report them as appropriate to FDA under its Medical Device Reporting rule, 21 CFR, Part 803.
When the agency rewrites the QSR's complaint handling section, it's quite possible that it will "harmonize the general requirements to be identical to 13485, and then add a section that would include the particular requirements that tie to Part 803," Trautman said.
"Or, the harder thing to do would be to pick those requirements out of 820.198(d) and open up 803, and revise the 803 regulation," she said. "But that's very burdensome and would go well beyond the purview of the [QSR rewrite] initiative."
Labeling. The QSR's rules governing labeling under Sec. 820.120 might go the way of the dodo, Trautman suggests.
"There are still remnants, if you will, in 820 from the original 1978 device GMP regulation that are no longer serving much of a purpose. Exhibit A is labeling," she said, noting that FDA's requirements are too prescriptive.
"Look at all the different particular requirements in [820.120]. It is so specific: label integrity, label inspection. And not that that’s not still expected practice, but the level of prescription here is not necessary," Trautman said.
ISO 13485 is more hands-off. It simply notes under Sec. 7.5.1 that, "as appropriate, production controls shall include … implementation of defined operations for labeling and packaging."
"A general wording like you have in 13485 that basically says a manufacturer must control labeling would be sufficient" for the revamped QSR, Trautman said.
Records. One of the bigger fights that FDA may have on its hands as it retools its regulation is moving away from a records exception under QSR Sec. 820.180(c).
That section says device-makers aren't required to share results from internal audits, supplier audits and management reviews with agency investigators when they inspect a facility. When it comes to having such an exception, FDA is unique amongst regulators.
"The regulatory auditors in all the other jurisdictions have been looking at [those types of documents] for years, and nobody’s really gotten any hair raised. And I can tell you, auditors definitely look at them during MDSAP audits," Trautman said.
Under the Medical Device Single Audit Program – created by the International Medical Device Regulators Forum (IMDRF) – manufacturers undergo one audit by an accredited third party to satisfy quality regulations for five countries: the US, Canada, Brazil, Japan and Australia.
"So, my question to firms is, what’s the big fear?" Trautman asked, pointing out that the internal audit exception is a holdover from the 1978 GMP regulation.
"In my opinion, the exception should just go," Trautman says.
"Back in the '70s there was the thinking that manufacturers wouldn’t want to expose their own faults. But that was before the time of the corrective and preventive action system," she explained.
"When we moved to the '96 [QSR] regulation and finally had the concept of corrective and preventive action, I would tell manufacturers, 'It really doesn’t matter that a problem happened. What matters is that you found it. Whether you found it in internal audits, or you found it in nonconforming product, or you found it in a complaint – it really doesn’t matter. If it needs to be raised to a CAPA, then it needs to be raised to a CAPA,'" Trautman said.
And because the QSR preamble says FDA investigators can see CAPA documentation, that means outcomes from internal and supplier audits, as well as management reviews, will likely be looked at anyway.
"That's why, in my opinion, the exception should be taken out of the regulation – but that's a decision the agency will have to make," Trautman said. "Like labeling, the exception is one of those legacy things that is probably more baggage than benefit."
Odds & Ends
Here's what Trautman had to say about three other distinct sections of the Quality System Regulation, and how they might be affected by ISO 13485:
Design control. "Design control [Sec. 820.30] is probably one of the most harmonized sections, actually. The only thing is, because device classifications aren't going to be harmonized, FDA’s class I, II, III is just not going to be harmonized one-for-one to the class I, IIa, IIb, III, IV concept. So, that’s just going to be an area where country-specific requirements are going to be needed. Otherwise, the design control requirements are very, very harmonized, and that’s actually a very good example of how closely [the QSR and ISO 13485] can be tied." ISO 13485's design and development requirements are found in Sec. 7.3.
Quality planning. "The way quality planning was written in 820.20(d), it talks about the fact that each manufacturer 'shall establish a quality plan,' making it sound like, because there’s an 'a' there – 'a' quality plan – that there’s only one quality plan required. But there’s no one quality plan. There’s quality planning that happens throughout. This is just another example of how harmonizing to 13485 would be beneficial." ISO 13485 has a section dedicated to planning quality objectives and quality management systems under Sec. 5.4.
Purchasing control. "Both ISO 13485 and 820.50 have evolved. They’re closely related, but both have evolved over the past couple of years to be closer to guidance from GHTF [the Global Harmonization Task Force, the precursor to IMDRF]. There’s a lot of good stuff in 820.50, but I think it would definitely benefit from the clearer words found in 13485 regarding supplier monitoring, evaluation and re-monitoring. It's just the science has evolved, and I don’t think it would cause too much heartburn." ISO 13485's purchasing requirements can be found in Sec. 7.4.