
Originally Published MX May/June 2002

GOVERNMENTAL & LEGAL AFFAIRS

Compliance Auditing

Medtech manufacturers don't have to be unpleasantly surprised when FDA inspectors knock on their door.

Jeffrey N. Gibbs

Surprise parties and unexpected visits may be either pleasant or unwelcome, according to the eye of the beholder. But when regulatory surprises befall medical technology companies, they are nearly always unpleasant.

On occasion, a product will perform better in clinical trials than anyone anticipated. And once in a while, FDA will clear a device with unexpected rapidity. But generally speaking, surprises connected with the regulatory status of medtech manufacturers and their products are both unpleasant and undesirable.

Such regulatory surprises can manifest themselves in a variety of unwanted forms, such as FDA warning letters objecting to a company's advertising claims, product failures that necessitate a recall, or clinical investigators whose sloppy recordkeeping jeopardizes a company's product approval. Whatever their shape, they are virtually always unwelcome guests.

Unfortunately, such regulatory surprises cannot be entirely eliminated. The regulatory world for medical devices is too complex, with too many variables and too many random events, to be completely free of unanticipated adverse events. Indeed, FDA regulations expect that the unanticipated will occur, and agency regulations require that manufacturers report such unanticipated adverse device effects.1

Although company executives cannot eliminate regulatory surprises, they can undertake measures to reduce the frequency and severity of such occurrences. One of the most important steps that a company can take is to implement an effective compliance audit program.2

Of course, audits by themselves are not enough. As the recent Enron debacle illustrates, an effective audit program means not only ferreting out problems, but also taking corrective action once such problems have been identified. This article discusses some of the key issues relating to the creation of a beneficial internal-compliance auditing program.

Why Audit?

Companies can be reluctant to conduct regulatory compliance audits because of the costs they impose. Paying outside auditors, for instance, is a direct cost that many companies would prefer to avoid. In addition, there are costs associated with the time spent by employees to answer auditors' questions, and the management time to deal with the audit findings. And audits can be distracting to employees. While participating in auditing and being audited, employees are not producing new devices or engaged in any other revenue-generating activity.

In spite of such direct and indirect costs, there are several good reasons for conducting broad-based audits. One compelling reason is that FDA requires companies to perform at least some auditing. FDA's quality system regulation (QSR) states that manufacturers "shall establish procedures for quality audits and conduct such audits to assure that the quality system is in compliance."3 However, this requirement covers only QSR compliance, not the entire gamut of regulatory activities. There are many other potential sources of regulatory surprises.

But companies that conduct audits merely to meet FDA requirements are missing the essential point. Device manufacturers should conduct regulatory audits because it makes good business sense to learn about regulatory deficiencies—and cure them—as early as possible, before they become major crises.

Sporadic or isolated instances of regulatory noncompliance are to be expected. Those situations, however, tend to present smaller risks to the company than recurrent noncompliance. One-time problems can be more easily resolved to FDA's satisfaction.

The more serious regulatory problems—those with the potential to be most damaging to a company—are rarely of a sort that arises overnight. Often such problems take years to manifest themselves, while noncompliance spreads through the company like a slow-growing cancer. Left unchecked, such violative conduct can become an ingrained habit that can result in such serious deviations from the law as repeated QSR violations, a pattern of improper promotional activities, or continued failure to submit medical device reports.

The repetition of regulatory violations is itself significant to FDA. Generally speaking, the rigor of FDA's regulatory action correlates to the prevalence of the violations.4 The greater the number of violations, or the longer they persist, the greater the likelihood that FDA will seek a more serious penalty.

When a company experiences a substantial instance of noncompliance, it is critical that management learn about this failure promptly. Audits are a key—though far from exclusive—source of this information. Armed with knowledge, management can take effective corrective measures. Without this information, management is less likely to intervene before regulatory disaster strikes.

Audits can also demonstrate to employees that the company is committed to compliance, and can assist in training employees to do their jobs better. Audits are sometimes viewed as a type of "gotcha" exercise, where the perceived goal is to catch and punish offenders. Properly implemented, however, audits can serve as a tool to reinforce the corporate commitment to compliance and training. Once shortcomings have been identified, employees can be given focused training to address their weaknesses and systems can be fixed.

Viewed more paternalistically, audits can play a deterrent role. Some employees are motivated to do a better job if they know that their work is subject to periodic inspection. If necessary, employees can be sanctioned or terminated.

Ideally, when a company implements all of these elements at once—developing a corporate culture that stresses compliance; carefully selecting, training, and, when necessary, terminating employees; and taking corrective measures—significant regulatory problems should never arise.

But even if the audit program is unable to completely stop violations from occurring, the fact that the company has conducted audits may help to mitigate the consequences of regulatory violations. They may be useful in tempering the wrath of the government.5

In summary, while not a panacea, compliance audits are a valuable method of risk management.

Where to Audit?

The basic answer to the question of where to audit is simple: start with the company itself. External audits can be important, particularly for outside vendors or clinical sites. But the focus of a compliance audit program should be inward looking.

The trickier question is where, within the company, should auditors focus their attention. The answer depends in large part on the company's operations. Device companies vary considerably in size, scope, and the nature of their regulatory obligations. An internal audit program for a large, integrated manufacturer-distributor-marketer would be excessive for a small company that outsources most functions.

The focus of audits is typically on the manufacturing function. Most audits are oriented toward assessing QSR compliance. Given the critical role played by manufacturing operations in maintaining regulatory compliance, that is an appropriate allocation of resources. More warning letters are issued to device companies for QSR noncompliance than for any other reason, and manufacturing problems are the primary causes of recalls and other corrective actions.

QSR compliance, however, is only one of many areas deserving audit. For example, underreporting of events that should be filed as medical device reports (MDRs) can lead to significant enforcement action. FDA has brought injunctions or criminal prosecutions against companies it believed had repeatedly failed to file MDRs. Companies should periodically have a person who is not involved in the MDR decision-making process audit MDR files to ensure that nonreporting decisions are correct—or at least justifiable and documented.

Another area that warrants close scrutiny is the company's process for determining whether product changes require new premarket notifications (510(k)s) or premarket approval (PMA) application supplements. A new 510(k) is needed if the change could significantly affect the safety or effectiveness of the device, or if there is a major change in its intended use.6 Changes to a PMA device or its labeling may require the filing of a new PMA supplement.7 The consequences of guessing wrong on whether a new clearance is needed can be significant. For instance, FDA may not allow the product to continue to be marketed in its new form.

Yet the regulatory criteria for determining when to submit a new application are not free from ambiguity. An independent review of the files supporting decisions not to submit can evaluate both the accuracy of those decisions and the rigor of the reviews. Ordinarily, FDA will not take strong regulatory action if it believes the decision not to refile for a modification of the product was erroneous but made in good faith.

Advertising materials are another area that should be audited. Are there standard operating procedures to ensure review of promotional materials? Are they broad enough? Are they followed? Are promotional materials added to the company's Web site without going through the review process? Given that promotional materials can lead not only to regulatory problems but also to product liability suits and unfair-competition suits by competitors, they deserve to be audited carefully.

Companies should look at other types of regulations as well. For example, manufacturer compliance with FDA's electronic recordkeeping regulation, which is not a recent rule, is an area that is generally lagging.8 More recently, FDA has adopted new regulations for exports.9 For many device companies, these new policies will require new documentation and recordkeeping procedures. Does the company have procedures for evaluating corrections and removals?10 If the company uses tissue-based materials, is it in compliance with the National Organ Transplant Act?

Thus, the answer to the question of where to audit is essentially any aspect of company operations subject to FDA regulation. While the frequency of audits will be affected by the relative risks, virtually all FDA-regulated areas should be scrutinized at least occasionally.

Who Should Audit?

Selection of the auditor or auditors is a key element in developing a productive audit program. In choosing an audit team, company management should ensure that there is a good match between the substantive knowledge of the auditors and the areas that are being audited. Expertise in QSR compliance may translate into successful audits for compliance with good laboratory practices or other analogous regulations, but may not translate well into such very different arenas as reviewing promotional practices. Thus, a company planning to audit a wide variety of company functions may need to use different auditors with complementary areas of knowledge and experience.

In addition to being knowledgeable, the compliance auditor needs to be able to assess relatively rapidly the company's regulatory status. Compliance audits should not be designed to find all violations. Nor should they be unduly prolonged. Longer audits may find more issues, but at a corresponding cost in time, money, effort, and disruption.

At some point, most audits hit a point of diminishing returns. Extra inquiry is rewarded by relatively little extra knowledge. The auditor needs to be able to recognize when the marginal gains are negligible, and when the audit can cease.

The auditor's personality can also affect the ability of an audit to detect problems. In many cases, evidence of a violation will be documented—or will be clear by the absence of documentation. Even so, an audit is not simply a paper exercise; it is extremely helpful to develop some rapport with employees. They can make the audit far more productive by candidly discussing problems or helping to identify a record that might otherwise be a needle in the proverbial haystack. Auditors who rely on intimidation will be less successful, and may also bruise the feelings of employees who feel that they have been attacked.

An important caveat is in order: audits should never be vehicles for personal vendettas. A company should not permit anyone to audit a function run by someone else where there is a history of personal animosity, whistleblowing, allegations of sexual harassment, or other bad blood. Giving an employee the power to attack a rival through an audit can be a prescription for disaster. The consequences can include nightmares for the human resources department, claims of retaliation, lawsuits, whistleblowers, and an audit report that contains the kind of inflammatory language that tantalizes both FDA investigators and plaintiffs' lawyers.

One other important caveat involves the relationship between the choice of auditor and the ability to protect records. A common misconception is that records of internal audits are exempt from disclosure. While it is true that FDA generally does not ask to see audit records, there is no per se exemption from disclosure for audit records. (Companies have argued that there should be a self-auditing privilege, but those efforts have mostly failed in court.) Unless otherwise protected, audit reports can be obtained by FDA, other government agencies, and even private litigants. Thus, in situations where confidentiality is particularly important, the company should consider having the audit performed by counsel or under the direction of counsel.

When to Audit?

The scheduling of compliance audits is influenced by several factors, such as the company's regulatory history (if a company has a checkered history, the frequency should be increased), the size of the company, the complexity of the regulatory tasks, and the regulatory risks associated with the various functions.

No single schedule fits all companies. However, it is desirable to conduct compliance audits on a regular, scheduled basis. Conversely, it will be counterproductive to schedule audits but not conduct them. Failing to conduct audits according to plan may lead FDA to question the company's commitment to regulatory compliance. Thus, any audit schedule should consider the resources available, and not be unrealistically ambitious.

In addition to scheduled audits, device companies should be prepared to conduct for-cause compliance audits under special circumstances. Examples of events that could trigger additional audits include the following.

  • A credible allegation by a whistleblower or potential whistleblower that the company has violated the Federal Food, Drug, and Cosmetic Act (or other regulatory provisions).
  • A sudden increase in the incidence of regulatory deviations, or reports of several significant violations.
  • Complaints by regulatory affairs staff that the regulatory perspective has been given short shrift during internal debates.
  • Credible evidence that there has been fabrication, falsification, or other serious misconduct.
  • A new FDA regulation imposing new regulatory requirements is taking effect.

A company should not await proof that a serious violation has occurred, such as fraud in a clinical study, before conducting a special audit focusing on the potential problem area. Rather, the audit should commence sooner, so that the company can learn, as quickly as possible, what its exposure is and what corrective action, if any, needs to be taken.

An early for-cause audit can result in an investigation that reveals no compliance problem. While conducting a special audit that gives a clean bill of health may seem like wasted effort, that may be the price that needs to be paid to avoid being caught off guard by a complaint that turns out to be valid. A device manufacturer has far more flexibility in developing a strategy if it—not FDA—uncovers a serious violation through its own efforts. If FDA finds the violation first, the company will find itself stuck in a reactive posture.

Given the sensitive nature of such for-cause audits, it may be particularly important that they be conducted by, or under the auspices of, counsel. This affords the greatest likelihood that the audit report will be protected from involuntary disclosure.

Regardless of who conducts the audit, the written report should avoid certain mistakes. (Even an audit report protected by the attorney-client privilege can be leaked.) For example, the report should avoid ad hominem attacks. The report can accurately describe violative conduct without resorting to personal assaults.

Reports should also avoid inflammatory, highly quotable language. An auditor can convey his or her findings without using words such as appalling, shocking, or deplorable.

There should be some balance to the report. By their nature, audits focus on the negative. However, even if the report emphasizes the negative, the auditor can—if appropriate—note positive features as well.

Management should not undercut the auditor's independence. If an auditor finds a problem, the company should address the problem, not fire the messenger. If an auditor writes a report that uses inappropriate terminology, however, a company can take responsive measures. (Of course, this has to be done carefully, to avoid charges of retaliation.) An auditor who finds a significant problem can be commended; an auditor who couches that finding in vituperative language has not done his or her job properly.

What to Do with an Audit Report?

Not conducting compliance audits presents risks. Even worse, though, is conducting a compliance audit and then not following through. If an audit finds significant problems, it is imperative that they be addressed.

Enron's collapse provides many lessons. While financial and accounting issues have drawn the bulk of the attention, another singular cautionary tale relates to management's response to the warnings it had. It is not as though the financial issues had lain undiscovered until the end. A lack of response to warnings and alerts has been at the heart of many of the criticisms leveled against Enron's management.

Thus, management needs to have a structure in place to review audit findings and ensure that remedial measures are implemented. This can also involve board participation. Some FDA-regulated companies have board subcommittees with responsibility for regulatory oversight. Many boards already have compliance subcommittees that consider accounting matters; FDA regulatory compliance warrants similar careful consideration.

Ultimately, correctly answering the question of what to do with an audit report is at least as important as any of the other questions posed. A diligent, thorough audit resulting in a well-written audit report by a knowledgeable auditor is worse than useless if it languishes in a bureaucratic purgatory. Management ignores auditor warnings only at its peril.



References

1. 21 CFR 812.3(s).

2. JN Gibbs, "Regulatory Due Diligence: An Ounce of Prevention," Medical Device Executive Portfolio (June/July 2000): 124–129.

3. 21 CFR 820.22.

4. "FDA Warning Letter Review Suggests Aggressive Action Needed, Troy says," The Pink Sheet 64, no. 8 (February 25, 2002): 21–22.

5. DB Farquhar, "Corporate Compliance Programs almost Never Result in Reduced Sentences for Convicted Organizations," FDLI Update 2 (1998): 1–2, 13.

6. 21 CFR 807.87(a)(3).

7. 21 CFR 814.39.

8. 21 CFR 11.

9. Federal Register, 66 FR: 65429 (December 19, 2001); 21 CFR 1.101.

10. 21 CFR 806.

Jeffrey N. Gibbs is a partner in the law firm of Hyman, Phelps & McNamara (Washington, DC).

Illustrations by Barton Stabler

Copyright ©2002 MX