Change Control: Handle Regulatory Transitions Without Breaking Your QMS

Christian Reyes (00:00)
Welcome back to the QT9 QCast, the show where we turn quality and compliance from a cost center into a competitive advantage. I'm your host, Christian Reyes, and today we're talking about one of the most common ways quality teams accidentally create pain for themselves, reacting to regulatory change with too much motion and not enough control.

My guest today is Phil Guarino, VP of Quality for SCIE Solutions. Phil has more than 30 years of experience working in regulated industry, successfully implementing and managing quality management systems for both established as well as startup clients, executing QMS audit finding remediations, as well as performing internal and supplier audits as a certified lead auditor, both domestically and internationally. Phil brings a broad quality background,

and a practical perspective on what strong systems actually look like under real world pressure. Phil, thank you so much for joining me today.

Phil Guarino (00:51)
Thanks for having me.

Christian Reyes (00:52)
Let's start with the real world problem. When a new requirement or a standards change lands, why do so many companies immediately act like they need to overhaul half of their QMS?

Phil Guarino (01:02)
Well, I could say that the overreaction usually comes from a few things. Firstly, when there's a new requirement, I think people get bombarded online with opinions, white papers, you know, the old, you ready for the new requirements posts from consulting firms, advertisements, almost causing kind of a panic.

I think when you don't have the compliance experience to evaluate those changes, or you don't have the confidence that the current QMS is effective, the thought is we need to overhaul the entire QMS, which I can tell you is almost never the case for companies with even a reasonably current compliant QMS.

Christian Reyes (01:37)
Yeah, yeah, it's a very timely topic that we've got because this year, especially, it seems like there's there's so many changes happening across different industries.

Phil Guarino (01:48)
especially the QMSR, you know.

If you have ISO certification, certainly you're a long way to being compliant to that, but there are still requirements that if your QMS was not strong beforehand, it is something to consider that risk, the risk-based approach to all aspects of the QMS is really what is driving the new change in my opinion.

Christian Reyes (02:11)
Yeah, yeah, absolutely. And from my understanding, the QMSR, which started being enforced in February, I believe, it brings a little bit of that ISO 13485 flavor to what was QSR. But even if it's not like because you're 13485 certified, you're good to go on QMSR, there still has to be some sort of risk.

Phil Guarino (02:19)
Correct.

it.

Christian Reyes (02:36)
you you realize that a standard's going to change in some amount of time, not necessarily the near future.

What's the biggest first mistake that you see quality teams make?

Phil Guarino (02:44)
I'm procrastinating, to be honest with you. I've seen over the years, just recently since we knew the QMSR was going to be in place, I've seen just companies procrastinating, not creating a plan.

Waiting until, you know, oh, we have time, we have time. You don't have time sometimes. And I strongly recommend creating the plan, assess the current QMS versus the new requirements. And having a plan helps to avoid waiting until the last minute to assess and make updates, which only creates stress if you do that. And it really creates an opportunity for the team to miss important things because everything's a rush, a rush, a rush. And you end up missing things.

gaps and not address them appropriately.

Christian Reyes (03:28)
Yeah, absolutely. you're working in a time crunch, it's just inherent to how you're approaching that scenario. ⁓ Now, from your experience, what have you seen that usually breaks first when organizations overreact?

Phil Guarino (03:38)
Yes.

The first thing to break is usually consistency. Because people are always, they're in a rush to do something. So changes get implemented without clearly documenting why are we making the change. Later when an auditor, for instance, asks for justification, no one can reconstruct the logic. At that point, even correct decisions,

you're making start to look non-compliant as people second-guess themselves. So, poorly managing responses, managed responses prioritize speed and the volume of change over the integrity of the change and subsequent clients of the QMS. So, once that consistency is gone, you the validity of the entire QMS can be called in the question and considered to be no longer trustworthy. And that could, that may well not be the case.

but that's the way it appears. Could appear.

Christian Reyes (04:37)
Yeah, yeah, that's a really good point. Now, is this mostly a quality problem from what you've seen, or is it usually, does it come down to a leadership problem?

Phil Guarino (04:45)
No, this is, you know, maybe I have my quality hat on too tight, but I'm, I'm a big fan of that. It's a leadership and governance issue. I think it well functioning quality management system under the framework of, instance, ISO 13485, it doesn't decide how the organization interprets risks or prioritizes work or, or even allocates resources. Leadership does this. So quality issues show up downstream, as a result of the poor planning, poor

leadership. So leaders that signal speed or optics, that matters more than accuracy to them, whether intentional or not. But in the end, governance defines really how decisions should be made. Leadership reinforces what behaviors are rewarded, then the quality system executes and documents those decisions.

So yeah, I definitely think you need, really need to have ⁓ your upper management understanding, and that comes from creating a plan and presenting a valid plan. And even, what are the ramifications if we don't complete the plan? I think that's how management reacts. They need to hear these things, but then I think there needs to be pushback when it's just a QA process. I've seen too many times where it's only quality assurance is doing,

managing the plan, quality assurance is hosting audits, quality is everyone's responsibility. And I'm a big fan of getting, know, for having going to have a plan, get, get a team involved, get people from operations. You know, if we're, if quality does procedures or updates in a bubble and then hands them over to operations and says, okay, now do it, just, it just creates animosity to be honest. And operations doesn't, didn't have a chance to, to give their opinion on the change.

or things that they may needed to see as part of what they've interpreted from the change. So again, it just comes down to leadership.

Christian Reyes (06:33)
said earlier on that it's rarely ever the case with a new standard revision that you need to overhaul everything. You need to overhaul the entire QMS.

So if panic and paperwork churn are the wrong response, you started talking about it, but let's get into a little bit more of what the right response looks like. ⁓ So if you were advising a quality leader, you know, the day after a major regulatory or standard shift, what are the first things they should assess before they touch a single SOP?

Phil Guarino (06:53)
Sure.

I think you should probably notify them way before the deadline for the...

for the new standard, for the new QMSR as an example, but I do advise quality leaders. And the first thing I tell them, understand the changes. Create an initial quality plan, get buy-in for the plan, define who the players will be and their responsibilities, but the first task should be a gap assessment to determine adherence of the QMS to the new regulations and standards. See where you stand first and then create your plan. Because once that's completed, then you

update your plan. You have your plan, you found some new things. A quality plan could be a living document. Yeah, so that's, I hope I answered your question.

Christian Reyes (07:51)
Absolutely. No, you absolutely did.

So what does a mature, controlled response to regulatory change like this, what does that actually look like in practice?

Phil Guarino (08:01)
you

Again, keep saying don't panic first. And then we need to interpret any changes or a particular change by determining what has changed and what the intent of the change is. So it could be, it's not always enough to just know what's changed, but what's the intent of the change? You know, when we say, know, risk assessment has changed or really a focus on risk assessment and people say, okay, let's just update our risk assessment procedure without looking outside the box and saying,

What other aspects of our QMS really need to incorporate change? And sometimes people don't actually understand.

how a risk-based approach works for all aspects of the QMS. And it really does. If you go through, even you could have something as simple as doc control, a risk-based approach is putting in the reason for a change. If you could put in the reason for a change and a document change, then somebody who's reviewing it has a better sense of what they're approving at that time.

So anyway, back to the response to a regulatory change, we don't just jump in, as I said, start making changes without determining where the change applies and where it doesn't. So getting that gap analysis first, then you make your changes. And also, the decision should be documented either in the plan or a CAPPA. I say plan, but a CAPPA could also be a plan as well.

People have a strong corrective and preventive action system that actually helps them build risk into the process as, you know, do we introduce risk by updating this process? So, CAPA is also a pretty good tool to use, for sure. And then, it's creating a team, I think. I think that's a mature response. Getting everybody involved.

Years ago, I can tell you, I'm not gonna name the company, but I worked in quality and we had our operations group and we would go for a meet and greet or just drinks after work and go to a big bar and everyone from QA would be on this side of the bar.

Everyone from operations is on the other side of the bar and nobody talked to each other. And that was the culture that we lived in. You know, and that's that those times are done. We cannot do that. Quality is everyone's responsibility. So depending on the remediation, you absolutely shouldn't include a team. So even people that are pushing backs and know you're going to be on this team, we want your input. And I have found over the years, even though I may implement a process

Christian Reyes (10:14)
you

Phil Guarino (10:40)
and it's going to come out exactly as I plan, letting somebody else review it or have their input to it, it makes them feel inspired by what they're doing hopefully. And they can certainly feel like they've contributed. I think that's a huge thing. So I'm a big fan of creating a team and you know what, may just be they're in it for just a small portion of the...

any of the updates that need to be done but still at least they know they're part of that plan and then somebody knows they're part of a plan and the plan needs to be executed hopefully they're really you know really paying attention to that and will really facilitate and contribute to the team so that all these updates aren't done on a bubble QA can't update everything they have to have input to make sure what we're updating

is going to, everyone's gonna be okay with that. You know, I always say, you know, people say, could you write me a procedure? And I say, I don't write procedures. I implement processes. Procedures write themselves. So what I wanna see is people doing a process. They are happy with the process from the plan. Here's what we need to do. Let's update our process. Let's look at it. Get them involved. Does this process work for you? Yes, good. Then we create a procedure for it. Once we have the procedure,

it's a no-brainer because if somebody is actually doing a process that's in a procedure and they don't have to look at the procedure which is always there for them to review I think they're just going to be inspired to to do the right thing. Absolutely.

Christian Reyes (12:13)
Absolutely,

By involving folks in the planning to areas that are relevant to them, it gives them a real sense of ownership to a certain degree over that process. And they'll be more likely, I would assume, to follow it through and make sure that it's continued in terms of how the.

Phil Guarino (12:30)
Thanks.

Exactly,

exactly the follow through. Yeah, because I mean, I've seen it go horribly wrong where, you know, another example would be a company, an overseas company, I was working in the United States, but they had a mandate that came down and said, you will use all of our procedures now that we've developed in another country, and you'll start using them, which was horrific. It didn't apply to the site that they sent the procedures to.

I mean talk about disheartening. So right there, management's to blame. That's not the way to do it. Just creating procedures in a vacuum or a bubble and then to have people here do, now do. That does not work. I've never actually seen it work effectively. It just causes animosity. I've seen people walk out because of that. This is exactly the example I'm giving you. Two people walked out of that company within a week.

So yeah, that was a long time ago, hopefully things like that. Just an example of what I've seen for that.

Christian Reyes (13:26)
Wow.

Yeah, yeah, absolutely. And I think another interesting point you brought up was the example right before that, ⁓ where you went out to a bar and you had your quality folks on one side and your operations folks completely on the other. And that is, you know, a classic or quote unquote cliche, dynamic that exists in many companies out there where operations is, you know, trying to get things done and

Phil Guarino (13:43)
where you went to up.

Well, sure, I'm going...

Christian Reyes (14:02)
the way that they

Phil Guarino (14:02)
Yep.

Christian Reyes (14:03)
view quality historically has been, why are you trying to make my job harder? you know, why are you trying to tell me what to do? ⁓ Where as the new standards are coming out, as they're revised, I think they're doing a better job of forcing the other parts of the organization to become involved. Because you said it yourself, quality.

Phil Guarino (14:05)
I'm

Exactly.

Christian Reyes (14:23)
is in everything. Quality is a part of everything. It's not just a separate department with its own list of check boxes that you check off to make sure you're good to go. It at its best is touching every part of the company.

Phil Guarino (14:36)
as a quality person, I've actually heard this from people higher up than me that say, you don't make anything. You guys are just a liability. You don't make anything. You don't generate income for us. You're costing us money.

What's the cost of not having quality?

look at it this way you have a good quality group that can handle an audit really well do a good job the cost of the cost of a warning letter is going to be greater than

Who knows how much production you have to do. When you can have your quality group really focus on the QMS and do a really good job, it's inevitably a cost savings. Any way you look at it.

Christian Reyes (15:16)
Absolutely.

I believe that, correct me if I'm wrong, but you'd found QT9 in the wild during an audit that you were performing, correct?

Phil Guarino (15:27)
Yeah, I did. I was auditing a medical device company who was using QT9. It's just a general supplier audit for one of my clients. I just was, wow, the guy was just flying through, finding documents really quickly.

I just couldn't believe how easily he was able to pull up anything I asked for. And we did everything online. We didn't have to print anything else out. And I love the fact that they had so few forms because, know, QT9 captured everything from an approved supplier list. I mean, so many people have an ASL proof supplier list. They have another list. QT9 does that for you.

It has an approved supplier list. So the minimal number of forms was great. I love the fact that the user-defined elements of the system really helped to...

to not be able to move forward until those were addressed, which I liked. And yeah, I just think it was really, it was just really effortless to navigate. And really we did the review in a super timely manner and I was out of their hair, know, no one wants to be audited.

Christian Reyes (16:35)
Yeah.

Phil Guarino (16:36)
I immediately went back to...

to the group and I said, look, I think I found something that's really cost effective and probably better than some of the other programs I've seen as well. And sure enough, everyone really liked it and we ended up implementing it for a few clients.

Christian Reyes (16:53)
Well, we love to hear that. We love to hear that. And I've spoken with our implementation team on the QMS side that you've worked with

we've got over 1300 customers and we work with a number of different consultants over the years. So they have a lot of experience in that realm and they love working with you and working with SCIE. So it goes both ways. It definitely goes both ways.

if someone listening right now is staring down a major regulatory change or standard shift this year, what are the first three things that they should do and what's one thing that they absolutely should not do?

Phil Guarino (17:29)
⁓ Let's see, so I would say the first three things are A, don't panic is number one. Two is really investigate and understand the changes before doing anything. Like I said, sit in on the webinar, do a Google search, correspond with contacts. You probably have more contacts in the industry than you may think. And people are happy to answer questions.

these are necessary to fully understand the change. I hear people say, the standard or regulation changed, they should really say, boy, some details of the subparts have been changed, which is really actually the case. It's not the whole standard has changed, so let's not panic. Then also I'd say once the changes are understood, make sure changes are...

make sure the changes actually affect or involve the related aspects of your QMS. And lastly, I'd say meet with upper management to discuss the changes, how they impact the QMS, and then get buy-in that they support a plan. Buy-in of the plan is paramount. What they shouldn't do, I think there are two things they should absolutely not do. The first thing I feel strongly about is

starting the process of procedural updates without doing the three things I just mentioned. Just jumping in and changing things is, I've seen it before, I've seen it just after an audit. Never mind a regulatory change, just an audit. The company gets hammered in an audit and the boss says, fix all this. And they actually start fixing something during an audit. ⁓

I've never seen anything get fixed appropriately while an audit is going on because of an audit finding. The same situation here. So I would absolutely not procrastinate.

the second thing they should not do. Get things in motion as soon as possible to avoid a time crunch. Maybe the change affects you more than you think, or maybe it doesn't affect you as much. You're not gonna know that until you do your assessment, you put your plan together, and then you flesh out the scope of the updates. It's gonna lessen your anxiety when there's a clear picture of what needs to happen, what needs to be done.

Christian Reyes (19:35)
The best quality leaders, they don't overreact. They assess impact, prioritize risk.

control the change and strengthen the system as they go. And that's how you stay audit ready. That's how you avoid the chaos and that's how you build a QMS that can actually get stronger under pressure.

Phil Guarino (19:55)
Exactly.

Christian Reyes (19:56)
So Phil, thank you again for joining me. I really enjoyed this conversation and learned a lot.

Phil Guarino (19:59)
That's great. pleasure.

My pleasure.

Christian Reyes (20:04)
thank you to our listeners who joined in. if this episode helped you, please send it to one person on your team who hears new requirement and immediately wants to rewrite the universe. I'm Christian Reyes and this is the QT9 QCast. Like, subscribe, share it with a colleague. And until next time, stay compliant.