Episode 11: FDA QMSR Readiness: Training, Risk, and Audit Evidence That Holds Up

Christian (00:00)
Welcome back. I'm your host, Christian Reyes, and this is the Qt9 QCast. In part one, Michelle King from ComplyGoogle broke down what QMSR changes and what it doesn't. Now in part two, we focus on what teams should do next, training the transition plan and inspection readiness. All right, let's jump back in.

Christian (00:10)
Welcome back to the QT9 QCAST, the show for quality and operations leaders building better systems. I'm your host, Christian Reyes. Quick reminder, this podcast is for general educational information. It is not legal or regulatory advice. My guest is Michelle Keene, the QARA director at ComplyGuru.

she's seen how these requirements land in the real world.

Michelle Keane (00:19)
Thank you, Christian. Thank you.

Christian (00:20)
you actually led my ISO 13485 Lead Auditor Certification course just this past year, which was fantastic. I cannot say enough good things about the class itself through ComplyGuru, about you as my professor,

Michelle Keane (00:21)
So.

Yes, I did.

Thank you,

Christian (00:38)
But I really appreciate you taking the time to come on the QCast and join us.

Michelle Keane (00:43)
No problem and thank you for inviting us, myself and ComplyGuru to get involved.

Christian (00:49)
Now you touched real briefly on training under QMSR. And in an organization, what should every employee understand about QMSR versus what should be more role specific?

Michelle Keane (01:00)
Okay, so I think the important thing to recognise about training, first of all, in relation to clause 6.2, for example, when we talk about human resources, there is a responsibility that people, first of all, have the criteria determined for their role by that top management team or those functional managers who will facilitate that decision making. When it comes to training to the QMSR, I think people are...

So versed in the QSR and all those associated parts of the CFR that really where you could identify gaps is the 13485 itself. If I was to say to you what's the first thing I'm training people on, it's risk-based approach. You know, that's probably where I'm gonna be putting my pen first. First of all, reinforcing that there are mandatory documents and records that you will require from 13485.

then you as an organisation must determine the processes that you need on top of those mandatory documents and records to get your device made. Because if you were waiting to get your device made on just those mandatory documents and records, you'd never get a product, right? So you as an organisation then must define all of the other processes that you need to get your product made. Once you've defined those processes, you then must assign your KPIs against it, and then you must apply a risk-based approach to those processes and how they interact.

And then, finally, once you've done all of that, you must then determine how you're going to control changes to those processes. And this is the thing. Once you have trained everyone to that concept, you then must train them to understand, when we make a change to this process, it could also make a change to our system or to the device itself. And again, the system is very explicit, because we have 414 of 13485 that talks about a change to a process.

We have 542B that talks about a change to the system itself or those system or bigger changes. And then we have Clause 739, which is a change to the actual device. So, you know, this 13485, if you really want to train people, it's about getting them to understand that it is an interlink of processes. And a change to a process under 414 can impact on the system itself or indeed the device. But change is mentioned in those three very segmented ways.

What you do for a process looks different to what you do to the system and any change to the system is going to look different to what you do with your product. Which is why the standard mentions it three times. It could have just mentioned it once, but it mentioned it three times. Because it wants you to approach those changes differently. So when it comes to training, what I would try and get people to understand is, firstly, the standard is based on your plan, check, act, cycle. The clauses that belong in the planning phase are four, five, and six. The seven is the doing and the eight is checking and acting.

Christian (03:24)
Yep.

Michelle Keane (03:40)
If you can get them to fit into that mode, they will start to understand the relationship that exists between the different processes and how the data that's generated from those is monitored and measured and fed back into the system. And I think getting that awareness into the team is crucial because if they see it as role-specific, Christian, it's never going to succeed. Every role needs to see how they feed into the system overall because everyone can impact on everyone else in the system. For example, I can give you a very good example that

Christian (04:05)
Yes.

Michelle Keane (04:07)
You get a complaint from the market, it comes back in. You need to assess that first of all and do a complaint determination. Is this a complaint? Did the user use it off label? Even if they did, you still have to use that as feedback into your system. But that complaint could very well drive a design change. Maybe there was a fault by design. Maybe there was something done with design phase that was missed. We have seen this happening. We saw it happening with the hip on hip metal implant where there was a design flaw there. So it's not good.

out of the realm of reality that there can be a design flaw that's caught out on the market. So again, you just see how complaint handling is feeding directly into that design and development, into that risk management, into that Capa. So I think when people can see it as a system of interrelated processes and not see it as role specific, then you are setting yourself up for success in your system. But to do that, you need to train them to understand that the system is a system of interrelated processes.

Christian (04:38)
Yeah.

Michelle Keane (05:00)
with that risk-based approach nearer on top.

Christian (05:02)
Absolutely, absolutely. Now real quick before we jump into kind of some of the more nitty gritty around QSIT going away, where in your experience, where do digital QMS systems help most during a transition like this? And where do teams like over buy tech instead of actually fixing processes?

Michelle Keane (05:20)
Yeah, look, I think most organizations now have moved away from a paper-based Christian. Most systems, or most organizations have got an EQMS system embedded into their organization. So first of all, one of the risks that you're going to have with the EQMS is ensuring that it's validated for your business use. Don't fall into that trap where a vendor is telling you, no, no, it comes validated. That's great, but you still need to it.

validated for your own use as well in your day-to-day business and that's captured very clearly under 416 of the standard, okay? But the advantages that it brings and some of the really cool features that have evolved in these systems are what I call these spider web linkages. Some of these systems have a lovely tool where you can click and you can immediately see if I make an update here it's going to impact on this part of the system here and that's one of those tools that's very visual and it will facilitate organizations in identifying where there's impact assessment. In other words...

it's removing that human part of I could miss something. So if you are setting your system up correctly, if you are validating it per your use, you should have this lovely visualization tool that allows you to say, if I update on this process here, where's the impact felt around my system? Because I need to address it there as well. And that's something that is an incredible asset for organizations that have an electronic QMS because through our best efforts, we are only human.

Christian (06:17)
Right.

Michelle Keane (06:40)
and we will miss something in an impact assessment and we can have 20 people, 50 people working on a change, you can be guaranteed something is going to get missed. So one of the biggest advantages of having an EQMS is that ability to automate that decision or that, well not so much decision, but to automate that feature of impact assessment. If I make a change here, where is it felt downstream or upstream in my system? Because I will need to impact assess there as well and see what risk that presents.

Christian (06:59)
Right.

Absolutely, absolutely. Now we made a couple of references to it thus far being QSIT going away. So let's talk a little bit about the inspection realities post transition. What do you expect to feel different on the ground for manufacturers during an FDA inspection under QMSR?

Michelle Keane (07:24)
Well, you know what, Christian, isn't it just as well we're doing this today on the 2nd of February, the birthday of QMSR are being enforced because one thing that has also been issued today, I'm not sure if you're aware, but I most certainly am, Christian. I think we've established that I spend a lot of time reading and finding these lovely documents. So one of the really good documents and it's actually issued today, 2nd of February to align with the birthday of QMSR.

Christian (07:32)
Yes, yes.

Yeah.

Michelle Keane (07:52)
is the new compliance program document from the FDA. So that is being issued today. one of the most important documents that people should be reading right now, it's not 13485 by the way, from today, because I'm hoping everyone has already done their projects, Christian, I'm hoping everyone has already transitioned at this point, but it is the FDA's new inspection of medical device manufacturers compliance program issued today.

Christian (07:58)
Okay.

Yeah.

Michelle Keane (08:18)
2nd February mark it down. It's basically guiding you on what to expect in those inspections. mark it down today is the day. If you don't have a copy, find it because it is the document that you need to be reading. It hits on, I suppose, what I would like to bring here is that...

Christian (08:19)
today.

Michelle Keane (08:39)
The biggest takeaway from my reading of that document is that when the inspectors come in, they are not going to be catching missing procedures. That's not what they're interested in. This is my reading of it. It's not for them to be catching missing procedures. They are validating whether leadership decisions make sense in the face of risk. And that's my biggest takeaway from the document. It's not that they're going to come in and start searching for things that are missing from the system. What they are actually looking for is

risk-based inspection levels. This is what's going to be happening. They're going to be following risk threads across your processes. They're going to be looking at, if I'm betting, complaints, medical device reporting, recalls, audit outcomes, and how it all feeds back into your system and feeding that inspection depth. So they're going to pick that point and they're going to dig. They are now, it's going to be faster. I feel that they're going to be able to get through more information a lot more quickly.

because the processes are more interconnected and they're data driven. So I feel that they're going to be able to move a lot faster through the system as well. And the thing that I would say is if people are putting their data in silos or spreadsheets, you know, if they're keeping it very segregated, it's going to be harder to demonstrate control to your auditor. It's going to be harder to explain decisions and it's going to show a lack of traceability actually, because if you're siloing all this information away,

It's almost like you're keeping it a secret from the auditors. And that's what they want to see. They're going to want to see data-driven decision-making that's based on risk. So I will go back and I will say it again. The QMSR inspections, they're not going to be so much about what's missing, records and procedures that are missing. They're going to want to see how... It's going to be about validating whether the leadership decisions make sense when they are faced with risk. That's what they want to see.

Christian (09:56)
Yeah, yeah.

Michelle Keane (10:16)
And from my reading of that document, I came in very late last night, it was very late on Sunday when I got it here in Ireland, but that is my biggest takeaway from it. It's not going to be about what's missing, it's about leadership's decision in the face of it.

Christian (10:29)
Absolutely, absolutely. It's a great answer. So do you think that inspections will start to feel a bit more like ISO audits or will the FDA still have its own distinct flavor?

Michelle Keane (10:39)
I think it's going to be a mixture of both, but I think overall, and the one thing I would say as well, and we touched on it briefly before, we talked about management review meeting minutes now forming part of that audit, but I think it's important to point out that the FTA have already said that they're not going to be routinely inspecting those records. They will only be inspecting them when they need to. And this ties very clearly to what I've been saying. They are going to be signal detecting using your data.

So they're only going to want to those management review meeting minutes when they feel there's a need to based on the records and data that they're being presented with. And I think that's going to be the biggest shift in how the FDA are now going to be doing your audits. They're going to be using data to inform the next step of the audit. In other words, when they look at complaints, when they look at CAPA, when they look at nonconformities, whatever the case may be, they are using that to then circle into other parts of your system because that's organically what they're going to have to do.

Your system is a, it's basically just a big system filled with interconnected processes and the auditors will use the data that's presented to them in the records of evidence as the navigation tool to find their way around your system. So for me, when I say, it going to take more of an either approach? I would believe that it will because we are now incorporating by reference 13485 into your regulation. So it stands to reason that they would have to change their approach to auditing as well. However,

They do still have those retained parts of the QSR where they will also need to find a way to incorporate certain elements of their previous methods of auditing into the new 13485 way because, again, as I said, undo checkouts. You've identified your processes, you've assigned your criteria, you've made it proportionate to risk. Now you want to see that executed and you want to see the data as an output from that process to see if you're achieving those KPIs. If you are, great. If you're not,

How are you feeding that into your system? And what data analysis tools are you using? They are going to follow the story. They're going to follow the story the whole way through from end to end for your processes. And I think that that's going to allow them a little bit more speed through your system.

Christian (12:43)
Now, in terms of the ISO 13485 this might be a no, but in your opinion, does this more, does the harmonization towards 13485 change the global strategy conversation, especially for companies that are already selling in the EU or participating in MDSAF?

Michelle Keane (13:02)
Yeah, and it's a really important thing, Christian, because we did get kickback. think everyone has read the preamble of the new QMSR and they've read the comments and different things. And, you know, especially with the management review meeting minutes, for example, now coming into scope. You know, what I would say from a business or from a regulatory strategy perspective, I think that the transition to the QMSR will actually allow

a cleaner, maybe quicker access to certain markets because now we're kind of moving into this regulatory reliance space. You know, we already have a lot of different jurisdictions using MD SAP certification, for example, in different ways. You know, they accept 13485 certifications from certain auditing organisations as well. you know, this shift into QMSR really creates an opportunity for regulatory reliance and it could actually make it easier for you to get your product on the market.

And you know, I said earlier in the US, you probably have manufacturers that are happy to just sell in the US because it's a huge market and they could happily live off the spoils of just selling their product in the US. But this shift of harmonization could make them consider this regulatory reliance that could make it easier for them to get into other markets. For example, we look at some of those emerging African markets where they do rely heavily on regulatory reliance to get products on the market in those countries.

Christian (14:05)
Yeah.

Michelle Keane (14:22)
So you know, could be food for thought for some of those fights that are predominantly only selling in the US to maybe look further afield.

Christian (14:28)
Absolutely, Lower barrier, if there's any lower barrier to existing markets.

Michelle Keane (14:32)
Absolutely. And you know,

absolutely. And as you said, this global call to action, this shift of harmonization for 13485 is pretty much serving the basis of any regulatory market access at the moment. Of course, regulatory reliance is going to come into focus and the US shift to QMSR is really just reinforcing what the industry has been saying for a long time. We can make it easier to get product to market, especially where it's needed.

Christian (14:59)
Yes, yes. Now, Michelle, unfortunately, we're kind of coming up on our time here, which we could keep going for hours as far as I'm concerned. But unfortunately, we don't have that time today, but we would love to have you back on. But before we kind of get into the wrap, just a couple of lightning round questions where you can just reflexively answer. Yeah.

Michelle Keane (15:07)
We certainly could.

Okay, I'm nervous already.

Christian (15:25)
No need no need. But OK, so real quickly if we're ISO 13 if we are ISO 13485 certified we can ignore QMSR.

Michelle Keane (15:35)
For all the reasons I've just discussed. False.

Christian (15:36)
Okay.

For the too long didn't

read of the entire first part false and QMSR means we will have to rewrite our entire quality system

Michelle Keane (15:48)
I would also say false.

Christian (15:49)
Risk management is only a design controls thing.

Michelle Keane (15:52)
100 % false. Again, for everything, for all the listeners, go back and review. 14971 is accepted as a consensus standard. It's mentioned in the preamble, only mentioned in design controls under the QSR, but we know that it is embedded, it's baked into 13485. So false, false, false on that one question.

Christian (16:09)
It's

everywhere, it's everywhere. We can wait until late 2026 to deal with this.

Michelle Keane (16:14)
Absolutely false, no way. Absolutely not.

Christian (16:17)
And once we transition, we're done forever.

Michelle Keane (16:20)
And again, I'll go back to what we said at the very early part of this. 13485 is not an implement and job done. You will need to consistently monitor it for areas of improvement.

Christian (16:29)
For sure. Like you said, the quality system is a living thing. It's continuous improvement, plan, do, check, putting that cycle into place. as kind of a wrap up question, what does good quote unquote look like on the other side of this? What are the traits of companies that handle the transition well?

Michelle Keane (16:46)
I think preparation is key. think anyone that's only starting now is already behind. However, I would also put the chips down this way. Even if you are feeling that you're behind, you're not. But you do need to shift how you think about risk and leadership engagement. They are the two key parts here. You will not be able to successfully transition without that key leadership piece. They must lead by example. They can't just come in and talk about it.

Christian (17:05)
Mm-hmm.

Michelle Keane (17:13)
They need to enable this from the top down, otherwise it falls apart. So top management need to be heavily involved here. Get your management representative in place and document the decision making. Show how committed you are to your system and show that leadership in your decision making. And I will say it again, show me how your leadership decision manages in the face of risk. That's all you need to do. And if you can get that leadership team on board, you're already on to winner.

where we see organisations failing Christian is where leadership say, I hire you to do this, you handle it. Leadership need to be involved from the top down. They need to enable the behaviours and the cultures of QMS and they need to be seen to actively endorse its importance throughout the system. It's not just a module that lives at the side of your business, it is your business and it absorbs every single piece of it.

Christian (18:02)
That is, that's a fantastic answer. As I've said oftentimes And so for any of our listeners that are, would like more information on QMSR or just looking to upskill, can you share a few resources that you recommend, whether it's guidance pages, standards training, or anything practical?

Michelle Keane (18:19)
Yeah, so there's a couple of things that you can do. Obviously, I would have to promote my own Christian. So what I would say is that at Comply Guru, we do have a full end to end requirements course on the QMSR and it is RAPS recognised. So you will rack up some of those CPD and those points there with RAPS. So that's there. There are other resources that I would really tend you look at.

So for example, reach into that FDA website folks. It's a fountain of information there on the FDA website itself and I would always say that is the source of truth. There's plenty of other websites that are pulling information together and perhaps putting their spin on it and I think sometimes that reduces the conviction of what the FDA are trying to say. So if you wanted my opinion on it, I'd be sticking with the guys that know what they're at. Go to that FDA website because there is plenty of guidance documents on that website.

From the perspective of 13485 though, I would again, here at Comply Guru we have a number of different courses in relation to 13485, ranging from foundation level to requirements and practitioner level. And we also do internal and lead auditing as well on 13485. So we do have courses there as well that are CQI and DERCA recognised. Our regulatory courses on QMSR again are tiered so you can start with the basics and you can work right up to practitioner level and again, RAPS recognised.

So there's a lot of information there from a training perspective, but from a guidance documents perspective, the one thing I would be telling people to look at is the FDA website. There's also another document, Christian, that people overlook, and it's a really interesting one because it actually comes from Europe. It's an MDCG document, a Medical Device Coordination Group document, and it's the use of MD-SAP certificates under MDR and IVDR.

Christian (19:48)
Absolutely.

Michelle Keane (20:03)
So I don't think it's any harm having a read of that document either. It's there on the European Commission website. It's focused on 13485 because you did mention MD-SAP there previously as well and the US are participants in ⁓ MD-SAP audit modelling. So you know, it's no harm to check out that MD-CG document that looks at how the MD-SAP certificates can be used for MD-OR and IPD-OR as

Christian (20:28)
Absolutely, absolutely. Those are great resources. And like you said, it's better to just hear it from the horse's mouth. You're talking about looking at FDA guidance, FDA documentation, ⁓ and like a...

Michelle Keane (20:35)
Absolutely.

I think the intent

can sometimes get diluted when other organisations take that information and put their interpretation on it. really think that sticking to the FDA is the source of truth. If you do that you can't go wrong. And you know what? The FDA has proven time and time again early engagement is key. If you engage early with the FDA on this and if you have any questions they will help, they will facilitate. I mean at the moment they're very under resourced.

But if you engage early, and the FDA have proven this time and time again, if you engage early enough with the FDA, they will absolutely facilitate your organisation. And they're actually more likely to take you seriously if you engage with them in a timely manner, upfront, to discuss anything that you may be experiencing with your implementation.

Christian (21:05)
Yeah.

Absolutely, absolutely. as you said, Comply Guru offers FDA QMSR transition training and certification for practitioners. Who's that training best for and how should people use it to accelerate their internal transition plan?

Michelle Keane (21:35)
Yeah, so we have different levels of training. So we have QMSR training for requirements level and then introductory level. So really, we have a broad spectrum of audience that we can cater to.

it works right up the way to practitioner level or requirements level. And that's where it's focused on those quality and regulatory senior people, that management team, engineers, and people that sit at that senior level of the organization. And again, I would always say encourage people to check out the Comply Guru website, because there will be something there that fits the competence level of your team.

and what you need for your team we have the QMSR training and it's e-learning so again it's scalable.

When it comes to our auditor training, it's blended virtually in person So, you know, we have a huge portfolio of products and actually we have the largest portfolio of recognised certified training in medical devices in the world.

and our most recent courses came out there in December as well. So, you know, we're always plugging away here and I would encourage anyone that is looking for training on the QMSR or indeed the 13485 to check out the website. We have gone somewhat under the radar, Christian, and people are always pleasantly surprised when they find out that we do have the largest portfolio of medical device trainings in the world that's certified by both CQI Inurka, Exemplar Global and RAPS.

Christian (22:56)
Absolutely, And having done the course and achieved the certification, I really cannot recommend ComplyGuru enough. And Michelle, as an instructor enough, I really can't. I can go on and on about that. But like you said, check it out for yourselves. We'll have a link to the ComplyGuru website in the show notes here. So definitely click on through. See if there's anything that might catch your eye. But Michelle, I just want to thank you again very much for coming on the show today.

Michelle Keane (23:04)
Thank you.

Thank you, Christian.

And thank you for inviting. Hopefully you'll have me back soon.

Christian (23:23)
⁓

Our pleasure, truly our pleasure. We would love to have you back. And thank you to all of our listeners.

Michelle Keane (23:28)
Yeah.

Christian (23:33)
If you found this episode helpful, share it with the person on your team who owned the QMSR transition plan, and go make their lives easier by actually doing the gap assessment. For links to Michelle's recommended resources and ComplyGuru's QMSR training, check the show notes. I'm Christian Reyes, and this is the QT9 QCAST.

We'll see you next time and until then build quality and stay compliant.