CAPAs from Internal Audits: What Can FDA Request to See?

Q: It’s my understanding that during an FDA audit of a pharmaceutical company, the Agency can request to see CAPAs from internal audits — but if you’re a medical device company, it can’t. Is that correct?

Also, can the FDA request to see the minutes and presentations from our quality system management reviews?

A: FDA’s regulations, guidance, programs, policies and enforcement indeed are different for medical devices than they are for pharmaceuticals.

But in answer to your first question, FDA’s Center for Devices and Radiological Health (CDRH) believes it can ask to review all CAPA data, regardless of the source.

[pullquote align=”right” cite=”” link=”” color=”” class=”” size=””]Inspectors are more likely to review your overall CAPA system and corrective and preventive actions you’ve taken.[/pullquote]

Still, its inspectors aren’t likely to request to see specific CAPAs from internal audits. They are more likely to review your overall CAPA system and the corrective and preventive actions you’ve taken under your CAPA system. Originally the concept of not asking for internal audit results was a “suggestion” to investigators, but over the years the concept of not specifically seeking the source of CAPAs resulting from internal audits has now been written into device guidance and compliance programs.

In contrast, the Center for Drug Evaluation and Research (CDER) has not updated its guidance in the same way, but investigators rarely look for internal audit data during pharmaceutical investigations. Every few years, the issue is debated inside and outside the Agency. In the big picture, it probably makes little difference either way. A good quality system should be focused mostly on preventive actions, and your CAPA process should be used to continually improve your quality system.

FDA actually likes and expects to see a robust CAPA system — one that works hard to identify and address problems. For insights into each Center’s approach to investigations, I’d suggest you check the specific Compliance Program Guidance Manuals (CPGM) FDA makes available online.

Regarding your second question: By policy, CDRH has extended some of its thinking to management reviews of internal audit findings. While many FDA investigators won’t seek the minutes and presentations from management reviews, the only real exclusion for medical devices is for the internal audit-related data itself. The rest of the data from your CAPAs from internal audits is the product of a working quality system, and although it might seem to be “excludable” from review, it is very discoverable by FDA in other ways. Most companies find disclosing such data is a good way to prove their quality system works.

Answered by Martin Browning, EduQuest President and Co-Founder (22 years as an FDA investigator and the co-author of the original Part 11 rules when he served as the Special Assistant to FDA’s Associate Commissioner for Regulatory Affairs). Martin also is the developer and chairman of EduQuest’s FDA Auditing of Computerized Systems and Part 11/Annex 11 training class.


Leave a Reply

Your email address will not be published. Required fields are marked *