Regardless of the reason(s), my mission has long been to provide guidance to regulatory/quality professionals who lack experience in dealing with regulatory issues. I’m hoping this column will be useful to these folks, as they inevitably will face some tough regulatory challenges at some point in their careers. The topic of “regulatory distress” is treated much like finances, death, and taxes—we ignore it or avoid it as much as possible in the hopes it will go away. But a brief review of Corrections and Removals (recalls), Import Detentions, Warning Letters, and Consent Decrees confirms this regulatory anxiety is a mainstay in the medical device industry. It won’t be going anywhere anytime soon.
This column will focus on one service often provided by third-party consultants (independent consultants) to companies confronted with “regulatory distress”—verification. This might surprise some readers, as verification (design, product, and process verification, specifically) is a key aspect of medtech development and production. In some respects, verification is part of normal business operations. But this is not the kind of verification to which I refer. Rather, I cite a process whereby a third-party organization (typically a consulting firm) independently verifies that a company has properly completed committed corrective actions. This independent review typically is part of the commitment a company makes with a regulatory agency like the FDA.
Let’s explore third-party verification and determine how it can benefit inexperienced regulatory professionals.
Let’s start by defining verification: It is independent (this is also true with quality audits and certification), and it is strictly regulatory focused. The emphasis initially is typically very narrow in scope, concentrating on whether the company followed “the action described in response to the observation.” Was the action completed? In later stages, the focus switches to the solution (result of corrective action) working in daily operation, at the time of the verification. Finally, the verification focus shifts to the sustainable solution (a corrective action taken in response to a regulatory observation). To be sustainable, these solutions must be supported by the quality management system; as a result, sustainability verification is usually quite broad, and is often the most challenging aspect of the entire undertaking.
Now, let’s stipulate what verification does not mean:
- It is not remediation. Although it may be required as a result of the verification process, remediation typically is not performed or managed by the same organization performing the process. Verification is intended to identify actions that require remediation before being discovered by the regulatory agency that issued the observation.
- It is also not a quality audit. Indeed, the two are similar in that both verification activities and quality audits are independent. However, verification focuses solely on corrective actions, whereas quality audits only touch on corrective measures.
- It is not a compliance certification. For purposes of this discussion, compliance certification is an accreditation that a company has resolved its compliance issues; that certification is relayed by a certifying entity to the appropriate regulatory agency. Certification is often required by Consent Decree or other significant directives given to a company by a regulatory agency.
- There is no guidance document, standard, or regulation on how to perform verification.
- Clients have various expectations; even individuals within the company often have different expectations of the verification process.
- Those performing the verification often have different expectations. Frequently, the professionals performing the verification are independent consultants with many years of experience. While solid experience is preferred in this area, such knowledge requires that participants be on the same page to conduct a verification. That can be difficult to achieve.
- Usually, the verification team will not provide recommendations to avoid accountability. Understandable—if recommendations are followed but fail to resolve a regulatory issue, the company that performed the verification can be held partly liable for the blunder.
- Redlines are often provided to show the company’s response plans (the remediation). Feedback should be provided to the client company so it can avoid implementing a change process (time and effort) with corrective actions that fail to meet verifying party expectations. But as I stated earlier, do not make recommendations. The verifying party should explain why an action cannot be verified but never propose a solution. This is a very fine line, and it takes skill (as well as lots of practice) to avoid sliding down the slippery slope of solution sanctioning.
- The compliance bar is rising. The regulatory landscape in geographical areas in which I am familiar are moving more toward best practices than the now aging concept of simple compliance. The verification process must address this while also avoiding inappropriately expanding the boundaries to be best practices instead of compliance.
Collaboration: A good verification process will have good definitions, a standardized approach, quality assurance review (or at least a peer review), and an escalation process. Even so, keep in mind that verification is not a “check the box” process, nor is it perfectly black and white. Collaboration between the verifying party and company is necessary, especially when it involves situations that are not clear-cut. The risk here, at least for the verifying party, is becoming so close to the client that it loses its independence.
Escalation: Verification processes must have an escalation component, where discovered issues are raised to the appropriate people in a timely manner.
People: Like it or not, homo sapiens are involved in verification processes, so be aware that “human resource” issues can arise. These issues should be managed fairly and effectively (don’t worry—the verification process features a component to deal with human resource issues). Also, be on the lookout for burnout within the client company and/or verifying party. Verification processes can be quite the grind.
Quality system issues: The verification process is narrowly focused, especially in the early stages. It is only in later stages, when sustainability of the corrective actions is considered, that quality system issues are identified. One common pitfall associated with the verification process is the tendency to hold verification activities hostage over quality system issues. Verification processes should have a component designed to manage identified quality system issues that threaten sustainability.
Budget (financial) and time: Earlier in this column, I stated verification processes (like many things) take more time and money than anticipated. Since time and money are important considerations, the verification process should be designed for efficiency as well as effectiveness (in other words, quantity as well as quality). This is absolutely necessary to get the agreed upon results and deliver the expected value. Quality and regulatory professionals may not like it, but this is part of a business—a regulated (and often confusing) one at that, but a business nonetheless.
Culture: Verification processes must consider the client company’s culture. The process should not be undertaken to improve a corporate culture (i.e., make client company employees more effective), but rather it should contribute to cultural change activities. The impact of the verification process on long-term culture change is limited, at least in my experience.
Best practices: The verification process, if performed well, should shine additional light on best practices. But achieving best practices should not be a goal of the verification process.
Risks: There are two key risks associated with the verification process. The first is the risk of completing the verification process and not achieving the desired results. The second is achieving the desired results, but spending more time and money than expected.
I hope this column provided some additional insight on a regulatory compliance procedure—the verification process—that is rarely discussed, even in regulatory and quality circles. Verification doesn’t have to be an anxiety-riddled process. With careful planning and a thorough understanding, the process can produce fruitful results.
James A. “Jim” Dunning’s consulting career began in 2001. He has provided quality and regulatory consulting services for various companies ranging from Fortune 500 medical device firms to startups. Dunning’s passion, however, lies with startups and small companies, especially those in regulatory distress. He has amassed significant experience in preparing 510(k) applications, developing complete Quality Management Systems, providing Quality System Training, and advising on quality, business, and leadership issues. Dunning is a senior member of the American Society for Quality (ASQ) and a member of the Regulatory Affairs Professional Society. He can be reached at email@example.com.