MDSAP QMS P0009: Nonconformity and Corrective Action Procedure

Table of Contents

1. Purpose / Policy
2. Scope
3. Definitions / Acronyms
4. Authorities / Responsibilities
5. Procedures
   • 5.1. Identifying and Reporting Nonconformities
   • 5.2. Risk Assessment
   • 5.3. Investigation of Nonconformities
   • 5.4. Implementing Corrective Actions
   • 5.5. Timeframes
   • 5.6. Closeout
   • 5.7. Regulatory Authority Council (RAC) Review of Corrective Actions During Management Review
   • 5.8. MDSAP QMS Management Representative Review of Corrective Actions
6. Forms
7. Reference Documents
8. Document History

• Approval Sign-Off Sheet

---

1. Purpose / Policy

The purpose of this document is to describe procedures for the Medical Device Single Audit Program (MDSAP) to identify, document, implement, monitor and close corrective actions.

A Corrective Action procedure defines requirements for reviewing nonconformities; determining the cause of nonconformities; evaluating the need for action to ensure that nonconformities do not recur; determining and implementing action needed; updating documentation; recording the results of the investigation and of the action taken; reviewing the corrective action taken; and verifying the effectiveness of the action.

2. Scope

This procedure applies to MDSAP work products, processes, services, and quality management system.

3. Definitions / Acronyms

Cause: An identified reason for the presence of a defect or problem. (ASQ-Quality Glossary)

Complaint: Expression of dissatisfaction made to an organization related to its product or service or the complaints-handling process itself, where a response or resolution is explicitly expected. (ISO 9000:2015)

• Complaints are also objections, errors, or nonconformities involving work quality, or failures to provide service or other requests of the customer including timeliness.

Correction: Action to eliminate a detected nonconformity. (ISO 9000:2015)

Corrective Action (CA): Action to eliminate the cause of a nonconformity and to prevent recurrence. (ISO 9000:2015)

Nonconformity (NC): Non-fulfillment of a requirement. (ISO 9000:2005)

Concern Resolution Report (CRR) Log: Log used to document a nonconformity, and/or complaint, feedback, and, when applicable, to initiate corrective action(s), and to document the investigation, implementation and effectiveness of a CA.

4. Authorities / Responsibilities

Regulatory Authority Council (RAC): As necessary, the RAC reviews corrective actions that have been brought to their attention by the MDSAP QMS management representative. It is recommended that the RAC reviews the CRR Log during management review meetings at least once a year.

Regulatory Authority Corrective Action (RA/CA) Contact: The RA/CA Contact will review the nonconformity to determine if the issue should be assigned for corrective action to the CA Assignee or closed with a correction. If a corrective action is required, the RA/CA Contact will assign the nonconformity to a CA Assignee within their organization. Each Regulatory Authority must designate an RA/CA Contact.

Corrective Actions Administrator: The Corrective Actions Administrator will enter nonconformities into the database and periodically perform a quality review of the contents of the database. The Corrective Actions Administrator is also responsible for the routine routing and management of corrective actions. This role can be filled by the MDSAP QMS Management Representative, MDSAP QMS Site Representative, or other designee. The Corrective Actions Administrator will assign an identified nonconformity to the Corrective Action Contact designated by the Regulatory Authority for the affected country/region.

Corrective Action Assignee: The Assignee is responsible for developing and tracking corrections and corrective actions, and to report progress to the Corrective Actions Administrator and the RA/CA Contact. Any member of the MDSAP may serve as a CA Assignee.

MDSAP QMS Management Representative: Holds periodically reviews of the CRR Log and communicate with RAC if any discrepancies are encountered. Follows up with each MDSAP Quality Management System Site Representative as necessary.

Corrective Actions System Manager: The RAC Chair is assigned this role. The Corrective Actions System Manager has overall responsibility for the CA system management.

5. Procedures

5.1. Identifying and Reporting Nonconformities

Any MDSAP personnel or program participant may identify nonconformities as a result of: (1) the investigation of complaints (both internal and external to MDSAP): (2) process failures; (3) internal audits; (4) management reviews; or (5) any other source. The individual reporting a nonconformity should electronically document the event by e-mail CRR Log and to the MDSAP@fda.hhs.gov or to the RA contact listed in MDSAP QMS P0011.

The Corrective Actions Administrator will use the location of a complaint / nonconformity to determine and assign an appropriate RA/CA Contact. The RA/CA Contact may close a NC with a correction and refer the event back to the Corrective Actions Administrator. For example, a human error in transcribing information for nonconformity into a database, or into a report, is often a one-time oversight not requiring Corrective Action.

The RA/CA Contact must document on the CRR Log an evaluation of the NC and whether or not a Corrective Action is required.

If a Corrective Action is required, the RA/CA Contact will assign the nonconformity to a Corrective Action Assignee within his/her organization. When necessary, the RA/CA Contact may consult with the Corrective Actions Administrator to make this determination. Once a decision is made, the RA/CA Contact will email the Corrective Actions Administrator documenting the reasons for requiring, or not requiring, CA for the event. If the Corrective Actions Administrator accepts the proposal for Corrective Action, the RA/CA Contact must entry the CA in the CRR Log with a target completion date along with the Corrective Action Assignee who will be responsible for the Corrective Action.

Once a Corrective Action Assignee has received notification of an open Corrective Action, the assignee becomes the owner of the issue. The assignee may request assistance from other MDSAP members to identify, implement, and verify the effectiveness of appropriate corrective actions. The Corrective Actions assignee should communicate to the Corrective Actions Contact and Administrator any difficulties encountered, or additional resources required to progress corrective actions to completion. Once assigned a Corrective Action, the Corrective Action Assignee must determine and document the following information using CRR Log.

Nonconformity description:The Corrective Action Assignee should record a description of the NC with factual and precise language that clearly states the requirement, enables the reader to comprehend the non-fulfillment of a requirement, and references information to support the claim. The information presented should be an accurate representation of the records, samples and procedures reviewed, as well as interviews conducted. The Corrective Action Assignee may combine multiple instances of the non-fulfillment of a requirement into a single nonconformity unless the instances originate or relate to different aspects of a requirement.

5.2. Risk Assessment

Prior to the investigation of any nonconformity, the Corrective Action Assignee must identify the hazards (potential sources of harm) associated with the nonconformity and estimate the risk(s) associated with those hazards. These risk assessments may indicate the nonconformity is likely to, or has caused, a systemic failure within the MDSAP quality management system or is likely to cause, or has caused, significantly inaccurate work products which could, or may have, led to poor decisions or other adverse actions. The Corrective Action Assignee should also perform a risk assessment on the proposed corrective action to ensure that any introduced hazards are of an acceptable risk.

Any investigation and subsequent corrective action should be commensurate with the risk(s) posed by the nonconformity.

Risk Analysis Techniques: Techniques for the assessment of risk include; Fault Tree Analysis (for hazard identification) and Failure Mode and Effects Analysis (for the estimation and evaluation of risk), and many others. Risk management standards express risk using two quantities: 1) the magnitude or severity of the harm that may arise because of the nonconformity and 2) the probability of occurrence/reoccurrence of the harm due to the nonconformity. The Corrective Action Assignee is to document the assessed risk from the nonconformity on the CRR Log. The assessment must incorporate the two quantities noted above.

Please refer to QMS MDSAP P0004 Risk Management Procedure for guidance on Risk Management.

5.3 Investigation of Nonconformities

The Corrective Action Assignee must investigate the nonconformity to determine the cause before an appropriate Corrective Action is developed. The investigation should build upon any existing analysis, evaluation and investigation. Some of the more common tools and techniques used in cause investigation include:

• The 5 Why's Analysis: The goal of this analysis is to trace the chain of causality in direct increments from the effect through any layers of abstraction to a cause that still has some connection to the original problem. For example, if the problem is that Auditing Organizations are submitting incomplete reports to the MDSAP Team, the Corrective Action Assignee would ask: 1) Why? – An example answer may be "the web-based interface is too complicated." Then the Corrective Action Assignee would ask: 2) Why? – An example answer to that is "the interface has similar text field entry requirements in multiple locations." The Corrective Action Assignee would then ask: 3) Why? This would continue in order to drill down to the main cause of the problem. This may require more than 5 Why's.
• Pareto Analysis: This type of analysis is useful where many possible courses of action are possible. The analysis results are arranged on a Pareto Chart for visual representation. Generally, Pareto Analysis can help to identify 20% of the causes that lead to 80% of the problems within a system. Please refer to ASQ.org or other reference material for more information regarding Pareto Analysis and Charting.
• Fishbone/Ishikawa Cause and Effect Diagrams: These are diagrams which show the causes of a specific event. An investigator may group causes into major categories to identify the sources of variation.  These categories may include: 1) People, 2) Methods, 3) Machines (computers, etc), 4) Materials, 5) Measurements and 6) Environment. Creation of a diagram which evaluates the possible contribution of each of these categories will usually reveal the cause of the nonconformity.

These tools are examples. Other tools are available and may be used as appropriate.

The Corrective Action Assignee should describe the cause of a NC after a full investigation has occurred. The investigation and cause must be documented on the CRR Log. As part of the investigation of the cause of the nonconformity, the risk of the nonconformity as well as the risk of the recurrence of the nonconformity should be determined and documented on the CRR Log. The Corrective Action Assignee must initiate a Corrective Action if the cause of a NC cannot be determined (versus only performing a Correction). The Corrective Action Assignee should not implement CA until the cause of the nonconformity has been determined.

5.4 Implementing Corrective Actions

When the Corrective Action Assignee has fully described the NC and investigation has determined the cause, a correction or corrective action may be determined.

Note: The Corrective Action Assignee must consult with the RA/CA Contact regarding the adequacy of the proposed CA before taking any action.

• Correction of nonconformity: Explain in detail how the identified nonconformity will be, or has been, corrected. Before initiating a correction, the Corrective Action Assignee must consult with the Corrective Action Contact on the proposed correction. A Corrective Action does not always follow a Correction. (See next step).

• Determination of Corrective Action (if required): The Corrective Action Assignee must determine and fully document the cause of the nonconformity prior to any Corrective Action. (that can prevent a recurrence of the NC). Full documentation of the Corrective Action taken is required. When developing a Corrective Action, the Corrective Action Assignee must fully document all actions taken to resolve the systemic problems which led to the nonconformity. A simple retraining of staff or revision of a procedure may not be adequate.

  The Corrective Action Assignee must document or refer to a list of action items on the CRR Log before implementing corrective action. These may include:

  • A detailed description of the implementation of the action
  • Review of any applicable regulatory requirements
  • Roles and responsibilities for execution of action items
  • Identification of the necessary resources (e.g. IT infrastructure, financial, etc.)
  • Verification and/or validation protocols of the action with acceptance criteria
  • Timeline for implementation
  • Method for the determination of effectiveness with acceptance criteria
  • Identify the starting point of monitoring and end point of correction and/or corrective action
• Verification and Validation of Action to be taken: Where possible, the proposed Corrective Action should be verified and validated before implementation. These activities should ensure that the proposed action will prevent recurrence. Validation and verification activities and subsequent results must be documented on the CRR Log.

  Examples of items to be considered when planning verification / validation activities include:

  • Does the action eliminate the identified cause?
  • Does the action cover all affected work products or processes?
  • Does the action adversely affect the work products or processes?
  • Is it possible to complete the action in a timely manner?
  • Is the action commensurate with the degree of risk previously established?
  • Has the action introduced new risks or nonconformities?

• Results of action taken: A description of the Corrective Action taken as well as the results must be recorded on the CRR Log.

• Determining effectiveness of Corrective Action:  The Corrective Action Assignee must verify that the Corrective Action has been effective in mitigating the cause of the nonconformity before the Corrective Action can be successfully completed. The effectiveness verification must be documented on the CRR Log. Some questions to keep in mind when evaluating the effectiveness of the Corrective Action include:

  • Was the problem captured accurately and completely?
  • Has the extent of the problem been captured?
  • Was the cause effectively identified and mitigated?
  • Was the Corrective Action completely defined, planned, documented, verified, validated and implemented as intended?

5.5. Timeframes

All Corrective Actions will be opened with a target completion date of 60 days; however, it is understood that some actions may take longer. When the Corrective Action Assignee anticipates that a Corrective Action will take longer than 60 days, the Corrective Action Assignee should notify both the RA/CA Contact and the Corrective and Actions Administrator by e-mail and describe the reason for the extended timeline. The CA Assignee is responsible for updating the CRR Log with target completion dates.

5.6. Closeout

When the Corrective Action Assignee has successfully implemented all Corrective Actions, the Corrective Action Assignee will notify the RA/CA Contact and Corrective Actions Administrator by e-mail. RA/CA Contact, MDSAP QMS Management Representative, MDSAP QMS Site Representative, or other designee will verify the effectiveness of Corrective Actions.

5.7 Regulatory Authority Council (RAC) Review of Corrective Actions During Management Review

The RAC will hold reviews of Corrective Actions that are brought to their attention by the MDSAP QMS Management Representative on "as-needed" basis. The CRR Log will be reviewed by the RAC during the management review meetings convened by the RAC.

5.8 MDSAP QMS Management Representative Review of Corrective Actions

The MDSAP QMS Management Representative will hold monthly reviews of the CRR Log.

Any discrepancies will be communicated to the RAC and the MDSAP QMS Site Representative for follow up.

6. Forms

• Concern Resolution Report (CRR) Log

7. Reference Documents

• Conformity Assessment - General Requirements for Accreditation Bodies Accrediting conformity assessment bodies. (2004). ISO/IEC 17011:2004(E). International Organization for Standardization (ISO).
• Medical Devices - Application of Risk Management to Medical Devices. (n.d.). BS EN ISO 14971:2012. International Organization for Standardization (ISO).
• Medical Devices - Quality Management Systems - Requirements for Regulatory Purposes. (n.d.). ANSI/AAMI/ISO 13485:2016.

8. Document History

Version No.	Version date	Description of Change	Author Name / Project Manager
001	2013-07-15	Initial Release	Kenneth C. Millen
002	2015-01-21	Procedure was revised to accommodate the whistleblower policy and process and changes with QMS. Section 7. Reference removed HC Guidance	MDSAP Team
003	2016-01-27	Replaced under Section Form: QMS F0006.1 NCR and QMS F0009.1 CAPR with QMS F0013.1 Concern and Resolution Form	MDSAP Team
004	2016-10-20	Changes throughout the document to reflect the ISO 9001:2015 revisions. Title change to Nonconformity and Corrective Action Procedure. NC form changed to QMS F0013.1 Concern Resolution Form	Liliane Brown / Patricia Serpa
005	2017-04-10	Remove nonconformities classification (direct or indirect impact) and references to preventive actions.	MDSAP Team
006	2019-01-11	Removed NOTE regarding nonconformities classification (direct or indirect) in section 3. The title of QMS F0013.1 was corrected to Concern Resolution Report Form throughout the procedure. Added clarity to definition of Corrective Actions Administrator in section 4. Corrected definition of Pareto analysis in section 5.3 Minor capitalization corrections throughout Adjusted formatting	Kimberly Lewandowski-Walker / Hiromi Kumada
007	2024-01-18	Periodic review Adjusted formatting Concern Resolution Report Form changed to Concern Resolution Report Log The effectiveness check has been changed to be done by QMS Management Representative, Site Representative or designee instead of CA Assignee in section 5.6 Modified section 5.8 to reflect actual operations	Hiromi Kumada

Version Approval: 007

Approved: Signature on File, CHAIR, MDSAP RAC

Date: 2024-01-18

---

Uncontrolled when printed.

For the most current copy, contact MDSAP@fda.hhs.gov