The video provided below explains what is included when you purchase our standard operating procedures (SOPs) for ISO 13485:2016.
Your cart is empty
Do you need Standard Operating Procedures?
Our turnkey quality management system for compliance with ISO 13485:2016 includes all of the standard operating procedures (SOPs) required by the standard and 21 CFR 820, 21 CFR 803, and 21 CFR 806 for the FDA. It also includes procedures for Canadian Medical Device Licensing and European CE Marking. In total, we have 46+ procedures (listed below). The standard operating procedures (SOPs) also have associated forms, logs, and templates. We also completed updates to our procedures for Regulation (EU) 2017/745.
Turnkey Quality System - Global (1 of 4 installments)
The turnkey quality system - Global costs a total of $8,500, but we offer you the option to pay in four monthly installments of $2,125. If you want to make other payment arrangements, please contact Becca Taylor @ becca@medicaldeviceacademy.com.
Price: $2,125.00
If your company is only interested in compliance with the US Market (i.e., 21 CFR 820, 21 CFR 803, 21 CFR 806, 21 CFR 830 for the FDA), we offer a turnkey quality system for the US-only market at a reduced price of $6,000. The US-only turnkey quality system does not include the seven procedures identified below as “Global”. There are additional pricing options and configurations of the turnkey quality system described at the end of the work instruction that you can view when you click on the button below. However, please remember that “turnkey” does not mean “work-free“. It takes approximately 100-120 hours to implement a medical device quality system and after you implement the quality system it will take at least 4-8 hours per week to maintain the quality system for even the smallest start-up with most processes outsourced.
Turnkey Quality System - US Only (1 of 4 installments)
The turnkey quality system - US Only costs a total of $7,000, but we offer you the option to pay in four monthly installments of $1,750. If you want to make other payment arrangements, please contact Becca Taylor @ becca@medicaldeviceacademy.com. The US-only version does not include 6 of the procedures marked as "Global".
Price: $1,750.00
In addition to procedures, forms, log sheets, and templates, the quality management system includes an initial draft of your new quality. These documents require customization to fit your operations, such as the identification of your company name and logo. The Medical Device Academy logo and [Company Name] are included within the documents as placeholders. We also provide 16 pre-recorded training webinars. We also provide exams (i.e., 10-question quizzes) to verify training effectiveness. If you submit the completed exams to us by email in the native MS Word format, we will correct the exams and email you a training certificate with your corrected exams. The list of training webinars included with our turn-key quality system is provided below:
Finally, you will receive up to 8 hours of consultation to discuss any questions or assist with adjustments and edits for your individual system and situation delivered through email, phone, or Zoom Meetings.
If you are thinking about purchasing standard operating procedures (SOPs), instead of writing procedures yourself, it’s essential to understand the intent of the author that wrote the procedures. Many buyers expect to “pay by the pound.” After writing hundreds of procedures, I found that it requires more work to write a short and effective procedure than a 50-page dust collector.
If a company has a sophisticated quality management system, procedures tend to be lengthy, because each time an auditor finds a problem, another section is added to “clarify” the procedure. I try to write standard operating procedures that are concise and meet the requirements for an early-stage medical device company. Larger companies do not ask me to write many procedures. They ask me to audit procedures and to edit their procedures, but they seldom want me to start from scratch.
When Medical Device Academy writes standard operating procedures, we use a standard template for the sections. Almost everyone does this, but our template contains three unique elements:
monitoring and measurement requirements for the process
training and retraining requirements for personnel
application of risk management
The video below is describing our new work instruction for how to implement the turnkey quality system. You can download the work instruction using the button above. The work instruction is specific to the Medical Device Academy team, but anyone may copy the content of this work instruction and adapt it to their quality system implementation needs. If you want a quote for the quality system, please contact Lindsey Walker directly at sales@medicaldeviceacademy.com.
There is a section of the work instruction that is specific to creating a project in Asana. The above video shows you how to copy the 15 steps of the quality system implementation from the work instruction into a spreadsheet. Then this is saved as a .csv file (download link). Finally, the video shows you how to import the .csv file into Asana so that you can create a project in Asana for tracking and managing the implementation of Medical Device Academy’s turnkey quality system. The video was specifically designed for the free version of Asana if you need to share the project in Asana with people outside of your organization or you do not have the budget for Asana’s paid version.
If you want to learn more about our procedure template, please read our blog about it. You can also search our blog archives for the term “SOP” or “procedure.” Other product highlights are provided below, and the button below gives you a complete list of all our procedures, forms, templates, and logs.
Written specifically for early-stage medical device companies
Create a ready-made off-the-shelf Quality System for your company
Includes free updates for the ISO 13485:2016 as they become available
Can be used for FDA 483 responses
Are audit-ready
Incorporates risk management into each procedure
Includes monitoring and measurement requirements for the process
Includes training and retraining requirements for personnel
Written by highly experienced industry subject matter experts
If you want to purchase individual procedures or review what is included in a specific procedure, you can click on any of the hyperlinks provided below. If there is not a hyperlink, we will have one soon, or we can review the content with you in a Zoom session.
Each month Alysha picks a new procedure or webinar that will be eligible for the “Alysha” 50% discount. Just type Alysha in the discount code box. November’s discounted procedure is SYS-023 Nonconforming ProductProcedure.
Learn how to become ISO 13485 certified while avoiding the stress that tortures other quality system managers.
Your cart is empty
What is ISO 13485?
ISO 13485 is an international standard for quality management systems that is specific to the medical device industry. ISO 13485:2016 is the most recent version of the standard, and it has become the blueprint for medical device company quality systems globally. If your company wants to design, manufacture, or distribute medical devices you should consider becoming ISO 13485 certified.
Do you have to purchase a copy of ISO 13485?
Yes, you need to maintain a copy of the ISO 13485 standard as a “document of external origin.” This is needed for reference when you are making updates to procedures in your quality system. If you are looking for the best place to purchase a copy of the ISO 13485:2016 standard, we recommend the Estonian Centre for Standardisation and Accreditation. If you purchase a copy, we recommend selecting the option for a multi-user license so the standard can be used by more than one person in your company and printed. The only difference between the EN ISO version and the International ISO version is that the EN ISO version includes harmonization Annex ZA for compliance with the EU MDR and Annex ZB for compliance with the EU IVDR. This version is also referred to as A11:2021. Here’s a copy of the text from the beginning of the Standard:
“This Estonian standard EVS-EN ISO 13485:2016/A11:2021 consists of the English text of the European standard EN ISO 13485:2016/A11:2021. This standard has been endorsed with a notification published in the official bulletin of the Estonian Centre for Standardisation and Accreditation. Date of Availability of the European standard is 08.09.2021. The standard is available from the Estonian Centre for Standardisation and Accreditation.”
Medical Device Academy’s experience with ISO 13485 training
Rob Packard created his first quality system in the Spring of 2004. In October 2009, after successfully managing quality systems for three different medical device manufacturers, Rob joined BSI as a Lead Auditor and instructor. In April 2010, he purchased the 13485cert.com URL and he began to help companies implement quality systems as a consultant (while continuing to audit and train 140 days per year for BSI). In 2011 his medical device blog postings began as a way to help medical device companies. In 2012, Rob began building a library of quality system procedures for a turn-key quality system and selling the procedures from the Medical Device Academy website. Dozens and dozens of consulting clients have successfully achieved ISO 13485 certification with Medical Device Academy’s turnkey quality system procedures, and hundreds of quality systems were audited and/or improved. This ISO 13485 training webinar is also included as part of our turnkey quality system.
Projected Changes for 2023
On February 23, 2022, the FDA published a proposed rule for medical device quality system regulation amendments. The FDA planned to implement amended regulations within 12 months, but the consensus of the device industry is that a transition of several years would be necessary. In the proposed rule, the FDA justifies the need for amended regulations based on the “redundancy of effort to comply with two substantially similar requirements,” creating inefficiencies. The FDA also provided estimates of projected cost savings resulting from the proposed rule. What is completely absent from the proposed rule is any mention of the need for modernization of device regulations.
The QSR is 26 years old, and the regulation does not mention cybersecurity, human factors, or post-market surveillance. Risk is only mentioned once by the regulation, and software is only mentioned seven times. The FDA has “patched” the regulations with guidance documents, but there is a desperate need for new regulations that include critical elements. The FDA has “patched” the regulations through guidance documents, but there is a desperate need for new regulations that include critical elements. The transition of quality system requirements for the USA from 21 CFR 820 to ISO 13485:2016 will force regulators to establish policies for compliance with each of these quality system elements. Companies that do not already have ISO 13485 certification should be proactive by 1) updating their quality system to comply with the standard and 2) adopting the best practices outlined in the following related standards:
AAMI/TIR57:2016 – Principles For Medical Device Security – Risk Management
IEC 62366-1:2015 – Medical devices — Part 1: Application of usability engineering to medical devices
ISO/TR 20416:2020 – Medical devices — Post-market surveillance for manufacturers
ISO 14971:2019 – Medical Devices – Application Of Risk Management To Medical Devices
IEC 62304:2015 – Medical Device Software – Software Life Cycle Processes
ISO/TR 80002-1:2009 – Medical device software — Part 1: Guidance on the application of ISO 14971 to medical device software
ISO/TR 80002-2:2017 – Medical device software — Part 2: Validation of software for medical device quality systems
Previous versions of the ISO 13485 webinars
This 2-part webinar has been previously recorded three different times. Our previous webinar on the 2003 version of ISO 13485 was split into two parts: Stage 1 and Stage 2. That first webinar was recorded in 2015. The webinars were updated in 2016 and again in 2018. We followed the same format, 2-part Stage 1 and Stage 2, for all of the subsequent ISO 13485 training webinars. The Stage 1 webinar focuses on the following processes:
Management Review
CAPA
Internal Auditing
Quality System Documentation
The Stage 2 webinar on the rest of the standard, including but not limited to:
Change Control
Customer Related Processes
Design Controls
Supplier Controls
Servicing
Process Validation
Acceptance Activities
Incoming Inspection
UDI Requirements
The most recent version of ISO 13485 webinars
The webinars explaining the requirements for ISO 13485 were last updated in 2020. Anyone who purchases these webinars will receive free access to updated versions of the ISO 13485 training webinars. If you are making a new purchase of these two training webinars, the webinars are only being sold as a bundle for $258. You get:
access to the Stage 1 webinar recorded on July 24, 2020
access to the Stage 2 webinar recorded on July 28, 2020
native slide decks for both webinars
This pair of ISO 13485 training webinars explain precisely what you need to do to implement a quality system compliant with ISO 13485. After you create your own plan (a free template is provided with a subscription), you can show the recording of these two webinars to your management team so they can implement your plan in the next several months. All deliveries of content will be sent via Aweber emails to confirmed subscribers.
Webinar duration & format
Webinars were hosted live via Zoom in 2020. The Stage 1 webinar was 64 minutes, and the duration of the Stage 2 webinar was 82 minutes. When you purchase this webinar bundle, you will receive a link to download both recorded webinars from our Dropbox folder. In addition, you will receive links to download the native slide deck for each webinar from Dropbox.
Purchase the ISO 13485 training bundle
ISO 13485:2016 Training Webinars - Stage 1 & Stage 2
The webinars explaining the requirements for ISO 13485 were last updated for 2020. Anyone that purchases these webinars will receive free access to updated versions of the ISO 13485 training webinars. If you are making a new purchase of these two training webinars, the webinars are only being sold as a bundle for $258. You get:
1 - access to the Stage 1 webinar recorded July 24, 2020
2 - access to the Stage 2 webinar recorded July 28, 2020
3 - native slide decks for both webinars
Price: $258.00
Exam and Training Certificate available
Exam - ISO 13485:2016 update
This is a 20 question quiz with multiple choice and fill in the blank questions. The completed quiz is to be submitted by email to Rob Packard as an MS Word document. Rob will provide a corrected exam with explanations for incorrect answers and a training effectiveness certificate for grades of 70% or higher.
Price: $49.00
There is a big difference between being ISO 13485 certified and being compliant with ISO 13485:2016, the medical devices quality management systems standard. Anyone can claim compliance with the standard. Certification, however, requires that an accredited certification body has followed the requirements of ISO 17021:2015, and they have verified that your quality system is compliant with the standard. To maintain that certification, you must maintain your quality system’s effectiveness and endure both annual surveillance audits and a re-certification audit once every three years.
Step 1 – Planning for ISO 13485 certification
There are six steps in the ISO 13485 certification process, but that does not mean there are only six tasks. The first step in every quality system is planning. Most people refer to the Deming Cycle or Plan-Do-Check-Act (PDCA) Cycle when they describe how to implement a quality system. However, when you are implementing a full quality system, you need to break the “doing” part of the PDCA cycle into many small tasks rather than one big task. You also can’t implement a quality system alone. Quality systems are not the responsibility of the quality manager alone. Implementing a quality system is the responsibility of everyone in top management.
Below you will find seven tasks listed. I did NOT identify these nine tasks as “Steps” in the ISO 13485 certification process, because these tasks are typically repeated for each process in your quality system. Most quality systems are implemented over time, and the scope of the quality system usually grows. Therefore, you are almost certain to have to perform all of the following nine tasks multiple times–even after you receive the initial ISO 13485 certification. As the saying goes, “How do you eat an elephant? One bite at a time.” Therefore, avoid the inevitable heartburn caused by trying to do too much at one time. Implement your quality system one “bite” at a time.
Task 1 – Purchase applicable standards
The first task in implementing an ISO 13485 quality system is to purchase a copy of the ISO 13485:2016 standard, such as the MDSAP Companion Document. You will also need other applicable medical device standards. Some of these standards are general standards that apply to most, if not all, medical devices, such as ISO 14971:2019 for risk management. There are also guidance documents that explain how to use these general standards, such as ISO/TR 24971:2020, and guidance on how to apply ISO 14971:2019. Finally, there are testing standards that identify testing methods and acceptance criteria for things such as biocompatibility and electrical safety. You will need to monitor these standards for new and revised versions. When these standards are updated, you will need to identify the revised standard and develop a plan for addressing the changes.
When you purchase a standard, be sure to buy an electronic version of the standard so you can search the standard for keywords efficiently. You should also consider purchasing a multi-user license for the standard because every manager in your company will need to look up information in the standard. Alternatively, you could buy a paper copy of the standard and locate the standard where everyone in your company can access it. Often I am asked what the difference is between the EN version of the standard and the ISO version of the standard. “EN” is an abbreviation meaning European Standards or “European Norms,” which is based upon the literal translation from the French (i.e., “normes”) and German (i.e. “norm”) languages. “ISO” versions are international standards. In general, the body of the standard is typically identical but harmonized EN standards for medical devices include annexes ZA, ZB, and ZC that identify any deviations from the requirements in three medical device directives (i.e., MDD, AIMD, and IVDD).
Task 2 – Identify which processes are applicable
Clause 1 of ISO 13485 is specific to the scope of a quality system. ISO 9001, the general quality system standard, allows you to “exclude” any clause from your quality system certification. However, ISO 13485 will only allow you to exclude design controls (i.e., clause 7.3). Other clauses within ISO 13485 may be identified as “non-applicable” based on the nature of your medical device or service. You must also document the reason for non-applicability in your quality manual. Typically, the following clauses are common clauses identified for non-applicability:
Clause 4.1.6 – quality system software
Clause 6.4 – work environment
Clause 7.5.2 – cleanliness of the product
Clause 7.5.3 – installation
Clause 7.5.4 – servicing
Clause 7.5.5 – sterile devices
Clause 7.5.6 – process validation
Clause 7.5.7 – sterilization validation
Clause 7.5.9.2 – implantable devices
Clause 7.5.10 – customer property
Clause 8.3.4 – rework
Task 3 – Assign a process owner to each process
The third task is to assign a process owner to each of the processes in your quality system. Typically, you create a master list of each of the required processes. Usually, the assignments are made to managers in the company who may delegate some or all of a specific process. You should expect most managers to be responsible for more than one process because there are 28 required procedures in ISO 13485:2016, but most companies have fewer than ten people when they first implement a quality system.
Task 4 – Prioritize and schedule the implementation of each process
The fourth task is to identify which processes need to be created first and to schedule the implementation of procedures from first to last. You can and should build flexibility into the schedule, but some procedures are needed at the beginning. For example, you need document control, record control, and training processes to manage all of your other procedures. You also need to implement the following processes to document your Design History File (DHF): 1) design controls, 2) risk management, 3) software development (if applicable), and 4) usability. Therefore, these represent the seven procedures that most companies will implement as early as possible. Procedures such as complaint handling, medical device reporting, and advisory notice procedures are usually reserved for last. These procedures are last because they are not needed until you have a medical device in use.
Task 5 – Create forms, flowcharts, and procedures for each process
Forms create the structure for records in your quality system, and a well-designed form can reduce the need for lengthy explanations in a procedure or work instruction. Therefore, you should consider developing forms first. The form should include all required information that is specified in the applicable standard or regulations, and the cells for that information should be presented in the order that the requirements are listed in the standard. You might even consider numbering the cells of the form to provide an easy cross-reference to the corresponding section of the procedure. Once you create a form, you might consider creating a flowchart next. Flowcharts provide a visual representation of the process. You might consider including numbers in the flow chart that cross-reference to the form as well.
Once you have created a form and a flowchart, you are now ready to write your quality system procedure. Many sections are typically included in a procedure template. It is recommended that you use a template to ensure that none of the basic elements of a procedure are omitted. You might also consider adding two sections that are uncommon to a procedure: 1) a risk analysis of the procedure with the identification of risk controls to prevent risks associated with the procedure, and 2) a section for monitoring and measurement of the process to objectively measure the effectiveness of the process. These metrics are the best sources of preventive actions, and some of the metrics might be potential quality objectives to be identified by top management.
Task 6 – Perform a gap analysis of each procedure
Most companies rely upon internal audits to catch missing elements in their procedures. However, audits are intended to be a sampling rather than a 100% comprehensive assessment. Therefore, when a draft procedure is being reviewed and approved for the first time, or a major rewrite of a procedure is conducted, a thorough gap analysis should be done before the approval of the draft procedure. Matthew Walker created an article explaining how to conduct a gap analysis of procedures. In addition, Matthew has been gradually adding cross-references to ISO 13485:2016 requirements in each procedure. He is color-coding the cross-referenced clauses in blue font as well. This makes it much easier for auditors to verify that a procedure is compliant with the regulations with minimal effort. The success of these two methods has taught us the importance of conducting a gap analysis of all new procedures.
Task 7 – Train applicable personnel for each process
You are required to document the training requirements for each person or each job in your company. Documentation of training requirements may be in a job description or within a procedure. In addition to defining who should be trained, you also need to identify what type of training should be provided. We recommend recording your training to ensure that new future employees receive the same training to ensure consistency. Design controls training should be the first priority. You are also required to maintain records of the training. You must verify that the training was effective, and you need to check whether the person is competent in performing the tasks. This training may require days or weeks to complete. Therefore, you may want to start training people several weeks before your procedure is approved. Alternatively, you can swap the order of tasks and conduct training after the procedure approval. If that approach is taken, then the procedure should indicate the date the procedure becomes effective–typically 30 days after approval to allow time for training.
Task 8 – Approve the procedure
Approval of a procedure may be accomplished by signing and dating the procedure itself, while another approach is to create a document that lists all the procedures and forms being approved at one time. The second method is the method we use in our turnkey quality system. Companies can review and approve as many procedures at one time as they wish. Since this process needs to be defined to ensure that all of the procedures you implement are approved, the document control process is typically the first procedure that companies will approve in a new quality system. The second procedure generally is for the control of records. Then the next procedures implemented will typically be focused on the documentation of design controls, risk management, usability testing, and software development. The last procedures to be approved are typically complaint handling, medical device reporting, and recalls. These procedures are left for last because you don’t need them until you are selling your medical device.
Task 9 – Start using the procedure and generating records
The last task required for the implementation of a new quality system is to start using the procedures to generate records. All of the procedures will need records before the process can be verified to be effective. Records can be paper-based, or the records can be electronic. Whichever format you use for the record retention needs to be communicated to everyone in the company through your Control of Records procedure and/or within each procedure. If you include the information in each procedure, the records of each procedure should be listed in the procedure, and the location where those records are stored should be identified. Generally, there is no specific minimum number of records to have for a certification audit, but you should have at least a few records for each process that you implement.
Step 2 – Conducting your first internal audit
The purpose of the internal audit is to verify the effectiveness of the quality system and to identify nonconformities before the certification body auditor finds them. To successfully achieve this secondary objective, it is essential to have a more rigorous internal audit than you expect for the certification audit. Therefore, the internal audit should be of equal duration or longer in duration than the certification audit. The internal audit should not consist of a desktop review of procedures. Reviewing procedures should be part of gap analysis (i.e., task 6 above) that is conducted on draft procedures before they are approved. Internal audits should utilize the process approach to auditing, and the auditor should apply a risk-based approach (i.e., focus on those processes that are most likely to contribute to the nonconforming products, result in a complaint, or cause severe injuries and death).
After your internal audit, you will receive an internal audit report from the auditor. You should also expect findings from the internal auditor, and you should expect opportunities for improvement (OFI) to be identified. Experienced auditors can typically identify the root cause of a nonconformity more quickly than most process owners. Therefore, it is recommended for each process owner and subject matter expert to review nonconformities with the auditor and discuss how the nonconformity should be investigated. The root cause must be correctly identified during the CAPA process, and the effectiveness check must be objective to ensure that problems do not recur.
Step 3 – Initiating corrective actions
Corrective actions should be initiated for each internal audit finding immediately, to make sure the findings are corrected and prevented from repeat occurrence before the Stage 1 audit. It will take a minimum of 30 days to implement the most corrective actions. Depending upon the scheduling of the internal audit, there may not be sufficient time to complete the corrective actions. However, you should at least initiate a CAPA for each finding, perform an investigation of the root cause, and begin to implement corrective actions.
Also, to take corrective actions related to internal audit findings, you should look for internal audits from other sources. The diagram below shows several different sources of potential corrective and preventive actions.
Monitoring and measuring each process is the best source of preventive actions, while internal audits are typically the best source of corrective actions. Any quality problems identified during validation are also excellent sources of corrective actions because the validation can be repeated as a method of demonstrating that the corrective actions are effective. However, your ISO 13485 certification auditor will focus on non-conforming products, complaints, and services as the most critical sources of corrective actions. These three sources are prioritized because these three sources have the greatest potential for resulting in serious injury, death, or recall if corrective actions are not implemented to prevent problems from recurring.
Step 4 – Conducting your first management review
In addition to completing a full quality system audit before your stage 1 audit, you are also expected to complete at least one management review. To make sure that you have inputs for each of the 12 requirements in the ISO 13485:2016 standard, it is recommended to conduct your management review only after you have completed your full quality system audit and initiated some corrective actions. If possible, you should also conduct supplier audits for any contract manufacturers or contract sterilizers. It is recommended to use a template for that management review that is organized in the order of the required inputs to ensure that none of the necessary inputs are skipped. Quality objectives will need to be established long before the management review so that the top management team has sufficient time to gather data regarding each of the quality objectives. Also, you should consider delegating the responsibility for creating the various slides for each input to different members of top management. This will ensure that everyone invited to the meeting is engaged in the process, and it will spread the workload for meeting preparation across multiple people.
At the end of the meeting, top management will need to create a list of action items to be completed before the next management review meeting. Meeting minutes will need to be documented for the meeting, including the list of action items and each of the four required outputs of the management review process. We recommend using the notes section of a presentation slide deck to document the meeting minutes related to each slide. Then the slide deck can be converted into notes pages and saved as a PDF. The PDF notes pages will be your final meeting minutes for the management review. An example of one of these note pages is provided in the figure below.
One of the more common non-value-added findings by auditors is when an auditor issues a nonconformity because you do not have your next internal audit and your next management review scheduled–even though each may have occurred only a month prior to the Stage 1 audit. Therefore, we recommend that you document your next 12-month cycle for internal audits and schedule your next management review as action items in every management review meeting. The schedule can be adjusted if needed, but this allows top management to emphasize various areas in internal audits that may need improvement. You might even set a quality objective to conduct a minimum of three management reviews per year at the end of your first management review.
Step 5 – Stage 1, Initial ISO 13485 Certification Audit
In 2006, the ISO 17021 Standard was introduced for assessing certification bodies. This is the standard that defines how certification bodies shall go about conducting your initial certification audit, annual surveillance of your quality system, and the re-certification of your quality system. In the past, certification bodies would typically conduct a “desktop” audit of your company before the on-site visit to make sure that you have all the required procedures. However, ISO 17021 requires that certification bodies conduct a Stage 1 audit that assesses the readiness of your company before conducting a Stage 2 audit. Therefore, even if the Stage 1 audit is conducted remotely, the certification body is expected to interview process owners and sample records to verify that the quality system has been implemented. Certification body auditors will also typically verify that your company has conducted a full quality system audit and at least one management review. Finally, the auditor will usually select a process such as corrective action and preventive action (CAPA) to make sure that you are identifying problems with the quality system and taking appropriate measures to address those problems.
Your goal for the Stage 1 audit should not be perfection. Instead, your focus is to make sure that there are no “major” non-conformities. The term “major” used to have a specific definition:
Absence of a documented procedure or process
Release of nonconforming product
Repeat nonconformities (not possible during Stage 1)
Under the MDSAP, the grading system for nonconformities now uses a numbering system for grading nonconformities: “Nonconformity Grading System for Regulatory Purposes and Information Exchange Study Group 3 Final Document GHTF/SG3/N19:2012.” Any nonconformity is graded on a scale of one to four, and then two potential escalation rules are applied. If any nonconformities are graded as a four or a 5, then the auditor must assess whether a five-day notice to Regulatory Authorities is required. A five-day notice is required in either of the following situations: 1) one or more findings grading of “5”; or 2) three or more findings graded as “4.” If your Stage 1 audit results in a five-day notice, then you are not ready for your Stage 2 audit. For example, a complete absence of two required procedures in clauses 6.4 through 8.5 of ISO 13485:2016 would result in two findings with a grading of “4.” This would not result in a five-day notice, but the absence of a third required procedure would result in a five-day notice.
The duration of your Stage 1 audit will be one or two days, but a 1.5-day audit is quite common for MDSAP Stage 1 audits. The reason for the 1.5-day Stage 1 audit is that it is challenging to assess readiness for Stage 2 in one day, and if the total duration of Stage 1 and Stage 2 is 5.5 days, then the Stage 2 audit could be completed in four days. The four-day audit is more convenient than a three-day audit for a two-person audit team.
After your Stage 1 audit, you will receive an audit report, and you should expect findings. You should initiate corrective actions for each finding immediately, to make sure the findings are corrected and prevented from repeat occurrence before the Stage 2 audit. The duration between the audits is typically about 4-6 weeks. That does not leave much time for you to initiate a CAPA, perform an investigation of the root cause, and implement corrective action. At a minimum, you must submit a corrective action plan for each finding to your MDSAP auditing organization (AO) within 15 calendar days of receiving the finding. For any findings graded as a “4” or higher, you will need to provide evidence of implementing the corrective action plan to the AO within 30 calendar days of receiving the finding. You are also unlikely to have enough time to conduct an effectiveness check prior to the Stage 2 audit.
Step 6 – Stage 2, Initial ISO 13485 Certification Audit
The Stage 2 initial ISO 13485 certification audit will verify that all regulatory requirements have been met for any market you plan to distribute in. The auditor will complete an MDSAP checklist that includes all of the regulatory requirements for each of the countries that recognize MDSAP: 1) the USA, 2) Canada, 3) Brazil, 4) Austria, and 5) Japan. The auditor will also sample records from every process in your quality system to verify that the procedures and processes are fully implemented. This audit will typically be at least four days in duration unless multiple auditors are working in an audit team.
The audit objectives for the Stage 2 ISO 13485 certification audit specifically include evaluating the effectiveness of your quality system in the following areas:
Applicable regulatory requirements
Product and process-related technologies
Technical documentation
All procedures will be reviewed for compliance with ISO 13485:2016 and the applicable regulations. The auditor will also sample records from each process. If the auditor identifies any nonconformities during the audit, it is important to record the findings and begin planning corrective actions immediately. If you have any questions regarding the expectations for the investigation of the root cause, corrections, corrective actions, and effectiveness checks, you should ask the auditor during the audit or the closing meeting. At a minimum, you must submit a corrective action plan for each finding to your MDSAP auditing organization (AO) within 15 calendar days of receiving the finding. For any findings graded as a “4” or higher, you will need to provide evidence of implementing the corrective action plan to the AO within 30 calendar days of receiving the finding. The auditor will not be able to recommend you for ISO 13485 certification until your corrective action plans are accepted.
If you receive a finding with a grading of “5,” or three or more findings graded as “4,” then the MDSAP auditor is required to issue a five-day notification to the regulators. The auditor will also need to return to your facility for a follow-up audit to close as many findings as they can. It is not necessary to eliminate all of the findings in order to be recommended for ISO 13485 certification, but the grading of the findings must be reduced to at least a “3” before recommending the company for certification. The number of findings also determines whether the auditor recommends your company for certification.
In addition to reviewing the findings and conclusions of the audit during the closing meeting, the auditor will also review the plan for the annual surveillance and re-certification with you. Each certification cycle is three years in duration. There will be two surveillance audits of approximately one-third of the duration of the combined duration of stage 1 and stage 2 initial certification audits, and the first surveillance audit must be completed within 12 months of the initial certification audit. In the third year, there will be a re-certification audit for two-thirds of the duration of the combined duration of stage 1 and stage 2 initial certification audits. The initial ISO 13485 certificate will be issued with a three-year expiration, and the certificate is typically received about one month after the acceptance of your corrective action plan.
Q&A
There are no stupid questions, and we can save you weeks of wasted time if you just ask for help. We are always looking for new ideas for blogs, webinars, and videos on our YouTube channel. If you have any general questions about obtaining ISO 13485:2016 certification, please email Rob Packard at rob@fdaestar.com. If you have a suggestion for new ISO 13485 training materials, you can also use our “Suggestion Portal.” You can also schedule an initial free consultation with Rob using his calendly link.
About Your Instructor
Rob Packard is a regulatory consultant with ~25 years of experience in the medical device, pharmaceutical, and biotechnology industries. He is a graduate of UConn in Chemical Engineering. Rob was a senior manager at several medical device companies—including the President/CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing, and maintaining ISO 13485 and ISO 14971 certifications. From 2009 to 2012, he was a lead auditor and instructor for one of the largest Notified Bodies. Rob’s specialty is regulatory submissions for high-risk medical devices, such as implants and drug/device combination products for CE marking applications, Canadian medical device applications, and 510(k) submissions. The most favorite part of his job is training others. He can be reached via phone at 802.281.4381 or by email. You can also follow him on YouTube, LinkedIn, or Twitter.
The FDA patches the regulations with guidance documents, but there is a desperate need to modernize 21 CFR 820 to ISO 13485.
FDA Proposed Amendment to 21 CFR 820
On February 23, 2022, the FDA published a proposed rule for medical device quality system regulation amendments. The FDA planned to implement amended regulations within 12 months, but the consensus of the device industry is that a transition of several years would be necessary. In the proposed rule, the FDA justifies the need for amended regulations based on the “redundancy of effort to comply with two substantially similar requirements,” creating inefficiencies. In public presentations, the FDA’s supporting arguments for the proposed quality system rule change rely heavily upon comparing similarities between 21 CFR 820 and ISO 13485. However, the comparison table provided is quite vague (see the table from page 2 of the FDA’s presentation reproduced below). The FDA also provided estimates of projected cost savings resulting from the proposed rule. What is completely absent from the discussion of the proposed rule is any mention of the need to modernize 21 CFR 820.
Are the requirements “substantively similar”?
The above table provided by the FDA claims that the requirements of 21 CFR 820 are substantively similar to the requirements of ISO 13485. However, there are some aspects of ISO 13485 that will modernize 21 CFR 820. The areas of impact are 1) software, 2) risk management, 3) human factors or usability engineering, and 4) post-market surveillance. The paragraphs below identify the applicable clauses of ISO 13485 where each of the four areas are covered.
Modernize 21 CFR 820 to include software and software security
Despite the limited proliferation of software in medical devices during the 1990s, 21 CFR 820 includes seven references to software. However, there are some Clauses of ISO 13485 that reference software that are not covered in the QSR. Modernizing 21 CFR 820 to reference ISO 13485 will incorporate these additional areas of applicability. Clause 4.1.6 includes a requirement for the validation of quality system software. Clause 7.6 includes a requirement for the validation of software used to manage calibrated devices used for monitoring and measurement. Clause 7.3 includes a requirement for validation of software embedded in devices, but that requirement was already included in 21 CFR 820.30. The FDA can modernize 21 CFR 820 further by defining Software as a Medical Device (SaMD), referencing IEC 62304 for management of the software development lifecycle, referencing IEC/TR 80002-1 for hazard analysis of software, referencing AAMI TIR57 for cybersecurity, and referencing ISO 27001 for network security. Currently, the FDA strategy is to implement guidance documents for cybersecurity and software validation requirements, but ISO 13485 only references IEC 62304. The only aspect of 21 CFR 820 that appears to be adequate with regard to software is the validation of software used for automation in 21 CFR 820.75. This requirement is similar to Clause 7.5.6 (i.e., validation of processes for production and service provisions).
Does 21 CFR 820 adequately cover risk management?
The FDA already recognizes ISO 14971:2019 as the standard for the risk management of medical devices. However, the risk is only mentioned once in 21 CFR 820. In order to modernize 21 CFR 820, it will be necessary for the FDA to identify how risk should be integrated throughout the quality system requirements. The FDA recently conducted two webinars related to the risk management of medical devices, but implementing a risk-based approach to quality systems is a struggle for companies that already have ISO 13485 certification. Therefore, a guidance document with examples of how to implement a risk-based approach to quality system implementation would be very helpful to the medical device industry.
Modernize 21 CFR 820 to include Human Factors and Usability Engineering
ISO 13485 references IEC 62366-1 as the applicable standard for usability engineering requirements, but there is no similar requirement found in 21 CFR 820. Therefore, human factors are an area where 21 CFR 820 needs to be modernized. The FDA has released guidance documents for the human factors content to be included in a 510k pre-market notification, but the guidance was released in 2016 and the guidance does not reflect the FDA’s current thoughts on human factors/usability engineering best practices. The FDA recently released a draft guidance for the format and content of human factors testing in a pre-market 510k submission, but that document is not a final guidance document and there is no mention of human factors, usability engineering, or even use errors in 21 CFR 820. Device manufacturers should be creating work instructions for use-related risk analysis (URRA) and fault-tree analysis to estimate the risks associated with use errors as identified in the draft guidance. These work instructions will also need to be linked with the design and development process and the post-market surveillance process.
Modernize 21 CFR 820 to include Post-Market Surveillance
ISO/TR 20416:2020 is a new standard specific to post-market surveillance, but it is not recognized by the FDA. There is also no section of 21 CFR 820 that includes a post-market surveillance requirement. The FDA QSR focuses on reactive elements such as:
21 CFR 820.100 – CAPA
21 CFR 820.198 – Complaint Handling
21 CFR 803 – Medical Device Reporting
21 CFR 820.200 – Servicing
21 CFR 820.250 – Statistical Techniques
The FDA does occasionally require 522 Post-Market Surveillance Studies for devices that demonstrate risks that require post-market safety studies. In addition, most Class 3 devices are required to conduct post-approval studies (PAS). For Class 3 devices, the FDA requires the submitter to provide a plan for a post-market study. Once the study plan is accepted by the FDA, the manufacturer must report on the progress of the study. Upon completion of the study, most manufacturers are not required to continue PMS.
How will the FDA enforce compliance with ISO 13485?
It is not clear how the FDA would enforce compliance with Clause 8.2.1 in ISO 13485 because there is no substantively equivalent requirement in the current 21 CFR 820 regulations. The QSR is 26 years old, and the regulation does not mention cybersecurity, human factors, or post-market surveillance. Risk is only mentioned once by the regulation, and software is only mentioned seven times. The FDA has “patched” the regulations through guidance documents, but there is a desperate need for new regulations that include critical elements. The transition of quality system requirements for the USA from 21 CFR 820 to ISO 13485:2016 will force regulators to establish policies for compliance with all of the quality system elements that are not in 21 CFR 820.
Companies that do not already have ISO 13485 certification should be proactive by 1) updating their quality system to comply with the ISO 13485 standard and 2) adopting the best practices outlined in the following related standards:
AAMI/TIR57:2016 – Principles For Medical Device Security – Risk Management
IEC 62366-1:2015 – Medical devices — Part 1: Application of usability engineering to medical devices
ISO/TR 20416:2020 – Medical devices — Post-market surveillance for manufacturers
ISO 14971:2019 – Medical Devices – Application Of Risk Management To Medical Devices
IEC 62304:2015 – Medical Device Software – Software Life Cycle Processes
ISO/TR 80002-1:2009 – Medical device software — Part 1: Guidance on the application of ISO 14971 to medical device software
ISO/TR 80002-2:2017 – Medical device software — Part 2: Validation of software for medical device quality systems
What is the potential impact of the US FDA requiring software, risk management, cybersecurity, human factors, and post-market surveillance as part of a medical device company’s quality system?
This ISO 13485 quality plan webinar will teach you how to create a quality plan step-by-step for compliance with ISO 13485:2016.
When is the ISO 13485 Quality Plan webinar?
The ISO 13485 quality plan webinar will be hosted as a live webinar on June 16, 2020, at 8:30 am EDT. When you purchase this webinar, you will receive an invitation to participate in the live webinar. Everyone that registers for the webinar will receive a link to download the recording if they are unable to attend the live webinar.
Description of ISO 13485 quality plan webinar
If you aren’t sure what is ISO 13485? please visit our 2-part training webinar on the topic. If you’re planning to implement an ISO 13485:2016 quality system at your company or thinking about it. Maybe you are a medical device company with an existing quality management system that needs to implement ISO 13485:2016 in order to expand into export markets, such as Canada, Europe, Japan, or Australia. Maybe you are a supplier to the medical device sector who is required to implement ISO 13485:2016 to retain a customer or to attract new ones. Whatever external factors are driving you toward ISO 13485:2016 certification, you also have the opportunity to build a quality system that will be a source of competitive advantage to your company.
In the ISO 13458 quality plan webinar, you will learn how to develop a quality plan for implementing ISO 13485:2016 in your organization, how to resource and implement that plan, and then achieve ISO 13485:2016 certification in a timeframe that works for your company. You will also learn how to:
Choose a certification body and schedule audits
Build a simple, logical document structure
Analyze which documents must be written or modified
Integrate the ISO 13485:2016 quality system with other systems already in place
Identify the records that must be maintained
Plan the rollout and the training that is required
Consider the change management aspects of the project
Who should attend the ISO 13485 quality plan webinar?
Supplier quality
Quality assurance
Auditors
Lead auditors
Audit program managers
Senior management
Additional Resources Related to Quality Plans
The following blogs include additional information related to creating quality plans:
Rob Packard is a regulatory consultant with ~25 years of experience in the medical device, pharmaceutical, and biotechnology industries. He is a graduate of UConn in Chemical Engineering. Rob was a senior manager at several medical device companies—including the President/CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing, and maintaining ISO 13485 and ISO 14971 certifications. From 2009 to 2012, he was a lead auditor and instructor for one of the largest Notified Bodies. Rob’s specialty is regulatory submissions for high-risk medical devices, such as implants and drug/device combination products for CE marking applications, Canadian medical device applications, and 510(k) submissions. The most favorite part of his job is training others. He can be reached via phone at 802.281.4381 or by email.You can also follow him on YouTube,LinkedIn, or Twitter.
This article is a case study that explains how to implement a new ISO 13485 quality system plan at an accelerated schedule of just four months. The quality system will also be compliant with 21 CFR 820.
ISO 13485 quality system plan
Typically, I recommend implementing a new ISO 13485 quality system plan over a period of 6 months. The reason for this is that people can only read procedures and complete training at an individual pace. Since there are approximately 30 procedures required for a full-quality system, an implementation pace of one procedure per week allows a company to complete 90% of the reading and training in six months.
In October, a new client asked me for a proposal to implement a new ISO 13485 quality system plan. The proposed quality system plan indicated that the project would start in October and finish in March. The client accepted my proposal, but they asked me to help them implement the quality system plan in four months, as indicated in the table above. We just started the implementation of the quality system plan last week, and I have discovered some secrets that dramatically simplify the process. This blog shares some of the lessons learned that help implement the quality system plan at this faster pace.
Outsourcing ISO 13485 quality system development
Not everyone has the skill and experience to write a quality system procedure. Still, if you have a goodtemplate, you understand quality systems–then you can write quality system procedures. Depending upon the length of the procedure, it may take four to eight hours of writing for each procedure. Therefore, an in-house quality manager needs to allocate one day per week if they plan to write all the procedures for their quality system in six months. For a four-month implementation of an ISO 13485 quality system plan, you need to allocate two days per week to writing.
Alternatively, you can outsource the writing of your quality system. However, someone must be responsible for “customizing” generic procedures to fit your company, or the procedures need to be written from scratch. A third and final option is to have a hybrid of in-house procedures and outsourced procedures. If your quality manager has limited time resources, then you can supplement the managers’ time with procedures that are purchased and customized to fit your template. If there are specific procedures that the quality manager needs help with, such asrisk management, then you can also purchase just those procedures.
Continuous Improvement
One of the basic principles of quality management systems is “continuous improvement.” The continuous improvement cycle is also known as the “Deming Cycle.” There are four parts to the cycle:
Plan
Do
Check
Act
When you are developing an ISO 13485 quality system, the first step is to develop the quality system plan. I recommend the following guidelines for a quality system plan. First, plan to implement the quality system at a steady pace. Second, organize the implementation into small groups of related procedures.
In this case study, I have 29 procedures that we are implementing, and there are 11 recorded training webinars. During each of the four months, approximately the same number of procedures are implemented. Then I organized the small groups of procedures around the scheduled webinar training. For example, the month of November will have a total of 24 documents (i.e., eight procedures and 16 associated forms and lists) implemented, and there are four webinar trainings scheduled. Therefore, four procedures related to “Good Documentation Practices 101“ will be implemented as a group under document change notice (DCN) 15-001. Two procedures associated with “Are your Suppliers Qualified? Prove it!“will be implemented as a group under DCN 15-002. The remaining two procedures, design controls, and risk management, will be implemented as a group under DCN 15-003 with two related webinars on design controls andISO 14971.
Document Change Notice (DCN)
The next step in the Deming Cycle is to “Do.” For the implementation of an ISO 13485 quality system plan, “doing” involves the creation of procedures, forms, and lists, but “doing” also involves the review and approval of these documents. The form we use to review and approve procedures is called a document change notice or DCN.
It’s been almost 20 years since I completed my first DCN. For anyone unfamiliar with the review and approval of new and revised documents, most quality systems document the review and approval of procedures and forms on a separate form. The reason for this is that when you make one change, it often affects several other documents and forms. Therefore, it is more efficient to list all the documents and forms that are affected by the change on one form. This results in fewer signatures for reviewers and approvers. Several of the companies that I have helped to implement an ISO 13485 quality system plan for failure to review and approve the documents and forms in a timely manner. I think there are two reasons for this:
they haven’t been responsible for document control before, and
they don’t want to have to create and maintain quality system records any sooner than required.
The first reason can be addressed quickly with training. The second reason, however, is flawed. It is essential to implement the procedures as soon as possible to begin creating quality system records that can be audited by an ISO 13485 certification auditor or by FDA inspectors for compliance with 21 CFR 820. I have struggled with this hesitation in the past, but for this project, I am completing DCNs for the initial release of all the procedures and forms. This ensures that all the procedures and forms will be reviewed and approved shortly after the webinar training is completed. Also, this gives my client multiple examples of DCNs to follow as they make revisions to the procedures and forms over time.
Quality Objectives & Data Analysis
The third step in the Deming Cycle is to “check.” I recommend using quantitative metrics to track progress toward your goal of completing the quality system implementation. For example, if you have 50 documents to review and approve, you can track the % complete by just multiplying each document that is approved by 2%. You can also track the implementation of documents separately by type. Every DCN you route for approval will take a certain number of days to complete. You might consider tracking the duration of DCN approval. As a benchmark, an efficient paper-based DCN process should average about four days from initiation to completion. I have seen average durations measured in months, but hopefully, your average duration of DCN approval will be measured in days. Another metric to consider is the % of required training that has been completed for the company, for each department, and for each employee. Regardless of which metrics you choose to evaluate your quality system implementation, you should pick some of these metrics as quality objectives (i.e., a requirement of ISO 13485, Clause 5.4.1). You should also analyze this data for positive and negative trends as required by ISO 13485, Clause 8.4.
Your first CAPAs
The fourth and final step in the Deming Cycle is to “act.” Acting involves taking corrective action(s) when your data analysis identifies processes that are not functioning as well as they should be. To achieve ISO 13485 certification, you will need some examples of corrective and preventive actions (CAPAs) that you have implemented. The steps you take in response to observed trends during data analysis are all potentialCAPAs.
Download an ISO 13485 quality system plan
Later this week, I will be posting afollow-up blogthat explains how to write an ISO 13485 quality system plan for establishing a new quality system. There will also be a link for downloading a free ISO 13485 quality system plan.
This blog explains how to reconcile the conflict between ISO 13485 and ISO 9001, and discusses whether you should maintain dual certification.
What is the conflict between ISO 13485 and ISO 9001?
The previous version of ISO 13485 was released in 2003. That standard was written following the same format and structure as the overall quality system standard at the time (i.e., ISO 9001:2000). In 2008, there was an update to the ISO 9001 standard, but the changes were minor, only clarified a few points, and the periodic review of ISO 13485 in 2008 determined there was not a need to update 13485 at that time. Unfortunately, the proposed structure of the ISO 9001 standard was radically different, and this forces companies with dual certification to reconcile the conflict between ISO 13485 and ISO 9001.
On December 1-5, 2014, the working group for the revision of ISO 13485 (i.e., TC 210 WG1), met at AAMI’s Standards week to review the comments and prepare a first Draft International Standard (DIS). We should have some updates on the progress of the DIS later in December, but hopefully, the news will not be delayed in publication until 2016. The following is a summary of the status before last that meeting.
Updated ISO 13485 and ISO 9001 Standards Being Released
In 2015, there will be a new international version of ISO 9001 released. This new version will have dramatic changes to the standard–including the addition of a new section on risk management and the adoption of the new High-Level Structure (HLS) changing from 9 sections to 11.The ISO 13485 standard is also anticipated to have a new international version released in 2015, but the ISO 13485 standard will maintain the current HLS with nine sections. The timing of the ISO 9001:2015 release and the ISO 13485:2015 release will likely be around the same time (Correction: the ISO 13485:2016 standard was released in February 2016). Both standards are expected to have a three-year transition period for implementation. The combination of the three-year transition and lessened requirements in the new version of ISO 9001 for a structured quality manual should allow most manufacturers to wait until the ISO 13485 release before they begin drafting a quality plan for compliance with the new standards.Some of my clients have already indicated that they may drop their ISO 9001 certification when it expires, instead of changing their quality system to comply with the ISO 9001:2015 requirements. However, my clients will not have the ability to allow their ISO 13485 certification to lapse. Will Health Canada be updating GD210 and continue to require ISO 13485 certification for medical device licensing? What should companies do?
Update on the reconciliation of ISO 13485:2016 and ISO 9001:2015 on May 29, 2020:
GD210 was never updated, and instead, it was replaced by MDSAP
ISO 13485:2016 certification, under the MDSAP program, is required for Canadian Medical Device Licensing
Many device companies have dropped the ISO 9001 certification.
Recommendations
From the experience of preparing for the ISO 13485:2016 and ISO 9001:2015 releases, I learned that obtaining draft versions of the standards before publication is invaluable. I was able to use the drafts to help prepare quality plans for the transition. Second, companies need to train their management teams and auditors on the differences between the current and the new standards to enable a gap analysis to be completed. Any manager that is responsible for a procedure required by the current version of a standard should receive training specific to the changes to understand how they will meet the requirements for documented information. Most companies will need to improve theirrisk managementcompetency (which was updated again in December 2019). I recommend that companies begin drafting their quality plans and enter discussions with their certification body for quality system changes as early as possible. I also recommend that medical device companies maintain a quality manual structure that follows the ISO 13485:2016 standard rather than the ISO 9001:2015 standard. Following ISO 13485:2016 will help everyone locate information faster.
There is also specific text in the introduction of ISO 9001:2015 that states it is not the intent of the standard to imply the need to align your quality management system to the clause structure of the standard. Companies that maintain ISO 9001 certification should consider including cross-references between the two standards in their quality manual.
Historical Note
There are also European National (EN) versions of each standard(e.g., EN ISO 13485:2012). The EN versions are harmonized with the EU directives, but the content of the body or normative sections of the standards are identical. Historically, the differences were explained in Annex ZA, which was the last Annex in the EN version of the standard. In 2009 the harmonization annex for ISO 14971 (i.e., the medical device risk management standard) was split into three parts to match up with the three directives for medical devices (i.e., theMDD, AIMD, and IVDD). The new annexes (i.e., ZA, ZB, and ZC) were moved to the front of the EN version of the standard. The changes to ISO 14971 consisted of a correction and the change to Annex ZA. In 2012, there were new harmonization annexes created for ISO 13485 to follow the same format that was used for the EN ISO 14971 annexes. It is expected that these “zed” annexes will be released with a new EN version of the standard shortly after the international standard is published.
In this article, you will learn what ISO 13485 stage 2 audit preparation you should complete specific to training records and practice interviews. Stage 2 Audit Preparation
If you aren’t sure what ISO 13485 is, please visit our two-part training webinar series. During your Stage 1 ISO 13485 Certification audit, the auditor verifies that your company has all 28 procedures required in ISO 13485:2016. During the Stage 2 audit preparation, however, the auditor will be reviewing training records for each employee. A training matrix is one of the best tools for verifying that your training records are completed. First, you create a table of all 28 required procedures in Excel (this is your far left column). Across the top of the table, you need to list each of the employees in your organization. This would be difficult for a large organization, but most companies seeking initial ISO 13485 certification have less than 20 employees. In your training matrix, you need to identify which procedures each employee must be trained on. This is one of the most common ways to identify training requirements, and color-coding the matrix works is helpful.
Once you have defined your training requirements, review and approve this document as a controlled document that you will maintain as the company grows. However, as the company grows, you may convert specific names to job functions. Once the training requirements matrix is reviewed and approved, you should enter the date that training was completed for each employee. This is a more effective check than the “checkbox” approach, and it enables you to verify that everyone was trained since the last revision of any procedure. Now, you have a summary document to prove that 100% of your employees have current training on each of the 28 required procedures.
Interview employees as part of your Stage 2 audit preparation
During the Stage 2 audit, any of the employees could be interviewed by the auditor. As part of your Stage 2 audit preparation, you should interview each employee on your training matrix by asking them the following open-ended questions:
Can you show me where I can find the company’s quality policy?
Please explain how the quality policy is relevant to your job.
Can you show me a copy of the training procedure?
What quality objectives do you or your department monitor?
The first question is typical of auditors. You don’t have to have the policy memorized, but every employee should know where to find it. My favorite location is the back of employee ID badges, but the quality policy needs to be updated periodically. If everyone has the policy on their ID badge, you might consider handing out updated stickers with the revised quality policy when you hand out paychecks. The second question is related to the first, and it verifies that each person understands the importance of their job function as it relates to quality.
The third question is a test to ensure every employee can locate procedures. Don’t help them, because the auditor won’t. After each employee answers the question, make sure you explain the correct answer concerning where the most current version of every procedure is. Redlined copies in a drawer do not exist. The person should also have read each procedure in their training matrix so that they can answer a question. It’s ok to say “I don’t remember,” but they shouldn’t guess.
The fourth question verifies that top management has established quality objectives for all functions and at all levels within the company. Every manager should have at least one quality objective they are tracking, and progress toward the quality objective should be visibly communicated to everyone in the department. Employees, especially managers, should also be aware of where quality objectives for the company as a whole are posted. Ideally, each employee will know how their job function contributes to one or more of these objectives.
Stage 2 audit preparation – How to handle “stage fright”
Anyone can get nervous when they are being interviewed by an auditor–even the most experienced managers. In particular, a large entourage of observers following an auditor can make the situation worse. Therefore, you should anticipate this and discuss this with every employee in your company when you are doing practice interviews. Tell them this is normal, and it’s ok to be nervous. Remind them to take a deep breath to settle their nerves. Assure employees that they will not get in trouble for being nervous, and the company will not fail and audit just because someone has difficulty answering a question. At worst, you will need to initiate a CAPA and do some more training. The best-case scenario for a certification audit is that you will need to initiate a CAPA and do some more training. Either way, the outcome is the same.
Congratulations on your successful Stage 2 audit preparation
Do not stress everyone out the day before your Stage 2 certification audit. You had six months to prepare, and everyone worked hard to help prepare the company. Now is the time to celebrate with your family. Everyone should go home on time and get a good night’s rest. Positive attitudes and relaxation are as crucial as all the work that has been completed. I learned this lesson the hard way during my first ISO 13485 Certification in 2004. We received certification, but I don’t recommend letting your boss turn purple with rage during the audit–it might be career-limiting.
I have only made the mistake of staying up late the night before on one other occasion–and the client was not recommended for certification at the end of the Stage 2 audit. Fortunately, the auditor was able to schedule a follow-up audit within a few weeks, and we were able to address all the open issues at that time. The client received their ISO 13485 certificate and CE Certificate within three months of starting the project, and the certificates were just in time for an important trade show in Germany.
Additional training resources to prepare for ISO 13485:2016 certification
This 12-part procedure template for your medical device QMS can result in writing shorter, more effective documents that facilitate training.
Procedure Template
We all have a standard template for our quality system procedures. Typically, we begin with purpose, scope, and definitions. This 12-part procedure template for your medical device QMS can result in shorter, more effective documents that are easier to train personnel on.
1. Purpose. Often I read something like, “This purpose of this document is to describe the CAPA procedure.” That necessary information is the reason why we title procedures. A better statement of purpose would be, “The purpose of this procedure is to provide a process for identifying, preventing and eliminating the causes of an actual or potential nonconformity, and using risk management principles.” The second version gives readers a better indication of the purpose of the procedure.
2. Scope. This section should identify functions or situations that the procedure applies to, but it is even more critical to identify which situations the procedure does not apply to.
3. References and Relationships. Reference documents that apply to the entire quality management system (e.g., – ISO 13485 and 21 CFR 820) only need to be listed in the Quality Manual. This reduces the need for future revisions to the procedures. I list here any procedure-specific external standard (e.g., – ISO 14971) in the applicable procedure. The relationship between procedures is more important than the references. Therefore, I prefer to use a simple flow diagram, with inputs and outputs, similar to the one below for a document control process.
4. Document Approval.Who must sign off on the procedure? Keep this list short. Ideally, just the primary process owner and Quality Manager (to ensure consistency and integrity across the quality management system).
5. Revision History.A brief listing of each revision and a brief description of what was changed in the procedure.
6. Responsibilities and Authorities. A listing of the main areas of responsibility for each role. Remember to include the title of managers who may be required to approve forms, or make key decisions.
7. Procedure.I prefer to create a detailed flowchart outlining each step of a process before writing the procedure. Each task box in the flowchart will include a reference number. If you organize the reference numbers in an outline format, then you can write the text of your procedure to match the flowchart—including the numbering of the flowchart task boxes.
8. Monitoring and Measurement. An explanation of how the process is monitored and measured, who does it, how often, format, method of communicating the analysis, and what process that analysis will be input into, e.g., Management Review.
9. Training/Retraining. Tabulated, which roles need to be trained in this procedure, and to what level? The example below is also from a Document Control procedure.
10. Risk Management.This section identifies risks associated with each procedure and how the procedure controls those risks. As well as complying with the requirement to apply risk management throughout product realization (i.e., Clause 7 of ISO 13485), including a section specific to risk management forces the author of the procedure to think of ways the process can fail and to develop ways to avoid failure. Risks can also be a starting point for training people on the procedure.
11. Records.Tabulated, form number and names, a brief description of its purpose, and a column for retention and location. This column also allows for reference to compilations if the record becomes part of, e.g., the Design History File, Device Master Record, or the Risk Management File.
12. Flowcharts.Step-by-step through the process, saying who performs the step when it isn’t apparent. I keep task shapes simple: rectangles for tasks, rounded rectangles for beginnings and endings, diamonds for decision boxes, and off-page reference symbols.
When the task needs supporting text, e.g., guidance or examples, put a number in the box and a corresponding number in the table in (7) above. Ideally, the flowcharts are placed in the document with the Notes table on the same page or the opposite page. In practice, I often put them at the end to simplify the layout. One of my clients loves her flowcharts and puts them on the front page.
Benefits of this Approach
Information is well structured and presented consistently across procedures, more so than can be achieved through narrative.
The flowchart is the primary means of documenting the procedure.
Tables provide details that are not clear in the flowchart.
The procedure structure described above facilitates a consistent training approach built around the document. Purpose and scope are presented first, and then the Risk section is presented to explain what is essential in the procedure and why. The flowchart, the table, and the formwork together describe each step of the procedure. Finally, a PowerPoint template can be used to guide process owners in developing their training.
And to make it even easier, you have already spelled out who needs to be trained and to what level.
In this article, you will learn five reasons why implementing ISO 13485 takes longer than you expect and tips to help avoid pitfalls
Implementing ISO 13485
Your company wants to achieve ISO 13485 certification. How are you going to get there?In a recent blog, I reviewed setting objectives for implementing an ISO 13485 certification project. Once you’re clear on those, then you’re ready to create your first quality plan. The basic elements of any strategy will be:
Task breakdown (which I will cover in a separate blog)
Timeline
Resources (skills and hours available)
Timeframes and Trade-offs of ISO 13485 Certification Planning
The endpoint of planning for the certification project is the certification audit. The earlier you choose your registrar or Notified Body and book the audit, the more choice you will have regarding the date. This should be one of the earliest tasks in the task breakdown. To be able to do that, you need a timeframe as to when you will be ready for the certification audit.How long it takes to implement ISO 13485 and be ready for a certification audit depends upon your starting point and your available resources. If you have no QMS in place, it will take you longer than if you already have a strong, documented QMS that complies with 21 CFR Part 820.
It May Take More Work
If you already have ISO 9001 certification, though you already have a structure in place, the upgrade to ISO 13485 is likely to take more work than you expect because:
There are fewer procedures required by ISO 9001
Most of your existing procedures will require revision
Your employees will need training on the new procedures
You will need time to generate records using new procedures
You will need to complete a full quality system audit of the new procedures
Many companies also underestimate the required resources for ISO 13485 certification. If you have a knowledgeable consultant, and people available to write procedures, then ISO 13485 implementation will progress faster than an organization that has little expertise and little time available, so plan accordingly.Ideally, you will determine the length of time each task will take and decide on an endpoint for the project based on that information and available resources. This approach works well if you already have a well-documented, regulated QMS.
6 Months-Reasonable Timeframe?
Six months is my rule of thumb for the time needed to implement a quality system compliant with ISO 13485. If the implementation schedule is longer, organizational enthusiasm may wane. If the timeframe is shorter than six months, it’s difficult to complete all the required tasks. No matter how carefully you plan, you still need to write procedures, train personnel, and implement procedures, so there is adequate time to generate records. Six months is aggressive for most companies, but the objective of achieving certification in six months is reasonable.
You may find it interesting that in Rob Packard’s white paper on ISO 13485 implementation. He also recommends that you allocate six months of one Full-Time Equivalent (FTE). This is a reasonable starting point, but you may want to adjust your resource allocation up or down depending on the level of experience within the implementation team.Experience has taught me that smaller organizations are more successful at building an effective quality system when effectiveness is achieved in reiterative steps (i.e., – revision 1, revision 2, etc.). This is also the basis of the Deming/Shewhart Plan-Do-Check-Act (PDCA) cycle. This is also what I meant in a recent blog, where I suggested that you should “throw perfectionism out the window.”
Your understanding of how the quality system links together will grow as you implement each process in your implementation plan. As knowledge grows, you may reconsider some of your procedures. Instead of delaying the certification process (i.e., – revision 1), you may want to implement improvements as a second revision to procedures after the Stage 2 certification audit (i.e., – revision 2).During your Stage 1 and Stage 2 certification audits, your understanding of how the standard is interpreted and audited will build. After you achieve the initial ISO 13485 certification, you will have a much greater understanding of how all the elements of the quality system need to work together. You will also understand what parts of your quality system are easy for an outsider to audit.
After the ISO 13485 Certification Audit
During the initial planning stage, you should also imagine your future state after the certification audit. Your boss may assume that once the audit has been and gone, then everything will settle back to “normal” again. The reality is that after you deal with any nonconformities, and you take off a few days like you promised your family, you will have a long list of improvement ideas waiting for you. You will also need to prepare for next year’s surveillance audit.Therefore, I recommend that you manage expectations by adding “Create Quality Plan #2” as the last step of your ISO 13485 certification plan.
The author provides tips, practical examples, and six steps to follow if your ISO 13485 implementation project falls behind schedule.
In the best-planned project, with plentiful, skilled resources and diligent monitoring, things can still go awry. We need to be watchful for signs of our plans falling behind schedule, and develop contingency plans to prevent delays.
Walk Around the Mountains
Identify major obstacles early and develop a plan to deal with them. The major obstacles are usually the tasks that take the longest—such as process validation. Specifically, name these tasks in your pitch to management for resources before you start. This approach will ensure that everyone is focused on the biggest challenges.
If your plan to climb over those mountains is failing, work out a route around them. Maybe your R&D Manager can’t yet accept that there will now be design controls. In this case, an alternate path might be to leave design controls for last purposely. If you write a concise procedure and release it as your last procedure, then you have a built-in excuse for why you have very few records to demonstrate an implementation of design controls. You will still need at least one design project plan and training records to demonstrate that the process is implemented.
If this plan is successful, your auditor will write in the report that “design controls are implemented, but there are limited records to demonstrate implementation at this time.” If this plan is unsuccessful, you will need to provide additional design control records before you can be recommended for ISO certification—typically within 90 days.
Another approach is to initiate a CAPA and implement some of the tasks after the audit. For example, you have more suppliers than you can audit before certification. In this case, qualify all your suppliers, and use a risk-based approach to help you prioritize which suppliers need to be audited first. In your plan, identify that you will start by auditing the three highest-risk suppliers. Lower risk suppliers can be scheduled for audits after certification.
Be Watchful
Keep a close eye on your project plan. One of the most critical factors for success is keeping the plan and progress against the plan in front of the key players and senior management. Do this in such a way that progress, or the lack of it, is very clearly visible. It’s a basic maxim of Quality that we act on what we measure.
ISO 13485 Implementation: If Your Project Falls Behind Schedule
If you find yourself lagging seriously behind in your project, the following steps will assist you in recovering sufficiently to still be able to attain certification.
Enlist management support when you need it, especially if you need them to free up resources.
Prioritize. Before the Stage 1 audit, ensure that those procedures which are required by ISO 13485 are released (there are 19). There’s always room for improvement, but leave some of it for the second revision, instead of delaying certification.
Ensure that you have at least a few examples of all the required records. Your auditor will be unable to tick off his checklist if a record is absent. Make it easy for the auditor.
If there is a sizeable gap that you won’t be able to close before certification (i.e., – you have a validation procedure, but validations have not been completed), write a CAPA outlining your action plan to address the gap. During the audit, act confidently when you are questioned about the gap. Many auditors will give you credit for identifying the problem yourself.
Don’t panic. The worst the auditor can do is to identify a nonconformity you will have to address with a CAPA plan before you can be recommended for certification. At most, this will result in a delay of a few weeks.
Throughout your certification preparations and during the certification audits, you will identify issues you may not have time to resolve before the certification process is complete. If you are planning to revise procedures and make other corrections, make sure you track these issues as CAPAs or with some other tool (e.g., – an action item list). You want to address each issue prior to the first surveillance audit (no more than 12 months from the date of the Stage 2 audit).
Best wishes for your project. Success is the result of good planning, good communication, and good monitoring.