
Regulatory pathway document creation–a case study

This regulatory pathway case study is provided by Medical Device Academy for 510k submission, CE Marking application and Canadian Medical Device License application.


How do you select the right regulatory pathway for your device?

Manufacturers considering global expansion need to master the process of creating a regulatory pathway analysis. That analysis must be product-specific. I used to create long documents that were tedious to read, but in the past month I found a better way. I now use webinar recordings to help clients analyze the regulatory pathway for their products. I create slides for each market that my client is considering for expansion. At the end of the 20-30 minute presentation, my client asks clarification questions and we discuss the possible next steps toward regulatory approval.

A Typical Regulatory Pathway Analysis

A typical regulatory pathway analysis involves 3 major markets for a new product: 1) USA, 2) Europe, and 3) Canada. There will be one slide per market identifying the classification rationale for each market, and if there are exceptions this will be explained. Exceptions often arise for specific indications for use, duration of contact and for unique components such as:

– nanomaterials (Class III in European new regulations)
– antibiotics (Class III as per Rule 13 or combination product)

Recommended Regulatory Pathway Document Content

There will be a slide per market identifying the regulatory approval process. For devices without predicates, this will be a De Novo application or a PMA submission in the USA. For Canada, you might need an Establishment License or a Medical Device Distribution License.

There will be a slide per market identifying QMS requirements customized to reflect the QMS my client already has. If you already have ISO 13485 certification you only need 2-3 new procedures to launch in Canada, while there are typically more procedures required for launching a product in the USA due to differences between ISO 13485 and 21 CFR 820. Even in Europe, a Japanese company will need: 1) a vigilance reporting procedure, 2) changes to their Advisory Notice Procedure, and 3) a procedure for creating a technical file.

Finally, most clients need help identifying the testing requirements for safety and efficacy. If the FDA has a recent special controls guidance this is much easier. If guidance is non-existent or outdated, then you need experts like Leo to help navigate international and European National (EN) Standards that might be applicable for safety and efficacy testing.

Regulatory pathway case study

In 2015 I published a series of three blogs explaining how to identify the regulatory pathway for different markets:

  1. CE Marking Approval of a Medical Device (Case Study)
  2. 510k Submission to the FDA (Case Study – Part 1)
  3. Obtaining a Health Canada Medical Device License (Case Study)

The blogs were specific to a hypothetical product–a tissue adhesive for topical approximation of skin. Therefore, I decided to use the same hypothetical product for this case study regulatory pathway. If you are interested in watching a recording of this regulatory pathway, click here to download the case study recording.

Are you planning a submission in 2016?

Please visit our regulatory pathway webpage if you are interested in purchasing this service.

Posted in: CE Marking


Management review revisions for ISO 13485:2016

The article explains management review revisions required for ISO 13485:2016 compliance. The article tells a story about a recent re-certification audit nonconformity and how the revised ISO 13485:2016 Standard will help prevent this type of quality issue in the future. The article includes links to information about new and revised regulatory requirements, how to write a procedure and there is a link for downloading a free management review webinar.


One of my clients recently had a re-certification audit in December with their Notified Body and they received a nonconformity in the first couple of hours of the 4-day audit. Here’s what happened.

First, they had an opening meeting with the auditor from 8:30am – 9:05am. Next they took the auditor on a tour of the facility to show her some of the areas of the facility that had been renovated since last year’s surveillance audit. The management representative and the auditor returned to the conference room at 9:40am and the auditor began with a review of the management review revisions to the procedure. The procedure had not changed since the previous year so the auditor asked to see the most recent management review. The company conducted a management review on Tuesday, December 8, 2015. The auditor reviewed all the required inputs since the previous management review–which was conducted on Tuesday, December 9, 2014.

When the auditor reviewed data analysis of complaints, she noticed a spike in complaints related to shipping errors that occurred in the months of February through May. When she asked for an explanation, the management representative explained that the renovations caused some misplacement of inventory that resulted in shipping delays and a few mistakes. The auditor asked when the trend was first observed. The management representative indicated that the trend was observed in April, and corrections were made by the warehouse manager in May. The trend was confirmed to have reversed in the data from the third quarter.

The auditor asked if a formal corrective action was implemented. The management representative said that no formal CAPA was initiated, because the problem did not appear to be a systemic problem due to the small volume of complaints relative to the large volume of shipments. The auditor asked if shipping complaints were a quality objective. The management representative confidently indicated that they were. The auditor then asked when top management was notified of the negative trend and reviewed the spike in the performance of the quality objective. The management representative said that the quality objective performance is reviewed by top management during the management reviews and since the corrections appeared to be effective no further action was warranted.

The auditor responded that she would be issuing a minor nonconformity against the management review process. The reason the auditor provided was that top management and the management representative did not maintain effectiveness of the quality management system during a major renovation, because they did not monitor quality objectives on a sufficient frequency to react to quality issues in a timely manner. Furthermore, they failed to modify their planned interval for management reviews to take into account major changes in the facility that could negatively impact quality.

At the closing meeting, top management asked what should have been done to avoid this finding. The auditor was hesitant to provide advice, but she indicated that management could have been more proactive and taken measures to prevent the shipping complaints in the first place. A quality plan for the renovation could have included increased management oversight and more frequent review of quality objectives related to the areas being renovated. Instead of reviewing quality metrics quarterly, a monthly schedule might have been used during the renovations. Instead of scheduling the management review for December, top management might have scheduled a management review during or immediately after the renovations to address any quality issues with corrective actions or action items in the management review outputs. Another possible, and less proactive, approach would have been for the warehouse manager to initiate a formal corrective action as soon as the negative trend was observed. Then top management would have been aware of the quality issue through the CAPA process. Unfortunately, none of these actions were taken.

The auditor indicated that she could have written the finding against a number of different clauses (e.g., CAPA, monitoring and measurement of processes, quality system planning). She chose to reference the management review process in the finding, because the company will need to make management review revisions in 2016 to document the justification for management review intervals. There are also management review revisions required to address new and revised regulatory requirements in the meeting outputs. Therefore, the company’s corrective action plan might also address the requirements of the revised ISO 13485:2016 Standard.

Management review revisions to frequency of planned intervals

Most companies satisfy the requirement for conducting a management review (i.e., 21 CFR 820.20 and ISO 13485, Clause 5.6) in one of the following ways:

  1. conducting one meeting each year
  2. conducting one meeting each quarter

If your company is conducting only annual reviews, your reviews will be far more useful if you switch to a quarterly schedule. In the case of my client, top management would have discussed the negative trend in shipping complaints in April 2015 instead of December 2015–8 months earlier. Reviewing data from 9-10 months ago is too late to take action.

Management Review Revisions Medical Device Academy Made

You can download the management review procedure from this website that was just updated for compliance with ISO 13485:2016. If you have your own procedure, you might want to read my blog about improving your own management review procedure. The key to writing a procedure is to link the procedure to a template that will be used as a starting point for each management review. The template should include each of the 8 required inputs (i.e., Clause 5.6.2), the 3 required outputs (i.e., Clause 5.6.3) and a slide for covering both the Quality Policy and the overall effectiveness of the Quality Management System. The procedure should be short and the bullets should match the requirements verbatim.

Training Top Management

The biggest reason why management reviews are ineffective is that there is little engagement by most of the people in the room. Everyone in the room should be familiar with the requirements and contribute to the preparation for a management review and management review revisions. The best management representatives anticipate the needs of top management and give them tools that explain exactly what they need to do to prepare for a management review and their responsibilities during the meeting.

Additional Management Review Resources

If you are looking for more information on this topic, here are some resources:

  1. How to Improve Your Medical Device Management Review Procedure
  2. Management Review Procedure Case Study
  3. Management Review Webinar: Making your meetings more effective
  4. Medical Device Management Review Meetings: 3 Compliance Issues

Posted in: ISO 13485:201x, ISO Certification


Post-market surveillance plans: How to write one for CE Marking.

This article explains how to write a post-market surveillance plan for CE Marking and how to determine if a post-market clinical follow-up (PMCF) study is required.


A post-market surveillance (PMS) plan is only required for the highest risk devices by the FDA (i.e., typically devices that require a PMA or premarket approval). For CE Marking, however, all product families are required to have evidence of post-market clinical follow-up (PMCF) studies or a justification for why PMCF is not required.

Why is a post-market surveillance plan a “hot button” with auditors recently?

Post-Market Surveillance is an area of emerging concern around the world. Not just a procedure for PMS, but an actual product-specific plan for gathering post-production data about your product or product family. Product registries, the anticipated launch of Eudamed and the implementation of UDI regulations are part of this industry-wide movement. The FDA has articulated the US plan for strengthening PMS in a guidance document, while the European PMS efforts are being debated as a central part of the new European Medical Device Regulations.

The biggest mistake I see 

The biggest mistake I see is that manufacturers refer to their PMS procedure as the PMS plan for their product family, and they say that they do not need to perform a PMCF study because the device is similar to several other devices on the market. Manufacturers need to have a PMS plan that is specific to a product or family of products.

How often is post-market surveillance data collected?

Your post-market surveillance procedure needs to be updated to identify the frequency and product-specific nature of post-market surveillance for each product family or a separate document needs to be created for each product family. For devices that are high-risk, implantable or devices that have innovative characteristics the manufacturer will need to perform some PMCF studies. Even products with clinical studies might require PMCF, because changes to the device, accessories and range of sizes may not be covered by the clinical studies. MEDDEV 2.12/2 provides guidance on the requirements for PMCF studies, but most companies manufacturing moderate risk devices do not have experience obtaining patient consent to access medical records in order to collect PMCF data–such as postoperative follow-up data.

Additional Resources

Medical Device Academy has created a post-market surveillance plan template that you can download for free. If you are looking for a procedure for post-market surveillance, please click here. If you are interested in learning more about PMS and PMCF studies, we also have a webinar on this topic.

Posted in: Clinical Studies & Post-Market Surveillance


Define medical device software verification and validation (V&V)

This article defines software verification and validation (V&V) for medical devices. The article also provides an overview of the CE Marking application and 510k submission requirements for medical devices containing software. Finally, we provide a link to our free download of a webinar on 510k software documentation.


Software verification and validation is an essential tool for ensuring medical device software is safe. Software is not a piece of metal that can be put into a strain gauge to see if the code is strong enough not to break. That’s because software is intangible. You can’t see if it is in the process of failing until it fails. The FDA is concerned about software safety since many medical devices now include software. Software failure can result in serious injury, or even death to a patient. This places significant liability on the device manufacturer to ensure their software is safe. One way to ensure software safety is to perform software verification and validation (V&V).

What is software verification and validation (V&V)?

Definitions of software verification and validation confuse most people. Which tasks are software verification, and which tasks are software validation? Sometimes the terms are used interchangeably. Even the FDA does not clearly define the meaning of these two terms for software. For example, in the FDA’s design control guidance document the following definitions are used:

“Verification means confirmation by examination and provision of objective evidence that specified requirements have been fulfilled.”

“Validation means confirmation by examination and provision of objective evidence that the particular requirements for a specific intended use can be consistently fulfilled.”

Specific intended use requirement…specified requirements…what is the difference? To understand the difference between the two terms, the key is understanding “Intended Use.” It is asking the question: “What is the software’s intended use?”

“Intended Use” is not just about a bunch of engineers sitting around a table coming up with really cool ideas. “Intended Use” refers specifically to the patient/customer of the software and how it fulfills their needs (i.e., “User Needs”). Systematic identification of user needs is required, and the user needs must be addressed by the software. Identification of user needs is done through customer focus groups, rigorous usability studies and consultation with subject matter experts such as doctors and clinicians providing expert insight.

“Intended Use” also ensures safety of the process through the process of “Hazard Analysis” whereby any hazard that could potentially cause harm to the patient/customer is identified. For each identified hazard, software requirements, software design and other risk controls are used to make sure the hazard does not result in harm, or if it does, the severity of the harm is reduced as far as possible.

So if “Validation” ensures user needs are met, what is “Verification” and how does it apply to the software development process? “Verification” ensures that the software is built correctly based on the software requirements (i.e., design inputs), with regard to each task the software must perform (i.e., unit testing), during communication between software modules (i.e., integration testing) and within the overall system architecture (i.e., system level testing). This is accomplished by rigorous and thorough software testing using prospectively approved software verification protocols.

CE Marking requirements for software verification and validation (V&V)

European CE Marking applications include submission of a technical file that summarizes the technical documentation for the medical device. In order to be approved for CE Marking by a Notified Body, the device must meet the essential requirements defined in the applicable EU directive. The technical file must also include performance testing of the medical device in accordance with the “State of the Art.” For software, IEC/EN 62304:2006, medical device software – software life cycle processes, is considered “State of the Art” for development and maintenance of software for medical devices. This standard applies to stand-alone software and embedded software alike. The standard also identifies specific areas of concern, such as software of unknown pedigree (SOUP). As with most medical device standards, the standard provides a risk-based approach for evaluation of SOUP acceptability and defines testing requirements for SOUP.

FDA requirements for software verification and validation (V&V)

For 510k submissions to the US FDA, section 16 of the 510k submission describes the software verification and validation (V&V) activities that have been conducted to ensure the software is safe and effective. There are 11 documents that are typically included in this section of the submission for software with a moderate level of concern:

  1. Level of Concern
  2. Software Description
  3. Device Hazard Analysis
  4. Software Requirement Specification (SRS)
  5. Architecture Design Chart
  6. Software Design Specification (SDS)
  7. Traceability Analysis
  8. Software Development Environment Description
  9. Verification and Validation Documentation
  10. Revision Level History
  11. Unresolved Anomalies (Bugs or Defects)

The FDA does not require compliance with IEC 62304 as the European Regulations do, but IEC 62304 is a recognized standard and manufacturers must comply with all applicable parts of IEC 62304 if they claim to follow IEC 62304. The FDA also provides a guidance document for the general principles of software validation.

Additional Resources

If you are interested in learning more about the documentation requirements for a 510k submission of a software medical device, please click here to download a free recording of our 510k software documentation webinar.

Medical Device Academy also has a new live webinar scheduled for Tuesday, January 5, 2016 @ Noon (EST). The topic is “Planning Your 2016 Annual Audit Schedule”. We are also offering this live webinar as a bundle with our auditor toolkit.

About the Author

Nancy Knettell is the newest member of Medical Device Academy’s consulting team and this is her first blog contribution to our website. Nancy is an IEC 62304 subject matter expert. To learn more about Nancy, please click here. If you have suggestions for future blogs or webinars on the topic of medical device software, please submit your requests to our updated suggestion box.

Posted in: Software Verification and Validation


How to handle FDA inspector with incompetencies and ego

Handle FDA inspector egos and incompetencies during an audit of your facility–including requests for exempt quality system records.


This is not how to handle FDA inspector or auditor!

This topic was submitted to my suggestion box from a colleague in Australia. Originally I posted this as an announcement for my LinkedIn Group, but the post was limited to ISO certification body auditors and excluded FDA inspectors. The basic approach is the same, but there are some important nuances regarding how to handle FDA inspector incompetencies and ego that I am including in this article.

Handle FDA Inspector Distrust

In general anyone that works for the FDA is genuinely concerned about public health and welfare. They also have a very low tolerance for unethical behavior. This has not always been the case at the FDA and the agency has fought hard over the past twenty years to eliminate anyone from their ranks that is not ethical. Therefore, if an FDA inspector thinks that you have something to hide the best approach to handle FDA inspector concerns is to give them anything they ask for–and quickly.

Unlike ISO auditors, FDA inspectors are not allowed to review three types of records:

  1. Management Review Meeting Minutes
  2. Internal Audit Reports
  3. Supplier Audit Reports

The FDA can learn almost everything they want to know by reviewing CAPAs that resulted from Management Reviews, internal audits and supplier audits. However, some FDA inspectors will still ask to see records that are part of the quality system record exceptions (i.e., 21 CFR 820.180c). Some quality system managers design cover sheets for these three records to specifically show FDA inspectors only the information that they are entitled to. If I am faced with this situation, I handle FDA inspector requests for restricted quality system records in the following way.

“Here is a copy of the quality system record you requested. This is one of the records that is exempt from the requirements in 21 CFR 820.180. However, we have nothing to hide. Therefore, you can take as many notes as you like about the content of this record, but you may not take a copy of the record with you.”

The above approach is intended to convince an FDA inspector that you have nothing to hide, but it also requires that you review and edit your records prior to approval and archiving to make sure that statements made in the records are appropriate–regardless of the audience reading the record.

Handle FDA Inspector and auditor personality

100% of auditors are a little weird (yep, takes one to know one). You travel for a living and tell people what’s wrong with their quality system. If you don’t start out drinking scotch, you probably will eventually. However, a little patience, understanding and over communication helps. For example, provide directions (that are accurate). Recommend a hotel (middle of the road, not the Ritz or a flea bag). Tell them about the corporate discount. Ask them in advance if they have food allergies (I’m gluten-free, and not by choice), and then try to remember not to serve only the things they are allergic to (yes, Panera Bread is a crappy choice but a gluten-free pizza is heaven). If Uber makes sense recommend it, because nobody wants to negotiate with Payless Rent-A-Car at 11:59pm.

FDA inspectors are in the same situation as auditors with regard to being travel weary. However, FDA inspectors will probably not take your recommendation for a hotel. Instead they will follow FDA guidelines and stay at a hotel chain where they prefer to accumulate membership points and they can get a government employee discount. In addition, FDA inspectors will not eat at your facility. It seems as though a few companies entertained FDA inspectors at clubs and fancy restaurants in the past. In order to eliminate any possible perception of unethical behavior, FDA inspectors are now instructed to leave your facility for lunch and return to complete the day. They probably won’t even accept a cup of coffee unless you place a carafe on the table for everyone to drink. You can also count on the FDA inspectors driving a rental car if they do not live locally.

Handle FDA Inspector and Auditor Ego

Everyone has an ego. Auditors typically have a big one, and a few FDA inspectors do too. I’m not shy, I’m smart and I love a good debate. If I’m your auditor, you’re lucky because I’ll admit when I’m wrong or make a mistake. Most auditors will not admit mistakes. In fact, the stronger they argue a point the more likely that they are insecure on the topic or that they have a personal preference that is a result of a bad experience. Unfortunately, FDA inspectors seem to be even more likely to argue a point when they have very little experience.

Don’t ask FDA inspectors and auditors to prove something is in the regulations or the standard. Instead, try reading Habit 5 by Covey (7 Habits of Highly Effective People). You need to be an empathic listener. The FDA inspector or auditor doesn’t hate you. They might even be trying to help you. They also might be wrong, but try restating what the person is saying in your own words and try explaining why it’s important. This shows them that you were listening, you understand what they said and you understand how they feel about the issue. Pause. Then tell them how you were trying to address this issue.

One of the areas where the above approach is especially important is when an FDA inspector is reviewing complaint records and medical device reports (MDRs). You want to convince the FDA inspector that you are doing everything you can do to investigate the complaint or adverse event and you want to prevent recurrence. Remember that someone was hurt by your device or misuse of your device, and FDA inspectors take public safety very seriously. You will not be able to handle an FDA inspector that believes you are doing less than you could be.

Handle FDA Inspector and Auditor Incompetencies

FDA inspectors rarely have industry experience, but they know the regulations. Therefore, arguing the regulations with an FDA inspector is a huge mistake. The only frame of reference for “industry best practice” is what the FDA inspector has seen at other device manufacturers they audit. Therefore, it is very important to know how experienced your FDA inspector is. If they don’t have a lot of experience they will be defensive and you might need to “educate” them.

During ISO audits you have less time to retrain your auditor. Don’t even try. I do this for a living and we’re a stubborn bunch of orifices. Instead, try the empathic listening first. 99% of the time one or both of you is not communicating clearly. Either they can’t find what they are looking for, or they misunderstood what you were telling them. It could be a difference of interpretation, but it’s probably not. If it is, then say “We were interpreting that requirement as…”. Say this once. If they argue, let it drop for now.

Resolution of 483 Observations and Audit Findings

You shouldn’t just take incorrect findings lying down. Do your homework. Send me an email. Get help. If you’re right, then contest it at the closing meeting in a factual and persuasive way. If the auditor holds their ground, ask what the policy is for resolving disputes. This is supposed to be covered as part of the closing meeting of every audit. If your auditor is just lazy, sloppy and incompetent–request a new auditor. You might even disagree in writing, address the finding anyway and then request the new auditor. That shows the management of the certification body that you’re not lazy, sloppy or incompetent.

FDA inspection 483 observations are a little different. If you and the inspector disagree you should state this in the closing meeting when they give you the 483 observation, and you should be clear that you disagree prior to the end of the inspection when they start preparing FDA Form 483. Once a 483 observation is issued, however, your only recourse is to persuade the district office that the 483 observation is undeserved. The FDA district office will have copies of all your procedures and records and a copy of the FDA inspector’s notes. Be careful with complaints to the district office though. FDA inspectors are far more likely to retaliate than ISO auditors.

Caution

If you make a habit of disputing everything, your auditor or FDA inspector will come prepared for war. You also will have little credibility with the managers at the certification body or the FDA district office. Dispute only things that are justified and provide a written, factual justification that is devoid of all emotion.

Responding to FDA 483 Observations

If you do receive FDA 483 observations, it is important that you respond with well-conceived corrective action plans. If you need help with responding to an FDA 483 inspection observation, you might be interested in my webinar on this topic.

Posted in: FDA


How to write a quality system plan template (free download)

This article explains how to write a quality system plan template to revise and update your quality system for compliance with ISO 13485:2016 when it is released early next year. The end of the article includes a form to complete if you want to download a free quality system plan template.


Templates are the key to writing a quality system plan

Plan, do, check and act (PDCA) is the mantra of the Deming disciples, but does anyone know what should be in your quality system plan template? Everyone focuses on the steps–the “What’s.” Unfortunately, people forget to include the other important pieces of an all-inclusive quality system plan template. Why? When? Who? and How much?

The table in the template is an example of “What?” steps to perform, but it is specific to my procedures. You will need to revise the table to reference your own procedures and the changes you make will be specific to your quality system plan. The other sections of the template tell you what needs to be included in that section, but I did not provide examples for those sections.

Why to write a quality system plan template

The purpose section of the quality system plan template answers the question of “Why?” You need to specify if the purpose of your quality system plan is compliance with new and revised regulatory requirements, preventing recurrence of quality issues or maybe a faster development cycle. The purpose section of the plan also provides guidance with regard to the monitoring and measurement section of your quality system plan template.

When to write a quality system plan template

Most changes have deadlines. In the case of ISO 13485:2016, there will be a 3-year transition period, but most companies establish internal goals for early implementation by the end of the fiscal year or the end of a financial quarter. Some of the changes can be made in parallel, while other changes need to be sequential. Therefore, there may be specific milestones within the quality system plan template that must be complete by specific dates. These dates define “When?” the steps in the quality system plan must be implemented.

Who should write your quality system plan template

As my quality system plan template indicates, I recommend defining both individual process owners and teams of process owners where processes can be grouped together. For example, I typically group the following four processes together as part of “Good Documentation Practices (GDPs)”: 1) control of documents (SYS-001), 2) control of records (SYS-002), 3) training (SYS-004), and 4) change control (SYS-006). In fact, I cover all four processes in a webinar called “GDP 101.”

It is important to have one person that is accountable and has the authority to implement changes for each process, but only one person should be in control of each process. If you have four related procedures, then the team of four people will need to coordinate their efforts so that changes are implemented swiftly and accurately. For the overall quality system plan template, I recommend assigning a team leader for the team of four process owners described above. One of those people should be responsible for team leadership and writing the quality system plan template.

Monitoring implementation of your quality system plan template

Monitoring the progress of your plan ensures successful implementation of the plan. Sometimes things don’t work as planned and corrections need to be made. Additional resources might be needed. The plan may have been too optimistic with regard to the implementation time required. I recommend assigning one person the task of retrieving team status reports from each of the teams and consolidating the team reports into an overall progress report.

Free download of ISO 13485:2016 quality system plan template

The sign-up form below will allow you to receive an email with the ISO 13485:2016 quality system plan template attached. This is a two-step process that will require you to confirm the sign-up.


How to implement a new ISO 13485 quality system plan in 2016

This article is a case study that explains how to implement a new ISO 13485 quality system plan at an accelerated schedule of just four months. The quality system will also be compliant with 21 CFR 820.

 

[Table image: QMS Implementation Plan]

Typically, I recommend implementing a new ISO 13485 quality system plan over a period of 6 months. The reason for this is that people can only read procedures and complete training at a certain pace. Since there are approximately 30 procedures required for a full quality system, an implementation pace of one procedure per week allows a company to complete 90% of the reading and training in six months.

In October a new client asked me for a proposal to implement a new ISO 13485 quality system plan. The proposed quality system plan indicated that the project would start in October and finish in March. The client accepted my proposal, but they asked me to help them implement the quality system plan in four months as indicated in the table above. We just started implementation of the quality system plan last week, and I have discovered some secrets that dramatically simplify the process. This blog shares some of the lessons learned that help implement the quality system plan at this faster pace.

Outsourcing ISO 13485 quality system development

Not everyone has the skill and experience to write a quality system procedure, but if you have a good template and you understand quality systems, then you can write quality system procedures. Depending upon the length of the procedure, it may take four to eight hours of writing for each procedure. Therefore, an in-house quality manager needs to allocate one day per week if they plan to write all the procedures for their quality system in six months. For a four-month implementation of an ISO 13485 quality system plan, you need to allocate two days per week to writing.

Alternatively, you can outsource the writing of your quality system. However, someone must be responsible for “customizing” generic procedures to fit your company, or the procedures need to be written from scratch. A third and final option is to have a hybrid of in-house procedures and outsourced procedures. If your quality manager has limited time resources, then you can supplement the manager’s time with procedures that are purchased and customized to fit your template. If there are certain procedures that the quality manager needs help with, such as risk management, then you can also purchase just those procedures.

ISO 13485 quality system plan

One of the basic principles of quality management systems is “continuous improvement.” The continuous improvement cycle is also known as the “Deming Cycle.” There are four parts to the cycle:

  1. Plan
  2. Do
  3. Check
  4. Act

When you are developing an ISO 13485 quality system, the first step is to develop the quality system plan. I recommend the following guidelines for a quality system plan. First, plan to implement the quality system at a steady pace. Second, organize the implementation into small groups of related procedures.

In this case study, I have 29 procedures that we are implementing and there are 11 recorded training webinars. During each of the four months approximately the same number of procedures are implemented. Then I organized the small groups of procedures around the scheduled webinar trainings. For example, the month of November will have a total of 24 documents (i.e., 8 procedures and 16 associated forms and lists) implemented and there are four webinar trainings scheduled. Therefore, four procedures associated with “Good Documentation Practices 101” will be implemented as a group under document change notice (DCN) 15-001. Two procedures associated with “Are your Suppliers Qualified? Prove it!” will be implemented as a group under DCN 15-002. The remaining two procedures, design controls and risk management, will be implemented as a group under DCN 15-003 with two related webinars on design controls and ISO 14971.

Document Change Notice (DCN)

The next step in the Deming Cycle is to “Do.” For implementation of an ISO 13485 quality system plan, “doing” involves creation of procedures, forms and lists; but “doing” also involves the review and approval of these documents. The form we use to review and approve procedures is called a document change notice or DCN.

It’s been almost 20 years since I completed my first DCN. For anyone that is unfamiliar with the review and approval of new and revised documents, most quality systems document the review and approval of procedures and forms on a separate form. The reason for this is that when you make one change it often affects several other documents and forms. Therefore, it is more efficient to list all the documents and forms that are affected by the change on one form. This results in fewer signatures for reviewers and approvers. Several of the companies that I have helped implement an ISO 13485 quality system plan fail to review and approve the documents and forms in a timely manner. I think there are two reasons for this:

  1. they haven’t been responsible for document control before, and
  2. they don’t want to have to create and maintain quality system records any sooner than required.

The first reason can be addressed easily with training. The second reason, however, is flawed. It is important to implement the procedures as soon as possible in order to begin creating quality system records that can be audited by an ISO 13485 certification auditor or FDA inspectors. I have struggled with this hesitation in the past, but for this project I am completing DCNs for the initial release of all the procedures and forms. This ensures that all the procedures and forms will be reviewed and approved shortly after the webinar training is completed. In addition, this gives my client multiple examples of DCNs to follow as they make revisions to the procedures and forms over time.

Quality Objectives & Data analysis

The third step in the Deming Cycle is to “check.” I recommend using quantitative metrics to track progress toward your goal of completing the quality system implementation. For example, if you have 50 documents to review and approve you can track the % complete by just multiplying each document that is approved by 2%. You can also track the implementation of documents separately by type. Every DCN you route for approval will take a certain number of days to complete. You might consider tracking the duration of DCN approval. As a benchmark, an efficient paper-based DCN process should average about 4 days from initiation to completion. I have seen average durations measured in months, but hopefully your average duration of DCN approval will be measured in days. Another metric to consider is the % of required training that has been completed for the company, for each department and for each employee. Regardless of which metrics you choose to evaluate your quality system implementation, you should pick some of these metrics as quality objectives (i.e., a requirement of ISO 13485, Clause 5.4.1). You should also analyze this data for positive and negative trends as required by ISO 13485, Clause 8.4.

Your first CAPAs

The fourth and final step in the Deming Cycle is to “act.” Acting involves taking corrective action(s) when your data analysis identifies processes that are not functioning as well as they should be. In order to achieve ISO 13485 certification, you will need some examples of corrective and preventive actions (CAPAs) that you have implemented. The actions you take in response to observed trends during data analysis are all potential CAPAs.

Download an ISO 13485 quality system plan

Later this week I will be posting a follow-up blog that explains how to write an ISO 13485 quality system plan for establishing a new quality system. There will also be a link for downloading a free ISO 13485 quality system plan. To receive an email notification of when this blog is posted, please subscribe to my blog. I will be writing additional blogs about lessons learned from this accelerated implementation project.


Case Study Part 2: Packaging CAPA Preventive Action and Corrective Action

This article explains details of implementing a CAPA preventive action and corrective action for packaging issues. Specifically, containment measures, corrections, corrective actions and preventive actions to address the root cause identified in part 1 of this case study.


Comparing Incoming Inspection Results as a CAPA Preventive Action

CAPA Step 1: Containment of Product with Defective Packaging

When you learn of a packaging complaint related to a specific lot, you also need to determine if other product associated with the lot is safe to ship to customers. You should not attempt a correction and removal of product unless you have a reasonably high level of confidence that there is a packaging issue with the lot or a portion of a lot, but you might consider placing product from the same lot in your inventory on hold until your investigation is completed. If you confirm that you have an issue with a specific lot, lots or portion of a lot, then you should initiate correction and removal of product to prevent potentially non-sterile product from being used. This type of problem could result in a Class 1 recall (i.e., the most severe of the three categories). Therefore, you need to act quickly and according to established procedures for corrections and removals.

CAPA Step 2: Correction(s) of Defective Packaging

If you find a problem there is little you can do to fix the existing, defective packaging other than to repackage the product. If the product has only been sterilized once, and you have revalidated the product for resterilization, then you can repackage, relabel and resterilize. In order to ensure traceability to the lot that has been reworked, you may need to revise the labeling (e.g., add an “R” to the lot number). If you have not revalidated the resterilization of product, you may want to use this lot for validation of resterilization instead of throwing it out. However, sometimes your best option is to scrap the product.

Additional corrections may involve correcting the calibration of a testing device or performing repair to sealing equipment. You might modify a specification on a drawing. You might correct a work instruction that did not have the correct validated sealing parameters. All of these could be corrections.

CAPA Step 4: Corrective Action(s) for Packaging Issues

Investigation of root cause (CAPA Step 3) occurs in parallel with containment (CAPA Step 1) and correction (CAPA Step 2). Corrective actions (CAPA Step 4) prevent the packaging issues from recurring, and they occur after the first three steps, because you can only implement corrective actions once you understand the root cause of the quality issue. The best tool for evaluating your current process controls and evaluating the implementation of new corrective actions is a process risk control plan. In order to do this you need a process flow diagram and a process risk analysis. Each step of the process from raw material fabrication of film to the released product needs to have potential hazards identified, risks evaluated and risk controls implemented. You should use your process validation to verify the effectiveness of process risk controls quantitatively. If the process capability is greater than 95% for each parameter and you have addressed every possible source of problems, then you probably won’t gain much from additional risk controls. However, many companies reduce their sampling or rely on certificates of conformity to ensure that the process is controlled adequately.

CAPA Step 5: CAPA Preventive Action for Packaging Issues

You already had a packaging issue with one lot of product, but you could have another issue with a different product or lot for the same reason or a different reason. If the product is the same, and the reason is the same, then actions taken are corrective actions. If you take action to prevent occurrence of this issue with a different product, or you prevent other potential causes of packaging issues by initiating more robust monitoring and process controls, then your actions are preventive actions. Often you will want to implement both types of actions.

In the box plot example provided in this article, Lot D was detected at incoming inspection as having peel test results that were outside the alert limit but acceptable when compared to the specification limit for peel testing. The alert limit was established during validation of the pouches, and comparison of lots A, B, C and D demonstrates that Lot D is slightly lower in peel strength. The manufacturer may choose to use the lot, but the sampling plan for in-process peel testing may be altered or the manufacturer may choose to place the new lot in quarantine while an investigation is performed. This is a CAPA preventive action.

Below I have listed six additional potential CAPA preventive actions to consider for your packaging process:

  1. Perform peel testing and/or bubble leak testing of packaging raw materials as part of the receiving inspection process and perform data analysis of the incoming inspection samples to determine if lower or higher alert and action limits should be established for the new lot of raw materials. The limits should be based upon the manufacturer’s seals as well as your own seal.
  2. Retain remnants of in-process peel testing, include the remnants with the sterilization load, and then store the remnants for real-time aging.
  3. Consider implementing visual inspection tools that are able to detect sealing imperfections non-destructively.
  4. Increase the number of samples you test (e.g., 1 to 3 or 3 to 5) for each lot of product sealed to increase your confidence that the seals will be within specifications.
  5. Perform statistical analysis of in-process data for seal peel strength in order to identify potential lots with packaging issues prior to release.
  6. Evaluate the performance of the packaging at temperature and humidity extremes that may be higher or lower than the conservative estimates for ambient conditions (e.g., 30°C vs. 25°C).

Additional Resources

In addition to the previous article that was part 1 of this case study, I have posted 10 other blogs specifically on the topic of CAPA. There is also a CAPA procedure you can download from this website.

Risk-based CAPA Webinar

If you are interested in learning more about a risk-based approach to CAPAs, then please click here.


Case Study Part 1: Packaging Complaint Investigation

This article explains how to perform a packaging complaint investigation using a case study example of flexible packaging that was found open by a customer. This is part one of a two-part article. The second part will focus on the CAPA process: specifically, containment measures, corrections, corrective actions and preventive actions.


This case study example involves a flexible, peelable pouch made of Tyvek and a clear plastic film. This is one of the most common types of packaging used for sterile medical devices. In parallel with the complaint investigation, containment measures and corrections are implemented immediately in order to prevent the complaint from becoming a more widespread problem. The investigation process utilizes a “Fishbone Diagram” to identify the root cause of the packaging failure. This is just one of several root cause analysis tools that you can use for complaint investigations, but it works particularly well for examples where something has gone wrong in production process controls, but we are not sure which process control has failed.

Once the root cause is identified for the packaging complaint, you need to implement corrective actions to prevent recurrence. In addition, FDA Clause 21 CFR 820.100 and ISO 13485, Clause 8.5.3 require that you implement preventive actions to detect situations that might result in a potential packaging failure in the future and implement preventive measures so that similar packaging failures are not able to occur.

Packaging Incident

The incident was reported by a distributor. The distributor told customer service that two pouches in a box containing 24 sterile devices were found to have a seal that appeared to be delaminating. Unfortunately the distributor was unable to provide a sample of the delaminated pouches or the lot number of the units. Packaging issues and labeling issues are typically two of the most common complaint categories for medical devices. Often the labeling issues are operator errors or a result of labeling mixups, while the packaging errors may be due to customers that accidentally ordered or opened the wrong size of product and therefore they may complain about packaging when there was actually nothing wrong. It is important to be diligent in the investigation of each packaging complaint, because if there is a legitimate packaging quality issue then there may be a need for a product recall as part of your corrective action plan.

Reporting of Packaging Complaint Investigation

A lot of clients do not want to report packaging issues as a Medical Device Report or MDR, because they are concerned about potential action by the agency or the negative publicity of the reported adverse event. Even if an injury or death did not occur with a sterile medical device, the quality issue should still be reported as an MDR in accordance with 21 CFR 803 because it could cause an adverse event such as a serious infection that could result in sepsis and death. If you think that this is an extremely conservative approach, you might be surprised to learn that 225 MDRs were reported in just October of 2015 for packaging issues. One random example is the following report of a leaking contact lens vial:

Event Description

“It was reported that the lens vial was found to have little or no saline storage solution. This was discovered upon receipt and the product was not used.”

Manufacturers Narrative

“The lens and lens vial were not returned for evaluation. The lot history record was reviewed and there were no non-conformities or anomalies related to this complaint. Based on the information currently available the most likely root cause of the event is related to a leaking lens vial. The type of lens vial associated with this report has been discontinued and a new (redesigned) vial was implemented.”

Packaging Complaint Investigation when product IS NOT returned

What the narrative above does not elaborate on is the specific investigation details behind “lot history reviewed.” One of the most useful tools for performing this type of investigation is the “Fishbone Diagram”. There are six parts (the “6Ms”) to this method:

  1. materials,
  2. method,
  3. machine,
  4. “mother nature” or environment,
  5. “manpower” or people, and
  6. measurement.

Here are a couple of things that could have been done:

  1. review the complaint log for other complaints with the same lot number and/or from a similar time period, lot of raw materials or packaging machine
  2. review the device history record for the lot to make sure that the number of units rejected as part of normal in-process and final inspection did not exceed pre-established thresholds for monitoring of the sealing process
  3. if retains of the lot are available, these might be retested to verify that the testing results after real-time aging remain acceptable
  4. the maintenance and calibration records of the equipment for manufacture and for testing may be reviewed to verify that no repairs were required and no equipment was identified as out-of-calibration

If all of the above fail to identify a potential cause for a packaging failure, then you might have a problem related to people or the environment. People includes the people sealing the product package and the users. The environment includes the temperature and humidity for storage of packaging raw materials, packaged product, sterilization conditions, storage conditions after sterilization and shipping conditions–including any temporary extremes that might occur during transit.

In our case study the product was not returned and we did not have the lot number. Therefore, we may need to review distribution records to that distributor and/or the customer to narrow down the possible lots to one or more lots. Then we would need to perform the same type of review of lot history records for each potential lot. In the future, the UDI bar codes that are on products and product labeling will facilitate the identification of lots, because the UDI bar codes will be scanned into each patient’s electronic medical record and the production identifier (PI) portion of the code will tell manufacturers exactly which production lot was involved.

Packaging Complaint Investigation when product IS returned

Sometimes you are fortunate enough to receive returned product. The product should be immediately segregated from your other products to prevent mix-ups and/or contamination. After it has been determined that the product is safe to handle, the assigned investigator may inspect the product packaging to confirm packaging issues and possibly destructively test the packaging to verify that the packaging returned meets the specifications.

Additional Resources

There are an enormous number of articles and studies on the topic of package testing and package design for sterile medical devices. If you have a question, you can probably find a dissertation or two on any obscure aspect of packaging you are interested in. For example, Jordan Montgomery is a packaging engineer/technical fellow with Medtronic. He performed a thorough investigation comparing testing methods for the EN ISO 898-5 with the ASTM F88 method. A dissertation I read also attempted to correlate burst test results with peel testing results for the same packaging.

Related Blogs

If you are interested in learning more about root cause analysis, then you should visit the following articles specifically written about this topic:


Risk Management Traceability for CE Marking Technical Files

This article explains how to use risk management traceability for CE Marking in order to cross-reference hazards, risks and risk controls throughout your technical file. This approach will more efficiently integrate risk management tools into your Design History File (DHF), post-market surveillance documentation and clinical evaluation reports (CERs).

The table below provides a simple template for nomenclature of the risk management elements that you need to cross-reference, and for which you need to provide risk management traceability, throughout your technical documentation.

[Table image: Risk Management Traceability for CE Marking Technical Files]

The table does not include a cross-reference code for verification and validation reports, because there could be, and typically are, multiple risk controls that are validated and verified for each risk, and many times they are applied across multiple product lines. Therefore, it is more efficient to simply reference the controlled document number for the verification report that is applicable to that risk control.

Basic Concept of Risk Management Traceability

The concept of risk traceability is more than being able to identify the verification and validation study that was performed in order to verify effectiveness of risk controls in your FMEA, because it is in the same row of your table. Best practice is to number your hazards, risks and risk controls so that you can cross-reference more easily throughout all your technical documentation [i.e., design requirements matrix, risk management file, clinical evaluation report, post-market surveillance plan / reports and post-market clinical follow-up (PMCF) report].

Design Requirements Traceability Matrix (DRTM)

The design requirements traceability matrix (DRTM) is a combination of two documents that have been used for the past two decades by medical device manufacturers: 1) the design requirements matrix or IOVV (i.e., inputs, outputs, verification and validation), and 2) the risk traceability matrix. The second document is less commonly used, but an example of one is provided in Figure 3 of the GHTF risk management guidance document SG3 N15R8.

The risk management summary table that is presented in Figure 3 of the guidance also provides cross-references to specific tests, and each test has an identification number for traceability. This approach is also used frequently in risk control plans–an excellent tool for production process controls and planning product realization prior to process validation.

Risk Management Traceability to Post-Market Surveillance

I recommend that companies create a post-market surveillance plan for devices or device families during the design transfer process. This is NOT the post-market surveillance procedure. Your procedure should indicate the process you use for post-market surveillance, but your plan should be process specific and identify specific risks that you intend to gather post-production data for. The post-market surveillance plan should provide traceability back to each risk in your risk management file (e.g., R1, R2, R3). You should include a post-market clinical follow-up (PMCF) protocol and report that also cross-reference to these risks and associated risk controls–or provide a justification for not conducting a PMCF study. In 2016, the new European Medical Device Regulations (EMDR) will require that both the protocol and the report be included in your post-market surveillance plan as a required section (see Annex II of the proposed regulations) of the technical file or design dossier. Finally, I recommend that you revise and update your risk management plan for post-production data collection at the time of design transfer. When you make this revision, I recommend moving the risk management plan from the design plan to your post-market surveillance plan as an integral part of the plan (i.e., one of the primary sections of the plan).

Risk Management Traceability for Your Clinical Evaluation Report (CER) 

In your clinical evaluation report (CER), if you simply say that “the clinical data reviewed addresses all of the residual risks identified in the risk management summary report” you are not being specific enough. Your clinical evaluation report (CER) should explain how the clinical study data you reviewed addresses each of the risks that you identified in your risk analysis. Personally I like to have subsections in the discussion section of the clinical evaluation report (CER) for each of the risks identified in the risk management file. I also do this when I write my post-market surveillance plan. When I do this I include a cross-reference to the applicable hazard in my design requirements matrix, risk analysis and hazard identification summary report (e.g., “HZ1”, “HZ1” and “HZ3”).

Risk Management Traceability to Warnings & Precautions

ISO 14971:2007 indicates that disclosing residual risks to users of your device is a risk control. Annex ZA, deviation 7 of EN ISO 14971:2012 indicates that you cannot claim to reduce the risks of your product by disclosing these residual risks–even though these are considered risk controls. You should still validate the effectiveness of the instructions for use, technique guide and training through simulated use studies prior to product release. However, you cannot claim a quantitative risk reduction in your risk analysis as per deviation 7. Of course there can be a reduction in overall risks when you train users, but you can’t claim it, and the prevalence of “use errors” demonstrates the limited effectiveness of IFUs and training.

Additional Risk Management References

I have published 14 previous blogs specifically on the topic of risk management over the past couple of years. Please click here if you are looking for more information related to risk management. You can expect many more blogs on this topic during the next six months because I will be presenting four presentations in Brussels at an international medical device conference scheduled for June 13-17, 2016.

Procedures & Templates for Risk Management

If you are looking for a procedure (SOP) and associated form for risk management please click here.
