Blog

Archive for ISO Certification

Updating Training Procedure for Compliance with ISO 13485:2016

This article explains my process for updating training procedure SYS-004 for compliance with ISO 13845:2016 while the procedure was also simplified.

Training and Competency 1 Updating Training Procedure for Compliance with ISO 13485:2016

In addition to weekly blogging for the Medical Device Academy website and the FDAeCopy website, I am also updating each of my procedures for ISO 13485:2016 compliance. This week the training and competency procedure (SYS-004) was updated. You are updating your own procedures for compliance with the revised standard, but are you making any other strategic changes at the same time?

Changes to Training in ISO 13485:2016

The primary change to Clause 6.2 in ISO 13485 was the addition of the phrase, “shall document the process(es) for establishing competence, providing training and ensuring awareness.” This doesn’t represent a change in the intent of the standard, but it does signal that certification bodies should be emphasizing the importance of assessing effectiveness of training and competency–not just verifying the existence of training records.

Updating Training Procedure

The original version of SYS-004 had 8 pages and includes three different flow charts to explain the process. The procedure also required the use of a training plan for each employee. While I agree that training should be planned by managers, if you make this a formal requirement with a controlled form it creates an unnecessary burden for managers.

Therefore, when the procedure was updated to the requirements of ISO 13485:2016, the procedure was also simplified for easier implementation by start-up companies. When you update your procedures you might look for similar opportunities to simplify and streamline the processes.

The updated procedure now has suggestions for how to consolidate certain roles for smaller companies. The procedure still references a training record for documenting training, but now there is also a reference to a training matrix to help document training requirements for each employee.

The FDA also requires that there are documented training requirements. Therefore, the procedure identifies the need to create a job description that includes training and competency requirements. The procedure does not, however, require that the job descriptions be maintained as controlled documents. If your company has multiple people with the same job function (e.g., customer service), then it might make sense to have a controlled document that is a job description for customer service. A company with 4 employees do not need controlled documents and instead a unique record for each employee makes more sense.

Updating Training Procedure to Explain How to Complete Forms?

Another option is to make your procedure very detailed to explain how to complete each section of a form, such as the training record (FRM-002) or the training matrix (FRM-026). However, I see very few managers struggle with completing training records. Therefore, instead I plan to record a brief training webinar that explains how to fill in the forms. This will be provided as a free update to anyone that purchases the training competency procedure. This makes it easier to review the procedure for regulatory compliance and puts the details on how to complete forms in the training curriculum where it belongs.

If you have questions about how to update any of your procedures to ISO 13485, please email me at rob@13485cert.com. Maybe I’ll use your question as a topic for a future blog.

Posted in: ISO 13485:201x, ISO Certification

Leave a Comment (0) →

Control of Records – Updating Your Procedure for ISO 13485:2016

Article reviews changes recommended for your control of records procedure to ensure compliance with ISO 13485:2016 and applicable regulatory requirements.

VA File Storage Control of Records   Updating Your Procedure for ISO 13485:2016

Nine months have already passed since the release of the 2016 version of ISO 13485. In 2015, you were told to update your quality system procedures early before the new European Regulations were released. There is a three year transition period, and you decided to do it next year. Now it’s 2017. It’s time to update your procedures.

Quality Plan for Revising Procedures to ISO 13485:2016

My plan is to update one procedure each week from the 2003 version of ISO 13485 to the 2016 version. Some of the procedures were already updated last year, but just like you I decided to finish the work next year. For the next 6 months we will be busy revising procedures.

Training on the requirements for Control of Records

In addition to a procedure for control of records, you also need to train employees on good documentation practices. Originally I created a webinar called “GDP 101” that combined control of documents, control of records and training. Several people recommended that the webinar be revised to focus on control of records. Therefore, new webinars will be recorded each week to explain the updates to each procedure and to ensure that there is a training webinar for each procedure.

Three Generic Updates to Control of Records Procedure (SYS-002)

When you update a procedure, you need to do more than change the reference to the version of ISO 13485. For all procedures I recommend that you make three general improvements:

  1. identify a risk-based approach for that procedure,
  2. identify methods for documenting training effectiveness and competency, and
  3. verify that you have updated the procedure to address regulatory requirements.

In the case of control of records, the most important records should have more rigorous controls and more frequent monitoring of record control to ensure it is effective. For example, the following critical records are frequently sampled by FDA inspectors and should be carefully stored, organized and monitored:

  • CAPAs
  • Complaints
  • Adverse Event Reports
  • Recalls
  • Nonconforming Material Records
  • Design History Files
  • Training Records

FDA inspectors are not permitted to review records of your management reviews, internal audit records and supplier records. However, all three records will be sampled by certification bodies and therefore these three records exempt from the requirements of 21 CFR 820.180 should also be a priority for risk-based control of records.

To address the third of the generic procedural updates, you should be aware that the new EU Medical Device Regulations are expected to increase the required record retention period for non-implant devices from 5 years to 10 years. Implants are expected to remain at 15 years.

Three Procedure-Specific Updates to Control of Records Procedure (SYS-002)

In addition to the generic procedural updates, there are three changes in the Standard that are specific to control of records. First, in the section for control of documents (renumbered as Clause 4.2.4) there is now a requirement to prevent the deterioration and loss of documents.

Second, there is now a requirement in Clause 7.3.10 for maintaining design and development files for devices. This may have been previously been addressed as a requirement to meet the FDA requirements for maintaining a Design History File (DHF), but not all ISO 13485 certified companies sell product in the USA.

Third, there is a new requirement related to protection of confidential health information, such as the information gathered during complaint investigations and clinical studies. Many companies refer to this as HIPAA compliance.

Updated Procedure & Webinar Bundle

If you need to update your control of records procedure and train your employees, you might consider our new procedure and webinar bundle.

Posted in: ISO 13485:201x, ISO Certification

Leave a Comment (0) →

Implementing Procedures for CAPA, NCMR & Receiving Inspection

The article shares lessons learned from implementing procedures for a new ISO 13485 quality system. This is the second in a series. The first month of procedure implementation was covered in a previous article titled, “How to implement a new ISO 13485 quality system plan in 2016.”

Implementing Procedures Implementing Procedures for CAPA, NCMR & Receiving Inspection

Typically, I recommend implementing a new ISO 13485 quality system over a 6-month period, but recently I a few clients have requested my assistance with implementing a quality management system within 4 months. In November I wrote an article about implementing a new ISO 13485 quality system. That article described implementing procedures for the first month. Specifically, the implementation of the following procedures was covered:

  1. SYS-027, Purchasing
  2. SYS-001, Document Control
  3. SYS-002, Record & Data Control
  4. SYS-004, Training & Competency
  5. SYS-011, Supplier Quality Management
  6. SYS-008, Product Development
  7. SYS-010, Risk Management
  8. SYS-006, Change Control

These 8 procedures are typically needed first. This article covers implementation of the next set of procedures. During this month, I recommend conducting company-wide quality management system training for the ISO 13485 and 21 CFR 820.

Implementing Receiving Inspection Procedures

During the first month procedures for purchasing components and services are implemented. As these products are shipped and received by your company, you need to create records of incoming inspection. It is not sufficient to merely have a log for receiving inspection. You need records of the results of inspection. You may outsource the inspection activities, but receiving personnel must review the records of inspection for accuracy and completeness prior to moving product to your storage warehouse or production areas. Even if inspection is 100% outsourced, it is still recommended to periodically verify the inspection results independently on a sampling basis. This is should be a risk-based sampling that takes into account the importance of the item being inspected and the existence of in-process and final inspection activities that will identify potential nonconformities.

The most difficult part of this process typically is identifying inspection procedures and calibrated devices for inspection. Your company must find a balance between inspections performed by suppliers, incoming inspection, in-process inspection and final inspection. Each of these process controls requires time and resources, but implementation should be risk based and take into account the effectiveness of each 

inspection process–as determined by process validation. Sample sizes for inspection should also be risk-based.

Implementing Procedures for Identification and Traceability

The lot or serial number of components must be identified throughout product realization–including incoming inspection, storage, production, final inspection and shipping. In addition to identifying what things are, you must also identify the status of each item throughout the product realization process. For example:

  • Is product to be inspected or already inspected?
  • After inspection is product accepted or rejected?
  • Which production processes have been completed?
  • Is product released for final shipment?

The procedure for identification and traceability should be implemented immediately after the purchasing process, implemented during 1st month, because traceability requirements should be communicated to suppliers as part of supplier quality agreements and as part of each purchase order.

Initially when this process is implemented there is a tendency to complete forms for every step of the process and to distribute copies of the forms to communicate status. Completing forms and copying paperwork requires labor and adds no value. Therefore, learn manufacturing methods and visual indicators such as color coding are recommended as best practices for identifying product and its status.

Implementing CAPA Procedures

When product is identified as nonconforming, corrective actions need to be implemented to prevent recurrence. Procedures need to include the requirement for planning corrective actions, containing product that is nonconforming, correcting nonconformities and implementing actions to prevent any future nonconformities. These procedures also need to address negative trends to prevent nonconformities before product is out of specification (i.e., preventive actions). Procedures also need to provide guidelines for how to verify effectiveness of corrective and preventive actions. Initially the actions implemented will be specific to purchased product that is received and rejected. However, over time data analysis of process monitoring and internal auditing will identify additional corrective and preventive actions that are needed.

The effectiveness of CAPA processes in general requires three key elements:

  1. A well-designed CAPA form
  2. Proper training on root cause analysis
  3. Performing effectiveness checks

In the CAPA training provided during the second month, the best practices for CAPA form design are covered. The training includes several methods for root causes analysis too. Finally, the training emphasizes using quantitative measurements to verify effectiveness of corrective actions. In fact, it is recommended to identify the quantitative acceptance criteria for an effective corrective action prior to initiating actions in order to ensure that the actions planned are sufficient to prevent recurrence.

Monitoring Your Procedure Implementation Process

As indicated in November’s article, I recommend using quantitative metrics to track progress of procedure implementation. For example:

  1. % of procedures implemented,
  2. duration of document review and approval process, and
  3. % of required training completed.

Implementing Procedures for ISO 13485:2016

If you already have a quality system in place a you are implementing procedures that are modified for ISO 13485:2016 compliance, some of the same lessons learned apply. If you are interested in learning more about the changes required for compliance with the 2016 version of the standard, we recorded two live webinars on March 24, 2016.

Posted in: ISO 13485:201x

Leave a Comment (0) →

Management review revisions for ISO 13485:2016

The article explains management review revisions required for ISO 13485:2016 compliance. The article tells a story about a recent re-certification audit nonconformity and how the revised ISO 13485:2016 Standard will help prevent this type of quality issue in the future. The article includes links to information about new and revised regulatory requirements, how to write a procedure and there is a link for downloading a free management review webinar.

Management Review 20161 Management review revisions for ISO 13485:2016

One of my clients recently had a re-certification audit in December with their Notified Body and they received a nonconformity in the first couple of hours of the 4 day audit. Here’s what happened.

First, they had an opening meeting with the auditor from 8:30am – 9:05am. Next they took the auditor on a tour of the facility to show her some of the areas of the facility that had been renovated since last year’s surveillance audit. The management representative and the auditor returned to the conference room at 9:40am and the auditor began with a review of the management review revisions to the procedure. The procedure had not changed since the previous year so the auditor asked to see the most recent management review. The company conducted a management review on Tuesday, December 8, 2015. The audit reviewed all the required inputs since the previous management review–which was conducted on Tuesday, December 9, 2014.

When the auditor reviewed data analysis of complaints, she noticed a spike in complaints related to shipping errors that occurred in the months of February through May. When she asked for an explanation, the management representative explained that the renovations caused some misplacement of inventory that resulted in shipping delays and a few mistakes. The auditor asked when the trend was first observed. The management representative indicated that the trend was observed in April, and corrections were made by the warehouse manager in May. The trend was confirmed to have reversed in the data from the third quarter.

The auditor asked if a formal corrective action was implemented. The management representative said that no formal CAPA was initiated, because the problem did not appear to be a systemic problem due to the small volume of complaints relative to the large volume of shipments. The auditor asked if shipping complaints were a quality objective. The management representative confidently indicated that they were. The auditor then asked when top management was notified of the negative trend and reviewed the spike in the performance of the quality objective. The management representative said that the quality objective performance is reviewed by top management during the management reviews and since the corrections appeared to be effective no further action was warranted.

The auditor responded that she would be issuing a minor nonconformity against the management review process. The reason the auditor provided was that top management and the management representative did not maintain effectiveness of the quality management system during a major renovation, because they did not monitor quality objectives on a sufficient frequency to react to quality issues in a timely manner. Furthermore, they failed to modify there planned interval for management reviews to take into account major changes in the facility that could negatively impact quality.

At the closing meeting, top management asked what should have been done to avoid this finding. The auditor was hesitant to provide advice, but she indicated that management could have been more proactive and taken measures to prevent the shipping complaints in the first place. A quality plan for the renovation could have included increased management oversight and more frequent review of quality objectives related to the areas being renovated. Instead of reviewing quality metrics quarterly, a monthly schedule might have been used during the renovations. Instead of scheduling the management review for December, top management might have scheduled a management review during or immediately after the renovations to address any quality issues with corrective actions or action items in the management review outputs. Another possible, and less proactive, approach would have been for the warehouse manager to initiate a formal corrective action as soon as the negative trend was observed. Then top management would have been aware of the quality issue through the CAPA process. Unfortunately, none of these actions were taken.

The auditor indicated that she could have written the finding against a number of different clauses (e.g., CAPA, monitoring and measurement of processes, quality system planning). She chose to reference the management review process in the finding, because the company will need to make management review revisions in 2016 to document the justification for management review intervals. There are also management review revisions required to address new and revised regulatory requirements in the meeting outputs. Therefore, the company’s corrective action plan might also address the requirements of the revised ISO 13485:2016 Standard.

Management review revisions to frequency of planned intervals

Most companies satisfy the requirement for conducting a management review (i.e., 21 CFR 820.20 and ISO 13485, Clause 5.6) in one of the following ways:

  1. conducting one meeting each year
  2. conducting one meeting each quarter

If your company is conducting only annual reviews, your reviews will be far more useful if you switch to a quarterly schedule. In the case of my client, top management would have discussed the negative trend in shipping complaints in April 2015 instead of December 2015–8 months earlier. Reviewing data from 9-10 months ago is too late to take action.

Management Review Revisions Medical Device Academy Made

You can download the management review procedure from this website that was just updated for compliance with ISO 13485:2016. If you have your own procedure, you might want to read my blog about improving your own management review procedure. The key to writing a procedure is link the procedure to template that will be used as a starting point for each management review. The template should include each of the 8 required inputs (i.e., Clause 5.6.2), the 3 required outputs (i.e., Clause 5.6.3) and a slide for covering both the Quality Policy and the overall effectiveness of the Quality Management System. The procedure should be short and the bullets should match the requirements verbatim.

Training Top Management

The biggest reason why management reviews are ineffective is that there is little engagement by most of the people in the room. Everyone in the room should be familiar with the requirements and contribute to the preparation for a management review and management review revisions. The best management representatives anticipate the needs of top management and give them tools that explain exactly what they need to do to prepare for a management review and their responsibilities during the meeting.

Additional Management Review Resources

If you are looking for more information on this topic, here are some resources:

  1. How to Improve Your Medical Device Management Review Procedure
  2. Management Review Procedure Case Study
  3. Management Review Webinar: Making your meetings more effective
  4. Medical Device Management Review Meetings: 3 Compliance Issues

Posted in: ISO 13485:201x, ISO Certification

Leave a Comment (4) →

How to write a quality system plan template (free download)

This article explains how to write a quality system plan template to revise and update your quality system for compliance with ISO 13485:2016 when it is released early next year. The end of the article includes a form to complete if you want to download a free quality system plan template.

Screenshot 2015 11 19 at 5.52.44 PM How to write a quality system plan template (free download)

Templates are the key to writing a quality system plan

Plan, do, check and act (PDCA) is the mantra of the Deming disciples, but does anyone know what should be in your quality system plan template. Everyone focuses on the steps–the “What’s.” Unfortunately, people forget to include the other important pieces of an all inclusive quality system plan template. Why? When? Who? and How much?

The table in the template is an example of “What?” steps to perform, but it is specific to my procedures. You will need to revise the table to reference your own procedures and the changes you make will be specific to your quality system plan. The other sections of the template tell you what needs to be included in that section, but I did not provide examples for those sections.

Why to write a quality system plan template

The purpose section of the quality system plan template answers the question of “Why?” You need to specify if the purpose of your quality system plan is compliance with new and revised regulatory requirements, preventing recurrence of quality issues or maybe a faster development cycle. The purpose section of the plan also provides guidance with regard to the monitoring and measurement section of your quality system plan template.

When to write a quality system plan template

Most changes have deadlines. In the case of ISO 13485:2016, there will be a 3-year transition period, but most companies establish internal goals for early implementation by the end of the fiscal year or the end of a financial quarter. Some of the changes can be made in parallel, while other changes need to be sequential. Therefore, there may be specific milestones within the quality system plan template that must be complete by specific dates. These dates define “When?” the steps in the quality system plan must be implemented.

Who should write your quality system plan template

As my quality system plan template indicates, I recommend defining both individual process owners and teams of process owners where processes can be grouped together. For example, I typically group the following four processes together as part of “Good Documentation Practices (GDPs)”: 1) control of documents (SYS-001), 2) control of records (SYS-002), 3) training (SYS-004), and 4) change control (SYS-006). In fact, I cover all four processes in a webinar called “GDP 101.”

It is important to have one person that is accountable and has the authority to implement changes for each process, but only one person should be in control of each process. If you have four related procedures, then the team of four people will need to coordinate their efforts so that changes are implemented swiftly and accurately. For the overall quality system plan template, I recommend assigning a team leader for the team of four process owners described above. One of those people should be responsible for team leadership and writing the quality system plan template.

Monitoring implementation of your quality system plan template

Monitoring the progress of your plan ensures successful implementation of the plan. Sometimes things don’t work as planned and corrections need to be made. Additional resources might be needed. The plan may have been too optimistic with regard to the implementation time required. I recommend assigning one person the task of retrieving team status reports from each of the teams and consolidating the team reports into an overall progress report.

Free download of ISO 13485:2016 quality system plan template

The sign-up form below will allow you to receive an email with the ISO 13485:2016 quality system plan template attached. This is a two-step process that will require you to confirm the sign-up.

Posted in: ISO Certification

Leave a Comment (2) →

How to implement a new ISO 13485 quality system plan in 2016

This article is a case study that explains how to implement a new ISO 13485 quality system plan at an accelerated schedule of just four months. The quality system will also be compliant with 21 CFR 820.

 

QMS Implementation Plan How to implement a new ISO 13485 quality system plan in 2016

Typically, I recommend implementing a new ISO 13485 quality system plan over a period of 6 months. The reason for this is that people can only read procedures and complete training at a certain pace. Since there are approximately 30 procedures required for a full quality system, an implementation pace of one procedure per week allows a company to complete 90% of the reading and training in six months.

In October a new client asked me for a proposal to implement a new ISO 13485 quality system plan. The proposed quality system plan indicated that the project would start in October and finish in March. The client accepted my proposal, but they asked me help them implement the quality system plan in four months as indicated in the table above. We just started implementation of the quality system plan last week, and I have discovered some secrets that dramatically simplify the process.  This blog shares some of the lessons learned that help implement the quality system plan at this faster pace.

Outsourcing ISO 13485 quality system development

Not everyone has the skill and experience to write a quality system procedure, but if you have a good template, you understand quality systems–then you can write quality system procedures. Depending upon the length of the procedure, it may take four to eight hours of writing for each procedure. Therefore, an in-house quality manager needs to allocate one day per week if they plan to write all the procedures for their quality system in six months. For a four-month implementation of an ISO 13485 quality system plan, you need to allocate two days per week to writing.

Alternatively, you can outsource the writing of your quality system. However, someone must be responsible for “customizing” generic procedures to fit your company or the procedures need to be written from scratch. A third and final option is to have a hybrid of in-house procedures and outsourced procedures. If your quality manager has limited time resources, then you can supplement the managers time with procedures that are purchased and customized to fit your template. If there are certain procedures that the quality manager needs help with, such as risk management, then you can also purchase just those procedures.

ISO 13485 quality system plan

One of the basic principles of quality management systems is “continuous improvement.” The continuous improvement cycle is also known as the “Deming Cycle.” There are four parts to the cycle:

  1. Plan
  2. Do
  3. Check
  4. Act

When you are developing an ISO 13485 quality system, the first step is to develop the quality system plan. I recommend the following guidelines for a quality system plan. First, plan to implement the quality system at a steady pace. Second, organize the implementation into small groups of related procedures.

In this case study, I have 29 procedures that we are implementing and there are 11 recorded training webinars. During each of the four months approximately the same number of procedures are implemented. Then I organized the small groups of procedures around the scheduled webinar trainings. For example, the month of November will have a total of 24 documents (i.e., 8 procedures and 16 associated forms and lists) implemented and there are four webinar trainings scheduled. Therefore, four procedures associated with “Good Documentation Practices 101 will be implemented as a group under document change notice (DCN) 15-001. Two procedures associated with “Are your Suppliers Qualified? Prove it! will be implemented as a group under DCN 15-002. The remaining two procedures, design controls and risk management, will be implemented as a group under DCN 15-003 with two related webinars on design controls and ISO 14971.

Document Change Notice (DCN)

The next step in the Deming Cycle is to “Do.” For implementation of an ISO 13485 quality system plan, “doing” involves creation of procedures, forms and lists; but “doing” also involves the review and approval of these documents. The form we use to review and approve procedures is called a document change notice or DCN.

It’s been almost 20 years since I completed my first DCN. For anyone that is unfamiliar with the review and approval of new and revised documents, most quality systems document the review and approval of procedures and forms on a separate form. The reason for this is that when you make one change it often affects several other documents and forms. Therefore, it is more efficient to list all the documents and forms that are affected by the change on one form. This results in fewer signatures for reviewers and approvers. Several of the companies that I have helped to implement an ISO 13485 quality system plan for fail to review and approve the documents and forms in a timely manner. I think there are two reasons for this:

  1. they haven’t been responsible for document control before, and
  2. they don’t want to have to create and maintain quality system records any sooner than required.

The first reason can be addressed easily with training. The second reason, however, is flawed. It is important to implement the procedures as soon as possible in order to begin creating quality system records that can be audited by an ISO 13485 certification auditor or FDA inspectors. I have struggled with this hesitation in the past, but for this project I am completing DCNs for the initial release of all the procedures and forms. This ensures that all the procedures and forms will be reviewed and approved shortly after the webinar training is completed. In addition, this gives my client multiple examples of DCNs to follow as the make revisions to the procedures and forms over time.

Quality Objectives & Data analysis

The third step in the Deming Cycle is to “check.” I recommend using quantitative metrics to track progress toward your goal of completing the quality system implementation. For example, if you have 50 documents to review and approve you can track the % complete by just multiplying each document that is approved by 2%. You can also track the implementation of documents separately by type. Every DCN you route for approval will take a certain number of days to complete. You might consider tracking the duration of DCN approval. As a benchmark, an efficient

paper-based DCN process should average about 4 days from initiation to completion. I have seen average durations measured in months, but hopefully your average duration of DCN approval will be measured in days. Another metric to consider is the % of required training that has been completed for the company, for each department and for each employee. Regardless of which metrics you choose to evaluate your quality system implementation, you should pick some of these metrics as quality objectives (i.e., a requirement of ISO 13485, Clause 5.4.1). You should also analyze this data for positive and negative trends as required by ISO 13485, Clause 8.4.

Your first CAPAs

The fourth and final step in the Deming Cycle is to “act.” Acting involves taking corrective action(s) when your data analysis identifies processes that are not functioning as well as they should be. In order to achieve ISO 13485 certification, you will need some examples of corrective and preventive actions (CAPAs) that you have implemented. The actions you take in response to observed trends during data analysis are all potential CAPAs.

Download an ISO 13485 quality system plan

Later this week I will be posting a follow-up blog that explains how to write an ISO 13485 quality system plan for establishing a new quality system. There will also be a link for downloading a free ISO 13485 quality system plan. To receive an email notification of when this blog is posted, please subscribe to my blog. I will be writing additional blogs about lessons learned from this accelerated implementation project.

Posted in: ISO Certification

Leave a Comment (1) →

Good Documentation Practices (GDP 101) Webinar

good documetnation practice GDP101 300x261 Good Documentation Practices (GDP 101) Webinar

No White Out!

Medical Device Academy released a new webinar this week for training companies on good documentation practices.

Have you ever wondered where the FDA regulation is that says, “…shall not use white out to correct quality system records.”

Don’t bother looking, because you won’t find it. You also won’t find any regulations against the use of red pens, highlighters, pencils or markers. You can’t even find a guidance document that tells you not to put a single line through mistakes, initial and date it.

The applicable regulation is 21 CFR 820.180, but the regulation doesn’t specifically say these things. Instead, the regulation says: “Records shall be legible and shall be stored to minimize deterioration and to prevent loss.” The ISO 13485 Standard is not much different. It states that you must establish a procedure that will, “Define the controls needed for the identification, storage, protection, retrieval, retention time and disposition of records.”

Over time medical device companies have developed some standard approaches to meet the requirements for Document Control, Control of Records and Training. These are the three core processes that I call “good documentation practices.” If you need training or you need tools for training employees, click on the link below to purchase our new webinar on good documentation practices.

http://robertpackard.wpengine.com/good-documentation-practices-webinar/

The webpage also includes an exam for training people on good documentation practices. The exam serves as an effectiveness check for the training, but we recommend that process owners monitor these processes–especially if the process is manual. For example, QC inspectors will complete inspection records and file the record as a quality system record. The QC supervisor, or process owner, should periodically review this records for completeness and accuracy. If the supervisor notices an error, the supervisor should notify the inspector and have them correct the mistake. The supervisor should also track how many times each error is made and specifically where errors are occurring. Collection of this data gives the supervisor trend data to help them identify which forms need to be updated to prevent errors and which employees require retraining. This data also provides evidence of competency for each employee with regard to good documentation practices.

After you have completed the training, you might also be interested in downloading our procedures for Document Control, Control of Records and Training:

http://robertpackard.wpengine.com/standard-operating-procedures-medical-device-academy/

Posted in: ISO Certification

Leave a Comment (0) →

Management Review Procedure Case Study Example

This article, “Management Review Procedure Case Study” describes an error-proof method for review and approval of procedures.

Redlined Management Review Procedure Management Review Procedure Case Study Example

The first time I was ever formally trained on how to conduct a document review was during a lead auditor course. I thought the topic seemed out of place, but as I audited more companies, I realized that missing a regulatory requirement in a procedure was quite common. Regardless of who reviews a procedure, or how many times it is reviewed, something is always missed. Unfortunately, a desktop audit of procedures is not an effective corrective action or verification method. Auditing procedures is an ineffective method for reviewing procedures, because audits are limited by sampling.

Instead of random sampling, a systematic review of 100% of regulatory requirements is needed to ensure that none of the regulatory requirements are accidentally omitted. Systematically reviewing the requirements for each country your company is selling in is tedious at best. You need a tool to make the reviewing process simple and error-proof. You also need each reviewer of the procedure to have a defined function to eliminate the duplication of work.

Procedure Reviewer Roles

Typically, there are 3-5 reviewers of procedures in most companies. Some companies make the mistake of having as many as 8-10 reviewers of procedures, but more is not better in this case. There are four primary roles for review and approval of procedures:

  1. process owner
  2. quality management
  3. regulatory
  4. independent

The process owner may be the author of a procedure, but I don’t recommend it. Editing someone else’s work is much more effective than editing your own work. Therefore, I recommend that department managers delegate the responsibility for writing a draft of a procedure to a subordinate that actually needs to perform the procedure. Then the department manager, who should also be the process owner, is responsible for reviewing and approving the initial draft.

The quality management person should be responsible for reviewing the procedure for accuracy and interactions with other processes. For example, the management review process has eight required inputs (i.e., ISO 13485, Clause 5.6.2a-h). Each of those inputs comes from another process and procedure. It is important to ensure that if you are reviewing the complaint handling procedure, somewhere in that procedure it should state that the monitoring and measuring of complaint trends should be an input into the management review process.

The regulatory person is responsible for verifying that 100% of the regulatory requirements are met by the procedure. This person should verify that the scope of the procedure identifies the relevant markets, and if there are references to documents of external origin, the regulatory person should verify that these references are accurate. It is recommended to eliminate references to revisions of documents of external origin and internal procedure revisions, because inclusion of revisions will increase the frequency of minor revisions to procedures that add no value.

Finally, the independent reviewer is looking for two things:

  1. Does the procedure make sense–to someone that performs the procedure (if that person was not the author); and to an external auditor, such as a certification body (internal auditors can fill this role)?
  2. Are there typos, spelling or grammar mistakes?

The independent reviewer does not need to be a manager. It needs to be someone that writes well. Copy editing is boring, but obvious mistakes in spelling or grammar prompt auditors to review procedures more carefully. I recommend asking an internal auditor to be the independent reviewer.

Reviewing Regulatory Requirements

The two most common reasons for audit findings is:

  1. the procedure is not being followed, and
  2. a regulatory requirement is not being met.

The first problem should be addressed by having processing owners review and write procedures instead of asking quality assurance to provide a procedure. If you are purchasing a procedure, it’s important for the person that will be performing the procedure to carefully review the procedure to ensure it matches how they intend to actually perform that process. If it’s a manufacturing procedure, I like to conduct the training of personnel with a draft procedure and hand out red pens. That also dramatically reduces complaints from the people that do the work.

For regulatory requirements, your regulatory reviewer needs to create a checklist that includes 100% of the requirements for that procedure. The model I like to follow is the Essential Requirements or Essential Principles Checklist used for technical documentation (i.e., for CE Marking). There are 13 Essential Requirements and most of the requirements have multiple subparts. The regulatory person that completes an Essential Requirements Checklist must indicate the following information next to the applicable requirement in the checklist table:

  • yes, the requirement applicable or a justification if it’s not applicable
  • a reference to any applicable standards
  • a cross reference to the record where evidence of meeting the requirement can be found (e.g., the risk management file)

Regulatory personnel can revise this approach slightly by doing the following for review of procedures:

  • yes, the requirement applicable or a justification if it’s not applicable
  • a reference to the applicable specific sub-clause in a Standard or a regulation
  • a cross reference to the subsection of the procedure where evidence of meeting the requirement can be found (e.g., section 5.1 of the SYS-003)

Case Study of SYS-003, Management Review Procedure

In the Medical Device Academy Management Review Procedure, Section 8 is the “procedure section.” Sub-section 8.3 of the procedure lists all the required inputs to a Management Review meeting. In fact, next to each input I have included a cross-reference to the sub-clause in ISO 13485:2003 for the Management Review input. There is also a requirement in 21 CFR 820.20 for conducting Management Reviews as scheduled intervals. This requirement is met by sub-section 8.1 of the Management Review procedure.

Teaching Auditors to Review Regulatory Requirements

Now, when I teach my own version of the Lead Auditor Course, I ask attendees to split into small groups and review one of their own procedures. In the last company I did this, each of the four teams found a regulatory requirement missing in the procedure they were reviewing. All four procedures the teams selected were reviewed, approved and currently in use.

Management Review Procedure – Free Download


Posted in: ISO Certification

Leave a Comment (1) →

How to Reconcile the Upcoming ISO 13485 and 9001 Standards

how to reconcile diverging standards How to Reconcile the Upcoming ISO 13485 and 9001 Standards

This blog, “How to Reconcile the Upcoming ISO 13485 and 9001 Standards” provides recommendations about how companies should implement these two standards. 

In 2003, the current version of ISO 13485 was released. This standard was written following the same format and structure of the general quality system standard at the time (i.e., ISO 9001:2000). In 2008, there was an update to the ISO 9001 standard, but the changes were extremely minor, only clarified a few points, and the periodic review of ISO 13485 in 2008 determined there was not a need to update 13485 at that time.

On December 1-5 the working group for revision of ISO 13485 (i.e., TC 210 WG1), met at AAMI’s Standards week (http://bit.ly/AAMI-Standards-Week) to review the comments and prepare a first Draft International Standard (DIS). We should have some updates on the progress of the DIS later in December, but hopefully the news will not be a delay of publication until 2016. The following is a summary of the status prior to last that meeting.

New Standards Being Released

In 2015, there will be a new international version of ISO 9001 released. This new version will have dramatic changes to the standard–including the addition of a new section on risk management and adoption of the new High Level Structure (HLS) changing from 9 sections to 11. The ISO 13485 standard is also anticipated to have a new international version released in 2015, but the ISO 13485 standard will maintain the current HLS with 9 sections. Timing of the ISO 9001:2015 release and the ISO 13485:2015 release will likely be around the same time. Both standards are expected have a three-year transition period for implementation. The combination of the three-year transition and lessened requirements in the new version of ISO 9001 for a structured quality manual should allow most manufacturers to wait until the ISO 13485 release before they begin drafting a quality plan for compliance with the new standards. Some of my clients have already indicated that they may drop their ISO 9001 certification when it expires, instead of changing their quality system to comply with the ISO 9001:2015 requirements. However, my clients will not have the ability to allow their ISO 13485 certification to lapse. Will Health Canada be updating GD210 (http://bit.ly/GD210Guidance) and continue to require ISO 13485 certification for medical device licensing? What should companies do?

Recommendations

First, I recommend that companies purchase copies of the new versions when they are published. Second, companies will need to train their management teams and auditors on the differences between the current and the new standards to enable a gap analysis to be completed. Any manager that is responsible for a procedure required by the current version of the standard should receive training specific to the changes to understand how they will meet the requirements for documented information. Most companies will need to improve their risk management competency. I recommend that companies begin drafting their quality plans and enter discussions with their certification body for quality system changes in 2016 to obtain certification of compliance with new versions of the standards in 2017. Further, I recommend that clients keep the current structure of their quality system, because the ISO 13485 standard will continue to use the current HLS and it will help everyone remember where to locate information.

There is also specific text currently in the introduction of the DIS version of ISO 9001 (highly likely to remain unchanged) that outlines it is not the intent of the standard to imply the need to align your quality management system to the clause structure of the standard. Companies that keep their ISO 9001 certification should consider including cross-references between the two standards in their quality manual.

Historical Note

There are also European National (EN) versions of each standard (e.g., EN ISO 13485:2012 – http://bit.ly/EN-ISO-13485-2012-Release). The EN versions are harmonized with the EU directives, but the content of the body or normative sections of the standards are identical. Historically, the differences were explained in Annex ZA and that was the last Annex in the EN version of the standard. In 2009 the harmonization annex for ISO 14971 (i.e., the medical device risk management standard) was split into three parts to match up with the three directives for medical devices (i.e., the MDD, AIMD and IVDD). The new annexes (i.e., ZA, ZB and ZC) were moved to the front of the EN version of the standard. The changes to ISO 14971 consisted of a correction and the change to Annex ZA. In 2012, there were new harmonization annexes created for ISO 13485 to follow the same format that was used for the EN ISO 14971 annexes. It is expected that these “zed” annexes will be released with a new EN version of the standard shortly after the international standard is published.

Posted in: ISO Certification

Leave a Comment (2) →

Disposition of Nonconforming Materials-21 CFR 820.90 Compliance

Disposition of Nonconforming Materials-21 CFR 820.90 Compliance focuses on determining a disposition method, including scrap, return to supplier, rework, use as is, etc. Part 3 in our series will address process interactions with the nonconforming material process.

Sorting Disposition of Scrap Disposition of Nonconforming Materials 21 CFR 820.90 Compliance

In our previous blog, (http://bit.ly/Auditing-NCRs-Part1) we focused on requirements to identify and segregate nonconforming materials. Once nonconformities are labeled and locked in your quarantine cage, what do you do next?

The next step in the process for controlling nonconforming materials is to determine a disposition. The most common dispositions are:

  • Scrap
  • Return to Supplier (RTS)
  • Rework
  • Use As Is (UAI)

Some companies also have dispositions of sort and repair. Sort is not a disposition, and often creates confusion for anyone auditing records of nonconforming materials. Sorting is the process that you must perform when a lot of material fails to meet acceptance criteria, but some of the individual units within the lot meet the acceptance criteria. In this scenario, the following sequence of events is recommended.

Sorting

First, the lot is segregated from conforming product and an NCR number is assigned. Next, the lot is 100% inspected for the defect and the results of the inspection are recorded on the inspection record. It is important to record the specific number of nonconforming units on the NCR record–not the total amount inspected. The final step is to release conforming product back into the production process or warehouse, and the Material Review Board (MRB) will disposition the units identified as nonconforming.

If identifying nonconforming product requires an inspection method that is not typically performed, then the inspection plan needs to be corrected, or a corrective action plan is needed. New and unforeseen defects may indicate a process change, a change in the raw materials or inadequate training of personnel at your company or your supplier. An investigation of root cause is needed, and it is recommended to consider documenting this investigation as an internal CAPA or a Supplier Corrective Action Request (SCAR).

Material Review Board (MRB)

Most companies have a “Material Review Board” (MRB) that is responsible for making the decision related to disposition of nonconforming material. Typically, the MRB will be scheduled once per week to review the most recent nonconformities. The board usually consists of a cross-functional team, such as:

  • Quality Assurance
  • Research & Development
  • Manufacturing
  • Supply Chain
  • Regulatory

The reason for a cross-functional team is to review potential adverse effects of rework and potential risks associated with a UAI disposition. If rework is required, the cross-functional team will typically have the necessary expertise to create a rework instruction and to review and approve that rework instruction–including any additional inspections that may be required beyond the standard inspection work instructions.

Scrap

If the material is going to be scrapped, there is no risk to patients or users. Therefore, the entire MRB team should not be required in order to scrap product. Because there may be a cost associated with the scrap of nonconforming product, it is recommended that someone from accounting and a quality assurance representative approve scrap dispositions. Other departments should be notified of scrap, but a trend analysis of all nonconforming product should be reviewed by each department and by top management during management reviews. Auditors and FDA inspectors specifically, will be looking for evidence of statistical analysis of nonconforming material trends and then implementation of appropriate corrective actions.

Return to Supplier (RTS)

Returning nonconforming material to the supplier that produced it is the most common disposition, but the trend of RTS should continuously be improving. If the trend of RTS is not improving, your supplier qualification process or your supplier control may be inadequate. The best way to ensure that the trend is improving is to initiate a SCAR. Some companies automatically wait until they have a trend of nonconforming material before initiating a SCAR. However, if you wait until a defect occurs twice, you are doubling the number of nonconformities for that root cause. If you wait until a defect occurs three times, you are tripling the nonconformities. For this disposition, there also does not need to be approval from the entire MRB. Typically, only someone from the supply chain management and quality assurance are needed to return nonconforming product to a supplier.

Rework

Almost every auditor looks for a specific phrase in the procedure for Control of Nonconforming Material: “The MRB will review and document the potential adverse effects of rework.” Most companies are doing this, but the procedures often do not specifically state this requirement, and rework instructions are often missing any specific inspection instructions that have been added to reduce risks associated with the rework process. Repeating the normal inspection criteria is seldom adequate for reworked product, because the rework process typically results in different defects.

Another phrase that auditors and inspectors are looking for is the requirement to document the rework instructions, and to have the instructions reviewed and approved by the same functions that reviewed and approved the normal production process. This requirement is often not specifically stated in the procedure, and FDA 483 inspection observations are commonly issued for this oversight.

Use As Is (UAI)

The UAI disposition should be rare. When I see a large number of NCRs with a disposition of UAI, I expect one of two reasons for this situation. First, the NCRs are for cosmetic defects where the acceptance criteria are too subjective and inspectors need clear guidelines regarding acceptable blemishes and unacceptable nonconformities. The visual inspection guides used during solder joint inspection for printed circuit boards is an excellent example of best practices for clearly defining visual inspection criteria. Personally, I prefer to use a digital camera to take pictures of representative “good” and “bad” parts. Then I create a visual inspection chart with a green, smiley face for “good” and a red, frowny face for “bad.” The best inspection charts identify the proper inspection equipment and quantitative acceptance criteria with pictures and symbols instead of words.

The second reason for a larger percentage of UAI dispositions is that the product specifications exceed the design inputs. For example, if a threaded rod needs to be at least 1” long, but a 1.25” long is acceptable, then you should not approve a drawing with a specification of 1.00” +/- 0.05”. Often, the legend of drawings will define a default tolerance that is unnecessary. A more appropriate specification would be 1.13” +/- 0.12”. No matter how much work it is to specifically define tolerances for each dimension on a drawing, the work required to do this at the time of initial drawing approval is much less than the work required to justify a UAI disposition. FDA inspectors will consider a UAI disposition as a potential adulterated or misbranded product, and a formal Health Hazard Evaluation (HHE) may be required to justify the reason why product is not recalled.

Regardless of the disposition of product, the decision for disposition should be a streamlined process that is not delayed unnecessarily. In order to ensure that your nonconforming material dispositions are effective and processed in a timely manner, our next blog (http://bit.ly/MDA-Blog) in the series about control of nonconforming materials will focus on process interactions, monitoring and measuring of nonconforming product and when to initiate a CAPA or SCAR to prevent more NCRs.

Posted in: ISO Certification

Leave a Comment (4) →
Page 1 of 4 1234
Follow

Get every new post on this blog delivered to your Inbox.

Join other followers:

Simple Share Buttons
Simple Share Buttons