Blog

Archive for ISO 13485:201x

Updating Training Procedure for Compliance with ISO 13485:2016

This article explains my process for updating training procedure SYS-004 for compliance with ISO 13845:2016 while the procedure was also simplified.

Training and Competency 1 Updating Training Procedure for Compliance with ISO 13485:2016

In addition to weekly blogging for the Medical Device Academy website and the FDAeCopy website, I am also updating each of my procedures for ISO 13485:2016 compliance. This week the training and competency procedure (SYS-004) was updated. You are updating your own procedures for compliance with the revised standard, but are you making any other strategic changes at the same time?

Changes to Training in ISO 13485:2016

The primary change to Clause 6.2 in ISO 13485 was the addition of the phrase, “shall document the process(es) for establishing competence, providing training and ensuring awareness.” This doesn’t represent a change in the intent of the standard, but it does signal that certification bodies should be emphasizing the importance of assessing effectiveness of training and competency–not just verifying the existence of training records.

Updating Training Procedure

The original version of SYS-004 had 8 pages and includes three different flow charts to explain the process. The procedure also required the use of a training plan for each employee. While I agree that training should be planned by managers, if you make this a formal requirement with a controlled form it creates an unnecessary burden for managers.

Therefore, when the procedure was updated to the requirements of ISO 13485:2016, the procedure was also simplified for easier implementation by start-up companies. When you update your procedures you might look for similar opportunities to simplify and streamline the processes.

The updated procedure now has suggestions for how to consolidate certain roles for smaller companies. The procedure still references a training record for documenting training, but now there is also a reference to a training matrix to help document training requirements for each employee.

The FDA also requires that there are documented training requirements. Therefore, the procedure identifies the need to create a job description that includes training and competency requirements. The procedure does not, however, require that the job descriptions be maintained as controlled documents. If your company has multiple people with the same job function (e.g., customer service), then it might make sense to have a controlled document that is a job description for customer service. A company with 4 employees do not need controlled documents and instead a unique record for each employee makes more sense.

Updating Training Procedure to Explain How to Complete Forms?

Another option is to make your procedure very detailed to explain how to complete each section of a form, such as the training record (FRM-002) or the training matrix (FRM-026). However, I see very few managers struggle with completing training records. Therefore, instead I plan to record a brief training webinar that explains how to fill in the forms. This will be provided as a free update to anyone that purchases the training competency procedure. This makes it easier to review the procedure for regulatory compliance and puts the details on how to complete forms in the training curriculum where it belongs.

If you have questions about how to update any of your procedures to ISO 13485, please email me at rob@13485cert.com. Maybe I’ll use your question as a topic for a future blog.

Posted in: ISO 13485:201x, ISO Certification

Leave a Comment (0) →

Control of Records – Updating Your Procedure for ISO 13485:2016

Article reviews changes recommended for your control of records procedure to ensure compliance with ISO 13485:2016 and applicable regulatory requirements.

VA File Storage Control of Records   Updating Your Procedure for ISO 13485:2016

Nine months have already passed since the release of the 2016 version of ISO 13485. In 2015, you were told to update your quality system procedures early before the new European Regulations were released. There is a three year transition period, and you decided to do it next year. Now it’s 2017. It’s time to update your procedures.

Quality Plan for Revising Procedures to ISO 13485:2016

My plan is to update one procedure each week from the 2003 version of ISO 13485 to the 2016 version. Some of the procedures were already updated last year, but just like you I decided to finish the work next year. For the next 6 months we will be busy revising procedures.

Training on the requirements for Control of Records

In addition to a procedure for control of records, you also need to train employees on good documentation practices. Originally I created a webinar called “GDP 101” that combined control of documents, control of records and training. Several people recommended that the webinar be revised to focus on control of records. Therefore, new webinars will be recorded each week to explain the updates to each procedure and to ensure that there is a training webinar for each procedure.

Three Generic Updates to Control of Records Procedure (SYS-002)

When you update a procedure, you need to do more than change the reference to the version of ISO 13485. For all procedures I recommend that you make three general improvements:

  1. identify a risk-based approach for that procedure,
  2. identify methods for documenting training effectiveness and competency, and
  3. verify that you have updated the procedure to address regulatory requirements.

In the case of control of records, the most important records should have more rigorous controls and more frequent monitoring of record control to ensure it is effective. For example, the following critical records are frequently sampled by FDA inspectors and should be carefully stored, organized and monitored:

  • CAPAs
  • Complaints
  • Adverse Event Reports
  • Recalls
  • Nonconforming Material Records
  • Design History Files
  • Training Records

FDA inspectors are not permitted to review records of your management reviews, internal audit records and supplier records. However, all three records will be sampled by certification bodies and therefore these three records exempt from the requirements of 21 CFR 820.180 should also be a priority for risk-based control of records.

To address the third of the generic procedural updates, you should be aware that the new EU Medical Device Regulations are expected to increase the required record retention period for non-implant devices from 5 years to 10 years. Implants are expected to remain at 15 years.

Three Procedure-Specific Updates to Control of Records Procedure (SYS-002)

In addition to the generic procedural updates, there are three changes in the Standard that are specific to control of records. First, in the section for control of documents (renumbered as Clause 4.2.4) there is now a requirement to prevent the deterioration and loss of documents.

Second, there is now a requirement in Clause 7.3.10 for maintaining design and development files for devices. This may have been previously been addressed as a requirement to meet the FDA requirements for maintaining a Design History File (DHF), but not all ISO 13485 certified companies sell product in the USA.

Third, there is a new requirement related to protection of confidential health information, such as the information gathered during complaint investigations and clinical studies. Many companies refer to this as HIPAA compliance.

Updated Procedure & Webinar Bundle

If you need to update your control of records procedure and train your employees, you might consider our new procedure and webinar bundle.

Posted in: ISO 13485:201x, ISO Certification

Leave a Comment (0) →

Implementing Procedures for CAPA, NCMR & Receiving Inspection

The article shares lessons learned from implementing procedures for a new ISO 13485 quality system. This is the second in a series. The first month of procedure implementation was covered in a previous article titled, “How to implement a new ISO 13485 quality system plan in 2016.”

Implementing Procedures Implementing Procedures for CAPA, NCMR & Receiving Inspection

Typically, I recommend implementing a new ISO 13485 quality system over a 6-month period, but recently I a few clients have requested my assistance with implementing a quality management system within 4 months. In November I wrote an article about implementing a new ISO 13485 quality system. That article described implementing procedures for the first month. Specifically, the implementation of the following procedures was covered:

  1. SYS-027, Purchasing
  2. SYS-001, Document Control
  3. SYS-002, Record & Data Control
  4. SYS-004, Training & Competency
  5. SYS-011, Supplier Quality Management
  6. SYS-008, Product Development
  7. SYS-010, Risk Management
  8. SYS-006, Change Control

These 8 procedures are typically needed first. This article covers implementation of the next set of procedures. During this month, I recommend conducting company-wide quality management system training for the ISO 13485 and 21 CFR 820.

Implementing Receiving Inspection Procedures

During the first month procedures for purchasing components and services are implemented. As these products are shipped and received by your company, you need to create records of incoming inspection. It is not sufficient to merely have a log for receiving inspection. You need records of the results of inspection. You may outsource the inspection activities, but receiving personnel must review the records of inspection for accuracy and completeness prior to moving product to your storage warehouse or production areas. Even if inspection is 100% outsourced, it is still recommended to periodically verify the inspection results independently on a sampling basis. This is should be a risk-based sampling that takes into account the importance of the item being inspected and the existence of in-process and final inspection activities that will identify potential nonconformities.

The most difficult part of this process typically is identifying inspection procedures and calibrated devices for inspection. Your company must find a balance between inspections performed by suppliers, incoming inspection, in-process inspection and final inspection. Each of these process controls requires time and resources, but implementation should be risk based and take into account the effectiveness of each 

inspection process–as determined by process validation. Sample sizes for inspection should also be risk-based.

Implementing Procedures for Identification and Traceability

The lot or serial number of components must be identified throughout product realization–including incoming inspection, storage, production, final inspection and shipping. In addition to identifying what things are, you must also identify the status of each item throughout the product realization process. For example:

  • Is product to be inspected or already inspected?
  • After inspection is product accepted or rejected?
  • Which production processes have been completed?
  • Is product released for final shipment?

The procedure for identification and traceability should be implemented immediately after the purchasing process, implemented during 1st month, because traceability requirements should be communicated to suppliers as part of supplier quality agreements and as part of each purchase order.

Initially when this process is implemented there is a tendency to complete forms for every step of the process and to distribute copies of the forms to communicate status. Completing forms and copying paperwork requires labor and adds no value. Therefore, learn manufacturing methods and visual indicators such as color coding are recommended as best practices for identifying product and its status.

Implementing CAPA Procedures

When product is identified as nonconforming, corrective actions need to be implemented to prevent recurrence. Procedures need to include the requirement for planning corrective actions, containing product that is nonconforming, correcting nonconformities and implementing actions to prevent any future nonconformities. These procedures also need to address negative trends to prevent nonconformities before product is out of specification (i.e., preventive actions). Procedures also need to provide guidelines for how to verify effectiveness of corrective and preventive actions. Initially the actions implemented will be specific to purchased product that is received and rejected. However, over time data analysis of process monitoring and internal auditing will identify additional corrective and preventive actions that are needed.

The effectiveness of CAPA processes in general requires three key elements:

  1. A well-designed CAPA form
  2. Proper training on root cause analysis
  3. Performing effectiveness checks

In the CAPA training provided during the second month, the best practices for CAPA form design are covered. The training includes several methods for root causes analysis too. Finally, the training emphasizes using quantitative measurements to verify effectiveness of corrective actions. In fact, it is recommended to identify the quantitative acceptance criteria for an effective corrective action prior to initiating actions in order to ensure that the actions planned are sufficient to prevent recurrence.

Monitoring Your Procedure Implementation Process

As indicated in November’s article, I recommend using quantitative metrics to track progress of procedure implementation. For example:

  1. % of procedures implemented,
  2. duration of document review and approval process, and
  3. % of required training completed.

Implementing Procedures for ISO 13485:2016

If you already have a quality system in place a you are implementing procedures that are modified for ISO 13485:2016 compliance, some of the same lessons learned apply. If you are interested in learning more about the changes required for compliance with the 2016 version of the standard, we recorded two live webinars on March 24, 2016.

Posted in: ISO 13485:201x

Leave a Comment (0) →

Management review revisions for ISO 13485:2016

The article explains management review revisions required for ISO 13485:2016 compliance. The article tells a story about a recent re-certification audit nonconformity and how the revised ISO 13485:2016 Standard will help prevent this type of quality issue in the future. The article includes links to information about new and revised regulatory requirements, how to write a procedure and there is a link for downloading a free management review webinar.

Management Review 20161 Management review revisions for ISO 13485:2016

One of my clients recently had a re-certification audit in December with their Notified Body and they received a nonconformity in the first couple of hours of the 4 day audit. Here’s what happened.

First, they had an opening meeting with the auditor from 8:30am – 9:05am. Next they took the auditor on a tour of the facility to show her some of the areas of the facility that had been renovated since last year’s surveillance audit. The management representative and the auditor returned to the conference room at 9:40am and the auditor began with a review of the management review revisions to the procedure. The procedure had not changed since the previous year so the auditor asked to see the most recent management review. The company conducted a management review on Tuesday, December 8, 2015. The audit reviewed all the required inputs since the previous management review–which was conducted on Tuesday, December 9, 2014.

When the auditor reviewed data analysis of complaints, she noticed a spike in complaints related to shipping errors that occurred in the months of February through May. When she asked for an explanation, the management representative explained that the renovations caused some misplacement of inventory that resulted in shipping delays and a few mistakes. The auditor asked when the trend was first observed. The management representative indicated that the trend was observed in April, and corrections were made by the warehouse manager in May. The trend was confirmed to have reversed in the data from the third quarter.

The auditor asked if a formal corrective action was implemented. The management representative said that no formal CAPA was initiated, because the problem did not appear to be a systemic problem due to the small volume of complaints relative to the large volume of shipments. The auditor asked if shipping complaints were a quality objective. The management representative confidently indicated that they were. The auditor then asked when top management was notified of the negative trend and reviewed the spike in the performance of the quality objective. The management representative said that the quality objective performance is reviewed by top management during the management reviews and since the corrections appeared to be effective no further action was warranted.

The auditor responded that she would be issuing a minor nonconformity against the management review process. The reason the auditor provided was that top management and the management representative did not maintain effectiveness of the quality management system during a major renovation, because they did not monitor quality objectives on a sufficient frequency to react to quality issues in a timely manner. Furthermore, they failed to modify there planned interval for management reviews to take into account major changes in the facility that could negatively impact quality.

At the closing meeting, top management asked what should have been done to avoid this finding. The auditor was hesitant to provide advice, but she indicated that management could have been more proactive and taken measures to prevent the shipping complaints in the first place. A quality plan for the renovation could have included increased management oversight and more frequent review of quality objectives related to the areas being renovated. Instead of reviewing quality metrics quarterly, a monthly schedule might have been used during the renovations. Instead of scheduling the management review for December, top management might have scheduled a management review during or immediately after the renovations to address any quality issues with corrective actions or action items in the management review outputs. Another possible, and less proactive, approach would have been for the warehouse manager to initiate a formal corrective action as soon as the negative trend was observed. Then top management would have been aware of the quality issue through the CAPA process. Unfortunately, none of these actions were taken.

The auditor indicated that she could have written the finding against a number of different clauses (e.g., CAPA, monitoring and measurement of processes, quality system planning). She chose to reference the management review process in the finding, because the company will need to make management review revisions in 2016 to document the justification for management review intervals. There are also management review revisions required to address new and revised regulatory requirements in the meeting outputs. Therefore, the company’s corrective action plan might also address the requirements of the revised ISO 13485:2016 Standard.

Management review revisions to frequency of planned intervals

Most companies satisfy the requirement for conducting a management review (i.e., 21 CFR 820.20 and ISO 13485, Clause 5.6) in one of the following ways:

  1. conducting one meeting each year
  2. conducting one meeting each quarter

If your company is conducting only annual reviews, your reviews will be far more useful if you switch to a quarterly schedule. In the case of my client, top management would have discussed the negative trend in shipping complaints in April 2015 instead of December 2015–8 months earlier. Reviewing data from 9-10 months ago is too late to take action.

Management Review Revisions Medical Device Academy Made

You can download the management review procedure from this website that was just updated for compliance with ISO 13485:2016. If you have your own procedure, you might want to read my blog about improving your own management review procedure. The key to writing a procedure is link the procedure to template that will be used as a starting point for each management review. The template should include each of the 8 required inputs (i.e., Clause 5.6.2), the 3 required outputs (i.e., Clause 5.6.3) and a slide for covering both the Quality Policy and the overall effectiveness of the Quality Management System. The procedure should be short and the bullets should match the requirements verbatim.

Training Top Management

The biggest reason why management reviews are ineffective is that there is little engagement by most of the people in the room. Everyone in the room should be familiar with the requirements and contribute to the preparation for a management review and management review revisions. The best management representatives anticipate the needs of top management and give them tools that explain exactly what they need to do to prepare for a management review and their responsibilities during the meeting.

Additional Management Review Resources

If you are looking for more information on this topic, here are some resources:

  1. How to Improve Your Medical Device Management Review Procedure
  2. Management Review Procedure Case Study
  3. Management Review Webinar: Making your meetings more effective
  4. Medical Device Management Review Meetings: 3 Compliance Issues

Posted in: ISO 13485:201x, ISO Certification

Leave a Comment (10) →
Follow

Get every new post on this blog delivered to your Inbox.

Join other followers:

Simple Share Buttons
Simple Share Buttons