Blog

Posts Tagged ISO 13485

How to Reconcile the Upcoming ISO 13485 and 9001 Standards

how to reconcile diverging standards How to Reconcile the Upcoming ISO 13485 and 9001 Standards

This blog, “How to Reconcile the Upcoming ISO 13485 and 9001 Standards” provides recommendations about how companies should implement these two standards. 

In 2003, the current version of ISO 13485 was released. This standard was written following the same format and structure of the general quality system standard at the time (i.e., ISO 9001:2000). In 2008, there was an update to the ISO 9001 standard, but the changes were extremely minor, only clarified a few points, and the periodic review of ISO 13485 in 2008 determined there was not a need to update 13485 at that time.

On December 1-5 the working group for revision of ISO 13485 (i.e., TC 210 WG1), met at AAMI’s Standards week (http://bit.ly/AAMI-Standards-Week) to review the comments and prepare a first Draft International Standard (DIS). We should have some updates on the progress of the DIS later in December, but hopefully the news will not be a delay of publication until 2016. The following is a summary of the status prior to last that meeting.

New Standards Being Released

In 2015, there will be a new international version of ISO 9001 released. This new version will have dramatic changes to the standard–including the addition of a new section on risk management and adoption of the new High Level Structure (HLS) changing from 9 sections to 11. The ISO 13485 standard is also anticipated to have a new international version released in 2015, but the ISO 13485 standard will maintain the current HLS with 9 sections. Timing of the ISO 9001:2015 release and the ISO 13485:2015 release will likely be around the same time. Both standards are expected have a three-year transition period for implementation. The combination of the three-year transition and lessened requirements in the new version of ISO 9001 for a structured quality manual should allow most manufacturers to wait until the ISO 13485 release before they begin drafting a quality plan for compliance with the new standards. Some of my clients have already indicated that they may drop their ISO 9001 certification when it expires, instead of changing their quality system to comply with the ISO 9001:2015 requirements. However, my clients will not have the ability to allow their ISO 13485 certification to lapse. Will Health Canada be updating GD210 (http://bit.ly/GD210Guidance) and continue to require ISO 13485 certification for medical device licensing? What should companies do?

Recommendations

First, I recommend that companies purchase copies of the new versions when they are published. Second, companies will need to train their management teams and auditors on the differences between the current and the new standards to enable a gap analysis to be completed. Any manager that is responsible for a procedure required by the current version of the standard should receive training specific to the changes to understand how they will meet the requirements for documented information. Most companies will need to improve their risk management competency. I recommend that companies begin drafting their quality plans and enter discussions with their certification body for quality system changes in 2016 to obtain certification of compliance with new versions of the standards in 2017. Further, I recommend that clients keep the current structure of their quality system, because the ISO 13485 standard will continue to use the current HLS and it will help everyone remember where to locate information.

There is also specific text currently in the introduction of the DIS version of ISO 9001 (highly likely to remain unchanged) that outlines it is not the intent of the standard to imply the need to align your quality management system to the clause structure of the standard. Companies that keep their ISO 9001 certification should consider including cross-references between the two standards in their quality manual.

Historical Note

There are also European National (EN) versions of each standard (e.g., EN ISO 13485:2012 – http://bit.ly/EN-ISO-13485-2012-Release). The EN versions are harmonized with the EU directives, but the content of the body or normative sections of the standards are identical. Historically, the differences were explained in Annex ZA and that was the last Annex in the EN version of the standard. In 2009 the harmonization annex for ISO 14971 (i.e., the medical device risk management standard) was split into three parts to match up with the three directives for medical devices (i.e., the MDD, AIMD and IVDD). The new annexes (i.e., ZA, ZB and ZC) were moved to the front of the EN version of the standard. The changes to ISO 14971 consisted of a correction and the change to Annex ZA. In 2012, there were new harmonization annexes created for ISO 13485 to follow the same format that was used for the EN ISO 14971 annexes. It is expected that these “zed” annexes will be released with a new EN version of the standard shortly after the international standard is published.

Posted in: ISO Certification

Leave a Comment (2) →

ISO 13485: Compliance with European, Canadian & 21 CFR 820 Regs

iso 13485 cert compliance ISO 13485: Compliance with European, Canadian & 21 CFR 820 Regsby Susan Christie

This blog reviews key regulatory requirements in Europe, Canada and the U.S. (21 CFR 820) related to developing a quality plan for ISO 13485 certification.

Your medical device company developed a quality plan for ISO 13485 certification (http://bit.ly/ISOQualityPlan), and your plan is targeting the three most common markets for U.S. companies: 1) USA, 2) Europe and 3) Canada. Now that you’ve identified your target markets, what are the applicable regulatory requirements?

Three separate quality systems would be inefficient and confusing. The key to managing multiple markets is to create one Quality Management System (QMS) that meets the requirements for all your target markets. If you are doing this for the first time, this is a daunting task.

Where to Start

The basic foundation for achieving regulatory compliance is ISO 13485, but each of the three markets has additional regulatory requirements that must be incorporated into the QMS. Therefore, we recommend the following step-by-step approach:

  1. Organize your quality system and Quality Manual in accordance with ISO 13485
  2. Starting with Health Canada’s GD210 Guidance document, which includes a comparison table to ISO 13485, identify the unique requirements of the CMDR
  3. Next, identify the differences between the MDD and ISO 13485
  4. Finally, identify the differences between QSR requirements and ISO 13485

You might also review comparison tables from the IMDRF website (http://bit.ly/IMDRFDoc) to help you identify differences between the ISO 13485 Quality System documentation and international regulatory requirements. The person responsible for this review should also be able to prepare your company for inspection and audits from each regulatory body.

U.S. Market: 21 CFR 820

For the U.S. market, companies must comply with 21 CFR 820 (see link above). Fortunately, the QSR and ISO 13485 are very similar. Key differences between 21 CFR 820 and ISO 13485 include the following:

  1. Training procedure, (21 CFR 820.25)…which satisfies ISO 13485, Clause 6.2.2
  2. Statistical techniques procedure, (21 CFR 820.250)…which could be combined with ISO 13485, Clause 8.4 for Data Analysis
  3. Recall procedure (http://bit.ly/21CFR806), which is typically combined with the requirement for an advisory notice procedure in ISO 13485, Clause 8.5.1
  4. Medical Device Reporting procedure, (http://bit.ly/21CFR803) which you may want to keep independent from your other adverse event reporting procedures
European Market

In the European market, devices must have approval for the CE Mark in accordance with one of the three device directives: the Medical Device Directive (MDD), Active Implantable Medical Devices (AIMD) or In Vitro Diagnostics Directive (IVDD). This process is defined in the MDD. There is also a similar directive for AIMD and IVDD. The European Commission issued a draft proposal to replace the three directives with two new regulations. The proposed medical device regulation (http://bit.ly/EUProposal) combines the MDD and the AIMD directives, while the proposed in vitro diagnostic regulation (http://bit.ly/EUIVDProposal) will replace the IVDD when it is finalized.

Canadian Market

In Canada, companies must conform to the Canadian Medical Device Regulations (CMDR) under the Canadian Medical Device Conformity Assessment System (CMDCAS). During the QMS certification process, the most critical sections of CMDR are those specific to distribution records (Section 52), Medical Device Licensing (Sections 44-51), Mandatory Problem Reporting (Section 59), recalls (Section 63), and Implant Registration (Section 66).

These sections of the CMDR are important, because each requirement must be addressed in your procedures. The reference documents identified above provide the information you need to properly prepare for CMDCAS certification. There is a cross-reference table in the back of the GD210 guidance document that is organized according to the ISO 13485 Standard. The table also includes audit checklist questions that your internal audit team should use to verify conformity to the CMDR during internal audits.

Medical Device Academy started a 6-part series on the Roadmap to ISO 13485 Certification on August 28. These six seminars are being recorded, and you can register at any time (http://bit.ly/roadmapiso). The 6th and final seminar in the series is specific to Stage 1 and Stage 2 ISO Certification Audits.

If you need assistance with ISO 13485 Certification, or you are interested in training on medical device regulations for the United States, Europe, or Canada; please email the Medical Device Academy at rob@13485cert.com or contact Rob Packard by phone @ +1.802.258.1881. For other blogs on the topic of “ISO Certification,” please view the following blog category page: http://robertpackard.wpengine.com/category/iso-certification/

Please Join us on Social Medialinkedin 1 ISO 13485: Compliance with European, Canadian & 21 CFR 820 Regsgoogleplus ISO 13485: Compliance with European, Canadian & 21 CFR 820 Regstwitter ISO 13485: Compliance with European, Canadian & 21 CFR 820 Regs

Posted in: ISO Certification

Leave a Comment (3) →

12 Important Tasks for Implementing ISO 13485

%name 12 Important Tasks for Implementing ISO 13485By Guest Blogger, Brigid Glass

The author describes 12 important tasks (training, auditing, etc.) which should be included in your plan for successfully implementing ISO 13485.

For your ISO 13485 implementation project, use a planning tool that you are comfortable with (e.g., – a spreadsheet or project planning software). Your plan should include the following:

  1. Identification of each task
  2. Target dates for completion of each task
  3. Primary person responsible for each task
  4. Major milestones throughout the project

Regular progress reports to top management and implementation meetings with all process owners are recommended to track your progress to plan. Weekly meetings are also recommended, so that no tasks can fall too far behind schedule. Be sure to invite top management to weekly meetings, and communicate the progress toward completion of each task to everyone within your company. The list below identifies 12 of the most important tasks that should be included in your plan.

12 Tasks to Consider for Implementing ISO 13485
  • 1. Select a certification body and schedule your certification audits (i.e., – Stage 1 and Stage 2). If you want to place devices on the market in the EU, Japan or Canada, make sure your certification body meets the specific regulatory requirements for that market (http://bit.ly/Sept24FX).
  • 2. Establish a Quality Manual and at least 19 required procedures. If you have purchased a copy of the excellent Canadian CSA publication “Plus 13485” (http://bit.ly/13485Plus), this lists required procedures for you. There are a few extra procedures or work instructions needed to meet regulatory requirements (e.g., – training, mandatory problem reporting, and post-market surveillance).
  • 3. Document training on the procedures comprising the quality system. A signed form indicating that employees “read and understand” the procedures is not enough. Training records should include evidence of effectiveness of training, and you should be able to demonstrate competency of the people performing those procedures.
  • 4. You must complete at least one full quality system internal audit. Timing of your internal audit should be late enough in the quality plan that that most elements of your quality system have been implemented. However, you want to allow enough time to initiate CAPAs in response to internal audit findings before your Stage 1 audit. If your internal auditor(s) have been heavily involved in the implementation of the quality system, you may need to hire an external consultant to perform your first internal audit.
  • 5. You need to complete at least one management review, which can be done just before the Stage 1 audit. My preference, if there is time, is to have at least two management reviews. The first review might occur three months before the Stage 1 audit, just before you plan to perform an internal audit of the management processes. There may be limited data to review at that time, but this first review provides an opportunity to train top management on their roles and responsibilities during a management review.

The second management review must cover all the requirements identified in ISO 13485, Clause 5.6. The second management review is also your last chance to identify any gaps in your quality system, and initiate a CAPA or action items before your certification auditor arrives.

  • 6. Compliance with regulatory requirements must be a commitment stated in your company’s Quality Policy. Specific regulatory requirements should be traceable to a specific procedure(s).

If you are seeking ISO 13485 Certification as part of the Canadian Medical Device Conformity Assessment System (CMDCAS) or the CE Marking process, then these regulatory requirements will be specifically included in your certification audit.

  • 7. Systematically incorporate customer and regulatory requirements into the quality management system. For contract manufacturers, this is especially important, and the Supplier Quality Agreements your company executes are the best source of these customer requirements. If your company is a legal manufacturer (the company named on the product label), this task is probably addressed sufficiently in tasks #1 and 6.
  • 8. You need to implement a supplier quality management process. If you already have a strong supplier quality program, then this may be a small task involving a few changes to your procedure. If you don’t have much of a supplier program yet, then this may involve identifying your suppliers, ranking them all according to type and risk, qualifying or disqualifying them and executing supplier quality agreements.

Note: If you need training on Supplier Quality Management, you might consider participating in Medical Device Academy’s October 4th training workshop (http://bit.ly/MDAWorkshops).

  • 9. If product design is within the scope of your QMS, which is typical of legal manufacturers, but not for contract manufacturers, then you must establish a design control procedure(s). Product development projects often operate in a timeframe that is longer than your implementation project, and you may need ISO 13485 certification as part of the regulatory approval process.

Therefore, the minimum expectation is to initiate at least one development project prior to the certification audits. For records of implementation, you should have a design project plan, an initial risk management plan, reviewed and approved design inputs for your first product and conduct at least one design review.

  • 10. Document what your Certification Body expects (e.g., – notifying them of significant changes). These expectations are likely to be stated in your contract with the Certification Body.
  • 11. Appoint the management representative and a deputy. Ideally, this is formally documented with a letter of appointment signed by the CEO and the management representative. This letter should be maintained in the management representative’s personnel file, along with a copy of the job description explaining the job responsibilities of the management representative. This may also be achieved by identifying the management representative and a deputy in your company’s organization chart.
  • 12. After the certification audit, your last task should be to “Create Quality Plan #2”—another PDCA (http://bit.ly/PDCAcycle) loop through the system. The reason for a new quality plan is to implement improvements based upon what you learned while you were building the quality system for the initial certification audit.

If your company wants to achieve ISO 13485 certification, you may be interested in our 6-part, “Road to Certification – The Series” (http://bit.ly/roadmapiso) audiocasts beginning on August 28, 2013 (also available as a recording).

Posted in: ISO Certification

Leave a Comment (2) →

Implementing ISO 13485: Planning the Project

By Guest Blogger,  Brigid Glass %name Implementing ISO 13485: Planning the Project

5 reasons why ISO 13485 certification may take longer than you expect, as well as tips and planning advice to help avoid pitfalls are provided.

Your company wants to achieve ISO 13485 certification. How are you going to get there? In a recent blog, I reviewed setting objectives for implementing an ISO 13485 certification project. Once you’re clear on those, then you’re ready to create your first quality plan. The basic elements of any plan will be:

  • Task breakdown (which I will cover in a separate blog)
  • Timeline
  • Resources (skills and hours available)
Timeframes and Trade-offs of ISO 13485 Certification Planning 

The endpoint of planning for the certification project is the certification audit. The earlier you choose your registrar or Notified Body and book the audit, the more choice you will have regarding the date. This should be one of the earliest tasks in the task breakdown. To be able to do that, you need a timeframe as to when you will be ready for the certification audit. How long it takes to implement ISO 13485 and be ready for a certification audit depends upon your starting point and your available resources. If you have no QMS in place, it will take you longer than if you already have a strong, documented QMS that is in compliance with 21 CFR Part 820.

It May Take More Work

If you already have ISO 9001:2008 certification, though you already have a structure in place, the upgrade to ISO 13485 is likely to take more work than you expect because:

  1. There are fewer procedures required by ISO 9001
  2. Most of your existing procedures will require revision
  3. Your employees will need training on the new procedures
  4. You will need time to generate records using new procedures
  5. You will need to complete a full quality system audit of the new procedures

Many companies also underestimate the required resources for ISO 13485 certification. If you have a knowledgeable consultant, and people available to write procedures, then ISO 13485 implementation will progress faster than an organization that has little expertise and little time available, so plan accordingly. Ideally, you will determine the length of time each task will take, and decide on an endpoint for the project based on that information and available resources. This approach works well if you already have a well-documented, regulated QMS.

6 Months-Reasonable Timeframe?

Six months is my personal rule of thumb for the time needed to implement a quality system compliant with ISO 13485. If the implementation schedule is longer, organizational enthusiasm may wane. If the timeframe is shorter than six months, it’s difficult to complete all the required tasks. No matter how carefully you plan, you still need to write procedures, train personnel and implement  procedures, so there is adequate time to generate records. Six months is aggressive for most companies, but the objective of achieving certification in six months is reasonable.

You may find it interesting that in Rob Packard’s white paper on ISO 13485 implementation. he also recommends that you allocate six months of one Full-Time Equivalent (FTE). This is a reasonable starting point, but you may want to adjust your own resource allocation up or down depending upon the level of experience within the implementation team. Experience has taught me that smaller organizations are more successful at building an effective quality system when effectiveness is achieved in reiterative steps (i.e., – revision 1, revision 2, etc.). This is also the basis of the Deming/Shewhart Plan-Do-Check-Act (PDCA) cycle (http://bit.ly/PDCAcycle). This is also what I meant in a recent blog (http://bit.ly/ImplementationObjectives) where I suggested that you should “throw perfectionism out the window.”

Your understanding of how the quality system links together will grow as you implement each process in your implementation plan. As understanding grows, you may reconsider some of your procedures. Instead of delaying the certification process (i.e., – revision 1), you may want to implement improvements as a second revision to procedures after the Stage 2 certification audit (i.e., – revision 2). During your Stage 1 and Stage 2 certification audits, your understanding of how the standard is interpreted and audited will build. After you achieve initial ISO 13485 certification, you will have a much greater understanding of how all the elements of the quality system need to work together. You will also understand what parts of your quality system are easy for an outsider to audit.

After the ISO 13485 Certification Audit

During the initial planning stage, you should also imagine your future state after the certification audit (http://bit.ly/Beginwiththeendinmind). Your boss may assume that once the audit has been and gone, then everything will settle back to “normal” again. The reality is that after you deal with any nonconformities, and you take off a few days like you promised your family, you will have a long list of improvement ideas waiting for you. You will also need to prepare for next year’s surveillance audit. Therefore, I recommend that you manage expectations by adding “Create Quality Plan #2” as the last step of your ISO 13485 certification plan. If your company wants to achieve ISO 13485 certification, you may be interested in our 6-part, “Road to Certification – The Series” (http://bit.ly/roadmapiso) beginning on August 28, 2013 (also available as a recording).

Posted in: ISO Certification

Leave a Comment (0) →

Implementing ISO 13485: Dealing with Delays

By Guest Blogger,  Brigid Glass

%name Implementing ISO 13485: Dealing with Delays  The author provides tips, practical examples and 6 steps to follow if your ISO 13485 implementation project falls behind schedule.

In the best planned project, with plentiful, skilled resources and diligent monitoring, things can still go awry. We need to be watchful for signs of our plans falling behind schedule, and develop contingency plans to prevent delays.

Walk Around the Mountains

Identify major obstacles early and develop a plan to deal with them. The major obstacles are usually the tasks that take the longest—such as process validation. Specifically, name these tasks in your pitch to management for resources before you start. This approach will ensure that everyone is focused on the biggest challenges.

If your plan to climb over those mountains is failing, work out a route around them. Maybe your R&D Manager can’t yet accept that there will now be design controls. In this case, an alternate path might be to purposely leave design controls for last. If you write a concise procedure and release it as your last procedure, then you have a built-in excuse for why you have very few records to demonstrate implementation of design controls. You will still need at least one design project plan and training records to demonstrate that the process is implemented.

If this plan is successful, your auditor will write in the report that “design controls are implemented, but there are limited records to demonstrate implementation at this time.” If this plan is unsuccessful, you will need to provide additional design control records before you can be recommended for ISO certification—typically within 90 days.

Another approach is to initiate a CAPA and implement some of the tasks after the audit. For example, you have more suppliers than you can audit prior to certification. In this case, qualify all your suppliers, and use a risk-based approach to help you prioritize which suppliers need to be audited first. In your plan, identify that you will start by auditing the three highest-risk suppliers. Lower risk suppliers can be scheduled for audits after certification.

Be Watchful

Keep a close eye on your project plan. One of the most important factors for success is keeping the plan, and progress against the plan, in front of the key players and senior management. Do this in such a way that progress, or the lack of it, is very clearly visible. It’s a basic maxim of Quality that we act on what we measure.

ISO 13485 Implementation: If Your Project Falls Behind Schedule

If you find yourself lagging seriously behind in your project, the following steps will assist you in recovering sufficiently to still be able to attain certification.

  1. Enlist management support when you need it, especially if you need them to free up resources.
  2. Prioritize. Before the Stage 1 audit, ensure that those procedures which are required by ISO 13485 are released (there are 19). There’s always room for improvement, but leave some of it for the second revision, instead of delaying certification.
  3. Ensure that you have at least a few examples of all the required records. Your auditor will be unable to tick off his checklist if a record is absent. Make it easy for the auditor.
  4. If there is a sizeable gap that you won’t be able to close before certification (i.e., – you have a validation procedure, but validations have not been completed), write a CAPA outlining your action plan to address the gap. During the audit, act confidently when you are questioned about the gap. Many auditors will give you credit for identifying the problem yourself.
  5. Don’t panic. The worst the auditor can do is to identify a nonconformity you will have to address with a CAPA plan before you can be recommended for certification. At most, this will result in a delay of a few weeks.
  6. Throughout your certification preparations, and during the certification audits, you will identify issues you may not have time to resolve before the certification process is complete. If you are planning to revise procedures and make other corrections, make sure you track these issues as CAPAs, or with some other tool (e.g., – an action item list). You want to address each issue prior to the first surveillance audit (no more than 12 months from the date of the Stage 2 audit).

Best wishes for your project. Success is the result of good planning, good communication and good monitoring.

This blog is part of a series of blogs that leads up to our Roadmap to Iso 13485 Certification Courses

 

Posted in: ISO Certification

Leave a Comment (0) →

Implementing the ISO 13485 Standard: Objectives

By Guest Blogger, Brigid Glass

The author discusses implementing the ISO 13485 standard, including 7 questions to clarifying your objectives and 6 considerations in shaping your objectives.%name Implementing the ISO 13485 Standard: Objectives

Implementing ISO 13485 is such a large undertaking for an organisation that it pays to approach the planning strategically to ensure that all objectives are met.  Often, some objectives are made explicit, others are unspoken. It is worth taking the time to ensure that all objectives are clearly stated to achieve the outcomes you want. Begin with the end in mind. Then, ensure that you are taking the organisation with you, and you are all headed to the same destination.

7 Questions to Clarify Your Objectives
  1. What are your regulatory drivers for ISO 13485 implementation? Are there dates associated with marketing plans that you need to take into account? Are there other regulatory requirements that need to be built into the QMS and the implementation plan, (e.g., incident reporting for Canada, or a Technical File for CE marking?)
  2. What other regulatory requirements must you meet to get into international markets? ISO 13485 requires that you meet applicable regulations for each market, such as: a training procedure to address 21 CFR 820.25, a post-market surveillance plan to address CE Marking requirements, and a Mandatory Problem Reporting Procedure for Canada.
  3. If you are a supplier to medical device manufacturers, what do your customers expect of your QMS? If they haven’t made this explicit already, ask them. Meeting their needs and their audits of your system may be as important to you as the certification audit.
  4. Do you want to achieve business improvements by implementing a QMS? If you include this in your stated objectives, and everyone “buys into” the program, then you will build procedures that deliver business improvements, rather than just being regulatory overhead.
  5. Do you have real buy-in from your CEO? You may have buy-in for certification, but if you don’t already have a regulated QMS, does she or he fully understand the cultural change that he or she must lead? If not, make this one of your unwritten objectives and keep it front of mind.
  6. Do you have organisational buy-in?  Ensure that it is clear who owns each process, and that those process owners have the ultimate responsibility for compliance of their process and ownership of documentation that is created for those processes. Keep project progress visible. Develop a communication plan with its own objectives and targets, even if your organisation is small.
  7. Do you want to align with other systems? If you already have a QMS, you will want to integrate ISO 13485 compliance with that. Do you also need to implement ISO 14971, the risk management standard? Since you are going to be doing this much work on your QMS, maybe you could take the opportunity to align it with your health and safety or environmental management systems.
Timeframes and Trade-offs

How long it takes to implement ISO 13485 will be covered in another blog soon.  Six months is a workable rule of thumb.

So what do you do if you don’t have that long, and have to meet a pressing deadline?  Or you don’t have the resources available to implement, as well as you want in the time available?  Compromises have to be made, and now it’s necessary to set short-term and long-term objectives.

6 Considerations in Shaping Your ISO 13485 Standard Implementation Objectives

If you are constrained from structuring the implementation project ideally, the following considerations below will assist you in shaping your objectives:

  1. Get a qualified consultant who understands your business. If you have a large company, find someone who spends more of their time working with corporates, and vice versa for a small company.
  2. Throw perfectionism out the window. The goal is not perfect procedures. The essence of a Quality System is documentation to explain the intent, records to capture reality, internal auditing and monitoring to identify the gaps and CAPA to improve and maintain effectiveness. The Deming Plan-Do-Check-Act cycle assumes that you are never perfect.)
  3. Accept that you then have another round of work to do to improve procedures.
  4. Organisational buy-in is even more critical. Be very careful about setting expectations. Adjusting to the extra requirements of a regulated QMS is already difficult. In these circumstances, you may be asking people to live with procedures that are not as usable as they would like.
  5. Be especially careful to ensure that the auditor can tick off all the essential points, and find how you have fulfilled the requirements without hunting too hard. All the required procedures and records must be in place. It’s more important to address 100% of the requirements, than to perfect 80% and skip the last 20%.
  6. Accept that there may be nonconformities that have to be dealt with after the certification audit. Set the organisational expectation around this and build time for it into your schedule. Ask your certification body early to tell you the timeframe for dealing with nonconformities.
Setting Expectations

Objectives need to be communicated clearly to everyone in the organisation. For a project (and many other things in life),

Satisfaction (or Disappointment) = Actual Result – Expectation

The certification audit is not the end. You will still need people to align their effort to making the implementation succeed after the pressure and obvious deadline of the certification audit has passed.  Setting their expectations appropriately early in the project is essential to keeping their (and your) motivation going. This is especially important if you are building your QMS, short on time or resource, and therefore know that you need to do a lot of work in the year following certification to develop improved workable procedures and generate a recorded history of compliance.

 

This blog is part of a series of blogs that leads up to our Roadmap to Iso 13485 Certification Courses

Posted in: ISO Certification

Leave a Comment (0) →

Benefits of Incorporating Risk Management into Procedure Documents

By Guest Blogger, Brigid Glass
8971385878 db2fe2e49a q Benefits of Incorporating Risk Management into Procedure DocumentsThe author discusses benefits of incorporating risk management into procedure documents. An example procedure for Record Control is included.

When I was first introduced to FMEA many years ago, I loved it. I loved the systematic approach, and  particularly appreciated using a Process FMEA to explain to those involved with a production process why certain controls had been put in place. I enthusiastically taught FMEA to our engineers. At the time, our bubbly, buoyant, outcomes-focused Training Manager said to me, “You Quality people have such a negative outlook. You’re always looking for what can go wrong!”  Well yes, but it’s our role to prevent things from going wrong!  I’d found a tool to help me with that.

Next, there was EN 1441, a risk analysis standard that never satisfied, and always felt incomplete. ISO 14971 followed, covering the entire lifecycle of a product, with closed feedback loops.  So now, risks in product and process design were well covered, but ISO 13485 section 7.1 asks us to “establish documented requirements for risk management throughout product realization.”  Many of us would acknowledge that we could do better, even though we pass audits.  And what about the rest of the quality management system?  I know that when we document a procedure, we already apply risk management principles in our heads, but we usually don’t apply them systematically, or write down the results.

The Idea

Recently, Rob Packard and I started work on a project that requires us to generate a full set of documentation for a QMS, compliant with both U.S. and EU requirements, including ISO 13485 and ISO 14971. We each had our own ideas on how best to write a procedure, but this project provided us an opportunity to get some synergy going. Rob wanted to address risk management in each procedure. “Yes!” I said, thinking that here was a chance to fill that gap. But then it was my job to develop the template for the procedures and work out how to accomplish this…

My first results looked very complicated, so I took the KISS (Keep It Simple, Stupid) approach: one column for the hazards and consequences, and one for the risk control measures.

What I didn’t include:

  • I started with more complex hazard documentation (hazard ID, impact, trigger event, etc), but felt the benefits in the context of a procedure document were not balanced by the extra complexity and work required for analysis and training. It would be a hard sell to users within an organisation who were not used to the risk management approach.
  • I decided not to assess risks and controls quantitatively for the same reasons as in the bullet point above.
  • Initially, I included references to implementation, but this would be difficult to maintain as other documents changed.
  • I thought about verification of implementation of risk controls, then decided to leave that verification to reviewers.

Below is an example from a procedure for Record Control where records are completed on paper, then scanned as a pdf. My list won’t be the same as your list, but it is illustrative.

brigid chart 1 Benefits of Incorporating Risk Management into Procedure Documents

Standards and regulations are essentially a set of risk controls, so they are the first starting point when identifying hazards. The list should include direct risks to product, risks to the integrity of the QMS and regulatory risks. For those of us who have been in this industry for awhile, experience, past mistakes, questions fielded in external audits and observations of other systems will yield further hazards and appropriate controls. Audits provide the opportunity to update and refine the list and test the control measures.

Benefits of Incorporating Risk Management into Procedure Documents

  • Impresses your ISO 13485 auditor!
  • When first writing procedure documents, starting the writing process by reviewing the external requirements, and systematically writing the risk section, sharpens the mind as to what must be included in the procedure. This is the same approach as in design controls, where we include risk mitigators that apply to product design in the design inputs. This is part of planning in the PDCA cycle.
  • Supports future decision-making, in the same way that the risk file for a product is considered when a design is changed. The risk control section of a procedure provides the criteria against which any improvement or change can be assessed. Will it enhance the risk controls, or might it introduce a new hazard?
  • Serves as the basis for training on the procedure. Making visible the link between potential hazards and procedural controls much more convincing than saying, “Do this because the procedure says so,” or, “It’s in the procedure because the regs say so.”

This is part 1 in a series of blogs that leads up to our Roadmap to Iso 13485 Certification Courses

 

Posted in: Risk Management

Leave a Comment (0) →

Preparing for ISO 13485 Certification in 5 Steps

The author provides 5 steps in preparing for the ISO 13485 certification process, and his own insights and tips for each step are reviewed.

A LinkedIn connection of mine recently asked for sources of good guidance on ISO 13485 registration. I wrote a blog recently about Quality Management Systems in General, but I had trouble finding resources specific to the ISO 13485 registration process. Therefore, I decided to write a blog to answer this question.

Typically, people learn the hard way by setting up a system from scratch. The better way to learn it is to take a course on it. I used to teach a two-day course on the topic for BSI. The link for this course is: http://bit.ly/Get13485; I shortened the link to the BSI website.

Other registrars offer this course too. I suspect you can find a webinar on this through TUV SÜD, BSI, SGS, LNE/GMED, Dekra, etc. from time to time.

The only registrar I could find that described the process step-by-step was Dekra. I have copied their steps below:

 ISO 13485 Certification: Inquiry to Surveillance in 5 Steps

1. Inquiry

An initial meeting between [THE REGISTRAR] and the client can take place on site or via teleconference. At this time, the client familiarizes [THE REGISTRAR] with company specifics and its quality assurance certification requirements; [THE REGISTRAR] explains its working methods and partnering philosophy, and previews the details of the process.

%name Preparing for ISO 13485 Certification in 5 Steps

Rob’s 2 Cents

As a client I have completed two initial certifications personally and three transfers, but I have only once had the sales representative actually visit my company. I think this process is typically accomplished by phone and email. If any registrars are reading this, you will close on more accounts if you visit prospective clients personally. In fact, the one that actually visited my company (Robert Dostert) has been on speed dial for almost a decade and he’s received repeat business.

 

 

2. Application Form

The client chooses to move forward by filling out an online application form. Based on the information obtained during the inquiry stage, along with the application form, [THE REGISTRAR] prepares a quote, free of charge, for the entire certification process. A client-signed quotation or purchase order leads to the first stage of the certification process.

my two cents1 Preparing for ISO 13485 Certification in 5 Steps

Rob’s 2 Cents

For both of the Notified Body transfers I completed, I completed application forms and requested quotes from multiple Notified Bodies. During the quoting process, my friend Robert was more responsive and able to answer my questions better than the competition. Robert was also able to schedule earlier audit dates than the competition. To this day, I am still amazed that Notified Bodies are not more responsive during this initial quoting process. All of the Notified Bodies are offering a certificate (a commodity). The customer service provided by each Notified Body, however, is not a commodity. Each Notified Body has its own culture, and every Notified Body has good and bad auditors. Therefore, you need to treat this selection process just like any other supplier selection decision. I have provided guidance on this specific selection process on more than one occasion, but I am definitely biased.

 3. Phase One: Document Review and Planning Visit

%name Preparing for ISO 13485 Certification in 5 Steps

LNE/GMED Flow Diagram for the process of ISO 13485 Certification

At this stage, [THE REGISTRAR] performs a pre-certification visit, which entails verifying the documented quality systems against the applicable standard. [THE REGISTRAR] works with the client to establish a working plan to define the [THE REGISTRAR] quality auditing process. If the client wishes, [THE REGISTRAR] will perform a trial audit or “dress rehearsal” at this stage. This allows the client to choose business activities for auditing, and to test those activities against the applicable standard. It also allows the client to learn and experience [THE REGISTRAR] ‘s quality auditing methods and style. The results of the trial audit can be used toward certification. Most clients elect for one or two days of trial auditing.

%name Preparing for ISO 13485 Certification in 5 Steps

Rob’s 2 Cents

Dekra’s statement that, “The results of the trial audit can be used toward certification,” is 100% opposite from BSI’s policy. BSI calls this a pre-assessment. The boilerplate wording used in BSI quotations is, “The pre-assessment is an optional service that is an informal assessment activity intended to identify areas of concern where further attention would be beneficial and to assess the readiness of the quality management system for the initial formal assessment.” During these pre-assessments, BSI auditors explain that any findings during the pre-assessment will not used during the Stage 1 and Stage 2 certification audits, and the client will start with a “clean slate.” Most of the clients I conducted pre-assessments for were skeptical of this, but most auditors are ethical and make every effort to avoid even the perception of biasing their sampling during the Stage 1 and Stage 2 audits.

I highly recommend conducting a pre-assessment. You want an extremely thorough and tough pre-assessment, so that the organization is well prepared for the certification audits. If the auditor that will be conducting the Stage 1 and Stage 2 audit is not available to conduct a pre-assessment, try to find a consultant that knows the auditor’s style and “hot buttons” well. FYI…You can almost always encourage me to do a little teaching when I’m auditing (I just can’t resist), and my “hot buttons” are CAPA,  internal auditing and design controls.

 4. Phase Two: Final Certification Audit

Once the client’s documented systems have met the applicable standards, [THE REGISTRAR] will conduct an audit to determine its effective implementation.  [THE REGISTRAR] uses a professional auditing interview style instead of a simple checklist approach. This involves interviewing the authorized and responsible personnel as designated in the documented quality system.

%name Preparing for ISO 13485 Certification in 5 Steps

Rob’s 2 Cents

For certification audits, ISO 17021 requires a Stage 1 and Stage 2 audit to be conducted. The combined duration of the certification audits must be in accordance with the IAF MD9 guidance document–which is primarily based upon the number of employees in the company. The “interview style” that Dekra is referring to is called the “Process Approach.” This is required in section 0.2 of the ISO 13485 Standard, and this is the primary method recommended by the ISO 19011 Standard for auditing–although other methods of auditing are covered, as well.

 

5. Surveillance

[THE REGISTRAR] arranges for surveillance audits semi-annually or annually, as requested by the client.

%name Preparing for ISO 13485 Certification in 5 Steps

Rob’s 2 Cents

I highly recommend annual surveillance audits, because the short duration of surveillance audits becomes unrealistically short when the auditor is asked to split their time between two semi-annual visits. A few clients have indicated that the semi-annual audits help them by maintaining pressure on the organization to be ready for audits all year-round, and prevents them from procrastinating to implement corrective actions. This is really an issue of management commitment that needs to be addressed by the company. Scheduling semi-annual surveillance audits doesn’t address the root cause. The only good argument I have for semi-annual cycles is if you have very large facilities that would have an audit duration of at least two days on a semi-annual basis.

The most important consideration related to scheduling surveillance audits is to ensure that you schedule the audits well before the anniversary date. I recommend 11 months between audits. By doing this, you end up scheduling the re-certification audits three months before the certificate expires. BSI has a different policy. They want auditors to schedule the first surveillance audit 10 months after the Stage 2 audit, the second surveillance audit 12 months after the first surveillance audit, and then the re-certification audit must be scheduled at least 60 days prior to certificate expiration (i.e.,  – no more than 12 months after the second surveillance audit). No matter what, schedule early.

If you have additional questions about becoming ISO 13485 registered, please post a discussion question in the following LinkedIn subgroup: Medical Device: QA/RA. For example, on Monday a new discussion question was posted asking for help with selection of a Notified Body for CE Marking. You will need to become a member of the parent group (Medical Device Group)–if you are not already one of the 140,000+ members connected with Joe Hage. George Marcel and I manage this subgroup for Joe. George is out in the Bay Area and I’m in the Green Mountains.

Posted in: ISO Certification

Leave a Comment (5) →

7 Steps to Auditing Design Controls Using the ISO 13485 Standard

This blog reviews seven steps to effectively auditing design controls utilizing the ISO 13485 standard.

Third- party auditors (i.e., – a Notified Body Auditor) don’t always practice what we preach. I know this may come as a huge shock to everyone, but sometimes we don’t use the process approach. Auditing design controls is a good example of my own failure to follow was it true and pure. Instead, I use NB-MED 2.5.1/rec 5 as a checklist, and I sample Technical Files to identify any weaknesses. The reason I do this is that I want to provide as much value to the auditing client as possible without falling behind in my audit schedule.

Often, I would sample a new Technical File for a new product family that had not been sampled by the Technical Reviewer yet. My reason for doing this is that I could often find elements that are missing from the Technical File before the Technical Reviewer saw the file. This gives the client an opportunity to fix the deficiency before submission and potentially shortens the approval process. Since NB-MED documents are guidance documents, I could not write the client up for a nonconformity, unless they were missing a required element of the M5 version of the MDD (93/42/EEC as modified by 2007/47/EC). This is skirting the edge of consulting for a third- party reviewer, but I found it was a 100% objective way to review Technical Files. I also found I could review an entire Technical File in about an hour.

So what’s wrong with this approach?

This approach only tells you if the elements of a Technical File are present, but it doesn’t really evaluate the design process. Therefore, I supplemented my element approach with a process audit of the design change process by picking a few recent design changes that I felt were high risk issues. During the process audit of the design change process, I sampled the review of  risk management documentation, any associated process validation documentation and the actual design change approval records. If I had time, I looked for the following types of changes: 1) vendor change, 2) specification change, and 3) process change. By doing this, I covered the following clauses: 7.4 (purchasing), 7.3.7 (design changes), 7.5.2 (process validation), 7.1 (risk management) and 4.2.4 (control of records).

So what is my bastardized process approach to auditing design controls missing? Clauses 7.3.1 through 7.3.6 of ISO 13485 are missing. These clauses are the core of the design and development process. To address this, I would like to suggest the following process approach:

Step 1: Identify the process owner and interview them. Do this in their office–not in the conference room. Get your answers for steps 2-7 directly from them. Ask lots of open-ended questions to prevent “yes/no” responses.

Step 2: Identify how design projects are initiated. Look for a record of a meeting where various design projects were vetted and approved for internal funding. These are inputs into the design process. There should be evidence of customer focus, and some examples of corrective actions taken based upon complaints or service trend analysis. Step 3: Identify where Design History Files (DHF) are stored physically or electronically, and determine how the DHF is updated as the design projects progress.

Step 4: This is typically the step of a process audit where there auditor needs to identify “what resources” are used in the process. However, only companies that have software systems for design controls have resources dedicated to Design and Development. I have indicated this in the following “Turtle Diagram.”

%name 7 Steps to Auditing Design Controls Using the ISO 13485 Standard

“With What Resources” is typically not applicable, because most companies do not have electronic design history files.

Step 5: Identify which people are assigned to the design team for a design project. Sometimes companies assign very large teams. In this case, the auditor should focus on the team members that must review and approve design inputs (see Clause 7.3.2) and design outputs (see Clause 7.3.3). All of these team members should have training records for Design Control procedures and Risk Management procedures.

Step 6: Identify procedures and forms that define the Design and Development process. Do not read and review these procedures. Auditors never have the time to do this. Instead, ask the process owner to identify specific procedures or clauses within procedures where clauses in the ISO Standard are addressed. If the process owner knows exactly where to find what you are looking for, they’re training was effective, or they may have written the procedure(s). If the process owner has trouble locating the clauses you are requesting, spend more time sampling training records.

Step 7: Ask the process owner to identify some metrics or quality objectives they are using to monitor and improve the design and development process. This is a struggle for many process owners–not just design. If there are any metrics that are not performing up to expectations, there should be evidence of actions being taken to address this. If there are no metrics being tracked by the process owner, you might review schedule compliance.

Many design projects are behind schedule and therefore this is an important metric for most companies. Now that you have completed your “Turtle Diagram”, if you have more time to audit the design process, you can interview team members to review their role in the design process. You could also sample specific Technical Files as I indicated above. If you are performing a thorough internal audit, I recommend doing both.

Posted in: Design Control

Leave a Comment (0) →
Follow

Get every new post on this blog delivered to your Inbox.

Join other followers:

Simple Share Buttons
Simple Share Buttons