Blog

Posts Tagged ISO

Implementing ISO 13485: Dealing with Delays

By Guest Blogger,  Brigid Glass

%name Implementing ISO 13485: Dealing with Delays  The author provides tips, practical examples and 6 steps to follow if your ISO 13485 implementation project falls behind schedule.

In the best planned project, with plentiful, skilled resources and diligent monitoring, things can still go awry. We need to be watchful for signs of our plans falling behind schedule, and develop contingency plans to prevent delays.

Walk Around the Mountains

Identify major obstacles early and develop a plan to deal with them. The major obstacles are usually the tasks that take the longest—such as process validation. Specifically, name these tasks in your pitch to management for resources before you start. This approach will ensure that everyone is focused on the biggest challenges.

If your plan to climb over those mountains is failing, work out a route around them. Maybe your R&D Manager can’t yet accept that there will now be design controls. In this case, an alternate path might be to purposely leave design controls for last. If you write a concise procedure and release it as your last procedure, then you have a built-in excuse for why you have very few records to demonstrate implementation of design controls. You will still need at least one design project plan and training records to demonstrate that the process is implemented.

If this plan is successful, your auditor will write in the report that “design controls are implemented, but there are limited records to demonstrate implementation at this time.” If this plan is unsuccessful, you will need to provide additional design control records before you can be recommended for ISO certification—typically within 90 days.

Another approach is to initiate a CAPA and implement some of the tasks after the audit. For example, you have more suppliers than you can audit prior to certification. In this case, qualify all your suppliers, and use a risk-based approach to help you prioritize which suppliers need to be audited first. In your plan, identify that you will start by auditing the three highest-risk suppliers. Lower risk suppliers can be scheduled for audits after certification.

Be Watchful

Keep a close eye on your project plan. One of the most important factors for success is keeping the plan, and progress against the plan, in front of the key players and senior management. Do this in such a way that progress, or the lack of it, is very clearly visible. It’s a basic maxim of Quality that we act on what we measure.

ISO 13485 Implementation: If Your Project Falls Behind Schedule

If you find yourself lagging seriously behind in your project, the following steps will assist you in recovering sufficiently to still be able to attain certification.

  1. Enlist management support when you need it, especially if you need them to free up resources.
  2. Prioritize. Before the Stage 1 audit, ensure that those procedures which are required by ISO 13485 are released (there are 19). There’s always room for improvement, but leave some of it for the second revision, instead of delaying certification.
  3. Ensure that you have at least a few examples of all the required records. Your auditor will be unable to tick off his checklist if a record is absent. Make it easy for the auditor.
  4. If there is a sizeable gap that you won’t be able to close before certification (i.e., – you have a validation procedure, but validations have not been completed), write a CAPA outlining your action plan to address the gap. During the audit, act confidently when you are questioned about the gap. Many auditors will give you credit for identifying the problem yourself.
  5. Don’t panic. The worst the auditor can do is to identify a nonconformity you will have to address with a CAPA plan before you can be recommended for certification. At most, this will result in a delay of a few weeks.
  6. Throughout your certification preparations, and during the certification audits, you will identify issues you may not have time to resolve before the certification process is complete. If you are planning to revise procedures and make other corrections, make sure you track these issues as CAPAs, or with some other tool (e.g., – an action item list). You want to address each issue prior to the first surveillance audit (no more than 12 months from the date of the Stage 2 audit).

Best wishes for your project. Success is the result of good planning, good communication and good monitoring.

This blog is part of a series of blogs that leads up to our Roadmap to Iso 13485 Certification Courses

 

Posted in: ISO Certification

Leave a Comment (0) →

An Auditor’s Best Practices in Issuing a Major Nonconformity

%name An Auditors Best Practices in Issuing a Major Nonconformity

From the opening meeting through the audit and closing meeting, the author describes an auditor’s best practices in issuing a major nonconformity.

As an auditor, one of the most important (and difficult) things to learn is how to issue a nonconformity—especially a major. This is normally done at the closing meeting of an audit, but the closing meeting is not where the process of issuing the nonconformity begins. Issuing a nonconformity actually starts in the opening meeting.

ISO 19011:2011 is the official guidance document for auditors of Quality Management Systems. Section 6.4.2 of this Standard explains best practices for an opening meeting. The last five items in this section are critical to preparing the client for potential nonconformities:

  1. Method of reporting audit findings, including grading, if any
  2. Conditions under which the audit may be terminated
  3. Time and place of the closing meeting
  4. How to deal with possible findings during the audit
  5. System for feedback from the auditee on findings or conclusions of audit
  6. Process for complaints and appeals
Methods of Reporting and Grading Nonconformities

The auditor should be crystal clear in their description of minor and major nonconformities, or any other grading that will be used. The auditor should also make it clear that they are looking for conformity, rather than nonconformity. This is an audit—not an inspection. Typically, a minor nonconformity is described as “a single lapse in the fulfillment of a requirement,” while a major nonconformity is described as one of the following: 1) “a total absence in the fulfillment of a requirement,” 2) “repetition of a previous nonconformity,” 3) “failure to address a previously identified minor non-conformity”, or 4) “shipment of non-conforming product.” When the auditor is in doubt, then the finding is minor, and never a major. For a major nonconformity to be issued, there can be no doubt.

Conditions for Termination

The option to terminate an audit is typically reserved for a certification audit where a major nonconformity is identified and there is no point in continuing. Termination is highly discouraged, because it is better to know about all minor and major nonconformities right away, instead of waiting until the certification audit is rescheduled. The certification body will charge you for their time anyway.

Another reason for termination is when an auditor is being unreasonable or inappropriate. This is rare, but it happens. If the audit is terminated, you should communicate this to upper management at the certification body and the company—regardless of which side of the table you sit. For FDA inspections, this is not an option. For audits performed by Notified Bodies, there is the possibility of suspension of a certificate in response to audit termination. Therefore, I always recommend appealing after the fact, instead of termination. Appealing also works for FDA inspections.

How to Deal with Findings

All guides and auditees should be made aware of possible findings at the time an issue is discovered. This is important, so that an auditee has the opportunity to clarify the evidence being presented. Often, nonconformities are the result of miscommunication between the auditor and auditee. This happens frequently when the auditor has a poor understanding of the process being audited. It is a tremendous waste of time for both sides when this occurs. If there is an actual nonconformity, it is also important to gather as much objective evidence as possible for the auditor to write a thorough finding, and for the auditee to prepare an appropriate corrective action plan in response to the finding.

%name An Auditors Best Practices in Issuing a Major Nonconformity
Feedback from the Auditee

As an auditor, I always encourage auditees to provide honest feedback to me directly and to management, so that I could continue to improve. If you are giving feedback about an internal auditor or a supplier auditor, you should always give feedback directly before going to the person’s superior. You are both likely to work together in the future, and you should give the person every opportunity to hear the feedback first-hand.

When providing feedback from a third-party certification audit, you should know that there will be no negative repercussions against your company if you complain directly to the certification body. At most, the certification body will assign a new auditor for future audits and investigate the need for taking action against the auditor. In all likelihood, any action taken will be “retraining.” I never fired somebody for a single incident—unless they broke the law, or did something that was unsafe. The key to providing feedback, however, is to be objective. Give specific examples in your complaint, and avoid personal feelings and opinions.

Complaints and Appeals

As the auditee, you should ask for the contact information of the certification body during the opening meeting. Ask with a smile—just in case you disagree, and so you can provide feedback (which might be positive). As the auditor, you should always make contact information for the certification body available. If you are conducting a supplier audit or an internal audit, you probably know the auditor’s boss and there is probably no formal complaint or appeals process. In the case of a supplier audit, the customer is always right—even when they are wrong.

During the Audit

During the audit, you should always make the guide(s) and process owner(s) aware of any potential nonconformities as you find them. This is their opportunity to clarify the objective evidence for you and to explain why there is not a nonconformity. Often, at this point in the audit, I will refer to the Standard. I will identify specific requirement(s) and show the process owner. I will say, “This is what I am trying to verify. Do you have anything that would help address this requirement?” If the process owner is unsure of how to meet the requirement, often, I will provide an example of how this requirement is addressed in other areas, or at other companies.

If the audit is a multi-day audit, I will review the potential nonconformities at the end of the day and give the auditee the opportunity to provide additional objective evidence in the morning. If it is the last day of the audit, or it is a single-day audit, I will give auditees until the closing meeting to provide the objective evidence. Often, I will use this opportunity to explain what would be considered a minor nonconformity and what would be a major nonconformity. Usually I can say, “This is definitely not a major nonconformity, because…”

%name An Auditors Best Practices in Issuing a Major Nonconformity

Closing Meeting

The closing meeting should be conducted as scheduled, and the time/location should be clearly communicated to upper management in the audit agenda and during the opening meeting. Top management won’t be happy about nonconformities, but failure to communicate when the closing meeting will be conducted will irritate them further.

At the closing meeting, the auditee should never be surprised. If an issue remains unfulfilled at the closing meeting, the auditee should be expecting a minor nonconformity—unless the issue clearly warrants a major nonconformity. Since a minor nonconformity is described as “a single lapse in the fulfillment of a requirement,” it is difficult for an auditee to argue that an issue does not warrant a minor nonconformity. Typically, the argument is that you are not consistent with other auditors. The most common response to that issue is, “Audits are just a sample, and previous auditors may not have seen the same objective evidence.” The more likely scenario, however, is that the previous auditor interprets requirements, instead of reviewing requirements with the client, and ensuring both parties agree before a finding is issued.

If a finding is major, the auditee should have very few questions. Also, I often find the reason for a major noncconformity is a lack of management commitment to address the root cause of a problem. Issuing a major nonconformity is sometimes necessary to get management’s attention.

Regardless of the grading, all audit findings will require a corrective action plan—even an FDA warning letter requires a CAPA plan. Therefore, a major nonconformity is not a disaster. You just need to create a more urgent plan for action.

Posted in: ISO Auditing

Leave a Comment (0) →

7 Steps to Training Auditors on the Process Approach of the ISO Standard

The author uses the turtle diagram as the foundation to reviewing seven (7) steps to training auditors on the process approach for the ISO standard.

I have been reviewing trends for how people find my website, and a large number of you appear to be interested in my auditing schedules and other audit-related topics. Therefore, this week’s blog is dedicated to training auditors on the process approach.

First, the process approach is just a different way of organizing audits. Instead of auditing by clause, or by procedure, instead you audit each process. Typical processes include:
  1. Design & Development
  2. Purchasing
  3. Incoming inspection
  4. Assembly
  5. Final Inspection
  6. Packaging
  7. Sterilization
  8. Customer Service
  9. Shipping
  10. Management Review
  11. CAPA
  12. Internal Auditing

Why the Process Approach is Recommended

First, the process approach identifies linkages between processes as inputs and outputs. Therefore, if there is a problem with communication between departments, the process approach will expose it. If only a procedural audit is performed, the lack of communication to the next process is often overlooked.

Second, the process approach is a more efficient way to cover all the clauses of the ISO Standard than auditing each clause (i.e.,– the element approach). My rationale for the claim of greater efficiency is simple: there are 19 required procedures in the ISO 13485 Standard, but there are only 12 processes identified above. The “missing” procedures are actually incorporated into each process audit.

For example, each process audit requires a review of records as input and outputs. In addition, training records should be sampled for each employee interviewed during an audit. Finally, nonconforming materials can be identified and sampled at incoming inspection, in assembly processes, during final inspection, during packaging, and even during shipment. The tool that BSI uses to teach the process approach is the “Turtle Diagram.” The diagram below illustrates where the name came from.

tutle diagram1 7 Steps to Training Auditors on the Process Approach of the ISO Standard

Process Auditing – “Turtle Diagram”

The Interview

The first skill to teach a new auditor is the interview. Each process audit should begin with an interview of the process owner. The process owner and the name of the process are typically documented in the center of the turtle diagram. Next, most auditors will ask, “Do you have a procedure for ‘x process’?” This is a weak auditing technique, because it is an “closed-ended” or yes/no. This type of question does little to help the auditor gather objective evidence. Therefore, I prefer to start with the question, “Could you please describe the process?” This should give you a general overview of the process if you are unfamiliar with it.

After getting a general overview, I like to ask the question: “How do you know how to start the process.” For example, inspectors know that there is material for incoming inspection, because raw materials are in the quarantine area. I have seen visual systems, electronic and paper-based systems for notifying QC inspectors of product to inspect. If there is a record indicating that material needs to be inspected—that is the ideal scenario. A follow-up question is, “What are the outputs of the inspection process?” Once again, the auditor should be looking for paperwork. Sampling these records and other supporting records is how the process approach addresses Clause 4.2.4—control of records.

The next step of this approach is to “determine what resources are used by incoming inspection.” This includes gauges used for measurement, cleanliness of the work environment, etc. This portion of the process approach is where an auditor can review calibration, gowning procedures and software validation. After “With What Resources,” the auditor then needs to identify all the incoming inspectors on all shifts. From this list, the auditor should select people to interview and follow-up with a request for training records.

The sixth step  is to request procedures and forms. Many auditors believe that they need to read the procedure. However, if a company has long procedures, this could potentially waste valuable time. Instead, I like to ask the inspector to show me where I can find various regulatory requirements in the procedures. This approach has the added benefit of forcing the inspector to demonstrate they are trained in the procedures—a more effective assessment of competency than reviewing a training record.

Process Owners Challenged

The seventh and final step of the turtle diagram seems to challenge process owners the most. This is where the auditor should be looking for department Quality Objectives and assessing if the department objectives are linked with company quality objectives. Manufacturing often measures first pass yield and reject rates, but every process can be measured. If the process owner doesn’t measure performance, how does the process owner know that all the required work is getting done? The seventh step also is where the auditor can sample and review monitoring and measurement of processes, and the trend analysis can be verified to be an input into the CAPA process.

In my brief description of the process approach, I used the incoming inspection process. I typically choose this process for training new auditors, because it is a process that is quite similar in almost every company, and is easy to understand. More importantly, however, the incoming inspection process does an effective job of covering more clauses of the Standard than most audits. Therefore, new auditors get an appreciation for how almost all the clauses can be addressed in one process audit. If you are interested in learning more about Turtle Diagrams and the process approach to auditing, please register for our webinar on the process approach to auditing.

Posted in: ISO Auditing

Leave a Comment (3) →

Management Representative Requirement: ISO 9001:2008

The author reviews the Management Representative section 5.5.2 of ISO 9001:2008 requirement, and provides eight (8)  proposed actions to take for companies who receive a finding against this section.

The idea for this posting was from a thread I found on Elsmar Cove: http://elsmar.com/Forums/showthread.php?t=45658

One person posted a question about the requirement for the Management Representative (MR) to be a member of the organization’s management (see section 5.5.2 of ISO 9001:2008). Companies that are seeking initial certification sometimes struggle with this requirement. Some struggle because they do not have anyone in-house that is sufficiently trained to be the MR. Other companies struggle, because they are very small and outsource their QA functions to a consultant. The following blog is targeted at helping these companies.

Auditing

I audit companies to the ISO 13485 (medical Quality Management Systen (QMS) & 9001 (QMS) Standards. The intent of both Standards was always to have the MR be part of management, but some companies did not interpret the Standards in this way. With the 2008 revision of 9001, the possibility of misinterpreting the meaning is much less likely. Companies that receive findings during the Stage 1 or Stage 2 audit for this requirement usually fall into one of two categories. Category #1: our company is small and the only person that really knows enough about ISO requirements is not a member of management. Category #2: our company is small and we outsource QA functions.

The good news is that any manager can be assigned the responsibility of being MR. One of my clients assigned this responsibility to the VP of Sales. Another company assigned this responsibility to the Director of R&D. Both of these individuals had to put in the time to learn about their quality management systems, but both have embraced the challenge and I have learned much from them. They have a different perspective and bring a lot of value to the MR role. The bad news is: whomever you assign has to learn enough to be competent in the role.

The definition of “Management” is typically a stumbling block. Most people think of managers requiring that they have other people reporting to them. This is not an absolute. The MR should report directly to a top manager, such as the President or CEO to prevent conflicts of interest. As a manager, they should not require a great deal of direct supervision, and the President or CEO should not be overly burdened by adding one person to their list of direct reports. Some auditors like to see a “deputy MR” identified. My advice is to have the CEO or President sufficiently trained that they can be the “back-up” when the MR is on vacation.

Every manager should know enough about their subordinate’s job duties that they can “fill in.MR’s should be involved in senior staff meetings too, but not necessarily at the same frequency as every other senior staff manager. Typically, operations and sales have the most frequent meetings with the CEO–often weekly. Finance is typically monthly. HR and the MR might be bi-monthly or quarterly. Communication of the status of quality objectives should be regular reports to all senior staff, but you don’t have to have a Management Review to communicate the status. If the company is small enough to have only one QA person, there probably isn’t a need for more than one or two management review meetings per year.

Management Representative Finding: 8 Proposed Actions to Take

If your company has a finding against clause 5.5.2, I recommend the following actions:

1. Assign a person that is already a member of your senior staff as MR.

2. Document the responsibility in the person’s job description.

3. Document the responsibility in the org chart.

4. Assign the person’s direct supervisor (typically the CEO or President) as a “deputy MR.”

5. Find a good webinar on ISO training for the new MR and their boss (ideally one with a quiz and a certificate).

6. Have the new MR develop a 45 minute presentation for the senior staff on the topic of Management Responsibilities. This training should cover all of section 5 in the Standard.

7. Give the senior staff a 15 minute multiple choice quiz to evaluate effectiveness of the training.

8. Have the new MR discuss delegation of various management review inputs (see section 5.6.2) with their boss. Quality should be a shared responsibility and Management Reviews will be more effective if everyone participates.

Posted in: ISO Certification

Leave a Comment (0) →

Supplier Qualification: How To Get The Best Results

This article discusses how to utilize various strategies for obtaining the best results related to supplier qualification.      

 Section 7.4 of the ISO Standard states that companies shall “evaluate and select suppliers based on their ability to supply product in accordance with the organization’s requirements.” This requirement is quite vague, but the medical device industry has developed a surprisingly limited number of approaches to address the requirement of this clause. The most common approach is to ask for some combination of the following: 1) ISO certification, 2) a copy of the supplier’s Quality System Manual, 3) completion of a supplier questionnaire, and 4) performing a supplier audit. Unfortunately, all four selection criteria are flawed.

I think the best way for me to explain why these criteria are flawed is to use an analogy. Let’s compare qualifying a new supplier with recruiting a new employee. ISO certification is sort of like a college degree. You can make some general assumptions about a potential job candidate based upon which school they got their engineering degree from, but the degree is still just a piece of paper on the wall. As the old joke goes:

            What do you call the person that graduated last in their class at medical school?

            Doctor.

Some registrars have a better reputation than others, but the name of the registrar is only as good as its worst client—who had four major nonconformities during their last audit and is about to lose that certificate. To improve this approach to supplier qualification, a potential customer could ask for a copy of the most recent audit report. This information is dependent upon the quality of the audit, but this would be a big improvement over requesting a copy of the certificate.

            CAUTION: Audits are still just samples—very small samples. 

Quality Manual

The second selection criteria I mentioned is: The Quality Manual. The Quality Manual is analogous to a resume. The purpose of a resume is two-fold: 1) to provide an interviewer with information, so they can ask the interviewee questions without looking like an idiot, and 2) to provide objective evidence that a company did not illegally discriminate against a candidate that the hiring manager did not like. I suppose you could argue that the purpose is to help candidates get a job, but in my own experience, less than 10% of resumes submitted result in a job interview—let alone a job offer. The purpose of a Quality Manual is NOT to help a company get new customers. If I am wrong about this, I need to do a much better job of marketing my Quality Manuals in the future.

Some suppliers have the nerve to say that their Quality Manual is proprietary. Humbug! Proprietary information should not be in the Quality Manual. You can copy a manual from another company and edit a few of the details. I will gladly write you a Quality Manual in less than a week that will pass any auditors review. You can even buy a Quality Manual online. This almighty document just explains the intent of the Quality System—which is to conform to the requirements of the ISO Standard. Several auditors will tell you that this can be done in just four pages. When you request a Quality Manual from a supplier, your primary intent should be to use this document for the purposes of planning an on-site supplier audit. Any other purpose is just a waste of your time—unless you need to write a Quality Manual of your own. 

Supplier Questionnaire

The third selection criteria I mentioned was: a supplier questionnaire or supplier survey. Questionnaires are analogous to employment applications. Coincidently, supplier questionnaires are often required by companies when a Quality Manual or ISO Certificate is not available. Do you find the similarities eerie?

Questionnaires are typically 15-20 page documents that someone has plagiarized from a previous employer. I have seen various versions of this questionnaire, but several of them appear suspiciously similar. Hmmm?

I am not sure what the original intent of this type of document was, but I think it was intended to capture detailed information about potential suppliers for a company in the Fortune 500®. For most companies, 80% of the information on the questionnaire is meaningless. Customer requirements for a supplier are typically few in number and specific to the product or service being purchased. Therefore, please use your MRP system as a template and ensure that the questionnaire answers all the information you need to add the supplier to your system as an approved supplier. You should also have a product or service specification that gives you some more questions to ask. Ideally your questionnaire will be organized in the same order that you enter the information into the MRP system. Then this questionnaire will make the data entry easier for the purchasing agent adding the supplier to the database. Questionnaires and surveys are great, but brevity is next to Godliness.

Supplier Audits

Finally, we come to the auditor’s favorite—supplier audits. Audits are similar to job interviews. Ideally you want a cross-functional audit team and you might need to visit more than once. Unfortunately, most companies cannot afford to audit every supplier. Some companies try to perform desktop audits, but these are seldom effective. I guess I think of a desktop audit as a “phone interview.” I use phone interviews to prescreen candidates before I pay more money and waste other peoples’ time with on-site interviews. Desktop audits of suppliers should only be a precursor to an on-site audit, so your supplier quality engineers do not have to spend so many nights at the Hampton Inn.

If audits are your best selection criteria, how can you make the most of your auditing resources? Also, how can you qualify all your suppliers if you only have enough auditors to audit 5% of the approved supplier list? I have the following suggestion: “Start at the end.”

What I mean by this cryptic, four-word phrase is that auditors should start at the end of the ISO Standard with sections 8.5.2 & 8.5.3 (Corrective and Preventive Action (CAPA) Process). This is the heart of a Quality System. If you disagree, remember that FDA inspectors are required to look at the CAPA system during every Level 1 inspection. Registrars also look at the CAPA process during every assessment—not just the certification audits. The purpose of the CAPA process is to fix problems, so they don’t come back—ever.

If you think that a new supplier is never going to make a mistake, you might as well quit looking. You want suppliers with strong CAPA systems. If a supplier has a strong CAPA system, problems will be fixed quickly and permanently. To sample the CAPA process, an auditor only needs the following: 1) the CAPA procedure(s), 2) the CAPA log(s), and 3) a handful of completed CAPA records—selected not so randomly from the log(s). This can all be done remotely in a desktop audit. If suppliers are resistant to giving you the log or actual records, ask them to redact any sensitive information. If you have executed a nondisclosure agreement, the supplier should agree with this approach.

Analysis of Data

Working from the back of the Standard, the next process to sample is clause 8.4 (Analysis of Data). There are four requirements of this clause. If the company has a requirement for customer satisfaction to be measured (ISO 9001:2008 section 8.4a), this is a great place to focus. There are also requirements to look at the trend of product conformity (8.4b), process metrics (8.4c), and trends in supplier data—such as on-time delivery and raw material nonconformities (8.4d). The quality of the analysis will tell an auditor as much about the company as the data itself. This process audit can also be performed remotely as a desktop audit.

Clause 8.3, Control of Nonconforming Materials, is the third area to look at. To sample this area you will need the “Holy Trinity” again: 1) procedure, 2) log, and 3) records. In this desktop audit, you want to look very closely at any nonconforming materials that are reworked or accepted “as is” (i.e. – UAI). Either of these two dispositions should be ULTRA-RARE. Everything else should be processed efficiently as scrap or Return To Vendor (i.e., – RTV).

If a potential supplier passes all three “tests” described above, you are ready to address clause 8.2.4—Monitoring & Measurement of Product. In this section, there is a requirement to maintain records of product release and to verify that product requirements are met. If you think you can effectively audit this by paperwork alone, the supplier is a good candidate for “desktop only.” However, if the lot release paperwork, batch record, or Device History Record (DHR) is a 50-page tome—then you better make your flight plans.

The good news is that very few suppliers will pass the first three tests and implode during the on-site audit. Also, with three process audits complete you should be able to reduce the duration of your on-site audit. Finally, for low-risk suppliers you have a strong basis for provisional approval of suppliers to proceed with prototype runs before you schedule an on-site audit.

           

 

Posted in: Supplier Quality Management

Leave a Comment (0) →
Follow

Get every new post on this blog delivered to your Inbox.

Join other followers:

Simple Share Buttons
Simple Share Buttons