This page has been moved…https://medicaldeviceacademy.com/root-cause-analysis/

90% of usability testing submitted to the FDA is unacceptable and the root cause is simply a failure to understand the human factors process.

Human factors process inadequate?

If you submitted no usability testing to the FDA in your 510(k) submission, it would be obvious why the FDA reviewer identified usability as a major deficiency. However, you spent tens of thousands of dollars on usability testing that delayed the 510(k) submission by six months. Despite all of the time and money your company invested in the human factors process, it appears that you need to start over and repeat the entire process again. The CEO is furious, and he wants you to show him where in the 49-page FDA guidance it says that you have to do things differently.

Benefits from the human factors process

1. Use errors result in serious injuries and death
2. Easy-to-use products sell
3. You will prevent delays in regulatory approval

Why was your rationale for no usability testing rejected?

Unlike CE Marking technical files, the FDA does not require a usability engineering file for all products. Instead, the FDA determines if usability testing is required based on a comparison of your device’s user interface and a competitor’s user interface (i.e. predicate device user interface). If the user interface is identical, then usability testing may not be required. Instead, your company should be able to write a rationale for not doing usability testing based on equivalence with the predicate device. If there are differences in your user interface, you will need to provide use-related risk analysis (URRA), identify critical tasks, implement risk controls, and provide verification testing to demonstrate the effectiveness of the risk controls. Even if your device is “easier to use” or “simpler”, you still need to provide the documentation to support this claim in your submission. The FDA also does not allow comparative claims in your marketing for 510(k) cleared devices. Comparative claims require the support of clinical data.

What is the 10-step human factors process?

1. Define human factors for your device or IVD
2. Identify use errors
3. Conduct a URRA
4. Perform a critical task analysis
5. Conduct a risk control option analysis
6. Conduct formative usability testing
7. Implement risk controls
8. Conduct summative usability testing
9. Prepare HFE/UE documentation
10. Collect post-market surveillance data specific to use errors

There is a YouTube video describing these 10 steps at the bottom of this blog posting.

Why is formative testing needed?

• Observational study to identify unforeseen use errors
• Observational study to evaluate risk control options
• What are the other types of studies?
• Development of indications for use
• Development of training materials

Why is the human factors process crazy expensive to outsource?

• Human factors consultants need time to learn about your device
• Consultants are more conservative because they cannot afford to fail
• Justifying your choice of risk controls is difficult because you started too late
• Your instructions for use (IFU) are inadequate
• Consultants need to explain the human factors process to you
• Recruiting subjects is marketing (which may not be their expertise)
• You are paying for infrastructure (specialized testing facilities)
• This is a team effort that requires many consulting hours collectively

Why was your Usability Engineering File refused?

1. Your company provided an application failure modes and effects analysis (aFMEA) to support your justification that residual risks are acceptable. The FDA guidance suggests using risk analysis tools such as an FMEA or fault-tree analysis, but deficiency letters from FDA reviewers recommend a use-related risk analysis (URRA) format that is totally different.

   

   The primary problem with using an FMEA or Fault-Tree risk analysis tool is that these tools involve the estimation of the severity of harm and the probability of occurrence of harm, while the FDA does not feel it is appropriate to estimate the probability of occurrence of harm. Instead, the FDA instructs companies to assume that use errors will occur and to implement risk controls to mitigate those risks (see URRA example above). Although “mitigation” is unlikely, and use risks will only be reduced, this is the approach the FDA wants companies to use. In addition, the FDA expects your company to provide traceability of risk control implementation to each use-related risk you identified and the FDA expects documentation of verification testing (i.e. usability testing) that shows your risk controls are effective. Finally, the FDA (and ISO 14971, Clause 10) expects you to collect and perform a trend analysis of use errors. Any use errors that are reported should be evaluated for the need to implement additional corrective actions to prevent future use errors. Blaming “user error” is not an acceptable approach. 

2. You provided risk analysis and human factors testing in your 510(k) submission, but the FDA reviewer said you need to identify critical tasks and provide traceability to each critical task in your summative validation report. – Critical tasks are specifically mentioned in section 3.2 of the FDA guidance on applying human factors and usability engineering–and a total of 49 times throughout the guidance. However, “critical tasks” are not mentioned even once in ISO 14971:2019 or ISO/TR 24971:2020. The term “critical tasks” is not even found in IEC 62366-1:2015. There is mention of “tasks”, and “task” is a formal definition (i.e. Definition 3.14, “Task – one or more USER interactions with a MEDICAL DEVICE to achieve a desired result”). Therefore, companies that are familiar with the ISO Standards and CE Marking process frequently need training on the FDA requirements for the human factors process. After receiving training, then your company will be prepared to modify your usability engineering file documentation to comply with the FDA requirements for human factors.
3. You completed a summative validation protocol, but the FDA disagrees with your definition of user groups. – Each user has a different level of experience, training, and competency. Therefore, if you define the intended user population too broadly (e.g. healthcare practitioners), the FDA may not accept your summative usability testing. This is the reason that the human factors process begins with defining the human factors for your IVD or device. Radiologists, for example, have the following training pathway:
   • graduate from medical school;
   • complete an internship;
   • pass state licensing exam;
   • complete a residency in radiology;
   • become board certified; and
   • complete an optional fellowship.

Therefore, if you are developing imaging software, you need to make sure your user group includes radiologists that cover the entire range of competencies. In addition, most radiology images are taken by radiology technicians and then reviewed by the radiologist. Therefore, radiology technicians should be considered a completely different user group due to the differences in experience, training, and competency when compared to a radiologist. This simple example doubles the number of users needed because you have two user groups instead of one.

1. You evaluated 15 users, but the FDA reviewer is asking you to evaluate a larger number of users based on a special controls guidance document. – The FDA guidance on human factors testing specifies a minimum of 15 users for each user group–not a minimum of 15 users. Therefore, for a device that is for Rx-only and OTC use, you will have at least two user groups that need to be evaluated independently. In addition, some devices have special controls guidance documents that specify usability testing requirements. For example, an OTC blood glucose meter must pass a 350-person lay-user study. Covid-19 self-tests are expected to pass a 30-person lay-user study as another example.
2. Your usability study was conducted in Australia, but the FDA insists that your usability study must be repeated in the USA. – Most people think of language being the primary difference between two countries, and therefore the author of a study protocol may not perceive any difference between the USA and Australia, Ireland, Canada, or the UK. However, this lack of ability to identify differences between cultural norms shows our own ignorance of cultural differences. International travelers learn quickly about the differences in the interface used for electrical outlets between the USA and other countries. There are also more subtle differences between cultures, such as in which direction do you toggle a light switch to turn on a light, up or down? For devices that are used in a hospital environment, it is critical to understand how your device will interact with other devices and how different hospital protocols might impact human factors.
3. The FDA reviewer indicated that your usability engineering file does not assess the ability of laypersons to self-select whether your OTC device is appropriate for them. – Devices and IVD devices may have contraindications or indications for use that are specific to an intended patient population or intended user population. In these cases, the user of the device or IVD needs to be able to “self-select” as included or excluded from use. The ability to self-select should be assessed as part of any OTC usability study. The ability to identify suitable and unsuitable patients for treatment is also a common criterion for a usability study involving prescription devices where a physician is the subject of the study.
4. The FDA reviewer indicated that you did not provide raw data collected by the study moderator. – Data collected during a human factors study is usually subjective in nature, and the FDA may want to conduct its own review and analysis of your data. Therefore, you cannot provide only a testing report that summarizes the results of your study. You must also provide the raw data for the study. It is permitted to provide the data in a tabular format that has been transcribed from paper case report forms or was recorded electronically. You should also consider scanning any paper forms for permanent retention or retaining the paper forms in case there is any question of accuracy in the transcription of the data collected. Finally, it is best practice to record videos of the study participants performing each task and answering interview questions. This will help in filling any gaps in the notes recorded by the moderator, and the recording provides additional objective evidence of the study results.
5. The FDA reviewer indicated that your study is not valid, because the training provided by moderators was not scripted and training decay was not considered in the design of the study. – Summative usability testing requires that users complete all of the critical tasks identified in your critical task analysis without assistance. It is permitted to provide training to the user prior to conducting the study if the device or IVD is for prescription use and healthcare practitioners are responsible for providing instruction to the user. However, any training provided must be scripted in advance and approved as part of the summative usability testing protocol. This ensures that every subject in the study receives consistent training. Unfortunately, the FDA may still not be satisfied with the design of your study if you do not allow sufficient time to pass between the time that training is provided to the user and when the subject uses the device or IVD for the first time. In general, one hour is the minimum amount of time that should pass between providing user training and when the device or IVD is used for the first time. This is referred to as “training decay” and the duration of time between your scripted training and the user performing critical tasks for the first time should be specified in your summative usability protocol. One solution to address both issues is to provide a video of the instructions to each subject 24-hours in advance of participation in the study.

Additional resources for the human factors process and usability testing

• IEC 62366-1:2015
• FDA guidance
• SYS-048
• human factors testing webinar
• 10x 2023 Slide Deck

Learn how to become ISO 13485 certified while avoiding the stress that tortures other quality system managers.

What is ISO 13485?

ISO 13485 is an international standard for quality management systems that is specific to the medical device industry. ISO 13485:2016 is the most recent version of the standard, and it has become the blueprint for medical device company quality systems globally. If your company wants to design, manufacture, or distribute medical devices you should consider becoming ISO 13485 certified.

Do you have to purchase a copy of ISO 13485?

Yes, you need to maintain a copy of the ISO 13485 standard as a “document of external origin.” This is needed for reference when you are making updates to procedures in your quality system. If you are looking for the best place to purchase a copy of the ISO 13485:2016 standard, we recommend the Estonian Centre for Standardisation and Accreditation. If you purchase a copy, we recommend selecting the option for a multi-user license so the standard can be used by more than one person in your company and printed. The only difference between the EN ISO version and the International ISO version is that the EN ISO version includes harmonization Annex ZA for compliance with the EU MDR and Annex ZB for compliance with the EU IVDR. This version is also referred to as A11:2021. Here’s a copy of the text from the beginning of the Standard:

“This Estonian standard EVS-EN ISO 13485:2016/A11:2021 consists of the English text of the European standard EN ISO 13485:2016/A11:2021. This standard has been endorsed with a notification published in the official bulletin of the Estonian Centre for Standardisation and Accreditation. Date of Availability of the European standard is 08.09.2021. The standard is available from the Estonian Centre for Standardisation and Accreditation.”

The most recent version of ISO 13485 webinars

The webinars explaining the requirements for ISO 13485 were last updated in 2020. Anyone who purchases these webinars will receive free access to updated versions of the ISO 13485 training webinars. If you are making a new purchase of these two training webinars, the webinars are only being sold as a bundle for $258. You get:

• access to the Stage 1 webinar recorded on July 24, 2020
• access to the Stage 2 webinar recorded on July 28, 2020
• native slide decks for both webinars

This pair of ISO 13485 training webinars explain precisely what you need to do to implement a quality system compliant with ISO 13485. After you create your own plan (a free template is provided with a subscription), you can show the recording of these two webinars to your management team so they can implement your plan in the next several months. All deliveries of content will be sent via Aweber emails to confirmed subscribers.

Webinar duration & format

Webinars were hosted live via Zoom in 2020. The Stage 1 webinar was 64 minutes, and the duration of the Stage 2 webinar was 82 minutes. When you purchase this webinar bundle, you will receive a link to download both recorded webinars from our Dropbox folder. In addition, you will receive links to download the native slide deck for each webinar from Dropbox. 

Purchase the ISO 13485 training bundle

ISO 13485:2016 Training Webinars - Stage 1 & Stage 2

The webinars explaining the requirements for ISO 13485 were last updated for 2020. Anyone that purchases these webinars will receive free access to updated versions of the ISO 13485 training webinars. If you are making a new purchase of these two training webinars, the webinars are only being sold as a bundle for $258. You get: 1 - access to the Stage 1 webinar recorded July 24, 2020 2 - access to the Stage 2 webinar recorded July 28, 2020 3 - native slide decks for both webinars

Price: $258.00

Exam and Training Certificate available

Exam - ISO 13485:2016 update

This is a 20 question quiz with multiple choice and fill in the blank questions. The completed quiz is to be submitted by email to Rob Packard as an MS Word document. Rob will provide a corrected exam with explanations for incorrect answers and a training effectiveness certificate for grades of 70% or higher.

Price: $49.00

There is a big difference between being ISO 13485 certified and being compliant with ISO 13485:2016, the medical devices quality management systems standard. Anyone can claim compliance with the standard. Certification, however, requires that an accredited certification body has followed the requirements of ISO 17021:2015, and they have verified that your quality system is compliant with the standard. To maintain that certification, you must maintain your quality system’s effectiveness and endure both annual surveillance audits and a re-certification audit once every three years.

Step 1 – Planning for ISO 13485 certification

There are six steps in the ISO 13485 certification process, but that does not mean there are only six tasks. The first step in every quality system is planning. Most people refer to the Deming Cycle or Plan-Do-Check-Act (PDCA) Cycle when they describe how to implement a quality system. However, when you are implementing a full quality system, you need to break the “doing” part of the PDCA cycle into many small tasks rather than one big task. You also can’t implement a quality system alone. Quality systems are not the responsibility of the quality manager alone. Implementing a quality system is the responsibility of everyone in top management.

Below you will find seven tasks listed. I did NOT identify these nine tasks as “Steps” in the ISO 13485 certification process, because these tasks are typically repeated for each process in your quality system. Most quality systems are implemented over time, and the scope of the quality system usually grows. Therefore, you are almost certain to have to perform all of the following nine tasks multiple times–even after you receive the initial ISO 13485 certification. As the saying goes, “How do you eat an elephant? One bite at a time.” Therefore, avoid the inevitable heartburn caused by trying to do too much at one time. Implement your quality system one “bite” at a time.

Task 1 – Purchase applicable standards

The first task in implementing an ISO 13485 quality system is to purchase a copy of the ISO 13485:2016 standard, such as the MDSAP Companion Document. You will also need other applicable medical device standards. Some of these standards are general standards that apply to most, if not all, medical devices, such as ISO 14971:2019 for risk management. There are also guidance documents that explain how to use these general standards, such as ISO/TR 24971:2020, and guidance on how to apply ISO 14971:2019. Finally, there are testing standards that identify testing methods and acceptance criteria for things such as biocompatibility and electrical safety. You will need to monitor these standards for new and revised versions. When these standards are updated, you will need to identify the revised standard and develop a plan for addressing the changes.

When you purchase a standard, be sure to buy an electronic version of the standard so you can search the standard for keywords efficiently. You should also consider purchasing a multi-user license for the standard because every manager in your company will need to look up information in the standard. Alternatively, you could buy a paper copy of the standard and locate the standard where everyone in your company can access it. Often I am asked what the difference is between the EN version of the standard and the ISO version of the standard. “EN” is an abbreviation meaning European Standards or “European Norms,” which is based upon the literal translation from the French (i.e., “normes”) and German (i.e. “norm”) languages. “ISO” versions are international standards. In general, the body of the standard is typically identical but harmonized EN standards for medical devices include annexes ZA, ZB, and ZC that identify any deviations from the requirements in three medical device directives (i.e., MDD, AIMD, and IVDD).

Task 2 – Identify which processes are applicable

Clause 1 of ISO 13485 is specific to the scope of a quality system. ISO 9001, the general quality system standard, allows you to “exclude” any clause from your quality system certification. However, ISO 13485 will only allow you to exclude design controls (i.e., clause 7.3). Other clauses within ISO 13485 may be identified as “non-applicable” based on the nature of your medical device or service. You must also document the reason for non-applicability in your quality manual. Typically, the following clauses are common clauses identified for non-applicability:

1. Clause 4.1.6 – quality system software
2. Clause 6.4 – work environment
3. Clause 7.5.2 – cleanliness of the product
4. Clause 7.5.3 – installation
5. Clause 7.5.4 – servicing
6. Clause 7.5.5 – sterile devices
7. Clause 7.5.6 – process validation
8. Clause 7.5.7 – sterilization validation
9. Clause 7.5.9.2 – implantable devices
10. Clause 7.5.10 – customer property
11. Clause 8.3.4 – rework

Task 3 – Assign a process owner to each process 

The third task is to assign a process owner to each of the processes in your quality system. Typically, you create a master list of each of the required processes. Usually, the assignments are made to managers in the company who may delegate some or all of a specific process. You should expect most managers to be responsible for more than one process because there are 28 required procedures in ISO 13485:2016, but most companies have fewer than ten people when they first implement a quality system.

Task 4 – Prioritize and schedule the implementation of each process

The fourth task is to identify which processes need to be created first and to schedule the implementation of procedures from first to last. You can and should build flexibility into the schedule, but some procedures are needed at the beginning. For example, you need document control, record control, and training processes to manage all of your other procedures. You also need to implement the following processes to document your Design History File (DHF): 1) design controls, 2) risk management, 3) software development (if applicable), and 4) usability. Therefore, these represent the seven procedures that most companies will implement as early as possible. Procedures such as complaint handling, medical device reporting, and advisory notice procedures are usually reserved for last. These procedures are last because they are not needed until you have a medical device in use.

Task 5 – Create forms, flowcharts, and procedures for each process

Forms create the structure for records in your quality system, and a well-designed form can reduce the need for lengthy explanations in a procedure or work instruction. Therefore, you should consider developing forms first. The form should include all required information that is specified in the applicable standard or regulations, and the cells for that information should be presented in the order that the requirements are listed in the standard. You might even consider numbering the cells of the form to provide an easy cross-reference to the corresponding section of the procedure. Once you create a form, you might consider creating a flowchart next. Flowcharts provide a visual representation of the process. You might consider including numbers in the flow chart that cross-reference to the form as well.

Once you have created a form and a flowchart, you are now ready to write your quality system procedure. Many sections are typically included in a procedure template. It is recommended that you use a template to ensure that none of the basic elements of a procedure are omitted. You might also consider adding two sections that are uncommon to a procedure: 1) a risk analysis of the procedure with the identification of risk controls to prevent risks associated with the procedure, and 2) a section for monitoring and measurement of the process to objectively measure the effectiveness of the process. These metrics are the best sources of preventive actions, and some of the metrics might be potential quality objectives to be identified by top management. 

Task 6 – Perform a gap analysis of each procedure

Most companies rely upon internal audits to catch missing elements in their procedures. However, audits are intended to be a sampling rather than a 100% comprehensive assessment. Therefore, when a draft procedure is being reviewed and approved for the first time, or a major rewrite of a procedure is conducted, a thorough gap analysis should be done before the approval of the draft procedure. Matthew Walker created an article explaining how to conduct a gap analysis of procedures. In addition, Matthew has been gradually adding cross-references to ISO 13485:2016 requirements in each procedure. He is color-coding the cross-referenced clauses in blue font as well. This makes it much easier for auditors to verify that a procedure is compliant with the regulations with minimal effort. The success of these two methods has taught us the importance of conducting a gap analysis of all new procedures.

Task 7 – Train applicable personnel for each process 

You are required to document the training requirements for each person or each job in your company. Documentation of training requirements may be in a job description or within a procedure. In addition to defining who should be trained, you also need to identify what type of training should be provided. We recommend recording your training to ensure that new future employees receive the same training to ensure consistency. Design controls training should be the first priority. You are also required to maintain records of the training. You must verify that the training was effective, and you need to check whether the person is competent in performing the tasks. This training may require days or weeks to complete. Therefore, you may want to start training people several weeks before your procedure is approved. Alternatively, you can swap the order of tasks and conduct training after the procedure approval. If that approach is taken, then the procedure should indicate the date the procedure becomes effective–typically 30 days after approval to allow time for training.

Task 8 – Approve the procedure 

Approval of a procedure may be accomplished by signing and dating the procedure itself, while another approach is to create a document that lists all the procedures and forms being approved at one time. The second method is the method we use in our turnkey quality system. Companies can review and approve as many procedures at one time as they wish. Since this process needs to be defined to ensure that all of the procedures you implement are approved, the document control process is typically the first procedure that companies will approve in a new quality system. The second procedure generally is for the control of records. Then the next procedures implemented will typically be focused on the documentation of design controls, risk management, usability testing, and software development. The last procedures to be approved are typically complaint handling, medical device reporting, and recalls. These procedures are left for last because you don’t need them until you are selling your medical device.

Task 9 – Start using the procedure and generating records

The last task required for the implementation of a new quality system is to start using the procedures to generate records. All of the procedures will need records before the process can be verified to be effective. Records can be paper-based, or the records can be electronic. Whichever format you use for the record retention needs to be communicated to everyone in the company through your Control of Records procedure and/or within each procedure. If you include the information in each procedure, the records of each procedure should be listed in the procedure, and the location where those records are stored should be identified. Generally, there is no specific minimum number of records to have for a certification audit, but you should have at least a few records for each process that you implement.

Step 2 – Conducting your first internal audit

The purpose of the internal audit is to verify the effectiveness of the quality system and to identify nonconformities before the certification body auditor finds them. To successfully achieve this secondary objective, it is essential to have a more rigorous internal audit than you expect for the certification audit. Therefore, the internal audit should be of equal duration or longer in duration than the certification audit. The internal audit should not consist of a desktop review of procedures. Reviewing procedures should be part of gap analysis (i.e., task 6 above) that is conducted on draft procedures before they are approved. Internal audits should utilize the process approach to auditing, and the auditor should apply a risk-based approach (i.e., focus on those processes that are most likely to contribute to the nonconforming products, result in a complaint, or cause severe injuries and death).

After your internal audit, you will receive an internal audit report from the auditor. You should also expect findings from the internal auditor, and you should expect opportunities for improvement (OFI) to be identified. Experienced auditors can typically identify the root cause of a nonconformity more quickly than most process owners. Therefore, it is recommended for each process owner and subject matter expert to review nonconformities with the auditor and discuss how the nonconformity should be investigated. The root cause must be correctly identified during the CAPA process, and the effectiveness check must be objective to ensure that problems do not recur.

Step 3 – Initiating corrective actions

Corrective actions should be initiated for each internal audit finding immediately, to make sure the findings are corrected and prevented from repeat occurrence before the Stage 1 audit. It will take a minimum of 30 days to implement the most corrective actions. Depending upon the scheduling of the internal audit, there may not be sufficient time to complete the corrective actions. However, you should at least initiate a CAPA for each finding, perform an investigation of the root cause, and begin to implement corrective actions.

Also, to take corrective actions related to internal audit findings, you should look for internal audits from other sources. The diagram below shows several different sources of potential corrective and preventive actions.

Monitoring and measuring each process is the best source of preventive actions, while internal audits are typically the best source of corrective actions.  Any quality problems identified during validation are also excellent sources of corrective actions because the validation can be repeated as a method of demonstrating that the corrective actions are effective. However, your ISO 13485 certification auditor will focus on non-conforming products, complaints, and services as the most critical sources of corrective actions. These three sources are prioritized because these three sources have the greatest potential for resulting in serious injury, death, or recall if corrective actions are not implemented to prevent problems from recurring.

Step 4 – Conducting your first management review 

In addition to completing a full quality system audit before your stage 1 audit, you are also expected to complete at least one management review. To make sure that you have inputs for each of the 12 requirements in the ISO 13485:2016 standard, it is recommended to conduct your management review only after you have completed your full quality system audit and initiated some corrective actions. If possible, you should also conduct supplier audits for any contract manufacturers or contract sterilizers. It is recommended to use a template for that management review that is organized in the order of the required inputs to ensure that none of the necessary inputs are skipped. Quality objectives will need to be established long before the management review so that the top management team has sufficient time to gather data regarding each of the quality objectives. Also, you should consider delegating the responsibility for creating the various slides for each input to different members of top management. This will ensure that everyone invited to the meeting is engaged in the process, and it will spread the workload for meeting preparation across multiple people.

At the end of the meeting, top management will need to create a list of action items to be completed before the next management review meeting. Meeting minutes will need to be documented for the meeting, including the list of action items and each of the four required outputs of the management review process. We recommend using the notes section of a presentation slide deck to document the meeting minutes related to each slide. Then the slide deck can be converted into notes pages and saved as a PDF. The PDF notes pages will be your final meeting minutes for the management review. An example of one of these note pages is provided in the figure below.

One of the more common non-value-added findings by auditors is when an auditor issues a nonconformity because you do not have your next internal audit and your next management review scheduled–even though each may have occurred only a month prior to the Stage 1 audit. Therefore, we recommend that you document your next 12-month cycle for internal audits and schedule your next management review as action items in every management review meeting. The schedule can be adjusted if needed, but this allows top management to emphasize various areas in internal audits that may need improvement. You might even set a quality objective to conduct a minimum of three management reviews per year at the end of your first management review.

Step 5 – Stage 1, Initial ISO 13485 Certification Audit

In 2006, the ISO 17021 Standard was introduced for assessing certification bodies. This is the standard that defines how certification bodies shall go about conducting your initial certification audit, annual surveillance of your quality system, and the re-certification of your quality system. In the past, certification bodies would typically conduct a “desktop” audit of your company before the on-site visit to make sure that you have all the required procedures. However, ISO 17021 requires that certification bodies conduct a Stage 1 audit that assesses the readiness of your company before conducting a Stage 2 audit. Therefore, even if the Stage 1 audit is conducted remotely, the certification body is expected to interview process owners and sample records to verify that the quality system has been implemented. Certification body auditors will also typically verify that your company has conducted a full quality system audit and at least one management review. Finally, the auditor will usually select a process such as corrective action and preventive action (CAPA) to make sure that you are identifying problems with the quality system and taking appropriate measures to address those problems.

Your goal for the Stage 1 audit should not be perfection. Instead, your focus is to make sure that there are no “major” non-conformities. The term “major” used to have a specific definition:

1. Absence of a documented procedure or process
2. Release of nonconforming product
3. Repeat nonconformities (not possible during Stage 1)

Under the MDSAP, the grading system for nonconformities now uses a numbering system for grading nonconformities: “Nonconformity Grading System for Regulatory Purposes and Information Exchange Study Group 3 Final Document GHTF/SG3/N19:2012.” Any nonconformity is graded on a scale of one to four, and then two potential escalation rules are applied. If any nonconformities are graded as a four or a 5, then the auditor must assess whether a five-day notice to Regulatory Authorities is required. A five-day notice is required in either of the following situations: 1) one or more findings grading of “5”; or 2) three or more findings graded as “4.” If your Stage 1 audit results in a five-day notice, then you are not ready for your Stage 2 audit. For example, a complete absence of two required procedures in clauses 6.4 through 8.5 of ISO 13485:2016 would result in two findings with a grading of “4.” This would not result in a five-day notice, but the absence of a third required procedure would result in a five-day notice.

The duration of your Stage 1 audit will be one or two days, but a 1.5-day audit is quite common for MDSAP Stage 1 audits. The reason for the 1.5-day Stage 1 audit is that it is challenging to assess readiness for Stage 2 in one day, and if the total duration of Stage 1 and Stage 2 is 5.5 days, then the Stage 2 audit could be completed in four days. The four-day audit is more convenient than a three-day audit for a two-person audit team.

After your Stage 1 audit, you will receive an audit report, and you should expect findings. You should initiate corrective actions for each finding immediately, to make sure the findings are corrected and prevented from repeat occurrence before the Stage 2 audit. The duration between the audits is typically about 4-6 weeks. That does not leave much time for you to initiate a CAPA, perform an investigation of the root cause, and implement corrective action. At a minimum, you must submit a corrective action plan for each finding to your MDSAP auditing organization (AO) within 15 calendar days of receiving the finding. For any findings graded as a “4” or higher, you will need to provide evidence of implementing the corrective action plan to the AO within 30 calendar days of receiving the finding. You are also unlikely to have enough time to conduct an effectiveness check prior to the Stage 2 audit.

Step 6 – Stage 2, Initial ISO 13485 Certification Audit

The Stage 2 initial ISO 13485 certification audit will verify that all regulatory requirements have been met for any market you plan to distribute in. The auditor will complete an MDSAP checklist that includes all of the regulatory requirements for each of the countries that recognize MDSAP: 1) the USA, 2) Canada, 3) Brazil, 4) Austria, and 5) Japan. The auditor will also sample records from every process in your quality system to verify that the procedures and processes are fully implemented. This audit will typically be at least four days in duration unless multiple auditors are working in an audit team.

The audit objectives for the Stage 2 ISO 13485 certification audit specifically include evaluating the effectiveness of your quality system in the following areas:

1. Applicable regulatory requirements
2. Product and process-related technologies
3. Technical documentation

All procedures will be reviewed for compliance with ISO 13485:2016 and the applicable regulations. The auditor will also sample records from each process. If the auditor identifies any nonconformities during the audit, it is important to record the findings and begin planning corrective actions immediately. If you have any questions regarding the expectations for the investigation of the root cause, corrections, corrective actions, and effectiveness checks, you should ask the auditor during the audit or the closing meeting. At a minimum, you must submit a corrective action plan for each finding to your MDSAP auditing organization (AO) within 15 calendar days of receiving the finding. For any findings graded as a “4” or higher, you will need to provide evidence of implementing the corrective action plan to the AO within 30 calendar days of receiving the finding. The auditor will not be able to recommend you for ISO 13485 certification until your corrective action plans are accepted.

If you receive a finding with a grading of “5,” or three or more findings graded as “4,” then the MDSAP auditor is required to issue a five-day notification to the regulators. The auditor will also need to return to your facility for a follow-up audit to close as many findings as they can. It is not necessary to eliminate all of the findings in order to be recommended for ISO 13485 certification, but the grading of the findings must be reduced to at least a “3” before recommending the company for certification. The number of findings also determines whether the auditor recommends your company for certification.

In addition to reviewing the findings and conclusions of the audit during the closing meeting, the auditor will also review the plan for the annual surveillance and re-certification with you. Each certification cycle is three years in duration. There will be two surveillance audits of approximately one-third of the duration of the combined duration of stage 1 and stage 2 initial certification audits, and the first surveillance audit must be completed within 12 months of the initial certification audit. In the third year, there will be a re-certification audit for two-thirds of the duration of the combined duration of stage 1 and stage 2 initial certification audits. The initial ISO 13485 certificate will be issued with a three-year expiration, and the certificate is typically received about one month after the acceptance of your corrective action plan.

Q&A

There are no stupid questions, and we can save you weeks of wasted time if you just ask for help. We are always looking for new ideas for blogs, webinars, and videos on our YouTube channel. If you have any general questions about obtaining ISO 13485:2016 certification, please email Rob Packard at rob@13485cert.com. If you have a suggestion for new ISO 13485 training materials, you can also use our “Suggestion Box.” You can also schedule an initial free consultation with Rob using his calendly link.

Your CAPA procedure is the most important SOP. It forces you to investigate quality problems and take actions to prevent nonconformity.

CAUTION: Read the story in the next few paragraphs before you implement any purchased procedure

During a recent internal audit, I noticed that the client was not meeting one of the requirements of their CAPA procedure. Specifically, the procedure indicated that all CAPA plans must be written within seven calendar days of initiating the CAPA. Despite this requirement in their procedure, the client was indicating that CAPA plans were due within 30 calendar days on their CAPA form.

This example is a minor nonconformity, but the reason why this client was not following their procedure is more interesting. The procedure was 100% compliant with FDA regulations, but the procedure did not match how the company performed the process. The procedure and the process MUST match.

This client purchased their CAPA procedure from another consultant, changed the title, and had everyone in the company “read and understand” the procedure for training.

Make sure your CAPA procedure is clear and concise

Procedures are often unclear because the author is more familiar with the process than the intended audience for the procedure. An author may abbreviate a step or skip it altogether. As an author, you should use an outline format and match your CAPA form exactly. There should be nothing extra in the procedure, and nothing left out. Medical Device Academy’s updated CAPA procedure is only six pages and the CAPA form is four pages.

SYS-024 Corrective and Preventive Action (CAPA) Procedure, Form, and Log

SYS-024 - Medical Device Academy's newly updated CAPA procedure is a 6-page procedure. Your purchase will also include our CAPA form (FRM-009), and our CAPA log (LST-005). The procedure is compliant with ISO 13485:2016, 21 CFR 820.100, SOR 98/282, and the EU MDR. You will also receive free updates in the future. We are currently distributing our 16th version of the procedure.

Price: $299.00

CAPA procedure writing recommendations

Procedures are often unclear because the author is an expert with more experience than the intended audience. An author may abbreviate a step or skip it altogether. As an author, you should use an outline format and match your CAPA form exactly. There should be nothing extra in the procedure, and nothing left out. Before writing your own CAPA procedure, consider following these 7 steps:

1. Design your CAPA form first
2. Identify which steps in your process are most important and specify how these steps will be monitored (i.e., risk-based approach)
3. Write a procedure that follows your CAPA form and includes instructions for monitoring and measuring your CAPA process
4. Conduct group CAPA training using the draft version of your form and procedure
5. Make revisions to the form and procedure to clarify steps the trainees had difficulty with
6. Ask the trainees to review the revised form and procedure
7. Make final revisions and route the procedure for approval

The specific order of steps is essential to creating a CAPA procedure—or any procedure. Writing a procedure that matches the form used with that procedure helps people understand the tasks within a process. Throughout the rest of this article, we describe each of the nine steps of Medical Device Academy’s CAPA procedure (SYS-024). The actual CAPA form (FRM-009) sold with SYS-024 is more complex than 9 steps, but a more complex form is needed to make sure every sub-task is documented in your CAPA records.

Review nonconformities, including complaints, to determine if a CAPA is needed (Step 1)

If I am auditing a CAPA process, and almost all the CAPAs are resulting from auditor findings, then I know the client is not adequately reviewing other sources of potential quality issues. When I took my first CAPA training course, the image below was drawn on a flip chart by Kim Trautman. I have used this image in all of my CAPA training for other people since. I think this provides a good visual representation of the most common sources of new CAPAs. Although the number of CAPAs from each source will never be equal, you should review all of these data sources for quality issues periodically. 

CAPA procedure step 2 – Describe and reference the quality issue

The next step is to copy and paste your quality issue directly into the CAPA record and add a reference to the source. This step of the CAPA procedure is not a specific requirement of the ISO 13485 standard or the FDA regulations. However, describing and referencing quality issues in your CAPA record is a practical requirement. The person assigned to investigate the root cause of the quality issue needs to know what the source of the quality issue is, and when you are trying to close a complaint or audit report you will find it helpful to cross-reference the two records. For example, the CAPA might be related to the fifth nonconformity in your second internal audit report for 2022 (e.g. IA 220205).

Attribution: Icons were copied and pasted from Flaticon.com.

Step 3 – Perform a root cause analysis

Why can’t we fix our mistakes the first time? We are doomed to repeat mistakes when we fail to identify the root cause or causes. The person you assign to investigate a quality issue must be trained to perform a thorough root cause analysis. Successful root cause analysis depends upon four things:

1. Courage to admit that your process is broken
2. Learning more than one tool for analyzing problems
3. Practicing the use of root cause analysis tools
4. Sampling enough records (or testing enough product)

The common belief is that people fail to identify the root cause because they need root cause training (#2) or more practice (#3). However, most people fail because they stop sampling or testing too soon. I typically recommend that companies sample at least twice as many records as the suspected problem frequency. For example, if a complaint occurs 1% of the time, you should review 200 records before you can be sure you identified that root cause. If you are correct, you will only find the quality issue twice in the 200 records. However, a review of 200 records often reveals that the quality problem is more common than you originally estimated and there is more than one cause of device malfunction.

CAPA procedure step 4 – Do you need a new CAPA?

After you have successfully completed a root cause analysis, you now need to determine if a new CAPA is needed. If there is already a CAPA that is open for the same quality issue, you can use the existing CAPA as justification for not conducting corrective actions. In this case, you should include a cross-reference in the new CAPA record to the existing CAPA record. You should also document containment measures and corrections.

In both the existing CAPA record and your new CAPA record you should also be documenting your risk evaluation of your CAPA. In the latest update to our CAPA procedure, we changed the method of risk evaluation to match the MDSAP grading process for nonconformities. A copy of this section is provided in the image below.

In the CAPA procedure, we state that any risk score of 4 or 5 requires the implementation of a CAPA. If any of the escalation rules apply to the risk score, you should implement a CAPA regardless of the total risk score. This is our recommendation for a method of risk evaluation, but there is no standard telling you that you must do it this way. However, we believe this method of calculation is more likely to be consistent because it is based on the MDSAP grading guidelines.

If no escalation rules apply to your risk score, it may be possible to implement containment and corrections only. If your action plan includes only containment and corrections, we recommend that you monitor the quality issue as a process metric or quality objective to identify future occurrences. If you are evaluating a new CAPA that appears to have the same root cause as an existing CAPA, you may need to update the risk score of the existing CAPA to a higher number based on the escalation rules. Escalation may impact your corrective action plan, and it should certainly affect the prioritization of your existing CAPA.

Plan and document your corrective actions, including updating documentation (Step 5)

The biggest mistake you can make in this stage of the CAPA process is to spend too much time planning your corrective actions. “Take action and document it” is the essence of this step in the CAPA procedure. If you spend all of your time planning, then you will never take action. The CAPA plan can and should be edited. Therefore, if you know a procedure needs revision, start revising the procedure immediately. You can always add more corrective actions to your corrective action plan after you write the procedure, but you need to start writing. The second biggest mistake you can make during this stage is failing to document the actions you take. If you don’t document your actions, it’s a rumor, not a record.

Do your planned actions adversely affect regulatory compliance or safety and performance? (Step 6)

One of the required actions for a CAPA is to update your procedure(s) to reflect any process improvements to eliminate the root cause. When you update procedures, you need to make sure procedural changes do not create a regulatory compliance issue. We do this by inserting a cross-reference to each regulatory requirement in our procedures. The cross-reference is then color-coded and we add a symbol for people that are color blind. Symbols also facilitate electronic searches for regulatory requirements.

If corrective actions you implement involve design changes you will need to repeat design verification and design validation to make sure design changes do not impact safety and performance. If corrective actions change your manufacturing or service processes, you will need to repeat process validation to make sure that the process changes do not impact compliance with your design specifications. These recertification and revalidations steps are frequently forgotten, and they represent the biggest challenge for review and approval of design and process changes (described in the video below).

Perform an effectiveness check – Step 7 of your CAPA procedure

Most people verify CAPA effectiveness by verifying that all the actions planned were completed, but this is not a CAPA effectiveness check. An effectiveness check should use quantitative data from your investigation of the root cause as a benchmark. Then you should verify that the performance after corrective actions is implemented resulted in a decrease in the frequency of the quality problem, a decrease in the severity of the quality problem, or both. Ideally, a process re-validation was performed because validation protocols are required to include quantitative acceptance criteria for success.

Step 8 – Record your CAPA results

You are required to record each step of your CAPA procedure in a CAPA record (FRM-009). Therefore, we created a form that is organized in the order of the CAPA process, and then we wrote the CAPA procedure to match the organization of the form. The biggest mistake we see is that the CAPA owner does not update the record to include all of the details until the CAPA plan is completely implemented. This is a mistake. You should be documenting actions when they are taken. When you gather new information, and you need to update your root cause investigation or your corrective action plan, you are allowed to modify the record. You just need to have a system that allows you to keep track of revisions. This is often referred to as an “audit trail.” If you have a paper-based system, you will need to sign and date the document each time you make an addition. If you revise previous entries, you will need to revise and reprint the CAPA record, and then you will need to sign and date the revised and reprinted CAPA record. Ideally, you will have an electronic system with an audit trail, but software budgets are not infinite.

CAPA procedure step 9 – Close the CAPA record 

The last step in the CAPA procedure is to close your CAPA record. As with most quality system records, the person responsible for the process should review and approve each record for closure with a signature and date. If the person assigned to the CAPA left sections incomplete or made mistakes in completing the CAPA form, the person that made the mistake should be instructed to correct the mistake, identify that they made a correction, and identify the date of the correction. If a CAPA is not effective, then a cross-reference to the new CAPA that is opened should be documented in the older CAPA record.

CAPA Training

If you are interested in more training on CAPA, you might be interested in purchasing Medical Device Academy’s Risk-Based CAPA webinar. 99% of companies hold off on their training until a procedure is officially released as a controlled document. In my experience, however, these procedures seem to have a lot of revisions made immediately after the initial release. New users ask simple questions that identify sections of procedures that are unclear or were written out of sequence. Therefore, you should always conduct at least one training session with users prior to the final review and approval of a procedure. This will ensure that the final procedure is right the first time, and it will give those users some ownership of the new procedure.

After you train your initial group, and after you make the edits they recommended, ask those trainees to review and edit your changes to the procedure. Sometimes we don’t completely understand what someone is describing, and sometimes maybe only half-listening. Going back to those people to verify that you accurately interpreted their feedback is the most important step for ensuring that users accept your new procedure.

After you approve your new CAPA procedure, make sure everyone in your company is trained on the final version of the procedure. CAPA is a critical process (i.e., “the heart”) in your quality system. Everyone should understand it. You should also provide extra CAPA training for department managers, such as root cause analysis training because they will be responsible for implementing CAPAs assigned to their department. You can use this 7-step process for any procedure, but ensure you use it for the most important process of all—your corrective and preventive action process.
Thank you for reading to the end of this article. Spaz and I thank you for your support.