Author name: Robert Packard

Medical Device CE Marking: Writing a Classification Rationale

Leave a Comment / CE Marking / By / ,

%name Medical Device CE Marking: Writing a Classification RationaleThe author reviews considerations in “how to” write a classification rationale for medical device CE marking (i.e., questions for applying classification rules).

 CE Marking of medical devices requires technical documentation (i.e., – a Technical File or Design Dossier). One of the requirements of this technical documentation is to establish the risk class of a device in accordance with the classification rules in Annex IX. The requirement to include this classification rationale in the Technical File is not well defined in Article 9, Classification, of the Medical Device Directive (http://bit.ly/M5MDD), but the guidance document for Technical Documentation (http://bit.ly/NBMED251Rec5) clearly defines this requirement in Section 3.2 (viii). Establishing a classification rationale is the first step to establishing the regulatory pathway that will be required to CE Mark your medical device.

What are the Classifications?

There are four different classifications of medical devices in Europe: Class I, Class IIa, Class IIb and Class III. These four classifications are also referred to as “risk class.” The lowest risk classification is Class I, and the highest risk classification is Class III. Class IIa is considered a “medium risk,” while Class IIb is considered a “high risk” medical device. Notified Body involvement and a CE Certificate from the Notified Body is required for almost all medical devices distributed in Europe, however, Class I devices that are non-sterile and do not perform a measurement function do not require Notified Body involvement. Class I devices that are sterile are often referred to as “Class I-S,”but this is not a term used in the Directive. The same is true of “Class I-M” for Class I devices with a measurement function.

Applying the Rules for Medical Device CE Marking

In order to apply the classification rules as defined in Annex IX of the MDD, the following questions must be answered for the device or device family:

  1. Is the device invasive? –  Invasiveness of a device is an important criterion, because non-invasive devices are generally Class I, and there is typically no Notified Body involvement required for these devices.
  2. Is the device surgically invasive, or invasive with respect to body orifices?  If a device is surgically invasive with respect to a body orifice, Rule 5 is the most likely classification rule. For all other devices that are surgically invasive, the duration of use is important
  3. How long is the device used inside the body? The primary difference between Rules 6, 7 and 8 is the duration of use. In general, permanent implants are subject to Rule 8, and are Class IIb devices. The other surgically invasive devices are generally Class IIa devices. Devices under Rule 6 are for “transient” use (i.e., – intended for continuous use for less than 60 minutes). Devices under Rule 7 are for “short-term” use (i.e., – intended for continuous use for between 60 minutes and 30 days.). There are multiple exceptions to each rule, and these exceptions should all be considered.
  4. Is the device electrically powered (i.e., – an active device)? Active devices are subject to rules 9, 10, 11 and 12.
  5. Do any of the “Special Rules” apply? It is recommended to actually start with Rules 13-18 to ensure that one of the special rules do not apply. For example, if you are making blood bags, there is no need to read anything in Annex IX except Rule 18.
Guidance Document for Classification

Annex IX defines the classification rules for Europe, but there is also a guidance document (http://bit.ly/EUClassification) published that helps to explain the classification rules with examples. This guidance document is extremely important, because it provides clarification of rules based upon interpretations that have been made by Competent Authorities with Notified Bodies and companies. For example, critical anatomical locations are defined in Section 3.1.3: “For the purposes of the Directive 93/42/EEC, ‘central circulatory systemmeans the following vessels:…”.

When you write a classification rationale for your technical documentation, it is important to reference this document—as well as Annex IX of the MDD. Your rationale should address each of the questions above for applying the classification rules. In addition, your rationale should indicate that none of the “Special Rules” (Rules 13-18) are applicable to your device or device family.

Mixed Classifications

It is possible to have a device family, contained within one Technical File or Design Dossier, that has more than one Classification. For example, you could choose to group a family of vascular grafts together in one Technical File that are permanent implants and non-absorbable. Normally, these devices would be Class IIb in accordance with Rule 8. However, if one or more of the grafts is intended for vessels included in the central circulatory system, then these grafts would be Class III devices. If a graft can be used for either indication, then the higher classification should be applied.

Proposed EU Regulations

On September 26, 2012, the European Commission released a draft proposal for a new medical device regulation. The expected implementation transition period for these proposed regulations is 2015-2017. In Annex II of the proposed regulations (http://bit.ly/EUProposal), it specifies that the risk class and applicable classification rationale shall be documented in the technical documentation. This appears as item 1.1e) under the heading of “Device description and specification.”

The MDD defines the classification rules for medical devices in Annex IX, while in the proposed EU regulations classification, rules are now in Annex VII. The MDD also has 18 rules, while the proposed regulations have 21 rules. In order to download a Gap Analysis of the Classification Rules for CE Marking, please visit the following page on this website: http://bit.ly/gapanalysiscmda.

If you need assistance with medical device CE Marking, or you are interested in training on CE Marking, please contact Medical Device Academy at: rob@13485cert.com. Medical Device Academy is developing a webinar series specifically for this purpose. You can also call Rob Packard by phone @ 802.258.1881. For other blogs on the topic of “CE Marking,”please view the following blog category page: http://robertpackard.wpengine.com/category/ce-marking/

ALARP vs As far as possible – Deviation #3

3 Comments / ISO 14971:2019 (Risk Management) / By / ,

This third blog in a seven-part series reviews deviation #3, ALARP vs. “As far as possible,” with regard to risk reduction.

chart dev 3 ALARP vs As far as possible Deviation #3In 2012, the European National (EN) version of the Medical Device Risk Management Standard was revised, but there was no change to the content of Clauses 1 through 9. Instead, the European Commission identified seven content deviations between the 14971 Standard and the requirements of three device directives for Europe. This seven-part blog series reviews each of these changes individually and recommends changes to be made to your current risk management policies and procedure.

Note: This is 2013 blog that will be updated in the near future, but the following link is for our current risk management training.

Risk reduction: “As Far As Possible” (AFAP) vs. “As Low As Reasonably Practicable” (ALARP)

The third deviation is specific to the reduction of risk. Design solutions cannot always eliminate risk. This is why medical devices use protective measures (i.e., – alarms) and inform users of residual risks (i.e., – warnings and contraindications in an Instructions For Use (IFU). However, Essential Requirement 2 requires that risks be reduced “as far as possible.” Therefore, it is not acceptable to only reduce risks with cost-effective solutions. The “ALARP” concept has a legal interpretation, which implies financial considerations. However, the European Directives will not allow financial considerations to override the Essential Requirements for the safety and performance of medical devices. If risk controls are not implemented, the justification for this must be on another basis other than financial.

There are two acceptable reasons for not implementing certain risk controls. First, risk control will not reduce additional risk. For example, if your device already has one alarm to identify a battery failure, a second alarm for the same failure will not reduce further risk. The redundant alarms are often distracting, and too many alarms will result in users ignoring them.

The second acceptable reason for not implementing a risk control is that there is a more effective risk control that cannot be simultaneously implemented. For example, there are multiple ways to anchor orthopedic implants to bone. However, there is only enough real estate to have one fixation element at each location. If a femoral knee implant is already being anchored to the femur with metal posts and bone cement, you cannot also use bone screws at the same location on the femur to anchor the implants in place.

ALARP does not reduce risk “As far as possible”

Annex D.8 in ISO 14971, recommends the ALARP concept in Clause 3.4 of the 14971 Standard. Therefore, the risk management standard is contradicting the MDD. This contradiction is the primary reason why medical device companies should discontinue the use of phthalates and latex for most medical devices. Even though these materials are inexpensive solutions to many engineering challenges presented by medical devices, these materials present risks that can be avoided by using more expensive materials that are not hazardous and do not pose allergic reactions to a large percentage of the population. The use of safer materials is considered “state-of-the-art,” and these materials should be implemented if the residual risks, after implementation of the risk control (i.e., – use of a safer material) are not equal to, or greater than, the risk of the cheaper material.

Recommendation for eliminating ALARP

Your company may have created a risk management procedure that includes a matrix for severity and probability. The matrix is probably color-coded to identify red cells as unacceptable risks, yellow cells that are ALARP, and green cells that are acceptable. To comply with EN ISO 14971:2012, the “yellow zone” should not be labeled as ALARP. A short-term solution is to simply re-label these as high, medium, and low risks. Unfortunately, renaming the categories of risk high, medium, and low will not provide guidance as to whether the residual risk is reduced “as far as possible.”

Resolution to this deviation

As companies become aware of this deviation between the 14971 Standard and the Essential Requirements of the device directives, teams that are working on risk analysis, and people that are performing a gap analysis of their procedures will need to stop using a matrix, like the example above. Instead of claiming that the residual risks are ALARP, your company will need to demonstrate that risks are reduced AFAP, by showing objective evidence that all possible risk control options were considered and implemented. Your procedure or work instruction for performing a risk control option analysis may currently state that you will apply your risk management policy to determine if additional risk controls need to be applied, or if the residual risks are ALARP.

This procedure or work instruction needs to be revised to specify that all risk control options will be implemented unless the risk controls would not reduce risks further, or the risk controls are incompatible with other risk controls. Risk control options should never be ruled out due to cost.

Effective Management Solutions for 10 CAPA Program Blunders

3 Comments / CAPA / By / , ,

The author provides effective management solutions for ten real-life CAPA program blunders., (i.e., procedures, root cause analysis, closing CAPAs, etc.)

%name Effective Management Solutions for 10 CAPA Program Blunders
Effective Management Solutions for 10 CAPA Program Blunders

I am always looking for new and creative ways to help people understand the importance of maintaining an effective Corrective and Preventive Action (CAPA) program. If my last dozen CAPA blogs were not convincing enough, maybe this list of suggestions will help.

  • 1. If someone doesn’t follow procedures, just fire them. The employee in question is obviously the root cause. Management cannot be held responsible for the actions of employees. Once, I read a corrective action plan that indicated termination was the correction for a missing training record. The QA Manager clarified this statement by saying that the employee resigned for personal reasons, and there was no opportunity to train the employee. The CAPA record also indicated that 100% of the training records for manufacturing employees were reviewed for completion. There were a few records identified as incomplete, and those employees were trained—not terminated. The company also implemented a tracking tool to monitor training records. As a general rule, termination is not an acceptable corrective action or correction.
  • 2. If CAPAs are open longer than your procedure allows, close the existing CAPAs the day before the CAPAs become overdue, and open new CAPAs. CAPAs are not “closed” until all nonconformities have been corrected, corrective and preventive actions are implemented, and effectiveness checks are done. If the corrective and preventive actions were not completely effective, some companies chose to reopen the record and expand the plan of corrective and/or preventive actions. Other companies chose to open a new CAPA record, and reference the new record in the effectiveness check section of the previous CAPA record. Either approach works, but you cannot close an incomplete record and remain compliant.
  • 3. To verify the effectiveness of corrective actions, just include a copy of your document change order. Documenting changes to procedures meets part of the CAPA requirements, but this verifies implementation—not effectiveness. To verify the efficacy, you need to confirm that a nonconformity, or a potential nonconformity, will not recur. Low-frequency defects are often hard to demonstrate directly. The best approach is to validate the process parameters to demonstrate quantitatively that the process capability has improved. For manual processes, you may need to test the new process to verify that the error will not occur or will be detected.
  • 4. If you can’t finish tasks on schedule, revise your plan. If you still can’t finish tasks on schedule, revise your plan again—and again. It’s appropriate to revise your plan if you discover additional causes that your initial investigation missed. You should not, however, be revising target completion dates—except in rare cases. You also should not need to revise your plan multiple times.
  • 5. When you’re unsure why a problem occurred, identify the root cause as an unclear procedure, and make a minor change to the appropriate SOP. Making changes to procedures is quick and easy to verify. Unfortunately, this approach is seldom effective in preventing recurrence. You need to develop new process controls to make errors impossible. Eliminate variation in raw materials, eliminate subjectivity in inspections, and provide tools and fixtures to make manual processes capable of more consistent results. After you have reduced all three of these sources for process defects, then you are ready to revise your procedures and retrain employees.
  • 6. Whenever an employee fails to follow a procedure, just change the procedure to require another person to verify that they did it right. If one employee fails to follow procedures 100% of the time, a second person manually inspecting will also not be 100% effective. Another method of process control should be used to ensure that your process results in a conforming product. Adding more people provides a false sense of confidence. The use of objective measurement and go/no go fixtures offer a higher degree of certainty.
  • 7. Write a justification for an extension of the implementation timeline if a CAPA is about to become overdue. Justifications for extension provide objective evidence that management is aware that a CAPA plan is not meeting the target completion times. This is necessary on rare occasions, but extensions should never become routine. Also, if the progress of a CAPA is slow, monitoring should be frequent enough that management can release additional resources, or re-prioritize assignments in order to catch-up with the target completion date.
  • 8. Use the “5 Why” technique for root cause analysis to identify a user error to blame for complaints. The “5 Why” technique is effective at investigating the depth of a problem to ensure that the root cause is identified—instead of a symptom. If the reason for a problem is recognized as a supplier, then it is necessary to ask why the supplier’s error was not prevented or detected. Sometimes this requires asking “Why” more than five times, but identifying a cause you have no control over will fix nothing
  • 9. To monitor your CAPA program, conduct weekly CAPA board meetings where a person is asked to explain why the CAPA they were assigned is overdue. Anyone can make an excuse, but excuses will not complete CAPAs. CAPA boards and weekly meetings can be extremely valuable, but your CAPA board should rely on three rules: 1. Managers need to be present to re-allocate resources and re-prioritize tasks. 2. CAPAs that are on schedule or ahead of schedule requires no further discussion. 3. Anyone assigned to a CAPA that is behind schedule should request help and suggest solutions before the CAPA becoming overdue.
  • 10. Do not assign other departments the responsibility for CAPAs, because only QA has the training and competency to conduct an investigation of the root cause, and write a CAPA plan.  One of the most effective CAPA management tools I observed was a visual communication board that used color-coded paperclips, which identified resources assigned to CAPAs. By limiting the number of paperclips to equal the number of resources allocated to CAPAs, the company was able to level the workload of CAPA assignments to match the available resources in each department. You can only achieve this level of efficiency and effectiveness if multiple people in multiple departments are trained and competent to investigate the root cause and write CAPA plans. CAPA should be a core competency for every department because it’s the best process for fixing and preventing problems.

Disclaimer: If you missed my sarcasm, these are ten ways to mismanage a CAPA program. The brief paragraph after each numbered example is intended to provide the actual recommendation for effective management of your CAPA program.

%name Effective Management Solutions for 10 CAPA Program BlundersIf you are interested in learning more about CAPA, please register for the Medical Device Academy’s CAPA Workshop on October 3 in San Diego. Click here to register for the event: http://bit.ly/MDAWorkshops.

Risk Acceptability – Deviation #2 in EN ISO 14971

6 Comments / ISO 14971:2019 (Risk Management) / By /

This 7-part blog series continues with the author reviewing deviation #2, risk acceptability, in the EN ISO 14971:2012 Standard.
%name Risk Acceptability Deviation #2 in EN ISO 14971

In 2012, the European National (EN) version of the Medical Device Risk Management Standard was revised, but there was no change to the content of Clauses 1 through 9. Instead, the European Commission identified seven content deviations between the 14971 Standard and the requirements of three device directives for Europe. This seven-part blog series reviews each of these changes individually. The second deviation is specific to risk acceptability.

Discretionary power of manufacturers as to Risk Acceptability

The second deviation is specific to determining risk acceptability in the risk evaluation process. The ISO 14971 Standard indicates in Annex D4 that the acceptability of risk is not specified by the Standard and must be determined by the manufacturer. Clause 3.2 of the 14971 Standard, it states that “Top management  shall: define and document the policy for determining criteria for risk acceptability.” This risk management policy is intended to indicate a threshold for risk acceptability. In Clause 5 of the 14971 Standard, the manufacturer is instructed to evaluate whether risks are acceptable using the risk management criteria defined in the risk management policy.

Essential requirements 1 and 2 require that risks be reduced as far as possible and that all risks shall be included in a risk-benefit analysis—not just the risks that exceed a certain threshold for risk acceptability. Therefore, the requirement to establish a risk policy for the acceptability of risk directly contradicts the MDD.

Since the 2nd edition of the 14971 Standard was first issued (i.e., -2007), clients have been asking me how to establish risk acceptability criteria, for new devices, I recommend benchmarking the risks of the new device against existing devices. In other words, if the new device presents equal or lower risks than existing devices, then the risks of the new device are acceptable. For existing devices, I recommend performing a risk-benefit analysis, evaluating adverse events observed with the device against the benefits of using the device. Unfortunately, most companies choose arbitrary thresholds for risk acceptability. Instead of relying upon benchmarking or risk-benefit analysis, companies will establish a policy that all risks must be below a quantitative value. For example, if the range of possible risk scores is from 1 to 1,000, all risks of 100 or less may be acceptable.

What is acceptable?

In order to comply with the EN ISO 14971:2012 version of the risk management standard, you will need to implement risk controls for all risks, regardless of acceptability. However, you will also need to perform a risk-benefit analysis. The risk-benefit analysis should consider not only the benefits to patients and the risks of using the device, but the analysis should also consider the relative benefits of using other devices.

The clinical evaluation report and the risk management report for the device should be based upon clinical evidence of the device for the intended use—including adverse events. For new devices that are evaluated based upon a literature review of equivalent devices, Notified Bodies expect a Post-Market Clinical Follow-up (PMCF) study to be conducted to verify that the actual risk-benefit of the device is consistent with the conclusions of the clinical evaluation. To perform this analysis, a clinical expert is necessary to properly evaluate the risk-benefit ratio of the device and to create a protocol for a PMCF study.

MEDDEV 2.12/2 rev 2, Post Market Clinical Follow-up Studies, indicates that the PMCF study protocol should indicate the study endpoints and the statistical considerations. In order to do this, your company will need to establish quantitative criteria for the acceptability of the identified risks. Therefore, the current 14971 Standard needs to be modified to clarify that risk acceptability criteria should be based upon clinical data, and evaluation of risks should be conducted at a later point in the risk management process (e.g., – as part of the overall risk-benefit analysis).

Impact of Deviation #2

As your company becomes aware of the second deviation between the 14971 Standard and the Essential Requirements of the device directives, your risk management team will need to change the risk management process to clarify when risk acceptability should be evaluated, and the risk management policy should specify how acceptability should be determined.

The risk management process at your company will need to specify that the implementation of risk controls is required for all risks—regardless of acceptability. You should also consider eliminating the evaluation of risk before the implementation of risk controls. Instead, your company should base the acceptability of risk solely upon the clinical risk-benefit analysis and should involve the manufacturer’s medical officer in making this determination.

Finally, your risk management process should specify the need for PMCF studies in order to verify that actual clinical data supports the conclusion that the risk-benefit ratio is acceptable over the lifetime of the device.

If you are interested in ISO 14971 training, we are conducting a risk management training webinar on October 19, 2018.

QMS Implementation Tasks

3 Comments / ISO Certification / By / ,

Learn 12 QMS implementation tasks you need to include in your quality plan for successfully implementing ISO 13485.%name QMS Implementation Tasks

QMS Implementation Tasks 

For your ISO 13485 implementation project, use a planning tool that you are comfortable with (e.g., – a spreadsheet or project planning software). Your plan should include the following:

  1. Identification of each task
  2. Target dates for completion of each task
  3. Primary person responsible for each task
  4. Major milestones throughout the project

Regular progress reports to top management and implementation meetings with all process owners are recommended to track your progress to plan. Weekly meetings are also recommended so that no tasks can fall too far behind schedule. Be sure to invite top management to weekly meetings, and communicate the progress toward completion of each task to everyone within your company. The list below identifies 12 of the most important tasks that should be included in your plan.

12 QMS Implementation Tasks to Consider for Implementing ISO 13485

  • 1. Select a certification body and schedule your certification audits (i.e., – Stage 1 and Stage 2). If you want to place devices on the market in the EU, Japan, or Canada, make sure your certification body meets the specific regulatory requirements for that market.
  • 2. Establish a Quality Manual and at least 28 required procedures. If you have purchased a copy of the excellent AAMI Guidance Document, this lists the required procedures for you. There are a few extra procedures or work instructions needed to meet regulatory requirements (e.g., – training, mandatory problem reporting, and post-market surveillance).
  • 3. Document training on the procedures comprising the quality system. A signed form indicating that employees “read and understand” the procedures is not enough. Training records should include evidence of the effectiveness of training, and you should be able to demonstrate the competency of the people performing those procedures.
  • 4. You must complete at least one full quality system internal audit. The timing of your internal audit should be late enough in the quality plan that that most elements of your quality system have been implemented. However, you want to allow enough time to initiate CAPAs in response to internal audit findings before your Stage 1 audit. If your internal auditor(s) have been heavily involved in the implementation of the quality system, you may need to hire an external consultant to perform your first internal audit.
  • 5. You need to complete at least one management review, which can be done just before the Stage 1 audit. My preference, if there is time, is to have at least two management reviews. The first review might occur three months before the Stage 1 audit, just before you plan to perform an internal audit of the management processes. There may be limited data to review at that time, but this first review provides an opportunity to train top management on their roles and responsibilities during a management review.

The second management review must cover all the requirements identified in ISO 13485, Clause 5.6. The second management review is also your last chance to identify any gaps in your quality system, and initiate a CAPA or action items before your certification auditor arrives.

  • 6. Compliance with regulatory requirements must be a commitment stated in your company’s Quality Policy. Specific regulatory requirements should be traceable to a specific procedure(s).

If you are seeking ISO 13485 Certification as part of the Canadian Medical Device Conformity Assessment System (CMDCAS) or the CE Marking process, then these regulatory requirements will be specifically included in your certification audit.

  • 7. Systematically incorporate customer and regulatory requirements into the quality management system. For contract manufacturers, this is especially important, and the Supplier Quality Agreements your company executes are the best source of these customer requirements. If your company is a legal manufacturer (the company named on the product label), this task is probably addressed sufficiently in tasks #1 and 6.
  • 8. You need to implement a supplier quality management process. If you already have a strong supplier quality program, then this may be a small task involving a few changes to your procedure. If you don’t have much of a supplier program yet, then this may involve identifying your suppliers, ranking them all according to type and risk, qualifying or disqualifying them, and executing supplier quality agreements.

Note: If you need training on Supplier Quality Management, you might consider participating in Medical Device Academy’s webinars.

  • 9. If product design is within the scope of your QMS, which is typical of legal manufacturers, but not for contract manufacturers, then you must establish a design control procedure(s). Product development projects often operate in a timeframe that is longer than your implementation project, and you may need ISO 13485 certification as part of the regulatory approval process.

Therefore, the minimum expectation is to initiate at least one development project before the certification audits. For records of implementation, you should have a design project plan, an initial risk management plan, reviewed and approved design inputs for your first product, and conduct at least one design review.

  • 10. Document what your Certification Body expects (e.g., – notifying them of significant changes). These expectations are likely to be stated in your contract with the Certification Body.
  • 11. Appoint the management representative and a deputy. Ideally, this is formally documented with a letter of appointment signed by the CEO and the management representative. This letter should be maintained in the management representative’s personnel file, along with a copy of the job description explaining the job responsibilities of the management representative. This may also be achieved by identifying the management representative and a deputy in your company’s organizational chart.
  • 12. After the certification audit, your last task should be to “Create Quality Plan #2”—another PDCA loop through the system. The reason for a new quality plan is to implement improvements based on what you learned while you were building the quality system for the initial certification audit.

If your company wants to achieve ISO 13485 certification, you may be interested in YouTube video on this topic.

Implementing ISO 13485: Planning the Project

1 Comment / ISO Certification / By /

In this article, you will learn five reasons why implementing ISO 13485 takes longer than you expect and tips to help avoid pitfalls
%name Implementing ISO 13485: Planning the Project

Implementing ISO 13485

Your company wants to achieve ISO 13485 certification. How are you going to get there? In a recent blog, I reviewed setting objectives for implementing an ISO 13485 certification project. Once you’re clear on those, then you’re ready to create your first quality plan. The basic elements of any strategy will be:

  • Task breakdown (which I will cover in a separate blog)
  • Timeline
  • Resources (skills and hours available)

Timeframes and Trade-offs of ISO 13485 Certification Planning 

The endpoint of planning for the certification project is the certification audit. The earlier you choose your registrar or Notified Body and book the audit, the more choice you will have regarding the date. This should be one of the earliest tasks in the task breakdown. To be able to do that, you need a timeframe as to when you will be ready for the certification audit. How long it takes to implement ISO 13485 and be ready for a certification audit depends upon your starting point and your available resources. If you have no QMS in place, it will take you longer than if you already have a strong, documented QMS that complies with 21 CFR Part 820.

It May Take More Work

If you already have ISO 9001 certification, though you already have a structure in place, the upgrade to ISO 13485 is likely to take more work than you expect because:

  1. There are fewer procedures required by ISO 9001
  2. Most of your existing procedures will require revision
  3. Your employees will need training on the new procedures
  4. You will need time to generate records using new procedures
  5. You will need to complete a full quality system audit of the new procedures

Many companies also underestimate the required resources for ISO 13485 certification. If you have a knowledgeable consultant, and people available to write procedures, then ISO 13485 implementation will progress faster than an organization that has little expertise and little time available, so plan accordingly. Ideally, you will determine the length of time each task will take and decide on an endpoint for the project based on that information and available resources. This approach works well if you already have a well-documented, regulated QMS.

6 Months-Reasonable Timeframe?

Six months is my rule of thumb for the time needed to implement a quality system compliant with ISO 13485. If the implementation schedule is longer, organizational enthusiasm may wane. If the timeframe is shorter than six months, it’s difficult to complete all the required tasks. No matter how carefully you plan, you still need to write procedures, train personnel, and implement procedures, so there is adequate time to generate records. Six months is aggressive for most companies, but the objective of achieving certification in six months is reasonable.

You may find it interesting that in Rob Packard’s white paper on ISO 13485 implementation. He also recommends that you allocate six months of one Full-Time Equivalent (FTE). This is a reasonable starting point, but you may want to adjust your resource allocation up or down depending on the level of experience within the implementation team. Experience has taught me that smaller organizations are more successful at building an effective quality system when effectiveness is achieved in reiterative steps (i.e., – revision 1, revision 2, etc.). This is also the basis of the Deming/Shewhart Plan-Do-Check-Act (PDCA) cycle. This is also what I meant in a recent blog, where I suggested that you should “throw perfectionism out the window.”

Your understanding of how the quality system links together will grow as you implement each process in your implementation plan. As knowledge grows, you may reconsider some of your procedures. Instead of delaying the certification process (i.e., – revision 1), you may want to implement improvements as a second revision to procedures after the Stage 2 certification audit (i.e., – revision 2). During your Stage 1 and Stage 2 certification audits, your understanding of how the standard is interpreted and audited will build. After you achieve the initial ISO 13485 certification, you will have a much greater understanding of how all the elements of the quality system need to work together. You will also understand what parts of your quality system are easy for an outsider to audit.

After the ISO 13485 Certification Audit

During the initial planning stage, you should also imagine your future state after the certification audit. Your boss may assume that once the audit has been and gone, then everything will settle back to “normal” again. The reality is that after you deal with any nonconformities, and you take off a few days like you promised your family, you will have a long list of improvement ideas waiting for you. You will also need to prepare for next year’s surveillance audit. Therefore, I recommend that you manage expectations by adding “Create Quality Plan #2” as the last step of your ISO 13485 certification plan.

Implementing ISO 13485: Dealing with Delays

1 Comment / ISO Certification / By / ,

By Guest Blogger,  Brigid Glass

%name Implementing ISO 13485: Dealing with DelaysThe author provides tips, practical examples, and six steps to follow if your ISO 13485 implementation project falls behind schedule.

In the best-planned project, with plentiful, skilled resources and diligent monitoring, things can still go awry. We need to be watchful for signs of our plans falling behind schedule, and develop contingency plans to prevent delays.

Walk Around the Mountains

Identify major obstacles early and develop a plan to deal with them. The major obstacles are usually the tasks that take the longest—such as process validation. Specifically, name these tasks in your pitch to management for resources before you start. This approach will ensure that everyone is focused on the biggest challenges.

If your plan to climb over those mountains is failing, work out a route around them. Maybe your R&D Manager can’t yet accept that there will now be design controls. In this case, an alternate path might be to leave design controls for last purposely. If you write a concise procedure and release it as your last procedure, then you have a built-in excuse for why you have very few records to demonstrate an implementation of design controls. You will still need at least one design project plan and training records to demonstrate that the process is implemented.

If this plan is successful, your auditor will write in the report that “design controls are implemented, but there are limited records to demonstrate implementation at this time.” If this plan is unsuccessful, you will need to provide additional design control records before you can be recommended for ISO certification—typically within 90 days.

Another approach is to initiate a CAPA and implement some of the tasks after the audit. For example, you have more suppliers than you can audit before certification. In this case, qualify all your suppliers, and use a risk-based approach to help you prioritize which suppliers need to be audited first. In your plan, identify that you will start by auditing the three highest-risk suppliers. Lower risk suppliers can be scheduled for audits after certification.

Be Watchful

Keep a close eye on your project plan. One of the most critical factors for success is keeping the plan and progress against the plan in front of the key players and senior management. Do this in such a way that progress, or the lack of it, is very clearly visible. It’s a basic maxim of Quality that we act on what we measure.

ISO 13485 Implementation: If Your Project Falls Behind Schedule

If you find yourself lagging seriously behind in your project, the following steps will assist you in recovering sufficiently to still be able to attain certification.

  1. Enlist management support when you need it, especially if you need them to free up resources.
  2. Prioritize. Before the Stage 1 audit, ensure that those procedures which are required by ISO 13485 are released (there are 19). There’s always room for improvement, but leave some of it for the second revision, instead of delaying certification.
  3. Ensure that you have at least a few examples of all the required records. Your auditor will be unable to tick off his checklist if a record is absent. Make it easy for the auditor.
  4. If there is a sizeable gap that you won’t be able to close before certification (i.e., – you have a validation procedure, but validations have not been completed), write a CAPA outlining your action plan to address the gap. During the audit, act confidently when you are questioned about the gap. Many auditors will give you credit for identifying the problem yourself.
  5. Don’t panic. The worst the auditor can do is to identify a nonconformity you will have to address with a CAPA plan before you can be recommended for certification. At most, this will result in a delay of a few weeks.
  6. Throughout your certification preparations and during the certification audits, you will identify issues you may not have time to resolve before the certification process is complete. If you are planning to revise procedures and make other corrections, make sure you track these issues as CAPAs or with some other tool (e.g., – an action item list). You want to address each issue prior to the first surveillance audit (no more than 12 months from the date of the Stage 2 audit).

Best wishes for your project. Success is the result of good planning, good communication, and good monitoring.

This blog is part of a series of blogs that leads up to our Roadmap to Iso 13485 Certification Courses

Quality objectives for achieving your goals

2 Comments / ISO Certification / By / ,

This article, updated in 2020, describes two different approaches to establishing quality objectives to achieve your business goals.
BHAG JFK Quality objectives for achieving your goalsGoal setting and communicating a vision of the future is not just the responsibility of the company President. Every manager should be setting goals for the teams they manage, and you can set yourself apart from your peers by building a vision with clear benefits to employees, customers, and the bottom line. Establishing quality objectives, and monitoring the progress toward those objectives is one of the greatest tools you can use to achieve your business goals. There are two different approaches to setting quality objectives, and you should use both.

Two Types of Quality Objectives

The most popular type of quality objective is a visionary goal. The phrase that I think captures this idea is the “Big Hairy Audacious Goal” (BHAG). Jim Collins and Jerry Porras coined this phrase in Built to Last. Visionary goals are long-term quality objectives that will require many smaller, coordinated changes intended to “level up” your business.

The second type of quality objective is a short-term goal. Short-term goals are not nearly as “sexy,” but achieving short-term goals builds momentum and creates long-term habits that are crucial to success. The two books that capture this concept best are The Compound Effect by Darren Hardy and The Slight Edge by Jeff Olsen. Both books emphasize the importance of consistency and small improvements to achieve success. The secret to establishing short-term goals is to make sure that your short-term goals are aligned toward helping you achieve long-term goals.

In our quality system procedures, we include a section for monitoring, measurement, and data analysis. For every process in your quality system, you should have at least one defined quality metric that you consistently measure. Everyone involved in that process should be aware of the metric, and data analysis should be shared with everyone in the company. Some of those quality metrics will be more important than others, but everyone must expect to achieve the goals that are set. You can pick anything you want to measure for a process, but for the metric to be used as a quality objective, it must be measurable and consistent with your quality policy. I like to define measurable by saying, “You must be able to graph it.”

6 Steps to Achieving Big Hairy Audacious Goals (BHAG)

Not all quality objectives have to be small, dull, or easy. You are required to establish quality objectives. Both the QSR (21 CFR 820.20, management responsibility) and the ISO Standard (ISO 13485:2016, Clause 5.4.1, require that top management establish quality objectives. These objectives must also be reviewed during management reviews, and they should be established at all levels throughout your company. Some of these objectives will be small, but you should make at least one of your quality objectives big, exciting, and hard to achieve. If you want to set your first BHAG for your team, try following these six steps.

STEP 1: Involve your team in setting quality objectives

Weak managers dictate goals, but leaders get teams involved in the goal-setting process. Getting your team involved gives them ownership of the goal. If you’re unsure of how to get your team involved, you might try a brainstorming session. A good brainstorming session is relatively short (i.e., – < 1 hour). Everyone needs to understand the goal of the brainstorming session: to generate many ideas for a possible BHAG. Everyone needs to understand what a BHAG is. These examples might help:

  1. Reduce average monthly scrap by 80% with a Pareto Chart
  2. Reduce the average number of nonconforming material reports by 50%
  3. Increase the ratio of preventive actions to corrective actions to > 1.00

Finally, negative comments should not be tolerated. Bad, good, and silly ideas should all be encouraged because the purpose of brainstorming is to generate many ideas. After you have 100+ ideas, you and your team can schedule another meeting to select the best goal(s).

STEP 2: Predict the bottom-line impact of quality objectives

Top management’s perception of a BHAG will be directly proportional to the impact on the bottom line. If the impact is small, the “B” in BHAG is a “b.” You and your team should use the potential impact on the bottom line as the first selection criteria for picking the best BHAG from the brainstorming list. The accuracy of these estimates doesn’t matter initially. Still, once you choose the goal, you will need to verify the accuracy of the financial impact and define how that impact will be measured.

STEP 3: Look to the future, but focus on the next milestone

Picking a five and ten-year goals is appropriate for discussions with Human Resources about your career, but companies are measured on quarterly financials. Therefore, you will need to focus on the goals you can achieve in three to six quarters. The number of milestones you set should also be few, and you should focus on one at a time. If the goal is only three quarters away, you might have monthly targets, while longer projects need interim milestones.

STEP 4: Milestone momentum

Longer projects often become delayed because people will procrastinate, and teams will lose momentum. When you break your long-term goals into smaller chunks, everyone can focus on the next milestone and see the progress. Each piece should be a sound stage of the project, and completion of the stage must be clearly defined. To create momentum, you must achieve each milestone–always. The pattern of consistent milestone achievement builds confidence, and your team will gradually develop the habits needed to sustain your progress.

STEP 5: Assign the Skeptic to Report on Quality Objectives

A good statistician can make the numbers look any way you want, but skeptics in other departments (and within your team) will criticize your claims of success. One way to silence the skeptics on your team is to make them responsible for measuring and reporting the team’s progress. This approach ensures that progress reports are conservative and accurate, rather than inflated or unbelievable. Progress should also be reported publicly because public victories are something your team can be proud of.

STEP 6: Promise a Reward for Achieving Quality Objectives

Some managers believe that the reward for hard work should be a paycheck. That’s sort of like telling your children that they get to eat for doing something you’re proud of. Employees are not children, but you are responsible for developing them into more valuable employees so that they can be promoted. If there is no incentive, your team will not be engaged. Therefore, pick a reward that is proportional to the bottom-line impact. Five percent of the bottom-line impact is what I like to target, but you would be amazed at how effective a few small rewards at each milestone can be. If you have trouble getting management approval for rewards, remind your boss of the bottom-line impact and link the rewards closely to the impact.

How to Utilize CAPA Training To Avoid FDA 483 Citations

1 Comment / CAPA, FDA / By / , ,

The author discusses how formal CAPA training can help solve the four most common CAPA deficiencies and help avoid FDA 483 citations.

%name How to Utilize CAPA Training To Avoid FDA 483 Citations

Corrective And Preventive Action (CAPA) is considered to be one of the most critical processes in a Quality Management System (QMS). CAPAs prevent nonconformities from recurring, as well as identify potential problems that may occur within the QMS.

Both the Code of Federal Regulations (21 CFR 820.100) and the ISO 13485 Standard (8.5.2 and 8.5.3, respectively) include similar requirements for establishing and maintaining a compliant CAPA process. The concept seems pretty straightforward, right?

Then why do so many companies struggle with this process and go into panic mode during FDA inspections and Notified Body audits?

CAPA process deficiencies have long been the number one Good Manufacturing Practice (GMP) violation cited in FDA Warning Letters. Therefore, providing trained experts to teach the CAPA process is well worth the investment to provide your employees with the expertise needed to implement a sustainable, effective, and compliant process. Support from top management is a must for success.

7 Reasons Why There is LIttle Support for the CAPA Process
  1. Managers view CAPA as a necessary evil and apply minimum effort and resources to complete the required paperwork.
  2. All complaints, audit findings, shop floor nonconformities, etc., go straight into the CAPA system, resulting in what is known as “Death by CAPA.” There are hundreds of CAPAs to be dealt with, but the CAPAs languish and quickly become a mountain of overdue records.
  3. The lack of ability to conduct effective root cause analysis results in, at best, a band-aid solution, and recurrence of the same issues time and again.
  4. There is no risk-based or prioritization process that provides a triage for determining when a CAPA is appropriate, and how to classify its criticality.
  5. CAPA forms are either too restrictive, such as using “yes/no” questions, thereby stemming the creative flow of process thinking or, too open-ended, leaving the CAPA owner with little guidance for getting to the exact root cause.
  6. Trending and metrics that would highlight quality issues before they become complaints are lacking, so most CAPAs are last-minute reactions to a crisis, instead of proactive improvement projects.
  7. Senior management has not allocated sufficient time and resources to CAPA owners to develop expertise, and clearly do not understand the nuances of FDA compliance, the ISO Standard, and the responsibilities of CAPA ownership.
Consequences of an Ineffective CAPA System: FDA 483 Citations Are Possible

FDA 483 observations, Warning Letters, and loss of your ISO 13485 certification are possible consequences of failing to manage your CAPA process. Imagine explaining to your customers why you lost your certification, and why they should keep you as a trusted supplier. That is not a conversation you want to have.

A weak CAPA process allows nonconformities to recur, results in manufacturing downtime, requires to rework, and ends with the scrapping of product or lost customers. The consequences of a weak CAPA process negatively impact your company’s financial strategy and goals.

To prevent an increase in the cost of poor quality, your business cannot remain static. You need to improve and adopt best practices. Your CAPA process is a systematic way to make those improvements happen.

Characteristics of an Effective CAPA system?
  • Easy to follow the procedure
  • Defined CAPA inputs
  • Risk assessment and prioritization
  • Root-cause investigation tools
  • A well-defined action plan
  • Metrics to track progress
  • Communication of information and status
  • Effectiveness checks
  • Management support and escalation
What to Expect from Formal CAPA Training

Death by Powerpoint is not training. Effective CAPA training requires hands-on participation in working through root-cause analysis with an expert. One of the best training tools is case studies based upon recent 483 observations. A CAPA training course should teach you how to:

  1. Accurately identify the cause of problems
  2. Prioritize your corrective and preventive actions using a risk-based approach
  3. Implement an appropriate corrective and/or preventive action, and
  4.  Verify the effectiveness of your actions

CAPA training should teach you how to reduce the length and number of investigations. Training will also help you master current problem-solving methodologies to identify true root causes, utilizing facts, instead of guesswork or opinion. The proper identification of the exact root cause of a problem is critical because otherwise, your CAPA plan will fail to fix real problems.

Not all formal training needs to be in-person. Face-to-face training can be supplemented with more cost-effective training of concepts using webinars and recorded presentations. Interactive training is needed to supplement this training so that students can practice what they learn.

How Training Solves Common CAPA Deficiencies

The four most common CAPA deficiencies are:

  1. Inadequate procedures
  2. Incomplete investigations
  3. Overdue actions, and
  4. Failure to perform an effectiveness check

Each of these deficiencies is addressed directly by CAPA training. Formal CAPA training reviews each of the requirements for your CAPA process, and trainers will often share samples of CAPA procedures, and CAPA forms that they wrote and found to be effective. Learning multiple root cause investigation techniques, and practicing them using the case study technique, ensure that CAPAs are thoroughly investigated, rather than identifying superficial symptoms.

CAPA metrics are introduced during training to ensure that the CAPA process owner knows best practices for monitoring and analyzing the process. Finally, CAPA training includes specific examples of what is and what is not, a proper technique for performing an effectiveness check.

Results After Formal CAPA Training

The best reason for making formal CAPA training available to the people responsible for CAPAs are the results you will experience after the training. For example:

  1. Elimination of hundreds of overdue CAPAs
  2. Reduction in nonconformities, scrap, rework and customer complaints
  3. Lower overall costs associated with quality problems
  4. Better FDA inspection and Notified Body outcomes, and
  5. Safer products for your customer

%name How to Utilize CAPA Training To Avoid FDA 483 CitationsIf you are interested in learning more about CAPA, click here to register for Medical Device Academy’s Risk-Based CAPA webinar.

Implementing the ISO 13485 Standard: Objectives

1 Comment / ISO Certification / By /

By Guest Blogger, Brigid Glass

The author discusses implementing the ISO 13485 standard, including seven questions to clarifying your objectives and six considerations in shaping your objectives.%name Implementing the ISO 13485 Standard: Objectives

Implementing ISO 13485 is such an enormous undertaking for an organization that it pays to approach the planning strategically to ensure that all objectives are met.  Often, some objectives are made explicit, and others are unspoken. It is worth taking the time to ensure that all objectives are clearly stated to achieve the outcomes you want. Begin with the end in mind. Then, ensure that you are taking the organization with you, and you are all headed to the same destination.

7 Questions to Clarify Your Objectives
  1. What are your regulatory drivers for ISO 13485 implementation? Are there dates associated with marketing plans that you need to take into account? Are there other regulatory requirements that need to be built into the QMS and the implementation plan, (e.g., incident reporting for Canada or a Technical File for CE marking?)
  2. What other regulatory requirements must you meet to get into international markets? ISO 13485 requires that you meet applicable regulations for each market, such as a training procedure to address 21 CFR 820.25, a post-market surveillance plan to address CE Marking requirements, and a Mandatory Problem Reporting Procedure for Canada.
  3. If you are a supplier to medical device manufacturers, what do your customers expect of your QMS? If they haven’t made this explicit already, ask them. Meeting their needs and their audits of your system may be as important to you as the certification audit.
  4. Do you want to achieve business improvements by implementing a QMS? If you include this in your stated objectives, and everyone “buys into” the program, then you will build procedures that deliver business improvements, rather than just being regulatory overhead.
  5. Do you have real buy-in from your CEO? You may have buy-in for certification, but if you don’t already have a regulated QMS, does she or he fully understand the cultural change that he or she must lead? If not, make this one of your unwritten objectives and keep it front of mind.
  6. Do you have organizational buy-in?  Ensure that it is clear who owns each process, and that those process owners have the ultimate responsibility for the compliance of their process and ownership of documentation that is created for those processes. Keep the project progress visible. Develop a communication plan with its objectives and targets, even if your organization is small.
  7. Do you want to align with other systems? If you already have a QMS, you will want to integrate ISO 13485 compliance with that. Do you also need to implement ISO 14971, the risk management standard? Since you are going to be doing this much work on your QMS, maybe you could take the opportunity to align it with your health and safety or environmental management systems.
Timeframes and Trade-offs

How long it takes to implement ISO 13485 will be covered in another blog soon.  Six months is a workable rule of thumb.

So what do you do if you don’t have that long, and have to meet a pressing deadline?  Or you don’t have the resources available to implement, as well as you want in the time available?  Compromises have to be made, and now it’s necessary to set short-term and long-term objectives.

6 Considerations in Shaping Your ISO 13485 Standard Implementation Objectives

If you are constrained from structuring the implementation project ideally, the following considerations below will assist you in shaping your objectives:

  1. Get a qualified consultant who understands your business. If you have a large company, find someone who spends more of their time working with corporates, and vice versa for a small company.
  2. Throw perfectionism out the window. The goal is not perfect procedures. The essence of a Quality System is documentation to explain the intent, records to capture reality, internal auditing, and monitoring to identify the gaps and CAPA to improve and maintain effectiveness. The Deming Plan-Do-Check-Act cycle assumes that you are never perfect.)
  3. Accept that you then have another round of work to do to improve procedures.
  4. Organizational buy-in is even more critical. Be very careful about setting expectations. Adjusting to the extra requirements of a regulated QMS is already tricky. In these circumstances, you may be asking people to live with procedures that are not as usable as they would like.
  5. Be especially careful to ensure that the auditor can tick off all the essential points, and find how you have fulfilled the requirements without hunting too hard. All the required procedures and records must be in place. It’s more important to address 100% of the requirements than to perfect 80% and skip the last 20%.
  6. Accept that there may be nonconformities that have to be dealt with after the certification audit. Set the organizational expectation around this and build time for it into your schedule. Ask your certification body early to tell you the timeframe for dealing with nonconformities.
Setting Expectations

Objectives need to be communicated clearly to everyone in the organization. For a project (and many other things in life),

Satisfaction (or Disappointment) = Actual Result – Expectation

The certification audit is not the end. You will still need people to align their effort into making the implementation succeed after the pressure and obvious deadline of the certification audit has passed.  Setting their expectations appropriately early in the project is essential to keeping their (and your) motivation going. This is especially important if you are building your QMS, short on time or resource, and therefore know that you need to do a lot of work in the year following certification to develop improved workable procedures and generate a recorded history of compliance.

 

This blog is part of a series of blogs that leads up to our Roadmap to Iso 13485 Certification Courses

Scroll to Top