Blog

Author Archive

When to Initiate a Corrective And Preventative Action (CAPA)

This blog reviews the differences between a corrective action and preventive action, and when to initiate a corrective and preventive action.

I’ve completed almost 100 audits in the past two years, and I review the Corrective Action and Preventive Action (CAPA) process during every single audit. Surprisingly, this seems to be a process with more variation from company to company than almost any other process I review. This also seems to be a major source of nonconformities. In the ISO 13485 Standard, clause 8.5.2 (Corrective Action) and clause 8.5.3 (Preventive Action) have almost identical requirements. Third-party auditors, however, emphasize that these are two separate clauses. We are purists. Although we acknowledge that companies may implement preventive actions as an extension to a corrective action, we also expect to see examples of actions that are strictly preventive in nature.

Many companies seem to be confused, but it doesn’t need to be.  Just ask yourself one question. What is the source of this action?

If the answer is a complaint, audit nonconformity or rejected components—then your actions are corrective.

If the answer is a negative trend that is still within specifications or an “Opportunity For Improvement” (OFI) identified by an auditor—then your actions are preventive.

Root Cause Investigation

If you are investigating the root cause of a complaint, people will sample additional records to estimate the frequency of the quality issue. I describe this as investigating the depth of a problem. The FDA emphasizes the need to review other product lines, or processes, to determine if a similar problem exists. I describe this as investigating the breadth of a problem. Most companies describe actions taken on other product lines and/or processes as “preventive actions.” This is not always accurate. If a problem is found elsewhere, actions taken are corrective. If potential problems are found elsewhere, actions taken are preventive. You could have both types of actions, but most people incorrectly identify corrective actions as preventive actions.

Another common mistake is to characterize corrections as corrective actions.

The most striking difference between companies seems to be the number of CAPAs they initiate. There are many reasons, but the primary reason is the failure to use a risk-based approach to CAPAs. Not every quality issue should result in the initiation of a formal CAPA. The first step is to investigate the root cause of a quality issue. The FDA requires that the root cause investigation is documented, but if you already have an open CAPA for the same root cause…

DO NOT OPEN A NEW CAPA!!!

If you do not have a CAPA open for the root cause that you identify, then what should you do?

I know this will shock everyone, but…it depends.

The image below gives you my basic philosophy.

death by capa When to Initiate a Corrective And Preventative Action (CAPA)

 

 

 

 

 

 

 

 

Most investigations document the estimated probability of occurrence for a quality issue. This is only half of the necessary risk analysis I describe below. Another aspect of an investigation is to document the severity of potential harm resulting from the quality issue. If customer satisfaction, safety, or efficacy are affected by a quality issue—the severity is big. Risk is the product of severity and probability of occurrence.

Estimated Risk-Initiating a Corrective And Preventive Action (CAPA)

If the estimated risk is low and the probability of occurrence is known, then alert limits and action limits can be statistically derived. These quality issues are candidates for continued trend analysis—although the alert limit or action limit may be modified in response to an investigation. If the trend analysis results in identifying events that require action, then that is the time when a formal CAPA should be opened. If the trend remains below your alert limit, then no formal CAPA is needed.

If the estimated risk is moderate or the probability of occurrence is unknown, then a formal CAPA should be considered. Ideally, you will be able to establish a baseline for the occurrence and demonstrate that frequency decreases upon the implementation of corrective actions. If you can demonstrate a significant drop in frequency, this verifies the effectiveness of actions taken. If you need statistics to show a difference, then your actions are not effective.

If the estimated risk is high, or there are multiple causes that require multiple corrective actions, a quality improvement plan may be more appropriate. There are two clauses in the Standard that apply. Clause 5.4.2 addresses the planning of changes to the Quality Management System. For example, if you correct problems with your incoming inspection process—this addresses 5.4.2. Clause 7.1 addresses the planning of product realization. For example, if you correct problems with a component specification where the incoming inspection process is not effective, this addresses 7.1. Depending upon the number of contributing causes and the complexity of implementing solutions, the plan could be longer or shorter. If it will take more than 90 days to implement corrective action, you might consider the following approach.

Step 1 – open a CAPA

Step 2 – identify the initiation of a quality plan as one of your corrective actions

Step 3 – close the CAPA when your quality plan is initiated (i.e., – documented and approved)

Step 4 –verify effectiveness by reviewing the progress of the quality plan in management reviews and other meeting forums…you can cross-reference the CAPA with the appropriate management review meeting minutes in your effectiveness section

If the corrective action required is the installation of new equipment and validating that equipment, the CAPA can be closed as soon as a validation plan is created. The effectiveness of the CAPA is verified when the validation protocol is successfully implemented and a positive conclusion is reached. The same approach also works for implementing software solutions to better manage processes. The basic strategy is to get the long-term improvement projects started with the CAPA system, but monitor the status of these projects outside the CAPA system.

Best practices would be the implementation of six-sigma projects with formal charters for each long-term improvement project.

NOTE: I believe in closing CAPAs when actions are implemented, and tracking the effectiveness checks for CAPAs as a separate quality system metric. If closure takes more than 90 days, the CAPA should probably be converted to a Quality Plan. This is NOT intended to be a “workaround” to give companies a way to extend CAPAs that are not making progress in a timely manner.

Posted in: CAPA

Leave a Comment (4) →

But What About FDA Regulations?

The author writes that when you are auditing, you should always read the FDA regulations again to ensure accuracy.  

I hear this question, or a question with similar wording, quite frequently when I am auditing. Typically, the question is in response to a better way to do something that seems simple and efficient. Most people seem to approach regulatory requirements with the approach of…let’s bury the regulator in paperwork. While it’s true that auditors expect a certain amount of paperwork with each regulatory requirement, they frequently accept a broader range of documentation than people realize (i.e., one page can be enough).

For example, a design control procedure could be a one-page flowchart that references forms and work instructions, or twelve separate documents, with a minimum length of ten pages and a maximum of forty pages per document. As long as the procedure has sufficient detail for personnel performing these tasks, and all the required elements are included, ISO clauses 7.3.1-7.3.7. An auditor should identify the process as conforming.

However, some people are FDA inspectors looking for NONCONFORMITY!

In the case of inspectors, it is critical to present your information in such a way that it is easy for the inspector to see how you meet the requirements of the regulations. One of the best ways to do that is to reference the requirements directly in your procedures.

For those that prefer finesse try to organize information following the regulations. For example, if I am writing a procedure for an ISO registration audit, I write the procedure to specifically address the ISO sub-clauses. I might even use a document control number like SOP-73 for my “Design and Development” procedure.

In my previous blog posting, http://bit.ly/AuditHours, I suggested a slight change to the scheduling of internal audits. To ensure this meets FDA requirements, the key is to READ THE REGULATIONS AGAIN. Concerning internal auditing, the applicable FDA regulation is 21 CFR 820.22:

“Each manufacturer shall establish procedures for quality audits and conduct such audits to assure that the quality system is in compliance with the established quality system requirements and to determine the effectiveness of the quality system. Quality audits shall be conducted by individuals who do not have direct responsibility for the matters being audited. Corrective action (s), including a reaudit of deficient matters, shall be taken when necessary. A report of the results of each quality audit, and reaudit(s) where taken, shall be made and such reports shall be reviewed by management having responsibility for the matters audited. The dates and results of quality audits and reaudits shall be documented.”

The above requirement is quite vague concerning how many auditors and how many days must be spent auditing. These are the variables I suggested changing in my previous blog http://bit.ly/AuditHours. The FDA regulation 21 CFR 820.22 is specific, however, with regard to documenting the “reaudit” of any deficiencies found during an audit. This prescriptive requirement can be met by reviewing previous audit findings of all audits with the audit program manager during the audit preparation process. The audit program manager can facilitate the assignment of which auditor will reaudit each discovery. This may require a few more minutes of audit preparation, but this should not measurably impact the overall time allocated to an audit.

I do this out of habit when I am performing internal audits on behalf of clients, but if I am auditing the internal audit process of a client—now I’ll remember to point out this additional requirement that is specific to the FDA and not included in the ISO Standard. This is why we should always READ THE REGULATIONS AGAIN.

 

Posted in: FDA

Leave a Comment (0) →

Improving Your ISO Internal Auditing Schedule

 

The author provides tips on how to improve the efficiency and effectiveness of your ISO internal auditing schedule. 

Each week I audit a different company, or I teach a group of students how to audit. In the courses I teach, I use a slide that gives an example of an audit schedule (see example below).

%name Improving Your ISO Internal Auditing Schedule

On the surface, this example seems like a good schedule. There are 12 auditors performing two audits each year. If each auditor spends a day auditing, and another day writing the report, the combined resources equal 48 days (~$20,000) allocated to auditing, and each person spends less than two percent of their work year auditing.

Unfortunately, I have learned that the quality of auditing is directly related to how much time you spend auditing. Therefore, I recommend using fewer auditors. There is no perfect number, but “less is more.” My example also has another fundamental weakness. The audit schedule does not take full advantage of the process approach. Instead of performing an independent audit of document control and training, these two clauses/procedures should be incorporated into every audit. The same is true of maintenance and calibration. Wherever maintenance and calibration are relevant, these clauses should be investigated as part of auditing that area.

For example, when the incoming inspection process is audited, it only makes sense to look for evidence of calibration for any devices used to perform measurements in that area. For a second example…when the production area is being audited, it only makes sense to audit maintenance of production equipment too.

If the concept of process auditing is fully implemented, the following clauses can easily be audited in the regular course of reviewing other processes: 4.2.1), Quality System Documentation, 4.2.3), Document Control, 4.2.4), Record Control, 5.3), Quality Policy, 5.4.1), Quality Objectives, 6.2.2), Training, 6.3), Maintenance, 6.4), Work Environment, 7.1), Planning of Product Realization & Risk Management, 7.6), Calibration, 8.2.3), Monitoring & Measurement of Processes, 8.5.2), Corrective Action, and 8.5.3) Preventive Action. This strategy reduces the number of audits needed by more than half.

Internal Auditing: Upstream/Downstream Examples

Another way to embrace the process approach to auditing is to assign auditors to processes that are upstream or downstream in the product realization process from their own area. For example, Manufacturing can audit Customer Service to understand better how customer requirements are confirmed during the order confirmation process. This is an example of auditing upstream because Manufacturing receives the orders from Customer Service—often indirectly through an MRP system. Using this approach allows someone from Manufacturing to identify opportunities for miscommunication between the two departments. If Regulatory Affairs audits the engineering process, this is an example of auditing downstream. Regulatory Affairs is often defining the requirements for the Technical Files and Design History Files that Engineering creates. If someone from Regulatory Affairs audits these processes, the auditor will realize what aspects of technical documentation are poorly understood by Engineering, and quickly identify retraining opportunities.

One final aspect of the example audit schedule that I think can be improved is the practice of auditing the same process twice per year. This practice doesn’t seem to work very well for a few reasons. First, it requires that an auditor prepare for an audit twice per year and write two reports, instead of one. This doubles the number of time auditors spends in preparation and follow-up activities associated with an audit. Second, increasing the number of audits naturally shortens the duration of each audit. It is more difficult for auditors to cover all the applicable clauses in a shorter audit because it takes time to locate records and pursue follow-up trails. Longer audits, covering more clauses, make it easier for the auditor to switch to a different clause while they are waiting for information. Third, if an area is audited every six months, it is often difficult to implement corrective actions and produce evidence of effectiveness before the area is due for auditing again.

I can’t provide a generic audit schedule that will work for every company or even show how all the clauses will be addressed in one table. I can, however, provide an example of an improved schedule that illustrates the above concepts. This example (see below) uses four auditors instead of 12, and the number of days planned for each audit is two days instead of one. The preparation and reporting time is still one day per audit. Therefore the combined resources equal 24 days (~$10,000) allocated to auditing, and each person spends two and one-half percent of their work year auditing. My intention is not to create the perfect plan, but to give audit program managers some new ideas for more efficient utilization of resources. I hope this helps, and please share your own ideas as comments to this posting.

%name Improving Your ISO Internal Auditing Schedule

Posted in: ISO Auditing

Leave a Comment (5) →

Learning Pyramid – 4 Levels of Learning

The author discusses the four levels of learning in the Learning Pyramid, and the lessons learned when he taught an ISO 14971 Risk Management course.%name Learning Pyramid   4 Levels of Learning

I am in Canada, it’s almost midnight, and my client has me thinking so hard that I can’t sleep. I am here to teach the company’s Canadian facility about ISO 14971:2007—the ISO Standard for Risk Management of medical devices.

Most of the companies that request this training are doing so for one of two reasons: 1) several of their design engineers know almost nothing about risk management, or 2) they have several design engineers that are quite knowledgeable concerning risk management, but these engineers have not maintained their credentials, and their last risk management training was related to the 2000 version of the Standard. This company falls into the second category.

I always tell students that I learn something by teaching each course. From this company, however, I have learned so much. This company has forced me to re-read the Standard several times and reflect on the nuances of almost every single phrase. I have learned more about this Standard in one month than I learned in the 3.5 years since I first took the course I am now teaching. 

The four levels of the Learning Pyramid

I have developed a model for learning that explains this phenomenon. I call this model the “Learning Pyramid.” At the base of the pyramid, there are “Newbies.”

This is the first of four levels. At the base, students read policies and procedures with the hope of understanding.

In the second level of the pyramid, the student is now asked to watch someone else demonstrate proper procedures. One of my former colleagues has a saying that explains the purpose of this process well, “A picture tells a thousand words, but a demonstration is like a thousand pictures.” This is what our children call “sharing time,” but everyone over 40 remembers this as “show and tell.”

In the third level of the pyramid, the student is now asked to perform the tasks they are learning. This is described as “doing,” but in my auditing courses, I refer to this process as “shadowing.” Trainees will first read the procedures for Internal Auditing (level 1). Next, trainees will shadow the trainer during an audit as a demonstration of the proper technique (level 2). During subsequent audits, the trainees will audit, and the trainer will shadow the trainee (level 3). During this “doing” phase, the trainer must watch, listen, and wait for what I call the “Teachable Moment.” This is a moment when the trainee makes a mistake, and you can use this mistake as an opportunity to demonstrate a difficult subject.

Finally, in the fourth level of the Learning Pyramid, we now allow the trainee to become a trainer. This is where I am at—so I thought. I am an instructor, but I am still learning. I am learning what I don’t know.

Teaching forces you back to the bottom of the Learning Pyramid

The next step in the learning process is to return to the first level. I am re-reading the Standard and procedures until I understand the nuances that I was unaware of. Then, I will search for examples in the real world that demonstrate these complex concepts I am learning. After searching for examples, I will test my knowledge by attempting to apply the newly acquired knowledge to a 510(k) or CE Marking project for a medical device client. Finally, I will be prepared to teach again.

This reiterative process reminds me of the game Chutes and Ladders, but one key difference is that we never really reach the level of “Guru.” We continue to improve, but never reach our goal of perfection…For further inspiration, try reading “Toyota Under Fire.”

Posted in: Education, ISO 14971:2019 (Risk Management)

Leave a Comment (5) →

How to Write A Procedure: 6 Secrets to Improve Effectiveness

The author, an experienced trainer, shares six secrets for how to write a procedure and improves its effectiveness.

During a CAPA course I taught earlier today, one of the attendees asked if I have a course on “How to Write Better Procedures.” Unfortunately, the only material I could offer was material from a course I taught on Training the Trainer.” That training course focused on visual communication. There are several books related to Lean Manufacturing that explain indepth how to use visual communication to replace text (i.e., – “a picture says a thousand words”). During my ride home, however, I thought of a few other ideas that might help anyone that is in the process of writing or re-writing a procedure.

1. Develop a standardized format for procedures. If you have a procedure for writing procedures, ensure you allow the flexibility to deviate from the standardized format. The Standard does require that procedures have a “mandatory” format. Referring to the standardized formatting as “suggested formatting” will avoid unnecessary nonconformities.

2. Avoid making unnecessary references to other external standards. If you are writing a procedure on risk management—it makes sense to reference ISO 14971. It does not make sense to reference all the other risk analysis standards, unless you are specifically using them to perform risk analysis. Included in this category would be references to other regulatory requirements, such as 21 CFR 820 or Part 1 of the Canadian MDR. Companies can claim compliance with other requirements in the Quality Manual instead. What should be referenced in a document is any related procedures or forms.

3. Avoid including the revision of a Standard. This is just another opportunity for unnecessary nonconformities. If you don’t specify the revision, then an auditor can only assume that the most current revision of the Standard is implied. If changes to a Standard are minor, no changes to a procedure may be warranted and a revision to the procedure can be avoided—assuming that the revision of the Standard is not specified. Some argue that you should include the revision and update the reference to document that the procedure was reviewed to determine if changes were warranted. This is unnecessary. A review of procedures, where the decision is made for “no change,” can easily be documented in the Management Review under the category of “New and Revised Regulatory Requirements.”

4. Indicate the process owner and training requirements associated with each procedure. By doing this, it is easier to define who is responsible for reviewing and revising procedures—as well as who is assigned CAPAs if there are findings related to the process in question.

For the training requirements, the process owner should specify who needs to be trained on the process. Why? They know the procedure best. If there is a “grey area,” this should be resolved with the department manager for the job function in question. In addition, retraining requirements should be specified. By this, I mean that it is a good idea to indicate if retraining is required when a procedure has been revised. If the revision is minor, training should only be required for people that have not been trained to a previous revision.

5. Adopt the Plan-Do-Check-Act (PDCA) model for the structure of procedures. For the “Plan” portion, the procedure should explain how to prepare to do something. This planning activity can apply to anything from planning to perform an audit to planning to inspect incoming raw materials. The “Do” portion is what most people refer to as the “Procedure” section. The “Check” portion of the procedure is a great place to specify the monitoring and measurement requirements for the process (see Section 8.1 of the Standard). Finally, the “Act” portion of the procedure should indicate what to do when target metrics are not met. For example, what should be done when an alert limit is reached? What should be done when an action limit is reached?

6. Include revision history. It’s extremely helpful to know which Engineering Change Order (ECO) approved the document revision, why the changes were made, the nature of changes, whether there is a related corrective action and when the change was made.

 

Posted in: ISO Certification

Leave a Comment (1) →

Effective Management Skills for Managers

This blog reviews some practical management skills that managers should possess.

Are you frustrated?

Sometimes we hear phrases like: “Well, that’s just an ISO requirement.” This apparent lack of support by top management is what frustrates every Management Representative in the world.

There was a question posted on the Elsmar Cove website on January 10, 2011. In just ten days, there have been 153 postings in response to the original question. As I read through the various postings, I saw several comments about a lack of support from top management.

A little over a decade ago, I was still learning how to supervise people. In an effort to educate myself further, I read a book (sorry I can’t be sure which book anymore). In this book, the boss gave an employee a card with a picture of a baseball bat on it. The instructions provided with this magical card were to use it only when the boss failed to pay attention, and the employee had something important to tell him.

As managers, we assume the impressive title, along with the awesome responsibility. Managers are responsible for leading others. Subordinates are not the “others” I am referring too. The “others” are peers. If you cannot persuade your peers to support you, then you will fail as a manager. The Quality Department cannot fix all the problems. My philosophy is that Quality is responsible for recommending improvements, training people, and helping to implement. We assign corrective actions, but we should be assigning them to the process owner (i.e., – Manager) that is responsible for the area where the problems were created.

Effective Management Skills

If you need help persuading the unenlightened, try picking a project that is critical to the success of the stubborn one. If you can show someone that is currently a detractor how they can apply the Quality principles to help solve their problems, then you will have a convert. Converts become strong supporters. If the stubborn one happens to be at the top, figure out what the CEO’s initiatives are. Initiatives are easy to identify; they talk about it at least twenty times a week. Try showing the CEO how their actions can become Quality Objectives. Show them with graphs. Show up with solutions to their problem. Use the CAPA process as a framework. Show them how the management TEAM can fix it.

If nothing seems to be working, you can always try reviewing some FDA MedWatch reports too–just to scare your boss.

Posted in: ISO Certification

Leave a Comment (0) →

Management Representative Requirement: ISO 9001:2008

The author reviews the Management Representative section 5.5.2 of ISO 9001:2008 requirement and provides eight (8)  proposed actions to take for companies who receive a finding against this section.

The idea for this posting was from a thread I found on Elsmar Cove: http://elsmar.com/Forums/showthread.php?t=45658

One person posted a question about the requirement for the Management Representative (MR) to be a member of the organization’s management (see section 5.5.2 of ISO 9001:2008). Companies that are seeking initial certification sometimes struggle with this requirement. Some struggle because they do not have anyone in-house that is sufficiently trained to be the MR. Other companies struggle because they are very small and outsource their QA functions to a consultant. The following blog is targeted at helping these companies.

Auditing

I audit companies to the ISO 13485 (medical Quality Management System (QMS) & 9001 (QMS) Standards. The intent of both Standards was always to have the MR be part of management, but some companies did not interpret the Standards in this way. With the 2008 revision of 9001, the possibility of misinterpreting the meaning is much less likely. Companies that receive findings during the Stage 1 or Stage 2 audit for this requirement usually fall into one of two categories. Category #1: our company is small, and the only person that knows enough about ISO requirements is not a member of management. Category #2: our company is small, and we outsource QA functions.

The good news is that any manager can be assigned the responsibility of being MR. One of my clients assigned this responsibility to the VP of Sales. Another company appointed this responsibility to the Director of R&D. Both of these individuals had to put in the time to learn about their quality management systems, but both have embraced the challenge, and I have learned much from them. They have a different perspective and bring a lot of value to the MR role. The bad news is: whomever you assign has to learn enough to be competent in the position.

The definition of “Management” is typically a stumbling block. Most people think of managers requiring that they have other people reporting to them. This is not absolute. The MR should report directly to a top manager, such as the President or CEO, to prevent conflicts of interest. As a manager, they should not require a great deal of direct supervision, and the President or CEO should not be overly burdened by adding one person to their list of direct reports. Some auditors like to see a “deputy MR” identified. My advice is to have the CEO or President sufficiently trained that they can be the “back-up” when the MR is on vacation.

Every manager should know enough about their subordinate’s job duties that they can “fill in. MR’s should be involved in senior staff meetings too, but not necessarily at the same frequency as every other senior staff manager. Typically, operations and sales have the most frequent meetings with the CEO–often weekly. Finance generally is monthly. HR and the MR might be bi-monthly or quarterly. Communication of the status of quality objectives should be regular reports to all senior staff, but you don’t have to have a Management Review to communicate the status. If the company is small enough to have only one QA person, there probably isn’t a need for more than one or two management review meetings per year.

Management Representative Finding: 8 Proposed Actions to Take

If your company has a finding against clause 5.5.2, I recommend the following actions:

1. Assign a person that is already a member of your senior staff as MR.

2. Document the responsibility in the person’s job description.

3. Document the responsibility in the org chart.

4. Assign the person’s direct supervisor (typically the CEO or President) as a “deputy MR.”

5. Find an excellent webinar on ISO training for the new MR and their boss (ideally one with a quiz and a certificate).

6. Have the new MR develop a 45-minute presentation for the senior staff on the topic of Management Responsibilities. This training should cover all of section 5 in the Standard.

7. Give the senior staff a 15-minute multiple-choice quiz to evaluate the effectiveness of the training.

8. Have the new MR discuss the delegation of various management review inputs (see section 5.6.2) with their boss. Quality should be a shared responsibility, and Management Reviews will be more effective if everyone participates.

Posted in: ISO 9001:2008, ISO Certification

Leave a Comment (0) →

Auditing: Effective Training in 7 Steps

Effective auditing requires effective training. Our author, who has extensive experience, provides seven steps to train new auditors effectively.

Recently, a client asked me to create a training course on how to train operators. I could have taught the operators myself, but there were so many people that needed training, that we felt it would be more cost-effective to train the trainers.

Usually, I have multiple presentations archived that I can draw upon, but this time I had nothing. I had never trained engineers on how to be trainers before—at least not formally. I thought about what kinds of problems other quality managers have had in training internal auditors, and how I have helped the auditors improve. The one theme I recognized was that most auditors needed feedback.

Deming Cycle

I finally decided to use the Deming Cycle (Plan-Do-Check-Act, (PDCA) as my framework for the training. Most QA Managers are very experienced and have little trouble planning an audit schedule. The next step is to conduct the audit. The problem is that there is very little objective oversight of the auditing process. The ISO 13485 for medical devices Standard requires that “Auditors shall not audit their own work.” Therefore, most companies will opt for one of two solutions for auditing the internal audit process: 1) hire a consultant, or 2) ask the Director of Regulatory Affairs to audit the internal auditing process.

Both of the above strategies meet the requirements of the ISO 13485 for medical devices Standard, but neither approach helps to improve the internal auditor’s performance. I have interviewed many audit program managers, maybe 50+, and the most common feedback program managers give “change the wording of this finding” or “you forgot to close this previous finding.” This type of feedback is related to the report writing phase of the audit process. I rarely hear program managers explain how they help auditors improve at the other parts of the process.

When auditors are first being trained, we typically provide examples of best practices for audit preparation, checklists, interviewing techniques, AND reports. After the auditors have been “shadowed” by the program manager for an arbitrary three times, the auditors are now miraculously “trained.” Let’s see if I can draw an analogy that will make my point…

That kind of sounds like watching your 16-year-old drive the family car three times and then giving them a license. I guess that’s why my new Ford Festiva was severely dented on all four sides within six months. You may think my father was a Saint, but I think he might have totaled his tenth car by age 18. At least I contained the damage to one vehicle.

Effective Auditing Requires Effective Training For New Auditors: 7 Steps

The key to training auditors to audit is consistent follow-up over a long period of time (1-2 years depending upon the frequency of audits). I recommend following the same training process that accredited auditors must complete. I have adapted that process and developed seven(7) seven specific recommendations:

1. Have a new auditor observe a few audits before they are allowed to participate (make sure they take notes and explain what you are doing and why, as you conduct audits they are observing)

2. Have new auditors join as team members for 10-20 audits, before they are allowed to act as a lead auditor

3. Have new lead auditors conduct team audits with another qualified lead auditor for 10-20 audits before you allow them to conduct an audit alone

4. Shadow new auditors for 100% of their first audit and gradually observe less with each subsequent audit; try to plan the shadowing into your audit agenda

5. Review the notes of new auditors periodically throughout the audit to provide suggestions for improvement and identify missing information

6. Have new lead auditors submit a draft audit agenda to you before sending it to the supplier or department manager

7. Have new lead auditors rehearse their first few opening and closing meetings with you in private before conducting the opening and closing meeting (make sure they have an opening/closing meeting checklist to help them)

The question is…was my training successful?

Well, how much follow-up training of the trainers did the client ask for?

Posted in: ISO Auditing

Leave a Comment (0) →

Contract Manufacturers Need Strong Risk Management Processes

This blog discusses why contract manufacturers need to have a strong risk management process, and your company needs to help your contract manufacturers.

Risk management is not our responsibility Contract Manufacturers Need Strong Risk Management Processes

Can contract manufacturers exclude risk management from the scope of their quality system?

Most contract manufacturers in the medical device industry exclude design from their Quality Management Systems. Unfortunately, most of the contract manufacturers also associate risk management with only the design process. Risk Management cannot be “not applicable” in an ISO 13485 Quality Management System. The requirement of section 7.1 is: “The organization shall establish documented requirements for risk management throughout product realization. Records arising from risk management shall be maintained.” The Standard also references ISO 14971 as a source of guidance on Risk Management.

Have you experienced an audit dialogue at a contract manufacturer similar to this?

The auditor asks, “How do you manage risk throughout the production process?” Then the auditee responds, “That is the responsibility of our customers. We will prepare a risk analysis if customers pay for it, but usually, customers do the risk analysis.”

For a contract manufacturer, compliance with ISO 14971 is not my primary concern as an auditor. My primary concern is to verify that contract manufacturers analyze risks associated with the processes that they perform and do their best to minimize those risks. What I don’t understand is why more companies don’t want to have strong risk management processes. Risk management is how we prevent bad things from happening. Bad stuff like scrap, complaints, and recalls. Should we expect our suppliers to have a strong risk management process?

Duh.

Why your company needs to be involved in the risk management process?

Contract manufacturers should be doing everything they can to get better at risk management. During pre-production planning, they should be asking, “What happens if…” The contract manufacturer knows best HOW things will fail in production, while the customer knows best WHAT happens when things fail in production. To be safe and effective, both companies need to collaborate on risk analysis.

In any risk analysis, you need to estimate the severity of potential harm and the probability of occurrence of that harm. For production defects, the contract manufacturer can estimate the probability of occurrence of defects (i.e., P1 in Annex E of ISO 14971:2007), but the likelihood of occurrence of harm is less. The probability of occurrence of harm is the product of multiplying P1 and P2. The probability that occurrence will result in harm is P2, and P2 is a number that is less than 100% or 1. Your company can gather pre-market clinical data and post-market clinical data to estimate P2, but before launching your product, you can only guess at the value of P2. Your contract manufacturer, however, is not able to estimate P2 at all. It’s ok to estimate risk without P2 during the design phase because this will overestimate risks and result in more conservative decisions.

In addition to P2, your contract manufacturer is also not capable of estimating the severity of potential harm. As the designer of the medical device, you will know best how your device is used and what the likely clinical outcomes are when a device malfunctions. There may even be multiple possible clinical outcomes. The contract manufacturer knows what can go wrong during manufacturing, but you will need to define the clinical outcomes due to malfunctions.  

Why do contract manufacturers avoid doing risk analysis?

The reason contract manufacturers avoid doing risk analysis is because it’s time-consuming and tedious.

Too bad, so sad.

Balancing my checkbook is time-consuming and tedious too, but I balance my checkbook to prevent an overdraft charge. Not doing a risk analysis can be much more painful. Scrapping out a part can cost tens or hundreds of dollars. Complaints can cost thousands of dollars. Recalls can cost millions of dollars.

If I owned a contract manufacturing company, I would ensure that everyone in the company is involved in risk management. We don’t want scrap, we can’t afford mistakes that lead to complaints, and a recall could put us out of business.

Posted in: ISO 14971:2019 (Risk Management)

Leave a Comment (1) →

Elsmar Cove – Wikipedia for QA Professionals

The author discusses The Elsmar Cove Forum as a great information resource on best practices and trends for Quality Assurance professionals.

Most of the people reading my blog are probably aware of a website called Elsmar Cove, but I think most people visit this site only when they need a quick answer to a question. It’s sort of like Wikipedia for Quality Assurance. Marc Smith is the creator of Elsmar Cove, http://elsmar.com/, and the forum just had its 15th anniversary. This is a no-frills website that has fantastic content and very little advertising. People from all over the world (~18,000 active participants) are contributing daily to this forum, and many of the contributors are Quality and Regulatory experts. I like to use the site to keep up on best practices and trends in Quality. It also allows me to learn from other types of Quality Systems, such as AS9100, TS16949, and ISO14001.

Someone I used to work with had a saying he learned from his first boss: “A picture tells a thousand words, but a demonstration is better than a thousand pictures.” Therefore, I thought I would try to demonstrate the power of Elsmar Cove by researching best practices in supplier evaluation.

Step 1: The first thing you do is to visit the site.

Step 2: Type “supplier evaluation” into the Google™ custom search. This will produce hundreds of links within the Elsmar Cove Forum related to supplier evaluation.

Step 3: Skim the search results to find the entry or entries you are looking for. These search results include a supplier evaluation survey that you can download and adapt to your own company. If you need a quick solution, this is fast and free.

Another approach is to limit your search to Forum discussion threads. You can do this by going to the Forum Discussion page: http://elsmar.com/Forums/index.php.

If you click on the toolbar link for “search,” a pop-up window will appear. If you type “supplier evaluation” in this search bar, you will see 531 results presented in reverse chronological order. Below are a couple of threads that I thought were particularly good:

Benchmarking Supplier Certification Programs

http://elsmar.com/Forums/showthread.php?t=42595&highlight=supplier+evaluation

Service Supplier Rating where objective pass/fail data is not available

http://elsmar.com/Forums/showthread.php?t=44412&highlight=supplier+evaluation

Choosing Supplier Evaluation Methods – Determining what a Critical Supplier is

http://elsmar.com/Forums/showthread.php?t=10951&highlight=supplier+evaluation

Supplier Approval for Distributors of Equipment

http://elsmar.com/Forums/showthread.php?t=43508&highlight=supplier+evaluation

Second-party audits – Supplier audits or product audits?

http://elsmar.com/Forums/showthread.php?t=30966&highlight=supplier+evaluation

How you do Receiving Inspection for Chemicals?

http://elsmar.com/Forums/showthread.php?t=44951&highlight=supplier+evaluation

Supplier Evaluation Responsibility

http://elsmar.com/Forums/showthread.php?t=43756&highlight=supplier+evaluation

I hope you find Elsmar Cove to be a useful information resource.

Posted in: ISO Certification

Leave a Comment (2) →
Page 24 of 25 «...10202122232425