Author name: Robert Packard

Process Approach to Auditing – 7 Steps to Training Auditors

The process approach to auditing is demonstrated using Turtle Diagrams as a tool instead of using traditional auditor checklists.

[Figure: Turtle diagram]

I have been reviewing trends for how people find my website, and a large number of you appear to be interested in my auditing schedules and other audit-related topics. Therefore, this week’s blog is dedicated to training auditors on the process approach.

First, the process approach is just a different way of organizing audits. Instead of auditing by clause or by procedure, you audit each process. Typical processes include:
  1. Design & Development
  2. Purchasing
  3. Incoming inspection
  4. Assembly
  5. Final Inspection
  6. Packaging
  7. Sterilization
  8. Customer Service
  9. Shipping
  10. Management Review
  11. CAPA
  12. Internal Auditing

Why the Process Approach is Recommended

First, the process approach identifies linkages between processes as inputs and outputs. Therefore, if there is a problem with communication between departments, the process approach will expose it. If only a procedural audit is performed, the lack of communication to the next process is often overlooked.

Second, the process approach is a more efficient way to cover all the clauses of the ISO Standard than auditing each clause (i.e., the element approach). My rationale for the claim of greater efficiency is simple: there are 19 required procedures in the ISO 13485 Standard, but there are only 12 processes identified above. The “missing” procedures are incorporated into each process audit.

For example, each process audit requires a review of records as input and outputs. Also, training records should be sampled for each employee interviewed during an audit. Finally, nonconforming materials can be identified and sampled at incoming inspection, in assembly processes, during final inspection, during packaging, and even during shipment. The tool that BSI uses to teach the process approach is the “Turtle Diagram.” The diagram above illustrates where the name came from.

Interviewing with the Process Approach

The first skill to teach a new auditor is the interview. Each process approach audit should begin with an interview of the process owner. The process owner and the name of the process are typically documented in the center of the turtle diagram. Next, most auditors will ask, “Do you have a procedure for ‘x process’?” This is a weak auditing technique because it is a “closed-ended” or yes/no question. This type of question does little to help the auditor gather objective evidence. Therefore, I prefer to start with the question, “Could you please describe the process?” This should give you a general overview of the process if you are unfamiliar with it.

After getting a general overview, I like to ask the question: “How do you know how to start the process?” For example, inspectors know that there is material for incoming inspection because raw materials are in the quarantine area. I have seen visual systems, electronic and paper-based systems for notifying QC inspectors of product to inspect. If there is a record indicating that material needs to be inspected, that is the ideal scenario. A follow-up question is, “What are the outputs of the inspection process?” Once again, the auditor should be looking for paperwork. Sampling these records and other supporting records is how the process approach addresses Clause 4.2.4, control of records.

The next step of this approach is to “determine what resources are used by incoming inspection.” This includes gauges used for measurement, cleanliness of the work environment, etc. This portion of the process approach is where an auditor can review calibration, gowning procedures, and software validation. After “With What Resources,” the auditor then needs to identify all the incoming inspectors on all shifts. From this list, the auditor should select people to interview and follow-up with a request for training records.

The sixth step is to request procedures and forms. Many auditors believe that they need to read the procedure. However, if a company has long procedures, this could potentially waste valuable time. Instead, I like to ask the inspector to show me where I can find various regulatory requirements in the procedures. This approach has the added benefit of forcing the inspector to demonstrate they are trained in the procedures—a more effective assessment of competency than reviewing a training record.

Challenging Process Owners

The seventh and final step of the turtle diagram seems to challenge process owners the most. This is where the auditor should be looking for department Quality Objectives and assessing if the department objectives are linked with company quality objectives. Manufacturing often measures first pass yield and reject rates, but every process can be measured. If the process owner doesn’t measure performance, how does the process owner know that all the required work is getting done? The seventh step also is where the auditor can sample and review the monitoring and measurement of processes, and the trend analysis can be verified to be input into the CAPA process.

In my brief description of the process approach, I used the incoming inspection process. I typically choose this process for training new auditors because it is a process that is quite similar in almost every company, and it is easy to understand. More importantly, however, the incoming inspection process does an effective job of covering more clauses of the Standard than most audits. Therefore, new auditors get an appreciation for how almost all the clauses can be addressed in one process audit. If you are interested in learning more about Turtle Diagrams and the process approach to auditing, please register for our webinar on the process approach to auditing.


Canadian Medical Device Regulations (CMDR): Identifying New Changes

The author reviews a few methods to identify changes to the Canadian Medical Device Regulations (CMDR), including using the “compare” function in MS Word.

One of the most frustrating things about the Canadian Medical Device Regulations (CMDR), SOR/98-282, is the difficulty in identifying what has changed since the previous revision. There is no detailed revision history indicating what changed. This is surprising to me because Canada was the first country to require ISO 13485 certification as a component of the regulatory approval process. Did the Therapeutic Products Directorate (TPD) overlook Clause 4.2.3?

Using MS Word to Compare CMDR Versions

Anyway, before I became an auditor, the way I determined what changed was to use the “compare” function in MS Word to compare the versions of the CMDR. The bottom of the first page indicates, “Current to May 14, 2012.” This is our revision date, and it seems to change every month. Then below this, the document says, “Last amended on December 16, 2011.” This tells us that the last time TPD made a change was in December. Nowhere does CMDR tell us what changed.

On the second page of the CMDR, there is a note at the bottom of the page that supposedly clarifies the revision history:

“This consolidation is current to May 14, 2012. The last amendments came into force on December 16, 2011. Any amendments that were not in force as of May 14, 2012, are set out at the end of this document under the heading ‘Amendments Not in Force’.”

I have never seen a heading titled “Amendments Not in Force.” So here’s what I do:

  1. “Select All” from the current PDF version of the CMDR and another version before the last amendment date: December 16, 2011.
  2. I copy and paste the text from each document into a separate MS Word document.
  3. I save each document with a different date code.
  4. I use the “compare” function to identify the revisions that were made to the pre-December version.
  5. Then I pound my forehead against my desk because I just wasted 15 minutes to verify that the only changes made between August 8, 2011, and May 14, 2012, were as follows:
    • Date of revision throughout the document
    • Table of Provisions pagination was updated to reflect reformatting of Annex 3
    • Section 32.7 – changed wording from “may” to “shall,” and “giving” to “that gave”
    • Annex 3 was reformatted so that the English and French versions appear side-by-side instead of on page 61 & 62 sequentially

Assessing the Impact of Change

So…the next time a third-party auditor asks you for objective evidence that you have assessed the impact of changes to the CMDR, show them this blog posting. If they force you to document the impact analysis of the change of the word “may” to the word “shall” in Section 32.7, request a new auditor quickly. If they ask for documentation of the impact of the tense change in Section 32.7, also request a new auditor quickly.

On a far less amusing note, the following new and revised regulatory requirements occurred on the TPD website:

  1. On May 31, 2012, there was an announcement by HC indicating “Categorization of Therapeutic Products at the Device/Drug Interface.”
  2. On October 19, 2011, the electronic submission pilot for Class IV devices was expanded to Class III devices: “Notice – Guidance for Industry: Preparation of a Premarket Review Document in Electronic Format for a Class III and Class IV Medical Device Licence Application”; this revised guidance document includes a table for Class III applications based upon the STED guidance document from GHTF.

You can also type in “What’s New” into the search engine for the TPD website. The search results can be narrowed down to a year, and postings are typically no more frequent than monthly (eight in 2011; one in 2012).

You should also be aware of the third-party auditor report guidance document (GD211): Guidance on the Content of Quality Management System audit reports. This was released on June 8, 2011. You can also get training on this GD211 format at the US FDA website. The webinars are at the bottom of the list.

If you are interested in learning more about the CMDR or CMDCAS, please join my LinkedIn CMDCAS Group.


FDA Approval Process: “Triage” for 510(k)

The Triage program for 510(k) submissions is reviewed. The goal of this FDA approval process program is to reduce review time from 90 to 30 days.

Thursday, Congress voted 96 to 1 for a bill to increase FDA user fees. The rationale is that the FDA needs more funding to be strong enough to properly regulate foods, drugs, and medical devices. One of the commitments linked with this new funding is to shorten the review of 510(k) submissions. To this end, OIVD has created a new program called “Triage.” The goal of this program is to accelerate the review of specific traditional 510(k) submissions to 30 days instead of 90 days.

In theory, this pilot program will help some companies get their 510(k) clearance letter faster, but simultaneously, the FDA will be able to concentrate resources on high-risk 510(k) submissions. This entire strategy seems to be the opposite of triage. Triage involves sorting sick patients into three categories:

1) Those who are likely to live, regardless of what care they receive

2) Those who are likely to die, regardless of what care they receive

3) Those for whom immediate care might make a positive difference in their outcome

If we apply the triage analogy to 510(k) submissions, we see three categories:

1) 510(k) submissions that are likely to be approved, regardless of how much time the FDA spends

2) 510(k) submissions that are likely to be rejected, regardless of how much time the FDA spends

3) 510(k) submissions whose approval or rejection is not apparent, but the FDA’s earlier involvement in the design and development process would substantially improve review time.

The FDA’s “triage” program is intended to demonstrate improvement in the time required to approve medical devices by sorting submissions into two groups: group #1 above and group #2/3 from above. This will make the numbers look good, but the FDA should be spending even less time on #2 than it spends on the #1 category of submissions. The FDA should also get involved in group #3 submissions much earlier.

FDA Approval Process

The types of submissions that need more FDA reviewer time are devices that are higher in risk and where special controls guidance documents and/or ISO Standards have not already been established for performance and safety testing criteria (i.e., Category #3 above). In these cases, when a company tries to obtain some feedback from the FDA, they are asked to request a pre-IDE meeting. The company will not necessarily be performing a clinical trial, but this is the only vehicle the FDA has for justifying the time it spends providing feedback on proposed verification and validation testing plans. The FDA needs to develop a new model that is ideally suited for 510(k) products where guidance and Standards do not exist. This would also have the effect of reducing the number of “Not Substantially Equivalent” (NSE) letters the FDA issues.

If a company is developing a device that already has an applicable special controls document or ISO Standard, then the 510(k) pathway should be well-defined without the FDA’s help. Unfortunately, there is no easy mechanism for ensuring compliance with these external standards. This type of submission would benefit from software-controlled submissions and/or pre-screening of submissions by third-party reviewers. The Turbo 510(k) software tool could lend itself to software-controlled submissions, but proliferation of the Turbo 510(k) has been limited.

Submitting a 510(k)

If a company does not submit a 510(k) with all the required elements of a guidance document, the submission should not be processed. Implementation of validated software tools for each 3-letter product code would prevent incomplete submissions. At the very least, companies should be required to provide a rationale for any sections of submission that are not applicable.

One example of a possible software solution is currently used by third-party auditors at BSI. BSI uses a software tool that will not allow the auditor to generate a final report unless all the required elements have been completed. The FDA could use the existing screening checklist and convert this into a similar “SmartForm.” If the submission does not have all the required elements of the checklist, the submission form could not be generated from the software. This forces the task of pre-screening reviews back upon the submitter with the aid of a validated software tool.

The most significant shortfall of the Triage program is the target product types. IVD devices are quite different from other device types. Each IVD has unique chemistry, and there are a limited number of Guidance documents for IVDs, and IVD submissions represent only 10-20% of all submissions. Orthopedic, cardiovascular, general/plastic surgery and radiology devices each represent more than 10% of the submissions, and collectively they represent half of the submissions. These types of devices also have both special controls documents and ISO Standards defining the design inputs for design verification. Therefore, these four device types would be a better choice for a pilot program to expedite reviews.


What is a MEDDEV?

The author defines what a MEDDEV is, recent updates, and information resources to learn more.

The most important part of my website is “Helpful Links.” These are the links that I use most in Regulatory Affairs. It started as an auditor’s toolbox, but now I am morphing it into a place to review updates to regulatory requirements and external standards. The MEDDEV’s are on the top of my list. These are the guidance documents written by Competent Authorities. Still, most of the Notified Bodies treat them as requirements and often write nonconformities against at least one of them: MEDDEV 2.12/1 – Medical Device Vigilance System.

Many companies rely on RSS feeds to keep them current on the latest external standards, but this doesn’t work for a MEDDEV. For MEDDEV’s, your best bet is to go to the source. Sure, you can hire a consultant that will try and keep you current. You can also wait until your NB auditor lets you know the hard way (i.e., time to write another administrative CAPA).

For those of you who don’t know the source, it is my #1 “Helpful Link”:

http://ec.europa.eu/health/medical-devices/documents/guidelines/index_en.htm 

When asked how to keep current, my advice is to have a systematic process for checking various sources of external documents. At a minimum, you should be checking all of the possible sources just before each Management Review. This will give you something to include for the requirement in clause 5.6.2h) of the ISO 13485:2003 Standard. “More preferably,” as lawyers would say, check out the website link above at least once per month. For those of you that are completely out of touch, and those that just fell off the University hayride, the following explains why you can’t get away with saying:

“There haven’t been any new or revised regulatory requirements since the last Management Review.”

MEDDEV Updates

There were several updates to the MEDDEVs released as supporting documents for the M5 version of the MDD (93/42/EEC as modified by 2007/47/EC). Specifically, there were four in December 2009 and one in June 2010. Then there were two more MEDDEVs released in December 2010 related to clinical study requirements in Europe. In January 2012, another six MEDDEVs were released, and one more was released in March. Not all of these updates apply to every company, but every RA professional working on CE Marked products has been busy readying themselves to sleep at night.

I could spend some time here telling you a couple of sentences about each of these new MEDDEVs, but someone already did that for me:

http://www.eisnersafety.com/eu-medical-device-meddevs-guidance-docs-newly-rlsed-or-updated/#.T8Oml7Dy-So

One fellow blogger indicated that the MEDDEV 2.5/10, about Authorized Representatives (ARs), was disruptive:

http://medicaldeviceslegal.com/2012/02/09/new-meddev-on-authorised-representatives-everything-you-know-is-wrong/

I don’t agree with Erik Vollebregt about it being disruptive. Erik feels that we can all expect substantial revisions in the AR contracts, but I think the German AR’s I have worked with were already moving in this direction. Emergo has been a strong AR all along, with a distinctly more friendly Dutch style to their processes. In the end, I just don’t see Notified Bodies (NBs) making these contracts a priority initiative. I think we’ll see more auditors verifying that contracts are in place and current, but I don’t expect auditors to receive guidance on how to review contracts anytime soon.

The real changes will be in the smaller AR’s that are not European Association of Authorized Representatives (EAAR) members. The Competent Authorities (CAs) have been knocking on the door of various “wannabee” AR’s for a few years now. I think they have done an excellent job of shutting down illegitimate representatives, and the member companies of EAAR (http://www.eaarmed.org/) have done well in raising awareness. The next logical step was to provide some guidance so that there is more consistency among the ARs. I see this as just the beginning of the CA’s moving toward one approach.

Erik wrote another article about MEDDEV 2.12/2 on the subject of Post-Market Clinical Follow-up (PMCF):

http://medicaldeviceslegal.com/2012/01/17/new-eu-guidance-on-post-market-clinical-follow-up-studies-published-and-other-meddev-guidance-announced/

Erik just touched on this MEDDEV briefly, but if your company is a manufacturer of a Class III device that is CE Marked—YOU NEED TO READ THIS MEDDEV!

MEDDEV Whitepaper

As in all things post-market related, BSI has taken the lead by publishing an article that is almost as long as the original MEDDEV. This white paper was written by Dr. Hamish Forster, BSI’s Orthopedic & Dental Product Expert, and the document is called “The Post-Market Priority.” I think you can only obtain a copy of this white paper by requesting it from BSI online, but the customer service person that follows up is quite polite.

BSI’s leadership role in PMCF is not new, either. Gert Bos gave a presentation that highlighted the importance of PMCF back on March 31, 2010:

http://www.bsigroup.nl/upload/Presentatie%2031%20maart%20-%20Gert%20Bos.pdf

My advice for anyone that has a Class III device that is CE Marked is to read this MEDDEV a few times, Annex X 1.1c of the MDD, read the whitepaper, and review these presentations by Gert Bos. This will help you prepare for what is coming. For those of you that think you know something about PMCF and have justified why your company doesn’t need to do it, think again. You should review the 16 bullet points in the MEDDEV on pages 14 and 15 (17 bullets in the whitepaper, but one was just split into two parts). Identify how many of these points apply to your Class III device. The more points that apply to your product, the more extensive the NB’s will expect your PMCF plans to be.

 


How to Write Design Control Procedures

The author has reviewed 100+ design control processes in his career, and this blog provides five steps to write design control procedures.

In my previous blog posting, I indicated six things that medical device companies can do to improve design controls. While the last posting focused on better design team leaders (WANTED: Design Team Needs Über-Leader), this posting focuses on writing stronger procedures. I shared some of my thoughts on how to write design control procedures just a few weeks ago, but my polls and LinkedIn Group discussions generated great feedback regarding how to write design control procedures.

No Need to Write Design Control Procedures

One of the people that responded to my poll commented that there was no option in the poll for “zero.” Design controls do not typically apply to contract manufacturers. These companies make what other companies design. Therefore, their Quality Manual will indicate that Clause 7.3 of the ISO 13485:2016 Standard is excluded. If this describes your company, sit back and enjoy the music.

1 Procedure Only

Another popular vote was “one.” If you only have one procedure for design controls, this meets the requirements. It might even be quite effective.

When I followed up with poll respondents, asking how many pages their procedures were, a few people suggested “one page.” These people are subscribing to the concept of using flow charts instead of text to define the design control process. I use the following diagram to describe the design process: The Waterfall Diagram!

[Figure: Waterfall diagram of the design process. From the US FDA Website.]

I first saw this diagram in the first course I took on Design Controls. This is on the FDA website too. To make this diagram effective as a procedure, we might need to include some references, such as work instructions, forms, the US FDA guidance document for Design Controls, and Clause 7.3 of the ISO 13485:2016 Standard.

Many Design Control Procedures

The bulk of the remaining respondents indicated that their company has eight or more procedures related to design controls. If each of these procedures is short and specific to a single step in the Waterfall Diagram, this type of documentation structure works well. Unfortunately, many of these procedures are a bit longer.

If your company designs software, active implantable devices, or a variety of device types—it may be necessary to have more than one procedure just to address these more complex design challenges. If your company has eight lengthy procedures to design Class 1 devices that are all in the same device family, then the design process could lose some fat.

In a perfect world, everyone on the design team would be well-trained and experienced. Unfortunately, we all have to learn somehow. Therefore, to improve the effectiveness of the team, we write design control procedures for the team to follow. As an auditor and consultant, I have reviewed 100+ design control processes. One observation is that longer procedures are not followed consistently. Therefore, keep it short. Another observation is that well-designed forms help teams with compliance.

Therefore, if you want to re-write design control procedures, try the following steps:

  1. Use a flow chart or diagram to illustrate the overall process
  2. Keep work instructions and procedures short
  3. Spend more time revising and updating forms, instead of procedures
  4. Train the entire team on design controls and risk management
  5. Monitor and measure team effectiveness and implement corrective actions when needed

The following is a link to the guidance document on design controls from the US FDA website. In addition to the comments I made in this blog, please refer back to my earlier blog on how to write a procedure. You can also purchase Medical Device Academy’s design control procedure and forms.


Design Team – Needs a Superwoman Leader

[Image: “Mona Superwoman” by Teddy Royannez (France)]

This blog discusses the reasons for a female design team leader and the qualities and skills that she should possess to get maximum results out of her team.

Last November, Eucomed published a position paper titled, A new EU regulatory framework for medical devices: Six steps guaranteeing rapid access to safe medical technology while safeguarding innovation. While I have serious doubts that any government will ever be able to “guarantee” anything other than its own continued existence, I have an idea of how the industry can help.

The position paper identified six steps. Each of these steps has a comparable action that could be taken in every medical device company. My list of six steps is:

Only the best leaders have:

  1. Only one approach to design controls
  2. Stronger internal procedures
  3. Cross-pollination by independent reviewers
  4. Clear communication of project status to management
  5. Better project management skills

The most critical element to success is developing stronger design team leaders. Design teams are cross-functional teams that must comply with complex international regulations while simultaneously being creative and developing new products. This type of group is the most challenging type to manage. To be successful, design team leaders must be “Über-Leaders.”

Critical Design Team Leader Skills

The most critical skills are not technical skills but team leadership skills. The role of a design team leader is to ensure that everyone is contributing, without tromping on smaller personalities in the group. Unfortunately, there are more men in this role than women.

Why is this unfortunate? Because men have difficulty when it comes to listening (takes one to know one).

We need a leader that will be strong, but we also need someone that is in touch with the feelings of others and will use that skill to bring out the best of everyone on the team. This superwoman also needs to earn the respect of the male egos around the table. She needs to be an expert in ISO 14971, ISO 13485, Design Controls, Project Management, and managing meetings. Our beautiful heroine must also be a teacher because some of our team members will not know everything—even if they pretend to.

The Über-Leader will always remind the team that Safety & Efficacy are paramount. As team leaders, we must take the “high road” and do what’s right—even when it delays a project or fails to meet our boss’s unrealistic timetable. Superwoman must demand proof in the form of verification and validation data. It is never acceptable to go with an opinion.

She will remind us that compromise is the enemy, and we must be more creative to solve problems without taking shortcuts that jeopardize safety and efficacy. She will work harder on the project than anyone else on the team. She will keep us on schedule. She will whisper to get our attention, but she won’t be afraid to yell and kick our ass.

As Jim Croce says, “You don’t tug on Superman’s cape.” Superwoman is the only exception to this rule.

 


Design Input Requirements: 3 Common Errors

The author reviews three common errors related to design input requirements and uses examples to illustrate compliance.

I have been directly involved in dozens of design projects throughout my career, and during the past three years, I have audited 50+ Design Dossiers for CE Marking of Medical Devices. Throughout most of these design projects, I have noticed one common thread—a misunderstanding of design inputs.

ISO 13485 identifies design input requirements. These requirements are:

  1. Functional (7.3.2a)
  2. Performance (7.3.2a)
  3. Safety (7.3.2a)
  4. Statutory/Regulatory (7.3.2b)
  5. Previous and Similar Designs (7.3.2c)
  6. Essential Requirements (7.3.2d)
  7. Outputs of Risk Management (7.3.2e)
  8. Customer Requirements (7.2.1)
  9. Organizational Requirements (7.2.1)

Design Requirements: 3 Common Errors Reviewed

The most common error seems to be the failure to include the outputs of risk management. For those of you who have used design FMEAs, that’s what the right-hand columns are for. When you identify suggested actions to mitigate risks with the current design, these actions should be translated into inputs for the “new and improved” model.

The second most common error seems to be a failure to consider regulatory requirements. There are two ways this mistake is frequently made: 1) Canadian MDRs were not considered as design inputs for a device intended for Canadian medical device licensing, and 2) an applicable ISO Standard was not considered (i.e., “State of the Art” is Essential Requirement 2 of the Medical Device Directive (MDD)).

The third most common error, and the one that drives me crazy, is a confusion of design outputs and design inputs. For example, an outer diameter of 2.3 +/- 0.05 mm is not a design input for a 7 French arterial catheter. This is a design output. The user need might be that the catheter must be small enough to fit inside the femoral artery and allow interventional radiologists to navigate to a specific location to administer therapy. Validation that the new design can do this is relatively straightforward to evaluate in a pre-clinical animal model or a clinical study. The question is, “What is the design input?”

Design Input Examples

Design inputs are supposed to be objective criteria for verification that the design outputs are adequate. One example of a design input is that the catheter outer diameter must be no larger than a previous design that is an 8 French catheter. Another possible design input is that the catheter’s diameter must be less than a competitor’s product. In both examples, a simple measurement of the OD is all that is required to complete the verification. This also gives a design team much more freedom to develop novel products than a narrow specification of 2.3 +/- 0.05 mm allows for.

If you are developing a Class II medical device for a 510(k) submission to the FDA, special controls guidance documents will include design inputs. If you are developing a Class IIa, Class IIb, or Class III medical device for CE marking, there is probably an ISO Standard that lists functional, performance, and safety requirements for the device. Regulatory guidance documents and ISO Standards usually reference test methods and indicate acceptance criteria. When you have a test method and acceptance criteria defined, it is easier to write a verification protocol. Therefore, design teams should always strive to document design inputs that reference a test method and acceptance criteria. Verification protocols are much more challenging to write if this is not done.

In my earlier example, the outer diameter of 2.3 +/- 0.05 mm is a specification. Unfortunately, many companies would document this as an input and use the final drawing as the output. By making this mistake, “verification” simply means measuring the outer diameter to verify that it matches the drawing. This adds no value; if the specifications are incorrect, the design team will not know about it.

A true verification would include a protocol that identifies the “worst-case scenario” and verifies that this still meets the design input requirements. Therefore, if the drawing indicates a dimensional tolerance of 2.3 +/- 0.05, the “worst-case” is 2.35 mm. The verification process is to measure either a previous version of the product or a competitor’s catheter. The smallest previous version or competitor catheter tested must be larger than the upper limit of the design output for the outer diameter of the new catheter.


Best In Class Process Validation Program

This blog reviews a best in class CNC machining process validation program. Our author writes, “In general, the best approach is a risk-based approach.”

The original question from a former client was: “What does a best in class CNC machining process validation program look like?” Although I intend to answer this question, I know a few other clients that have done a great job of this. Hopefully, they will add their own opinions as a comment. Therefore, I am expanding the scope of this question to validation in general.

Process Validation

The problem with validation is that you can always do a more thorough validation. Only in the cases of processes, such as sterilization, do we have ISO Standards that tell us what is required. Otherwise, we are usually the experts, and we have to use our judgment as to what is necessary. In general, the best approach is a risk-based approach.

For each design specification established for a component, we also need to identify what process risks are associated with failure to meet the specification. Most companies perform a process Failure Modes and Effects Analysis (pFMEA). This risk analysis has three quantitative components: 1) severity of the failure’s effect, 2) probability of occurrence, and 3) detectability. The first factor, severity, is based upon the intended use of the device and how that component failure impacts that use. Usually, it is important to have a medical professional involved in this portion of the estimation.

The second factor, probability, is typically quantified during process validation activities. One company I audited developed a ranking scale for probability that was linked directly to the CpK of the process. Higher CpK values received lower scores because the process was less likely to result in an out-of-specification component. Another company I worked for used a six-point logarithmic scale (i.e., 10e-6 = 1, 10e-5 = 2, 10e-4 = 3, 10e-3 = 4, 10e-2 = 5, and 10e-1 = 6). This logarithmic scale was based on sterilization validation, where a sterility assurance level of 10e-6 is considered “validated.”

The third factor, detectability, is best estimated by using a quantitative scale that is based upon a gauge R&R study or some other method of inspection method validation.

Most companies struggle with the determination of what is acceptable for design risk analysis. However, for process risk analysis, it is usually much easier to quantify the acceptable risk level.

Corrective Action

Once you have determined that a process is not acceptable at the current residual risk level, you must take corrective actions to reduce the risk. The first step to achieve this should be to review the process flow. There are critical control points that can be identified in the process flow. One of those points is the inspection step at the end of the process.

The inspection step in the process flow affects the detectability of defects. For many automated processes, such as CNC machining, it is not reasonable to perform 100% inspection. Therefore, these processes require validation. Most engineers make the mistake of trying to validate every dimension that is machined. However, only some of the aspects result in device failures. These are the dimensions that are critical to validate. The best practice is to calculate the process capability (i.e., CpK) for meeting each of these critical specifications. A minimum threshold should be established for the CpK (refer back to the process risk analysis for ideas on linking CpK to risk acceptance). Any CpK values below the threshold require a more consistent process. These are the component specifications that should be the focus of process validation efforts.
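As an added illustration (not from the original post), the Python below computes CpK for a critical dimension and maps the estimated out-of-specification probability onto the six-point logarithmic scale described earlier. The measurements are constructed, the 1.33 threshold and the normal-distribution estimate are assumptions, and the scale is read as 10^-6 = 1 through 10^-1 = 6.

```python
import math
from statistics import mean, stdev

# Constructed sample: outer-diameter measurements (mm) against the 2.3 +/- 0.05 mm spec.
OD_SAMPLES = [2.30, 2.31, 2.29, 2.30, 2.32, 2.28, 2.30, 2.31, 2.29, 2.30]
LSL, USL = 2.25, 2.35
CPK_THRESHOLD = 1.33  # assumed acceptance threshold, not a value from the article


def cpk(samples, lsl, usl):
    """Distance from the mean to the nearest spec limit, in units of 3 sigma."""
    mu, sigma = mean(samples), stdev(samples)
    if sigma == 0:
        raise ValueError("no variation in samples; CpK is undefined")
    return min(usl - mu, mu - lsl) / (3 * sigma)


def out_of_spec_probability(samples, lsl, usl):
    """Estimated fraction outside the limits, assuming normally distributed output."""
    mu, sigma = mean(samples), stdev(samples)
    below = 0.5 * math.erfc((mu - lsl) / (sigma * math.sqrt(2)))
    above = 0.5 * math.erfc((usl - mu) / (sigma * math.sqrt(2)))
    return below + above


def occurrence_score(p):
    """Six-point logarithmic scale, read as 1e-6 -> 1 ... 1e-1 -> 6.

    Assumption: a probability gets the lowest score whose bound it does not exceed.
    """
    for score in range(1, 7):
        if p <= 10.0 ** (score - 7):
            return score
    return 6  # anything worse than 1e-1 still gets the top score


def assess(samples, lsl, usl, threshold=CPK_THRESHOLD):
    """Summarize one critical dimension for the process risk analysis."""
    value = cpk(samples, lsl, usl)
    p = out_of_spec_probability(samples, lsl, usl)
    return {"cpk": round(value, 2), "score": occurrence_score(p),
            "needs_validation_focus": value < threshold}


if __name__ == "__main__":
    print(assess(OD_SAMPLES, LSL, USL))
```
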

During a process validation, it is often advisable to perform a Design Of Experiment (DOE) in order to quantify the effects of each process variable. Typically a DOE will evaluate the impact on CpK for each variable at a high, low, and middle value, while other variables are maintained at nominal values. Any variables that appear to have a significant impact on the CpK are candidates for performing an Operational Qualification (OQ). For a machining process, this could include spindle speeds, feed rates, and material hardness. If variation of the variable has little or no impact upon the CpK, then there is probably little benefit to the inclusion of this variable in an OQ.

The output of an OQ validation should be high and low limits for each process variable that will result in a “good” part. Performance Qualification (PQ) validation is the final step of process validation. In the PQ, most companies will conduct three repeat lots at nominal values for the variables. If the OQ is designed well, there is often little added value in the PQ. Therefore, the sample size is typically three lots of 10 samples each. If the OQ validation does not clearly identify safe operating limits for the variables, or the process has marginal capability (i.e., a low CpK), then the OQ should be repeated, and an additional DOE may be needed.

Information Resources

Here are a few information resources for those of you that are in “Deviceland”

  1. Guidelines for the Validation of Chemical Methods for the FDA Foods Program (3/22/2012) – http://www.fda.gov/downloads/ScienceResearch/FieldScience/UCM298730.pdf
  2. Process Validation: General Principles and Practices (January 2011) – http://www.fda.gov/downloads/Drugs/…/Guidances/UCM070336.pdf
  3. Guidelines for the Validation of Analytical Methods for the Detection of Microbial Pathogens in Foods (9/8/2011) – http://www.fda.gov/downloads/ScienceResearch/FieldScience/UCM273418.pdf
  4. CPG Sec. 490.100 Process Validation Requirements for Drug Products and Active Pharmaceutical Ingredients Subject to Pre-Market Approval (3/12/2004) – http://www.fda.gov/ICECI/ComplianceManuals/CompliancePolicyGuidanceManual/ucm074411.htm?utm_campaign=Google2&utm_source=fdaSearch&utm_medium=website&utm_term=validation&utm_content=3
  5. Q2 (R1) Validation of analytical procedures: text and methodology (June 1995) – http://www.ema.europa.eu/ema/index.jsp?curl=pages/regulation/general/general_content_000431.jsp&mid=WC0b01ac0580029593&jsenabled=true
