Which changes are forgotten in your MDR labeling procedure?

Did you forget any of the MDR labeling procedure requirements when you were updating your device labeling for CE Marking?

The topic of this article is how to create an MDR labeling procedure for compliance with Regulation (EU) 2017/745 (MDR) for CE Marking of medical devices. The MDR does not actually include a requirement for a labeling procedure. In fact, the MDR doesn’t even specifically require that you have ISO 13485:2016 certification. ISO 13485:2016, clause 7.5.1 states that you shall implement “defined operations for labeling and packaging,” but the standard doesn’t specifically say that “the organization shall document procedures” for labeling. In 21 CFR 820.120, the FDA states that “each manufacturer shall establish and maintain procedures to control labeling activities.” But there is no similar requirement in the MDR.

MDR Quality System Requirements

Article 10 is the section of the MDR that defines the obligations for device manufacturers to create quality system procedures, but a labeling procedure is not specifically mentioned. Article 10(9)(a) states that your quality system shall include “a strategy for regulatory compliance, including…procedures for management of modifications to the devices covered by the system,” and this would include label changes. The next paragraph states that your quality system shall include, “identification of applicable general safety and performance requirements.” The general safety and performance requirements (GSPRs) are found in Annex I of the MDR, and the very last GSPR (i.e. GSPR 23) is for your label and instructions for use.

Then, which changes do you need to make for the MDR labeling procedure?

The GSPRs in Annex I of the MDR are longer than the Essential Requirements that were in the MDD. In addition to the new requirements for UDI compliance (which you should address in a UDI Requirements Procedure), GSPR 23 has new general requirements (i.e. 23.1) and new requirements for information on the sterile packaging (i.e. 23.3). There is also a more detailed specification for the information on the label (i.e. 23.2) and the information in the instructions for use (i.e. 23.4). The approach for demonstrating compliance with the GSPRs suggested in the MDR is to provide a checklist. Therefore, most manufacturers of CE Marked devices have replaced their Essential Requirements Checklist (ERC) with a GSPR checklist. However, if you are reviewing a draft label for approval, you don’t want to review and update your entire 22-page, GSPR checklist for every label.

The more efficient approach is to create one or more labeling checklists that are specific to the requirements in GSPR 23. If you create a separate checklist for the label, the information on the sterile packaging, and for the information in the instructions for use, then you would have three shorter checklists to complete. The label checklist and the checklist of the information on the sterile packaging would be only one page each, while the checklist for the instructions for use would be approximately four pages. There may be additional labeling requirements for specific countries and types of devices. Electrical medical equipment also has specific labeling requirements in IEC 60601-1 and IEC 60601-1-2. You will also need to create a user needs specification that can be used as criteria for summative usability testing (i.e. validation that the design and risk controls implemented meet the user needs specification). You should also document a use-related risk analysis (URRA), and perform formative testing, in order to identify critical tasks which need to be in the instructions for use to prevent use errors.

Are there any other MDR requirements that you should address in a labeling procedure?

There are two other requirements that should be addressed in your labeling procedure. The first is the general labeling requirements in GSPR 23.1. Within GSPR 23.1, there are actually nine “sub-requirements.” The first “sub-requirement” in GSPR 23.1 is to provide the identity of the device, your company, and any safety and performance information needed by the user on the packaging or the instructions for use, and on your website. Many manufacturers do not want to make this information available on their website, because it makes it easier for competitors to copy the instructions for use, but this is not optional. This requirement and the other eight requirements in GSPR 23.1 could be included in your procedure or as part of a fourth labeling checklist associated with your MDR labeling procedure.

The second requirement is the requirement to translate your instructions for use into an official Union language(s) determined by the member state where your device will be made available to the intended user or patient. Creating these translations, and verifying the accuracy of the translations, can be expensive and burdensome–especially if your device is sold in most of the member states.

You might also consider implant cards as labeling requirements and try to add them to your MDR labeling procedure. However, if the requirement for implant cards (see Article 18 of the MDR) is applicable to your company, you should create an implant card procedure instead, because this is a detailed and critical requirement that will not apply to most of the other labels in your company. You should make sure that the implant card procedure is compliant with MDCG 2021-11 released in May 2021 and MDCG 20201-8 v2 released in March 2020. These guidance documents also have great examples of how to design your implant cards.

Other changes in labeling requirements

The ISO 15223-1:2016 standard has been revised and was expected for release at the end of 2020. However, only draft versions are currently available (i.e. ISO/DIS 15223-1:2020). This new version of the standard for symbols to be used with labeling will also need to be updated shortly in your MDR labeling procedure. This new version is already referenced in the medical device standard for information provided by the manufacturer (i.e. EN ISO 20417:2021)–which supersedes EN 1041:2008. Consultants and chat rooms have argued over whether the requirement for identifying the importer must be on the label or if it could be presented in other documents. EN ISO 20417:2021 resolves this dispute in section 7.1: “Where necessary, the label of a medical device or accessory shall include the name or trade name and full address of the importer to which the responsible organization can refer.” In the note following that clause, it clarifies that “This can be required by the authority having jurisdiction.” There is even a new symbol referenced for importers (i.e. Symbol 5.1.8 in ISO 15223-1).

If you have specific questions about device labeling or MDR compliance, please use our calendly app to schedule a call with a member of our team. You can also purchase our labeling and translation procedure (SYS-030) to save yourself the time and effort of making your own versions of the labeling checklist described above.

About the Author

Robert Packard is a regulatory consultant with 25+ years of experience in the medical device, pharmaceutical, and biotechnology industries. He is a graduate of UConn in Chemical Engineering. Robert was a senior manager at several medical device companies—including the President/CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing, and maintaining ISO 13485 and ISO 14971 certification. From 2009-2012, he was a lead auditor and instructor for one of the largest Notified Bodies. Robert’s specialty is regulatory submissions for high-risk medical devices, such as implants and drug/device combination products for CE marking applications, Canadian medical device applications, and 510(k) submissions. The most favorite part of his job is training others. He can be reached via phone 802.258.1881 or email. You can also follow him on Google+, LinkedIn or Twitter.

Software as a medical device (SaMD)

Can you combine the software development lifecycle with design controls when you are developing software as a medical device (SaMD)?

There has been a remarkable increase in the number of medical devices developed in the past few years that consist of only software. The medical device industry refers to these products as software as a medical device (SaMD). Along with the increase in the number of SaMDs on the market, there has also been an increase in the number of companies that are developing these SaMDs without any prior medical device industry experience. Medical Device Academy specializes in helping start-up medical device companies, and we see common characteristics shared by these MedTech start-ups. First, they are usually successful in demonstrating proof of concept for their software device within months. Second, the development team is typically virtual (i.e. everyone lives in a different state or even in different countries). Third, the development team does not include anyone with quality or regulatory responsibility. Fourth, the company has not implemented software design controls or started a design history file (DHF). Fifth, the company is not even aware of the existence of IEC 62304–the international standard that defines the life cycle requirements for medical device software.

The above situation is quite common, but it is not a serious problem. These Medtech start-ups just need guidance on how to comply with medical device regulations without creating an overly burdensome quality system and excessive documentation. At the same time, these companies need to stay small, agile, and thrifty. Most people believe that the quality system and software documentation process slows down the development process, but the intent is to prevent mistakes and to help you plan the design and development of your SaMD so that the resulting software is safe and performs as you intended (i.e. efficacious). In order to create a quality system and software documentation process that is lean and efficient, there are some common pitfalls you should avoid.

When do you need to implement a quality system for software as a medical device (SaMD)?

When a quality system is required depends upon which market you are launching your product in first. If you are launching your product in Canada, you need a special kind of quality system certificate before you can apply for a Canadian Medical Device License (i.e. MDSAP Certificate for ISO 13485:2016). MDSAP stands for “medical device single audit program,” and there are only 16 organizations that can issue this type of certificate. If you are launching your product in Europe, you will go through your ISO 13485 quality system certification in parallel with obtaining CE Certification of your SaMD. If you are launching your product in the USA, you do not need your quality system to be complete until after you obtain 510(k) clearance and you are ready to register and list with the FDA. You also do not need ISO certification for the US market. If your SaMD is a Class 1 device in any of these three markets, you may have fewer quality system and regulatory requirements.

Regardless of which market you are planning to launch your product in, you should not invest in a complete quality system and then develop your SaMD. You should either develop both in parallel, or you should develop your SaMD first. The only processes that are really important to implement at the beginning of product development are 1) design controls, 2) software development, 3) risk management, and 4) usability engineering or human factors testing. You can wait to implement the other 20+ procedures until you are entering the design transfer phase of your design and development project.

Do you need separate procedures for design controls, change control, and software development?

If you are developing a complex system that includes hardware and software you should probably have three separate procedures. The reason for this is that there are different quality system and regulatory requirements for changes to hardware and software. If you are only developing SaMD, then you can easily combine these three processes into one procedure. The video at the beginning of this blog describes how to combine these three into one procedure, but the following outlines the software documentation that should be covered in each stage of your design process:

  1. Phase 1 – Design planning requires identification of the software risk classification (i.e. A, B, or C) in accordance with IEC 62304, and the Level of Concern (LoC) for your software in accordance with the FDA guidance for software documentation. Regardless of what the LoC is for your SaMD, you will still need to develop the documentation required for the risk classification in IEC 62304–even if the FDA does not want to review all of that documentation in your 510(k) submission. You will also need to identify the regulatory pathway for your SaMD. Your design plan will identify the team members and each person’s role and responsibility. This phase is when you should document your software development environment, create a draft software description, and create a draft software architecture diagram.
  2. Phase 2 – Design inputs must be documented and approved in the second phase. These inputs are testing requirements. Therefore, you need to develop a testing plan for your product based upon the regulatory pathway for that product, recognized international standards or common specifications, and any guidance documents that are specific to your type of SaMD. Typically, it is recommended to review your testing plan with a regulator in a pre-submission meeting prior to conducting your verification and validation testing–especially if animal preclinical studies or human clinical studies are required. This phase is when you should conduct a hazard analysis and approve your software requirements specification (SRS). The hazard analysis should include use-related risk analysis (URRA) and cybersecurity risk analysis.
  3. Phase 3 – Design outputs are iteratively developed during the third phase. This is typically the longest phase of your development process, and the “Waterfall Diagram” is not an accurate depiction of most software development processes. The “V-Diagram” presented in IEC 62304 is a better representation of the software development process because you continuously repeat steps as you debug your code and add functionality to your software. Only the simplest firmware is written in a linear fashion without multiple debug and retest cycles, and lean product development methods (i.e. Agile programming) are intended to be iterative. This phase of development is complete when you conduct a “design freeze” and begin your verification and validation testing. Typically, companies that are developing SaMD can complete most of their unit testing and integration testing prior to the design freeze, but system validation may not be conducted until phase 4. Unfortunately, the unit testing and integration testing can only proceed so far if you have an embedded system (i.e. software embedded in hardware). If the SaMD requires human clinical studies, that software validation is performed during Phase 4. Phase 3 is when you should be documenting your software design specifications (SDS), unit testing, and integration testing. Any formative testing required for the user interface would be done during this phase. Formative testing may include: 1) evaluating very software functions, 2) developing directions for use, and 3) developing a training program for users. You should write testing protocols for system validation and summative usability testing during this phase as well. It is important to identify all of the critical tasks related to use-related risks during this phase and document them. These critical tasks determine the summative usability testing required. 
     It is also an excellent idea to start drafting a traceability matrix during this phase to ensure that each hazard and SRS item is being addressed in your verification and validation plan.
  4. Phase 4 – Design verification and validation of your SaMD is completed during this phase. At the end of this phase, you should have a complete traceability matrix, you should create a summary report of your unit testing and integration testing, and you should create a system validation report–including any benchtop, animal, or human performance testing that is conducted. You should also create a revision history document and a bug report identifying any known bugs in the software with a justification for why the software is safe to release with these bugs. This phase is also when you should complete your risk management file and your summative usability testing report. Finally, you need to complete a final draft of your user manual for the software that includes directions for use and the indications for use. When all of this documentation is completed, you are ready for your regulatory submission.
  5. Phase 5 – Product release is the last phase of design and development. Once you receive 510k clearance for your SaMD, then you can begin the final release of your product. You will need to update your “splash” or “about” screen for the software to include a Unique Device Identifier (UDI). The information will need to be uploaded to the FDA’s GUDID. You can assign the DI for the UDI anytime, but the GUDID data elements cannot be finalized until you have 510k clearance from the FDA. You will also need to manage revisions of your software for this minor change and revalidate the code. This type of change will not require a new 510k, because it is a minor device modification. However, you will need to review the FDA guidance on software changes for other types of software revisions you make in the future.

Should you outsource software documentation for software as a medical device (SaMD)?

You can outsource all of your software documentation for a SaMD, but the person(s) creating that documentation will still need the documents mentioned in phase 2. If you do not provide any documentation of hazards, a software description, or a crude sketch of your software’s architecture, it will be nearly impossible for anyone to create your software documentation. It is also extremely expensive to outsource software documentation. Even if you do outsource this task, you still will need to review and approve that documentation. Most people outsource tasks because they don’t know how to do it, but it is critical for medical device companies to learn how to document their software development because they will need to maintain that documentation when the software is updated to fix a software bug or to patch cybersecurity weaknesses. Everyone that is developing software for an SaMD should receive basic training on the requirements of IEC 62304 early in your project. Your team does not need to be an expert in IEC 62304, but you need to create draft documents that you can present to experts for feedback. Your team should also review all four of the guidance documents that the FDA released for software documentation:

  1. General Principles of Software Validation (2002)
  2. Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices (2005)
  3. Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (2014)
  4. Postmarket Management of Cybersecurity in Medical Devices (2016)
  5. Off-The-Shelf Software Use in Medical Devices (2019)

Creating your documentation is the hard part that your team should be doing, while reviewing and editing your documentation is a great task to hire an expert consultant for your first SaMD project. This will ensure your team is writing the software documentation to the correct level of detail, and you are not missing anything critical. Expert consultants can also provide you with templates for your software documentation.

Does software as a medical device (SaMD) require an electronic quality management system (eQMS)?

There are two types of quality systems: 1) paper-based, and 2) electronic. Most start-up companies choose the paper-based option because they don’t want the extra hassle of having to validate an electronic system. However, if your company is smart enough to validate SaMD, you are smart enough to validate software for your quality system too. The applicable standard for validation of software tools is ISO/TR 80002-2:2017. You can also purchase templates for software tool validation from Medical Device Academy. Companies are always asking for a referral of which eQMS system to purchase. The problem is that every year software has more functionality and costs less. Therefore, my general advice is to never pay more than $10,000 for eQMS as a start-up and consider starting with free database software to organize all of the documentation that is in your traceability matrix. You can migrate the data into an eQMS later by mapping your free database to the new eQMS software database.

Who should be responsible for quality and regulatory if your device is software as a medical device (SaMD)?

Quality and regulatory are two different functions, and it doesn’t always make sense to have one person be responsible for both requirements. The two primary standards that are applicable to quality assurance of SaMD are 1) IEC 62304, and 2) ISO 13485. Anyone you are considering for the position of quality manager should be familiar with both standards, and they should be making sure that your development team is documenting the software verification and validation as you proceed through the iterative software development process that is typical of Agile software development teams. The person doesn’t need to be able to code software, but they should be able to help review software documentation and suggest changes. This person’s role is extremely important to make sure that software revisions are managed properly and that your software is only released when all of the validation and revalidation is complete. This person should also be able to determine if a new 510(k) is required for software modifications.

The regulatory process is the preparation of the 510k submission and communications with the FDA. This is an activity that you will probably need to perform once every two years. The FDA requirements for a 510k change more frequently than once every two years, and it is extremely difficult to become proficient when you are filling out government forms so rarely. For these reasons, it is recommended to work with an expert regulatory consultant with SaMD experience until your company has enough software products and revisions that you need to file multiple 510k submissions each year. Therefore, a less experienced quality manager can gradually learn the regulatory requirements over time and they will need less help from a regulatory consultant each year.

Do you need a corporate office?

Many MedTech companies are virtual companies, but the FDA will require a physical address to visit for an FDA inspection. FDA inspectors have visited the home of the company founder at other companies, but you probably will be more comfortable with an office space for the FDA inspector to visit. The FDA is unlikely to visit your company during the first year after you initially register your product. An inspection is more likely in the second year after initial registration and listing. Therefore, you might consider renting a co-working space where you can reserve a conference room if an FDA inspector visits. If you don’t have the funds to afford rent until after you launch your product, don’t worry. FDA inspectors are unlikely to visit so soon, and if they do–just relax and be honest about the situation. You are not alone.

About the Author

Robert Packard is a regulatory consultant with 25+ years of experience in the medical device, pharmaceutical, and biotechnology industries. He is a graduate of UConn in Chemical Engineering. Robert was a senior manager at several medical device companies—including the President/CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing, and maintaining ISO 13485 and ISO 14971 certification. From 2009-2012, he was a lead auditor and instructor for one of the largest Notified Bodies. Robert’s specialty is regulatory submissions for high-risk medical devices, such as implants and drug/device combination products for CE marking applications, Canadian medical device applications, and 510(k) submissions. The most favorite part of his job is training others. He can be reached via phone 802.258.1881 or email. You can also follow him on Google+, LinkedIn or Twitter.

Posted in: Design Control, Software Verification and Validation

Leave a Comment (0) →

Before 510k clearance, 10 quality tasks you need to prevent unexpected delays

Before 510k clearance, 10 quality tasks you need to prevent unexpected delays

The US FDA does not require that 100% of your quality system be implemented before 510k clearance, but these 10 activities need to be done.

The form above allows you to register for a live webinar we are hosting on Friday, May 21, 2021 @ 1 pm EDT. The webinar will share the 510k project management lessons learned by our team since 2016. In addition to 510k project management, MedTech companies also need to implement their quality system in parallel with their regulatory submissions. Some people say that you need to implement your quality system before you submit your 510k. That is not an FDA requirement, but you do have quality system activities that need to be done before you will have all of the technical documentation you need to submit a 510k. This article describes 10 quality tasks you need to prevent unexpected delays.

Design & Risk Management Planning

Design & Risk Management Planning is your 1st priority because you want to identify all of the major activities that need to be completed in your design and risk management processes and which activities are critical path items. Otherwise, you will have unexpected delays. You can and should add details to the plan as you go, but items 2-9 listed below should be included in that initial plan–along with your design and risk management activities.

Risk Management Activities are Needed Before 510k Clearance

Risk Management is your 2nd priority because it’s an input to almost everything else listed below. This includes hazard identification, creating a use-related risk analysis (URRA), and identifying cybersecurity risks if you have software/firmware. Reference: ISO 14971:2019 Medical devices — Application of risk management to medical devices. Depending on the device, cybersecurity should be evaluated as an overlapping but separate area from risk management. (Reference AAMI TIR57: 2016 Principles For Medical Device Security – Risk Management.)

Formative Usability Testing

Formative Usability Testing is your 3rd priority because this helps you evaluate your device design while it’s still evolving. Formative testing helps you identify opportunities for improvement, provides confirmation that your design is moving in the right direction, and identifies potential use errors while there is still time to implement effective risk controls such as alarms and other safety features. References:

Software Validation is Needed Before 510k Clearance

Software Validation is your 4th priority because it must precede electrical safety testing for electromedical devices and most companies underestimate the time required to document software validation in accordance with IEC 62304:2006 / AMD 1:2015 and the FDA’s five guidance documents:

Supplier Qualification is Needed Before 510k Clearance

Supplier qualification is your 5th priority because you do not want to order all of your prototype parts for the initial testing and then find out that the supplier is not capable of supporting you commercially. If you have to switch suppliers, you might be forced to repeat biocompatibility testing and other design verification testing due to changes in the manufacturing process. Implementation of a supplier qualification process before 510k clearance is needed.

Label & IFU Requirements Specifications

Label requirements and instructions for use requirements specifications are your 6th priority because you cannot perform electrical safety testing or design validation (including summative usability testing) of your device without labeling and instructions. These requirements are the design inputs for information provided to the user, and these must be controlled under design controls rather than document control.

Packaging Specifications

Packaging specifications are the 7th priority you should implement before 510k clearance because the packaging is needed to maintain sterility, to ensure product stability, and to protect the product during shipping. Companies are also frequently surprised by the long lead times associated with ordering custom packaging, and you may not have the budget to validate sub-optimal “stock” packaging for your 510(k) submission and then repeat the validation for the optimized packaging later.

Quality System Implementation

Quality system implementation is the 8th priority for implementation before 510k clearance because you will need a fully functional quality system by the time your 510(k) is cleared. Quality system implementation typically takes 6+ months while the 510(k) review should take 4 months or less. Quality system implementation includes writing 25+ procedures, reviewing and approving those procedures, training your employees, and actually using those procedures to begin generating quality system records. For companies that are pursuing Canadian Licensing or CE Marking, the quality system must be fully implemented and certified before the regulatory submission is possible. (Quality System Requirements for the U.S. FDA are outlined within 21 CFR 820-Quality System Regulation)

Summative Usability Testing

Summative usability testing should happen after Design Freeze or you risk having to backtrack in your design process if this validation test reveals a need for device changes. The FDA’s 2016 Usability Guidance explicitly defines this validation testing as just a portion of overall design validation. (Reference Applying Human Factors and Usability Engineering to Medical Devices Guidance for Industry and Food and Drug Administration Staff (2016))

Apply for Small Business Status Before 510k Clearance

Application for small business status should be the 10th priority for implementation before 510k clearance because this can save your company $9,000+ but it requires that you submit your application at least 60 days before you need to pay the 510(k) user fee.

About the Author

Matthew Walker – QMS, Risk Management, Usability Testing, Cybersecurity

Matthew came to us with a regulatory background that focused on OSHA and NFPA regulations when he was a Firefighter/EMT. Since we kidnapped him from his other career, he now works in Medical Device Quality Management Systems, Technical/Medical Writing and is a Lead Auditor. He is currently a student in the Champlain College’s Cybersecurity and Digital Forensics program, and we are proud to say that he is also a member of both the Golden Keys and Phi Theta Kappa Honor Societies! Matthew participates as a member of our audit team and has a passion for risk management and human factors engineering. Always the mad scientist, Matthew pairs his professional life in regulatory affairs with hobbies in the culinary arts as he also holds a Butchers/Meat Cutters certificate from Vermont Technical College.


Posted in: 510(k)

What is 510k Content Format

This article defines the 510k content format for an FDA 510k pre-market notification submission in accordance with the September 13, 2019, FDA guidance.

What is a 510k?

A 510k submission is a pre-market notification submission to the FDA. The “510(k)” designation refers to the applicable section and sub-section of the Food Drug & Cosmetic Act. The “pre-market” designation is a reminder that companies must submit a 510k submission before marketing their products. Finally, the “notification” part of the phrase is used instead of the word “approval” because the FDA does not consider the 510k review process to be an endorsement or approval of your product. Instead, the 510k review process is a review by the FDA to determine if your product meets the requirements of substantial equivalence with a predicate device. The FDA initially performs a prescreening of the 510k submission to verify that it meets the minimum requirements for 510k content format. Then during the 510k substantive review process, the reviewer must answer six questions in the substantial equivalence decision tree:

  1. Is the predicate device legally marketed?
  2. Do the devices have the same intended use?
  3. Do the devices have the same technological characteristics?
  4. Do the different technical characteristics of the devices raise different questions of safety and effectiveness?
  5. Are the methods acceptable?
  6. Do the data demonstrate substantial equivalence?

The 510k process was not intended to be the primary process for regulatory approval by the FDA. The 510k process was intended to be a simplified approach for clearance of devices that are of moderate-risk and similar in design and intended use to another moderate-risk device that is already on the market. However, the process was manipulated as a loophole by device companies to avoid the more rigorous pre-market approval (PMA) process that requires conducting a clinical investigation.

Recent changes to the 510k review process are much deeper than the 510k content format

In approximately 2010, the FDA gradually started making changes to the 510k process. The FDA started publishing more guidance documents specifying both collateral guidance documents that apply to all device classifications (e.g., biocompatibility and human factors), and particular guidance documents that apply to only a small number of product classifications (e.g., CADe). In 2012, the FDA implemented a new policy called the Refusal to Accept (RTA) Policy for 510(k)s. The FDA implemented this policy to improve the general quality of 510k submissions. All submissions are now subject to a 15-day review of the 510k content format to ensure that the submission includes all 20 sections required by the FDA, the submission includes a table of contents and page numbering, and the various sections of the 510k include basic elements that are frequently forgotten by companies. Initially, more than 60% of the 510k submissions were rejected during the RTA screening process. Still, submissions have improved, and training of the FDA personnel performing the RTA screening has resulted in a more consistent application of the RTA policy. The FDA also systematically converted each of the remaining Class 3 devices that were eligible for 510k clearance to Class 3 devices requiring a PMA. The most recent changes were the elimination of requiring the submission to include a printed hardcopy of the submission (i.e., FDA eCopy only) and no longer allowing predicates that are more than ten years old.

FDA requirements for 510k Content Format

The FDA requires that your 510k submission is organized into 20 sections as described in section V of the table of contents of the September 13, 2019, FDA 510k guidance document. The FDA no longer requires a hardcopy of the submission. Now the FDA only requires an electronic copy (i.e., FDA eCopy) with a hardcopy of the 510k cover letter. The cover letter may be included in the eCopy, but it is not required. The FDA eCopy guidance document was updated on December 16, 2019.

The FDA eCopy guidance gives you the option of organizing the 20 sections of a 510k into 20 volumes with multiple documents in each volume or submitting sequentially numbered documents. The word “volume” refers to electronic folders in the FDA eCopy rather than physical binders. There is no right or wrong choice regarding volumes, as long as your eCopy uploads. The choice is a matter of personal preference. The FDA recommends that multiple volumes be used for more extensive submissions, but using the same process for every 510(k) submission makes submission teams more efficient. It is also easier for the FDA to navigate between documents when they are not in separate volumes. Therefore, the document structure is generally best for the FDA, and the volume structure is usually best for the company to prevent the need for renumbering files and file names. We always use the volume structure for every submission, even pre-submissions. Submissions are organized into 20 volumes to match the 20 sections of a 510k submission. If we include an RTA Checklist, then we add a 21st volume. The FDA recommends using the 21st volume for miscellaneous appendices, but the volume structure of the submission makes it easy to insert miscellaneous content directly into the applicable sections by adding documents after the initial section summary document.

Overall Numbering or Numbering within Sections?

Again, this is a personal preference. However, there are always last-minute changes to documents. Therefore, whichever numbering system you use should minimize the need for the last-minute renumbering of the entire submission. This is especially painful when you number the overall submission, and then you add a page to the middle of the submission when you are trying to ship out your submission that day. By numbering only the sections, you reduce the amount of rework required. Our firm deviates slightly from the “numbering within sections” requirement. In the table of contents, we indicate how many pages are associated with each document in a volume, and then we start each document with page 1. One FDA reviewer recently requested that we modify this to “page x of y,” where “x” is the page number of that document, and “y” is the total number of pages in the document. Therefore, we updated all of our templates to reflect the “page x of y” format for page numbering.

510k Format Content: Using Your Table of Contents for Project Management

When I was less experienced, I used project management software and action item lists to manage submission projects. Experience has taught me to simplify. Now I only use an action item list to track the progress of individual tasks. To track the overall submission, I now use the table of contents as my project management “report.” If you color-code the rows of your table of contents, you can communicate the status of each document in the submission. At the beginning of the project, all the rows indicate documents are not yet started, signified by the color red. Once I begin a document, I change the color to yellow. Finally, when the document is completed, I change the color of the row to green. Three documents require the signature of the official correspondent with the FDA:

  1. 510k Cover Letter
  2. Certification Regarding Confidentiality
  3. Truthful and Accuracy Statement

Once these three documents are completed, they still need a signature that should only be applied just before we prepare the eCopy. Therefore, I signify the status of documents waiting for signatures with blue rows. A couple of people struggle with reformatting row colors, but every single person on your team will understand that they want the table of contents to gradually change from red, to yellow and finally to 100% green.

Posted in: 510(k)

Why remote audit duration should never exceed 90 minutes

This article explains why remote audit duration should not exceed 90 minutes and the unique opportunities created by a series of short remote audits.

Parkinson’s Law and the subject of audit duration

On November 19, 1995, Cyril Northcote Parkinson published an essay in the Economist. The title of the article was “Parkinson’s Law.” In the first sentence of the essay, Parkinson says, “It is a commonplace observation that work expands to fill the time available for its completion.” This essay refers to the observation that work is elastic concerning the demands on time when completing paperwork. When I first trained as an auditor, trainers emphasized that the most significant challenge faced by auditors is to complete an audit within the time available. An auditor’s task is to achieve the audit objectives within the time specified by the audit program manager. Time is precious, and you cannot easily extend the audit duration after scheduling the audit.

How much time is needed for a full quality system audit?

This question is a silly question to ask a consultant that works on an hourly basis. A consultant working on an hourly basis will make more money if they work more hours. Therefore, there is little incentive to underestimate the time required to complete the objectives of an audit. However, after completing hundreds of audits, I can honestly state that eight hours is not enough time to perform a full quality system audit of a medical device company’s quality system. However, I completed a full quality system audit of a small company in less than two days. I also had difficulty completing an audit of a larger company in four days. An FDA inspector typically requires four days to complete a routine inspection, even at foreign manufacturers where English is a second language, and they only need to return on the fifth day to prepare their FDA 483 observations to give to the company. Therefore, three days is typically the absolute minimum time required to complete a full quality system audit.

Does Parkinson’s Law apply to audit duration?

Parkinson’s Law certainly applies to the audit duration. If the lead auditor assigns a team member to review the CAPA process, the task is unlikely to be completed in 30 minutes, and most auditors would struggle to appear busy for more than three hours. You need enough notes to provide objective evidence of conformity for your audit report, but if you finish too quickly, then others may perceive that you were not thorough. Therefore, most auditors will begin any process audit by asking for a copy of the procedure and a log of the records available. The auditor will quickly review the procedure’s revision history to determine when the last revision was made and if there have been any significant revisions since the last audit. Next, the auditor will review the log to estimate how many records should be sampled. The auditor will then estimate how much time is needed to review the sampled records. Finally, a quick mental calculation is made to determine how much time remains for procedure review before the auditor must move on to interview the next subject matter expert.

Why are auditors always behind schedule?

An auditor begins with small, close-ended questions that are designed to put the auditee at ease. The auditor may even comment on unrelated subjects to build rapport first. Records may or may not be readily available, but auditors almost always have to wait for record retrieval. The request is recorded, copies are made, and the subject matter expert may need a little time to review before handing the auditor the requested record. Auditors will ask clarifying questions, and auditees will need a few moments to check their facts. Any one of these delays is insignificant by itself, but collectively there may be two-and-a-half minutes of delay for each record requested. If you sample five records, that represents a combined delay of 12.5 minutes. If you average only seven minutes to review each record, then a sampling of five records will require 47.5 minutes. This will leave you only 12.5 minutes for introductions, review of the procedure, and conclusions. If you want to interview any of the people that investigated root-cause, then you will need more than an hour to complete your audit, and you will not finish in the one hour scheduled.

Why is it so hard to complete a full quality system audit in three days?

Most of your process audits require a few more minutes than you expected, but you will also need time to walk to the next subject matter expert, or you will be waiting for the next subject matter expert to enter the conference room. If the quality system consists of only the minimum twenty-eight required procedures, your full quality system audit will require more than 28 hours to complete. If there are additional regulatory requirements for CE Marking or MDSAP certification, you will need even more time to audit every process. You should also expect certain processes to require more time to properly sample records, such as technical documentation and design controls. Even the most experienced auditors struggle to review a technical file and/or design history file in less than two hours.

What happens to an auditor after auditing all day?

As a Notified Body auditor, I used to leave my home in Vermont on Sunday afternoon and drive two hours to the nearest major airport. Then I would be gone all week conducting audits. On Friday, I would drive home and arrive in the middle of the night. Each day audits would begin early in the morning, and I would complete the day after 8.5 to 9 hours of work. Jet lag, sleep deprivation, too little exercise, and constantly eating at restaurants took their toll. I would consult my Google calendar to learn what city I was in each morning, and to remember what company was on my schedule for the day. I would purposely try to do as much walking around as possible during the day just to keep my blood flowing and to help stay awake. I would read documents while pacing back-and-forth in conference rooms, and I would always make sure that we had to audit the most remote area of a facility after lunch to make sure that I didn’t fall asleep. I would tell stories and jokes to entertain my hosts, but it was necessary to break up the monotony of auditing quality systems seven days a week. I would make sure I drank at least six liters of water each day for health, but this also gave me an excuse to take frequent bathroom breaks. Somehow I managed to survive that lifestyle for more than three years. Each day my feet, legs, back, and neck were in severe pain. I had constant headaches, and I know the quality of my work gradually declined throughout each day. The most valuable lesson I learned was, you need to move frequently, or you will die.

What happens when you sit in front of a computer for eight hours?

I can sit in front of a computer longer than almost anyone I know. When I focus on work, four hours can elapse without me getting up from a chair even once. I might pick up my empty coffee mug four or five times to take a sip before I am conscious of the need to get another cup. On days where my schedule consists primarily of Zoom meetings, I may sit through as many as six consecutive meetings before I take the time to get up and go to the bathroom and get a drink of water. Clients may perceive that I have tremendous endurance, but there are negative consequences to this work pattern. My wrist becomes sore, and I need to switch my mouse pad and the style of the mouse I am using every day. I change computers, switch microphones, and take a short walk. My neck, back, and legs will hurt worse than during any of the audits in my years as a Notified Body auditor. Sitting at a computer all day has resulted in mild symptoms of restless legs syndrome. Sitting at a computer continuously for the audit duration is physically exhausting and tedious. If you must complete a remote audit on a continuous eight-hour day, you can, but it is not healthy or productive. The negative health consequences and negative impact on productivity are equally applicable to auditees.

What can you do to reduce audit fatigue during a remote audit?

The most straightforward strategy for reducing fatigue is to take breaks. Instead of auditing for eight hours continuously, try auditing in two or three 90-minute segments each day. If you are auditing someone in a different time zone, you may only be able to accommodate an audit duration of one 90-minute session per day without working through the night. Taking breaks will allow you to leave your computer, eat food, and even go to the bathroom. You can recharge your headset during a break too. You should consider taking a walk outside. It is incredible how much better you feel when you get some exercise, stretch, and experience a little natural light instead of the unnatural glow of your computer’s monitor. The person you are auditing will appreciate the breaks, but they will also enjoy the improvement in your overall demeanor. A simple smile after a 30-minute break has a tremendous positive impact.

How can we utilize breaks more effectively during remote audits?

Auditors need documents and records to review as objective evidence. The most obvious way to make use of breaks is for the auditor to give the auditee a list of documents and records to gather during the break. This will give the auditee an excuse to go and get the documents and records if they are stored in another location. The auditee might also scan records during a break. A break also gives subject matter experts time to re-familiarize themselves with the documents and records before resuming the audit. Auditees and auditors will need to recharge batteries, but the auditor might take time to convert their notes into a summary for the final audit report. The auditor might also review the audit criteria one more time before writing a nonconformity. The auditee might take advantage of the break to initiate a new CAPA and write a draft of the corrective action plan. Then when the audit resumes, the auditee can review the draft plan with the auditor to ensure that the plan is appropriate and nothing was accidentally omitted from the CAPA plan.

Why are 90 minutes a magical audit duration?

Auditing one process in a single 45-60 minute session is ok, but if you audit two processes in a single 90-minute session, you can reduce the time spent starting and stopping the audit session by half. Adding a third process to a single session will have a smaller impact, and the meeting will need to be so long that most participants will begin to lose concentration, and fatigue becomes a significant factor. Ninety minutes is not quite long enough to audit two processes effectively. Still, an auditor can request procedures in advance of the session or spend time after the session reviewing procedures. Therefore, by spending an additional 30 minutes reviewing two procedures “off-line,” the auditor can dedicate 100% of the “on-line” time to reviewing records and interviewing subject matter experts. The result is a fast-paced, 90-minute session where each subject matter expert typically is only needed for 45 minutes. Alternatively, if you are auditing more complex records like a design history file, you can spend all 90 minutes discussing that area.

Posted in: Auditing, ISO Auditing, Remote Auditing

How to make a supplier questionnaire for remote auditing

You already have a supplier questionnaire, but do you know how to make a supplier questionnaire to assess a supplier’s ability to support a remote audit?

The four most significant mistakes people make when designing a supplier questionnaire

In Medical Device Academy’s supplier qualification webinar, you learn how to improve your supplier qualification process by replacing the traditional methods of supplier qualification with more effective approaches to supplier evaluation. The following are four examples of how to improve your supplier questionnaire.

Supplier questionnaires should be specific to the product or service provided

The first mistake people make is to use a generic questionnaire. You should ask your supplier questions that are important to the work that the supplier will be performing. Therefore, each category of product or service should have its own set of questions. For example, important questions related to ethylene oxide contract sterilization services are the maximum size limitations for pallets in the sterilization chamber and whether the facility can conduct sterility testing on-site. However, an injection molding supplier might delay the return of your supplier questionnaire if these questions were on the survey that you sent to them because they don’t understand the questions.

Supplier surveys should be more than checkboxes

The second mistake people make is to ask questions that can be answered with a “yes” or “no” response or a checkbox. These are closed-ended questions. You should always ask open-ended questions because the response will give you more information about the supplier. In addition, most people resist responding with a “no” response even if the real answer is “no.” For example, “What is your FDA registration number?” is more useful than “Is your company FDA registered?” Another example is, “How many production lines use SPC charts?” instead of “Do you use SPC charts?” In fact, in the open-ended version of this question, you will learn if the use of SPC charts is widespread, and you learn how many production lines the supplier has.

Remember to ask suppliers to update surveys every year

The third mistake people make is to request that a supplier questionnaire be completed only during the initial supplier qualification process. Every year companies grow, shrink, or change. If you ask suppliers to update their questionnaire, you can use that information to determine the health of your supplier’s business. You might also discover that one supplier just added a new production capability that will allow you to consolidate more of your outsourced work with that supplier and eliminate another problem supplier. Every company has a turnover in personnel as well. It is a great idea to ask suppliers to provide contact information for multiple people in the organization, such as quality contact, billing contact, and a production planner. Eventually, you will probably need to speak with each of these people, and if one of the contacts is no longer at your supplier, you will still have two other contacts. Updating this information also gives you a hint of whether turnover is widespread or limited to a specific individual.

Supplier questionnaires should be in spreadsheet format

The fourth mistake people make is to send a Word Document for suppliers to complete (PDF format is even worse). Word and PDF formats are time-consuming to complete, and they are harder for you to analyze than a spreadsheet. Most people provide a Word document or a PDF because they are focusing on the requirement for control of records. However, if you have an electronic quality system, the supplier survey information will be part of your electronic system as soon as you enter the data into your software. Alternatively, if you have a paper-based quality system, then you can print the spreadsheet out, sign it, and date it. The huge advantage of using Excel spreadsheets is that you can copy the new data into a column next to the previous year’s responses. Then you can quickly see what changes your supplier made in the past year.

What should you add to your supplier questionnaire?

Most private companies will not share what their revenues are for the business, but as a customer, you should be more concerned with how many human resources your supplier has. Therefore, you should consider asking, “How many employees, or full-time equivalents (FTEs), work for your company?” You might also want to know if your supplier is relying on a temporary workforce. For example, “What percentage of the FTEs are temporary workers?” Many questionnaires will ask for the square footage of the facility, but this doesn’t provide you with any details about the facility layout. Alternatively, you could ask for a copy of the pest-control map for the facility. This would give you a detailed layout of the facility, and it also confirms that your supplier has a pest control plan for the facility. Another related question to ask is, “Please describe any expansion/construction projects that have been implemented in the past year or projects that are in progress (e.g., the addition of a mezzanine).” If the company added 30,000 square feet to their production area, but there was no change to the pest control plan, you might have some clarification questions for your supplier. In general, a good strategy for developing your questionnaire is to think of at least one open-ended question related to each clause of the ISO 13485:2016 standard without referencing the standard. The following are some examples that might help you:

  1. When was the last software re-validation for quality system software?
  2. How many active external standards is your company currently maintaining?
  3. Please provide a list of procedures and identify the person who would be interviewed during an audit for each procedure (i.e., process owner or subject matter expert).
  4. In the absence of the management representative, who is designated as the liaison for an FDA inspector?
  5. What are the upper control limits for particulate counts, air viable counts, and surface viable counts in your controlled environment(s)?
  6. On what dates was the environmental monitoring of controlled environments conducted in the last year?
  7. Please identify how many quality inspectors are responsible for the incoming inspection?
  8. Please list the calibration ID and equipment name for any inspection equipment that requires specialized training (e.g., CMM)?
  9. How many suppliers are on your approved supplier list (ASL)? And how many suppliers did you audit in the past year?
  10. How many nonconforming material reports (NCMRs) were opened in the past year? And how many NCMRs currently remain open?
  11. How many partial or complete lots were returned to your company by customers in the past year?
  12. Please list any corrections and removals (i.e., recalls) that your company has been involved in during the past year and the current status?

How many questions should your supplier questionnaire include?

There are 28 required procedures in ISO 13485:2016, and there are even more subclauses within the standard. It is an excellent idea to create a list of questions you might ask for each subclause, but a supplier questionnaire should not include all of those questions. Just as audits are just a sampling, your supplier survey questions should be sampling as well. You should review last year’s questions and eliminate questions that you think are not especially useful for that supplier. Some questions should be asked each year to assess if the quality system has changed significantly, and you should consider adding a few new questions each year. The best questions will require the person to perform some research to answer the questions. But it is unreasonable to expect a supplier to spend more than two hours completing a supplier questionnaire if you plan to purchase less than $20,000 in product or services.

Supplier questionnaires specific to remote auditing

In many ways, a well-designed supplier questionnaire is similar to a remote audit, because you are asking the supplier to answer multiple open-ended questions about their quality system to verify that the quality system is fully implemented and remains effective. However, due to the Covid-19 pandemic, many employees are now required to work from home, and it is not possible to physically visit certain facilities. Therefore, you should be adding three elements to your supplier questionnaire to assess your supplier’s ability to support a remote audit and to determine their ability to maintain the effectiveness of the quality system during a viral outbreak. The three elements are 1) policies for personal protective equipment for employees and visitors, 2) business continuity plans to maintain internal operations and to ensure redundancy of crucial suppliers, and 3) availability of digital documents and records or paper documents and records via video conference software. These three areas were also the subject of a previous blog on changes triggered by Covid-19. You should also ask about the availability of hardware and software communication tools for conducting a remote audit. You might ask your supplier, “Which areas of your facility can we observe during a remote audit using live video conferencing (e.g., Zoom mobile application)?” and “What experience does your company have in the use of Zoom as a video conferencing tool?”

Access to documents and records during remote audits

During a remote audit, you will need to access documents and records virtually. If your supplier can participate via a video conferencing tool with a high definition web camera or smartphone, then you should be able to see any documents and records that you could normally see during an on-site audit. However, your supplier will need to hold the document or records steady, possibly by using a music stand and a camera tripod so that you can take notes regarding the contents of the document or record. You will also need a way to record your notes. You might try using a Pixelbook or similar computer to write your audit notes while you watch the video conference using a second computer, possibly on a conference room projector screen or large flat screen monitor. You could also use a tablet, such as a reMarkable. Of course, you can always use a pad of paper and a pen and then transcribe your notes later. All of these methods will be faster and more convenient than digitally scanning each document and uploading the documents to a shared folder or sending the scanned document by email.

You should also ask your supplier which records are already available digitally. You can expect all of the quality system procedures to be available in digital formats, but many records may already be available electronically as well. For example, purchase orders, quality system certificates, drawings, and blank forms should be available in digital format. In a supplier audit, you typically will focus on a subset of the quality system records that are related to production process controls, purchasing, incoming inspection, shipping, and control of the nonconforming product. Asking your supplier which of these records are available in digital format will help you determine which records you need to request from the supplier in advance and which records can be requested on-demand.

How to obtain our supplier questionnaire template (FRM-004)

If you are interested in purchasing our supplier questionnaire template, FRM-004, it is included with the purchase of our supplier qualification webinar. If you think of any new questions to add to this template, please email me at Just put “FRM-004 Suggestion” in the subject line.

Posted in: ISO Auditing, Supplier Quality Management

How to get ISO 13485 certified, time for success?

In this article, you will learn how to get ISO 13485 certified, and you will be successful while avoiding the stress that tortures other quality managers.


There is a big difference between being ISO 13485 certified and being compliant with ISO 13485:2016, the medical devices quality management systems standard. Anyone can claim compliance with the standard. Certification, however, requires that an accredited certification body has followed the requirements of ISO 17021:2015, and they have verified that your quality system is compliant with the standard. To maintain that certification, you must maintain your quality system’s effectiveness and endure both annual surveillance audits and a re-certification audit once every three years.

Step 1 – Planning for ISO 13485 certification

There are six steps in the ISO 13485 certification process, but that does not mean there are only six tasks. The first step in every quality system is planning. Most people refer to the Deming Cycle or Plan-Do-Check-Act (PDCA) Cycle when they describe how to implement a quality system. However, when you are implementing a full quality system, you need to break the “doing” part of the PDCA cycle into many small tasks rather than one big task. You also can’t implement a quality system alone. Quality systems are not the responsibility of the quality manager alone. Implementing a quality system is the responsibility of everyone in top management.

Below you will find nine tasks listed. I did NOT identify these nine tasks as “Steps” in the ISO 13485 certification process, because these tasks are typically repeated for each process in your quality system. Most quality systems are implemented over time, and the scope of the quality system usually grows. Therefore, you are almost certain to have to perform all of the following nine tasks multiple times–even after you receive the initial ISO 13485 certification. As the saying goes, “How do you eat an elephant? One bite at a time.” Therefore, avoid the inevitable heartburn caused by trying to do too much at one time. Implement your quality system one “bite” at a time.

Task 1 – Purchase applicable standards

The first task in implementing an ISO 13485 quality system is to purchase a copy of the ISO 13485:2016 standard, such as the MDSAP Companion Document. You will also need other applicable medical device standards. Some of these standards are general standards that apply to most, if not all, medical devices, such as ISO 14971:2019 for risk management. There are also guidance documents that explain how to use these general standards, such as ISO/TR 24971:2020, guidance on how to apply ISO 14971:2019. Finally, there are testing standards that identify testing methods and acceptance criteria for things such as biocompatibility and electrical safety. You will need to monitor these standards for new and revised versions. When these standards are updated, you will need to identify the revised standard and develop a plan for addressing the changes.

When you purchase a standard, be sure to buy an electronic version of the standard so you can search the standard for keywords efficiently. You should also consider purchasing a multi-user license for the standard because every manager in your company will need to look up information in the standard. Alternatively, you could buy a paper copy of the standard and locate the standard where everyone in your company can access it. Often I am asked what the difference is between the EN version of the standard and the ISO version of the standard. “EN” is an abbreviation meaning European Standards or “European Norms,” which is based upon the literal translation from the French (i.e., “normes”) and German (i.e., “norm”) languages. “ISO” versions are international standards. In general, the body of the standard is typically identical, but harmonized EN standards for medical devices include annexes ZA, ZB, and ZC that identify any deviations from the requirements in three medical device directives (i.e., MDD, AIMD, and IVDD).

Task 2 – Identify which processes are applicable

Clause 1 of ISO 13485 is specific to the scope of a quality system. ISO 9001, the general quality system standard, allows you to “exclude” any clause from your quality system certification. However, ISO 13485 will only allow you to exclude design controls (i.e., clause 7.3). Other clauses within ISO 13485 may be identified as “non-applicable” based upon the nature of your medical device or service. You must also document the reason for non-applicability in your quality manual. Typically, the following clauses are common clauses identified for non-applicability:

  1. Clause 4.1.6 – quality system software
  2. Clause 6.4 – work environment
  3. Clause 7.5.2 – cleanliness of the product
  4. Clause 7.5.3 – installation
  5. Clause 7.5.4 – servicing
  6. Clause 7.5.5 – sterile devices
  7. Clause 7.5.6 – process validation
  8. Clause 7.5.7 – sterilization validation
  9. Clause – implantable devices
  10. Clause 7.5.10 – customer property
  11. Clause 8.3.4 – rework

Task 3 – Assign a process owner to each process 

The third task is to assign a process owner to each of the processes in your quality system. Typically, you create a master list of each of the required processes. Usually, the assignments are made to managers in the company who may delegate some or all of a specific process. You should expect most managers to be responsible for more than one process because there are 28 required procedures in ISO 13485:2016, but most companies have fewer than ten people when they first implement a quality system.

Task 4 – Prioritize and schedule the implementation of each process

The fourth task is to identify which processes need to be created first and to schedule the implementation of procedures from first to last. You can and should build flexibility into the schedule, but some procedures are needed at the beginning. For example, you need document control, record control, and training processes to manage all of your other procedures. You also need to implement the following processes to document your Design History File (DHF): 1) design controls, 2) risk management, 3) software development (if applicable), and 4) usability. Therefore, these represent the seven procedures that most companies will implement as early as possible. Procedures such as complaint handling, medical device reporting, and advisory notice procedures are usually reserved for last. These procedures are last because they are not needed until you have a medical device in use.

Task 5 – Create forms, flowcharts, and procedures for each process

Forms create the structure for records in your quality system, and a well-designed form can reduce the need for lengthy explanations in a procedure or work instruction. Therefore, you should consider developing forms first. The form should include all required information that is specified in the applicable standard or regulations, and the cells for that information should be presented in the order that the requirements are listed in the standard. You might even consider numbering the cells of the form to provide an easy cross-reference to the corresponding section of the procedure. Once you create a form, you might consider creating a flowchart next. Flowcharts provide a visual representation of the process. You might consider including numbers in the flowchart that cross-reference to the form as well.

Once you have created a form and a flowchart, you are now ready to write your quality system procedure. Many sections are typically included in a procedure template. It is recommended that you use a template to ensure that none of the basic elements of a procedure are omitted. You might also consider adding two sections that are uncommon to a procedure: 1) risk analysis of the procedure with the identification of risk controls to prevent risks associated with the procedure, and 2) a section for monitoring and measurement of the process to objectively measure the effectiveness of the process. These metrics are the best sources of preventive actions, and some of the metrics might be potential quality objectives to be identified by top management. 

Task 6 – Perform a gap analysis of each procedure

Most companies rely upon internal audits to catch any missing elements in their procedures. However, audits are intended to be a sampling rather than a 100% comprehensive assessment. Therefore, when a draft procedure is being reviewed and approved for the first time, or a major re-write of a procedure is conducted, a thorough gap analysis should be done before the approval of the draft procedure. Matthew Walker created an article explaining how to conduct a gap analysis of procedures. In addition, Matthew has been gradually adding cross-references to ISO 13485:2016 requirements in each procedure. He is color-coding the cross-referenced clauses in blue font as well. This makes it much easier for auditors to verify that a procedure is compliant with the regulations with minimal effort. The success of these two methods has taught us the importance of conducting a gap analysis of all new procedures.

Task 7 – Train applicable personnel for each process 

You are required to document the training requirements for each person or each job in your company. Documentation of training requirements may be in a job description or within a procedure. In addition to defining who should be trained, you also need to identify what type of training should be provided. We recommend recording your training to ensure that future employees receive the same training. This will ensure consistency. You are also required to maintain records of the training. You must verify that training was effective, and you need to check that the person is competent in performing the tasks. This training may require days or weeks to complete. Therefore, you may want to start training people several weeks before your procedure is approved. Alternatively, you can swap the order of tasks and conduct training after the procedure approval. If that approach is taken, then the procedure should indicate the date the procedure becomes effective–typically 30 days after approval to allow time for training.

Task 8 – Approve the procedure 

Approval of a procedure may be accomplished by signing and dating the procedure itself, while another approach is to create a document that lists all the procedures and forms being approved at one time. The second method is the method we use in our turn-key quality system. Companies can review and approve as many procedures at one time as they wish. Since this process needs to be defined to ensure that all of the procedures you implement are approved, the document control process is typically the first procedure that companies will approve in a new quality system. The second procedure generally is for control of records. Then the next procedures implemented will typically be focused on the documentation of design controls: design controls, risk management, usability testing, and software development. The last procedures to be approved are typically complaint handling, medical device reporting, and recalls. These procedures are left for last because you don’t need them until you are selling your medical device.

Task 9 – Start using the procedure and generating records

The last task required for the implementation of a new quality system is to start using the procedures to generate records. All of the procedures will need records before the process can be verified to be effective. Records can be paper-based, or the records can be electronic. Whichever format you use for the record retention needs to be communicated to everyone in the company through your Control of Records procedure and/or within each procedure. If you include the information in each procedure, the records of each procedure should be listed in the procedure, and the location where those records are stored should be identified. Generally, there is no specific minimum number of records to have for a certification audit, but you should have at least a few records for each process that you implement.

Step 2 – Conducting your first internal audit

The purpose of the internal audit is to verify the effectiveness of the quality system and to identify nonconformities before the certification body auditor finds them. To successfully achieve this secondary objective, it is essential to have a more rigorous internal audit than you expect for the certification audit. Therefore, the internal audit should be of equal duration or longer in duration than the certification audit. The internal audit should not consist of a desktop review of procedures. Reviewing procedures should be part of gap analysis (i.e., task 6 above) that is conducted on draft procedures before they are approved. Internal audits should utilize the process approach to auditing, and the auditor should apply a risk-based approach (i.e., focus on those processes that are most likely to contribute to the nonconforming products, result in a complaint, or cause severe injuries and death).

After your internal audit, you will receive an internal audit report from the auditor. You should also expect findings from the internal auditor, and you should expect opportunities for improvement (OFI) to be identified. Experienced auditors can typically identify the root cause of a nonconformity more quickly than most process owners. Therefore, it is recommended for each process owner and subject matter expert to review nonconformities with the auditor and discuss how the nonconformity should be investigated. The root cause must be correctly identified during the CAPA process, and the effectiveness check must be objective to ensure that problems do not recur.

Step 3 – Initiating corrective actions

Corrective actions should be initiated for each internal audit finding immediately, to make sure the findings are corrected and prevented from recurring before the Stage 1 audit. It will take a minimum of 30 days to implement most corrective actions. Depending upon the scheduling of the internal audit, there may not be sufficient time to complete the corrective actions. However, you should at least initiate a CAPA for each finding, perform an investigation of the root cause, and begin to implement corrective actions.

In addition to taking corrective actions related to internal audit findings, you should look for corrective actions from other sources. The diagram below shows several different sources of potential corrective and preventive actions.

[Figure: Risk-based CAPA process diagram]

Monitoring and measuring of each process is the best source of preventive actions, while internal audits are typically the best source of corrective actions.  Any quality problems identified during validation are also excellent sources of corrective actions because the validation can be repeated as a method of demonstrating that the corrective actions are effective. However, your ISO 13485 certification auditor will focus on non-conforming products, complaints, and service as the most critical sources of corrective actions. These three sources are prioritized because these three sources have the greatest potential for resulting in a serious injury, death, or recall if corrective actions are not implemented to prevent problems from recurring.

Step 4 – Conducting your first management review 

In addition to completing a full quality system audit before your stage 1 audit, you are also expected to complete at least one management review. To make sure that you have inputs for each of the 12 requirements in the ISO 13485:2016 standard, it is recommended to conduct your management review only after you have completed your full quality system audit and initiated some corrective actions. If possible, you should also conduct supplier audits for any contract manufacturers or contract sterilizers. It is recommended to use a template for that management review that is organized in the order of the required inputs to ensure that none of the necessary inputs are skipped. Quality objectives will need to be established long before the management review so that the top management team has sufficient time to gather data regarding each of the quality objectives. Also, you should consider delegating the responsibility for creating the various slides for each input to different members of top management. This will ensure that everyone invited to the meeting is engaged in the process, and it will spread the workload for meeting preparation across multiple people.

At the end of the meeting, top management will need to create a list of action items to be completed before the next management review meeting. Meeting minutes will need to be documented for the meeting, including the list of action items and each of the four required outputs of the management review process. We recommend using the notes section of a presentation slide deck to document the meeting minutes related to each slide. Then the slide deck can be converted into notes pages and saved as a PDF. The PDF notes pages will be your final meeting minutes for the management review. An example of one of these notes pages is provided in the figure below.

[Figure: Example of a meeting minutes notes page printed to PDF]

One of the more common non-value-added findings by auditors is when an auditor issues a nonconformity because you do not have your next internal audit and your next management review scheduled–even though each may have occurred only a month prior to the Stage 1 audit. Therefore, we recommend that you document your next 12-month cycle for internal audits and schedule your next management review as action items in every management review meeting. The schedule can be adjusted if needed, but this allows top management to emphasize various areas in internal audits that may need improvement. You might even set a quality objective to conduct a minimum of three management reviews per year at the end of your first management review.

Step 5 – Stage 1, Initial ISO 13485 Certification Audit

In 2006, the ISO 17021 Standard was introduced for assessing certification bodies. This is the standard that defines how certification bodies shall go about conducting your initial certification audit, annual surveillance of your quality system, and the re-certification of your quality system. In the past, certification bodies would typically conduct a “desktop” audit of your company before the on-site visit to make sure that you have all the required procedures. However, ISO 17021 requires that certification bodies conduct a Stage 1 audit that assesses the readiness of your company before conducting a Stage 2 audit. Therefore, even if the Stage 1 audit is conducted remotely, the certification body is expected to interview process owners and sample records to verify that the quality system has been implemented. Certification body auditors will also typically verify that your company has conducted a full quality system audit and at least one management review. Finally, the auditor will usually select a process such as corrective action and preventive action (CAPA) to make sure that you are identifying problems with the quality system and taking appropriate measures to address those problems.

Your goal for the Stage 1 audit should not be perfection. Instead, your focus is to make sure that there are no “major” nonconformities. The term “major” used to have a specific definition:

  1. Absence of a documented procedure or process
  2. Release of nonconforming product
  3. Repeat nonconformities (not possible during a Stage 1)

Under the MDSAP, nonconformities are now graded using a numbering system: “Nonconformity Grading System for Regulatory Purposes and Information Exchange Study Group 3 Final Document GHTF/SG3/N19:2012.” Any nonconformity is graded on a scale of one to four, and then two potential escalation rules are applied. If any nonconformities are graded as a “4” or a “5,” then the auditor must assess whether a five-day notice to Regulatory Authorities is required. A five-day notice is required in either of the following situations: 1) one or more findings graded as “5”; or 2) three or more findings graded as “4.” If your Stage 1 audit results in a five-day notice, then you are not ready for your Stage 2 audit. For example, a complete absence of two required procedures in clauses 6.4 through 8.5 of ISO 13485:2016 would result in two findings with a grading of “4.” This would not result in a five-day notice, but the absence of a third required procedure would result in a five-day notice.

The duration of your Stage 1 audit will be one or two days, but a 1.5-day audit is quite common for MDSAP Stage 1 audits. The reason for the 1.5-day Stage 1 audit is that it is challenging to assess readiness for Stage 2 in one day, and if the total duration of Stage 1 and Stage 2 is 5.5 days, then the Stage 2 audit could be completed in four days. The four-day audit is more convenient than a three-day audit for a two-person audit team.

After your Stage 1 audit, you will receive an audit report, and you should expect findings. You should initiate corrective actions for each finding immediately, to make sure the findings are corrected and prevented from recurring before the Stage 2 audit. The duration between the audits is typically about 4-6 weeks. That does not leave much time for you to initiate a CAPA, perform an investigation of the root cause, and implement corrective action. At a minimum, you must submit a corrective action plan for each finding to your MDSAP auditing organization (AO) within 15 calendar days of receiving the finding. For any findings graded as a “4” or higher, you will need to provide evidence of implementing the corrective action plan to the AO within 30 calendar days of receiving the finding. You are also unlikely to have enough time to conduct an effectiveness check prior to the Stage 2 audit.

Step 6 – Stage 2, Initial ISO 13485 Certification Audit

The Stage 2 initial ISO 13485 certification audit will verify that all regulatory requirements have been met for any market you plan to distribute in. The auditor will complete an MDSAP checklist that includes all of the regulatory requirements for each of the countries that recognize MDSAP: 1) the USA, 2) Canada, 3) Brazil, 4) Australia, and 5) Japan. The auditor will also sample records from every process in your quality system to verify that the procedures and processes are fully implemented. This audit will typically be at least four days in duration unless multiple auditors are working in an audit team.

The audit objectives for the Stage 2 ISO 13485 certification audit specifically include evaluating the effectiveness of your quality system in the following areas:

  1. Applicable regulatory requirements
  2. Product and process-related technologies
  3. Technical documentation

All procedures will be reviewed for compliance with ISO 13485:2016 and the applicable regulations. The auditor will also sample records from each process. If the auditor identifies any nonconformities during the audit, it is important to record the findings and begin planning corrective actions immediately. If you have any questions regarding the expectations for the investigation of the root cause, corrections, corrective actions, and effectiveness checks, you should ask the auditor during the audit or the closing meeting. At a minimum, you must submit a corrective action plan for each finding to your MDSAP auditing organization (AO) within 15 calendar days of receiving the finding. For any findings graded as a “4” or higher, you will need to provide evidence of implementing the corrective action plan to the AO within 30 calendar days of receiving the finding. The auditor will not be able to recommend you for ISO 13485 certification until your corrective action plans are accepted.

If you receive a finding with a grading of “5,” or three or more findings graded as “4,” then the MDSAP auditor is required to issue a five-day notification to the regulators. The auditor will also need to return to your facility for a follow-up audit to close as many findings as they can. It is not necessary to eliminate all of the findings in order to be recommended for ISO 13485 certification, but the grading of the findings must be reduced to at least a “3” before recommending the company for certification. The number of findings also determines whether the auditor recommends your company for certification.

In addition to reviewing the findings and conclusions of the audit during the closing meeting, the auditor will also review the plan for the annual surveillance and re-certification with you. Each certification cycle is three years in duration. There will be two surveillance audits of approximately one-third the duration of the combined duration of stage 1 and stage 2 initial certification audits, and the first surveillance audit must be completed within 12 months of the initial certification audit. In the third year, there will be a re-certification audit for two-thirds of the duration of the combined duration of stage 1 and stage 2 initial certification audits. The initial ISO 13485 certificate will be issued with a three-year expiration, and the certificate is typically received about one month after the acceptance of your corrective action plan.


Posted in: ISO Certification


How to avoid the most common supplier evaluation mistakes

The focus of this article is on the process of supplier evaluation and re-evaluation for medical device companies and how to document your evaluations.

You have several suppliers today, but did you have a rigorous supplier evaluation process when you first hired those suppliers? If your business is going to be successful, you need to treat your supplier evaluation process as a critical strategic process. Supplier qualification is more important than the hiring of any senior manager. ISO 13485:2016 requires you to have a procedure for supplier evaluation and re-evaluation, but the type and extent of your supplier controls are not specified.

Which of your suppliers are critical or crucial?

Crucial suppliers were defined in a draft policy published by the European Commission as part of the introduction of the requirement for unannounced audits. Essential suppliers make a component or subassembly that is high-risk, or your firm cannot easily purchase the component or subassembly from another supplier. Critical suppliers for medical device manufacturers fall into one of three categories: 1) a contract manufacturer, 2) a contract sterilizer, or 3) a contract packager or labeler. These three types of suppliers may be selected for unannounced audits by a Notified Body. The FDA also requires these three categories of suppliers to register their facility.

Should you establish other supplier evaluation categories?

The short answer is no. The purpose of categories is to ensure that a large number of suppliers are consistently managed. Instead, try reducing the number of suppliers you are managing. Give your best suppliers more work, and fire the worst suppliers. If a component is “single-source,” encourage another supplier to quote that business before you look for a new supplier. You should take the time to evaluate each supplier thoroughly. If you don’t have the supply chain resources to do this, then you have three choices: 1) hire another person to help manage your supply chain, 2) fire suppliers that are not meeting your requirements, or 3) replace the weakest member of your supply chain team.

How do you re-evaluate existing suppliers now?

There are a lot of possible answers to this question, but unfortunately, the most common answer is, “because that’s who we’ve always used.” This practice, referred to as “grandfathering,” is a horrible approach to supplier re-evaluation. Suppliers that miss your requested delivery dates and suppliers that ship nonconforming product should be required to implement supplier corrective actions immediately. You need to follow up on these corrective actions and verify that the corrective actions were effective. If the corrective actions are not effective, or if new supplier issues occur, then you should find an alternate supplier as soon as possible.

Another stupid reason for selecting a supplier is “because they were the lowest bidder.” There’s an old government contracting joke about this strategy. It sounds something like this, “a million mission-critical parts, designed by engineers that have no clue what the real world is like, built by the lowest bidder, and inspected by a bureaucrat that can be bribed with a bottle of wine and some prime rib.” I tend to discount the quality of the lowest bidder every time. I always wonder what they forgot to consider when they bid on the job. If the lowest bidding supplier can explain why they have an inherent advantage over their competition, then maybe you should consider hiring them. If there is no rational reason why a supplier’s pricing is below their competition, this usually means that the supplier is desperate, or they plan to increase their pricing after you are a customer.

What should be your supplier evaluation and re-evaluation criteria?

All medical device suppliers should have a quality system, but ISO certification is not required. Therefore, if a supplier has ISO 13485 certification, you might abbreviate your initial supplier qualification process. However, ISO 13485 certification should have minimal impact upon your on-going supplier evaluation process. You need to know how well your supplier’s quality system is being maintained. If your supplier is sharing copies of their annual surveillance audits and FDA inspection reports with you, this will give you a better indication of the quality system effectiveness.

Consider performing supplier audits for supplier evaluation

Although it is not required, the best way to evaluate the effectiveness of a supplier’s quality system is to perform a supplier audit. Specifically, you should focus on the processes that are directly related to your product or component. Production process controls and final inspection are the most critical areas to audit. Other areas that are important to consider for supplier audits are 1) incoming inspection, 2) purchasing controls, 3) shipping, and 4) control of nonconforming materials. Conducting a supplier audit using the process approach is the most effective method. The process approach method of auditing will ensure that document control, record control, calibration, process validation, and training are sampled as support processes. The supplier audits may also be conducted as on-site audits or remote audits.

Certificate of Conformity (CoC) vs. Certificate of Analysis (CoA)

Another supplier evaluation criterion should be product conformity. You should be reviewing more than whether your supplier shipped the correct product and the correct quantity. Did your supplier provide a Certificate of Analysis (CoA) that summarized the inspection methods, acceptance criteria, and the inspection results? Or do you verify that a Certificate of Conformity (CoC) was included and accept the lot you received? If your company is only receiving a CoC from a supplier, you should be sampling the product at incoming inspection and verifying that the product conforms with your requirements. Even if the supplier is providing a CoA, you should still perform periodic sampling and inspection of the product to make sure the CoA provided matches the actual product you are receiving.

Consider improving your supplier questionnaires

If your company is requesting that suppliers complete supplier questionnaires, make sure that you are asking the most relevant questions. You need to know if your supplier can support remote audits. You need to know if there have been any significant changes to the quality system. You need to know if the company has had any significant nonconformities resulting from certification body audits. You need to know if there have been FDA inspections and what the results of the inspections were. You should also be obtaining monitoring and measurement data related to process conformity and product conformity. Asking your supplier to identify any shutdown periods or planned renovations is a required input for critical and crucial suppliers for CE Marked medical devices subject to unannounced audits. You should also ask your supplier to update the names, titles, and contact information for key management personnel. Would you like a copy of our supplier questionnaire?


What should you be doing to address the Covid-19 pandemic?

As a consequence of the Covid-19 pandemic, many suppliers have had significant disruptions to their supply chains, workforce availability, and transportation vendors. Since many medical device products are urgently needed during this pandemic, it is important to ask suppliers to provide a summary of their current situation and any analysis they have done to assess potential risks that could disrupt your supply chain. Does your supplier have adequate personal protective equipment (PPE)? What types of precautions are being taken to ensure that employees don’t exhibit symptoms of Covid-19 illness? Does your supplier have a policy for self-quarantining if an employee is exposed to someone who has the virus? Does your supplier have a disaster recovery plan?

Consider using size for supplier evaluation

Bigger is not always better. If you are a small customer of a large supplier, your needs will seldom be important to your supplier. Alternatively, if your company is much larger than your supplier, your supplier may not have the resources to grow with you and keep up with your current demand. When you are initially qualifying suppliers, try to select suppliers that are approximately the same size as your company or slightly larger. You should also consider identifying more suitably sized suppliers if you have a significant size mismatch or one develops over time.

What if you don’t have the resources to evaluate your suppliers?

Supplier evaluation and re-evaluation is a strategic function that impacts your profits and your ability to deliver product on time to your customers, and nonconforming product can tarnish your company’s reputation. Therefore, your company needs to invest resources to analyze your supply chain. You should have suppliers that have excellent quality and suppliers that will encourage your company to improve. Are there best practices you can learn from your suppliers? Is your supplier able to help you manage your inventory? Can your suppliers help you solve production problems? Supplier evaluation should only be secondary in importance to your design process and post-market surveillance. As they say, “garbage in equals garbage out.”

Do you need additional training on supplier evaluation?

On June 25, 2020, at 11 am EDT, we are hosting a live webinar on how to qualify your suppliers. In this webinar, you will learn how to qualify new suppliers even if they don’t have ISO certification and best practices in supplier evaluation. We will be sharing a new supplier questionnaire that includes questions to help you assess whether a supplier is capable of supporting remote audits. We will help you develop a strategy for the allocation of supply chain personnel, and show you how to convince top management to prioritize supplier audits.

Posted in: Supplier Quality Management


How to apply a risk-based auditing approach to audits and remote audits

In this article, you will learn what risk-based auditing is, and how to apply a risk-based approach to auditing and remote supplier audits.


Risk-based auditing considers the risks of failing to achieve audit objectives and the opportunities created by choosing various audit methods and strategies. For example, if you are conducting your first internal audit for a new quality system, a desktop audit of procedures might be appropriate. Alternatively, if you are auditing a mature quality system where very few changes to procedures have been made in the past year, a desktop audit would be a waste of time, and using the element approach to auditing is unlikely to add much value. Audits are meant to be a sampling. Therefore, you should focus on areas of importance, areas where previous nonconformities were identified, any new products or processes, and anything that changed significantly. 

The risk-based auditing approach is the most significant change in ISO 19011:2018

One of the main differences between ISO 19011:2018 and the previous 2011 version is the addition of a “risk-based approach” to the principles of auditing. Specifically, clause 4(g) of the guidelines for auditing management systems is, “The risk-based approach should substantively influence the planning, conducting and reporting of audits to ensure that audits are focused on matters that are significant for the audit client, and for achieving the audit program objectives.” A lot of people are unsure of what is meant by a risk-based approach, but the key to understanding this is to focus on the definition of risk. From a product perspective, the risk is the “combination of the probability of occurrence of harm and the severity of that harm.” From a process perspective, the risk is the “effect of uncertainty on an expected result” (ISO 9001:2015, clause 3.09). Therefore, auditors should emphasize medical devices that present the highest severity of harm and any devices that have a high probability of hazards or hazardous situations occurring. When an auditor is focusing on a process, rather than a specific medical device, auditors should emphasize any processes that are not under control and any recent process changes.

Auditor selection should also be risk-based

If you are conducting a supplier audit as part of your initial supplier qualification for a critical component supplier or contract manufacturer, you should consider doing a team audit with a multi-disciplinary team. This is a risk-based approach to the supplier qualification process, which ensures that you have subject matter experts evaluating each process instead of auditors with a general quality assurance background. This approach also forces more of your personnel to introduce themselves to the new supplier, and the audit will develop more reliable communication channels between your two companies. Alternatively, if you are conducting a routine internal audit of a production process, you might select a new lead auditor to conduct the audit. You don’t expect any significant findings in a routine internal audit of an established production process. In your role as an audit program manager, you need to match the new lead auditor to a process that will force them to look at all aspects of the process approach to auditing. Specifically, process validation, calibration, maintenance, and process monitoring are areas that may not apply to other administrative process areas such as purchasing.

Risk-based auditing should influence your auditing schedule.

The frequency of auditing suppliers and internal process areas should reflect the associated risks. Therefore, when you create or update your auditing schedule, you should consider the risk level of products being audited and the process being audited. Production processes with a moderate or high level of non-conforming products may need to be audited more than once per year. In contrast, a supplier with an excellent track record of extremely high quality and on-time delivery may be audited on alternating years. If you previously scheduled a remote audit, you may want to alternate to conducting an on-site audit the next time.

The duration of your audits should not always be the same either. If one production process makes one product in low-volume, and another production process makes multiple products in high-volume, you should not schedule a two-hour internal audit for both processes every year. The low-volume production process may only need a one-hour audit once per year. In contrast, the high-volume process may require a four-hour internal audit or multiple audits each year.

Risk-based auditing applied to remote supplier auditing.

The risk-based auditing approach was added to ISO 19011:2018 as the seventh principle of auditing. This represents the most significant change to that standard, but how does it apply to remote auditing? Despite the opportunities created by remote supplier auditing, there are also risks associated with auditing suppliers remotely. Most people worry about auditees hiding hazardous situations or unacceptable environmental conditions such as filth or disrepair. However, unacceptable cleanliness and maintenance practices don’t happen overnight. Therefore, you should expect a clean and well-maintained facility to remain that way. One approach is to alternate between remote and on-site audits to verify the overall condition of a supplier’s facility. Therefore, the risk of auditees hiding objective evidence is more an issue of trust than a highly probable occurrence.

The more probable risks associated with remote auditing are related to the potential lack of availability of records. This is especially important for paper-based quality systems. Most people try to address this risk by scanning paper documents and records, but scanning documents has limited value. Scanning paper documents is more efficiently performed in a large batch by an automated or semi-automated process. Also, auditors and inspectors typically focus on the most recent records, and auditors and inspectors rarely sample 100% of the records. Therefore, the best risk controls include:

  • Ask a guide to send a digital picture of the record.
  • Use a tripod-mounted HD webcam focused on a music stand or similar surface.
  • Ask the auditee to read the document while you take notes.

In our experience, you will probably rely on all three risk controls, but it is unlikely to delay the audit. However, in response to the limited physical access to medical device facilities and personnel, certification bodies are sending out questionnaires to assess the risk of being unable to achieve audit objectives or cover the required scope of surveillance and recertification audits. As the audit program manager, you can reduce these risks by working with supply chain managers to develop new supplier questionnaires that specifically ask questions about the capability of supporting audits remotely. In particular, it would be important to obtain facility maps to identify areas with inadequate cellular coverage and identification of records that are only available in hardcopy format.


Posted in: Auditing, Remote Auditing


Plague Doctor’s Scary Guide – Available for Pre-Order

The “Plague Doctor’s Scary Guide to Remarkable Remote Quality Audits” by Matthew C. Walker and Robert V. Packard is now available for pre-order from Amazon ($5 pre-order discount until August 28, 2020).


Book Description for “Plague Doctor’s Scary Guide to Remarkable Remote Quality Audits”

Remote quality audits can be remarkable. Remote audits don’t have to be an 8-hour Zoom meeting marathon that causes deep vein thrombosis. You don’t need a box of adult diapers either. We can teach you a better way. Unfortunately, today on-site quality audits have become scary adventures into a plague-infested world. Most people describe auditing as more boring than Ferris Bueller’s homeroom teacher. Your top management deeply disdains to participate in quality audits, and most CEOs cannot be bothered to show up for an opening meeting unless an FDA inspector is present. Today we are faced with a global viral pandemic that has transformed on-site auditing from a necessary evil to a positively scary and potentially dangerous job.

Ok, maybe I’m just dramatic. Perhaps it is not so “scary” to hop on a plane to conduct an on-site audit. After all, how many people die in conference rooms, excluding death from boredom? Maybe you always wanted to perform quality audits remotely to eliminate the cost of travel expenses. Remote audits are especially attractive for supplier audits on the other side of the world. After all, who looks forward to a 14-hour direct flight from JFK to Seoul? The biggest challenge in changing your audit process from an on-site audit to a remote audit is that you need to convince top management, your certification body, and the next FDA inspector that remote quality audits are just as effective as an on-site audit.

Quality audits can be a remarkable value-added activity. Still, I don’t think you will learn how by reading the mighty 645-page tome on value-added auditing that was written by another indie author published on Amazon. You need to stop using the element approach and learn to conduct audits using the process approach instead. You also need to make better use of the subject-matter experts in your company. They can help you audit a specific process if you teach them how, but they are not joining you on that 14-hour flight. You need to start using remote auditing techniques to get engineers involved in the auditing of areas they know better than you do.

It might not be possible to convince a design engineer to learn to be a lead auditor, but you can teach them to be capable audit team members for 90 minutes. Your design engineer can be an audit team member from the safety of their home at 8 pm on a Tuesday when it’s 9 am in Seoul on Wednesday morning. Let us teach you and the other engineers in your company how to conduct effective remote quality audits, and we will keep you safe.

I know you will say there is just one problem. How will you convince your boss? Well, you could mention the thousands of dollars you will save on travel costs. You could suggest using those 28 hours of flight time to do something more important than trying to sleep on the “Redeye” Korean Air flight. You could also say that it will be infinitely easier to coordinate five 90-minute Zoom meetings with your supplier than scheduling one full-day audit in Korea.

Covid-19 has changed the world as we know it. Your approach to auditing must change with it, or people will die. Buy the book now, because I guarantee changing your audit approach will save you money, changing will improve the quality of your audits, and changing might save the life of someone on your audit team.

Matthew Walker is the creative genius behind the “Plague Doctor’s Scary Guide to Remarkable Remote Auditing.” Matthew and Rob Packard just finished creating a new lead auditor course for a significant US non-profit training organization. Matthew’s job is to help clients implement new quality systems for ISO 13485 certification. He is the gap analysis guru for the consulting firm, and he is continuously updating quality system procedures. Matthew is a gifted writer. His delightful sarcasm and satire will entertain you while you read about the most boring topic on planet earth.

Rob Packard was the instructor in 12 different lead auditor courses for 100+ lead auditors in total. He was a certified lead auditor for CE Marking, CMDCAS, ISO 13485, and ISO 14971. He was director of quality, and the audit program manager, for four different medical device companies. Rob now owns and operates a successful regulatory and quality system consulting firm with six full-time employees, and 100% of the employees work remotely.

Other Information

Our first book was “How to Prepare Your 510(k) in 100 Days.” The book was only made available to attendees of our 510(k) courses in Amsterdam and Las Vegas. We also made a PDF version available to people who purchased our 510(k) templates and 510(k) webinar series.

This new book, the “Plague Doctor’s Scary Guide to Remarkable Remote Auditing,” was the idea of Matthew Walker and is being co-authored by Matthew Walker and Rob Packard. The target length is 25,000 words, but we are likely to exceed that. The content will be organized in the order of the ISO 19011:2018 standard.

Sean Gardner is the artist that is creating the book cover design for the Plague Doctor’s Scary Guide. He specializes in dark, scary images with swirls of magic. The above picture is a draft for the cover art (tell us what you think). He is a talented caricaturist and tattoo artist that works at Helheim Gallery in Salem, MA.

We are also kicking off the project with a blog series specific to remote auditing techniques:

  1. Changes triggered by COVID19 in your quality system – May 2
  2. Remote audit opening meeting – 4 changes – May 12
  3. Audit team communications – May 19
  4. Remote audit resources – software and hardware tools – May 26
  5. How to apply a risk-based auditing approach to audits and remote audits – June 2
  6. How to make a supplier questionnaire for remote auditing – June 25
  7. Remote audit duration less than 90 minutes – June 30
  8. Remote auditing work instruction – July 14
  9. Planning partial remote audits – July 21
  10. Remote audit invitations – 4 things to remember – August 4
  11. Training new audit team members and lead auditors – August 11

Five (5) new webinars planned on related topics:

  1. Opening Meetings Webinar (free) – May 14, 2020
  2. Audit team communication during a remote audit (free) – June 4, 2020
  3. How to qualify your suppliers webinar (pre-order by June 1) – June 25, 2020
  4. Remote auditing techniques webinar (pre-order by July 1) – July 16, 2020
  5. MDSAP Certification Body Interviews (free) – August 6, 2020

Posted in: Remote Auditing
