Blog

Root cause analysis – Learn 4 tools

The author describes four tools (Five Why Analysis, Is/Is Not Analysis, Fishbone Diagram, and Pareto Analysis) and how each one can help conduct effective root cause analysis.

Quality problems are like weeds. If you don’t pull them out by the root, they grow right back.

Training on the 4 Tools

Most companies are doomed to repeat their mistakes because the root cause of their mistakes is not fixed. Why don’t companies fix their mistakes? Because the people responsible for the corrective actions (CAPA), were not adequately trained on root cause analysis. Adequate training on root cause analysis requires three things:

  1. Courage to admit that your process is broken
  2. Learning more than one tool for analyzing problems
  3. Practicing the use of root cause analysis tools

If your auditor identifies a nonconformity and you disagree with the finding, then you should not accept the finding and state your case. If an inspector rejects a part, and you believe the part is acceptable, then you should allow the part to be used “as is.” In both of these cases, however, you need to be very careful. Sometimes the problem is that “acceptable” is not as well-defined as we thought. I recommend pausing a moment and reflecting on what your auditors and inspectors are saying and doing. You may realize that you caused the problem.

Once you have accepted that there is a problem, you need to learn how to analyze the problem. There are five root cause analysis tools that I recommend:

Root Cause Analysis Tool # 1 – 5 Why Analysis

A “Five Why Analysis” is not just five questions that begin with the word “why.” Taiichi Ohno is credited with institutionalizing the “Five Why Analysis” at Toyota as a tool to drill down to the root cause of a problem by asking why five times. I have read about this, used this tool, and taught this concept to students, but I learned of a critical instruction that I was missing when I read Toyota Under Fire.

In that book, Jeff Liker makes the following statement, “Toyota Business Practices dictates using the ‘Five Whys’ to get to the root cause of a problem, not the ‘Five Whos’ to find a fire the guilty party.” At the end of the book, there are lessons learned from Toyota’s experience. Lesson 2 says, “There is no value to the Five Whys if you stop when you find a problem that is outside of your control.” If your company is going to use this tool, it is important that the responsible person is the one performing the five why analysis, and asks why they didn’t take into account forces that are out of their control.

5 why analysis for root cause analysis 1024x700 Root cause analysis   Learn 4 tools

Root Cause Analysis Tool # 2 – Is/Is Not Analysis

The next tool was presented to me at an AAMI course that I attended on CAPA. One of the instructors was from Pathwise, and he explained the “Pathwise Process” to us for problem-solving. A few years later, I learned that this tool is called the “Is/Is Not Analysis.” This tool is intended to be used when you are having trouble identifying the source of a problem. This method involves asking where the problem is occurring as a potential clue to the reason for the problem. For example, if the problem only occurs on one machine, you can rule out a lot of possible factors and focus on the few that are machine-specific.

The reverse approach is also used to help identify the cause. You can ask where the problem is not occurring. This approach may also lead you to possible solutions to your problem. For example, if the problem never occurs on the first or second shift, you should focus on the processes and the people that work on the third shift to locate the cause. The “Is/Is Not Analysis” is seldom used alone, but it may be the first step toward locating the cause of a quality problem.

Root Cause Analysis Tool # 3 – Fishbone Diagram

fishbone Root cause analysis   Learn 4 tools

This name comes from the shape of the diagram. Other names for this diagram are the “Cause and Effect” or “Ishikawa” diagram. If a problem is occurring in low frequency and has always existed, this might not be your first tool. However, I typically start with this tool when I am doing an investigation of nonconforming product—especially when rejects suddenly appear.

If you are baffled about the cause of a problem, brainstorming the possible causes in a group sometimes works. However, I like to organize and categorize the ideas from a brainstorming session into the “6Ms” of the Fishbone Diagram.

Root Cause Analysis Tool # 4 – Pareto Analysis

The fourth root cause analysis tool is the Pareto Analysis named after Antoine Pareto. This tool is also a philosophy that was the subject of a book called The 80/20 Principle: The Secret to Achieving More with Less. The Pareto Analysis is used to organize a large number of nonconformities and prioritize the quality problems based upon the frequency of occurrence. The Pareto Chart presents each challenge in descending order from the highest rate to the lowest frequency. After you perform your Pareto Analysis, you should open a CAPA for the #1 problem, and then open a CAPA for the #2 problem. If you get to #3, consider yourself lucky to have the time and resources for it. We have an example of a Pareto Chart in our article on FDA 483 inspection observations from 2013.

Additional Training Resources

If you are interested in learning more about root cause analysis and practicing these techniques, please register for the Medical Device Academy’s Risk-Based CAPA training.

Posted in: CAPA

Leave a Comment (15) →

A3 Reports – The Missing Link to Effective CAPA Process Management

A3 Workbook A3 Reports – The Missing Link to Effective CAPA Process ManagementYour CAPA process is the most important process in your Quality System for two reasons. First, CAPA is the tool you use to fix quality problems. Second, your CAPA process is guaranteed to be an area of interest for your next FDA inspector.

If CAPA is so important, why do companies still have inefficient CAPA processes?

When auditors review a CAPA process, some of them start by reading the procedure. When FDA writes a 483 observation about CAPA processes, the wording begins with “Procedures for corrective and preventive action have not been adequately established. Specifically…”. The approach of auditors and inspectors seems to suggest that your procedure is the key to an effective CAPA process, but your procedures are not the reason for the success or failure of processes.

Processes are effective when the management of the processes is effective. If a CAPA falls behind schedule, writing a justification for an extension is a process “solution.” A real solution is managing the process better. Management needs to monitor the progress of CAPAs regularly, should prioritize resources to ensure that CAPAs are completed on time, and needs to make decisions on which actions should be taken to prevent recurrence of quality problems. Therefore, you need to spend more time developing a method of managing CAPAs than you spend developing the CAPA process itself.

What is an A3 Report?

An A3 report is a tool that is ideally suited for managing CAPAs. “A3” refers to the size of the paper used (i.e., – approximately 11”x17”). An A3 report is a one-sided, single piece of paper that is used to build consensus among company management when you are making an important decision. The initial draft of the A3 report is distributed to each of the affected departments to ensure that all possible inputs to a quality problem are received. By encouraging 360-degree feedback for a proposed solution to a quality problem, you will ensure that the CAPA you develop addresses the issue completely.

In addition to encouraging 360-degree feedback, an A3 report includes an analysis of the problem, identification of the cause, proposed actions that require management decision, a section for documenting actions taken, and a follow-up section for management to review at specific milestones during the implementation plan. Including all of this information in one page forces CAPA owners to summarize information for management, and the standardized format makes it easier for managers to locate the information they want.

Here’s how these sections would be used for managing CAPAs.

Analysis of the Problem

This section is identical to the section of a traditional CAPA record, where the investigation of the problem is documented. This is where tools such as 5 Why analysis, Pareto charts, and Fishbone Diagrams would be used to illustrate the analysis of the problem. This section may change a great deal during the 360-degree review of the A3 report.

Root Cause or Potential Cause

In this section, there should be a concise statement of the root cause for corrective action plans or the potential cause(s) for preventive action plans. During the initial review of the A3 report, management may ask the person or team assigned to the CAPA to investigate the problem in greater depth or investigate other possible sources of information if the analysis appears to be inadequate. Management should also ensure that the causes are within the control of the company to correct or prevent. Identifying a cause that is outside the control of the company is just placing blame.

Proposed Actions

This section is similar to a typical CAPA plan, but the section includes the reason(s) why the proposed actions are recommended. The reasons why actions are proposed is important during the process of management reviewing the initial A3 report and approving the recommended actions. The best practice is to phrase the reasons in terms of quantitative results that will be achieved because this will provide a framework for metrics during follow-up by management.

Actions Taken

This section of the A3 report is updated throughout the implementation of the project. By comparing this section with proposed actions, management can monitor the status of each task included in the CAPA plan.

Follow-up

This section of the A3 report identifies how management will monitor the implementation of actions and when. The initial A3 report identifies what management will be monitoring, how it will be monitored, and at what milestones. Ideally, the monitoring includes quantitative metrics that demonstrate the effectiveness of the CAPA. During the implementation of the CAPA plan, actual metrics will be recorded in this section, and any adjustments that management makes are recorded here.

If you are interested in learning more about A3 reports, you can learn more from Daniel Matthews at http://bit.ly/A3Workbook.

You can also learn more about improving your CAPA process by attending one of the workshops on CAPA: September 9 in Orlando or October 3 in San Diego. Each workshop is one day, and early bird pricing is $249 per day if you register before August 1. Click Here to learn more: http://bit.ly/12AxxQ0

Posted in: CAPA

Leave a Comment (0) →

Benefits of Incorporating Risk Management into Procedure Documents

By Guest Blogger, Brigid Glass
8971385878 db2fe2e49a q Benefits of Incorporating Risk Management into Procedure DocumentsThe author discusses the benefits of incorporating risk management into procedure documents. An example procedure for Record Control is included.

When I was first introduced to FMEA many years ago, I loved it. I loved the systematic approach and particularly appreciated using a Process FMEA to explain to those involved with a production process why certain controls had been put in place. I enthusiastically taught FMEA to our engineers. At the time, our bubbly, buoyant, outcomes-focused Training Manager said to me, “You Quality people have such a negative outlook. You’re always looking for what can go wrong!”  Well, yes, but it’s our role to prevent things from going wrong!  I’d found a tool to help me with that.

Next, there was EN 1441, a risk analysis standard that never satisfied, and always felt incomplete. ISO 14971 followed, covering the entire lifecycle of a product, with closed feedback loops.  So now, risks in product and process design were well covered, but ISO 13485 section 7.1 asks us to “establish documented requirements for risk management throughout product realization.”  Many of us would acknowledge that we could do better, even though we pass audits.  And what about the rest of the quality management system?  I know that when we document a procedure, we already apply risk management principles in our heads, but we usually don’t apply them systematically or write down the results.

The Idea

Recently, Rob Packard and I started work on a project that requires us to generate a full set of documentation for a QMS, compliant with both U.S. and EU requirements, including ISO 13485 and ISO 14971. We each had our ideas on how best to write a procedure, but this project provided us an opportunity to get some synergy going. Rob wanted to address risk management in each procedure. “Yes!” I said, thinking that there was a chance to fill that gap. But then it was my job to develop the template for the procedures and work out how to accomplish this…

My first results looked very complicated, so I took the KISS (Keep It Simple, Stupid) approach: one column for the hazards and consequences, and one for the risk control measures.

What I didn’t include:

  • I started with more complex hazard documentation (hazard ID, impact, trigger event, etc.). Still, I felt the benefits in the context of a procedure document was not balanced by the extra complexity and work required for analysis and training. It would be a hard sell to users within an organization who were not used to the risk management approach.
  • I decided not to assess risks and controls quantitatively for the same reasons as in the bullet point above.
  • Initially, I included references to implementation, but this would be difficult to maintain as other documents changed.
  • I thought about verification of the implementation of risk controls, then decided to leave that verification to reviewers.

Below is an example from a procedure for Record Control where records are completed on paper, then scanned as a pdf. My list won’t be the same as your list, but it is illustrative.

brigid chart 1 Benefits of Incorporating Risk Management into Procedure Documents

Standards and regulations are essentially a set of risk controls, so they are the first starting point when identifying hazards. The list should include direct risks to products, risks to the integrity of the QMS, and regulatory risks. For those of us who have been in this industry for a while, experience, past mistakes, questions fielded in external audits, and observations of other systems will yield further hazards and appropriate controls. Audits provide the opportunity to update and refine the list and test the control measures.

Benefits of Incorporating Risk Management into Procedure Documents

  • Impresses your ISO 13485 auditor!
  • When first writing procedure documents, starting the writing process by reviewing the external requirements, and systematically writing the risk section, sharpens the mind as to what must be included in the procedure. This is the same approach as in design controls, where we include risk mitigators that apply to product design in the design inputs. This is part of planning in the PDCA cycle.
  • Supports future decision-making, in the same way, that the risk file for a product is considered when a design is changed. The risk control section of a procedure provides the criteria against which any improvement or change can be assessed. Will it enhance the risk controls, or might it introduce a new hazard?
  • Serves as the basis for training on the procedure. Making visible the link between potential hazards and procedural controls much more convincing than saying, “Do this because the procedure says so,” or, “It’s in the procedure because the regs say so.”

This is part 1 in a series of blogs that leads up to our Roadmap to Iso 13485 Certification Courses

 

Posted in: ISO 14971:2019 (Risk Management)

Leave a Comment (0) →

CAPA Form – 15 tips to avoid CAPA failure

This blog reviews 15 tips for creating an effective CAPA form including source, quality issue description, and the root cause investigation.

Your cart is empty

CAPA Form 1024x362 CAPA Form   15 tips to avoid CAPA failure

The reason for creating a “great CAPA form” is to improve the effectiveness of your CAPA process. Anyone in your company could be assigned to a CAPA, but not everyone is a CAPA expert. Therefore, designing an effective CAPA form can reduce errors and improve the effectiveness of the actions taken. You can also purchase our CAPA procedure and CAPA form, which is compliant with ISO 13485:2016.

Corrective and Preventive Action CAPA Procedure CAPA Form   15 tips to avoid CAPA failure
SYS-024 Corrective and Preventive Action (CAPA) Procedure, Form, and Log

SYS-024 – Medical Device Academy’s newly updated CAPA procedure is a 6-page procedure. Your purchase will also include our CAPA form (FRM-009), and our CAPA log (LST-005). The procedure is compliant with ISO 13485:2016, 21 CFR 820.100, SOR 98/282, and the EU MDR. You will also receive free updates in the future. We are currently distributing our 16th version of the procedure.

Price: $299.00

Provide adequate space in CAPA form

The most important feature of a CAPA form is to ensure that there is adequate space for writing a complete response for each section. Having sufficient space is more important than the benefits of a shorter record.

Date your CAPA form was initiated

The date your CAPA form begins to be completed can be used to verify that there was no “undue delay” in the initiation of a CAPA in response to internal audit findings. The date of initiation is also used to calculate the due date for completing the investigation and providing a corrective/preventive action plan.

Include a cross-reference number in your CAPA form

This is typically a sequentially assigned CAPA log number. Ensure the number is prominent on all pages—just in case pages are separated.

CAPA source

The source of a CAPA is useful information when performing data analysis—especially for internal audits where the audit schedule should reflect the results of previous audits. Examples of CAPA sources include:

  • Complaints/Reportable Events
  • Internal, Supplier, and Third-Party Audits
  • Service Work Orders
  • Nonconforming Materials
  • Management Reviews

Description of CAPA issue

I use the word “issue” instead of nonconformity because you need a CAPA form that will work for potential nonconformities (i.e., – preventive actions), as well as nonconformities. Typically, the wording is identical to a customer complaint or an auditor’s text, but the description of the issue identifies the symptoms observed. Specific references to records, locations, times, equipment, products, and personnel involved may be necessary for the root cause investigation.

The investigator assigned and target due date for the plan

In ISO 13485:2016, the only change to the requirements for corrective actions and preventive actions was the clarification that planning is required. Since this was always implied in the standard, your procedure should already comply with clauses 8.5.2 and 8.5.3 in the 2016 version of ISO 13485.

This section of your CAPA form should identify who is going to investigate the root cause of the issue and the date that a corrective/preventive action plan is needed. The FDA requires submitting a corrective action plan for all 483 observations within 15 business days, or it will result in an automatic Warning Letter. Most certification bodies require a plan within 30 days. Your target due date should be risk-based unless there is a specific regulatory requirement. The date will also need to be based upon the date the issue was identified—not necessarily the date the CAPA was initiated.

Documenting the investigation of the root cause is the #1 item in a CAPA form

This section always reminds me of the story about the Ohno Circle. Every company asks if they can close a nonconformity during an audit, and the answer should always be “No.” You can correct a problem, but you cannot perform a root cause investigation and implement an effective corrective action during the same audit. You need to investigate the cause and the investigation documented. Some companies include a specific tool in this section, such as a “Fishbone Diagram.” This is also a mistake because there are many root cause analysis tools, and you need to select the best one for your specific situation. You might even need to use more than one tool.

Is your CAPA form missing containment of nonconforming product?

If the issue requires preventive action, there is nothing to contain. If the issue is specific to a procedure’s deficiency, there is also nothing to contain. If the issue requires corrective action and nonconforming materials or products are involved, then you need to quarantine the affected items. If the affected product has already left the company’s direct control (see 21 CFR 806.2(l) for a definition), then you have a potential recall. Regulators often look for “bracketing” or “bounding” of the upper and lower lot limits for an issue. Therefore, this section is where you document the rationale for why certain lots of products/materials are quarantined, and other lots are not.

Correction(s) – Your CAPA form must separate this from corrective actions

Fixing the immediate problem does not prevent a recurrence, but regulators will verify that each occurrence of the issue identified during the investigation of the root cause has been corrected. You should verify that each of the nonconformities identified in the original finding and the investigation is addressed in this section of your CAPA form. For preventive actions, this section is not applicable.

Corrective Action Plan/Target Due Date for Implementation

These are the steps planned to prevent a recurrence. If the plan changes, then it should be updated. There is no need to delete the old version of the plan, but the new version should include a date when the plan was revised. For preventive actions, this section is not applicable. The target date of implementation should reflect the risk associated with the issue.

Preventive action plan / target due date for implementation

These are the steps planned to prevent the occurrence of nonconformity. If an issue occurred for one product, but not for others, the actions taken for other products can be preventive. In this case, both the corrective action plan and the preventive action plan sections should be completed. The target date of implementation should reflect the risk associated with the issue.

Corrective and preventive actions implemented – Update your CAPA form weekly

This section details what specific actions were performed—both corrective and preventive actions can be documented here. The dates of completing actions should be documented, and reasons for delays and overdue actions should be identified.

How to document your plan for verification of effectiveness – CRITICAL

I recommend filling this section before the plan for corrective and preventive action is developed. This often helps the person developing the plan to ensure that the actions planned are adequate. Whenever possible, this should be quantitative, and it helps to identify a specific date for performing the effectiveness check.

Verification of effectiveness

This section of your CAPA form is where you document verification of effectiveness. Specifically, what verification activities were performed to ensure that the corrective and preventive actions you implemented were effective. The date verification of effectiveness was performed should be documented, and if the actions were not effective, then a new CAPA should be referenced here.

Signature and closure date

Someone needs to review, sign, and date your CAPA form when it is completed. Often, regulators will review only closed records.

Posted in: CAPA

Leave a Comment (5) →

CAPA Training Remediation Case Study: Hundreds of Open CAPAs

This blog presents a CAPA training case study related to hundreds of open CAPAs, and how to effectively remediate this issue using a CAPA filter to avoid “death by CAPA.”

Years ago, when I took my first CAPA course, the student sitting next to me explained that he was taking the course as part of a consent decree with the USFDA. Evidently. his company had hundreds of open CAPAs that were not being closed promptly, and the CAPAs were ineffective when the records were finally closed.

Hundreds of open CAPAs?!

I was in total shock. You probably only have five to ten open CAPAs at your company. How could anyone have hundreds open?

He told me that every time a customer asked for technical support, a person was paged. If the page was not answered within three minutes, this was considered a customer complaint, and a new CAPA was opened automatically. The course instructor described the situation as “Death by CAPA.” His company did three things wrong    

1. Overreaction with Microscopic Focus

The company incorrectly identified failure to meet the three minute target response time as a customer complaint. Also, several complaints related to the same issue should not result in a CAPA specific to each complaint.

2. Lack of Management Oversight

Nobody was tracking how long CAPAs remained open. There were no actions taken when target completion dates were missed. There were no reports to management on the status of CAPAs, and the only time CAPAs were discussed in a meeting was at the annual Management Review meeting.    

3. Failure to Check Effectiveness

Instead of verifying that corrective actions were effective, the company confirmed that corrective actions were implemented. Most of the corrective actions involved “retraining” or “revising the procedure.”

For any process to work correctly, you need to ensure that the process can handle the volume. If one person is responsible for managing hundreds of CAPAs each year, the CAPA process will be ineffective. You need more resources or fewer CAPAs. My recommendation is to use a CAPA filter.

 

Capa funnel photo CAPA Training Remediation Case Study: Hundreds of Open CAPAs

A CAPA filter does two things. First, it sorts CAPAs into problem categories. For example, all the poor response times to pages should be one problem with one CAPA. Second, a CAPA filter sorts CAPAs according to risk. A response to a page within five minutes instead of three minutes results in a customer waiting longer. A customer receiving no response could have a more severe impact, especially if the customer has diabetes that cannot seem to get their glucose monitoring device to work correctly.

Trend Analysis

Therefore, response rates to pages should be a metric subject to monitoring and measuring—not necessarily a CAPA. You have a positive trend if the number of late responses is declining, and the average delay is steadily shrinking. In this case, there may be no need for a CAPA. You have a negative trend if the number of late responses is increasing, or the average delay is getting longer. In this case, one or two CAPAs may be needed—not one CAPA for each occurrence.

Depending upon the issue, there may be a safety issue associated with extreme limits. In this case, it is recommended to establish alert limits and action limits. Alert limits may increase the frequency of monitoring and measuring, and corrections may also be implemented. However, if the action limit is reached, then a CAPA may be required.

Quality Plan

When I audit a company, it is not uncommon to observe a problem and to quickly identify a root cause. This frequently happens when the issue is familiar to many companies, and the root cause is: 1) inadequate procedures, 2) insufficient training, or 3) inadequate management oversight. If the problem is limited to one area, a CAPA may be entirely appropriate. However, if I observe the same type of problems in several areas, then the root cause is systemic. This can happen in a company where the following problems exist at the same time:

  1. The training procedure does not require demonstrating training effectiveness
  2. Employees are only required to “read and understand” procedures
  3. The top management has put a “freeze” on spending related to training

In a small company, this trifecta of doom is not uncommon. Therefore, in these cases, a CAPA does not address the root cause. Many companies will mistakenly identify the root cause as an “inadequate procedure.” The correction will be to fix the problem caused by the inadequate procedure. The corrective action will be to revise the procedure.

This is only a partial solution because it does not address the root cause. A stronger approach is to identify the root cause as an “ineffective training process.” The correction will be the same. The corrective action, however, will be expanded to include the initiation of a Quality Plan for changing the company training process.

The combined approach of a CAPA plan and a Quality Plan is a better solution because the process change will affect the entire Quality Management System and will require many months to implement fully. This is especially true if resources are constrained.

Here are a couple of upcoming webinars I am doing on CAPA and Complaint Handling:

Posted in: CAPA

Leave a Comment (1) →

Negligible Risks – Deviation #1 in ISO 14971

This blog reviews the treatment of the negligible risks, which is deviation #1 within the EN ISO 14971:2012 European normative risk management standard.

%name Negligible Risks   Deviation #1 in ISO 14971

In 2012, the European National (EN) version of the Medical Device Risk Management Standard was revised, but there was no change to the content of Clauses 1 through 9. Instead, the European Commission identified seven content deviations between the 14971 Standard and the requirements of three device directives for Europe. This seven-part blog series reviews each of these changes individually.

Treatment of Negligible Risks in ISO 14971

The first deviation is specific to the treatment of negligible risks. In Annex D8.2, the ISO 14971 Standard indicates that the manufacturer may discard negligible risks. However, Essential Requirements in the three device directives require that “All risks, regardless of their dimension, need to be reduced as much as possible and need to be balanced, together with all other risks, against the benefit of the device.”

Common Misinterpretations

One of the most common mistakes is to confuse the concepts of hazard, harm, and risk. Each of these terms is defined in the ISO 14971 Standard in section 2, but the common mistake is to think that the European Commission is saying that 100% of the hazards you identify need to be reduced as much as possible.

The intent is to require manufacturers to reduce risks, rather than hazards. The first step of the risk analysis process involves identifying hazards. Still, some of these hazards may never result in harm, due to risk controls that are inherent to the design your company has chosen. Also, the severity of harm that a hazard may present could be so low that it may present no risk to the user or patient.

The best practice in risk management is to identify as many hazards as possible at the beginning of the risk analysis process. Still, then these hazards must be sorted into those hazards that will be analyzed for risk. One of the common phrases used in training is: “It is better to estimate the risk of 10% of 1,000 hazards than it is to estimate 50% of 100 hazards.”

If you follow the logic behind the phrase above, your team will need to estimate risk for 100 hazards, rather than 50 hazards. Your risk analysis team will also need to document the rationale behind the categorization of hazards.

Categorizing Hazards

If a hazard is associated with adverse events in the Manufacturer and User Facility Device Experience (MAUDE) database for your device or a similar device, then you need to ensure that the risk associated with that hazard is assessed and there are adequate risk controls. This is also true for any hazard associated with a customer complaint that your company anticipates. Any hazard that presents a high potential severity of harm should also be included in your risk analysis. However, if a hazard is entirely eliminated by the design of your device, then you do not need to include it in the risk analysis.

I recommend writing a hazard identification report that includes all the hazards that were identified. This report should also categorize the hazard. You only need two categories: 1) hazards to be analyzed for risk, and 2) hazards that do not require risk analysis. You need a rationale for each risk that you do not perform risk analysis for, and you need traceability to risk controls and the risk-benefit analysis for each hazard that you do analyze.

Example of a Rationale for Not Analyzing the Risk of a Hazard

About eight years ago, the United States Food and Drug Administration (USFDA) issued an alert cautioning physicians to avoid the use of hemostatic agents near the spinal column, due to the potential hazard of paralysis caused by the swelling of a hemostatic agent as it absorbs the blood. My employer, Z-Medica, quickly received many customer inquiries asking about the safety of QuikClot near the spinal column. I was able to quickly respond that there were zero risks of QuikClot causing paralysis because that particular hemostatic agent did not swell. Instead of absorption, the product adsorbed blood and did not change in size or shape during the adsorption process.

Impact of Deviation #1 about “Negligible Risk”

As companies become aware of this deviation between the 14971 Standard and the Essential Requirements of the device directives, I believe teams that are working on risk analysis and people that are performing a gap analysis of their procedures will need to be more careful about which hazards are identified in their risk management reports. The burden of showing traceability from hazards to risk controls and risk-benefit analysis is substantial. Therefore, it is important to be systematic about how hazards are identified and to provide a clear justification for any hazards that are not included in the risk analysis.

The common phrase that has been used in risk management training classes should be reconsidered in light of feedback from the European Commission. Maybe a better phrase would be: “It is better to estimate the risk of 10% of 200 hazards than it is to estimate 50% of 20 hazards. However, it is important to provide a clear justification for any hazards that are not included in the risk analysis.”

If you are interested in ISO 14971 training, we are conducting a risk management training webinar on October 19, 2018.

Posted in: ISO 14971:2019 (Risk Management)

Leave a Comment (4) →

An Auditor’s Best Practices in Issuing a Major Nonconformity

%name An Auditors Best Practices in Issuing a Major Nonconformity

From the opening meeting through the audit and closing meeting, the author describes an auditor’s best practices in issuing a major nonconformity.

As an auditor, one of the most important (and difficult) things to learn is how to issue a nonconformity—especially a major. This is usually done at the closing meeting of an audit, but the closing meeting is not where the process of issuing the nonconformity begins. Issuing a nonconformity starts in the opening meeting.

ISO 19011:2011 is the official guidance document for auditors of Quality Management Systems, and ISO 13485 is the quality system standard for medical device manufacturers. Section 6.4.2 of this Standard explains best practices for an opening meeting. The last five items in this section are critical to preparing the client for potential nonconformities:

  1. Method of reporting audit findings, including grading, if any
  2. Conditions under which the audit may be terminated
  3. Time and place of the closing meeting
  4. How to deal with possible findings during the audit
  5. System for feedback from the auditee on findings or conclusions of the audit
  6. Process for complaints and appeals
Methods of Reporting and Grading Nonconformities

The auditor should be crystal clear in their description of minor and major nonconformities or any other grading that will be used. The auditor should also make it clear that they are looking for conformity rather than nonconformity. This is an audit—not an inspection. Typically, a minor nonconformity is described as “a single lapse in the fulfillment of a requirement,” while a major nonconformity is described as one of the following: 1) “a total absence in the fulfillment of a requirement,” 2) “repetition of a previous nonconformity,” 3) “failure to address a previously identified minor nonconformity,” or 4) “shipment of non-conforming product.” When the auditor is in doubt, then the finding is minor, and never a major. For a major nonconformity to be issued, there can be no doubt.

Conditions for Termination

The option to terminate an audit is typically reserved for a certification audit where a major nonconformity is identified, and there is no point in continuing. Termination is highly discouraged, because it is better to know about all minor and major nonconformities right away, instead of waiting until the certification audit is rescheduled. The certification body will charge you for their time anyway.

Another reason for termination is when an auditor is unreasonable or inappropriate. This is rare, but it happens. If the audit is terminated, you should communicate this to upper management at the certification body and the company—regardless of which side of the table you sit. For FDA inspections, this is not an option. For audits performed by Notified Bodies, there is the possibility of suspension of a certificate in response to audit termination. Therefore, I always recommend appealing after the fact, instead of termination. Appealing also works for FDA inspections.

How to Deal with Findings

All guides and auditees should be made aware of possible findings at the time an issue is discovered. This is important so that an auditee has the opportunity to clarify the evidence being presented. Often, nonconformities are the result of miscommunication between the auditor and the auditee. This frequently happens when the auditor has a poor understanding of the process being audited. It is a tremendous waste of time for both sides when this occurs. If there is an actual nonconformity, it is also important to gather as much objective evidence as possible for the auditor to write a thorough finding and for the auditee to prepare an appropriate corrective action plan in response to the discovery.

%name An Auditors Best Practices in Issuing a Major Nonconformity
Feedback from the Auditee

As an auditor, I always encourage auditees to provide honest feedback to me directly and to management, so that I could continue to improve. If you are giving feedback about an internal auditor or a supplier auditor, you should always give feedback directly before going to the person’s superior. You are both likely to work together in the future, and you should give the person every opportunity to hear the feedback first-hand.

When providing feedback from a third-party certification audit, you should know that there will be no negative repercussions against your company if you complain directly to the certification body. At most, the certification body will assign a new auditor for future audits and investigate the need for taking action against the auditor. In all likelihood, any action taken will be “retraining.” I never fired somebody for a single incident—unless they broke the law or did something unsafe. The key to providing feedback, however, is to be objective. Give specific examples in your complaint, and avoid personal feelings and opinions.

Complaints and Appeals

As the auditee, you should ask for the contact information of the certification body during the opening meeting. Ask with a smile—just in case you disagree, and so you can provide feedback (which might be positive). As the auditor, you should always make contact information for the certification body available. If you are conducting a supplier audit or an internal audit, you probably know the auditor’s boss, and there is perhaps no formal complaint or appeals process. In the case of a supplier audit, the customer is always right—even when they are wrong.

During the Audit

During the audit, you should always make the guide(s) and process owner(s) aware of any potential nonconformities as you find them. This is their opportunity to clarify the objective evidence for you and to explain why there is not a nonconformity. Often, at this point in the audit, I will refer to the Standard. I will identify the specific requirement(s) and show the process owner. I will say, “This is what I am trying to verify. Do you have anything that would help address this requirement?” If the process owner is unsure of how to meet the requirement, often, I will provide an example of how this requirement is addressed in other areas or at other companies.

If the audit is a multi-day audit, I will review the potential nonconformities at the end of the day and allow the auditee to provide additional objective evidence in the morning. If it is the last day of the audit, or it is a single-day audit, I will give auditees until the closing meeting to provide the objective evidence. Often, I will use this opportunity to explain what would be considered a minor nonconformity and what would be a major nonconformity. Usually, I can say, “This is not a major nonconformity because…”

%name An Auditors Best Practices in Issuing a Major Nonconformity

Closing Meeting

The closing meeting should be conducted as scheduled, and the time/location should be communicated to upper management in the audit agenda and during the opening meeting. Top management won’t be happy about nonconformities, but failure to communicate when the closing meeting will be conducted will irritate them further.

At the closing meeting, the auditee should never be surprised. If an issue remains unfulfilled at the closing meeting, the auditee should be expecting a minor nonconformity—unless the issue warrants a major nonconformity. Since a minor nonconformity is described as “a single lapse in the fulfillment of a requirement,” it is difficult for an auditee to argue that an issue does not warrant a minor nonconformity. Typically, the argument is that you are not consistent with other auditors. The most common response to that issue is, “Audits are just a sample, and previous auditors may not have seen the same objective evidence.” The more likely scenario, however, is that the previous auditor interprets requirements, instead of reviewing requirements with the client, and ensuring both parties agree before a finding is issued.

If a finding is major, the auditee should have very few questions. Also, I often find the reason for a major nonconformity is a lack of management commitment to address the root cause of a problem. Issuing a major nonconformity is sometimes necessary to get management’s attention.

Regardless of the grading, all audit findings will require a corrective action plan—even an FDA warning letter requires a CAPA plan. Therefore, a major nonconformity is not a disaster. You just need to create a more urgent plan for action.

Posted in: ISO Auditing

Leave a Comment (2) →

EU Medical Device Directive: 6 New Essential Requirements

%name EU Medical Device Directive: 6 New Essential RequirementsEssential Requirements (ER) changes in the proposed EU Medical Device Regulations versus the ER in Annex I of the EU Medical Device Directive are reviewed.

Click HERE if you want to receive future “European Regulatory Updates” by email. Just provide your name, company, phone number, and email address where you would like to receive updates.

Annex I of the European Medical Device Directive (http://bit.ly/M5MDD) is titled “Essential Requirements.” Most companies demonstrate that their device meets the 13 Essential Requirements (ERs) by creating an Essential Requirements Checklist (ERC). I have no idea what the origin of the ERC is, but you know that regulators love tables and checklists. This particular checklist is so commonly used that the Global Harmonization Task Force (GHTF) included an example of an ERC, called an “Essential Principles Checklist” (EPC) at the end of a guidance document on how to create Summary Technical Documentation (STED) for In Vitro Diagnostic devices (http://bit.ly/STEDIVD)—which is now maintained on the IMDRF.org website.

On September 26, 2012, the European Commission released a proposal for new EU Medical Device Regulations (http://bit.ly/EUProposal). This proposal still includes ERs in Annex I, but there are 19 ERs in the proposal. One regulatory professional recently sent me a follow-up question in response to an audio seminar I conducted in November (). Her question was, “What are the six new ERs?”

A few of the early reviews of the proposal indicated that there were no significant changes. Still, I have learned the hard way that you should always go to the source and verify the information for yourself (i.e., – Genchi Genbutsu). Here’s what I found:

General Requirements (ER 1-6a)

  1. No real change to this requirement.
  2. This requirement was reworded to clarify the intent (see Annex ZA of EN 14971:2012 for more info @ http://bit.ly/ISO14971-2012changes).
  3. It appears as though the Commission thought the current ER 3 was redundant, and the requirement was addressed by ER 1 and ER 5 already.
  4. This is now the new ER 3, and the requirement now clarifies how Notified Bodies shall apply this requirement in cases where a lifetime of the device is not stated.
  5. This is now the new ER 4, and there is no real change.
  6. This is now the new ER 5, and the wording has been clarified.

ER6a is conspicuously missing from the proposed ERs, but don’t get excited. Clinical evaluations are still required as part of the Technical Documentation in Annex II, Section 6.1c: “the report on the clinical evaluation in accordance with Article 49(5) and Part A of Annex XIII.”

Chemical, Physical & Biological Properties (ER 7)

ER 7.1 has one new requirement: “d) the choice of materials used, reflecting, where appropriate, matters such as hardness, wear and fatigue strength.” ER 7.2 and 7.3 remain unchanged. ER 7.4 has been simplified to what is proposed as the new, shorter ER 9. ER 7.5 is now the new ER 7.4, and the changes reflect the current status of phthalate regulations and similar issues. ER 7.6 is now the new ER 7.5, but there is no change to the content. The new ER 7.6 requires that manufacturers address risks associated with the size and properties of particles, especially nanomaterials. The changes related to this section will impact certain device types more than others—such as orthopedic implants.

Infection & Microbial Contamination (ER 8)

ER 8 is still ER 8, but ER 8.1 is now prescriptive regarding design solutions, and the current ER 8.2 is now the new ER 10. The new ER 10 is expanded and references the new EU regulations regarding devices manufactured utilizing tissues or cells of animal origin: Commission Regulation (EU) No 722/2012 of August 8, 2012 (http://bit.ly/AnimalTissueReg). The new ER 8.2 is a new requirement that was an oversight of the MDD, and the new ER 8.7 now clarifies that the labeling must differentiate sterile and non-sterile versions of the product; packaging is no longer an acceptable mechanism for differentiation. The balance of ER 8 remains unchanged.

Construction & Environmental Properties (ER 9)

This ER is now identified as the new ER 11, and this section is expanded. This reflects the emphasis on the need to evaluate the safety of devices with accessories, compatibility with other devices, and the effects of the use environment.

Devices with a Measuring Function (ER 10)

This ER is now identified as the new ER 12, but ER 10.2 from the current Directive appears to be missing. What’s up?

Take a look at the new ER 11. ER 10.2 is now the new ER 11.6.

Protection Against Radiation (ER 11)

This ER is now identified as the new ER 13, but there is nothing new.

Requirements for Devices Connected to or Equipped with an Energy Source (ER 12)

ER 12.1 and 12.1a are now ER 14. This section is specific to software requirements and has more detail than the current Directive. IEC 62304:2006, “Medical device software – Software life cycle processes,” is the Standard that will be expected by Notified Bodies as a reference for ER 14. ER 12.2 through ER 12.6 is now ER 15, but there is nothing new. Section ER 12.7 and its sub-parts are now addressed by ER 16. ER 12.8 and its subparts are now addressed by ER 17.

Information Supplied by the Manufacturer (ER 13)

This is now identified as ER 19: “Label and Instructions for Use.” This section is simplified from ER 13 (i.e., – there are fewer sections), but this ER does not seem to be any shorter. ER 19.1 has subparts a-g, and this ER section incorporates the concepts previously addressed by ER 13.1, 13.2, 13.4, and 13.5. ER 19.2 is a new and improved version of the previous ER 13.3 specific to labeling requirements. This labeling section is expanded from subparts “a” through “n” to “a” through “q.” The UDI requirement is subpart “h.” ER 13.6 is now ER 19.3 specific to the Instructions For Use (IFU). This section is expanded from subparts “a” through “q” to “a” through “t.”

The number of subparts to ER 19.3 doesn’t reflect the additional requirements for IFUs that are proposed by the Commission. The subsections of this part warrant special attention. Items that frequently are found missing from IFUs on the market today include:

  1. ER 19.3c – performance intended by the manufacturer
  2. ER 19.3h – installation and calibration instructions
  3. ER 19.3k – how to determine if a reusable device should be repaired/replaced
  4. ER 19.3m – restrictions on combinations with other devices
  5. ER 19.3o – detailed warning information
  6. ER 19.3p – information about safe disposal of the device
  7. ER 19.3t – notice to user/patient to report adverse events

ER 18 – Use by Lay Persons

This is a short section, but the requirement is new. There are no additional requirements for products intended for use by a layperson. The risk management report, design validation, and clinical evaluation report will need to include specific evidence to demonstrate conformity with this ER. The post-market surveillance plan for these products should carefully verify the accuracy of risk estimates. Post-Market Clinical Follow-up (PMCF) studies would be challenging in the past. Still, the prevalence of social media and product registration databases may facilitate conducting PMCF studies for these products in the future.

Australia & Canada

There is also an EPC that is required by the Therapeutic Goods Administration (TGA) in Australia, (http://bit.ly/EPCTGA) and  Therapeutics Product Directorate (TPD) in Canada (http://bit.ly/CanadianSTED). If you would like to learn more about the Essential Principles of Safety and Performance, you should also review the GHTF guidance document on this topic (http://bit.ly/EPSafetyPerf) on the IMDRF.org website. This 2012 version of the document supersedes GHTF/SG1/N041:2005.

I have observed the approval of products where the European ERC was submitted in place of an EPC for Australia and Canada. I guess they are a little more rational than some other regulators, but if you have experienced any “push back” regarding this approach, please share this by posting a comment or by sending an email.

If you need assistance with medical device CE Marking, or you are interested in training on CE Marking, please contact Medical Device Academy at rob@13485cert.com. Medical Device Academy is developing a webinar series specifically for this purpose. You can also call me by phone @ +1.802.258.1881. For other blogs on the topic of “CE Marking,” please view the following blog category page: http://robertpackard.wpengine.com/category/ce-marking/.

Posted in: CE Marking

Leave a Comment (2) →

A 6 Step Approach if You Disagree With a Notified Body Auditor

The author’s first certification audit experience is discussed, and we review six different approaches to take if you disagree with a notified body auditor.

My first certification audit ever didn’t go so well. The reason it didn’t go well is that the auditor wrote nonconformities that my boss and our regulatory consultant didn’t agree with. At the time, I was too inexperienced to know how to handle it. My boss and the consultant, however, totally lost it. I’ve never seen veins that big in someone’s forehead–even in cartoons.

I asked them both to leave the room because I was afraid to “push back” on the auditor. Many Management Representatives feel the same way that I did during that initial certification audit. The best way to summarize our concerns is with the following picture:

kodiak A 6 Step Approach if You Disagree With a Notified Body Auditor

Recently another LinkedIn group member emailed me to say that they have seen several auditors for registrars identifying nonconformities that represented their own personal opinions rather than specific requirements of the Standard. For example, there is a requirement to assign management responsibilities and document it, but there is no requirement to have an organization chart.

Another common mistake is when auditors insist that a company must create a turtle diagram for every single process. I support the use of turtle diagrams 100%, but the only requirement in the Standard is to use the process approach–not turtle diagrams specifically.

My favorite is my own personal mistake. I wrote a nonconformity for not having a process for implant registration cards for a company that was planning to ship a high-risk implant product to Canada. There is a requirement for implant registry cards, but I forgot that Canada defines “implants” in this case as only a very short list of implant devices–not implants in general.

Auditors are human. These are audit findings–not a jail sentence. Everyone needs to remember that the worst that can happen is that you receive a nonconformity. If the auditor finds a nonconformity, then you need to develop a CAPA plan. If the auditor finds nothing, you still need to do your own internal audits to identify nonconformities and continuously improve processes.

What Should You Do When an Auditor is Wrong?

I recommend that you “push back,” but you need to know-how. Many consultants suggest saying, “Can you show me in the Standard where it says I have to do that?” That’s just like poking a bear. If you do it once, it’s annoying. If you do it multiple times, an auditor might just eat you.

One Management Representative did that to me after I had taken the time to review the requirements with him. I responded by holding the ISO 13485 Standard in front of him and reciting clause 7.3.2. He responded by saying, “Well, that’s up for interpretation.” I offered to recite the ISO 14969 guidance document for him, but his boss told him to shut up.

This certainly wasn’t the only time a client pushed back during a registration audit, but other clients have had the sense to argue about things they understood.

One of the clients I audited said that he would change the topic to the auditor’s favorite sports team. That’s one approach. I’m sure that more than one client has taken the approach of asking me to explain where they can learn about best practices. I’m sure that they were somewhat successful. Another approach is to slide the lunch menu in front of them; I have only met one auditor that would not be distracted by a lunch menu.

6 Step Approach When You Disagree With an Auditor

1. Shut-up and look it up (before you open your mouth, grab the applicable external Standard and locate the information you are looking for).

2. If you are still convinced that the auditor is wrong, then tell that you are having trouble finding the requirement. Show them where you are looking, and then ask them to help you find the requirement.

3. If the auditor can’t show you where you are wrong, or it appears that the auditor is interpreting the Standard as they see fit, then focus on asking the auditor for guidance on what they will be looking for in your CAPA plan.

4. If the CAPA plan the auditor is looking for is something you think is a good idea, then shut up and implement the improvements. If the CAPA plan is not acceptable to you, then you should ask what the process is for the resolution of disputes.

5. No matter what, don’t start an argument with the registrar. They enjoy it. They like a challenge and resent people with less experience criticizing them.

6. If you still disagree with your auditor, then you should ask if the auditor can explain the process for appealing findings and follow that process.

Posted in: ISO Certification

Leave a Comment (0) →

3 Tools for Effectively Qualifying Suppliers

%name 3 Tools for Effectively Qualifying Suppliers

Do you have the right tools for qualifying your suppliers?


For every task, you have a choice of tools that you can use. For qualifying your suppliers, are you using the correct tools? 

This blog reviews how to utilize statistical process control, process validation, and supplier auditing to qualify suppliers effectively.
If you could afford to audition suppliers for a few months against hundreds of other competitors, then only the qualified suppliers would be approved. Unfortunately, you don’t have the same budget that American Idol has. So what should you do instead?

Most companies use the same three, tired tools to qualify suppliers: ISO Certification, Quality Manuals, and questionnaires. ISO certification is a weak tool because certification is only as good as the registrar’s worst client. Quality Manuals are intended to define the intent of your supplier’s Quality Management System, while most of the details are located in procedures. You only need a copy of your supplier’s Quality Manual to help you plan audits. Supplier questionnaires seem to be the most popular tool, but most of the questions require a “Yes/No” response that suppliers rarely answer negatively. To assess the qualifications of potential suppliers more effectively, try using the following tools instead:

Tool # 1: Statistical Process Control

Most companies require a Certificate of Compliance (CoC) with every shipment. A CoC is useless. Just like the “Yes/No” responses to questionnaires, you will never see a CoC that indicates something is wrong. A Certificate of Analysis (CoA) is much more useful, because the CoA has actual data, and the tolerance range is typically indicated for each test or measurement that was performed by the supplier. The best report you can get from a supplier is a statistical analysis of each specification during the prototype production lot. When you have a Statistical Process Control (SPC) run chart, you know quantitatively if the supplier is capable of making an acceptable product. The run chart can also be used to develop an appropriate sampling plan for incoming inspection.

Tool # 2: Process Validation

Process validation is much more than determining if a process is capable of producing a consistent product. An SPC run chart can do that. Process validation tells you what range of operating parameters will produce a consistent product. Therefore, when you have process deviations or measurement devices are slightly out-of-calibration, you will know if your supplier’s process will still make an acceptable product. The validation of a process should also identify which variables are critical indicators of the process. This information can be used to reduce the number of variables and specifications that are monitored for a production process, and focus both your supplier’s resources and your own.

Tool # 3: Supplier Auditing

A multi-disciplinary team audit of a potential supplier is an effective tool for assessing a supplier’s qualifications and will help build a stronger relationship between your team and the supplier’s team. Before you conduct an audit, it is important to plan the audit to ensure you get the greatest possible value. The following recommendations are important to supplier auditing:

  1. Use a risk-based approach to auditing suppliers (this goes beyond just critical and non-critical)
  1. Strategically select auditors and train them well
  2. Plan the auditing goals and objectives for the team in advance
  3. Create a formal audit agenda that defines which processes each auditor will be focusing on

Auditing 100% of your critical suppliers may seem impossible, due to limited resources, but have you ever seen a cost/benefit analysis?

What’s the cost of rejects, rework, and product redesign?

Supplier Quality Management Webinars Available 

Are your Suppliers Qualified? Prove It! 

http://robertpackard.wpengine.com/suppliers-qualified-prove/

Supplier Auditing and Remote Auditing: Tips to Save You Time and Money 

http://robertpackard.wpengine.com/supplier-auditing-and-remote-auditing-tips-save-time-money/

 

 

Posted in: Supplier Quality Management

Leave a Comment (3) →
Page 24 of 29 «...10202223242526...»