Auditing Design Controls – 7 Step Process

This blog reviews seven steps for effectively auditing design controls utilizing the ISO 13485 standard and process approach to auditing.

turtle diagram for design controls Auditing Design Controls   7 Step Process

Third-party auditors (i.e., – a Notified Body Auditor) don’t always practice what we preach. I know this may come as a huge shock to everyone, but sometimes we don’t use the process approach. Auditing design controls is a good example of my own failure to follow was it true and pure. Instead, I use NB-MED 2.5.1/rec 5 as a checklist, and I sample Technical Files to identify any weaknesses. The reason I do this is that I want to provide as much value to the auditing client as possible without falling behind in my audit schedule.

Often, I would sample a new Technical File for a new product family that had not been sampled by the Technical Reviewer yet. My reason for doing this is that I could often find elements that are missing from the Technical File before the Technical Reviewer saw the file. This gives the client an opportunity to fix the deficiency before submission and potentially shortens the approval process. Since NB-MED documents are guidance documents, I could not write the client up for a nonconformity, unless they were missing a required element of the M5 version of the MDD (93/42/EEC as modified by 2007/47/EC). This is skirting the edge of consulting for a third- party reviewer, but I found it was a 100% objective way to review Technical Files. I also found I could review an entire Technical File in about an hour.

What’s wrong with this approach to auditing design controls?

This approach only tells you if the elements of a Technical File are present, but it doesn’t evaluate the design process. Therefore, I supplemented my element approach with a process audit of the design change process by picking a few recent design changes that I felt were high-risk issues. During the process audit of the design change process, I sampled the review of risk management documentation, any associated process validation documentation, and the actual design change approval records. If I had time, I looked for the following types of changes: 1) vendor change, 2) specification change, and 3) process change. By doing this, I covered the following clauses in ISO 13485:2016: 7.4 (purchasing), 7.3.9 (design changes), 7.5.6 (process validation), 7.1 (risk management), and 4.2.5 (control of records).

So what is my bastardized process approach to auditing design controls missing? Clauses 7.3.1 through 7.3.10 of ISO 13485:2016 are missing. These clauses are the core of the design and development process. To address this, I would like to suggest the following process approach:

Step 1 – Define the Design Process

Identify the process owner and interview them. Do this in their office–not in the conference room. Get your answers for steps 2-7 directly from them. Ask lots of open-ended questions to prevent “yes/no” responses.

Step 2 – Process Inputs

Identify how design projects are initiated. Look for a record of a meeting where various design projects were vetted and approved for internal funding. These are inputs into the design process. There should be evidence of customer focus, and some examples of corrective actions taken based upon complaints or service trend analysis.

Step 3 – Process Outputs

Identify where Design History Files (DHF) are stored physically or electronically, and determine how the DHF is updated as the design projects progress.

Step 4 – What Resources

This is typically the step of a process audit where their auditor needs to identify “what resources” are used in the process. However, only companies that have software systems for design controls have resources dedicated to Design and Development. I have indicated this in the “Turtle Diagram” presented above.

Step 5 – With Whom, Auditing Training Records

Identify which people are assigned to the design team for a design project. Sometimes companies assign great teams. In this case, the auditor should focus on the team members that must review and approve design inputs (see Clause 7.3.2) and design outputs (see Clause 7.3.3). All of these team members should have training records for Design Control procedures and Risk Management procedures.

Step 6 – Auditing Design Controls Procedures and Forms

Identify the design control procedures and forms. Do not read and review these procedures. Auditors never have the time to do this. Instead, ask the process owner to identify specific procedures or clauses within procedures where clauses in the ISO Standard are addressed. If the process owner knows exactly where to find what you are looking for, they’re training was effective, or they may have written the procedure(s). If the process owner has trouble locating the clauses you are requesting, spend more time sampling training records.

Step 7 – Process Metrics

Ask the process owner to identify some metrics or quality objectives they are using to monitor and improve the design and development process. This is a struggle for many process owners–not just design. If any metrics are not performing up to expectations, there should be evidence of actions being taken to address this. If no metrics are being tracked by the process owner, you might review schedule compliance.

Many design projects are behind schedule, and therefore this is an important metric for most companies. Now that you have completed your “Turtle Diagram,” if you have more time to audit the design process, you can interview team members to review their role in the design process. You could also sample-specific Technical Files as I indicated above. If you are performing a thorough internal audit, I recommend doing both. To learn more about using the process approach to auditing, you can register for our webinar on the topic.

Auditing Design Controls – 7 Step Process Read More »

Software vendors – How do you audit software developers?

Learn how to qualify and audit software vendors to develop software as a medical device (SaMD) and software in a medical device (SiMD).

How do you audit medical device software developers?

Software medical devices are used to assist medical professionals. For example, radiologists use software to identify areas of interest for medical imaging. Do you know how to audit software vendors?

As a third-party auditor, I have had the pleasure of auditing software companies for CE Marking. When you audit a software company for the first time, this forces you to re-learn the entire ISO 13485 Standard. For example, if a company only produces software (i.e., software as a medical device or SaMD), there is very little to sample for incoming inspection and purchasing records. This is because the product is not physical—it’s software. Clauses of ISO 13485 related to sterility, implants, and servicing are also not applicable to SaMD products. If the software is web-based, the shipping and distribution clauses (i.e., – 7.5.1) might also present a challenge to an auditor.

The aspects of the ISO 13485 Standard that I found to be the most important to auditing software products were design controls and customer communication. Many auditors are trained in auditing the design and development of software, but very few auditors have experience auditing technical support call centers. When auditing a call center, most calls represent potential complaints related to software “bugs,” system incompatibilities with the operating system or hardware, and use errors resulting from the design of the user interface.

In most technical support call centers, the support person tries to find a workaround for identified problems. The problem with a “workaround” is that it is the opposite approach to the CAPA process. To meet ISO 13485 requirements, software companies must show evidence of monitoring and measuring these “bugs.” There must also be evidence of management identifying negative trends and implementing corrective actions when appropriate.

As an auditor, you should focus on how the company prioritizes “bugs” for corrective actions. Most software companies focus on the severity of software operations and the probability of occurrence. This is the wrong approach. Failure to operate is not the most severe result of medical device software failure. Medical device software can result in injury or death to patients. Therefore, it is critical to use a risk-based approach to the prioritization of CAPAs. This risk-based approach should focus on the severity of effects upon patients—not users. This focus on safety and performance is emphasized throughout the EU Medical Device Regulations and it is a risk management requirement in ISO 14971.

Referral to one of our favorite software developers

There are many vendors to choose from worldwide, but we prefer to work with smaller companies because our clients are start-up companies. We also prefer to work with vendors focused on the medical device industry. We also look for vendors that complement Medical Device Academy’s quality and regulatory expertise. Bold Type is a perfect example. The video below showcases the President and Founder–Jose Bohorquez. Bold Type provides software development services, cybersecurity consulting services, and software consulting services. If you are interested in speaking with Jose direct, please schedule a meeting with him online.

PS – We do not receive compensation from Bold Type–we just prefer to partner with firms that are ideal for our customers.

Software vendors – How do you audit software developers? Read More »

What is an NB-MED?

The author defines what an NB-MED is, Team NB and their role, provide a regulatory update and some information sources.

Each time I review a list of external standards, I notice at least a few out-of-date references. Occasionally, I am surprised, and everything appears to be current, but it is almost impossible to stay current with all the external standards. The most demanding standards to maintain are those that are untracked. Untracked standards are difficult to keep current with because it requires manually checking each source to determine if a standard has been updated. One of these sources is Team NB.

Team NB

Team NB describes itself as the “European Association of Notified Bodies for Medical Devices.” Team NB is an organization comprised of Notified Bodies (NBs). These NBs create guidance documents to clarify the interpretation of regulations in the EU. Since NBs are generating the documents rather than Competent Authorities (CAs), it is possible for Team NB to reach a consensus more quickly than CAs. Since these documents are guidance documents, the NB-MED documents are not enforceable or binding. However, in all likelihood, your NB will interpret ISO 13485 and the MDD (93/42/EEC as modified by 2007/47/EC) in accordance with these guidance documents.

The website link I provide in my “Helpful Links” page includes many links to important guidance documents. Among the recently updated NB-MED documents is NB-MED 2.5.2/rec 2. The “rec” is not the same as a revision. For example, rec two is “Reporting of design changes and changes of the quality system,” while rec 1 is “Subcontracting – QS related.” The link I have provided will land you directly on the list of NB-MED documents, and the right-hand column identifies the date the document was added to the list. Therefore, if you want to know about new and revised NB-MED documents, you merely need to read the documents that are identified as being added since your last visit.

NB-MED 2.4.2/rec 2

NB-MED 2.5.2/rec 2 is the only recent addition, and you should read it. Many companies struggle with design changes and don’t know if the change is significant. Revision 8 of this document includes helpful examples. I recommend reading this document carefully and then revising your own change notification procedure to match the document. If you don’t have a change notification procedure, your QMS auditor has been lazy. Don’t let them give you the excuse of “It’s just a sampling.” This document has been published for a long time, and the intent has not changed since 2008—just new examples to clarify the interpretations.

There is a posting from 1/14/11. This is an excellent list of all the NB-MED documents. I recommend printing this document and using it to compare against your current external standards list. There is a very recent posting from 2/7/12 that answers frequently asked questions about the implementation of EN 60601. You probably don’t have an active device if you don’t know what this is.

On 3/27/12, Team NB sent a letter indicating that they condemn Poly Implant Prothèse (PIP) for committing fraud (well, duh). Who would endorse them?

Finally, on April 17, 2012, meeting minutes were posted from an April 5 meeting of Team NB. The NBs indicated that the medical device authorization system is excellent! This is not a surprise since any other response would be self-criticism and potentially career-limiting. The minutes also indicate that the team wants as many of the members to endorse the “Code of Conduct” (CoC) that was drafted by the “Big 5” NBs. So far, the acceptance of this Code is limited, but the Competent Authorities have other plans.

Competent Authorities (CAs) are currently evaluating the NBs with regard to competency for handling Class III devices. In addition, there is a plan to revise the European regulations14 the guess). These changes will be significant. The Team NB website could be a source of information about rapid changes in the next 12 months, but it’s the quiet before the storm. The Great Consolidation of European Regulators is about to begin (or maybe all the NBs will endorse the CoC, and the CAs will forget about it).

 

What is an NB-MED? Read More »

Process Approach to Auditing – 7 Steps to Training Auditors

The process approach to auditing is demonstrated using Turtle Diagrams as a tool instead of using traditional auditor checklists.

tutle diagram1 Process Approach to Auditing   7 Steps to Training Auditors

I have been reviewing trends for how people find my website, and a large number of you appear to be interested in my auditing schedules and other audit-related topics. Therefore, this week’s blog is dedicated to training auditors on the process approach.

First, the process approach is just a different way of organizing audits. Instead of auditing by clause, or by procedure, instead, you audit each process. Typical processes include:
  1. Design & Development
  2. Purchasing
  3. Incoming inspection
  4. Assembly
  5. Final Inspection
  6. Packaging
  7. Sterilization
  8. Customer Service
  9. Shipping
  10. Management Review
  11. CAPA
  12. Internal Auditing

Why the Process Approach is Recommended

First, the process approach identifies linkages between processes as inputs and outputs. Therefore, if there is a problem with communication between departments, the process approach will expose it. If only a procedural audit is performed, the lack of communication to the next process is often overlooked.

Second, the process approach is a more efficient way to cover all the clauses of the ISO Standard than auditing each clause (i.e.,– the element approach). My rationale for the claim of greater efficiency is simple: there are 19 required procedures in the ISO 13485 Standard, but there are only 12 processes identified above. The “missing” procedures are incorporated into each process audit.

For example, each process audit requires a review of records as input and outputs. Also, training records should be sampled for each employee interviewed during an audit. Finally, nonconforming materials can be identified and sampled at incoming inspection, in assembly processes, during final inspection, during packaging, and even during shipment. The tool that BSI uses to teach the process approach is the “Turtle Diagram.” The diagram above illustrates where the name came from.

Interviewing with the Process Approach

The first skill to teach a new auditor is the interview. Each process approach audit should begin with an interview of the process owner. The process owner and the name of the process are typically documented in the center of the turtle diagram. Next, most auditors will ask, “Do you have a procedure for ‘x process’?” This is a weak auditing technique because it is a “closed-ended” or yes/no. This type of question does little to help the auditor gather objective evidence. Therefore, I prefer to start with the question, “Could you please describe the process?” This should give you a general overview of the process if you are unfamiliar with it.

After getting a general overview, I like to ask the question: “How do you know how to start the process.” For example, inspectors know that there is material for incoming inspection because raw materials are in the quarantine area. I have seen visual systems, electronic and paper-based systems for notifying QC inspectors of product to inspect. If there is a record indicating that material needs to be inspected—that is the ideal scenario. A follow-up question is, “What are the outputs of the inspection process?” Once again, the auditor should be looking for paperwork. Sampling these records and other supporting records is how the process approach addresses Clause 4.2.4—control of records.

The next step of this approach is to “determine what resources are used by incoming inspection.” This includes gauges used for measurement, cleanliness of the work environment, etc. This portion of the process approach is where an auditor can review calibration, gowning procedures, and software validation. After “With What Resources,” the auditor then needs to identify all the incoming inspectors on all shifts. From this list, the auditor should select people to interview and follow-up with a request for training records.

The sixth step is to request procedures and forms. Many auditors believe that they need to read the procedure. However, if a company has long procedures, this could potentially waste valuable time. Instead, I like to ask the inspector to show me where I can find various regulatory requirements in the procedures. This approach has the added benefit of forcing the inspector to demonstrate they are trained in the procedures—a more effective assessment of competency than reviewing a training record.

Challenging Process Owners

The seventh and final step of the turtle diagram seems to challenge process owners the most. This is where the auditor should be looking for department Quality Objectives and assessing if the department objectives are linked with company quality objectives. Manufacturing often measures first pass yield and reject rates, but every process can be measured. If the process owner doesn’t measure performance, how does the process owner know that all the required work is getting done? The seventh step also is where the auditor can sample and review the monitoring and measurement of processes, and the trend analysis can be verified to be input into the CAPA process.

In my brief description of the process approach, I used the incoming inspection process. I typically choose this process for training new auditors because it is a process that is quite similar in almost every company, and it is easy to understand. More importantly, however, the incoming inspection process does an effective job of covering more clauses of the Standard than most audits. Therefore, new auditors get an appreciation for how almost all the clauses can be addressed in one process audit. If you are interested in learning more about Turtle Diagrams and the process approach to auditing, please register for our webinar on the process approach to auditing.

Process Approach to Auditing – 7 Steps to Training Auditors Read More »

Canadian Medical Device Regulations (CMDR): Identifying New Changes

The author reviews a few methods to identify changes to the Canadian Medical Device Regulations (CMDR), including using the “compare” function in MS Word.

One of the most frustrating things about the Canadian Medical Device Regulations (CMDR), SOR/98-282, is the difficulty in identifying what has changed since the previous revision. There is no detailed revision history indicating what changed. This is surprising to me because Canada was the first country to require ISO 13485 certification as a component of the regulatory approval process. Did the Therapeutic Products Directorate (TPD) overlook Clause 4.2.3?

Using MS Word to Compare CMDR Versions

Anyway, before I became an auditor, the way I determined what changed was to use the “compare” function in MS Word to compare the versions of the CMDR. The bottom of the first page indicates, “Current to May 14, 2012.” This is our revision date, and it seems to change every month. Then below this, the document says, “Last amended on December 16, 2011.” This tells us that the last time TPD made a change was in December. Nowhere does CMDR tell us what changed.

On the second page of the CMDR, there is a note at the bottom of the page that supposedly clarifies the revision history:

“This consolidation is current to May 14, 2012. The last amendments came into force on December 16, 2011. Any amendments that were not in force as of May 14, 2012, are set out at the end of this document under the heading ‘Amendments Not in Force’.”

I have never seen a heading titled “Amendments Not in Force.” So here’s what I do:

  1. “Select All” from the current PDF version of the CMDR and another version before the last amendment date: December 16, 2011.
  2. I copy and paste the text from each document into a separate MS Word document.
  3. I save each document with a different date code.
  4. I use the “compare” function to identify the revisions that were made to the pre-December version.
  5. Then I pound my forehead against my desk because I just wasted 15 minutes to verify that the only changes made between August 8, 2011, and May 14, 2012, were as follows:
    • Date of revision throughout the document
    • Table of Provisions pagination was updated to reflect reformatting of Annex 3
    • Section 32.7 – changed wording from “may” to “shall,” and “giving” to “that gave”
    • Annex 3 was reformatted so that the English and French versions appear side-by-side instead of on page 61 & 62 sequentially

Assessing the Impact of Change

So…the next time a third-party auditor asks you for objective evidence that you have assessed the impact of changes to the CMDR, show them this blog posting. If they force you to document the impact analysis of the change of the word “may” to the word “shall” in Section 32.7, request a new auditor quickly. If they ask for documentation of the impact of the tense change in Section 32.7, also request a new auditor quickly.

On a far less amusing note, the following new and revised regulatory requirements occurred on the TPD website:

  1. On May 31, 2012, there was an announcement by HC indicating “Categorization of Therapeutic Products at the Device/Drug Interface.”
  2. On October 19, 2011, the electronic submission pilot for Class IV devices was expanded to Class III devices: “Notice – Guidance for Industry: Preparation of a Premarket Review Document in Electronic Format for a Class III and Class IV Medical Device Licence Application”; this revised guidance document includes a table for Class III applications based upon the STED guidance document from GHTF.

You can also type in “What’s New” into the search engine for the TPD website. The search results can be narrowed down to a year, and postings are typically no more frequent than monthly (eight in 2011; one in 2012).

You should also be aware of the third-party auditor report guidance document (GD211):Guidance on the Content of Quality Management System audit reports. This was released on June 8, 2011. You can also get training on this GD211 format at the US FDA website. The webinars are at the bottom of the list. 

If you are interested in learning more about the CMDR or CMDCAS, please join my LinkedIn CMDCAS Group.

CMDCAS Group Logo Canadian Medical Device Regulations (CMDR): Identifying New Changes
LinkedIn CMDCAS Group Logo

Canadian Medical Device Regulations (CMDR): Identifying New Changes Read More »

FDA Approval Process: “Triage” for 510(k)

The Triage program for 510(k) submissions is reviewed. The goal of this FDA approval process program is to reduce review time from 90 to 30 days.

Thursday, Congress voted 96 to 1 for a bill to increase FDA user fees. The rationale is that the FDA needs more funding to be strong enough to properly regulate foods, drugs, and medical devices. One of the commitments linked with this new funding is to shorten the review of 510(k) submissions. To this end, OIVD has created a new program called “Triage.” The goal of this program is to accelerate the review of specific traditional 510(k) submissions to 30 days instead of 90 days.

In theory, this pilot program will help some companies get their 510(k) clearance letter faster, but simultaneously, the FDA will be able to concentrate resources on high-risk 510(k) submissions. This entire strategy seems to be the opposite of triage. Triage involves sorting sick patients into three categories:

1) Those who are likely to live, regardless of what care they receive

2) Those who are likely to die, regardless of what care they receive

3) Those for whom immediate care might make a positive difference in their outcome

If we apply the triage analogy to 510(k) submissions, we see three categories:

1)      510(k) submissions that are likely to be approved, regardless of how much time the FDA spends

2)      510(k) submissions that are likely to be rejected, regardless of how much time the FDA spends

3)      510(k) submissions whose approval or rejection is not apparent, but the FDA’s earlier involvement in the design and development process would substantially improve review time.

The FDA’s “triage” program is intended to demonstrate improvement in the time required to approve medical devices by sorting submissions into two groups: group #1 above and group # 2/3 from above. This will make the numbers look good, but the FDA should be spending even less time on #2 than it spends on the #1 category of submissions. The FDA should also get involved in group #3 submissions much earlier.

FDA Approval Process

The types of submissions that need more FDA reviewer time are devices that are higher in risk and where special controls guidance documents and or ISO Standards have not already been established for performance and safety testing criteria (i.e., – Category #3 above). In these cases, when a company tries to obtain some feedback from the FDA, they are asked to request a pre-IDE meeting. The company will not be necessarily performing a clinical trial, but this is the only vehicle the FDA has for justifying the time it spends providing feedback on proposed verification and validation testing plans. The FDA needs to develop a new model that is ideally suited for 510(k) products where guidance and Standards do not exist. This would also have the effect of reducing the number of “Not Substantially Equivalent” (NSE) letters the FDA issues.

If a company is developing a device that already has an applicable special controls document or ISO Standard, then the 510(k) pathway should be well-defined without the FDA’s help. Unfortunately, there is no easy mechanism for ensuring compliance with these external standards. This type of submission would benefit from software-controlled submissions and or pre-screening of submissions by third-party reviewers. The Turbo 510(k) software tool could lend itself to software-controlled submissions, but a proliferation of the Turbo 510(k) has been limited.

Submitting a 510(k)

If a company does not submit a 510(k) with all the required elements of a guidance document, the submission should not be processed. Implementation of validated software tools for each 3-letter product code would prevent incomplete submissions. At the very least, companies should be required to provide a rationale for any sections of submission that are not applicable.

One example of a possible software solution is currently used by third-party auditors at BSI. BSI uses a software tool that will not allow the auditor to generate a final report unless all the required elements have been completed. The FDA could use the existing screening checklist and convert this into a similar “SmartForm.” If the submission does not have all the required elements of the checklist, the submission form could not be generated from the software. This forces the task of pre-screening reviews back upon the submitter with the aid of a validated software tool.

The most significant shortfall of the Triage program is the target product types. IVD devices are quite different from other device types. Each IVD has unique chemistry, and there are a limited number of Guidance documents for IVDs, and IVD submissions represent only 10-20% of all submissions. Orthopedic, cardiovascular, general/plastic surgery and radiology devices each represent more than 10% of the submissions, and collectively they represent half of the submissions. These types of devices also have both special controls documents and ISO Standards defining the design inputs for design verification. Therefore, these four device types would be a better choice for a pilot program to expedite reviews.

FDA Approval Process: “Triage” for 510(k) Read More »

What is a MEDDEV?

The author defines what a MEDDEV is, recent updates, and information resources to learn more.

The most important part of my website is “Helpful Links.” These are the links that I use most in Regulatory Affairs. It started as an auditor’s toolbox, but now I am morphing it into a place to review updates to regulatory requirements and external standards. The MEDDEV’s are on the top of my list. These are the guidance documents written by Competent Authorities. Still, most of the Notified Bodies treat them as requirements and often write nonconformities against at least one of them: MEDDEV 2.12/1 – Medical Device Vigilance System.

Many companies rely on RSS feeds to keep them current on the latest external standards, but this doesn’t work for a MEDDEV. For MEDDEV’s, your best bet is to go to the source. Sure, you can hire a consultant that will try and keep you current. You can also wait until your NB auditor lets you know the hard way (i.e.,. – time to write another administrative CAPA).

For those of you who don’t know the source, it is my #1 “Helpful Link”:

http://ec.europa.eu/health/medical-devices/documents/guidelines/index_en.htm 

When asked how to keep current, my advice is to have a systematic process for checking various sources of external documents. At a minimum, you should be checking all of the possible sources just before each Management Review. This will give you something to include for the requirement in clause 5.6.2h) of the ISO 13485:2003 Standard. “More preferably,” as lawyers would say, check out the website link above at least once per month. For those of you that are completely out of touch, and those that just fell off the University hayride, the following explains why you can’t get away with saying:

“There haven’t been any new or revised regulatory requirements since the last Management Review.”

MEDDEV Updates

There were several updates to the MEDDEVs released as supporting documents for the M5 version of the MDD (93/42/EEC as modified by 2007/47/EC). Specifically, there were four in December 2009 and one in June 2010. Then there were two more MEDDEVs released in December 2010 related to clinical study requirements in Europe. In January 2012, another six MEDDEVs were released, and one more was released in March. Not all of these updates apply to every company, but every RA professional working on CE Marked products has been busy readying themselves to sleep at night.

I could spend some time here telling you a couple of sentences about each of these new MEDDEVs, but someone already did that for me:

http://www.eisnersafety.com/eu-medical-device-meddevs-guidance-docs-newly-rlsed-or-updated/#.T8Oml7Dy-So

One fellow blogger indicated that the MEDDEV 2.5/10, about Authorized Representatives (ARs), was disruptive:

http://medicaldeviceslegal.com/2012/02/09/new-meddev-on-authorised-representatives-everything-you-know-is-wrong/

I don’t agree with Erik Vollebregt about it being disruptive. Erik feels that we can all expect substantial revisions in the AR contracts, but I think the Germany AR’s I have worked with were already moving in this direction. Emergo has been a strong AR all along—with a distinctly more friendly Dutch style to their processes. In the end, I just don’t see Notified Bodies (NBs), making these contracts a priority initiative. I think we’ll see more auditors verifying that contracts are in place and current, but I don’t expect auditors to receive guidance on how to review contracts anytime soon.

The real changes will be in the smaller AR’s that are not European Association of Authorized Representatives (EAAR) members. The Competent Authorities (CAs) have been knocking on the door of various “wannabee” AR’s for a few years now. I think they have done an excellent job of shutting down illegitimate representatives, and the member companies of EAAR (http://www.eaarmed.org/) have done well in raising awareness. The next logical step was to provide some guidance so that there is more consistency among the ARs. I see this as just the beginning of the CA’s moving toward one approach.

Erik wrote another article about MEDDEV 2.12/2 on the subject of Post-Market Clinical Follow-up (PMCF):

http://medicaldeviceslegal.com/2012/01/17/new-eu-guidance-on-post-market-clinical-follow-up-studies-published-and-other-meddev-guidance-announced/

Erik just touched on this MEDDEV briefly, but if your company is a manufacturer of a Class III device that is CE Marked—YOU NEED TO READ THIS MEDDEV!

MEDDEV Whitepaper

As in all things post-market related, BSI has taken the lead by publishing an article that is almost as long as the original MEDDEV. This white paper was written by Dr. Hamish Forster, BSI’s Orthopedic & Dental Product Expert, and the document is called “The Post-Market Priority.” I think you can only obtain a copy of this white paper by requesting it from BSI online, but the customer service person that follows up is quite polite.

BSI’s leadership role in PMCF is not new, either. Gert Bos gave a presentation that highlighted the importance of PMCF back on March 31, 2010:

http://www.bsigroup.nl/upload/Presentatie%2031%20maart%20-%20Gert%20Bos.pdf

My advice for anyone that has a Class III device that is CE Marked is to read this MEDDEV a few times, Annex X 1.1c of the MDD, read the whitepaper, and review these presentations by Gert Bos. This will help you prepare for what is coming. For those of you that think you know something about PMCF and have justified why your company doesn’t need to do it, think again. You should review the 16 bullet points in the MEDDEV on pages 14 and 15 (17 bullets in the whitepaper, but one was just split into two parts). Identify how many of these points apply to your Class III device. The more points that apply to your product, the more extensive the NB’s will expect your PMCF plans to be.

 

What is a MEDDEV? Read More »

How to Write Design Control Procedures

The author has reviewed 100+ design control processes in his career, and this blog provides five steps to write design control procedures.

In my previous blog posting, I indicated six things that medical device companies can do to improve design controls. While the last posting focused on better design team leaders (WANTED: Design Team Needs Über-Leader), this posting focuses on writing stronger procedures. I shared some of my thoughts on how to write design control procedures just a few weeks ago, but my polls and LinkedIn Group discussions generated great feedback regarding how to write design control procedures.

No Need to Write Design Control Procedures

One of the people that responded to my poll commented that there was no option in the poll for “zero.” Design controls do not typically apply to contract manufacturers. These companies make what other companies design. Therefore, their Quality Manual will indicate that Clause 7.3 of the ISO 13485:2016 Standard is excluded. If this describes your company, sit back and enjoy the music.

1 Procedure Only

Another popular vote was “one.” If you only have one procedure for design controls, this meets the requirements. It might even be quite effective.

When I followed up with poll respondents, asking how many pages their procedures were, a few people suggested “one page.” These people are subscribing to the concept of using flow charts instead of text to define the design control process. I use the following diagram to describe the design process: The Waterfall Diagram!

waterfall diagram How to Write Design Control Procedures
From the US FDA Website.

I first saw this diagram in the first course I took on Design Controls. This is on the FDA website too. To make this diagram effective as a procedure, we might need to include some references, such as work instructions, forms, the US FDA guidance document for Design Controls, and Clause 7.3 of the ISO 13485:2016 Standard.

Many Design Control Procedures

The bulk of the remaining respondents indicated that their company has eight or more procedures related to design controls. If each of these procedures is short and specific to a single step in the Waterfall Diagram, this type of documentation structure works well. Unfortunately, many of these procedures are a bit longer.

If your company designs software, active implantable devices, or a variety of device types—it may be necessary to have more than one procedure just to address these more complex design challenges. If your company has eight lengthy procedures to design Class 1 devices that are all in the same device family, then the design process could lose some fat.

In a perfect world, everyone on the design team would be well-trained and experienced. Unfortunately, we all have to learn somehow. Therefore, to improve the effectiveness of the team, we write design control procedures for the team to follow. As an auditor and consultant, I have reviewed 100+ design control processes. One observation is that longer procedures are not followed consistently. Therefore, keep it short. Another observed is that well-designed forms help teams with compliance.

Therefore, if you want to re-write design control procedures, try the following steps:

  1. Use a flow chart or diagram to illustrate the overall process
  2. Keep work instructions and procedures short
  3. Spend more time revising and updating forms, instead of procedures
  4. Train the entire team on design controls and risk management
  5. Monitor and measure team effectiveness and implement corrective actions when needed

The following is a link to the guidance document on design controls from the US FDA website. In addition to the comments I made in this blog, please refer back to my earlier blog on how to write a procedure. You can also purchase Medical Device Academy’s design control procedure and forms.

How to Write Design Control Procedures Read More »

Design Team – Needs a Superwoman Leader

mona superwoman Design Team   Needs a Superwoman Leader
“Mona Superwoman” by Teddy Royannez (France)

This blog discusses the reasons for a female design team leader and the qualities and skills that she should possess to get maximum results out of her team.

Last November, Eucomed published a position paper titled, A new EU regulatory framework for medical devices: Six steps guaranteeing rapid access to safe medical technology while safeguarding innovation. While I have serious doubts that any government will ever be able to “guarantee” anything other than its own continued existence, I have an idea of how the industry can help.

The position paper identified six steps. Each of these steps has a comparable action that could be taken in every medical device company. My list of six steps is:

Only the best leaders have:

  1. Only one approach to design controls
  2. Stronger internal procedures
  3. Cross-pollination by independent reviewers
  4. Clear communication of project status to management
  5. Better project management skills

The most critical element to success is developing stronger design team leaders. Design teams are cross-functional teams that must comply with complex international regulations while simultaneously be creative and develop new products. This type of group is the most challenging type to manage. To be successful, design team leaders must be “Über-Leaders.”

Critical Design Team Leader Skills

The most critical skills are not technical skills but team leadership skills. The role of a design team leader is to ensure that everyone is contributing, without tromping on smaller personalities in the group. Unfortunately, there are more men in this role than women.

Why is this unfortunate? Because men have difficulty when it comes to listening (takes one to know one).

We need a leader that will be strong, but we also need someone that is in touch with the feelings of others and will use that skill to bring out the best of everyone on the team. This superwoman also needs to earn the respect of the male egos around the table. She needs to be an expert in ISO 14971, ISO 13485, Design Controls, Project Management, and managing meetings. Our beautiful heroine must also be a teacher because some of our team members will not know everything—even if they pretend to.

The Über-Leader will always remind the team that Safety & Efficacy are paramount. As team leaders, we must take the “high road” and do what’s right—even when it delays a project or fails to meet our boss’s unrealistic timetable. Superwoman must demand proof in the form of verification and validation data. It is never acceptable to go with an opinion.

She will remind us that compromise is the enemy, and we must be more creative to solve problems without taking shortcuts that jeopardize safety and efficacy. She will work harder on the project than anyone else on the team. She will keep us on schedule. She will whisper to get our attention, but she won’t be afraid to yell and kick our ass.

As Jim Croce says, “You don’t tug on Superman’s cape.” Superwoman is the only exception to this rule.

 

Design Team – Needs a Superwoman Leader Read More »

Design Input Requirements: 3 Common Errors

The author reviews three common errors related to design input requirements and uses examples to illustrate compliance.

I have been directly involved in dozens of design projects throughout my career, and during the past three years, I have audited 50+ Design Dossiers for CE Marking of Medical Devices. Throughout most of these design projects, I have noticed one common thread—a misunderstanding of design inputs.

ISO 13485 identifies design input requirements. These requirements are:

  1. Functional (7.3.2a)
  2. Performance (7.3.2a)
  3. Safety (7.3.2a)
  4. Statutory/Regulatory (7.3.2b)
  5. Previous and Similar Designs (7.3.2c)
  6. Essential Requirements (7.3.2d)
  7. Outputs of Risk Management (7.3.2e)
  8. Customer Requirements (7.2.1)
  9. Organizational Requirements (7.2.1)

Design Requirements: 3 Common Errors Reviewed

The most common error seems to be the failure to include the outputs of risk management. For those of you who have used design FMEAs,that’sight-hand columns are for that. When you identify suggested actions to mitigate risks with the current design, these actions should be translated into inputs for the “new a“d improved” mode”.

The second most common error seems to be a failure to consider regulatory requirements. There are two ways this mistake is frequently made: 1) Canadian MDRs were not considered as design inputs for a device intended for Canadian medical device licensing, and 2) an applicable ISO Standard was not considered (i.e., – “State“of the Art” is E”sential Requirement 2 of the Medical Device Directive (MDD)).

The third most common error, and the one that drives me crazy, is a confusion of design outputs and design inputs. For example, an outer diameter of 2.3 +/- 0.05 mm is not a design input for a 7 French arterial catheter. This is a design output. The user need might be that the catheter must be small enough to fit inside the femoral artery and allow interventional radiologists to navigate to a specific location to administer therapy. Validation that the new design can do this is relatively straight forward to evaluate in a pre-clinical animal model or a clinical study. The question is, “What “s the design input?”

Desi”n Input Examples

Design inputs are supposed to be objective criteria for verification that the design outputs are adequate. One example of a design input is that the catheter outer diameter must be no larger than a previous design that is an 8 French catheter. Another possible design input is that the cathetcatheter’s diameter must be less than a compete competitor’s ct. In both examples, a simple measurement of the OD is all that is required to complete the verification. This also gives a design team much more freedom to develop novel products than a narrow specification of 23 +/- 0.05 mm allows for.

If you are developing a Class II medical device for a 510(k) submission to the FDA, special controls guidance documents will include design inputs. If you are developing a Class IIa, Class IIb, or Class III medical device for CE marking, there is probably an ISO Standard that lists functional, performance, and safety requirements for the device. Regulatory guidance documents and ISO Standards usually reference test methods and indicate acceptance criteria. When you have a test method and acceptance criteria defined, it is easier to write a verification protocol. Therefore, design teams should always strive to document design inputs that reference a test method and acceptance criteria. Verification protocols are much more challenging to write if this is not done.

In my earlier example, the outer diameter of 2.3 +/- 0.05 mm is a specification. Unfortunately, many companies would document this as an input and use the final drawing as the output. By making this mistake“ “ver ““cati”n” si” p”y means measuring the outer diameter to verify that it matches the drawing. This adds no value; if the specifications are incorrect, the design team will not know about it.

A true verification would include a protocol that identifies th“ “wor ““case scenar”o” an”  ”erifies that this still meets the design input requirements. Therefore, if the drawing indicates a dimensional tolerance of 2.3 +/- 0.05, th“ “wor ““ca”e” is” 2”35 mm. The verification process is to measure either a previous version of the product or a competitor’s catheter. The smallest previous version or competitor catheter tested must be larger than the upper limit of the design output for the outer diameter of the new catheter.

Design Input Requirements: 3 Common Errors Read More »

Scroll to Top