
Internal Audit Training for New Hires


The author discusses a few proven internal audit training strategies (i.e., shadowing, auditing process owners) for new hires.

Once you have identified someone that you want to “hire” as an internal auditor, your next step should be to develop an “Onboarding” plan for them with their boss. If you are hiring someone that will be a dedicated auditor, please ignore my quotation marks above. In most companies, however, the internal auditors are volunteers that report to another hiring manager. Therefore, as the audit program manager, you need to get a firm commitment from the auditor’s boss with regard to the time required to train the new auditor and to perform audits on an ongoing basis.


Winning Over the Boss

In my previous posting, I said that “The biggest reason why you want to be an auditor is that it will make you more valuable to the company.” The auditor’s boss may or may not agree with this statement, but the boss knows that the salary is coming out of their budget either way. Therefore, talk with the auditor’s boss and determine what the auditor’s strengths and weaknesses are. Find out which skills the boss would like to see the auditor develop. By doing this, the two of you can develop a plan for making the auditor more valuable to their boss AND the company. 

Making Re-Introductions

Ideally, auditors are extraverted and have worked at the company long enough to know the processes and process owners that they will be assigned to audit—especially if they will be auditing upstream and downstream from their process area. In the past, the auditor may have been a customer or a supplier, but now the relationship with a process owner will change. Auditors are required to interview process owners, and this involves asking tough questions that might not be appropriate in the auditor’s regular job duties. Therefore, as the audit program manager, you should re-introduce the auditor to the process owner in their new capacity as an auditor. During this re-introduction, it is important to make three points:

  1. The auditor is going to be trained first (on auditing and ISO 13485)
  2. You will be shadowing the auditor during the audit, and
  3. The auditor’s job is to help the process owner identify opportunities for improvement

By making the first point, you are reminding the process owner of the scheduled audit—well in advance. You are also informing the process owner that this auditor will have new skills, and the process owner should have some tolerance for mistakes that new employees make. You might also mention that you would like to get the process owner’s feedback after the audit, so the auditor knows which areas they need to improve upon to become better auditors. The second point should put the process owner at ease—assuming the process owner has a good relationship with you as the audit program manager. It is important to be descriptive when “shadowing” is mentioned. Both the process owner and the auditor may not understand the process or the purpose of shadowing. The following blog posting might help with this: “How do you shadow an auditor? Did you learn anything?”

The third point is the most critical step in onboarding a new auditor. For an auditor to be successful, they must ADD VALUE! As an auditor, you cannot pretend to add value. The process owner should know their process, and they probably know which areas are weakest. The audit program manager should encourage the process owner to list some specific areas in which they are having problems. Ideally, the process owner would be informed of this need before the re-introduction. Then the process owner can be better prepared for the meeting, and hopefully, they will have a few target areas already identified. Targets with associated metrics are the best choice for a new auditor because these targets reinforce the process approach to auditing. 

Next Steps for Internal Audit Training

Once your new auditor has been re-introduced to the process owners, they will be auditing, and you need to begin the training process. As with any new employee, it is important to document training requirements and to assess the auditor’s qualifications against the requirements of an auditor. Every new auditor will need some training, but the training should be tailored specifically to the needs of the auditor. The training plan for a new auditor should include the following:

  1. A reading list of company procedures specific to auditing and external standards that are relevant
  2. Scheduled dates for the auditor to shadow another experienced auditor
  3. Scheduled dates for an experienced auditor to shadow the auditor during the first two process audits (upstream and downstream)
  4. Goals and objectives for the internal audit program; and
  5. Any training goals that the auditor’s boss has identified for the auditor


Auditing ISO 14971 – 4 Steps to Assess Compliance

This article describes four key steps for auditing ISO 14971, and suggested auditing questions are included.

Let’s say that you went ahead and purchased ISO 14971:2012, read Annex ZA, and identified a couple of gaps in your procedure. After you revised your Risk Management procedure to be compliant with the revised Standard, then what are you supposed to do?

Most QA Managers struggle over whether they should purchase ISO 14971:2012. I wrote a couple of blog postings about this matter, but my point was not to debate this question but to ensure companies are aware that they need to be compliant with the MDD and the ISO 14971 Standard. The “changes” from 2009 to the 2012 version are simply the European Commission reminding manufacturers that there are seven aspects of the ISO 14971 Standard that do not meet the requirements of the MDD. Therefore, if your company has already verified that your risk management process is compliant with the MDD–then you have nothing to change. However, if your risk management process is only compliant with ISO 14971:2009, then you need to revise your processes and procedures to address these seven aspects.

4 Steps in Auditing ISO 14971

Once you have made revisions to your risk management process, how do you perform auditing of ISO 14971?

Step 1: Planning your auditing ISO 14971

This will be an internal audit, and since you (the QA Manager) are the process owner for the risk management process, you personally cannot audit this process. You need to assign someone that has the technical skill to perform the audit, but this person cannot be the process owner (you) or a direct report to the process owner (the rest of the QA department). Fortunately, the Director of Engineering is also trained as an internal auditor at your company. She is trained on ISO 14971:2009, but she did not receive risk management training to the most current version. To address this gap, she must read the updated Standard to understand what’s new.

Clause 3.2 of ISO 14971 requires that top management review the Risk Management Process for Effectiveness.

She has participated in risk management activities, but each product development engineer participates in risk management activities for their own design projects. Therefore, she has several projects she can sample risk management records from without auditing her own work. You have communicated that you need this audit finished sometime in December because you want any CAPAs resulting from the audit to be finalized before the next Management Review at the end of January. The timing of the Management Review is important because the risk management procedure requires that top management assess the effectiveness of the risk management process during Management Review meetings.

There are no previous audit findings to close from the last audit of the risk management process. Still, the Director of Engineering has seven specific items to emphasize from the 2012 revision of the Standard, and a revised procedure for risk management. Therefore, she will prepare for the audit by identifying some new interview questions to specifically address these changes–as well as some more general, open-ended questions.

Specific questions related to Annex ZA when auditing ISO 14971

1. How does the risk analysis evaluate the acceptability of risks in the lowest category? (This is a leading question, but it is specifically designed to determine if negligible risks are discarded).

2. Please provide a few examples of how risks in the lowest category were reduced. (Sections 1 and 2 of Annex I require all risks to be reduced as far as possible, and all risks to be evaluated for acceptability. The wording of this question also allows auditors flexibility in their sampling).

3. How did the design team determine when they had implemented sufficient risk controls to minimize risks? (Many companies use a color-coded matrix as a quasi-objective method for determining when risks are adequately reduced. This process is often referred to as the ALARP concept. Annex ZA specifically prohibits using economic considerations as part of this determination).

4. How did you conduct a risk-benefit analysis? (The Standard allows for performing a risk-benefit analysis when overall residual risks exceed the acceptability criteria as outlined in the risk management plan. However, the MDD requires an overall risk-benefit analysis in Section 1 of Annex I. Section 6 also requires that a risk-benefit analysis be performed for each individual risk).

5. How were risk control options selected? (Section 2 of the MDD implies that the manufacturer shall review all the control options and pick the most appropriate ones. Therefore, the auditor should specifically look for evidence that the team systematically reviewed all possible control options to reduce risks–rather than stopping as soon as the risks were reduced to an acceptable level).

6. What were your team’s priorities for the implementation of risk control options? (It’s possible that the previous question will be sufficient to gather evidence that risk controls were implemented with the required prioritization, as specified in the MDD. However, this question would be used as a follow-up question if it is not clear that the team prioritized the risk control options in accordance with Section 2 of Annex I).

7. How was the effect of labeling and warnings in the instructions for use incorporated into the estimation of residual risks? (Almost every company remembers to include residual risks in their IFU as a warning or caution statement. However, Section 2 of Annex I does not allow for including this information given to the users as a method of reducing risks. Therefore, in a Design FMEA, you would not list labeling and IFUs in your column for current risk controls when you determine the risk. This should be identified as an action to be taken–with no impact on the score for residual risk).

The above questions are not examples of using the process approach, but each question is phrased in an open-ended manner to maximize the objective evidence gathered during the interview process. If you are doing a process audit, it’s still acceptable to include questions that use the element approach.

Generic questions when auditing ISO 14971

1. When was the ISO 14971:2012 version of the Standard added to the controlled list of external Standards?

2. Please provide examples of where you have updated the Essential Requirements Checklist (a Technical File document) to reference the newest revision of ISO 14971:2012, and please show at least one example of how the risk management report was updated to reflect this revision.

3. How did you verify training effectiveness for the design team specific to the updated risk management procedure before conducting a risk analysis?

These generic questions do not require reading the ISO 14971:2012 Standard. Instead, each question forces the auditee to demonstrate their knowledge of the revised Standard by answering open-ended interview questions. Each of these questions is also designed to test linkages with other support processes. This is an example of how to use the process approach.

Step 2: Auditing ISO 14971

The next step is to conduct your audit of ISO 14971. During the auditing of ISO 14971, the Director of Engineering will gather objective evidence of both conformity and nonconformity for the risk management process. The generic interview questions that were developed allow her to evaluate the effectiveness of linkages between the risk management process and other processes, such as:

1) Document control

2) Creating technical documentation for regulatory submissions

3) The training process

Specific questions verify that each of the seven elements identified in Annex ZA of ISO 14971:2012 is adequately addressed in the revised procedure. When the audit is completed, the auditor will have a closing meeting with the process owner (you) and the auditee(s), so that everyone is clear about what the findings were, and if there were any nonconformities. This is the time to clarify what needs to be done to prevent each nonconformity from recurring.

Step 3: Writing the Report & Taking Corrective Action(s)

This is no different from any other audit. Still, it is critical to have the report completed soon enough so that CAPAs can be initiated (not necessarily completed) before the Management Review.

Step 4: Verifying Effectiveness of Corrective Action(s)

Many people struggle with verifying the effectiveness of corrective actions–regardless of the process. My advice is to identify a process metric to measure effectiveness. Then the effectiveness check is objective. For example, monitoring the frequency of updates to the list of external standards can help verify that the process for monitoring when Standards are updated is effective. Likewise, the frequency of updates to the Essential Requirements Checklist and the risk management records referenced in the Essential Requirements Checklist indicates if the risk management process is being maintained. Finally, monitoring the lag between the time procedures are updated and when the associated training records are updated quickly identifies if there is a systemic problem with training or if a training gap is just an example of a single lapse.


Quality Management System Information Sources

This blog reviews a number of quality management system information sources.

A blog follower from Jon Speer’s website, Creo Quality, recently sent me a message asking for information sources on Quality Management System (QMS) subject matter.

The single best guidance document on the implementation of a QMS system in accordance with ISO 13485 is “13485 Plus” (type in the words in quotes to the CSA Group search engine).

There are also a bunch of pocket guides you can purchase for either ISO 9001 or ISO 13485 to help you quickly access information you are having trouble remembering. One of my lead auditor students recommended one pocket guide in particular and she was kind enough to give me her copy.

There are some webinars out there that provide an overview of QMS Standards. Some are free and some have a modest fee. I’m not sure of the value for these basic overview webinars, but if you need to train a group, it’s a great solution. I know BSI has several webinars that are recorded for this purpose.

AAMI has an excellent course on the Quality System Regulations (QSR) which combines 21 CFR 820 and ISO 13485.

There are a number of blogs I recommend on my website.

You can try to identify a local mentor–either in your own company, or at your local ASQ Section.

You can join the following LinkedIn subgroup: Medical Device: QA/RA. You will need to become a member of the parent group (Medical Device Group)–if you are not already one of the 140,000+ members connected with Joe Hage. George Marcel and I manage this subgroup for Joe.

You can visit the Elsmar Cove website and participate in the discussions you find there. I wrote a blog about Elsmar Cove a while back (wow almost 2 years ago now).

The best way to learn this stuff is to do all of the above.


How to request FDA Device Classification – 513(g) Alternative

This blog provides a five-step process on how to request FDA device classification information. A screenshot of the FDA website for each step is included.

If your company is currently registering with the US FDA, you are probably reviewing the guidance document this month for the FY2013 user fees. On pages six and seven, there is a table of these fees, but you might have overlooked 513(g). Section 513(g) is a provision in the law that allows companies to request device classification information from the FDA.

For example, if your company was developing a new product, and you were having difficulty identifying the regulatory pathway, 513(g) is your friend. In my opinion, these fees are modest: $5,061 = Standard Fee, and $2,530 = Small Business Fee (updated for FY 2022). Most consultants will charge at least ten hours of consulting to identify the regulatory pathway for a company. I would charge quite a bit less because it takes me a lot less than ten hours. I still think the FDA’s pricing is a good deal because getting information directly from the source is always more valuable than an “expert.”

The US FDA has published a guidance document explaining the process for 513(g) requests. This guidance document was released on April 6, 2012 (updated in 2019). The guidance explains what information companies need to provide in order to submit a 513(g) request. The guidance also has a fantastic list of FDA resources on page five. These are the very same resources that the “experts” use—including yours truly. If you absolutely don’t want to submit a 513(g), and you plan to search for your own predicate, we have another related article that provides five alternatives to a 513(g) for identifying a predicate device.

Just as any good lawyer tries to avoid asking questions that they don’t already know the answer to, I recommend that you first try using these resources yourself. Once you think you know the answer, your request for classification information will be easier to organize.

Here’s how I would proceed to request FDA device classification information: 

Step 1 – Are there similar devices on the market?

Identify another device similar to yours. If you can’t do this, you need serious help. You need a similar device that is already sold on the market to use as a predicate device. If you cannot identify a predicate, then you can’t use the 510(k) process—or you don’t know your competition. Either way, there are challenges to overcome. For example, if you are trying to launch a new topical adhesive made from cyanoacrylate—“Dermabond” might be the first predicate device that comes to mind.


Step 2 – Search the Registration Database for FDA Device Classification

Use the registration and listing database on the FDA website to find the company that manufactures the device. The link for this is #4 on my helpful links page (updated). This link also will provide you with connections to the classification database—which you can use to find the classification for any device. However, the registration and listing database is less likely to lead you astray. When I type “Dermabond” into the field for the proprietary device name, I get a list of five different product listings.


Step 3 – Select one of the competitor links to identify the FDA Device Classification

Clicking on any one of these five will take you to a listing page for the corresponding company. On that page, you will find the three-letter product code that identifies the device classification and the applicable regulations for that device.


Step 4 – You found the FDA Device Classification

Clicking on the three-letter product code (i.e., “MPN” in our Dermabond example) takes you to the Product Classification page. This is where you will find that Dermabond, and other tissue adhesives, are Class II devices that require a 510(k) submission. Also, the Product Classification page identifies an applicable guidance document to follow for design verification and validation testing. This is also called the “Special Controls Document.”


Step 5 – The TPLC Report lists all the recent 510(k) submissions

Click on the “TPLC Product Code Report” link. This link will provide you with a report of all the 510(k)s recently granted to your competitors, problems customers have experienced with their products, and recalls for the past five years. This is extremely valuable information as a design input—as well as competitive information for your marketing team.

TPLC Report for Product Code “MPN” – Topical Adhesive


10 FDA Inspection Strategies that DON’T Work

You were just notified of an FDA inspection and don’t think you are ready; using tricks to hide your problems is a huge mistake. Over the years, I have heard a few recommendations for “secrets” to hide those problems. In this post, I share my top 10 FDA Inspection Strategies–and why they DON’T work.

Here are my top 10 ways to make an FDA inspection worse:

10. Stalling when the investigator makes a request – This just irritates investigators. At best, the investigator will use the waiting time to identify additional documents to sample or to review the information you have provided more closely. At worst, the investigator will accuse the company of not cooperating with the inspection, and the investigator may return the following week with several more team members to help them. Whenever this occurred during a third-party audit that I conducted, I would move onto another area and interview someone. However, before I left the person that was slow to respond, I provided the person with a list of documents and records that I expected to be waiting for me upon my return. In extreme cases, I had to bluntly tell the management representative that I needed documentation more quickly. As an instructor, I teach auditors techniques for coping with this tactic.

9. Suggesting records for the investigator to sample – This is forbidden in third-party inspections and audits. The FDA has work instructions for identifying sample sizes, and samples are supposed to be selected randomly. In reality, samples are rarely random, and the investigator usually follows a trail to a specific lot, part number, etc. When clients offered me samples, I tried to be polite and review the records they provided. However, I also would request several other records or follow a trail, as I have indicated above. Another approach I often use is to focus on high-risk items (i.e., a risk-based approach to sampling). In general, you can expect the FDA investigators to sample more items than a registrar–and sample sizes are often statistically derived if the number of records is sufficiently large. When sample sizes are pretty small, I recommend sampling 100% of the records since the previous inspection/audit. This is not always possible for third-party auditors, but internal auditors often can achieve this.

8. Outsourcing processes to subcontractors – The FDA recently reinstated the requirement for contract manufacturers and contract sterilizers to be registered with the FDA by October 1, 2012. Therefore, hiding manufacturing problems from the FDA by outsourcing manufacturing is increasingly more difficult. In addition, the FDA focuses heavily on supplier controls and validation of outsourced processes. Therefore, an investigator will identify high-risk processes performed by subcontractors and request process validation documentation from that supplier. If the company does not have the validation reports, this could quickly escalate to a 483 and possibly a visit to the subcontractor.

7. Trying to correct problems during the inspection – This is what I like to call the document creation department. At one company I worked for, we noticed a mistake across several of the procedures and made a change overnight between the first and second days of the audit. When the auditor asked for the procedures in the morning, he asked, “Is the ink dry yet?” The auditor then requested records demonstrating compliance with the newly minted procedures. As you might have guessed, this resulted in several nonconformities. When clients attempt to correct problems found by an investigator, the investigator typically will respond with the following statement, “I applaud you for taking immediate action to contain and correct the problem. However, you still need to investigate the root cause and develop a corrective action plan to prevent a recurrence. To do this investigation properly may take several days.” I also teach auditors to memorize this phrase.

6. Writing a letter to file – When companies make minor design changes, one of the most common approaches is to “write a letter to file.” This phrase indicates that the design team is adding a memo to the Design History File (DHF) that justifies why design validation or regulatory notification/approval is not required. The FDA used to publish a decision tree to help companies make these decisions. In fact, such a decision tree is still part of the Canadian significant change document. The FDA recently withdrew a draft document that eliminated many perceived opportunities to utilize the “letter to file” approach. However, the FDA will still issue a 483 to a company if the investigator can identify a change that required validation that was not done or a 510(k) that was not submitted for a design change. The FDA looks explicitly for these types of issues when an investigator is doing a “for cause” inspection after a recall or patient death.

5. Shut it down – Not running a production line that has problems is an ideal strategy for hiding problems. However, the FDA and auditors will be forced to spend more time sampling and reviewing records of the problematic production line. If you need to shut down a line, ensure everything is identified as non-conforming, and carefully segregate rejected products from good ones. You should also use these problem lines to show off your investigation skills and ability to initiate CAPAs. If you simply forgot to validate a piece of equipment or do some maintenance, take your lumps and keep production running. If you are a contract manufacturer, never shut it down without notifying the customer. If you do not tell your customer, you will get a complaint related to on-time delivery and a 483.

4. Storing all records off-site – I first heard about this tactic during an auditor course I was co-teaching. During the course, we had many reasons why the company should be able to provide the records in a timely manner. However, I have experienced this first-hand as a third-party auditor. When this happens, I do three things: 1) increase my sampling of available records, 2) carefully review supplier controls and supplier evaluation of the storage facility (assuming it is outsourced), and 3) verify that the company has a systematic means for tracking the location (i.e., pallet and box) for every record sent to storage. FDA investigators will move along to another record and follow up on their earlier request with a second visit or a request to send them a copy of the document after the inspection.

3. Identifying information as confidential – A company can claim information is confidential and may not be shared with the public. Still, very little information concerning the FDA or Notified Bodies is “confidential.” Therefore, this strategy rarely works. In fact, it will enrage most FDA investigators. In training courses, I train auditors to ask the auditee to redact confidential information. For example, a CAPA log may have confidential information in the descriptions, but the trend data on opening and closing dates are never confidential.

2. The FDA is not allowed to look at those records – Although this statement is technically true for internal audit reports and management reviews, the FDA always says that they can access this information through the CAPA system. What the FDA means is that there should always be evidence of CAPAs from internal audits and management reviews. If there is not, then this will quickly become a 483. Another person I met tells the story that when they agreed to share the management review records with the investigator, the inspector rarely issued a 483. When they refused to share the management review with the FDA, the inspection went quite badly from that point forth. I’m afraid I have to disagree with being vindictive, but it happens.

1. Show me where that is required – This is just silly. Investigators and auditors are trained on the regulations, while you are educated on your procedures. Spend your time and effort figuring out how your procedures meet the regulations in some way. Challenging the investigator excites the investigator. We all like a challenge–and we rarely lose. One auditee tried this approach with me in front of their CEO. This experience allowed me to show off that I had memorized the clause in question–and the corresponding guidance document sections. I think the CEO realized quickly that the management representative was not qualified.

My final advice is to do your best to help the investigator do their job and treat every 483 as “just an opportunity to improve.” Just ensure you submit a response in 14 days, or you will receive a Warning Letter, too!


Wiki Document Control

The author read an article about Wiki document control, and he shares a “genius idea that is coming of age.”

Wiki Document Control

Procedures can constantly be improved, but our goal is to make better products—not better procedures. So, what could be so exciting about document control that I feel compelled to write another post about “blah, blah, blah?” I read an article about using Wiki for document control. A Wiki is a collaborative environment where anyone can add, delete, and edit content. All changes are saved, and Wiki can be controlled—while simultaneously being available to everyone. The most famous of all Wikis is Wikipedia. In 2009, Francisco Castaño (a.k.a. Pancho) began a discussion thread to explain how his company used Wiki to manage its documentation system. Last month, ASQ published an update on the status of Pancho’s Wiki process for document control. Depending upon how you implement a Wiki and what software tools you use, it might be a virtual quality system or an eQMS.

Writing Procedures

The process owner writes procedures in most companies, and other people rarely comment on minor errors. In the most dysfunctional companies, the Quality Department writes the procedures for the rest of the company or outsources them to consultants. Reviewing and editing procedures should be the responsibility of everyone in the company. Still, I never considered the possibility of having everyone within the company edit procedures simultaneously—until I saw Pancho’s thread. Throughout the discussion, others have indicated that they also tried using Wiki to optimize content. This is a genius idea that is coming of age.

Many QMS consultants, including myself, have written procedures for clients. Sometimes, this is part of the consulting business model. In these cases, the consultant writes a procedure once and edits it forever—while getting paid a modest fee each time a client asks for a “new” procedure. I often think that it would make more sense to do something like Linux developers have done—use the collaboration of QMS experts around the world to create a general procedure that is free to everyone. This is possible using Wikis that are publicly available.

Very soon (hopefully in 2013), the responsibilities section of our procedures will fundamentally change. Instead of reading and understanding, everyone will be responsible for writing and editing (oh no, I’ll have to create a new learning pyramid).

Quality will no longer be responsible for writing procedures. Instead, the quality function can focus on monitoring, measuring, data analysis, and improving processes and products. The downside is that we will need fewer personnel in document control.

If you want to learn more about Wiki for document control, follow this thread on Elsmar Cove. It’s rich in content, and even the moderators have been forced to rethink their preconceptions.

You should also read two articles by Pancho:

  1. Using a Wiki for Document Control
  2. Using a Wiki to Implement a Quality Management System


What is an NB-MED?

The author defines what an NB-MED is, describes Team NB and its role, and provides a regulatory update and some information sources.

Each time I review a list of external standards, I notice at least a few out-of-date references. Occasionally, I am surprised, and everything appears to be current, but it is almost impossible to stay current with all the external standards. The most demanding standards to maintain are those that are untracked. Untracked standards are difficult to keep current with because it requires manually checking each source to determine if a standard has been updated. One of these sources is Team NB.

Team NB

Team NB describes itself as the “European Association of Notified Bodies for Medical Devices.” Team NB is an organization comprised of Notified Bodies (NBs). These NBs create guidance documents to clarify the interpretation of regulations in the EU. Since NBs are generating the documents rather than Competent Authorities (CAs), it is possible for Team NB to reach a consensus more quickly than CAs. Since these documents are guidance documents, the NB-MED documents are not enforceable or binding. However, in all likelihood, your NB will interpret ISO 13485 and the MDD (93/42/EEC as modified by 2007/47/EC) in accordance with these guidance documents.

The website link I provide in my “Helpful Links” page includes many links to important guidance documents. Among the recently updated NB-MED documents is NB-MED 2.5.2/rec 2. The “rec” is not the same as a revision. For example, rec 2 is “Reporting of design changes and changes of the quality system,” while rec 1 is “Subcontracting – QS related.” The link I have provided will land you directly on the list of NB-MED documents, and the right-hand column identifies the date the document was added to the list. Therefore, if you want to know about new and revised NB-MED documents, you merely need to read the documents that are identified as being added since your last visit.

NB-MED 2.5.2/rec 2

NB-MED 2.5.2/rec 2 is the only recent addition, and you should read it. Many companies struggle with design changes and don’t know if the change is significant. Revision 8 of this document includes helpful examples. I recommend reading this document carefully and then revising your own change notification procedure to match the document. If you don’t have a change notification procedure, your QMS auditor has been lazy. Don’t let them give you the excuse of “It’s just a sampling.” This document has been published for a long time, and the intent has not changed since 2008—just new examples to clarify the interpretations.

There is a posting from 1/14/11. This is an excellent list of all the NB-MED documents. I recommend printing this document and using it to compare against your current external standards list. There is a very recent posting from 2/7/12 that answers frequently asked questions about the implementation of EN 60601. You probably don’t have an active device if you don’t know what this is.

On 3/27/12, Team NB sent a letter indicating that they condemn Poly Implant Prothèse (PIP) for committing fraud (well, duh). Who would endorse them?

Finally, on April 17, 2012, meeting minutes were posted from an April 5 meeting of Team NB. The NBs indicated that the medical device authorization system is excellent! This is not a surprise since any other response would be self-criticism and potentially career-limiting. The minutes also indicate that the team wants as many of the members to endorse the “Code of Conduct” (CoC) that was drafted by the “Big 5” NBs. So far, the acceptance of this Code is limited, but the Competent Authorities have other plans.

Competent Authorities (CAs) are currently evaluating the NBs with regard to competency for handling Class III devices. In addition, there is a plan to revise the European regulations14 the guess). These changes will be significant. The Team NB website could be a source of information about rapid changes in the next 12 months, but it’s the quiet before the storm. The Great Consolidation of European Regulators is about to begin (or maybe all the NBs will endorse the CoC, and the CAs will forget about it).

 


Canadian Medical Device Regulations (CMDR): Identifying New Changes

The author reviews a few methods to identify changes to the Canadian Medical Device Regulations (CMDR), including using the “compare” function in MS Word.


One of the most frustrating things about the Canadian Medical Device Regulations (CMDR), SOR/98-282, is the difficulty in identifying what has changed since the previous revision. There is no detailed revision history indicating what changed. This is surprising to me because Canada was the first country to require ISO 13485 certification as a component of the regulatory approval process. Did the Therapeutic Products Directorate (TPD) overlook Clause 4.2.3?

Using MS Word to Compare CMDR Versions

Anyway, before I became an auditor, the way I determined what changed was to use the “compare” function in MS Word to compare the versions of the CMDR. The bottom of the first page indicates, “Current to May 14, 2012.” This is our revision date, and it seems to change every month. Then below this, the document says, “Last amended on December 16, 2011.” This tells us that the last time TPD made a change was in December. Nowhere does CMDR tell us what changed.

On the second page of the CMDR, there is a note at the bottom of the page that supposedly clarifies the revision history:

“This consolidation is current to May 14, 2012. The last amendments came into force on December 16, 2011. Any amendments that were not in force as of May 14, 2012, are set out at the end of this document under the heading ‘Amendments Not in Force’.”

I have never seen a heading titled “Amendments Not in Force.” So here’s what I do:

  1. “Select All” from the current PDF version of the CMDR and another version before the last amendment date: December 16, 2011.
  2. I copy and paste the text from each document into a separate MS Word document.
  3. I save each document with a different date code.
  4. I use the “compare” function to identify the revisions that were made to the pre-December version.
  5. Then I pound my forehead against my desk because I just wasted 15 minutes to verify that the only changes made between August 8, 2011, and May 14, 2012, were as follows:
    • Date of revision throughout the document
    • Table of Provisions pagination was updated to reflect reformatting of Annex 3
    • Section 32.7 – changed wording from “may” to “shall,” and “giving” to “that gave”
    • Annex 3 was reformatted so that the English and French versions appear side-by-side instead of on page 61 & 62 sequentially

Assessing the Impact of Change

So…the next time a third-party auditor asks you for objective evidence that you have assessed the impact of changes to the CMDR, show them this blog posting. If they force you to document the impact analysis of the change of the word “may” to the word “shall” in Section 32.7, request a new auditor quickly. If they ask for documentation of the impact of the tense change in Section 32.7, also request a new auditor quickly.

On a far less amusing note, the following new and revised regulatory requirements occurred on the TPD website:

  1. On May 31, 2012, there was an announcement by HC indicating “Categorization of Therapeutic Products at the Device/Drug Interface.”
  2. On October 19, 2011, the electronic submission pilot for Class IV devices was expanded to Class III devices: “Notice – Guidance for Industry: Preparation of a Premarket Review Document in Electronic Format for a Class III and Class IV Medical Device Licence Application”; this revised guidance document includes a table for Class III applications based upon the STED guidance document from GHTF.

You can also type “What’s New” into the search engine for the TPD website. The search results can be narrowed down to a year, and postings are typically no more frequent than monthly (eight in 2011; one in 2012).

You should also be aware of the third-party auditor report guidance document (GD211): Guidance on the Content of Quality Management System audit reports. This was released on June 8, 2011. You can also get training on this GD211 format at the US FDA website. The webinars are at the bottom of the list.

If you are interested in learning more about the CMDR or CMDCAS, please join my LinkedIn CMDCAS Group.



FDA Approval Process: “Triage” for 510(k)

The Triage program for 510(k) submissions is reviewed. The goal of this FDA approval process program is to reduce review time from 90 to 30 days.

Thursday, Congress voted 96 to 1 for a bill to increase FDA user fees. The rationale is that the FDA needs more funding to be strong enough to properly regulate foods, drugs, and medical devices. One of the commitments linked with this new funding is to shorten the review of 510(k) submissions. To this end, OIVD has created a new program called “Triage.” The goal of this program is to accelerate the review of specific traditional 510(k) submissions to 30 days instead of 90 days.

In theory, this pilot program will help some companies get their 510(k) clearance letter faster, but simultaneously, the FDA will be able to concentrate resources on high-risk 510(k) submissions. This entire strategy seems to be the opposite of triage. Triage involves sorting sick patients into three categories:

1) Those who are likely to live, regardless of what care they receive

2) Those who are likely to die, regardless of what care they receive

3) Those for whom immediate care might make a positive difference in their outcome

If we apply the triage analogy to 510(k) submissions, we see three categories:

1) 510(k) submissions that are likely to be approved, regardless of how much time the FDA spends

2) 510(k) submissions that are likely to be rejected, regardless of how much time the FDA spends

3) 510(k) submissions whose approval or rejection is not apparent, but the FDA’s earlier involvement in the design and development process would substantially improve review time.

The FDA’s “triage” program is intended to demonstrate improvement in the time required to approve medical devices by sorting submissions into two groups: group #1 above and groups #2 and #3 from above. This will make the numbers look good, but the FDA should be spending even less time on #2 than it spends on the #1 category of submissions. The FDA should also get involved in group #3 submissions much earlier.

FDA Approval Process

The types of submissions that need more FDA reviewer time are devices that are higher in risk and where special controls guidance documents and/or ISO Standards have not already been established for performance and safety testing criteria (i.e., Category #3 above). In these cases, when a company tries to obtain some feedback from the FDA, they are asked to request a pre-IDE meeting. The company will not necessarily be performing a clinical trial, but this is the only vehicle the FDA has for justifying the time it spends providing feedback on proposed verification and validation testing plans. The FDA needs to develop a new model that is ideally suited for 510(k) products where guidance and Standards do not exist. This would also have the effect of reducing the number of “Not Substantially Equivalent” (NSE) letters the FDA issues.

If a company is developing a device that already has an applicable special controls document or ISO Standard, then the 510(k) pathway should be well-defined without the FDA’s help. Unfortunately, there is no easy mechanism for ensuring compliance with these external standards. This type of submission would benefit from software-controlled submissions and/or pre-screening of submissions by third-party reviewers. The Turbo 510(k) software tool could lend itself to software-controlled submissions, but proliferation of the Turbo 510(k) has been limited.

Submitting a 510(k)

If a company does not submit a 510(k) with all the required elements of a guidance document, the submission should not be processed. Implementation of validated software tools for each 3-letter product code would prevent incomplete submissions. At the very least, companies should be required to provide a rationale for any sections of the submission that are not applicable.

One example of a possible software solution is currently used by third-party auditors at BSI. BSI uses a software tool that will not allow the auditor to generate a final report unless all the required elements have been completed. The FDA could use the existing screening checklist and convert this into a similar “SmartForm.” If the submission does not have all the required elements of the checklist, the submission form could not be generated from the software. This forces the task of pre-screening reviews back upon the submitter with the aid of a validated software tool.

The most significant shortfall of the Triage program is the target product types. IVD devices are quite different from other device types. Each IVD has unique chemistry, and there are a limited number of Guidance documents for IVDs, and IVD submissions represent only 10-20% of all submissions. Orthopedic, cardiovascular, general/plastic surgery and radiology devices each represent more than 10% of the submissions, and collectively they represent half of the submissions. These types of devices also have both special controls documents and ISO Standards defining the design inputs for design verification. Therefore, these four device types would be a better choice for a pilot program to expedite reviews.


What is a MEDDEV?

The author defines what a MEDDEV is, recent updates, and information resources to learn more.

The most important part of my website is “Helpful Links.” These are the links that I use most in Regulatory Affairs. It started as an auditor’s toolbox, but now I am morphing it into a place to review updates to regulatory requirements and external standards. The MEDDEVs are on the top of my list. These are the guidance documents written by Competent Authorities. Still, most of the Notified Bodies treat them as requirements and often write nonconformities against at least one of them: MEDDEV 2.12/1 – Medical Device Vigilance System.

Many companies rely on RSS feeds to keep them current on the latest external standards, but this doesn’t work for a MEDDEV. For MEDDEVs, your best bet is to go to the source. Sure, you can hire a consultant that will try and keep you current. You can also wait until your NB auditor lets you know the hard way (i.e., time to write another administrative CAPA).

For those of you who don’t know the source, it is my #1 “Helpful Link”:

http://ec.europa.eu/health/medical-devices/documents/guidelines/index_en.htm 

When asked how to keep current, my advice is to have a systematic process for checking various sources of external documents. At a minimum, you should be checking all of the possible sources just before each Management Review. This will give you something to include for the requirement in clause 5.6.2h) of the ISO 13485:2003 Standard. “More preferably,” as lawyers would say, check out the website link above at least once per month. For those of you that are completely out of touch, and those that just fell off the University hayride, the following explains why you can’t get away with saying:

“There haven’t been any new or revised regulatory requirements since the last Management Review.”

MEDDEV Updates

There were several updates to the MEDDEVs released as supporting documents for the M5 version of the MDD (93/42/EEC as modified by 2007/47/EC). Specifically, there were four in December 2009 and one in June 2010. Then there were two more MEDDEVs released in December 2010 related to clinical study requirements in Europe. In January 2012, another six MEDDEVs were released, and one more was released in March. Not all of these updates apply to every company, but every RA professional working on CE Marked products has been busy reading themselves to sleep at night.

I could spend some time here telling you a couple of sentences about each of these new MEDDEVs, but someone already did that for me:

http://www.eisnersafety.com/eu-medical-device-meddevs-guidance-docs-newly-rlsed-or-updated/#.T8Oml7Dy-So

One fellow blogger indicated that the MEDDEV 2.5/10, about Authorized Representatives (ARs), was disruptive:

http://medicaldeviceslegal.com/2012/02/09/new-meddev-on-authorised-representatives-everything-you-know-is-wrong/

I don’t agree with Erik Vollebregt about it being disruptive. Erik feels that we can all expect substantial revisions in the AR contracts, but I think the German ARs I have worked with were already moving in this direction. Emergo has been a strong AR all along—with a distinctly more friendly Dutch style to their processes. In the end, I just don’t see Notified Bodies (NBs) making these contracts a priority initiative. I think we’ll see more auditors verifying that contracts are in place and current, but I don’t expect auditors to receive guidance on how to review contracts anytime soon.

The real changes will be in the smaller ARs that are not European Association of Authorized Representatives (EAAR) members. The Competent Authorities (CAs) have been knocking on the door of various “wannabee” ARs for a few years now. I think they have done an excellent job of shutting down illegitimate representatives, and the member companies of EAAR (http://www.eaarmed.org/) have done well in raising awareness. The next logical step was to provide some guidance so that there is more consistency among the ARs. I see this as just the beginning of the CAs moving toward one approach.

Erik wrote another article about MEDDEV 2.12/2 on the subject of Post-Market Clinical Follow-up (PMCF):

http://medicaldeviceslegal.com/2012/01/17/new-eu-guidance-on-post-market-clinical-follow-up-studies-published-and-other-meddev-guidance-announced/

Erik just touched on this MEDDEV briefly, but if your company is a manufacturer of a Class III device that is CE Marked—YOU NEED TO READ THIS MEDDEV!

MEDDEV Whitepaper

As in all things post-market related, BSI has taken the lead by publishing an article that is almost as long as the original MEDDEV. This white paper was written by Dr. Hamish Forster, BSI’s Orthopedic & Dental Product Expert, and the document is called “The Post-Market Priority.” I think you can only obtain a copy of this white paper by requesting it from BSI online, but the customer service person that follows up is quite polite.

BSI’s leadership role in PMCF is not new, either. Gert Bos gave a presentation that highlighted the importance of PMCF back on March 31, 2010:

http://www.bsigroup.nl/upload/Presentatie%2031%20maart%20-%20Gert%20Bos.pdf

My advice for anyone that has a Class III device that is CE Marked is to read this MEDDEV a few times, read Annex X 1.1c of the MDD, read the whitepaper, and review these presentations by Gert Bos. This will help you prepare for what is coming. For those of you that think you know something about PMCF and have justified why your company doesn’t need to do it, think again. You should review the 16 bullet points in the MEDDEV on pages 14 and 15 (17 bullets in the whitepaper, but one was just split into two parts). Identify how many of these points apply to your Class III device. The more points that apply to your product, the more extensive the NBs will expect your PMCF plans to be.

 

