Do you have the right tools to qualify your suppliers?
For every task, you have a choice of tools that you can use. Are you using the correct tools to qualify your suppliers?
This blog reviews how to utilize statistical process control, process validation, and supplier auditing to qualify suppliers effectively.
Only qualified suppliers would be approved if you could afford to audition suppliers against hundreds of other competitors for a few months. Unfortunately, you don’t have the same budget as American Idol. So what should you do instead?
Most companies use the same three tired tools to qualify suppliers: ISO Certification, Quality Manuals, and questionnaires. ISO certification is a weak tool because certification is only as good as the registrar’s worst client. Quality Manuals are intended to define the intent of your supplier’s Quality Management System, while most of the details are located in procedures. You only need a copy of your supplier’s Quality Manual to help you plan audits. Supplier questionnaires seem to be the most popular tool, but most questions require a “Yes/No” response that suppliers rarely answer negatively. To assess the qualifications of potential suppliers more effectively, try using the following tools instead:
Tool # 1: Statistical Process Control
Most companies require a Certificate of Compliance (CoC) with every shipment. A CoC is useless. Like the “Yes/No” questionnaire responses, you will never see a CoC that indicates something is wrong. A Certificate of Analysis (CoA) is much more helpful because the CoA has actual data, and the tolerance range is typically indicated for each test or measurement the supplier performed. The best report you can get from a supplier is a statistical analysis of each specification during the prototype production lot. When you have a Statistical Process Control (SPC) run chart, you know quantitatively if the supplier can make an acceptable product. The run chart can also be used to develop an appropriate sampling plan for incoming inspection.
Tool # 2: Process Validation
Process validation is much more than determining if a process is capable of producing a consistent product. An SPC run chart can do that. Process validation tells you what range of operating parameters will create a consistent product. Therefore, when you have process deviations or measurement devices that are slightly out-of-calibration, you will know if your supplier’s process will still make an acceptable product. The validation of a process should also identify which variables are critical indicators of the process. This information can be used to reduce the number of variables and specifications that are monitored for a production process and focus both your supplier’s resources and your own.
Tool # 3: Supplier Auditing
A multi-disciplinary team audit of a potential supplier is an effective tool for assessing a supplier’s qualifications. It will help build a stronger relationship between your team and the supplier’s team. Before you conduct an audit, it is important to plan the audit to ensure you get the most significant possible value. The following recommendations are essential to supplier auditing:
Use a risk-based approach to auditing suppliers (this goes beyond just critical and non-critical)
Strategically select auditors and train them well
Plan the auditing goals and objectives for the team in advance
Create a formal audit agenda that defines which processes each auditor will be focusing on
Auditing 100% of your critical suppliers may seem impossible due to limited resources, but have you ever seen a cost/benefit analysis?
What’s the cost of rejects, rework, and product redesign?
Passing a webinar on auditing does not make you competent.
This blog reviews an audit program manager’s four areas of auditor competency: experience, skills, training, and education.
Does your company ask incoming inspectors to update CAD drawings when a design changes occur? Of course not. Your company has engineers trained to use SolidWorks, and it takes a new engineer a while to become proficient with the software. Auditing is a skill that you learn—just like SolidWorks.
I’ve never met a manager who wondered where the value was in having an engineer update a drawing, but many managers view internal and supplier audits as a necessary evil. Instead of asking the expert how few audit days you can get away with, ask the expert: “What is the purpose of auditing?”
Internal auditing aims to confirm that the management system is effective and identify opportunities for improvement. Supplier auditing seeks to verify that a supplier can meet your needs and identify opportunities for improvement; therefore, if an auditor finds no nonconformities or opportunities for improvement, what a waste of time!
To receive value from auditing, you need competent auditors. Clause 6.2.1 of the ISO 13485 Standard states, “Personnel performing work affecting product quality shall be competent based on appropriate education, training, skills, and experience.” As the audit program manager, recruit people who demonstrate auditing competency.
Education
First, educational background is essential for auditors. You cannot expect someone who has never taken a microbiology course to be an effective auditor of sterilization validation. Likewise, someone who has never taken a course in electricity and magnetism will not be effective as an auditor for active implantable devices. Therefore, determine what types of processes the auditor will be auditing. Then, ensure that the person you hire has the necessary education to understand the processes they will be auditing.
Training
Second, auditors need to be trained before they can audit. The auditor needs training in three different aspects: 1) the process they will be auditing, 2) the standard that is the basis for assessing conformity, and 3) auditing techniques. If you are auditing Printed Circuit Board (PCB) manufacturers with Surface-Mount Technology (SMT), then you need to learn about the types of components used to make PCBs and how these components are soldered to a raw board. I know first-hand that anyone can learn how SMT works, but it took me a few months of studying.
If your company only sells medical devices in the United States, you will need to learn 21 CFR 820 (i.e., – the QSR). However, suppose your company also sells devices in Europe or Canada. In that case, you will need to learn ISO 13485, the Medical Device Directive (MDD) (93/42/EEC as modified by 2007/47/EC), and the Canadian Medical Device Regulations (CMDR). I learned about ISO 13485 in a four-and-a-half day lead auditor course in Florida, MDD in a three-day CE Marking Course in Virginia, and the CMDR in a two-day course taught by Health Canada in Ontario. A 50-minute webinar on each regulation is not sufficient for auditing.
Finally, you need training in the techniques of auditing. A two-day course is typically needed. I took a 50-minute webinar and passed a quiz before conducting my first internal audit, but I had not developed my skills.
Skills
Third, an auditor needs communication, organizational, and analytical skills to be helpful as an auditor. Communication skills must include the ability to read and write exceptionally well, and the auditor needs to be able to verbally communicate with auditees during meetings and interviews. The most difficult challenge for auditors is covering all items on their agenda in the time available. The auditor rarely has more time than they need to audit any topic, and audit team leaders must be able to manage their own time and simultaneously manage the time of several other auditors.
Experience
Last but not least, an essential aspect of auditor competency is experience. This is why third-party auditors are required to act as team members under the guidance of a more experienced auditor before they are allowed to perform audits on their own. This is required, regardless of how many internal or supplier audits the person may have conducted. More experienced auditors are also required to observe new auditors and recommend modifications to their techniques. Once a new auditor has completed a sufficient number of audits as a team member, the auditor can practice leading audits while being observed. After six to nine months, a new auditor is finally ready to be a lead auditor on their own. An internal auditor does not need the same degree of experience as a third-party auditor, but being shadowed two or three times is not sufficient experience for an auditor (first or second-party). For more information about this topic, please read my blog posting on auditor shadowing.
The author discusses a few proven internal audit training strategies (i.e., shadowing, auditing process owners) for new hires.
Once you have identified someone that you want to “hire” as an internal auditor, your next step should be to develop an “Onboarding” plan for them with their boss. If you are hiring someone that will be a dedicated auditor, please ignore my quotation marks above. In most companies, however, the internal auditors are volunteers that report to another hiring manager. Therefore, as the audit program manager, you need to get a firm commitment from the auditor’s boss with regard to the time required to train the new auditor and to perform audits on an ongoing basis.
Winning Over the Boss
In my previous posting, I said that “The biggest reason why you want to be an auditor is that it will make you more valuable to the company.” The auditor’s boss may or may not agree with this statement, but the boss knows that the salary is coming out of their budget either way. Therefore, talk with the auditor’s boss and determine what the auditor’s strengths and weaknesses are. Find out which skills the boss would like to see the auditor develop. By doing this, the two of you can develop a plan for making the auditor more valuable to their boss AND the company.
Making Re-Introductions
Ideally, auditors are extraverted and have worked at the company long enough to know the processes and process owners that they will be assigned to audit—especially if they will be auditing upstream and downstream from their process area. In the past, the auditor may have been a customer or a supplier, but now the relationship with a process owner will change. Auditors are required to interview process owners, and this involves asking tough questions that might not be appropriate in the auditor’s regular job duties. Therefore, as the audit program manager, you should re-introduce the auditor to the process owner in their new capacity as an auditor. During this re-introduction, it is important to make three points:
The auditor is going to be trained first (on auditing and ISO 13485)
You will be shadowing the auditor during the audit, and
The auditor’s job is to help the process owner identify opportunities for improvement
By making the first point, you are reminding the process owner of the scheduled audit—well in advance. You are also informing the process owner that this auditor will have new skills, and the process owner should have some tolerance for mistakes that new employees make. You might also mention that you would like to get the process owner’s feedback after the audit, so the auditor knows which areas they need to improve upon to become better auditors. The second point should put the process owner at ease—assuming the process owner has a good relationship with you as the audit program manager. It is important to be descriptive when “shadowing” is mentioned. Both the process owner and the auditor may not understand the process or the purpose of shadowing. The following blog posting might help with this: “How do you shadow an auditor? Did you learn anything?”
The third point is the most critical step in onboarding a new auditor. For an auditor to be successful, they must ADD VALUE! As an auditor, you cannot pretend to add value. The process owner should know their process, and they probably know which areas are weakest. The audit program manager should encourage the process owner to list some specific areas in which they are having problems. Ideally, the process owner would be informed of this need before the re-introduction. Then the process owner can be better prepared for the meeting, and hopefully, they will have a few target areas already identified. Targets with associated metrics are the best choice for a new auditor because these targets reinforce the process approach to auditing.
Next Steps for Internal Audit Training
Once your new auditor has been re-introduced to the process owners, they will be auditing, and you need to begin the training process. As with any new employee, it is important to document training requirements and to assess the auditor’s qualifications against the requirements of an auditor. Every new auditor will need some training, but the training should be tailored specifically to the needs of the auditor. The training plan for a new auditor should include the following:
A reading list of company procedures specific to auditing and external standards that are relevant
Scheduled dates for the auditor to shadow another experienced auditor
Scheduled dates for an experienced auditor to shadow the auditor during the first two process audits (upstream and downstream)
Goals and objectives for the internal audit program; and
Any training goals that the auditor’s boss has identified for the auditor
This article describes four key steps for auditing ISO 14971, and suggested auditing questions are included.
Let’s say that you went ahead and purchased ISO 14971:2012, read Annex ZA, and identified a couple of gaps in your procedure. After you revised your Risk Management procedure to be compliant with the revised Standard, then what are you supposed to do?
Most QA Managers struggle over whether they should purchase ISO 14971:2012. I wrote a couple of blog postings about this matter, but my point was not to debate this question but to ensure companies are aware that they need to be compliant with the MDD and the ISO 14971 Standard. The “changes” from 2009 to the 2012 version are simply the European Commission reminding manufacturers that there are seven aspects of the ISO 14791 Standard that do not meet the requirements of the MDD. Therefore, if your company has already verified that your risk management process is compliant with the MDD–then you have nothing to change. However, if your risk management process is only compliant with ISO 14971:2009, then you need to revise your processes and procedures to address these seven aspects.
4 Steps in Auditing ISO 14971
Once you have made revisions to your risk management process, how do you perform auditing of ISO 14971?
Step 1: Planning your auditing ISO 14971
This will be an internal audit, and since you (the QA Manager) are the process owner for the risk management process, you personally cannot audit this process. You need to assign someone that has the technical skill to perform the audit, but this person cannot be the process owner (you) or a direct report to the process owner (the rest of the QA department). Fortunately, the Director of Engineering is also trained as an internal auditor at your company. She is trained on ISO 14971:2009, but she did not receive risk management training to the most current version. To address this gap, she must read the updated Standard to understand what’s new.
Clause 3.2 of ISO 14971 requires that top management review the Risk Management Process for Effectiveness.
She has participated in risk management activities, but each product development engineer participates in risk management activities for their own design projects. Therefore, she has several projects she can sample risk management records from without auditing her own work. You have communicated that you need this audit finished sometime in December because you want any CAPAs resulting from the audit to be finalized before the next Management Review at the end of January. The timing of the Management Review is important because the risk management procedure requires that top management assess the effectiveness of the risk management process during Management Review meetings.
There are no previous audit findings to close from the last audit of the risk management process. Still, the Director of Engineering has seven specific items to emphasize from the 2012 revision of the Standard, and a revised procedure for risk management. Therefore, she will prepare for the audit by identifying some new interview questions to specifically address these changes–as well as some more general, open-ended questions.
Specific questions related to Annex ZA when auditing ISO 14971
1. How does the risk analysis evaluate the acceptability of risks in the lowest category? (This is a leading question, but it is specifically designed to determine if negligible risks are discarded).
2. Please provide a few examples of how risks in the lowest category were reduced. (In sections 1 and 2 of the Annex, I require all risks to be reduced as far as possible, and for all risks to be evaluated for acceptability. The wording of this question also allows auditors flexibility in their sampling).
3. How did the design team determine when they had implemented sufficient risk controls to minimize risks? (Many companies use a color-coded matrix as a quasi-objective method for determining when risks are adequately reduced. This process is often referred to as the ALARP concept. Annex ZA specifically prohibits using economic considerations as part of this determination).
4. How did you conduct a risk-benefit analysis? (The Standard allows for performing a risk-benefit analysis when overall residual risks exceed the acceptability criteria as outlined in the risk management plan. However, the MDD requires an overall risk-benefit analysis in Section 1 of Annex I. Section 6 also requires that a risk-benefit analysis be performed for each individual risk).
5. How were risk control options selected? (Section 2 of the MDD implies that the manufacturer shall review All the control options and pick the most appropriate ones. Therefore, the auditor should specifically look for evidence that the team systematically reviewed all possible control options to reduce risks–rather than stopping as soon as the risks were reduced to an acceptable level).
6. What were your team’s priorities for the implementation of risk control options? (It’s possible that the previous question will be sufficient to gather evidence that risk controls were implemented with the required prioritization, as specified in the MDD. However, this question would be used as a follow-up question if it is not clear that the team prioritized the risk control options in accordance with Section 2 of Annex I).
7. How was the effect of labeling and warnings in the instructions for use incorporated into the estimation of residual risks? (Almost every company remembers to include residual risks in their IFU as a warning or caution statement. However, Section 2 of Annex I does not allow for including this information given to the users as a method of reducing risks. Therefore, in a Design FMEA, you would not list labeling and IFUs in your column for current risk controls when you determine the risk. This should be identified as an action to be taken–with no impact on the score for residual risk).
The above questions are not examples of using the process approach, but each question is phrased in an open-ended manner to maximize the objective evidence gathered during the interview process. If you are doing a process audit, it’s still acceptable to include questions that use the element approach.
Generic questions when auditing ISO 14971
1. When was the ISO 14971:2012 version of the Standard added to the controlled list of external Standards?
2. Please provide examples of where you have updated the Essential Requirements Checklist (a Technical File document) to reference the newest revision of ISO 14971:2012, and please show at least one example of how the risk management report was updated to reflect this revision.
3. How did you verify training effectiveness for the design team specific to the updated risk management procedure before conducting a risk analysis?
These generic questions do not require reading the ISO 14971:2012 Standard. Instead, each question forces the auditee to demonstrate their knowledge of the revised Standard by answering open-ended interview questions. Each of these questions is also designed to test linkages with other support processes. This is an example of how to use the process approach.
Step 2: Auditing ISO 14971
The next step is to conduct your audit of ISO 14971. During the auditing of ISO 14971, the Director of Engineering will gather objective evidence of both conformity and nonconformity for the risk management process. The generic interview questions that were developed allow her to evaluate the effectiveness of linkages between the risk management process and other processes, such as:
1) Document control
2) Creating technical documentation for regulatory submissions
3) The training process
Specific questions verify that each of the seven elements identified in Annex ZA of ISO 14971:2012 is adequately addressed in the revised procedure. When the audit is completed, the auditor will have a closing meeting with the process owner (you) and the auditee(s), so that everyone is clear about what the findings were, and if there were any nonconformities. This is the time to clarify what needs to be done to prevent each nonconformity from recurring.
Step 3: Writing the Report & Taking Corrective Action(s)
This is no different from any other audit. Still, it is critical to have the report completed soon enough so that CAPAs can be initiated (not necessarily completed) before the Management Review.
Step 4: Verifying Effectiveness of Corrective Action(s)
Many people struggle with verifying the effectiveness of corrective actions–regardless of the process. My advice is to identify a process metric to measure effectiveness. Then the effectiveness check is objective. For example, monitoring the frequency of updates to the list of external standards can help verify that the process for monitoring when Standards are updated is effective. Likewise, the frequency of updates to the Essential Requirements Checklist and the risk management records referenced in the Essential Requirements Checklist indicates if the risk management process is being maintained. Finally, monitoring the lag between the time procedures are updated and when the associated training records are updated quickly identifies if there is a systemic problem with training or if a training gap is just an example of a single lapse.
The single best guidance document on the implementation of a QMS system in accordance with ISO 13485 is “13485 Plus” (type in the words in quotes to the CSA Group search engine).
There are also a bunch of pocket guides you can purchase for either ISO 9001 or ISO 13485 to help you quickly access information you are having trouble remembering. One of my lead auditor students recommended one pocket guide in particular and she was kind enough to give me her copy.
There are some webinars out there that provide an overview of QMS Standards. Some are free and some have a modest fee. I’m not sure of the value for these basic overview webinars, but if you need to train a group, it’s a great solution. I know BSI has several webinars that are recorded for this purpose.
You can try to identify a local mentor–either in your own company, or at your local ASQ Section.
You can join the following LinkedIn subgroup: Medical Device: QA/RA. You will need to become a member of the parent group (Medical Device Group)–if you are not already one of the 140,000+ members connected with Joe Hage. George Marcel and I manage this subgroup for Joe.
You can visit the Elsmar Cove website and participate in the discussions you find there. I wrote a blog about Elsmar Cove a while back (wow almost 2 years ago now).
The best way to learn this stuff is to do all of the above.
This blog provides a five-step process on how to request FDA device classification information. A screenshot of the FDA website for each step is included.
If your company is currently registering with the US FDA, you are probably reviewing the guidance document this month for the FY2013 user fees. On pages six and seven, there is a table of these fees, but you might have overlooked 513(g). Section 513(g) is a provision in the law that allows companies to request device classification information from the FDA.
For example, if your company was developing a new product, and you were having difficulty identifying the regulatory pathway, 513(g) is your friend. In my opinion, these fees are modest: $5,061 = Standard Fee, and $2,530 = Small Business Fee (updated for FY 2022). Most consultants will charge at least ten hours of consulting to identify the regulatory pathway for a company. I would charge quite a bit less because it takes me a lot less than ten hours. I still think the FDA’s pricing is a good deal because getting information directly from the source is always more valuable than an “expert.”
The US FDA has published a guidance document explaining the process for 513(g) requests. This guidance document was released on April 6, 2012 (updated in 2019). The guidance explains what information companies need to provide in order to submit a 513(g) request. The guidance also has a fantastic list of FDA resources on page five. These are the very same resources that the “experts” use—including yours truly. If you absolutely don’t want to submit a 513(g), and you plan to search for you own predicate, we have another related article that provides five alternatives to a 513(g) for identifying a predicate device.
Just as any good lawyer tries to avoid asking questions that they don’t already know the answer to, I recommend that you first try using these resources yourself. Once you think you know the answer, your request for classification information will be easier to organize.
Here’s how I would proceed to request FDA device classification information:
Step 1 – Are there similar devices on the market?
Identify another device similar to yours. If you can’t do this, you need serious help. You need a similar device that is already sold on the market to use as a predicate device. If you cannot identify a predicate, then you can’t use the 510(k) process—or you don’t know your competition. Either way, there are challenges to overcome. For example, if you are trying to launch a new topical adhesive made from cyanoacrylate—”Dermabond” might be the first predicate device that comes to mind.
Step 2 – Search the Registration Database for FDA Device Classification
Use the registration and listing database on the FDA website to find the company that manufacturers the device. The link for this is #4 on my helpful links page (updated). This link also will provide you with connections to the classification database—which you can use to find the classification for any device. However, the registration and listing database is less likely to lead you astray. When I type “Dermabond” into the field for the proprietary device name, I get a list of five different product listings.
Step 3 – Select one of the competitor links to identify the FDA Device Classification
Clicking on any one of these five will take you to a listing page for the corresponding company. On that page, you will find the three-letter product code that identifies the device classification and the applicable regulations for that device.
Step 4 – Your found the FDA Device Classification
Clicking on the three-letter product code (i.e., – “MPN” in our Dermabond example) takes you to the Product Classification page. This is where you will find that Dermabond, and other tissue adhesives, are Class II devices that require a 510(k) submission. Also, the Product Classification page identifies an applicable guidance document to follow for design verification and validation testing. This is also called the “Special Controls Document.”
Step 5 – TheTPLC Report lists all the recent 510(k) submissions
Click on the “TPLC Product Code Report” link. This link will provide you with a report of all the 510(k) ‘s recently granted to your competitors, problems customers have experienced with their products, and recalls for the past five years. This is extremely valuable information as a design input—as well as competitive information for your marketing team.
TPLC Report for Product Code “MPN” – Topical Adhesive
You were just notified of an FDA inspection and don’t think you are ready; using tricks to hide your problems is a huge mistake. Over the years, I have heard a few recommendations for “secrets” to hide those problems. In this post, I share my top 10 FDA Inspection Strategies–and why they DON’Twork.
Here are my top 10 ways to make an FDA inspection worse:
10. Stalling when the investigator makes a request – This just irritates investigators. At best, the investigator will use the waiting time to identify additional documents to sample or to review the information you have provided more closely. At worst, the investigator will accuse the company of not cooperating with the inspection, and the investigator may return the following week with several more team members to help them. Whenever this occurred during a third-party audit that I conducted, I would move onto another area and interview someone. However, before I left the person that was slow to respond, I provided the person with a list of documents and records that I expected to be waiting for me upon my return. In extreme cases, I had to bluntly tell the management representative that I needed documentation more quickly. As an instructor, I teach auditors techniques for coping with this tactic.
9. Suggesting records for the investigator to sample – This is forbidden in third-party inspections and audits. The FDA has work instructions for identifying sample sizes, and samples are supposed to be selected randomly. In reality, samples are rarely random, and the investigator usually follows a trail to a specific lot, part number, etc. When clients offered me samples, I tried to be polite and review the records they provided. However, I also would request several other records or follow a trail, as I have indicated above. Another approach I often use is to focus on high-risk items (i.e., – a risk-based approach to sampling). In general, you can expect the FDA investigators to sample more items than a registrar–and sample sizes are often statistically derived if the number of records is sufficiently large. When sample sizes are pretty small, I recommend sampling 100% of the records since the previous inspection/audit. This is not always possible for third-party auditors, but internal auditors often can achieve this.
8. Outsourcing processes to subcontractors – The FDA recently reinstated the requirement for contract manufacturers and contract sterilizers to be registered with the FDA by October 1, 2012. Therefore, hiding manufacturing problems from the FDA by outsourcing manufacturing is increasingly more difficult. In addition, the FDA focuses heavily on supplier controls and validation of outsourced processes. Therefore, an investigator will identify high-risk processes performed by subcontractors and request process validation documentation from that supplier. If the company does not have the validation reports, this could quickly escalate to a 483 and possibly a visit to the subcontractor.
7. Trying to correct problems during the inspection – This is what I like to call the document creation department. At one company I worked for, we noticed a mistake across several of the procedures and made a change overnight between the first and second days of the audit. When the auditor asked for the procedures in the morning, he asked, “Is the ink dry yet?” The auditor then requested records demonstrating compliance with the newly minted procedures. As you might have guessed, this resulted in several nonconformities. When clients attempt to correct problems found by an investigator, the investigator typically will respond with the following statement, “I applaud you for taking immediate action to contain and correct the problem. However, you still need to investigate the root cause and develop a corrective action plan to prevent a recurrence. To do this investigation properly may take several days.” I also teach auditors to memorize this phrase.
6. Writing a letter to file – When companies make minor design changes, one of the most common approaches is to “write a letter to file.” This phrase indicates that the design team is adding a memo to the Design History File (DHF) that justifies why design validation or regulatory notification/approval is not required. The FDA used to publish a decision tree to help companies make these decisions. In fact, such a decision tree is still part of the Canadian significant change document. The FDA recently withdrew a draft document that eliminated many perceived opportunities to utilize the “letter to file” approach. However, the FDA will still issue a 483 to a company if the investigator can identify a change that required validation that was not done or a 510(k) that was not submitted for a design change. The FDA looks explicitly for these types of issues when an investigator is doing a “for cause” inspection after a recall or patient death.
5. Shut it down – Not running a production line that has problems is an ideal strategy for hiding problems. However, the FDA and auditors will be forced to spend more time sampling and reviewing records of the problematic production line. If you need to shut down a line, ensure everything is identified as non-conforming, and carefully segregate rejected products from good ones. You should also use these problem lines to show off your investigation skills and ability to initiate CAPAs. If you simply forgot to validate a piece of equipment or do some maintenance, take your lumps and keep production running. If you are a contract manufacturer, never shut it down without notifying the customer. If you do not tell your customer, you will get a complaint related to on-time delivery and a 483.
4. Storing all records off-site – I first heard about this tactic during an auditor course I was co-teaching. During the course, we had many reasons why the company should be able to provide the records in a timely manner. However, I have experienced this first-hand as a third-party auditor. When this happens, I do three things: 1) increase my sampling of available records, 2) carefully review supplier controls and supplier evaluation of the storage facility (assuming it is outsourced), and 3) verify that the company has a systematic means for tracking the location (i.e., – pallet and box) for every record sent to storage. FDA investigators will move along to another record and follow up on their earlier request with a second visit or a request to send them a copy of the document after the inspection.
3. Identifying information as confidential—A company can claim information is confidential and may not be shared with the public. Still, very little information concerning the FDA or Notified Bodies is “confidential.” Therefore, this strategy rarely works. In fact, it will enrage most FDA investigators. In training courses, I train auditors to ask the auditee to redact confidential information. For example, a CAPA log may have confidential information in the descriptions, but the trend data on opening and closing dates are never confidential.
2. The FDA is not allowed to look at those records – Although this statement is technically true for internal audit reports and management reviews, the FDA always says that they can access this information through the CAPA system. What the FDA means is that there should always be evidence of CAPAs from internal audits and management reviews. If there is not, then this will quickly become a 483. Another person I met tells the story that when they agreed to share the management review records with the investigator, the inspector rarely issued a 483. When they refused to share the management review with the FDA, the inspection went quite badly from that point forth. I’m afraid I have to disagree with being vindictive, but it happens.
1. Show me where that is required – This is just silly. Investigators and auditors are trained on the regulations, while you are educated on your procedures. Spend your time and effort figuring out how your procedures meet the regulations in some way. Challenging the investigator excites the investigator. We all like a challenge–and we rarely lose. One auditee tried this approach with me in front of their CEO. This experience allowed me to show off that I had memorized the clause in question–and the corresponding guidance document sections. I think the CEO realized quickly that the management representative was not qualified.
My final advice is to do your best to help the investigator do their job and treat every 483 as “just an opportunity to improve.” Just ensure you submit a response in 14 days, or you will receive a Warning Letter, too!
The author read an article about Wiki document control, and he shares a “genius idea that is coming of age.”
Wiki Document Control
Procedures can constantly be improved, but our goal is to make better products—not better procedures. So, what could be so exciting about document control that I feel compelled to write another post about “blah, blah, blah?” I read an article about using Wiki for document control. A Wiki is a collaborative environment where anyone can add, delete, and edit content. All changes are saved, and Wiki can be controlled—while simultaneously being available to everyone. The most famous of all Wiki is Wikipedia. In 2009, Francisco Castaño (a.k.a. – Pancho) began a discussion thread to explain how his company used Wiki to manage its documentation system. Last month, ASQ published an update on the status of Pancho’s Wiki process for document control. Depending upon how you implement a Wiki and what software tools you use, it might be a virtual quality system or an eQMS.
Writing Procedures
The process owner writes procedures in most companies, and other people rarely comment on minor errors. In the most dysfunctional companies, the Quality Department writes the procedures for the rest of the company or outsources them to consultants. Reviewing and editing procedures should be the responsibility of everyone in the company. Still, I never considered the possibility of having everyone within the company edit procedures simultaneously—until I saw Pancho’s thread. Throughout the discussion, others have indicated that they also tried using Wiki to optimize content. This is a genius idea that is coming of age.
Many QMS consultants, including myself, have written procedures for clients. Sometimes, this is part of the consulting business model. In these cases, the consultant writes a procedure once and edits it forever—while getting paid a modest fee each time a client asks for a “new” procedure. I often think that it would make more sense to do something like Linux developers have done—use the collaboration of QMS experts around the world to create a general procedure that is free to everyone. This is possible using Wiki’s that are publicly available.
Very soon (hopefully in 2013), the responsibilities section of our procedures will fundamentally change. Instead of reading and understanding, everyone will be responsible for writing and editing (oh no, I’ll have to create a new learning pyramid).
Quality will no longer be responsible for writing procedures. Instead, the quality function can focus on monitoring, measuring, data analysis, and improving processes and products. The downside is that we will need less personnel in document control.
If you want to learn more about Wiki for document control, follow this thread on Elsmar Cove. It’s rich in content, and even the moderators have been forced to rethink their preconceptions.
The author defines what an NB-MED is, Team NB and their role, provide a regulatory update and some information sources.
Each time I review a list of external standards, I notice at least a few out-of-date references. Occasionally, I am surprised, and everything appears to be current, but it is almost impossible to stay current with all the external standards. The most demanding standards to maintain are those that are untracked. Untracked standards are difficult to keep current with because it requires manually checking each source to determine if a standard has been updated. One of these sources is Team NB.
Team NB
Team NB describes itself as the “European Association of Notified Bodies for Medical Devices.” Team NB is an organization comprised of Notified Bodies (NBs). These NBs create guidance documents to clarify the interpretation of regulations in the EU. Since NBs are generating the documents rather than Competent Authorities (CAs), it is possible for Team NB to reach a consensus more quickly than CAs. Since these documents are guidance documents, the NB-MED documents are not enforceable or binding. However, in all likelihood, your NB will interpret ISO 13485 and the MDD (93/42/EEC as modified by 2007/47/EC) in accordance with these guidance documents.
The website link I provide in my “Helpful Links” page includes many links to important guidance documents. Among the recently updated NB-MED documents is NB-MED 2.5.2/rec 2. The “rec” is not the same as a revision. For example, rec two is “Reporting of design changes and changes of thequality system,” while rec 1 is “Subcontracting – QS related.” The link I have provided will land you directly on the list of NB-MED documents, and the right-hand column identifies the date the document was added to the list. Therefore, if you want to know about new and revised NB-MED documents, you merely need to read the documents that are identified as being added since your last visit.
NB-MED 2.4.2/rec 2
NB-MED 2.5.2/rec 2 is the only recent addition, and you should read it. Many companies struggle with design changes and don’t know if the change is significant. Revision 8 of this document includes helpful examples. I recommend reading this document carefully and then revising your own change notification procedure to match the document. If you don’t have a change notification procedure, your QMS auditor has been lazy. Don’t let them give you the excuse of “It’s just a sampling.” This document has been published for a long time, and the intent has not changed since 2008—just new examples to clarify the interpretations.
There is a posting from 1/14/11. This is an excellent list of all the NB-MED documents. I recommend printing this document and using it to compare against your current external standards list. There is a very recent posting from 2/7/12 that answers frequently asked questions about the implementation of EN 60601. You probably don’t have an active device if you don’t know what this is.
On 3/27/12, Team NB sent a letter indicating that they condemn Poly Implant Prothèse (PIP) for committing fraud (well, duh). Who would endorse them?
Finally, on April 17, 2012, meeting minutes were posted from an April 5 meeting of Team NB. The NBs indicated that the medical device authorization system is excellent! This is not a surprise since any other response would be self-criticism and potentially career-limiting. The minutes also indicate that the team wants as many of the members to endorse the “Code of Conduct” (CoC) that was drafted by the “Big 5” NBs. So far, the acceptance of this Code is limited, but the Competent Authorities have other plans.
Competent Authorities (CAs) are currently evaluating the NBs with regard to competency for handling Class III devices. In addition, there is a plan to revise the European regulations14 the guess). These changes will be significant. The Team NB website could be a source of information about rapid changes in the next 12 months, but it’s the quiet before the storm. The Great Consolidation of European Regulators is about to begin (or maybe all the NBs will endorse the CoC, and the CAs will forget about it).
The author reviews a few methods to identify changes to the Canadian Medical Device Regulations (CMDR), including using the “compare” function in MS Word.
One of the most frustrating things about the Canadian Medical Device Regulations (CMDR), SOR/98-282, is the difficulty in identifying what has changed since the previous revision. There is no detailed revision history indicating what changed. This is surprising to me because Canada was the first country to require ISO 13485 certification as a component of the regulatory approval process. Did the Therapeutic Products Directorate (TPD) overlook Clause 4.2.3?
Using MS Word to Compare CMDR Versions
Anyway, before I became an auditor, the way I determined what changed was to use the “compare” function in MS Word to compare the versions of the CMDR. The bottom of the first page indicates, “Current to May 14, 2012.” This is our revision date, and it seems to change every month. Then below this, the document says, “Last amended on December 16, 2011.” This tells us that the last time TPD made a change was in December. Nowhere does CMDR tell us what changed.
On the second page of the CMDR, there is a note at the bottom of the page that supposedly clarifies the revision history:
“This consolidation is current to May 14, 2012. The last amendments came into force on December 16, 2011. Any amendments that were not in force as of May 14, 2012, are set out at the end of this document under the heading ‘Amendments Not in Force’.”
I have never seen a heading titled “Amendments Not in Force.” So here’s what I do:
“Select All” from the current PDF version of the CMDR and another version before the last amendment date: December 16, 2011.
I copy and paste the text from each document into a separate MS Word document.
I save each document with a different date code.
I use the “compare” function to identify the revisions that were made to the pre-December version.
Then I pound my forehead against my desk because I just wasted 15 minutes to verify that the only changes made between August 8, 2011, and May 14, 2012, were as follows:
Date of revision throughout the document
Table of Provisions pagination was updated to reflect reformatting of Annex 3
Section 32.7 – changed wording from “may” to “shall,” and “giving” to “that gave”
Annex 3 was reformatted so that the English and French versions appear side-by-side instead of on page 61 & 62 sequentially
Assessing the Impact of Change
So…the next time a third-party auditor asks you for objective evidence that you have assessed the impact of changes to the CMDR, show them this blog posting. If they force you to document the impact analysis of the change of the word “may” to the word “shall” in Section 32.7, request a new auditor quickly. If they ask for documentation of the impact of the tense change in Section 32.7, also request a new auditor quickly.
On a far less amusing note, the following new and revised regulatory requirements occurred on the TPD website:
On May 31, 2012, there was an announcement by HC indicating “Categorization of Therapeutic Products at the Device/Drug Interface.”
On October 19, 2011, the electronic submission pilot for Class IV devices was expanded to Class III devices: “Notice – Guidance for Industry: Preparation of a Premarket Review Document in Electronic Format for a Class III and Class IV Medical Device Licence Application”; this revised guidance document includes a table for Class III applications based upon the STED guidance document from GHTF.
You can also type in “What’s New” into the search engine for the TPD website. The search results can be narrowed down to a year, and postings are typically no more frequent than monthly (eight in 2011; one in 2012).
