What are the secrets to success in responding to an FDA RTA Hold?

2 Comments / 510(k) / By Robert Packard

When an FDA reviewer places your 510k on RTA Hold, there are secrets you can learn to improve your chances of a successful response.

Test your knowledge about the FDA RTA Hold process

Did you know that approximately 50% of 510(k) submissions are placed on RTA Hold? Did you know that you can be placed on RTA Hold multiple times for the same submission? Did you know that the 90-day review clock is reset to “0” when you submit your response? Do you know how to respond to the FDA when the reviewer is incorrect? Did you know that you can avoid the RTA screening process for any 510(k) submission if you use the correct template? Every year there are more than 1,000 submissions placed on RTA Hold, but did you know there is an FDA guidance specifically telling you how to respond to deficiencies? You can learn the secrets to responding to an FDA RTA Hold just by reading this article.

What is an FDA RTA Hold?

When the FDA receives a Traditional 510k submission FDA eCopy, the eCopy is uploaded to the FDA system within hours of the submission being received. If the eCopy does not meet the eCopy format requirements, then the submission will be placed upon eCopy Hold. The official correspondent will receive an automated email indicating that the submission is on eCopy Hold, and the submitter will be asked to correct the submission format to meet the eCopy submission requirements and provide a replacement eCopy. If the FDA user fee has not cleared, then the submission will be placed on User Fee Hold. It is possible to be placed on eCopy Hold and User Fee Hold at the same time.

If your eCopy is accepted, then a reviewer is assigned to screen your submission for compliance with the FDA Refusal to Accept (RTA) policy. The reviewer has 14 days to complete this review, and on the 15th day the reviewer must do one of three things: 1) issue a RTA Hold letter to the submitter, 2) issue an RTA Acceptance letter to the submitter, or 3) issue a letter that states the RTA screening was not completed on-time and the submission was automatically accepted. If your receive an RTA Hold letter, it will be via email from the reviewer and the RTA Checklist will be attached. In the checklist, there will some items highlighted in yellow and deficiencies will be noted in those sections. The reviewer may add additional comments to the checklist, but you are only required to respond to the highlighted sections. The process that the reviewer follows for RTA screening is defined in the FDA guidance for the Refusal to Accept process, and the guidance includes a checklist for traditional, abbreviated, and special 510k submissions. Some companies will fill in these checklists themselves and submit a copy of the checklist with the 510k submission. This is intended to help the reviewer identify where all of the requirements in the RTA checklist can be found. Third-party reviewers require that the company complete the RTA checklist and provide it to them with the eCopy.

How many times can you be placed on hold for the same submission?

Technically there is no limit to the number of times a submission can be placed on RTA Hold, and our firm has seen a few submissions placed on RTA Hold twice in a row. The first RTA Hold is referred to as RTA1, and the response to that RTA Hold is referred to as the first supplement (i.e. K123456/S001). If a second RTA Hold is issued, that hold is RTA2, and the response to that RTA Hold is referred to as the second supplement (i.e. K123456/S002). A response to an eCopy Hold is referred to as an amendment (i.e. K123456/A001).

What happens to the 90-day review clock when you are placed on RTA Hold?

When the FDA reviewer places your submission on RTA Hold, the 90-day review clock is automatically reset. Therefore, even if you respond to an RTA Hold on the same day you receive the RTA Hold, and your submission is received the next day, the “real” review timeline is now 106 days instead of 90. If your submission is placed on RTA Hold twice, then the “real” review timeline is now 122 days instead of 90. If the lead reviewer of your 510k requests additional information, this is referred to as an “AI Request.” We will address this in a future blog, but an AI Request does not reset the review timeline. The AI Request, however, will increase the review timeline. Although we rarely have an RTA Hold, we almost always have an AI Request. This is why our average submission is approximately 125 days (i.e. ~30 days are required to respond to the AI Request.

How should you respond if the FDA reviewer is incorrect?

The average 510(k) submission has grown over time from 300 pages to more than 1,200 pages, but the FDA review “clock” is still 90 days and the RTA screening is limited to 15 days. Therefore, it is not reasonable for you to expect the reviewer to understand and absorb every detail of your submission. If the reviewer can’t find the information they are looking for quickly, the reviewer may state that they could not find the information in the submission or that you did not provide it. If the information is found in the submission, you should provide a reference to the section of the submission, including the document and page number, in your RTA response. You may even choose to quote the information in your response memo if it is brief.

Other times the reviewer may not understand why certain information is not relevant to your submission. In this case, you should restate why the information requested is not relevant. You may want to review relevant FDA guidance documents that explain how to justify why information is not required. For example, if you did not provide biocompatibility testing reports for some of the endpoints that are identified in ISO 10993-1:2018, then you should either provide a detailed biological risk assessment in accordance with the FDA guidance on the use of ISO 10993-1, or you should provide a biocompatibility certification statement.

If you are not sure why the FDA reviewer stated the information you provided is not acceptable, you might try calling or emailing the reviewer to ask for clarification. If you do this, be respectful of their time and be brief. You should identify who you are (you must be the official submission correspondent to speak with the reviewer), you should identify which submission you are contacting the reviewer about (they are working on many simultaneously), you should restate the issue identified by the reviewer (it may have been an issue of another member of the review team), and then you should indicate where the information can be found in the submission. If they believe this addresses the issue, then they will instruct you to provide that information in an RTA response. If the information does not address the issue, usually they will explain why. Your chances of receiving an email response are also better than speaking to the person on the phone–especially during the Covid-19 pandemic.

FDA eSTAR submissions are not subjected to the RTA screening process

When you use the FDA eSTAR submission instead of creating an eCopy, your submission should already meet all of the RTA screening requirements. The eSTAR includes automation to validate that the submission is administratively complete and therefore the reviewer does not need to do an RTA screening of an eSTAR submission. Therefore, most companies should realize a shorter overall 510k clearance timelines, because they will only have an AI Request and the review clock will not be reset.

Does the FDA offer any guidance on how to respond to deficiencies?

When the FDA writes deficiencies, the reviewer is supposed to follow the FDA guidance for deficiency content and format. However, the RTA checklist deficiencies typically are shorter and may not be as clear as a deficiency in additional information (AI) requests or non-substantial equivalence (NSE) letters. The first part of the deficiency is a reference to the information that was provided by the submitter (i.e. section, page number, or table). In an RTA checklist, each deficiency is provided in the comments section at the end of the section of the checklist. Therefore, if you have a deficiency related to your device description, the deficiency will be written at the end of the device description section of the RTA checklist. The comment will be highlighted in yellow, and there will be a checkbox next to the specific checklist item indicating that the requirement was not met. In the far-right column of the checklist, there will be a reference to the page of the submission where the deficiency can be found.

In the comment there reviewer should explain why the current information does not meet the requirement of the RTA checklist. The reviewer should also clarify the relevance of the deficiency with regard to the substantial equivalence determination. For the example of a deficiency related to your device description, usually, the issue is that your submission has inconsistencies between the various submissions or there is insufficient detail about your device. At the end of the comment, the reviewer should provide an explicit request for the information needed to address the RTA Hold.

In section “V” of the FDA guidance on deficiency responses, the FDA recommends that you restate the issue identified by the reviewer in your response. Next, your response should include one of the following:

the information or data requested, or
an explanation of why the issue is not relevant, or
alternate information with an explanation of why the information you are providing addresses the issue.

Before you respond to an RTA Hold, you should look up any FDA guidance documents referenced in the RTA Checklist to make sure that you address each requirement in the applicable FDA guidance document(s).

The most important technique to learn when you are responding to regulators is to organize your response in a tabular format that is numbered in exactly the same order that the request was made. Typically there will also be sub-parts to certain issues. In that case, you should duplicate the numbers and/or letters of each sub-part and segregate each sub-part in a different row of the table. Personally, I like to alternate the color of the font I use in the table to make it even more obvious which information is a restatement of the reviewer’s comment and which information is the company’s response to the RTA Hold.

Regardless of how well your response is organized, you must respond within 180 days. On the 181st day, your submission will be automatically withdrawn. The agency has granted extensions of an additional 180 days during the Covid-19 pandemic, but that will end and you should verify if you can obtain an extension from the reviewer rather than assume that this will happen. If the 180th day is on a weekend or US holiday, the Document Control Center (DCC) at the FDA will not receive your submission until the next business day. Therefore, you will need to ship your submission earlier to ensure the delivery is received on time. Since most companies are shipping their RTA response via FedEx or UPS to the FDA, you also will want to make sure you take into account customs clearance for international shipments and local holidays where you are. If you are shipping from the UK, for example, you can’t expect FedEx to ship on a British holiday. If you need help with printing and shipping your RTA response, Medical Device Academy offers an eCopy print and ship service for $99/eCopy (including the overnight FedEx fee).

If your 510k submission was placed on RTA Hold by the FDA, we can help you respond to the deficiencies identified by the FDA reviewer. We can also review your planned response to identify potential gaps. If you need help please use our calendly app to schedule a call with a member of our team.

About the Author

Robert Packard is a regulatory consultant with 25+ years of experience in the medical device, pharmaceutical, and biotechnology industries. He is a graduate of UConn in Chemical Engineering. Robert was a senior manager at several medical device companies—including the President/CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing, and maintaining ISO 13485 and ISO 14971 certification. From 2009-2012, he was a lead auditor and instructor for one of the largest Notified Bodies. Robert’s specialty is regulatory submissions for high-risk medical devices, such as implants and drug/device combination products for CE marking applications, Canadian medical device applications, and 510(k) submissions. The most favorite part of his job is training others. He can be reached via phone 802.258.1881 or email. You can also follow him on Google+, LinkedIn or Twitter.

What are the secrets to success in responding to an FDA RTA Hold? Read More »

Jun 10 2021

Which changes are forgotten in your MDR labeling procedure?

1 Comment / CE Marking / By Robert Packard

Did you forget any of the MDR labeling procedure requirements when you were updating your device labeling for CE Marking?

MDR Labeling Procedure

Don’t forget to subscribe to our YouTube channel for more medical device quality and regulatory training. The topic of this article is how to create an MDR labeling procedure for compliance with Regulation (EU) 2017/745 (MDR) for CE Marking of medical devices. The MDR does not actually include a requirement for a labeling procedure. In fact, the MDR doesn’t even specifically require that you have ISO 13485:2016 certification. ISO 13485:2016, clause 7.5.1 states that you shall implement “defined operations for labeling and packaging,” but the standard doesn’t specifically say that “the organization shall document procedures” for labeling. In 21 CFR 820.120, the FDA states that “each manufacturer shall establish and maintain procedures to control labeling activities.” But there is no similar requirement in the MDR.

MDR Quality System Requirements

Article 10 is the section of the MDR that defines the obligations for device manufacturers to create quality system procedures, but a labeling procedure is not specifically mentioned. Article 10(9)(a) states that your quality system shall include “a strategy for regulatory compliance, including…procedures for management of modifications to the devices covered by the system,” and this would include label changes and other control of other design changes. The next paragraph states that your quality system shall include, “identification of applicable general safety and performance requirements.” The general safety and performance requirements (GSPRs) are found in Annex I of the MDR, and the very last GSPR (i.e. GSPR 23) is for your label and instructions for use.

Then, which changes do you need to make for the MDR labeling procedure?

The GSPRs in Annex I of the MDR are longer than the Essential Requirements that were in the MDD. In addition to the new requirements for UDI compliance (which you should address in a UDI Requirements Procedure), GSPR 23 has new general requirements (i.e. 23.1) and new requirements for information on the sterile packaging (i.e. 23.3). There is also a more detailed specification for the information on the label (i.e. 23.2) and the information in the instructions for use (i.e. 23.4). The approach for demonstrating compliance with the GSPRs suggested in the MDR is to provide a checklist. Therefore, most manufacturers of CE Marked devices have replaced their Essential Requirements Checklist (ERC) with a GSPR checklist. However, if you are reviewing a draft label for approval, you don’t want to review and update your entire 22-page, GSPR checklist for every label.

The more efficient approach is to create one or more labeling checklists that are specific to the requirements in GSPR 23. If you create a separate checklist for the label, the information on the sterile packaging, and for the information in the instructions for use, then you would have three shorter checklists to complete. The label checklist and the checklist of the information on the sterile packaging would be only one page each, while the checklist for the instructions for use would be approximately four pages. There may be additional labeling requirements for specific countries and types of devices. Electrical medical equipment also has specific labeling requirements in IEC 60601-1 and IEC 60601-1-2. You will also need to create a user needs specification that can be used as criteria for summative usability testing (i.e. validation that the design and risk controls implemented meet the user needs specification). You should also document a use-related risk analysis (URRA), and perform formative testing, in order to identify critical tasks which need to be in the instructions for use to prevent use errors.

Are there any other MDR requirements that you should address in a labeling procedure?

There are two other requirements that should be addressed in your labeling procedure. The first is the general labeling requirements in GSPR 23.1. Withing GSPR 23.1, there are actually nine “sub-requirements.” The first “sub-requirement” in GSPR 23.1 is to provide the identity of the device, your company, and any safety and performance information needed by the user on the packaging or the instructions for use, and on your website. Many manufacturers do not want to make this information available on their website, because it makes it easier for competitors to copy the instructions for use, but this is not optional. This requirement and the other eight requirements in GSPR 23.1 could be included in your procedure or as part of a fourth labeling checklist associated with your MDR labeling procedure.

The second requirement is the requirement to translate your instructions for use into an official Union language(s) determined by the member state where your device will be made available to the intended user or patient. Creating these translations, and verifying the accuracy of the translations, can be expensive and burdensome–especially if your device is sold in most of the member states.

You might also consider implant cards as labeling requirements and try to add them to your MDR labeling procedure. However, if the requirement for implant cards (see Article 18 of the MDR) is applicable to your company you should create an implant card procedure instead because this is a detailed and critical requirement that will not apply to most of the other labels in your company. You should make sure that the implant card procedure is compliant with MDCG 2021-11 released in May 2021 and MDCG 20201-8 v2 release in March 2020. These guidance documents also have great examples of how to design your implant cards.

Other changes in labeling requirements

The ISO 15223-1:2016 standard has been revised and was expected for release at the end of 2020. However, only draft versions are currently available (i.e. ISO/DIS 15223-1:2020). This new version of the standard for symbols to be used with labeling will also need to be updated shortly in your MDR labeling procedure. This new version is already referenced in the medical device standard for information provided by the manufacturer (i.e. EN ISO 20417:2021)–which supersedes EN 1041:2008. Consultants and chat rooms have argued over whether the requirement for identifying the importer must be on the label or if it could be presented in other documents. EN ISO 20417:2021 resolves this dispute in section 7.1: “Where necessary, the label of a medical device or accessory shall include the name or trade name and full address of the importer to which the responsible organization can refer.” In the note following that clause, it clarifies that “This can be required by the authority having jurisdiction.” There is even a new symbol referenced for importers (i.e. Symbol 5.1.8 in ISO 15223-1).

If you have specific questions about device labeling or MDR compliance, please use our calendly app to schedule a call with a member of our team. You can also purchase our labeling and translation procedure (SYS-030) to save yourself the time and effort of making your own versions of the labeling checklist described above.

About the Author

Which changes are forgotten in your MDR labeling procedure? Read More »

May 20 2021

Before 510k clearance, 10 quality tasks you need to prevent unexpected delays

Leave a Comment / 510(k) / By Matthew Walker

The US FDA does not require that 100% of your quality system be implemented before 510k clearance, but these 10 activities need to be done.

The form above allows you to register for a live webinar we are hosting on Friday, May 21, 2021 @ 1 pm EDT. The webinar will share the 510k project management lessons learned by our team since 2016. In addition to 510k project management, MedTech companies also need to implement their quality system in parallel with their regulatory submissions. Some people say that you need to implement your quality system before you submit your 510k. That is not an FDA requirement, but you do have quality system activities that need to be done before you will have all of the technical documentation you need to submit a 510k. This article describes 10 quality tasks you need to prevent unexpected delays.

Design & Risk Management Planning

Design & Risk Management Planning is your 1st priority because you want to identify all of the major activities that need to be completed in your design and risk management processes and which activities are critical path items. Otherwise, you will have unexpected delays. You can and should add details to the plan as you go, but items 2-9 listed below should be included in that initial plan–along with your design and risk management activities.

Risk Management Activities are Needed Before 510k Clearance

Risk Management is your 2nd priority because it’s an input to almost everything else listed below – this includes hazard identification, creating a use-related risk analysis (URRA), and identifying cybersecurity risks if you have software/firmware. Reference: ISO 14971:2019 Medical devices — Application of risk management to medical devices. Cybersecurity depending on the device should evaluate security as an overlapping but separate area from risk management. (Reference AAMI TIR57: 2016 Principles For Medical Device Security – Risk Management.)

Formative Usability Testing

Formative Usability Testing is your 3rd priority because this helps you evaluate your device design while it’s still evolving. Formative testing helps you identify opportunities for improvement, provides confirmation that your design is moving in the right direction, and identifies potential use errors while there is still time to implement effective risk controls such as alarms and other safety features. References:

Software Validation is Needed Before 510k Clearance

Software Validation is your 4th priority because it must precede electrical safety testing for electromedical devices and most companies underestimate the time required to document software validation in accordance with IEC 62304:2006 / AMD 1:2015 and the FDA’s five guidance documents:

Supplier Qualification is Needed Before 510k Clearance

Supplier qualification is your 5th priority because you do not want to order all of your prototype parts for the initial testing parts and then find out that the supplier is not capable of supporting you commercially. If you have to switch suppliers you might be forced to repeat biocompatibility testing and other design verification testing due to changes in the manufacturing process. Implementation of a supplier qualification process before 510k clearance is needed.

Label & IFU Requirements Specifications

Label requirements and instructions for use requirements specifications is your 6th priority because you cannot perform electrical safety testing or design validation (including summative usability testing) of your device without labeling and instructions. These requirements are the design inputs for information provided to the user and these must be controlled under design controls rather than document control.

Packaging Specifications

Packaging specifications is the 7th priority you should implement before 510k clearance because the packaging is needed to maintain sterility, to ensure product stability, and to protect the product from shipping. Companies are also frequently surprised by the long lead times associated with ordering custom packaging and you may not have the budget to validate sub-optimal “stock” packaging for your 510(k) submission and then repeat the validation for the optimized packaging later.

Quality System Implementation

Quality system implementation is the 8th priority for implementation before 510k clearance because you will need a fully functional quality system by the time your 510(k) is cleared. Quality system implementation typically takes 6+ months while the 510(k) review should take 4 months or less. Quality system implementation includes writing 25+ procedures, reviewing and approving those procedures, training your employees, and actually using those procedures to begin generating quality system records. For companies that are pursuing Canadian Licensing or CE Marking, the quality system must be fully implemented and certified before the regulatory submission is possible. (Quality System Requirements for the U.S. FDA are outlined within 21 CFR 820-Quality System Regulation)

Summative Usability Testing

Summative usability testing should happen after Design Freeze or you risk having to backtrack in your design process if this validation test reveals a need for device changes. The FDA’s 2016 Usability Guidance explicitly defines this validation testing as just a portion of overall design validation. (Reference Applying Human Factors and Usability Engineering to Medical Devices Guidance for Industry and Food and Drug Administration Staff (2016))

Apply for Small Business Status Before 510k Clearance

Application for small business status should be the 10th priority for implementation before 510k clearance because this can save your company $16,000+ but it requires that you submit your application at least 60 days before you need to pay the 510(k) user fee.

About the Author

Matthew Walker – QMS, Risk Management, Usability Testing, Cybersecurity

Matthew came to us with a regulatory background that focused on OSHA and NFPA regulations when he was a Firefighter/EMT. Since we kidnapped him from his other career, he now works in Medical Device Quality Management Systems, Technical/Medical Writing and is a Lead Auditor. He is currently a student in the Champlain College’s Cybersecurity and Digital Forensics program, and we are proud to say that he is also a member of both the Golden Keys and Phi Theta Kappa Honor Societies! Matthew participates as a member of our audit team and has a passion for risk management and human factors engineering. Always the mad scientist, Matthew pairs his professional life in regulatory affairs with hobbies in the culinary arts as he also holds a Butchers/Meat Cutters certificate from Vermont Technical College.

Email: matthew@fdaestar.com

Connect on Linkedin: http://www.linkedin.com/in/matthew-walker-214718101/

Before 510k clearance, 10 quality tasks you need to prevent unexpected delays Read More »

Jan 5 2021

Contract Manufacturers Need Strong Risk Management Processes

1 Comment / ISO 14971:2019 (Risk Management) / By Robert Packard / contract manufacturers, risk analysis, Risk Management

This blog discusses why contract manufacturers need to have a strong risk management process, and your company needs to help your contract manufacturers. This article was updated on April 28, 2022, and the original publication was January 05, 2011. Please ignore the date of publication at the top of the post for articles that are more than a year old.

Can contract manufacturers exclude risk management from the scope of their quality system?

Most contract manufacturers in the medical device industry exclude design from their Quality Management Systems. Unfortunately, most of the contract manufacturers also associate risk management with only the design process. Risk Management cannot be “not applicable” in an ISO 13485 Quality Management System. The requirement of section 7.1 is: “The organization shall establish documented requirements for risk management throughout product realization. Records arising from risk management shall be maintained.” The Standard also references ISO 14971 as a source of guidance on Risk Management.

Medical Device Academy also offers a Two-Part Risk Management Training Webinar for ISO 14971:2019.

Have you experienced an audit dialogue at a contract manufacturer similar to this?

The auditor asks, “How do you manage risk throughout the production process?” Then the auditee responds, “That is the responsibility of our customers. We will prepare a risk analysis if customers pay for it, but usually, customers do the risk analysis.”

For a contract manufacturer, compliance with ISO 14971 is not my primary concern as an auditor. My primary concern is to verify that contract manufacturers analyze risks associated with the processes that they perform and do their best to minimize those risks. What I don’t understand is why more companies don’t want to have strong risk management processes. Risk management is how we prevent bad things from happening. Bad stuff like scrap, complaints, and recalls. Should we expect our suppliers to have a strong risk management process?

Duh.

Why your company needs to be involved in the risk management process?

Contract manufacturers should be doing everything they can to get better at risk management. During pre-production planning, they should be asking, “What happens if…” The contract manufacturer knows best HOW things will fail in production, while the customer knows best WHAT happens when things fail in production. To be safe and effective, both companies need to collaborate on risk analysis.

In any risk analysis, you need to estimate the severity of potential harm and the probability of occurrence of that harm. For production defects, the contract manufacturer can estimate the probability of occurrence of defects (i.e., P1 in Annex E of ISO 14971:2007), but the likelihood of occurrence of harm is less. The probability of occurrence of harm is the product of multiplying P1 and P2. The probability that occurrence will result in harm is P2, and P2 is a number that is less than 100% or 1. Your company can gather pre-market clinical data and post-market clinical data to estimate P2, but before launching your product, you can only guess at the value of P2. Your contract manufacturer, however, is not able to estimate P2 at all. It’s ok to estimate risk without P2 during the design phase because this will overestimate risks and result in more conservative decisions.

In addition to P2, your contract manufacturer is also not capable of estimating the severity of potential harm. As the designer of the medical device, you will know best how your device is used and what the likely clinical outcomes are when a device malfunctions. There may even be multiple possible clinical outcomes. The contract manufacturer knows what can go wrong during manufacturing, but you will need to define the clinical outcomes due to malfunctions.

Why do contract manufacturers avoid doing risk analysis?

The reason contract manufacturers avoid doing risk analysis is because it’s time-consuming and tedious.

Too bad, so sad.

Balancing my checkbook is time-consuming and tedious too, but I balance my checkbook to prevent an overdraft charge. Not doing a risk analysis can be much more painful. Scrapping out a part can cost tens or hundreds of dollars. Complaints can cost thousands of dollars. Recalls can cost millions of dollars.

If I owned a contract manufacturing company, I would ensure that everyone in the company is involved in risk management. We don’t want scrap, we can’t afford mistakes that lead to complaints, and a recall could put us out of business.

How Medical Device Academy Can Help?

Medical device academy can help both the contract manufacturer and the specification developer utilizing a contract manufacturer as a supplier! We offer training on 14971:2019 as well as procedures on risk management and supplier quality management.

Two-part Risk Management Training Webinar for ISO 14971:2019 – Part 1 of this webinar will be presented live on Tuesday, March 29 @ 9-10:30 am EDT. Part 2 of this webinar series will be presented live on Tuesday, April 5 at 9-10:30 am EDT. Purchase of this webinar series will grant the customer access to both live webinars. They will also receive the native slide decks and recording for the two webinars.

Contract Manufacturers Need Strong Risk Management Processes Read More »

Nov 17 2020

Supplier Qualification: How To Get The Best Results

1 Comment / Supplier Quality Management / By Robert Packard / ISO, supplier qualification

In this article, you will learn strategies for better supplier qualification to obtain the highest quality components and services.

Supplier Qualification in ISO 13485:2016

Section 7.4 of EN ISO 13485:2016 states that companies shall “evaluate and select suppliers… based on their ability to supply product in accordance with the organization’s requirements.” This requirement is quite vague, but the medical device industry has developed a surprisingly limited number of approaches to address the requirement of this clause.

The most common approach is to ask for some combination of the following:

ISO certification,
a copy of the Supplier’s Quality System Manual,
completion of a Supplier Questionnaire and
performing a Supplier Audit.

Unfortunately, all four selection criteria are flawed.

ISO Certification

I think the best way to explain why these criteria are flawed is to use an analogy. Let’s compare qualifying a new supplier with recruiting a new employee. ISO certification is sort of like a college degree. You can make some general assumptions about a potential job candidate based upon which school they got their engineering degree from, but the degree is still just a piece of paper on the wall. As the old joke goes:

” What do you call the person that graduated last in their class at medical school?“

Doctor

Some registrars have a better reputation than others. Still, the name of the registrar is only as good as its worst client—who had four major nonconformities during their last audit and is about to lose that certificate. To improve this approach to supplier qualification, a potential customer could ask for a copy of the most recent audit report. This information is dependent upon the quality of the audit, but this would be a significant improvement over requesting a copy of the certificate.

CAUTION: Audits are still just samples—tiny samples.

Again, like degrees, certification must be relevant. ISO 9001:2015 may be a ‘nice-to-have’ quality for potential suppliers. However, it doesn’t hit the mark if you need them to have ISO 13485:2016 certification. Perhaps you need a European Normative version, or A11:2021 as well. For example, sometimes any law degree might be appropriate. Sometimes you specifically need a degree in healthcare law.

This makes it important to establish the criteria for your supplier evaluation early on in the process. Not just because it is required for standard compliance. It is difficult to evaluate a supplier with no guidance on how or what to evaluate them against.

Supplier Quality Manual

The second selection criteria mentioned is The Quality Manual. The Quality Manual is analogous to a resume. The purpose of a resume is two-fold: 1) to provide an interviewer with information, so they can ask the interviewee questions without looking like an idiot, and 2) to provide objective evidence that a company did not illegally discriminate against a candidate that the hiring manager did not like.

I suppose you could argue that the purpose is to help candidates get a job, but in my own experience, less than 10% of resumes submitted result in a job interview—let alone a job offer. The purpose of a Quality Manual is NOT to help a company get new customers. If I am wrong about this, I need to do a much better job of marketing my Quality Manuals in the future.

Some suppliers have the nerve to say that their Quality Manual is proprietary. Humbug! Proprietary information should not be in the Quality Manual. You can copy a manual from another company and edit a few of the details. I will gladly write you a Quality Manual in less than a week that will pass any auditor’s review. You can even buy a Quality Manual online (In fact, Medical Device Academy sells one… Online! POL-001 Quality Manual). This almighty document just explains the intent of the Quality System—which is to conform to the requirements of the ISO Standard. Several auditors will tell you that this can be done in just four pages.

When you request a Quality Manual from a supplier, your primary intent for supplier qualification should be to use this document for planning a supplier audit. Any other purpose is just a waste of your time—unless you need to write a Quality Manual of your own.

Supplier Qualification Questionnaire

The third selection criteria I mentioned was: a supplier questionnaire or supplier survey. Questionnaires are analogous to employment applications. Coincidently, supplier questionnaires are often required by companies when a Quality Manual or ISO Certificate is not available. Do you find the similarities eerie?

Questionnaires are typically 15-20 page documents that someone has plagiarized from a previous employer. I have seen various versions of this questionnaire, but several of them appear suspiciously similar. Hmmm?

I am not sure what the original intent of this type of document was, but I think it was intended to capture detailed information about potential suppliers for a company in the Fortune 500^®.

For most companies, 80% of the information on the questionnaire is meaningless. Customer requirements for a supplier are typically few in number and specific to the product or service being purchased. Therefore, please use your MRP system as a template and ensure that the questionnaire answers all the information you need to add the supplier to your system as an approved supplier. You should also have a product or service specification that gives you some more questions to ask.

Ideally, your questionnaire will be organized in the same order that you enter the information into the MRP system. Then this questionnaire will make the data entry easier for the purchasing agent, adding the supplier to the database. Questionnaires and surveys are great, but brevity is next to Godliness.

Supplier Qualification Audits

Finally, we come to the auditor’s favorite—supplier audits. Audits are similar to job interviews. Ideally, you want a cross-functional audit team, and you might need to visit more than once. Unfortunately, most companies cannot afford to audit every supplier. Some companies supplement with remote audits. I guess I think of a desktop audit as a “phone interview.” I use phone interviews to prescreen candidates before I pay more money and waste other people’s time with on-site interviews. Desktop audits of suppliers should not be used as a replacement for an on-site audit, so your supplier quality engineers do not have to spend so many nights at the Hampton Inn.

If audits are your best selection criteria, how can you make the most of your auditing resources? Also, how can you audit for supplier qualification if you only have enough auditors to audit 5% of the approved supplier list? I have the following suggestion: “Start at the end.” You might consider reviewing our article on hiring an auditor.

ISO 13485:2016 Clauses 8.5.2 / 8.5.3 CAPA

What I mean by this cryptic, four-word phrase is that auditors should start at the end of the ISO Standard with sections 8.5.2 & 8.5.3 (Corrective and Preventive Action (CAPA) Process). This is the heart of a Quality System. If you disagree, remember that FDA inspectors are required to look at the CAPA system during every Level 1 inspection. Registrars also look at the CAPA process during every assessment—not just the certification audits. The purpose of the CAPA process is to fix problems, so they don’t come back—ever.

If you think that a new supplier is never going to make a mistake, you might as well quit looking. You want suppliers with strong CAPA systems. If a supplier has a strong CAPA system, problems will be fixed quickly and permanently. To sample the CAPA process, an auditor only needs the following: 1) the CAPA procedure(s), 2) the CAPA log(s), and 3) a handful of completed CAPA records—selected not so randomly from the log(s). This can all be done remotely in a desktop audit. If suppliers are resistant to giving you the log or actual records, ask them to redact any sensitive information. If you have executed a nondisclosure agreement, the supplier should agree with this approach.

Analysis of Data for Supplier Qualification

ISO 13485:2016 Clause 8.4 Analysis of Data

Working from the back of the Standard, the next process to sample is clause 8.4 (Analysis of Data). There are four requirements of this clause. If the company has a requirement for customer satisfaction to be measured (ISO 9001:2008 section 8.4a), this is a great place to focus. There are also requirements to look at the trend of product conformity (8.4b), process metrics (8.4c), and trends in supplier data—such as on-time delivery and raw material nonconformities (8.4d). The quality of the analysis will tell an auditor as much about the company as the data itself. This process audit can also be performed remotely as a desktop audit.

A lot has changed since this article was first written. For example, if your potential supplier isn’t using ISO 9001:2015 you may want to verify that other areas of their quality management system aren’t outdated as well.

ISO 13485:2016 Clause 8.3 Control of Nonconforming Materials

Clause 8.3, Control of Nonconforming Materials, is the third area to look at. To sample this area, you will need the “Holy Trinity” again: 1) procedure, 2) log, and 3) records. In this desktop audit, you want to look very closely at any nonconforming materials that are reworked or accepted “as is” (i.e., UAI). Either of these two dispositions should be ULTRA-RARE. Everything else should be processed efficiently as scrap or returned to the Vendor (i.e., – RTV).

If a potential supplier passes all three “tests” described above, you are ready to address clause 8.2.4—Monitoring & Measurement of Product. In this section, there is a requirement to maintain records of product releases and to verify that product requirements are met. for supplier qualification, if you think you can effectively audit this by paperwork alone, the supplier is a good candidate for “desktop only.” However, if the lot release paperwork, batch record, or Device History Record (DHR) is a 50-page tome—then you better make your flight plans.

The good news is that very few suppliers will pass the first three tests and implode during the on-site audit. Also, with three process audits complete, you should be able to reduce the duration of your on-site audit. Finally, for low-risk suppliers, you have a strong basis for provisional approval of suppliers to proceed with prototype runs before you schedule an on-site audit. If you need a procedure for supplier qualification, please check our Supplier Quality Management Procedure (SYS-011).

For more information on supplier controls, quality systems, auditing, and regulatory submissions visit our YouTube Channel!

Supplier Qualification: How To Get The Best Results Read More »

Jul 5 2020

What is 510k Content Format

1 Comment / 510(k) / By Robert Packard

This article defines the 510k content format for an FDA 510k pre-market notification submission in accordance with the September 13, 2019, FDA guidance.

What is a 510k?

A 510k submission is a pre-market notification submission to the FDA. The “510(k)” designation refers to the applicable section and sub-section of the Food Drug & Cosmetic Act. The “pre-market” designation is a reminder that companies must submit a 510k submission before marketing their products. Finally, the “notification” part of the phrase is used instead of the word “approval” because the FDA does not consider the 510k review process to be an endorsement or approval of your product. Instead, the 510k review process is a review by the FDA to determine if your product meets the requirements of substantial equivalence with a predicate device. The FDA initially performs a prescreening of the 510k submission to verify that it meets the minimum requirements for 510 content format. Then during the 510k substantive review process, the reviewer must answer six questions in the substantial equivalence decision tree:

Is the predicate device legally marketed?
Do the devices have the same intended use?
Do the devices have the same technological characteristics?
Do the different technical characteristics of the devices raise different questions of safety and effectiveness?
Are the methods acceptable?
Do the data demonstrate substantial equivalence?

The 510k process was not intended to be the primary process for regulatory approval by the FDA. The 510k process was intended to be a simplified approach for clearance of devices that are of moderate-risk and similar in design and intended use to another moderate-risk device that is already on the market. However, the process was manipulated as a loophole by device companies to avoid the more rigorous pre-market approval (PMA) process that requires conducting a clinical investigation.

Recent changes to the 510k review process are much deeper than the 510k content format

In approximately 2010, the FDA gradually started making changes to the 510k process. The FDA started publishing more guidance documents specifying both collateral guidance documents that apply to all device classifications (e.g., biocompatibility and human factors ), and particular guidance documents that apply to only a small number of product classifications (e.g., CADe). In 2012, the FDA implemented a new policy called the Refusal to Accept (RTA) Policy for 510(k)s. The FDA implemented this policy to improve the general quality of 510k submissions. All submissions are now subject to a 15-day review of the 510k content format to ensure that the submission includes all 20 required sections required by the FDA, the submission includes a table of contents and page numbering, and the various sections of the 510k include basic elements that are frequently forgotten by companies. Initially, more than 60% of the 510k submissions were rejected during the RTA screening process. Still, submissions have improved, and training of the FDA personnel performing the RTA screening has resulted in a more consistent application of the RTA policy. The FDA also systematically converted each of the remaining Class 3 devices that were eligible for 510k clearance to Class 3 devices requiring a PMA. The most recent changes were the elimination of requiring the submission to include a printed hardcopy of the submission (i.e., FDA eCopy only) and no longer allowing predicates that are more than ten years old.

FDA requirements for 510k Content Format

The FDA requires that your 510k submission is organized into 20 sections as described in section V of the table of contents of the September 13, 2019, FDA 510k guidance document. The FDA no longer requires a hardcopy of the submission. Now the FDA only requires an electronic copy (i.e., FDA eCopy) with a hardcopy of the 510k cover letter. The cover letter may be included in the eCopy, but it is not required. The FDA eCopy guidance document was updated on December 16, 2019.

The FDA eCopy guidance gives you the option of organizing the 20 sections of a 510k into 20 volumes with multiple documents in each volume or to submit sequentially numbered documents. The word “volume” refers to electronic folders in the FDA eCopy rather than physical binders. There is no right or wrong choice regarding volumes—if your eCopy uploads. The answer to this question is personal preference. The FDA recommends that multiple volumes be used for more extensive submissions, but using the same process for every 510(k) submission makes submission teams more efficient. It also is more comfortable for the FDA to navigate between documents when they are not in separate volumes. Therefore, the document structure is generally best for the FDA, and the volume structure is usually best for the company to prevent the need for renumbering files and file names. We always use the volume structure for every submission, even pre-submissions. Submissions are organized into 20 volumes to match the 20 sections of a 510k submission. If we include an RTA Checklist, then we add a 21st volume. The FDA recommends using the 21st volume for miscellaneous appendices, but the volume structure of the submission makes it easy to insert miscellaneous content directly into the applicable sections by adding documents after the initial section summary document.

Overall Numbering or Numbering within Sections?

Again, this is a personal preference. However, there are always last-minute changes to documents. Therefore, whichever numbering system you use should minimize the need for the last-minute renumbering of the entire submission. This is especially painful when you number the overall submission, and then you add a page to the middle of the submission when you are trying to ship out your submission that day. By numbering only the sections, you reduce the amount of rework required. Our firm deviates slightly from the “numbering within sections” requirement. In the table of contents, we indicate how many pages are associated with each document in a volume, and then we start each document with page 1. One FDA reviewer recently requested that we modify this to “page x of y,” where “x” is the page number of that document, and “y” is the total number of pages in the document. Therefore, we updated all of our templates to reflect the “page x of y” format for page numbering.

510k Format Content: Using Your Table of Contents for Project Management

When I was less experienced, I used project management software and action item lists to manage submission projects. Experience has taught me to simplify. Now I only use an action item list to track the progress of individual tasks. To track the overall submission, I now use the table of contents as my project management “report.” If you color-code the rows of your table of contents, you can communicate the status of each document in the submission. At the beginning of the project, all the rows indicate documents are not yet started—signified by the color red. Once I being a document, I change the color to yellow. Finally, when the document is completed, I change the color of the row to green. Three documents require the signature of the official correspondent with the FDA:

510k Cover Letter
Certification Regarding Confidentiality
Truthful and Accuracy Statement

Once these three documents are completed, they still need a signature that should only be applied just before we prepare the eCopy. Therefore, I signify the status of documents waiting for signatures with blue rows. A couple of people struggle with reformatting row colors, but every single person on your team will understand that they want the table of contents to gradually change from red, to yellow and finally to 100% green.

What is 510k Content Format Read More »

Jul 1 2020

Why remote audit duration should never exceed 90 minutes

1 Comment / Auditing, ISO Auditing, Remote Auditing / By Robert Packard

This article explains why remote audit duration should not exceed 90 minutes and the unique opportunities created by a series of short remote audits.

Parkinson’s Law and the subject of audit duration

On November 19, 1995, Cyril Northcote Parkinson published an essay in the Economist. The title of the article was “Parkinson’s Law.” In the first sentence of the essay, Parkinson says, “It is a commonplace observation that work expands to fill the time available for its completion.” This essay refers to the observation that work is elastic concerning the demands on time when completing paperwork. When I first trained as an auditor, trainers emphasized that the most significant challenge faced by auditors is to complete an audit within the time available. An auditor’s task is to achieve the audit objectives within the time specified by the audit program manager. Time is precious, and you cannot easily extend the audit duration after scheduling the audit.

How much time is needed for a full quality system audit?

This question is a silly question to ask a consultant that works on an hourly basis. A consultant working on an hourly basis will make more money if they work more hours. Therefore, there is little incentive to underestimate the time required to complete the objectives of an audit. However, after completing hundreds of audits, I can honestly state that eight hours is not enough time to perform a full quality system audit of a medical device company’s quality system. However, I completed a full quality system audit of a small company in less than two days. I also had difficulty completing an audit of a larger company in four days. An FDA inspector typically requires four days to complete a routine inspection, even at foreign manufacturers where English is a second language, and they only need to return on the fifth day to prepare their FDA 483 observations to give to the company. Therefore, three days is typically the absolute minimum time required to complete a full quality system audit.

Does Parkinson’s Law apply to audit duration?

Parkinson’s Law certainly applies to the audit duration. If the lead auditor assigns a team member to review the CAPA process, the task is unlikely to be completed in 30 minutes, and most auditors would struggle to appear busy for more than three hours. You need enough notes to provide objective evidence of conformity for your audit report, but if you finish too quickly, then others may perceive that you were not thorough. Therefore, most auditors will begin any process audit by asking for a copy of the procedure and a log of the records available. The auditor will quickly review the procedure’s revision history to determine when the last revision was made and if there have been any significant revisions since the last audit. Next, the auditor will review the log to estimate how many records should be sampled. The auditor will then estimate how much time is needed to review the sampled records. Finally, a quick mental calculation is made to determine how much time remains for procedure review before the auditor must move on to interview the next subject matter expert.

Why are auditors always behind schedule?

An auditor begins with small, close-ended questions that are designed to put the auditee at ease. The auditor may even comment on unrelated subjects to build rapport first. Records may not be readily available, but auditors almost always have to wait for record retrieval. The request is recorded, copies are made, and the subject matter expert may need a little time to review before handing the auditor the requested record. Auditors will ask clarifying questions, and auditees will need a few moments to check their facts. Any one of these delays is insignificant by itself, but collectively there may be two-and-half minutes of delay cumulatively for each record requested if you sample five records, which represents a combined delay 12.5 minutes. If you average only seven minutes to review each record, then a sampling of five records will require 47.5 minutes. This will leave you only 12.5 minutes for introductions, review of the procedure, and conclusions. If you want to interview any of the people that investigated root-cause, then you will need more than an hour to complete your audit, and you will not finish in the one hour scheduled.

Why is it so hard to complete a full quality system audit in three days?

Most of your process audits require a few more minutes than you expected, but you will also need time to walk to the next subject matter expert, or you will be waiting for the next subject matter expert to enter the conference room. If the quality system consists of only the minimum twenty-eight required procedures, your full quality system audit will require more than 28 hours to complete. If there are additional regulatory requirements for CE Marking or ISO 13485 certification, you will need even more time to audit every process. You should also expect certain processes to require more time to properly sample records, such as technical documentation and design controls. Even the most experienced auditors struggle to review a technical file and/or design history file in less than two hours.

What happens to an auditor after auditing all day?

As a Notified Body auditor, I used to leave my home in Vermont on Sunday afternoon and drive two hours to the nearest major airport. Then I would be gone all week conducting audits. On Friday, I would drive home and arrive in the middle of the night. Each day audits would begin early in the morning, and I would complete the day after 8.5 to 9 hours of work. Jet lag, sleep deprivation, too little exercise, and constantly eating at restaurants took its toll. I would consult my Google calendar to learn what city I was in each morning, and to remember what company I was on my schedule for the day. I would purposely try to do as much walking around during the day just to keep my blood flowing and to help stay awake. I would read documents while pacing back-and-forth in conference rooms, and I would always make sure that we had to audit the most remote area of a facility after lunch to make sure that I didn’t fall asleep. I will tell stories and jokes to entertain my hosts, but it was necessary to break up the monotony of auditing quality systems seven days a week. I would make sure I drank at least six liters of water each day for health, but this also gave me an excuse to go to take frequent bathroom breaks. Somehow I managed to survive that lifestyle for more than three years. Each day my feet, legs, back, and neck were in severe pain. I had constant headaches, and I know the quality of my work gradually declined throughout each day. The most valuable lesson I learned was, you need to move frequently, or you will die.

What happens when you sit in front of a computer for eight hours?

I can sit in front of a computer longer than almost anyone I know. When I focus on work, four hours can elapse without me getting up from a chair even once. I might pick up my empty coffee mug four or five times to take a sip before I am conscious of the need to get another cup. On days where my schedule consists primarily of Zoom meetings, I may sit through as many as six consecutive meetings before I take the time to get up and go to the bathroom and get a drink of water. Clients may perceive that I have tremendous endurance, but there are negative consequences to this work pattern. My wrist becomes sore, and I need to switch my mouse pad and the style of the mouse I am using every day. I change computers, switch microphones, and take a short walk. My neck, back, and legs will hurt worse than any of the audits during my years as a Notified Body auditor. Sitting at a computer all day has resulted in mild symptoms of restless legs syndrome. Sitting at a computer continuously for the audit duration is physically exhausting and tedious. If you must complete a remote audit on a continuous eight-hour day, you can, but it is not healthy or productive. The negative health consequences and negative impact on productivity are equally applicable to auditees.

What can you do to reduce audit fatigue during a remote audit?

The most straightforward strategy for reducing fatigue is to take breaks. Instead of auditing for eight hours continuously, try auditing in two or three 90-minutes segments each day. If you are auditing someone in a different time zone, you may only be able to accommodate an audit duration of one 90-minute session per day without working through the night. Taking breaks will allow you to leave your computer, eat food, and even go to the bathroom. You can recharge your headset during a break too. You should consider taking a walk outside. It is incredible how much better you feel when you get some exercise, stretch, and experience a little natural light instead of the unnatural glow of your computer’s monitor. The person you are auditing will appreciate the breaks, but they will also enjoy the improvement in your overall demeanor. A simple smile after a 30-minute break has a tremendous positive impact.

How can we utilize breaks more effectively during remote audits?

Auditors need documents and records to review as objective evidence. The most obvious way to make use of breaks is for the auditor to give the auditee a list of documents and records to gather during the break. This will give the auditee an excuse to go and get the documents and records if they are stored in another location. The auditee might also scan records during a break. A break also gives subject matter experts time to re-familiarize themselves with the documents and records before resuming the audit. Auditees and auditors will need to recharge batteries, but the auditor might take time to convert their notes into a summary for the final audit report. The auditor might also review the audit criteria one more time before writing a nonconformity. The auditee might take advantage of the break to initiate a new CAPA and write a draft of the corrective action plan. Then when the audit resumes, the auditee can review the draft plan with the auditor to ensure that the plan is appropriate and nothing was accidentally omitted from the CAPA plan.

Why are 90 minutes a magical audit duration?

Auditing one process in a single 45-60 minute session is ok, but if you audit two processes in a single 90-minute session, you can reduce the time spend starting and stopping the audit session by half. Adding a third process to a single session will have a smaller impact, and the meeting will need to be so long that most participants will begin to lose concentration, and fatigue becomes a significant factor. Ninety minutes is not quite long enough to audit two processes effectively. Still, an auditor can request procedures in advance of the session or spend time after the session reviewing procedures. Therefore, by paying an additional 30 minutes reviewing two procedures “off-line,” the auditor can dedicate 100% of the “on-line” time to reviewing records and interviewing subject matter experts. The result is a fast-paced, 90-minute session where each subject matter expert typically is only needed for 45 minutes. Alternatively, if you are auditing more complex records like a design history file, you can spend all 90 minutes discussing that area.

Why remote audit duration should never exceed 90 minutes Read More »

Jun 25 2020

How to make a supplier questionnaire for remote auditing

Leave a Comment / ISO Auditing, Supplier Quality Management / By Robert Packard

You already have a supplier questionnaire, but do you know how to make a supplier questionnaire to assess a supplier’s ability to support a remote audit?

The four most significant mistakes people make when designing a supplier questionnaire

In Medical Device Academy’s supplier qualification webinar, you learn how to improve your supplier qualification process by replacing the traditional methods of supplier qualification with more effective approaches to supplier evaluation. The following are four examples of how to improve your supplier questionnaire.

Supplier questionnaires should be specific to the product or service provided

The first mistake people make is to use a generic questionnaire. It would be best if you asked your supplier questions that are important to the work that the supplier will be performing. Therefore, each category of product or service should have its own set of questions. For example, important questions related to ethylene oxide contract sterilization services are the maximum size limitations for pallets in the sterilization chamber and whether the facility can conduct sterility testing on-site. However, an injection molding supplier might delay the return of your supplier questionnaire if these questions were on the survey that you send to them because they don’t understand the questions.

Supplier surveys should be more than checkboxes

The second mistake people make is to ask questions that can be answered with a “yes” or “no” response or a checkbox. These are closed-ended questions. It would be best if you always were asking open-ended questions because the response will give you more information about the supplier. In addition, most people resist responding with a “no” response even if the real answer is “no.” For example, “What is your FDA registration number?” is more useful than “Is your company FDA registered?” Another example is, “How many production lines use SPC charts?” instead of “Do you use SPC charts?” In fact, in the open-ended version of this question, you will learn if the use of SPC charts is widespread, and you learn how many production lines the supplier has.

Remember to ask suppliers to update survey surveys every year

The third mistake people make is to request that a supplier questionnaire be completed only during the initial supplier qualification process. Every year companies grow, shrink, or change. If you ask suppliers to update their questionnaire, you can use that information to determine the health of your supplier’s business. You might also discover that one supplier just added a new production capability that will allow you to consolidate more of your outsourced work with that supplier and eliminate another problem supplier. Every company has a turnover in personnel as well. It is a great idea to ask suppliers to provide contact information for multiple people in the organization, such as quality contact, billing contact, and a production planner. Eventually, you will probably need to speak with each of these people, and if one of the contacts is no longer at your supplier, you will still have two other contacts. Updating this information also gives you a hint of whether turnover is widespread or limited to a specific individual.

Supplier questionnaires should be in spreadsheet format

The fourth mistake people make is to send a Word Document for suppliers to complete (PDF format is even worse). Word and PDF formats are time-consuming to complete, and they are harder for you to analyze than a spreadsheet. Most people provide a Word document or a PDF because they are focusing on the requirement for control of records. However, if you have an electronic quality system, the supplier survey information will be part of your electronic system as soon as you enter the data into your software. Alternatively, if you have a paper-based quality system, then you can print the spreadsheet out, sign it, and date it. The huge advantage of using Excel spreadsheets is that you can copy the new data into a column next to the previous year’s responses. Then you can quickly see what changes your supplier made in the past year.

What should you add to your supplier questionnaire?

Most private companies will not share what their revenues are for the business, but as a customer, you should be more concerned with how many human resources your supplier has. Therefore, you should consider asking, “How many employees, or full-time equivalents (FTEs), work for your company?” You might also want to know if your supplier is relying on a temporary workforce. For example, “What percentage of the FTEs are temporary workers?” Many questionnaires will ask for the square footage of the facility, but this doesn’t provide you with any details about the facility layout. Alternatively, you could ask for a copy of the pest-control map for the facility. This would give you a detailed layout of the facility, and it also confirms that your supplier has a pest control plan for the facility. Another related question to ask is, “Please describe any expansion/construction projects that have been implemented in the past year or projects that are in progress (e.g., the addition of a mezzanine).” If the company added 30,000 square feet to their production area, but there was no change to the pest control plan, you might have some clarification questions for your supplier. In general, a good strategy for developing your questionnaire is to think of at least one open-ended question related to each clause of the ISO 13485:2016 standard without referencing the standard. The following are some examples that might help you:

When was the last software re-validation for quality system software?
How many active external standards is your company currently maintaining?
Please provide a list of procedures and identify the person who would be interviewed during an audit for each procedure (i.e., process owner or subject matter expert).
In the absence of the management representative, who is designated as the liaison for an FDA inspector?
What are the upper control limits for particulate counts, air viable counts, and surface viable counts in your controlled environment(s)?
On what dates was the environmental monitoring of controlled environments conducted in the last year?
Please identify how many quality inspectors are responsible for the incoming inspection?
Please list the calibration ID and equipment name for any inspection equipment that requires specialized training (e.g., CMM)?
How many suppliers are on your approved supplier list (ASL)? And how many suppliers did you audit in the past year?
How many nonconforming material reports (NCMRs) were opened in the past year? And how many NCMRs currently remain open?
How many partial or complete lots were returned to your company by customers in the past year?
Please list any corrections and removals (i.e., recalls) that your company has been involved in during the past year and the current status?

How many questions should your supplier questionnaire include?

There are 28 required procedures in ISO 13485:2016, and there are even more subclauses within the standard. It is an excellent idea to create a list of questions you might ask for each subclause, but a supplier questionnaire should not include all of those questions. Just as audits are just a sampling, your supplier survey questions should be sampling as well. You should review last year’s questions and eliminate questions that you think are not especially useful for that supplier. Some questions should be asked each year to assess if the quality system has changed significantly, and you should consider adding a few new questions each year. The best questions will require the person to perform some research to answer the questions. But it is unreasonable to expect a supplier to spend more than two hours completing a supplier questionnaire if you plan to purchase less than $20,000 in product or services.

Supplier questionnaires specific to remote auditing

In many ways, a well-designed supplier questionnaire is similar to a remote audit, because you are asking the supplier to answer multiple open-ended questions about their quality system to verify that the quality system is fully implemented and remains effective. However, due to the Covid-19 pandemic, many employees are now required to work from home, and it is not possible to physically visit certain facilities. Therefore, you should be adding three elements to your supplier questionnaire to assess your supplier’s ability to support a remote audit and to determine their ability to maintain the effectiveness of the quality system during a viral outbreak. The three elements are 1) policies for personal protective equipment for employees and visitors, 2) business continuity plans to maintain internal operations and to ensure redundancy of crucial suppliers, and 3) availability of digital documents and records or paper documents and records via video conference software. These three areas were also the subject of a previous blog on changes triggered by Covid-19. It would help if you also asked about the availability of hardware and software communication tools for conducting a remote audit. You might ask your supplier, “Which areas of your facility can we observe during a remote audit using live video conferencing (e.g., Zoom mobile application)?” and “What experience does your company have in the use of Zoom as a video conferencing tool?”

Access to documents and records during remote audits

During a remote audit, you will need to access documents and records virtually. If your supplier can participate via a video conferencing tool with a high definition web camera or smartphone, then you should be able to see any documents and records that you could normally see during an on-site audit. However, your supplier will need to hold the document or records steady, possibly by using a music stand and a camera tripod so that you can take notes regarding the contents of the document or record. You will also need a way to record your notes. You might try using a Pixelbook or similar computer to write your audit notes. At the same time, you watch the video conference using a second computer–possibly on a conference room projector screen or large flat screen monitor. You could also use a tablet, such as remarkable. Of course, you can always use a pad of paper and a pen and then transcribe your notes later. All of these methods will be faster and more convenient than digitally scanning each document and uploading the documents to a shared folder or sending the scanned document by email.

It would help if you also were asking your supplier which records are already available digitally. You can expect all of the quality system procedures to be available in digital formats, but many records may already be available electronically as well. For example, purchase orders, quality system certificates, drawings, and blank forms should be available in digital format. In a supplier audit, you typically will focus on a subset of the quality system records that are related to production process controls, purchasing, incoming inspection, shipping, and control of the nonconforming product. Asking your supplier which of these records are available in digital format will help you determine which records you need to request from the supplier in advance and which records can be requested on-demand.

How to obtain our supplier questionnaire template (FRM-004)

If you are interested in purchasing our supplier questionnaire template, FRM-004, it is included with the purchase of our supplier qualification webinar. If you think of any new questions to add to this template, please email me at rob@13485cert.com. Just put “FRM-004 Suggestion” in the subject line.

How to make a supplier questionnaire for remote auditing Read More »

Jun 9 2020

How to avoid the most common supplier evaluation mistakes

1 Comment / Supplier Quality Management / By Robert Packard / supplier qualification

The focus of this article is on the process of supplier evaluation and re-evaluation for medical device companies and how to document your evaluations.

You have several suppliers today, but did you have a rigorous supplier evaluation process when you first hired those suppliers? If your business is going to be successful, you need to treat your supplier evaluation process as a critical strategic process. Supplier qualification and is more important than the hiring of any senior manager. ISO 13485:2016 requires you to have a procedure for supplier evaluation and re-evaluation, but the type and extent of your supplier controls are not specified.

Which of your suppliers are critical or crucial?

Crucial suppliers were defined in a draft policy published by the European Commission as part of the introduction of the requirement for unannounced audits. Essential suppliers make a component or subassembly that is high-risk, or your firm cannot easily purchase the component or subassembly from another supplier. Critical suppliers for medical device manufacturers fall into one of three categories: 1) a contract manufacturer, 2) a contract sterilizer, or 3) a contract packager or labeler. These three types of suppliers may be selected for unannounced audits by a Notified Body. The FDA also requires these three categories of suppliers to register their facility.

Should you establish other supplier evaluation categories?

The short answer is no. The purpose of categories is to ensure that a large number of suppliers are consistently managed. Instead, try reducing the number of suppliers you are managing. Give your best suppliers more work, and fire the worst suppliers. If a component is “single-source,” encourage another supplier to quote that business before you look for a new supplier. It would be best if you took the time to evaluate each supplier thoroughly. If you don’t have the supply chain resources to do this, then you have three choices: 1) hire another person to help manage your supply chain, 2) fire suppliers that are not meeting your requirements, or 3) replace the weakest member of your supply chain team.

How do you re-evaluate existing suppliers now?

There are a lot of possible answers to this question, but unfortunately, the most common answer is, “because that’s who we’ve always used.” This practice, referred to as “grandfathering,” is a horrible approach to supplier re-evaluation. Suppliers that miss your requested delivery dates, and suppliers that ship nonconforming product should be required to implement supplier corrective actions immediately. You need to follow-up on these corrective actions and verify that the corrective actions were effective. If the corrective actions are not effective, or if new supplier issues occur, then you should find an alternate supplier as soon as possible.

Another stupid reason for selecting a supplier is “because they were the lowest bidder.” There’s an old government contracting joke about this strategy. It sounds something like this, “a million mission-critical parts, designed by engineers that have no clue what the real world is like, built by the lowest bidder, and inspected by a bureaucrat that can be bribed with a bottle of wine and some prime rib.” I tend to discount the quality of the lowest bidder every time. I always wonder what they forgot to consider when they bid on the job. If the lowest bidding supplier can explain why they have an inherent advantage over their competition, then maybe you should consider hiring them. If there is no rational reason why a supplier’s pricing is below their competition, this usually means that the supplier is desperate, or they plan to increase their pricing after you are a customer.

What should be your supplier evaluation and re-evaluation criteria?

All medical device suppliers should have a quality system, but ISO certification is not required. Therefore, if a supplier has ISO 13485 certification, you might abbreviate your initial supplier qualification process. However, ISO 13485 certification should have minimal impact upon your on-going supplier evaluation process. You need to know how well your supplier’s quality system is being maintained. If your supplier is sharing copies of their annual surveillance audits and FDA inspection reports with you, this will give you a better indication of the quality system effectiveness.

Consider performing supplier audits for supplier evaluation

Although it is not required, the best way to evaluate the effectiveness of a supplier’s quality system is to perform a supplier audit. Specifically, you should focus on the processes that are directly related to your product or component. Production process controls and final inspection are the most critical areas to audit. Other areas that are important to consider for supplier audits are 1) incoming inspection, 2) purchasing controls, 3) shipping, and 4) control of nonconforming materials. Conducting a supplier audit using the process approach is the most effective method. The process approach method of auditing will ensure that document control, record control, calibration, process validation, and training are sampled as support processes. The supplier audits may also be conducted as on-site audits or remote audits.

Certificate of Conformity (CoC) vs. Certificate of Analysis (CoA)

Another supplier evaluation criteria should be product conformity. You should be reviewing more than whether your supplier shipped the correct product and the correct quantity. Did your supplier provide a Certificate of Analysis (CoA) that summarized the inspection methods, acceptance criteria, and the inspection results? Or do you verify that a Certificate of Conformity (CoC) was included and accept the lot you received? If your company is only receiving a CoC from a supplier, you should be sampling the product at incoming inspection and verifying that the product is conforming with your requirements. Even if the supplier is providing a CoA, you should still perform periodic sampling and inspection of the product to make sure the CoA provided matches the actual product you are receiving.

Considering Improving your supplier questionnaires

If your company is requesting that suppliers complete supplier questionnaires, make sure that you are asking the most relevant questions. You need to know if your supplier can support remote audits. You need to know if there have been any significant changes to the quality system. You need to know if the company has had any significant non-conformities resulting from certification body audits. You need to know if there have been FDA inspections and what the results of the inspection were. You should also be obtaining monitoring and measurement data related to process conformity and product conformity. Asking your supplier to identify any shutdown periods or planned renovations is a required input for critical and crucial suppliers for CE Marked medical devices subject to unannounced audits. It would help if you also were asking your supplier to update the names, titles, and contact information for key management personnel. Would you like a copy of our supplier questionnaire?

What should you be doing to address the Covid-19 pandemic?

As a consequence of the Covid-19 pandemic, many suppliers have had significant disruptions to their supply chains, workforce availability, and transportation vendors. Since many medical device products are urgently needed during this pandemic, it is important to ask suppliers to provide a summary of their current situation and any analysis they have done to assess potential risks that could disrupt your supply chain. Does your supplier have adequate personal protective equipment (PPE)? What type of precautions is being taken to ensure that employees don’t exhibit symptoms of Covid-19 illness? Does your supplier have a policy for self-quarantining if an employee is exposed to someone that has the virus? Does your supplier have a disaster recovery plan?

Consider using size for supplier evaluation

Bigger is not always better. If you are a small customer of a large supplier, your needs will seldom be important to your supplier. Alternatively, if your company is much larger than your supplier, your supplier may not have the resources to grow with you and keep up with your current demand. When you are initially qualifying suppliers, try to select suppliers that are approximately the same size as your company or slightly larger. You should also consider identifying more suitably sized suppliers if you have a significant size mismatch or one develops over time.

What if you don’t have the resources to evaluate your suppliers?

Supplier evaluation and re-evaluation is a strategic function that impacts your profits, your ability to deliver product on-time to your customers, and nonconforming product can tarnish your company’s reputation. Therefore, your company needs to invest resources to analyze your supply chain. It would help if you had suppliers that have excellent quality and suppliers that will encourage your company to improve. Are there best practices you can learn from your suppliers? Is your supplier able to help you manage your inventory? Can your suppliers help you solve production problems? Supplier evaluation should only be secondary in importance to your design process and post-market surveillance. As they say, “garbage in equals garbage out.”

Do you need additional training on supplier evaluation?

On June 25, 2020, at 11 am EDT, and we are hosting a live webinar on how to qualify your suppliers. In this webinar, you will learn how to qualify new suppliers even if they don’t have ISO certification and best practices in supplier evaluation. We will be sharing a new supplier questionnaire that includes questions to help you assess whether a supplier is capable of supporting remote audits. We will help you develop a strategy for the allocation of supply chain personnel, and show you how to convince top management to prioritize supplier audits.

How to avoid the most common supplier evaluation mistakes Read More »

May 26 2020

Remote audit resources – software and hardware tools

2 Comments / Remote Auditing / By Robert Packard

If you are planning a remote audit, you will need more remote audit resources than a webcam and web conferencing software. Matthew Walker is a significant contributor as co-author of this article.

Clause 5 of ISO 19011:2018 is titled “Managing an audit program,” and subclause 5.4.4 is specific to determining audit program resources. For conducting audits remotely, you will need remote audit resources. Almost every laptop has a built-in webcam and microphone, and that is the minimum functionality you will need to conduct a remote audit. However, adding other software and hardware technology can improve the efficiency and effectiveness of your audit team.

What remote audit resources do you need?

Remote audits are not the same as a desktop audit, because a remote audit requires remote access to more than emails containing procedures and records. Auditors need access to people and access to physical areas of your facility. This creates one of the most significant challenges for this type of audit method. Call me a Negative Nancy, but I suspect that most audit plans do not specifically include logistical preparations to support this audit method. On the surface, it seems like a simple concept. Internet access and a scanner should cover most of the needs for the auditee to survive this digital encounter. In practice, conducting a remote audit that genuinely adds value and does more than checkboxes, requires serious planning.

Let’s start with the obvious; a remote audit needs a way for the auditor and the auditee to communicate with each other. Ideally, you need more than your phone. We recommend Zoom for video conferencing, but we list several other video conferencing software applications below. Here are the features of Zoom that we typically use during a remote audit:

Video Chat – Using Zoom, two or more parties can communicate using video input from webcams. This is nice because it allows for a more visual conversation, and you can see more of the facial expressions and body language of the person you are speaking with than you can with a traditional phone call. It also allows for sign language to be used if necessary.
Screen Sharing – Screen sharing is an essential tool you will use during a remote audit because it allows you to share documents and records on your screen even if you are not the host. The more records you have electronically, the more valuable screen sharing will be during the audit. An auditor can say, “Can you show me that quality system certificate again?” or “Can you show me where Isomedix is on your approved supplier’s list?” Being able to facilitate those verification activities saves the auditee the hassle of emailing documents or uploading content to a shared folder. This ability to share your screen is also essential for an auditee to demonstrate training effectiveness and competency.
Recording – Meetings can be recorded in their entirety or sections. This allows the auditee to record the opening or closing meetings of the audit to share with others that were unable to attend. If there are questions regarding non-conformities or opportunities for improvement, a recording of the conversation ensures that the auditor has an accurate record of complex objective evidence that would slow down the audit and gives managers a perfect record to demonstrate the issue when corrective actions are initiated.
Chat Record – Zoom, and most other video conferencing software, provides a chat box that can be used to take notes. If someone runs to the bathroom, and you don’t want to forget your question, you can enter it in the chatbox. Chat boxes are especially helpful when there is a language barrier, or someone’s accent is hard to understand. Text typed in the chatbox also serves as a place to record information that may be difficult to remember if you cannot access your audit report. If a production area has too much background noise, the chat feature might be the best way to communicate important details, such as: “That information is found in section 7.5.6 of the Quality Manual; POL-001 rev A.” The chatbox can also be used to communicate a list of documents, or records in a specific date range, that you want an auditee to make available for you to review off-line. Other participants observing the audit may also be responsible for collecting those documents in real-time to ensure the audit can continue without any delay. Finally, content in the chatbox can be recorded as a text file automatically.
Tour Guide – Video chat allows auditees to bring auditors into physical places of their facility as if the auditor were there in person. Production employees can be interviewed, in person and in real-time, while the employee demonstrates processes. You can show how nonconforming materials are labeled and segregated to keep them from accidentally being used for production. When requesting this audit method in an audit agenda, the lead auditor should recommend a dedicated “camera person” with a mobile phone and selfie stick, because it is challenging to answer auditor questions and operate a video camera simultaneously. Remember, remote audit resources consist of hardware, software, and people.

My favorite remote auditing tools (hardware)

My favorite hardware resource is the Pixelbook that I am using to write this article. We write audit reports with Google Docs instead of Microsoft Word because multiple team members can simultaneously edit the same document without creating conflicting versions. We operate Zoom video web conferencing software to speak with auditees and clients, but we use the Pixelbook to type our notes and audit reports. The Pixelbook is lightning fast, and it is a little smaller, so there is just enough room on your desk next to a laptop. The most significant advantage of using Google Docs is realized when you are the lead auditor of an audit team. As a lead auditor, you can type notes in the section of the audit report that other team members are working on, to make sure that they include audit trails from other members of the audit team. This is also an extremely useful technique when you are training a new auditor, and you want to guide them without disrupting the flow of an interview with a subject matter expert.

My second favorite hardware resource is an HD webcam mounted on a flexible arm with a clamp (see picture above). The video quality is 1080p instead of the 720p that is typical of a laptop camera. The flexible arm is equally essential because you can look directly at the camera while I’m simultaneously looking at the monitor. The only thing I dislike about the webcam I am using is the audio quality. Therefore, I use a gaming headset with a microphone to record the audio, so I can hear the people I am interviewing better. Another alternative is high-quality microphone and headphones, as typically seen in use by podcasters. Even though the sound quality is ideal with a separate microphone and headphones, the cost is higher than most gaming headsets, and you will be tethered to microphone–either physically or at least virtually by the need to maintain a consistent distance between your mouth and the microphone. The more hours you spend at the computer, the more you will appreciate the ability to stand up, adjust the camera, and move your legs a little.

Finally, the last piece of essential remote auditing hardware is your mobile phone. Even with a desktop running Zoom, and a Pixelbook running Google Docs, I still need to ask audit team members questions and conduct quick internet searches. Therefore, your mobile phone is essential to keep with you, in silent mode, during your audit. If you don’t have your phone, then you need to stop sharing your screen and send a message during your audit. Your phone is much less disruptive. I use the phone to keep track of time, to set reminder alarms, and to send Slack messages with other people. You can also join a separate Zoom session on your phone, where an audit team member may need you (the lead auditor) to provide input on objective evidence or evaluation of conformity regarding specific quality system requirements. You might also want to take a quick picture of something you observe on video during the audit. If you record the Zoom session, you can always extract a still image, but taking a picture with your mobile phone is more convenient and takes less time. You can then share the image with a Google Drive folder for your remote audit and copy the image into your audit report. As they say, a picture is worth 1,000 words.

One last note on hardware: a 48” flat screen is great for virtual bike rides on your trainer (as seen in the picture above), but it’s just a little too big for a desktop monitor. It’s excellent for side-by-side viewing, but dual monitors are a better approach.

Remote Auditing Resources for Web Conferencing

Currently, we are using Zoom as our video web conferencing software. Still, we used to use GoToMeeting, and there is very little difference in the functionality of the two software platforms. One of the consequences of the COVID19 pandemic is that everyone is more familiar with web conferencing software. Here are a few other options you could consider, including Slack, which we use as a messaging tool, and we have integrated with Zoom within our team’s channel.

Remote Audit Resources for Scheduling Your Audit

Currently, we are using Calendly as the automated appointment scheduling software application for our consulting business. However, the functionality of software applications has changed dramatically in the past few years with better integration tools, such as Zappier. Therefore, don’t be surprised if we change to one of the applications listed below. These applications allow you to manage people, equipment, and conference rooms, but you can also integrate these applications with accounting business processes.

Remote Auditing Accessories

We hosted three international training workshops, and we record training videos for medical device companies every week. Therefore, we gradually accumulated all of the accessories listed below. Technology gadgets for recording videos are continually changing, and our best advice is to save your money. Instead, rely upon a mobile phone and an extra person with “the original selfie sticks” (i.e., arms). Once you complete your first remote audit, then you can think about which of the latest gadgets might make your life easier.

Selfie Sticks
Tripod
External microphones
Portable Batteries
Additional lighting

If you have any suggestions for additional hardware and software for remote auditing, please add a comment to this article so we can keep this up to date with the latest technology.

Future Articles & Webinars

Thank you for reading. This article is our third in a ten-part blog series specific to remote auditing techniques:

Remote audit opening meeting – 4 changes – May 12
Audit team communications – May 19
Remote audit resources – software and hardware tools – May 26
How to apply a risk-based auditing approach to audits and remote audits – June 2
How to make a supplier questionnaire for remote auditing – June 25
Remote audit duration less than 90 minutes – June 30
Remote auditing work instruction – July 14
Planning partial remote audits – July 21
Remote audit invitations – 4 things to remember – August 4
Training new audit team members and lead auditors – August 11

Five (5) new webinars planned on related topics:

Opening Meetings Webinar (free) – May 14, 2020
Audit team communication during a remote audit (free) – June 4, 2020
How to qualify your suppliers webinar (pre-order by June 1) – June 25, 2020
Remote auditing techniques webinar (pre-order by July 1) – July 16, 2020
MDSAP Certification Body Interviews (free) – August 6, 2020

Remote audit resources – software and hardware tools Read More »