title

Nov 12 2024

Inspection Results: Understanding FDA Requirements

2 Comments / ISO 13485 / By Robert Packard / 21 CFR 820.80

Learn three valuable tips for efficiently recording your inspection results in medical device manufacturing while remaining FDA-compliant.

What are the best ways to record inspection results?

If you are inspecting a lot of material at an incoming inspection, and the inspection plan calls for inspecting ten samples for length, what is the best way to record the inspection results?

The person who sent me this question also provided three options (read on for better suggestions):

Record the maximum and minimum dimensions
Record all ten measurements in a data collection table
Circle “pass” or “fail” next to each sample number

FDA requirements for incoming inspection results

The first method fails to meet the requirement as specified in 21 CFR 820.80(b) because recording only the maximum and minimum dimensions of the ten samples does not include the inspection results for the eight samples in between the extremes. The second method meets the requirements, but this method takes the most amount of time. The third method appears to meet the requirements. However, if you read the FDA requirements more carefully, 21 CFR 802.80(e)(3) states that “[Inspection] records shall include…the results.” If the test method is pass/fail, circling pass or fail makes sense, but if the test measures a dimension, the result should be a measurement. Also, if you have to investigate a complaint or non-conforming product, this dimensional information might be critical to the analysis.

The FDA has provided an official interpretation of these requirements in the QSR preamble:

“Comment # 147: One comment stated that record keeping this dimensional information might be critical to the analysis if you have to investigate a complaint or non-conforming product is a significant cost factor in the operation of a total quality system and that the revised CGMP regulation should not add cost through duplication of documentation. The comment said recording all quantitative data is inappropriate and of little value.

FDA agrees that unnecessary duplication of documentation should be avoided. They also believe that the Quality System Regulation requires the minimum documentation necessary to ensure that safe and effective devices are designed and produced. FDA similarly believes that maintaining records of results of acceptance activities is imperative to ensure that non-conforming product is not inadvertently used or distributed. FDA has, however, deleted from Sec. 820.80(a) the requirement for recording the results of inspections and testing, because Sec. 820.80(e) requires that the results of acceptance activities be recorded. The requirement in Sec. 820.80(a) was, therefore, unnecessary. Further, the regulation does not specify quantitative data, but simply requires that the results be recorded.

The FDA believes that it is essential for the manufacturer to maintain records which provide evidence that required acceptance activities were completed. These records must clearly show whether the product has passed or failed the acceptance activities according to the defined acceptance criteria. If a product fails to pass acceptance activities, you must identify the product as a non-conforming product and conduct an investigation. If the acceptance records are not clear about how the product failed, then the manufacturer may end up duplicating the acceptance to perform appropriate investigations.”

Here are three other methods that can save you time and add value.

Method 1: Run Charts

If you create an inspection results form that is in the form of a “Run Chart,” then you can put an “X” on the appropriate location of the Run Chart for each sample (see Chart 1 below). It is less time-consuming to write an “X” than the actual value. However, if you need to conduct an investigation, you can convert the “X” into a quantitative number and enter the values into a spreadsheet or statistical analysis software (e.g., Minitab). Also, inspectors and supervisors can visually glance at a Run Chart and determine if the measurement is “in control” or “out of control.” This is done by marking the upper and lower specifications on the Run Chart. Over time, alert limits can be established as a preventive action, as well. You can also use this data as a rationale for eliminating certain inspections, reducing sampling, qualifying suppliers, and even converting a part from statistical sampling to a “dock-to-stock” inspection.

One disadvantage of Method 1 is that it takes time to create inspection forms, and the forms need to be maintained as a controlled document, with the drawings for each part–as paper records or electronically. Therefore, I recommend that companies create a quality plan that calls for creating one of these charts every time an NCR is initiated for a part. That way, you only are creating this type of chart for parts that are found to be out of specification. This approach allows you to implement the work over a reasonable period of time. You can also habitually review historical data when you have an NCR that does not already have a Run Chart created.

Method 2: Automating Inspection Results

If you have critical inspection activities and a high volume of parts to inspect, you can automate recording measurements and performing data analysis. This can be done by purchasing digital inspection devices that automatically send the values to a computer system. Devices with this capability only require pressing a button to record the value, and the computer system will often provide the inspector with the sampling plan for each lot automatically. These sophisticated software systems require validation, giving manufacturers extensive real-time data on supplier performance, in-process inspection, and final product acceptance. The primary disadvantage of this method is the cost of installation and set-up.

Method 3: Pass/Fail with Go/No-Go Gauges

If a supplier can make good parts with high certainty, you may not need routine monitoring of part dimensions. In this case, you can reduce your inspection time by using a “go/no-go” gauge for critical attributes instead of measuring the dimensions. This type of gauge would be ideal if the tolerance for a part with a tolerance of +/- 3 mm. The length of a part can be verified to be between two lines, representing the upper and lower specifications for the tolerance. This method can also be used for precise tolerance if magnification is used. Still, performing a gauge R&R study of any go. If this type of inspection is used, you can use an inspection record that only records pass/fail. However, this inspection method is not recommended for parts that are occasionally out of conformity because re-measurement of parts will be necessary to investigate non-conforming products.

Statistical Techniques

The most significant advantage of methods one and two is that they facilitate statistical data analysis. Chart one shows too much variation for the tolerance of 6.50 mm to 6.60 mm. Some companies qualify suppliers for a new part by establishing a threshold for a minimum Cpk value (i.e., process capability coefficient). A typical Cpk minimum is 1.33. Often, the company will require that suppliers provide data for 100% inspection of the initial production lot. This data is then used to create a sampling plan based on the likelihood of parts being out-of-specification. High-risk dimensions might require 99.5% confidence, medium-risk dimensions might require 99% confidence, and lower-risk dimensions might require 95% confidence. Each confidence level corresponds to a different Cpk value. It is not possible to do this type of analysis for Method 3.

Inspection Results: Understanding FDA Requirements Read More »

Oct 6 2024

EO Sterilization – When is requalification required?

This article discusses the need to requalify EO sterilization validation and explains what is included in our EO sterilization procedure.

Your cart is empty

Do you need an EO sterilization procedure?

ISO 11135-1 is the international standard for sterilization validation for Ethylene Oxide (EO or EtO) sterilizers. The standard describes multiple methods of sterilization validation: 1) overkill approach, 2) single lot release, and 3) parametric release. The overkill approach is the most common method for validation of your EO sterilization process. The overkill approach is the method recommended by Medical Device Academy’s EO sterilization procedure. If you use a contract sterilizer, the sterilizer will already have completed an Installation Qualification (IQ) and an Operational Qualification (OQ). You must complete a Performance Qualification (PQ) for your product. A typical PQ for initial process validation consists of the following:

Process Challenge Device (PCD) validation
Bioburden measurement
EO residual measurement (as per ISO 10993-7)
Fractional Cycle (at least one)
3 Half Cycles
3 Full Cycles (or 1 Full Cycle, if performed in parallel with the three half-cycles)

Purchase the EO Sterilization Validation Procedure (SYS-031) – $299

EO Sterilization Cycle 1 150x150 EO Sterilization When is requalification required?

SYS-031 EO Sterilization Validation Procedure

This procedure was updated in 2024 to include recent versions of various standards and to incorporate changes to make the procedure consistent with other procedures in Medical Device Academy's turnkey quality system. The updated procedure defines the requirements for ethylene oxide (EO) sterilization validation and revalidation/requalification outsourced to a contract sterilizer.

Price: $299.00

What do MPQ and PPQ mean?

In the ISO 11135 standard, steps #4 and #5 listed above are referred to as the microbial performance qualification (MPQ), while #6 is the physical performance qualification (PPQ). For a successful MPQ, some PCDs must be non-sterile after a fractional cycle to demonstrate the ability to recover the BI challenge organism. After a half-cycle, however, all biological indicators should be sterile.

What are BIs, CIs, and PCDs?

To avoid destructive testing, EO sterilization processes verify sterility by using process challenge devices (PCDs) located outside the device’s primary and secondary packaging. PCDs are more challenging to sterilize than the native bioburden on your device, and the PCDs can be quickly removed from a sterilized pallet without disturbing the wrapping of the pallet. PCDs are also referred to as external biological indicators (BIs). Biological indicators are used internally and externally to your primary sterile barrier packaging during the EO sterilization validation process, but only external BIs are used during routine EO sterilization. You can create your own customized PCD for devices that are especially difficult to EO sterilize (e.g., stopcocks), but you must verify that the PCDs are more challenging to kill than an internal BI in a fractional cycle. Commercially available PCDs often incorporate a chemical indicator (CI) into the label or the cap of the PCD, and some are incorporated into sophisticated tracking software with automatic incubators that read a barcode on the PCD label and detect the results of incubating the BIs in media. These systems are rapid, self-contained BIs that provide validated results in hours, minutes, or seconds.

Outsourcing EO sterilization and requalification

Ethylene oxide sterilization is usually outsourced to a contract sterilizer due to the environmental and safety requirements of working with EO. The contract sterilizer will provide a generic protocol for full validation that is compliant with ISO 11135-1. However, the ISO 11135-1 standard requires that manufacturers perform annual process reviews to evaluate the need to requalify/re-validate the sterilization process. Assuming there have been no problems or changes to the product or EO sterilization process, re-validation is not required at the end of the first year. However, companies are required to re-validate the process after two years–even if there have been no changes.

Longer frequencies for requalification cycles

If there have been no changes to the sterilization process, the product, or the biological indicators, then the manufacturer can use this as a justification for waiting until two years have elapsed before re-validating the ethylene oxide sterilization process. Also, there should be no evidence of sterilization failures or other problems with the validated process. However, that alone is not necessarily enough to justify extending the duration between validations beyond two years. Companies that justify intervals of three or more years have multiple products that use the same EO sterilization process.

In this case, the manufacturer may alternate annually between three, four, or even five different product families that are using the same EO sterilization process. In this case, one of the product families is being re-validated each year or every two years, but the interval between validations for any one product family is longer. This approach is valid if the products are made of similar materials and use the same EO sterilization process. If you only have one product, then you need to re-validate the sterilization process once every two years to verify the process remains active.

Minimum revalidation requirements

When you determine that it is time to re-validate your ethylene oxide sterilization process, you need to perform the following tests to meet the minimum requirements of ISO 11135-1:

Re-validation of PCD
Bioburden measurement
EO residual measurement
1 Half Cycle
1 Full cycle (to verify the EO residuals are acceptable)

The purpose of #1 is to verify that the resistance of internal BIs used in the half-cycle is more resistant than the product bioburden. The purpose of #2 is to verify that bioburden levels have not changed, and the type of organisms has not changed. In practice, most companies monitor bioburden quarterly, and therefore this step should be routine. Step 3, EO residual measurement, should be performed to verify that there have not been minor changes to the product or process that would increase the concentration of EO, Ethylene Chlorohydrin (ECH), or Ethylene Glycol (EG) beyond the Tolerable Contact Limit (TCL). The purpose of this third test is to prevent localized irritation caused by residual chemicals from the ethylene oxide sterilization process.

Step 4 of the re-validation is intended to verify that a full injection of EO is more than required to kill the bioburden present for the number of injections required for a half-cycle.

The final step is to perform a full cycle. The product from the full cycle is typically used for EO residual testing. Any product from the full cycle that is not used for testing can be sold after sterility testing is complete.

Partial loads & rework

If you occasionally sterilize loads that are less than “full loads,” then you need to ensure that you have validated a minimum load or a specific partial load (e.g., half-pallet, instead of a full pallet). In the case of a partial or minimum load, you may identify different locations in your load that is considered “worst-case.” These are the locations that had PCDs that were not sterile in a fractional cycle.

Most companies do not have concerns about the cost of the actual sterilization runs during re-validation, and biological indicators are typically less expensive than boxes of products. The primary cost concern for re-validation is any product that must be scrapped. Therefore, many companies will accumulate dunnage (i.e., empty packaging or scrap product) over time to fill a sterilizer. This dunnage may be used to ensure that every load is full, or it may only be used for re-validation.

Another alternative to using dunnage for re-validation is to validate a rework process. Any product exposed to a fractional or half-cycle can be re-sterilized in a full cycle. To justify the commercial use of that product, a company needs to validate that the product will not be damaged by exposure to two full cycles. One of the key acceptance criteria for rework is the EO residual levels in the product. However, the manufacturer also needs to determine if any product deterioration by a second exposure to EO would affect performance.

Other EO sterilization considerations

Many companies do a poor job of reviewing the potential impact of changes to a product, packaging, and biological indicators. Ideally, initial validation involves different lots of product, packaging, and biological indicators to assess lot-to-lot variability. However, the packaging and biological indicators often consist of only one lot during validation. Minor changes to the tolerances may reduce the amount of ethylene oxide that is absorbed by the product or change the resistance of the biological indicator to the sterilization process. Therefore, these minor changes should trigger a re-validation.

Changes in suppliers with the same specification can also be difficult to evaluate. If a component is made of a material that absorbs EO, then it may be recommended to re-validate sterilization for any changes to suppliers of those components. Re-validation in these cases may consist of only a fractional cycle, half cycle, or full cycle to evaluate risks associated with the change.

Who should evaluate the need for EO sterilization requalification?

Evaluating the need for re-validation should include inputting three types: 1) microbiological, 2) materials, and 3) performance. To make these assessments, typically, a cross-functional team is needed. Someone responsible for design and development can assess the performance impact of changes. A materials engineer is generally needed to assess the interaction between components and EO. Finally, a microbiologist is needed to confirm that there is no impact related to biological indicators or bioburden.

Additional Sterilization Training

Medical Device Academy has two webinar recordings related to sterilization validation:

Bioburden Failure Analysis (March 27, 2015)
Sterilization Validation Webinar (October 10, 2024)

If you need assistance with sterilization validation or bioburden failure analysis, please schedule a call with us by visiting our Contact Us page.

EO Sterilization – When is requalification required? Read More »

Sep 24 2024

Supplier Audit – Where should you spend your time?

3 Comments / ISO 13485 / By Robert Packard / Supplier Quality Management

In this article, you will learn how to spend your time during a supplier audit. We’ll teach you what is important and what you can skip.

Which suppliers need a supplier audit?

Before you start scheduling supplier audits, you should first decide which suppliers you need to audit. You are required to use a risk-based approach for supplier quality management but have specific recommendations. We recommend that you create five risk-based supplier quality categories:

Critical suppliers
Crucial suppliers
Off-the-shelf component suppliers
Service providers
Consultants

Your critical suppliers are contract sterilizers, contract manufacturers, and contract packagers. Your crucial suppliers are suppliers manufacturing custom components or subassemblies. Off-the-shelf components speak for themselves, but examples of service providers include a company doing plating and other secondary processes. The last supplier category, but not the least, is the consultant category, such as the quality system auditors you hired to do an internal audit.

Which supplier categories require a supplier audit?

The FDA regulations don’t specifically require supplier audits. However, if an inspector finds any nonconformities among your purchased components, you will need to demonstrate how you have addressed the quality issues. If the corrective actions taken are not sufficient, you will need to conduct supplier audits as part of your corrective action plan or effectiveness check. Other countries have different expectations with regard to supplier auditing, but the most common supplier categories that you will be conducting a supplier audit of are “critical suppliers” and “crucial suppliers.” These two supplier categories are also the two supplier categories that you will need to make sure are prepared and willing to accommodate unannounced audits by Notified Bodies. Click on the image below if you would like to read the requirements for audits conducted by Notified Bodies.

What is the purpose of a supplier audit?

When you attend a lead auditor course, the focus is on quality system auditing. However, when you perform a supplier audit—the quality system is not the focus. The focus of a supplier audit can fall into two primary categories: 1) qualifying the supplier or 2) re-evaluating the supplier.

Suppliers are not required to have a registered quality system or ISO 13485 certification. Therefore, many of the things that an auditor might learn about audit agendas in a lead auditor course just don’t apply. However, one thing always applies: reviewing previous quality issues. When we audit internal auditing and supplier auditing programs, we find that one of the most common mistakes is the failure to close out previous nonconformities. Therefore, the second section of my audit report template is a review of prior audit findings. If you have no previous findings, ensure your audit report states that. If you are qualifying a new supplier, ensure that the new supplier doesn’t have the same problems you are having with current suppliers.

When you close the previous issues, there are two approaches. The first approach is to close previous issues at the beginning of the audit—immediately after the opening meeting. This is the most common strategy. The second approach is to close previous issues as you audit the applicable area. For example, if you have previous problems in the area of incoming inspection and maintenance records, it might make sense to close these findings when you audit these areas. The advantage of this second approach is that it ensures that the process owner is closing the previous finding and facilitates the sampling of additional records.

What has little value in the supplier audit agenda? Auditing the management review process has the least value because the supplier is not required to have a quality management system. In fact, subcontractor audits for BSI do not include management reviews, CAPAs, or internal audits—the three required areas for every quality system audit.

What are the most valuable areas to audit?

Incoming inspection, control of nonconforming materials, preservation of the product, production controls, training, and process validation are the areas we typically audit. We would like to start with the nonconforming material area and see which materials are on hold. Then, we would like to sample the incoming inspection records for those raw materials. Next, we want to see how the company is storing those raw materials—if they are accepted. We typically cover these three areas as one process approach audit. This also happens to be the process audit we like to use for training new auditors because the audit of incoming inspection results in numerous audit trails in the support process areas of document control, training, calibration, etc.

The next area we visit is the production area. For this portion of the audit, we are doing a process audit of the production process. We usually request that we schedule the audit for a time when the production area is running the product(s) of interest. A process flow chart helps plan this portion of the audit, and we will often write some notes directly on a copy of the process flow chart.

We conclude the audit with follow-up trails in the areas of 1) document control (to ensure the supplier has the most current versions of all documentation “we” provided), 2) calibration (to ensure that all measurement devices used for inspection are calibrated), and 3) training (to ensure that all personnel working on “our” product are appropriately trained).

What are the advantages and disadvantages of skipping areas?

Since we do not have to spend time on quality system issues during a supplier audit, we spend more time sampling records in the other areas. Therefore, we might sample 5-10 records in each of the above areas instead of 3-4 records. If the number of samples available to sample is small, we may even sample 100% of the records. We also have a supplier auditor tool kit to help your supplier auditor team prepare.

Did you consider confidentiality and security issues during your supplier audit?

Historically, it has always been easy to identify a missing or out-of-date confidentiality agreement during audits, but do you include this in your internal and supplier audits? The new cybersecurity requirements that the FDA released in October 2023 certainly changed what companies need to provide in a 510(k) submission, and the latest FDA eSTAR template has a lot of specific documentation that companies need to include their 510(k). If you want to learn more about the 510(k) requirements, please visit our webpage for the cybersecurity work instruction and webinar.

How will this impact your supplier audit program?
Do you include cybersecurity questions in your supplier audits?
Do your supplier quality agreements address cybersecurity?
Do you have cybersecurity testing vendors added to your approved supplier list?
Is cybersecurity embedded in your post-market surveillance activities?
Do you and your supplier have a schedule for cybersecurity retesting?

Supplier Audit – Where should you spend your time? Read More »

Sep 17 2024

Procedure Review and Approval – Management Review SOP

1 Comment / ISO 13485 / By Robert Packard / management review procedure, management review procedure case study, medical device management review, medical device management review case study

This procedure case study describes an error-proof method for procedure review and approval of quality system procedures.

My first training in procedure review

The first time I was formally trained on how to conduct a procedure review was during a lead auditor course. I thought the topic of procedure review seemed out of place, but as I audited more companies, I realized that missing regulatory requirements in a procedure are quite common. Regardless of who reviews a procedure, or how many times it is reviewed, something is always missed. Unfortunately, a desktop audit of procedures is not an effective corrective action or verification method. Auditing procedures is an ineffective method for reviewing procedures because audits are limited by sampling.

A better approach to procedure review than auditing

Instead of random sampling, a systematic review of 100% of regulatory requirements is needed to ensure that none of the regulatory requirements are accidentally omitted. Systematically reviewing regulatory requirements for each country your company is selling in is tedious at best. You need a tool to make the reviewing process error-proof and straightforward. You also need each procedure reviewer to have a defined function to eliminate the duplication of work.

Procedure reviewer and approver roles

There are 3-5 reviewers of procedures in most companies. Some companies make the mistake of having as many as 8-10 reviewers of procedures, but more is not better. There are four primary roles for procedure review, but you could have as few as two people approving most procedures:

process owner (must review and approve)
quality management (must review and approve)
regulatory (must review, but optional approver)
independent (optional review, but not an approver)

You are not required to have all four of these reviewer roles, but including these four roles in your document control process is a best practice. Differentiating between reviewers and approvers should also be considered in your document control procedure. The only documents we recommend top management be a reviewer and approver of are:

Quality Policy
Risk Management Policy
Quality Manual
Management Review Procedure

The reason for top management reviewing these four documents is because top management has a regulatory responsibility related to each of these documents.

Process owner role

The process owner is the owner of the procedure for that process. Therefore, the process owner needs to approve that procedure. It would make no sense to own a process without the ability to approve changes. The process owner may also be the procedure author, but we don’t recommend it. Editing someone else’s work is more effective than editing your own work. Instead, we recommend that the process owner delegate the responsibility for writing and updating procedures to a subordinate who performs the procedure. Then, the process owner is responsible for reviewing and approving the procedure.

Quality management role

The quality management person needs responsibility for reviewing and approving all procedures because this person is responsible for the entire quality system. They need to make sure the procedure is accurate in the context of the entire quality system. The quality management person is the best person to review interactions with other processes. For example, the management review process has twelve required inputs (i.e., ISO 13485, Clause 5.6.2A-L). Each of those inputs comes from another process and procedure. It is essential to ensure that if you are reviewing the complaint handling procedure, somewhere in that procedure, it should state that the monitoring and measuring of complaint trends should be input into the management review process.

Regulatory role

Usually, the regulatory person is responsible for verifying that a procedure meets 100% of the regulatory requirements. This person should verify that the scope of the procedure identifies the relevant markets. If there are references to documents of external origin, the regulatory person should verify that these references are accurate. The best way to do this is by performing a gap analysis. Sometimes the quality management role and the regulatory role are combined in a small company, but larger companies will keep these roles separate. Just because the regulatory person performs a gap analysis as a reviewer, that doesn’t automatically translate to the need for approval of the procedure. We recommend making the decision on whether a regulatory person should approve a procedure based on whether the procedure has specific regulatory requirements (e.g., annual registration or regulatory reporting).

Independent reviewer role

Finally, the independent reviewer is looking for two things:

Does the procedure make sense–to someone who performs the procedure (if that person was not the author); and to an external auditor, such as a certification body (internal auditors can fill this role)?
Are there typos, spelling, or grammar mistakes?

The independent reviewer does not need to be a manager. It needs to be someone who writes well. Editing is tedious, but apparent mistakes in spelling or grammar prompt auditors to review procedures more carefully. If available, we recommend asking an internal auditor to be the independent reviewer. Depending upon the experience of the independent reviewer with regard to performing a gap analysis, the person with regulatory responsibility may delegate the task of gap analysis to independent reviewers. This role can also be satisfied by a consultant with technical writing ability. Medical Device Academy’s resident expert at this is Matthew Walker.

Procedure case study – The most common auditor findings

The two most common reasons for audit findings are:

the procedure is not being followed, and
a regulatory requirement is missing from your procedure.

Not following the procedure

The first problem is the most common reason for audit nonconformity, as companies include requirements in the procedure that are not regulatory requirements. Auditors look for objective requirements to audit. Therefore, if you include objective requirements in your procedure an auditor is more likely to select those requirements to sample than subjective requirements–even if the requirement is not a regulatory requirement. This is one of the reasons we recommend having processing owners review and edit procedures. If you purchase a procedure, it’s important for the person who will be performing the procedure to carefully review the procedure to ensure it matches how they intend to perform that process. If it’s a manufacturing procedure, we recommend training personnel with a draft procedure and handing out red pens. That also dramatically reduces complaints from the people who do the work.

Regulatory requirements missing

For regulatory requirements, your regulatory reviewer needs to create a checklist that includes 100% of the requirements for that procedure. This approach is called a gap analysis. The model for gap analysis documentation we like to follow is the General Safety and Performance Requirement (GSPR) Checklist used for technical documentation (i.e., for CE Marking). There are 23 GSPRs in the MDR and 20 GSPRs in the IVDR. Most of the GSPR requirements have multiple subparts. The regulatory person who completes the GSPR Checklist must indicate the following information next to the applicable requirement in the checklist table:

yes, the requirement applicable or justification if it’s not applicable
a reference to any applicable standards
a cross-reference to the record where evidence of meeting the requirement can be found (e.g., the risk management file)

Regulatory personnel can revise this approach slightly by doing the following for the review of procedures:

yes, the requirement applicable or justification if it’s not applicable
a reference to the applicable specific sub-clause in a Standard or a regulation
a cross-reference to the subsection of the procedure where evidence of meeting the requirement can be found (e.g., section 5.1 of the SYS-003)

Procedure Case Study of the Management Review Procedure (SYS-003)

In Medical Device Academy’s Management Review Procedure, Section 8 is the “procedure section.” Sub-section 8.3 of the procedure lists all the required inputs for a Management Review meeting. Next to each input, we included a cross-reference to the sub-clause in ISO 13485:2016 for the Management Review input.

There is also a requirement in ISO 13485:2016 for conducting Management Reviews at scheduled intervals. This requirement is met by sub-section 8.1 of the Management Review procedure. We used the same approach to identify and cross-reference to this requirement.

Teaching auditors by performing your own procedure case study

Now, when we teach our Lead Auditor Course, we ask attendees to split into small groups to review a procedure–one procedure for each group. In one of the companies where we did this, each of the four teams found a regulatory requirement that was missing from the procedures they were reviewing. All four procedures the teams selected were already reviewed, approved, and currently in use at the time of the auditor training. The four teams created their own procedure case study to demonstrate the importance of reviewing procedures for regulatory requirements.

Management Review Procedure & Webinar – Free Download

Procedure Review and Approval – Management Review SOP Read More »

Jul 11 2023

How do you demonstrate training competence?

7 Comments / ISO 13485 / By Robert Packard / ISO 14971, Training

Anyone can sign and date training records, but how do you demonstrate the effectiveness of training and competence?

What are the requirements for training?

The requirements for training are found in ISO 13485:2016, Clause 6.2 (i.e., Human Resources). Auditors and inspectors usually only ask for training records, but the requirement for records is the last item in the clause (i.e., “6.2(e) – maintain appropriate records of education, training, skills, and experience (see 4.2.5).”). The first four items in Clause 6.2 all include one word, but it’s not “records.” The most critical word in the requirements is “competence.”

What is the difference between training requirements, training records, training effectiveness, and training competence?

Training requirements define the “appropriate education, training, skills, and experience.” Specifically, what degree(s) is required, if any? What training curriculum needs to be completed? What skills are needed to perform the work? And how many years of experience are needed?
Training records are documented evidence that all training requirements have been met. Records may include a job application, resume, individual training records, group training records, or a training certificate. Records may also include the results of any quizzes to demonstrate training effectiveness and any evaluation of training competence.
Training effectiveness is how well a person understands the information communicated during training. Using terms from human factors engineering (i.e., the PCA Process), the person must have the correct perception and cognition. Cognition can be evaluated by giving people quizzes or asking them questions. Written and verbal exams may also include pictures and/or video. Performing these types of tasks on a quiz or exam are “knowledge tasks.”
Training competence is possessing the skill or ability to perform tasks. To demonstrate competence, someone that is already competent (i.e., a subject matter expert) must observe the trainee performing tasks. A person that once possessed the skill or ability can also judge competency, and a person that does not possess the skill or ability can be trained to evaluate skill and ability (e.g., an Olympic Judge or referee). Skills and abilities can be physical or cognitive, but there are also social skills. Examples of each are provided in the table below:

What keeps me awake at night? (a story from April 2, 2011)

I am in Canada, it’s almost midnight, and I can’t sleep. I’m here to teach a Canadian client about ISO 14971—the ISO Standard for Risk Management of medical devices. Most companies requesting this training are doing so for one of two reasons: 1) some design engineers have no risk management training, or 2) the engineers have previous training on risk management, but the training is out-of-date. This Canadian company falls into the second category, and engineers with previous training ask the most challenging questions. This group of engineers forced me to re-read the Standard several times and reflect on the nuances of almost every single phrase. While teaching this risk management course, I learned more about risk management than I ever knew.

The four levels of the Learning Pyramid

The image at the beginning of this blog is a learning model that explains my experiences training Canadian design engineers. I call this model the “Learning Pyramid.” At the base of the pyramid, there are “Newbies.”

This is the first of four levels. At the base, students read policies and procedures, hoping to understand.

The student is now asked to watch someone else demonstrate proper procedures in the second level of the pyramid. One of my former colleagues has a saying that explains the purpose of this process well, “A picture tells a thousand words, but a demonstration is like a thousand pictures.” Our children call this “sharing time,” but everyone over 50 remembers this as “show and tell.”

The student is now asked to perform their tasks in the third level of the pyramid. This is described as “doing,” but in my auditing courses, I refer to this process as “shadowing.” Trainees will first read the procedures for Internal Auditing (level 1). Next, trainees will shadow the trainer during an audit to demonstrate the proper technique (level 2). During subsequent audits, the trainees will audit, and the trainer will shadow the trainee (level 3). During this “doing” phase, the trainer must watch, listen, and wait for what I call the “teachable moment.” This is a moment when the trainee makes a mistake, and you can use this mistake as an opportunity to demonstrate a complex subject.

Finally, in the fourth level of the Learning Pyramid, we now allow the trainee to become a trainer. This is where I am at. I am an instructor, but I am still learning. I am learning what I don’t know.

Teaching forces you back to the bottom of the Learning Pyramid

After teaching, the next step in the learning process is to return to the first level. I re-read the Standards and procedures until I understood the nuances I was unaware of. Then, I search for examples in the real world that demonstrate the complex concepts I am learning. After searching for examples, I tested my knowledge by applying the newly acquired knowledge to an FDA 510(k) or De Novo submission for a medical device client. Finally, I prepared to teach again. This reiterative process reminds me of the game Chutes and Ladders, but one key difference is that we never really reach the level of “Guru.” We continue to improve but never reach our goal of perfection.

Where is training competence in the Learning Pyramid?

Most people feel that a person is competent in a position when they can consistently perform a task. However, the ISO 13485 standard uses the phrase “necessary competence” to suggest that competency for any given task might not be the same for all people. For example, in some cases, it may be sufficient to perform a task with written instructions in front of you, while an instructor might be expected to perform the task without written instructions. The speed at which a person performs a task might also differ. For example, a secretary might be required to touch type at a speed of 60+ wpm with a QWERTY keyboard, while a stenographer must be able to use a STENO keyboard and write at 225 wpm. The accuracy requirements may differ for those two positions as well. Therefore, your company may decide that the training competence requirement for a design engineer is that they can pass an exam on risk management. However, the training competency requirement for the design project lead or Engineering Manager might include teaching inexperienced design engineers to apply the basic risk management principles. Demonstrating the ability to teach inexperienced design engineers might be demonstrated by an auditor interviewing members of your design team.

How do you demonstrate training competence? Read More »

Mar 28 2023

Nine easy ways to organize and improve quality system procedures

2 Comments / ISO 13485 / By Robert Packard / PDCA, Standard, Writing Procedures

Would you like to learn nine ways to improve your quality system procedures? One method is precisely the opposite of our advice from 2011.

During a CAPA course I taught on Friday, January 28, 2011, one of the attendees asked if we teach a course on “How to write better quality system procedures.” Unfortunately, we could only offer material from a course about “Training the trainer.” That “Training the trainer” course focused on visual communication. Several books related to Lean Manufacturing explain how to use visual communication to replace text (i.e., “a picture says a thousand words”). During my ride home, however, I thought of a few other ideas that might help anyone writing or re-writing a procedure. The article was updated and posted as a new blog on Tuesday, March 28, 2023.

1. Use a standardized template for your procedures

In 2013 we published a blog about using a procedure template where we described our 12-part procedure template (i.e., TMP-001). You don’t have to mimic our template, but using a template will accelerate the speed of your writing when you create procedures, and it makes sure you don’t forget any of the essential elements. In addition, using templates ensures a consistent format that makes it easier for everyone to find the information they are looking for. Just make sure that your document control procedure allows flexibility to deviate from the template. The ISO 13485:2016 standard does require a “mandatory” format. Referring to your template as “suggested formatting” will avoid unnecessary nonconformities.

2. Create a process “turtle diagram” for each quality procedure

All of the procedures that Medical Device Academy created have a flow chart at the beginning of the procedure showing the procedures and forms associated with processes that are inputs to that procedure and outputs from that procedure. To systematically improve our procedures, we will be systematically replacing those flow charts with turtle diagrams for each process. This will give more detail than our current flow charts, and internal and external auditors can use the turtle diagrams to understand process interactions.

3. Avoid making unnecessary references to regulations and standards

If you are writing a procedure on risk management—it makes sense to reference ISO 14971. It does not make sense to reference all the other risk analysis standards unless you specifically use them to perform risk analysis. ISO 14971:2019, Clause 4.1, also states that you “shall establish, implement, document, and maintain an ongoing process for” risk management activities. However, the ISO 14971 standard is not directly linked to other procedures. Therefore, ISO 14971 should only be referenced in another if you are using it in that procedure or referencing it directly. For example, the Quality Manual (i.e., POL-001) explicitly references ISO 14971. In contrast, the design control procedure (i.e., SYS-008) references the risk management procedure (SYS-010) but doesn’t reference ISO 14971.
Concerning regulations, you should only reference regulations if the procedure meets a specific requirement. Color coding with symbols should demonstrate traceability to requirements (see method #5 below for further explanation). Rather than adding a reference to regulations in a procedure where there is no requirement, a better approach is to indicate in the Quality Manual that only procedures that have specific requirements will reference the regulations, such as 21 CFR 820 or Part 1 of the Canadian MDR.

4. Track standards, regulations, and the version used in your procedures

In the original 2011 version of this article, we advised quality managers to “avoid including the revision of a standard” because “this is just another opportunity for unnecessary nonconformities.” However, we find that our team has trouble identifying every procedure that a change in regulation or a standard might impact. A systematic process is needed to identify every procedure referencing a regulation or standard. Therefore, we will reference all impacted procedures next to the regulation or standard in our Master Document List (i.e., LST-001). References to the regulations will be added to the main tab for policies, procedures, and work instructions (i.e., [POL, SYS, and WI]). References to the standards will be added to the tab for documents of external origin (i.e., [Doc Ext Origin]).

Many people feel that you should not reference the version of a standard in a procedure because adding the version of the standard increases the number of documents that need to be updated when a standard changes. However, if you are only referencing standards in procedures when it is necessary, then that procedure should be reviewed and updated for the need to be changed. Updating the version of the Standard referenced is the best way to document that a gap analysis against the new version has been completed and the necessary updates were made to the procedure.

5. Use color coding and symbols in your quality system procedures

Matthew Walker, Medical Device Academy’s manager of the human factors team, has systematically updated many of our procedures to the EU Medical Device Regulations 2017/745 and the In Vitro Diagnostic Regulations 2017/746. When he updates our procedures, he references the regulations and applicable ISO 13485:2016 clauses. During certification audits, certification body auditors sometimes have difficulty finding where specific requirements are located in the procedures. Therefore, Matthew added color-coded clause references for our clients and auditors as a corrective action. To make the procedures inclusive for people that are color-blind, Matthew added symbols to supplement the color coding. The extra addition of symbols has proven invaluable because now anyone can search the documents electronically for a symbol to find where all the references are located.

6. Indicate the process owner and training requirements associated with each procedure

Identifying the process owner and training requirements in every procedure makes it easier to define who is responsible for reviewing and revising procedures. For the training requirements, the process owner should specify who needs to be trained on the process. Why? They know the procedure best. If there is a “grey area,” this should be resolved with the department manager for the job function. In addition, retraining requirements should be specified. The training section should also clarify if retraining is required when revising a procedure. If the revision is minor, training should only be necessary for people not trained on a previous revision.

7. Adopt the Plan-Do-Check-Act (PDCA) model for the structure of quality system procedures

For the “Plan” portion, the procedure should explain how to prepare to do something. This planning activity can apply to anything from planning to perform an audit to planning to inspect incoming raw materials. The “Do” portion is what most people refer to as the “Procedure” section. The “Check” portion of the procedure is a great place to specify the monitoring and measurement requirements for the process (see Section 8.1 of the Standard). Finally, the “Act” portion of the procedure should indicate what to do when target metrics are unmet. For example, what should be done when an alert limit is reached? What should be done when an action limit is reached?

8. Include the revision history of quality system procedures

It’s helpful to know which Document Change Notice (DCN) approved the document revision, why the changes were made, the nature of the changes, whether there is a related corrective action, and when the change was made. This will also tell auditors whether there is anything new to audit since the previous internal or external audit. This section is usually near the beginning of our procedures, but it doesn’t matter if the revision history is at the end or the beginning. However, it does help to be consistent.

9. Identify the form number, location, and retention period for each record

We have a section about quality system records near the end of every procedure. This section lists each quality system record that is associated with the procedure. The relevant form is referenced, but we recommend storing these records in electronic or paper folders labeled with the form number. If the files are digital, a hyperlink should be included. If the files are paper, then you should list the physical location of storage. The retention period can be listed in each procedure. Still, it will be essential to ensure that this information matches the regulatory requirements and record retention requirements in your “Control of Records” procedure (i.e., SYS-002).

Nine easy ways to organize and improve quality system procedures Read More »

Feb 28 2023

5 ways to ensure you are a valuable management representative

1 Comment / ISO 13485 / By Robert Packard / ISO, Management Representative, Management Responsibilities, Quality Management Systems

This article gives you five ways a management representative can demonstrate value to medical device top management teams.

Align quality objectives with the company first and the FDA second

A fast way to alienate yourself as a management representative is to begin every conversation with a quote from the FDA regulations. Instead, ensure that quality objectives align with the company’s overall goals. For example:

Is your company trying to launch a new product?
Is your company trying to reduce scrap?
Is your company trying to increase productivity?

Next, reword the company’s goals as quality objectives:

Complete the design verification and validation of our new product by August 15.
Reduce nonconforming products from the molding process by 50% this year.
Increase the number of production lots released each week from four to five lots of 1,000 units per lot.

Next, ensure that your quality objectives are achievable, measurable, and have clear timelines for completion. Quality objectives should not be stretch goals. If you have to initiate a corrective action because you didn’t achieve a quality objective, you just create more work for yourself and the company.

Teach people to focus on the process and not the procedure

The FDA and the ISO 13485 standard require procedures to be established. However, if you focus on the documentation of processes, your company will do stupid things faster. Instead, management representatives need to be able to teach people how to make processes more effective before the processes are documented. Lean manufacturing techniques are not limited to manufacturing. You can apply lean methods to administrative processes too. For example:

What information needs to be in a form?
What is the correct order of tasks for the process?
Is there duplicate or unnecessary information?

A management representative helps identify what to measure

In a management review meeting, the effectiveness of the quality system is reviewed, and improvements are identified. This does not mean the management representative needs to measure or create slides and graphs. As a management representative, you should ask the CEO the most important information they want from each department or member of top management. Once you know what information the CEO wants, please work with the other members of top management to find the most efficient way to get that information and graph it. Help the other managers identify who can generate the graph with the least effort (it’s seldom a manager), and help that person build the reporting of that information into their routine.

A management representative needs to share the spotlight

A management review meeting is only effective if the top management is engaged in the process. Therefore, the management representative should not create 100% of the slides or present 100% of the slides. Everyone should have a piece they are responsible for and can be proud of. When an individual or a team achieves a goal, we can celebrate the achievement in a management review. When an individual or team struggles, we can ask for help in a management review. If other members of top management are not engaged in preparation for a management review, they will not be enthusiastic about listening to the presentation either.

Have a positive attitude as a management representative

Everyone hates to listen to someone that has a negative attitude. As managers, we sometimes need to report bad news. However, we need to develop ideas to solve problems instead of just reporting gloom and doom. We also need to ensure we never miss an opportunity to report good news.

Management representatives should schedule reviews more often

This last section is a bonus (i.e., a sixth way to ensure you are a valuable management representative). Most management review procedures require a management review at least once per year. Unfortunately, there is little point in reviewing quality information from last February during this January. If changes to your quality system are planned or implemented, more frequent reviews are needed. Examples of changes that should prompt you to schedule an extra management review include mergers, new product launches, and employee turnover.

FREE Procedure and Training Webinar

If you want a free management review procedure and training webinar, please sign-up.

5 ways to ensure you are a valuable management representative Read More »

Jan 21 2023

Effective Management Skills for Managers

1 Comment / ISO 13485 / By Robert Packard / management skills, managers

This blog revies some practical and effective management skills that all managers should possess.

Sometimes we hear phrases like: “Well, that’s just an ISO requirement.” This apparent lack of support by top management is what frustrates every Management Representative in the world.

Peer Support

For a Quality Manager or any manager, it is vital to gain support from our peers, as failure to do so can lead to challenges. While the Quality Department plays a crucial role in recommending improvements, providing training, and assisting with implementation, it cannot address all problems on its own. Therefore, I strongly believe in assigning corrective actions to the process owner (i.e., the Manager) responsible for the area where the problems originated. This approach creates an opportunity for QA/RA to collaborate with the area manager and work together as a team towards the shared goal of improvement.

Good managers build people up and improve processes, they don’t point fingers or blame individuals. It is the process, not the person.

sKKP5YsxxUbjMPmSNnZr 4 hrptd 300x300 Effective Management Skills for Managers — Example of ‘not-an-effective-manager’

Persuading Skeptics

If you encounter resistance when trying to persuade skeptics, focus on a crucial project for the individual opposing your ideas. Demonstrate how applying Quality principles can effectively resolve their problems, potentially gaining their support. Converting one person often leads to strong support from them. If the resistant individual holds a senior position such as the CEO, take time to understand the CEO’s initiatives (These shouldn’t be hard to identify as they likely talk about them rather constantly). Illustrate how their actions can align with Quality Objectives, using graphs and presenting well-thought-out solutions to their challenges. Utilize the CAPA (Corrective and Preventive Action) process as a framework to show how the management team can collaboratively address issues.

If nothing seems to be working, you can always try reviewing some FDA MedWatch reports too–just to scare your boss.

Here is a list of tips to deal with unsupportive top management in a quality management system using effective management skills:

Clearly communicate the benefits of the quality management system:

Articulate the advantages that a well-implemented quality management system can bring to the organization, such as improved efficiency, reduced costs, and enhanced customer satisfaction. Don’t just leave the conversation at “The QSR/13485 says that we SHALL have one”.

Address specific concerns and show how quality initiatives overcome challenges:

Listen to the concerns of top management and present how quality initiatives directly address those issues, fostering a more positive outlook towards the system. Just like the old saying,

“An ounce of prevention is worth more than a pound of the cure”

Consider how ISO 13485:2016 has separate sub-clauses for Corrective Actions and Preventive Actions. Explain how something like pushing for preventive actions shows compliance with clause 8.5.3. which auditors, and inspectors will be looking for, but also that every Preventive Action represents a dodged 483 letter or recall.

Or how beefing up incoming inspection is likely to save time and money in reworked product and less scrap dispositions because any non-conforming materials are stopped before they can make their way into finished devices.

Demonstrate how quality aligns with overall business objectives:

Connect the quality management system to the organization’s strategic goals, highlighting how it contributes to long-term success and profitability. Reframe the Quality Policy and Quality Objectives as tools to support a successful business. Not just, “We have to have them for compliance….”

Start with small projects and showcase measurable results:

Begin with pilot projects or smaller initiatives that demonstrate tangible improvements, instilling confidence and support from top management.

Create a compelling business case for the quality management system:

Develop a well-researched and data-driven business case that outlines the return on investment and the long-term benefits of implementing the system. Effective management skills will involve encorporating topics like regulatory compliance. Not only how they align with, but are a part of business goals.

Engage top management in the decision-making process. Seeking their input and making them feel invested in shaping the quality management system. It is important that the entire organization be ‘quality focused’ at all times. Not just when an audit or management review is approaching.

https://medicaldeviceacademy.com/management-review-webinar

Consider the potential consequences of non-compliance with quality standards:

Emphasize the impact of not adhering to quality standards, such as regulatory penalties or reputational damage. This will underscore the necessity of the system’s implementation. This can be validated externally if need be. Auditors or consultants can assess quality processes and provide independent validation of a systems strengths of weaknesses.

7 Steps to writing an FDA 483 response

Effective Management Skills for Managers Read More »

Jan 10 2023

Why modernize 21 CFR 820 to ISO 13485?

Leave a Comment / ISO 13485 / By Robert Packard

The FDA patches the regulations with guidance documents, but there is a desperate need to modernize 21 CFR 820 to ISO 13485.

FDA Proposed Amendment to 21 CFR 820

On February 23, 2022, the FDA published a proposed rule for medical device quality system regulation amendments. The FDA planned to implement amended regulations within 12 months, but the consensus of the device industry is that a transition of several years would be necessary. In the proposed rule, the FDA justifies the need for amended regulations based on the “redundancy of effort to comply with two substantially similar requirements,” creating inefficiencies. In public presentations, the FDA’s supporting arguments for the proposed quality system rule change rely heavily upon comparing similarities between 21 CFR 820 and ISO 13485. However, the comparison table provided is quite vague (see the table from page 2 of the FDA’s presentation reproduced below). The FDA also provided estimates of projected cost savings resulting from the proposed rule. What is completely absent from the discussion of the proposed rule is any mention of the need to modernize 21 CFR 820.

Are the requirements “substantively similar”?

The above table provided by the FDA claims that the requirements of 21 CFR 820 are substantively similar to the requirements of ISO 13485. However, there are some aspects of ISO 13485 that will modernize 21 CFR 820. The areas of impact are 1) software, 2) risk management, 3) human factors or usability engineering, and 4) post-market surveillance. The paragraphs below identify the applicable clauses of ISO 13485 where each of the four areas are covered.

Modernize 21 CFR 820 to include software and software security

Despite the limited proliferation of software in medical devices during the 1990s, 21 CFR 820 includes seven references to software. However, there are some Clauses of ISO 13485 that reference software that are not covered in the QSR. Modernizing 21 CFR 820 to reference ISO 13485 will incorporate these additional areas of applicability. Clause 4.1.6 includes a requirement for the validation of quality system software. Clause 7.6 includes a requirement for the validation of software used to manage calibrated devices used for monitoring and measurement. Clause 7.3 includes a requirement for validation of software embedded in devices, but that requirement was already included in 21 CFR 820.30. The FDA can modernize 21 CFR 820 further by defining Software as a Medical Device (SaMD), referencing IEC 62304 for management of the software development lifecycle, referencing IEC/TR 80002-1 for hazard analysis of software, referencing AAMI TIR57 for cybersecurity, and referencing ISO 27001 for network security. Currently, the FDA strategy is to implement guidance documents for cybersecurity and software validation requirements, but ISO 13485 only references IEC 62304. The only aspect of 21 CFR 820 that appears to be adequate with regard to software is the validation of software used for automation in 21 CFR 820.75. This requirement is similar to Clause 7.5.6 (i.e., validation of processes for production and service provisions).

Does 21 CFR 820 adequately cover risk management?

The FDA already recognizes ISO 14971:2019 as the standard for the risk management of medical devices. However, the risk is only mentioned once in 21 CFR 820. In order to modernize 21 CFR 820, it will be necessary for the FDA to identify how risk should be integrated throughout the quality system requirements. The FDA recently conducted two webinars related to the risk management of medical devices, but implementing a risk-based approach to quality systems is a struggle for companies that already have ISO 13485 certification. Therefore, a guidance document with examples of how to implement a risk-based approach to quality system implementation would be very helpful to the medical device industry.

Modernize 21 CFR 820 to include Human Factors and Usability Engineering

ISO 13485 references IEC 62366-1 as the applicable standard for usability engineering requirements, but there is no similar requirement found in 21 CFR 820. Therefore, human factors are an area where 21 CFR 820 needs to be modernized. The FDA has released guidance documents for the human factors content to be included in a 510k pre-market notification, but the guidance was released in 2016 and the guidance does not reflect the FDA’s current thoughts on human factors/usability engineering best practices. The FDA recently released a draft guidance for the format and content of human factors testing in a pre-market 510k submission, but that document is not a final guidance document and there is no mention of human factors, usability engineering, or even use errors in 21 CFR 820. Device manufacturers should be creating work instructions for use-related risk analysis (URRA) and fault-tree analysis to estimate the risks associated with use errors as identified in the draft guidance. These work instructions will also need to be linked with the design and development process and the post-market surveillance process.

Modernize 21 CFR 820 to include Post-Market Surveillance

ISO/TR 20416:2020 is a new standard specific to post-market surveillance, but it is not recognized by the FDA. There is also no section of 21 CFR 820 that includes a post-market surveillance requirement. The FDA QSR focuses on reactive elements such as:

21 CFR 820.100 – CAPA
21 CFR 820.198 – Complaint Handling
21 CFR 803 – Medical Device Reporting
21 CFR 820.200 – Servicing
21 CFR 820.250 – Statistical Techniques

The FDA does occasionally require 522 Post-Market Surveillance Studies for devices that demonstrate risks that require post-market safety studies. In addition, most Class 3 devices are required to conduct post-approval studies (PAS). For Class 3 devices, the FDA requires the submitter to provide a plan for a post-market study. Once the study plan is accepted by the FDA, the manufacturer must report on the progress of the study. Upon completion of the study, most manufacturers are not required to continue PMS.

How will the FDA enforce compliance with ISO 13485?

It is not clear how the FDA would enforce compliance with Clause 8.2.1 in ISO 13485 because there is no substantively equivalent requirement in the current 21 CFR 820 regulations. The QSR is 26 years old, and the regulation does not mention cybersecurity, human factors, or post-market surveillance. Risk is only mentioned once by the regulation, and software is only mentioned seven times. The FDA has “patched” the regulations through guidance documents, but there is a desperate need for new regulations that include critical elements. The transition of quality system requirements for the USA from 21 CFR 820 to ISO 13485:2016 will force regulators to establish policies for compliance with all of the quality system elements that are not in 21 CFR 820.

Companies that do not already have ISO 13485 certification should be proactive by 1) updating their quality system to comply with the ISO 13485 standard and 2) adopting the best practices outlined in the following related standards:

AAMI/TIR57:2016 – Principles For Medical Device Security – Risk Management
IEC 62366-1:2015 – Medical devices — Part 1: Application of usability engineering to medical devices
ISO/TR 20416:2020 – Medical devices — Post-market surveillance for manufacturers
ISO 14971:2019 – Medical Devices – Application Of Risk Management To Medical Devices
IEC 62304:2015 – Medical Device Software – Software Life Cycle Processes
ISO/TR 80002-1:2009 – Medical device software — Part 1: Guidance on the application of ISO 14971 to medical device software
ISO/TR 80002-2:2017 – Medical device software — Part 2: Validation of software for medical device quality systems

What is the potential impact of the US FDA requiring software, risk management, cybersecurity, human factors, and post-market surveillance as part of a medical device company’s quality system?

Why modernize 21 CFR 820 to ISO 13485? Read More »

Apr 26 2022

Is monitoring every procedure required?

1 Comment / ISO 13485 / By Robert Packard

Process monitoring is required but do you know whether monitoring every procedure is required by the FDA QSR or ISO 13485?

One of the elements that Medical Device Academy has incorporated into each procedure we created in our turnkey quality system is a section titled, “monitoring and measurement.” The purpose of this section is to force each process owner to identify a process metric for monitoring every procedure. In some cases, we suggest a metric that would be appropriate for most companies establishing a new quality system. In other procedures, we use the following default text:

“Enter a quality metric that you want to track for this process in accordance with ISO 13485:2016, Clause 8.2.5 and the procedure for Monitoring, Measurement, and Analysis (SYS-017).”

Where are the requirements for process monitoring in 21 CFR 820?

Some of the companies that have purchased our turnkey quality system have asked, “Is it required to monitor and measure something in every procedure?” In general, it is not a specific requirement to have a metric specified in each procedure. In fact, if your quality system is not ISO 13485 certified, there are actually only a few places where the US FDA requires monitoring. The FDA does not have a section specific to monitoring and measurement of processes, but there is a section of the regulations specific to statistical techniques (i.e. 21 CFR 820.250). However, it does not state in the QSR that statistical analysis is required for all processes. In fact, there are only six instances where the word “statistical” is used:

21 CFR 820.100(a)(1) – “Analyzing processes, work operations, concessions, quality audit reports, quality records, service records, complaints, returned product, and other sources of quality data to identify existing and potential causes of nonconforming product, or other quality problems. Appropriate statistical methodology shall be employed where necessary to detect recurring quality problems;”
21 CFR 820.200(b) – “Each manufacturer shall analyze service reports with appropriate statistical methodology in accordance with § 820.100.”
21 CFR 820.250 – “(a) Where appropriate, each manufacturer shall establish and maintain procedures for identifying valid statistical techniques required for establishing, controlling, and verifying the acceptability of process capability and product characteristics. (b) Sampling plans, when used, shall be written and based on a valid statistical rationale. Each manufacturer shall establish and maintain procedures to ensure that sampling methods are adequate for their intended use and to ensure that when changes occur the sampling plans are reviewed. These activities shall be documented.” Note: the other two instances are the title of 21 CFR 820.250.

The word “monitoring” is equally rare (i.e. 4x) in the QSR:

21 CFR 820.70(a) – “Each manufacturer shall develop, conduct, control, and monitor production processes to ensure that a device conforms to its specifications…Where process controls are needed…(2) Monitoring and control of process parameters and component and device characteristics during production.”
21 CFR 820.75(b) – “Each manufacturer shall establish and maintain procedures for monitoring and control of process parameters for validated processes to ensure that the specified requirements continue to be met…(2) For validated processes, the monitoring and control methods and data, the date performed, and, where appropriate, the individual(s) performing the process or the major equipment used shall be documented.”

Where are the requirements for process monitoring in ISO 13485:2016?

ISO 13485:2016 has a section specific to monitoring and measurement of processes (i.e. Clause 8.2.5). In addition, the word “monitoring” occurs 52 times in the standard and there are 60 incidents of some variant or the exact word. , but there is a section of the regulations specific to statistical techniques (i.e. 21 CFR 820.250). However, it does not state in the QSR that statistical analysis is required for all processes. In fact, there are only six instances where the word “statistical” is used. There are four Clause headings that actually include the word monitoring:

Clause 7.6, Control of monitoring and measuring equipment
Clause 8.2, Monitoring and measurement
Clause 8.2.5, Monitoring and measurement of processes
Clause 8.2.6, Monitoring and measurement of product

In Clause 1, Scope, and Clause 4.1.5, the Standard states that any outsourced processes remain the responsibility of the company and must be accounted for in the quality system by monitoring, maintaining, and controlling the processes.

Monitoring of risk is included in the definition of “risk management” in the Standard (i.e. Clause 3.18).

Clause 4.1.3 states that the organization shall, “b) ensure the availability of resources and information necessary to support the operation and monitoring of these processes…d) monitor, measure as appropriate, and analyze these processes.”

Clause 4.2.3 states that the contents of the Medical Device File (i.e. MDR or TF), shall include, “d) procedures for measuring and monitoring.”

Monitoring and measurement of processes and product are required inputs to the Management Review in Clauses 5.6.2e) and f).

Clause 6.4.1 requires a procedure for monitoring the work environment if it can have an effect on product quality.

Clause 7.1 requires the company to consider including monitoring in product realization planning.

Clause 7.4.1 requires a plan for monitoring suppliers.

Clause 7.5.1 requires monitoring production and service, including the monitoring of process parameters and product characteristics.

Clause 7.5.6 requires monitoring of validated process parameters.

Clause 7.5.8 requires identification of status with regard to product monitoring and measurement (i.e. inspection status).

Clause 7.6 requires monitoring and measurement of calibrated devices and validation of any computer software used to monitor calibrated devices.

Clause 8.1 states that companies shall plan and implement monitoring and measurement of processes.

Clause 8.2 is titled, “Monitoring and measurement.”

Clause 8.2.1 requires monitoring of customer feedback.

Clause 8.2.5 requires monitoring of processes to ensure planned results are achieved.

Clause 8.2.6 requires monitoring of products to ensure product requirements have been met.

Clause 8.4 requires data analysis of monitoring data from at least six different processes:

Feedback
Conformity to product requirements
Characteristics and trends of processes and products, including opportunities for improvement
Suppliers
Audits
Service reports, as appropriate

In summary, while not every single clause that requires a procedure includes a requirement for monitoring, there are a number of processes where the requirement to monitor the process is explicitly stated.

Why do all of our procedures include the requirement for metrics?

Medical Device Academy expanded the requirement for monitoring to all procedures for five reasons:

Quality objectives must be “established at relevant functions and levels within the organization.” Therefore, establishing monitoring requirements for each procedure ensures that top management has metrics for every process and a lack of data is never an excuse for not establishing a new quality objective when improvement is needed.
If every procedure has a requirement for monitoring, then employees don’t have to remember which processes require monitoring and which processes do not explicitly require monitoring.
The process approach to auditing includes metrics of the process as one of the seven items that are included in every process turtle diagram, and therefore, including metrics for each procedure facilitates the process approach to auditing.
If a company does not have a process metric already established, it is often difficult to perform an investigation of the root cause of quality issues. If a metric is already being monitored for the process, this facilitates the investigation of the root cause and you can use the baseline monitoring data to help you establish effectiveness criteria for the corrective action.
Finally, most companies struggle to identify preventive actions as required by Clause 8.5.3, and we have found that data analysis of monitoring data is the best source of identifying new preventive actions.

What are the disadvantages when you monitor and measure something in every procedure?

The primary reason for resistance to identifying a metric for monitoring in every procedure is that it will increase the workload for the employees responsible for that process. However, monitoring of data does not always increase workload. In fact, when process data is recorded in real-time on a run chart it is often possible to identify a trend much earlier than when data is simply recorded and subjected to monitoring.

Example #1: The automatic tracking of toner in a printer tells HP when to ship you a new toner cartridge before you need it. This ensures that there is no loss in productivity because you never run out of ink or the ability to print documents.
Example #2: Companies will use project management software (e.g. Monday.com) to monitor labor utilization. This will help identify when a specific resource is nearing capacity. When this occurs, the project manager can add time buffers to prerequisite steps and adjust the starting date of the resource-limited tasks to an earlier starting date. This ensures that more time is available to finish the task or to take advantage of resource availability at an earlier date.
Example #3: Monitoring the revision date for procedures helps the document control process owner identify procedures that should be evaluated for the need to be revised and updated. Often this is articulated as a quality objective of reviewing and updating all procedures within 2 years. This also ensures that procedures remain current and compliant with regulatory requirements.

What are the advantages of monitoring every procedure?

The phrase “what gets measured gets managed” is a popular business philosophy that implies measuring employee activity increases the likelihood that employees will complete a task or perform it well. In contrast, if a process is not monitored, employees may assume that it is not important and the tasks may be skipped or completely forgotten. Setting quantitative goals is also sometimes integrated with economic incentives or bonuses that are granted to individuals and teams.

FDA transition from QSR to ISO 13485

The US FDA is planning its transition from 21 CFR 820 to ISO 13485 as the quality system criteria. This will force companies to make adjustments to their quality systems and increase the amount of process monitoring performed. My general advice is to work with employees that are performing tasks to identify streamlined methods for monitoring those tasks without being overly burdensome. Then you and the employees you manage can analyze the data together and identify opportunities for improvement. When you do this, experiment with manual methods using whiteboards and paper charts that are visible in public areas first. Only implement automated solutions after you have optimized the data being collected and the frequency of data collection, and remember that not every process will benefit from automated statistical process control. Sometimes the simple approach is best.

Is monitoring every procedure required? Read More »

Filter posts by category

ISO 13485