
ISO 13485

This sub-category is dedicated to articles about the new version of ISO 13485:201x that is expected to be published at the end of this year or Q1 2016.

Stage 2 Audit – How to Prepare (Part 1 of 2)

This blog teaches you how to prepare for a Stage 2 audit on your pathway to ISO 13485 certification, and this blog is part 1 of 2.

Stage 2 Audit

If you are not sure what ISO 13485 is, please consider our 2-part training webinar on the topic. Health Canada requires ISO 13485 certification for all Medical Device License Applications, and most companies choose ISO 13485 certification as their method for demonstrating conformity to the requirements of the European Medical Device Regulations (MDR), instead of a special MDD audit.

To achieve ISO 13485 certification, you must successfully complete a Stage 1 and Stage 2 certification audit with your chosen certification body. If you are interested in an overview of this certification process, you can download Medical Device Academy’s white paper on this topic, or you can watch a webinar we recorded recently on 6 steps to ISO 13485 Certification.

Management Processes are covered during the Stage 1 and Stage 2 audit

The Stage 1 audit is typically a one-day audit where the auditor is evaluating your readiness for the Stage 2 audit. The auditor will review your Quality Manual, and your procedures (19 are required) to ensure compliance with ISO 13485. Also, the auditor will sample records from critical processes to assess your readiness for the Stage 2 audit. Typically, these processes will be:

  1. Management Review
  2. CAPA
  3. Internal Auditing

After you complete the Stage 1 audit, you may have a few nonconformities identified by the auditor. Responding to these nonconformities is the first step in preparing for your Stage 2 certification audit. You need to initiate a CAPA for each of the auditor’s findings and begin implementation before the Stage 2 audit. Typically, you will have about six weeks to implement these actions. This is not usually enough time to complete your CAPAs because you need more time before you can verify the effectiveness of corrective actions.

Preparing CAPA Records is critical for your Stage 2 audit

In preparation for your Stage 2 audit, prepare for the auditor to review any CAPAs that you completed since the Stage 1 audit–especially if you have evidence of completing an effectiveness check. You may think this is unnecessary because the auditor previously reviewed CAPAs during Stage 1. However, you probably received a nonconformity related to your CAPA process (almost everyone does), and you should expect auditors to review your CAPA process during every audit.

Each CAPA record you present should be provided in a separate folder as a paper hardcopy. The paper hardcopy makes it easier for the auditor to review. The folder should include documentation of the investigation, a concise statement of the root cause, and copies of records for all corrections and corrective actions implemented. Corrective actions include procedure revisions and training records. If there is a quantitative measurement of effectiveness, include a graph of current progress with the record. Ideally, the graph will be one of your quality objectives. The graph to the right is an example.

Production Process Controls will get the auditor out of the conference room 

Every company has at least some production and process controls implemented before the Stage 2 certification audit. Most auditors and inspectors spend too much time in conference rooms reviewing paperwork and too little time interviewing people that are performing work. However, many companies also outsource production activities. Therefore, unless you have a software product, you can expect your auditor to review incoming inspection activities. The auditor is also likely to review the finished device inspection, storage, and distribution. If the auditor is thorough, they will also follow the trail from inspection activities to calibration activities, nonconforming materials, and data analysis.

Design Controls

If your company is a contract manufacturer, then you probably are excluding design controls (ISO 13485, Section 7.3) from the scope of your Quality System. However, if you are a manufacturer that performs design and development, then it is an element of the quality system that warrants special attention. During the Stage 1 certification audit, the auditor reviewed only your Design Control procedure. During Stage 2, the auditor will look for evidence of implementing design controls. Therefore, even if your company has not completed your first design project, the auditor will still want to see some evidence of implementation. The auditor will expect at least one design plan to be written, and at least one design review should be completed.

If you are familiar with the FDA Quality System Inspection Technique (QSIT) process for inspection, you might have noticed that this blog is divided into the same subsections identified in the QSIT Manual.


Effective training – six steps to teach QMS procedures

Six steps to conducting effective training on medical device QMS procedures, including questions to ask for building consistent procedures.

Effective Training on QMS Procedures

There are six steps to conducting effective training on medical device QMS procedures, including questions to ask for building consistent procedures.

Your Quality Management System (QMS) needs to provide objective evidence (i.e., records) that your staff is trained on the procedures they use and that their training was effective. You must also establish documented requirements for competency. The following examples might help:

  1. A record of you attending a course is a training record.
  2. A record of your taking and passing an exam related to that course is a record of training effectiveness.
  3. A record of you performing a procedure, witnessed by the trainer, is a record of competency. Your resume can also be a record of competency.

Unless a change is trivial in nature, signing a piece of paper that states you read and understood a procedure does not demonstrate training effectiveness. Learning and training are active processes that require engagement and interaction.

In a previous blog, I described a slightly different procedure structure with some extra sections. There are a number of benefits to that structure, one of which is that the structure facilitates training. The additional sections are referred to in this blog. Whatever template you use, consistency of structure, and presentation across your procedures makes the procedures easier to learn and increases usability.

6 Points to Consider for Effective Training on Medical Device QMS Procedures

  1. Training requirements. For a new procedure, decide early in your writing which roles require training, what content is needed, and to what level competency is necessary. The example below is a table from a Quality Auditing procedure. The table shows the different requirements for different roles. I prefer to put this information in the procedure document, where it is unlikely to be overlooked or forgotten.
  2. Open book? For each of the roles listed above, determine whether you need trainees to be able to follow the procedure without the document at hand, or to know the procedure, and be able to find what they need.
  3. Training method. One-on-one or group? Classroom style, on-job, or remote? This depends on your company, the nature of the procedure, and your requirements above.
  4. PowerPoint or not? My preference is to walk trainees through the procedure and actually have them flip the pages and write notes on it. If I use PowerPoint, it’s to clarify the structure and emphasize important points.
  5. Control of training copies. Paper copies of procedures and forms used for training should be controlled. Your Document Control procedure should allow for clearly marked “Training” copies to be available before the effective date. Make sure your training also reminds trainees where to find the officially released copy of procedures after training is completed.
  6. Control of training material. Include your slides, training scenarios, quizzes, etc. in your document control system. Review and revise them each time you change a procedure. 

Building Consistent Procedures: Questions to Ask and Recommendations

Use a consistent structure for your procedures, then build a consistent training structure around that. The predictability in structure will improve the effectiveness of your training.

  1. Purpose. Why are we doing this? What is the outcome we are after?
  2. Scope. When do I use this procedure? When do I not, and what do I do as an alternative?
  3. References. How does this interface with other procedures? Turtle diagrams or interface maps are useful here.
  4. Definitions. Unfamiliar jargon, and terms that are used in a very specific way in this procedure.
  5. Risk. What risks does this procedure address? How does this affect the design of the procedure, and why are we doing it that way? Refer to our earlier blog where we explain how to include this in each procedure.
  6. The procedure. Walk through the flowchart, explain the accompanying notes, and relate the procedure flow to the responsibilities and authorities outlined earlier in the procedure.
  7. Records. What do I do with the completed records from this procedure? Where do I find a copy when I need it?
  8. Examples. I suggest a training version of the form (which should be available later for reference) with guidance and examples.
  9. Practice. Provide a scenario and a blank form for trainees to work through, individually or in groups.
  10. Testing. Check that the training has been effective. The role competencies that were defined earlier are the basis for the effectiveness criteria for a procedure. This training module may be enough to achieve that level, or a broader training program may be required to ensure operational-level competence. See our blog on training exams for more advice on testing.


Quality Management System Training Presentations and Exams

Methods for developing a quality management system training presentation and exam to demonstrate training effectiveness for QMS procedures.

[Image: Certificate of Participation]

Quality Management System Training

Training records are a basic expectation for any quality system (i.e., Clause 6.2.2 of ISO 13485), but demonstrating effectiveness (Sub-Clause 6.2.2c) and competency (Sub-Clause 6.2.2a) is also required. Verifying training competency will be the subject of a future blog, but this blog focuses on the most common method for demonstrating training effectiveness—an exam.

Resource Needs

The challenge with creating a training exam is that it takes a serious time commitment to create a training presentation, to write an exam, to grade the exam each time an employee is trained, and issue training certificates. Each time you revise the procedure, you need to decide if retraining is required and how you will verify the effectiveness of training on the revised procedure. Finally, you need qualified trainers with appropriate documentation of their competency.

The larger your company is, the more value you will realize from creating training exams. Unfortunately, larger companies usually have more procedures too. It typically takes me 2-4 hours to develop a new training presentation for a process or procedure. I am currently developing training presentations for a small drug/device company that will have approximately 30 procedures. Therefore, it could take 60-80 hours to create training presentations for all the procedures.

Quality Management System Training Presentation Content

We have developed training courses for critical processes, such as CAPA, internal auditing, and design controls. Medical Device Academy will also be offering a free webinar in November on the topic of conducting more effective Management Review meetings. For other processes, such as calibration, we recommend the following step-by-step approach:

  1. Overview slide of requirements
  2. A slide for each sub-clause
  3. An example of how the procedure is applied
  4. An overview of the procedures’ key points

Our calibration procedure required a total of 11 slides—including a title slide and a slide for contact information. We also included a cross-reference to the applicable section of the procedure for each sub-clause of the ISO 13485 Standard (i.e., 7.6a, 7.6b, etc.). A balance used to weigh components was the training example, and there was a slide that explained essential considerations that can affect the accuracy of a balance.

During the process of creating the training presentation, we noticed that one of the sub-clauses of ISO 13485, 7.6, was not addressed by the procedure. Therefore, our systematic approach simplified the creation of a training presentation, and the strategy helped to identify a non-conformity in the procedure before it was released.

Exam Content

Verifying effective training is easiest with the use of quizzes or exams to test what the person learned. For training exams, we try to ensure that exam questions are objective and easy to grade. Therefore, most exams are ten questions. Questions are typically the fill-in-the-blank type of questions or multiple-choice questions. “Trick questions” are not recommended, but we do recommend using questions that force the trainee to look up the answers. This will force the trainee to become more familiar with the procedure.

For our calibration training exam, we could easily have one question corresponding to each slide, but not every sub-clause requirement is equally important. Therefore, we always try to include a question related to the most common things auditors and FDA inspectors will be looking for.

The calibration process includes a requirement to assess the impact on a product if a measurement device used for inspections is found to be Out-Of-Tolerance (OOT). Is there a need to retest or even recall products?

Almost every auditor I meet asks the above question during an audit, and most will even request records of calibrated devices that were found OOT.

Grading & Certificates

We typically use 70% as the criterion for passing an exam. The exams are protected forms with spaces to fill in and checkboxes. There are also spaces for the trainee’s name, title, and date of the training. Exams are emailed to the instructor, and the instructor will unprotect the document. The correct answers are indicated by highlighting the choice in green. Incorrect answers are indicated by highlighting the choice in red. Explanations for why an answer is incorrect are added after the question and highlighted in yellow. The graded exam is then emailed back to the trainee, along with a training certificate similar to the one shown at the beginning of this blog.

Retraining

In one of our blog posts, we recommended including a section on training and retraining requirements in each procedure. The challenge with revised procedures is that retraining is not always required. If retraining is needed, we recommend the following approach:

  1. Create a separate retraining exam
  2. Include a question(s) specific to the procedural revisions
  3. Include a question(s) specific to recent nonconformities in the process (if any)

If you are interested in learning more about procedures, records, and training as it relates to ISO 13485 Certification, please consider our ISO 13485 webinar training.

 


Procedure template for ISO 13485:2016 quality systems

This 12-part procedure template for your medical device QMS can result in writing shorter, more effective documents that facilitate training.

Procedure Template

We all have a standard template for our quality system procedures. Typically, we begin with purpose, scope, and definitions. This 12-part procedure template for your medical device QMS can result in shorter, more effective documents that are easier to train personnel on.

1. Purpose. Often I read something like, “This purpose of this document is to describe the CAPA procedure.” That necessary information is the reason why we title procedures. A better statement of purpose would be, “The purpose of this procedure is to provide a process for identifying, preventing and eliminating the causes of an actual or potential nonconformity, and using risk management principles.” The second version gives readers a better indication of the purpose of the procedure.

2. Scope. This section should identify functions or situations that the procedure applies to, but it is even more critical to identify which situations the procedure does not apply to.

3. References and Relationships. Reference documents that apply to the entire quality management system (e.g., ISO 13485 and 21 CFR 820) only need to be listed in the Quality Manual. This reduces the need for future revisions to the procedures. I list here any procedure-specific external standard (e.g., ISO 14971) in the applicable procedure. The relationship between procedures is more important than the references. Therefore, I prefer to use a simple flow diagram, with inputs and outputs, similar to the one below for a document control process.


4. Document Approval. Who must sign off on the procedure? Keep this list short. Ideally, just the primary process owner and Quality Manager (to ensure consistency and integrity across the quality management system).

5. Revision History. A brief listing of each revision and a brief description of what was changed in the procedure.

6. Responsibilities and Authorities. A listing of the main areas of responsibility for each role. Remember to include the title of managers who may be required to approve forms, or make key decisions.

7. Procedure. I prefer to create a detailed flowchart outlining each step of a process before writing the procedure. Each task box in the flowchart will include a reference number. If you organize the reference numbers in an outline format, then you can write the text of your procedure to match the flowchart—including the numbering of the flowchart task boxes.


8. Monitoring and Measurement. An explanation of how the process is monitored and measured, who does it, how often, format, method of communicating the analysis, and what process that analysis will be input into, e.g., Management Review.

9. Training/Retraining. Tabulated, which roles need to be trained in this procedure, and to what level? The example below is also from a Document Control procedure.

10. Risk Management. This section identifies risks associated with each procedure and how the procedure controls those risks. As well as complying with the requirement to apply risk management throughout product realization (i.e., Clause 7 of ISO 13485), including a section specific to risk management forces the author of the procedure to think of ways the process can fail and to develop ways to avoid failure. Risks can also be a starting point for training people on the procedure.

11. Records. Tabulated, form number and names, a brief description of its purpose, and a column for retention and location. This column also allows for reference to compilations if the record becomes part of, e.g., the Design History File, Device Master Record, or the Risk Management File.

12. Flowcharts. Step-by-step through the process, saying who performs the step when it isn’t apparent. I keep task shapes simple: rectangles for tasks, rounded rectangles for beginnings and endings, diamonds for decision boxes, and off-page reference symbols.

When the task needs supporting text, e.g., guidance or examples, put a number in the box and a corresponding number in the table in (7) above. Ideally, the flowcharts are placed in the document with the Notes table on the same page or the opposite page. In practice, I often put them at the end to simplify the layout. One of my clients loves her flowcharts and puts them on the front page.

Benefits of this Approach

Information is well structured and presented consistently across procedures, more so than can be achieved through narrative.

  • The flowchart is the primary means of documenting the procedure.
  • Tables provide details that are not clear in the flowchart.

The procedure structure described above facilitates a consistent training approach built around the document. Purpose and scope are presented first, and then the Risk section is presented to explain what is essential in the procedure and why. The flowchart, the table, and the formwork together describe each step of the procedure. Finally, a PowerPoint template can be used to guide process owners in developing their training.

And to make it even easier, you have already spelled out who needs to be trained and to what level.


Certification Body Selection

 

The author reviews the certification body selection process for ISO 13485 certification, MDSAP Certification, and CE Marking.


What is a Certification Body?

A certification body is a third-party company that is accredited by an organization like the ANSI-ASQ National Accreditation Board (ANAB) or Standards Council of Canada (SCC) to perform certification audits against ISO Standards, such as ISO 9001 or ISO 13485. Accreditation bodies verify the conformity of certification audits to the ISO/IEC 17021 Standard. Some certification bodies are not accredited or may be self-accredited. Still, you will need a certification body that is accredited to meet the regulatory requirements of Health Canada and European Competent Authorities.

Certification body selection for your company is a critical step on the journey toward ISO 13485 certification. When I first joined one of my previous companies, I was assigned the task of implementing ISO 13485 to comply with the Canadian Medical Device Regulations (CMDR) under the Medical Device Single Audit Program (MDSAP). First, I discovered that the company already had two certification bodies. The company initially received an ISO 9001 certificate from one certification body, and then a few years later, an ISO 13485 certificate was issued by another certification body. Unfortunately, neither certification body was recognized by Health Canada. Therefore, when I joined the company, and we were seeking a Canadian Medical Device License, we had to find a third certification body. This time, I selected a registrar recognized by Health Canada. Then I was able to transfer our ISO 9001 certificate to the new registrar and eliminate the other two certification bodies.

When conducting certification body selection, you will find that there are different names for the term, depending on the country in which you are seeking your certificate. For some of the biggest markets, they are named as follows:

  • Europe – notified bodies
  • Canada – registrars
  • Japan – registered certification bodies
  • Australia – conformity assessment bodies

8 Points to Consider When Selecting a Certification Body

  1. Refer to the official Europa page that helps you identify the complete list of “possible” Notified Body candidates based on the product category.
  2. The size and reputation of the notified body can have an impact on your customer’s confidence in your QMS. If they are savvy, they know who the key players are, and who has the more credible reputations in the medical device field. Before transitioning to BSI, I experienced “eye-rolling” during customer audits when asked for the name of our notified body.
  3. Consider the level of risk associated with the classification of the medical devices that are currently marketed and those that may be planned for future distribution. The EU Commission and Competent Authorities (US FDA equivalent in European member states) throughout Europe are currently re-evaluating all the Notified Bodies to determine if they will continue to be allowed to issue CE Design Examination Certificates (Annex II.4) and CE Type Examination Certificates (Annex III) for the highest risk devices (i.e., Class IIb and Class III).
  4. Identify all your regulatory needs unless you want to contract multiple certification bodies (not recommended). Certification bodies are not created equal, and some may not be qualified to provide all the services needed. A certification body qualified to issue a certificate for ISO 13485 may not be able to provide a CE certificate for CE Marking required by the EU, and only 15 certification bodies are recognized by Health Canada as MDSAP Auditing Organizations. To avoid the need for additional certification bodies in the future, you need to identify your long-term certification requirements for the international markets you will distribute in.
  5. Compare price quotes from each certification body you are considering and make sure that you provide the same criteria to each potential certification body to ensure that you are getting a fair quote. This is also the time to determine ALL costs associated with audits, certificates, and any other fees. Be sure to include any travel costs, as they are part of the fees that will be included in the contract. If you have multiple sites, consider the benefit of utilizing the same auditor for each site for consistency. However, using one auditor can also incur higher travel costs.
  6. Evaluate each certification body’s customer service before the initial certification audits by asking for “360-degree” evaluations by everyone in your organization that will interact with the certification body directly. This includes planners scheduling the certification audits, the accounts receivable department handling invoices for the certification body, and your sales team that may be able to represent a customer’s opinion of the various certification bodies you are considering. Responsiveness is one of the best criteria to evaluate this customer service against. If the certification body is difficult to work with before certification, it won’t get better.
  7. What is your regulatory strategy? Are you looking for a certification body that will conduct an audit that barely meets requirements? Or maybe you want a certification body that will work with you as a partner to build a QMS made up of best practices. I recommend a “picky” certification body. This will ensure that you choose a partner that forces you to improve your QMS and remain competitive with other medical device companies that have embraced the principles of an ISO QMS.
  8. Finally, if your medical devices or the manufacturing process is complex or innovative, you should select a certification body with auditors that have the technical expertise to understand your product and processes. For example, if your company makes special plastic implants that require “gas plasma,” or vapor-hydrogen peroxide sterilization, you want to ensure that the certification body has auditors that understand this sterilization process.

Strategic Decision-Making

For certification body selection, a spreadsheet may help keep track of information. However, the best practice for making this type of strategic supplier decision is a “Proposal A3 Report”. This special type of A3 Report is explained in Dan Matthew’s workbook. Rob Packard, the founder of the Medical Device Academy, used this approach to select a new Notified Body for a recent client to transfer to.

If you need assistance with ISO 13485 Certification or are interested in training on medical device regulations for the United States, Europe, or Canada, please email the Medical Device Academy at rob@13485cert.com, or contact Rob Packard by phone @ +1.802.258.1881.


QMS Implementation Tasks

Learn 12 QMS implementation tasks you need to include in your quality plan for successfully implementing ISO 13485.

QMS Implementation Tasks 

For your ISO 13485 implementation project, use a planning tool that you are comfortable with (e.g., a spreadsheet or project planning software). Your plan should include the following:

  1. Identification of each task
  2. Target dates for completion of each task
  3. Primary person responsible for each task
  4. Major milestones throughout the project

Regular progress reports to top management and implementation meetings with all process owners are recommended to track your progress to plan. Weekly meetings are also recommended so that no tasks can fall too far behind schedule. Be sure to invite top management to weekly meetings, and communicate the progress toward completion of each task to everyone within your company. The list below identifies 12 of the most important tasks that should be included in your plan.

12 QMS Implementation Tasks to Consider for Implementing ISO 13485

  1. Select a certification body and schedule your certification audits (i.e., Stage 1 and Stage 2). If you want to place devices on the market in the EU, Japan, or Canada, make sure your certification body meets the specific regulatory requirements for that market.
  2. Establish a Quality Manual and at least 28 required procedures. If you have purchased a copy of the excellent AAMI Guidance Document, this lists the required procedures for you. There are a few extra procedures or work instructions needed to meet regulatory requirements (e.g., training, mandatory problem reporting, and post-market surveillance).
  3. Document training on the procedures comprising the quality system. A signed form indicating that employees “read and understand” the procedures is not enough. Training records should include evidence of the effectiveness of training, and you should be able to demonstrate the competency of the people performing those procedures.
  4. You must complete at least one full quality system internal audit. The timing of your internal audit should be late enough in the quality plan that most elements of your quality system have been implemented. However, you want to allow enough time to initiate CAPAs in response to internal audit findings before your Stage 1 audit. If your internal auditor(s) have been heavily involved in the implementation of the quality system, you may need to hire an external consultant to perform your first internal audit.
  5. You need to complete at least one management review, which can be done just before the Stage 1 audit. My preference, if there is time, is to have at least two management reviews. The first review might occur three months before the Stage 1 audit, just before you plan to perform an internal audit of the management processes. There may be limited data to review at that time, but this first review provides an opportunity to train top management on their roles and responsibilities during a management review.

The second management review must cover all the requirements identified in ISO 13485, Clause 5.6. The second management review is also your last chance to identify any gaps in your quality system, and initiate a CAPA or action items before your certification auditor arrives.

  6. Compliance with regulatory requirements must be a commitment stated in your company’s Quality Policy. Specific regulatory requirements should be traceable to a specific procedure(s).

If you are seeking ISO 13485 Certification as part of the Canadian Medical Device Conformity Assessment System (CMDCAS) or the CE Marking process, then these regulatory requirements will be specifically included in your certification audit.

  7. Systematically incorporate customer and regulatory requirements into the quality management system. For contract manufacturers, this is especially important, and the Supplier Quality Agreements your company executes are the best source of these customer requirements. If your company is a legal manufacturer (the company named on the product label), this task is probably addressed sufficiently in tasks #1 and 6.
  8. You need to implement a supplier quality management process. If you already have a strong supplier quality program, then this may be a small task involving a few changes to your procedure. If you don’t have much of a supplier program yet, then this may involve identifying your suppliers, ranking them all according to type and risk, qualifying or disqualifying them, and executing supplier quality agreements.

Note: If you need training on Supplier Quality Management, you might consider participating in Medical Device Academy’s webinars.

  9. If product design is within the scope of your QMS, which is typical of legal manufacturers, but not for contract manufacturers, then you must establish a design control procedure(s). Product development projects often operate in a timeframe that is longer than your implementation project, and you may need ISO 13485 certification as part of the regulatory approval process.

Therefore, the minimum expectation is to initiate at least one development project before the certification audits. For records of implementation, you should have a design project plan, an initial risk management plan, reviewed and approved design inputs for your first product, and conduct at least one design review.

  • 10. Document what your Certification Body expects (e.g., notifying them of significant changes). These expectations are likely to be stated in your contract with the Certification Body.
  • 11. Appoint the management representative and a deputy. Ideally, this is formally documented with a letter of appointment signed by the CEO and the management representative. This letter should be maintained in the management representative’s personnel file, along with a copy of the job description explaining the job responsibilities of the management representative. This may also be achieved by identifying the management representative and a deputy in your company’s organizational chart.
  • 12. After the certification audit, your last task should be to “Create Quality Plan #2”—another PDCA loop through the system. The reason for a new quality plan is to implement improvements based on what you learned while you were building the quality system for the initial certification audit.

If your company wants to achieve ISO 13485 certification, you may be interested in a YouTube video on this topic.


Implementing ISO 13485: Planning the Project

In this article, you will learn five reasons why implementing ISO 13485 takes longer than you expect and tips to help avoid pitfalls.

Implementing ISO 13485

Your company wants to achieve ISO 13485 certification. How are you going to get there? In a recent blog, I reviewed setting objectives for implementing an ISO 13485 certification project. Once you’re clear on those, then you’re ready to create your first quality plan. The basic elements of any strategy will be:

  • Task breakdown (which I will cover in a separate blog)
  • Timeline
  • Resources (skills and hours available)

Timeframes and Trade-offs of ISO 13485 Certification Planning 

The endpoint of planning for the certification project is the certification audit. The earlier you choose your registrar or Notified Body and book the audit, the more choice you will have regarding the date. This should be one of the earliest tasks in the task breakdown. To be able to do that, you need a timeframe as to when you will be ready for the certification audit. How long it takes to implement ISO 13485 and be ready for a certification audit depends upon your starting point and your available resources. If you have no QMS in place, it will take you longer than if you already have a strong, documented QMS that complies with 21 CFR Part 820.

It May Take More Work

If you already have ISO 9001 certification, though you already have a structure in place, the upgrade to ISO 13485 is likely to take more work than you expect because:

  1. There are fewer procedures required by ISO 9001
  2. Most of your existing procedures will require revision
  3. Your employees will need training on the new procedures
  4. You will need time to generate records using new procedures
  5. You will need to complete a full quality system audit of the new procedures

Many companies also underestimate the required resources for ISO 13485 certification. If you have a knowledgeable consultant, and people available to write procedures, then ISO 13485 implementation will progress faster than an organization that has little expertise and little time available, so plan accordingly. Ideally, you will determine the length of time each task will take and decide on an endpoint for the project based on that information and available resources. This approach works well if you already have a well-documented, regulated QMS.

6 Months-Reasonable Timeframe?

Six months is my rule of thumb for the time needed to implement a quality system compliant with ISO 13485. If the implementation schedule is longer, organizational enthusiasm may wane. If the timeframe is shorter than six months, it’s difficult to complete all the required tasks. No matter how carefully you plan, you still need to write procedures, train personnel, and implement procedures, so there is adequate time to generate records. Six months is aggressive for most companies, but the objective of achieving certification in six months is reasonable.

You may find it interesting that, in his white paper on ISO 13485 implementation, Rob Packard also recommends that you allocate six months of one Full-Time Equivalent (FTE). This is a reasonable starting point, but you may want to adjust your resource allocation up or down depending on the level of experience within the implementation team. Experience has taught me that smaller organizations are more successful at building an effective quality system when effectiveness is achieved in reiterative steps (i.e., revision 1, revision 2, etc.). This is also the basis of the Deming/Shewhart Plan-Do-Check-Act (PDCA) cycle. This is also what I meant in a recent blog, where I suggested that you should “throw perfectionism out the window.”

Your understanding of how the quality system links together will grow as you implement each process in your implementation plan. As knowledge grows, you may reconsider some of your procedures. Instead of delaying the certification process (i.e., revision 1), you may want to implement improvements as a second revision to procedures after the Stage 2 certification audit (i.e., revision 2). During your Stage 1 and Stage 2 certification audits, your understanding of how the standard is interpreted and audited will build. After you achieve the initial ISO 13485 certification, you will have a much greater understanding of how all the elements of the quality system need to work together. You will also understand what parts of your quality system are easy for an outsider to audit.

After the ISO 13485 Certification Audit

During the initial planning stage, you should also imagine your future state after the certification audit. Your boss may assume that once the audit has been and gone, then everything will settle back to “normal” again. The reality is that after you deal with any nonconformities, and you take off a few days like you promised your family, you will have a long list of improvement ideas waiting for you. You will also need to prepare for next year’s surveillance audit. Therefore, I recommend that you manage expectations by adding “Create Quality Plan #2” as the last step of your ISO 13485 certification plan.


Implementing ISO 13485: Dealing with Delays

By Guest Blogger, Brigid Glass

The author provides tips, practical examples, and six steps to follow if your ISO 13485 implementation project falls behind schedule.

In the best-planned project, with plentiful, skilled resources and diligent monitoring, things can still go awry. We need to be watchful for signs of our plans falling behind schedule, and develop contingency plans to prevent delays.

Walk Around the Mountains

Identify major obstacles early and develop a plan to deal with them. The major obstacles are usually the tasks that take the longest—such as process validation. Specifically, name these tasks in your pitch to management for resources before you start. This approach will ensure that everyone is focused on the biggest challenges.

If your plan to climb over those mountains is failing, work out a route around them. Maybe your R&D Manager can’t yet accept that there will now be design controls. In this case, an alternate path might be to leave design controls for last purposely. If you write a concise procedure and release it as your last procedure, then you have a built-in excuse for why you have very few records to demonstrate an implementation of design controls. You will still need at least one design project plan and training records to demonstrate that the process is implemented.

If this plan is successful, your auditor will write in the report that “design controls are implemented, but there are limited records to demonstrate implementation at this time.” If this plan is unsuccessful, you will need to provide additional design control records before you can be recommended for ISO certification—typically within 90 days.

Another approach is to initiate a CAPA and implement some of the tasks after the audit. For example, you have more suppliers than you can audit before certification. In this case, qualify all your suppliers, and use a risk-based approach to help you prioritize which suppliers need to be audited first. In your plan, identify that you will start by auditing the three highest-risk suppliers. Lower risk suppliers can be scheduled for audits after certification.

Be Watchful

Keep a close eye on your project plan. One of the most critical factors for success is keeping the plan and progress against the plan in front of the key players and senior management. Do this in such a way that progress, or the lack of it, is very clearly visible. It’s a basic maxim of Quality that we act on what we measure.

ISO 13485 Implementation: If Your Project Falls Behind Schedule

If you find yourself lagging seriously behind in your project, the following steps will assist you in recovering sufficiently to still be able to attain certification.

  1. Enlist management support when you need it, especially if you need them to free up resources.
  2. Prioritize. Before the Stage 1 audit, ensure that those procedures which are required by ISO 13485 are released (there are 19). There’s always room for improvement, but leave some of it for the second revision, instead of delaying certification.
  3. Ensure that you have at least a few examples of all the required records. Your auditor will be unable to tick off his checklist if a record is absent. Make it easy for the auditor.
  4. If there is a sizeable gap that you won’t be able to close before certification (i.e., you have a validation procedure, but validations have not been completed), write a CAPA outlining your action plan to address the gap. During the audit, act confidently when you are questioned about the gap. Many auditors will give you credit for identifying the problem yourself.
  5. Don’t panic. The worst the auditor can do is to identify a nonconformity you will have to address with a CAPA plan before you can be recommended for certification. At most, this will result in a delay of a few weeks.
  6. Throughout your certification preparations and during the certification audits, you will identify issues you may not have time to resolve before the certification process is complete. If you are planning to revise procedures and make other corrections, make sure you track these issues as CAPAs or with some other tool (e.g., an action item list). You want to address each issue prior to the first surveillance audit (no more than 12 months from the date of the Stage 2 audit).

Best wishes for your project. Success is the result of good planning, good communication, and good monitoring.

This blog is part of a series of blogs that leads up to our Roadmap to ISO 13485 Certification Courses.


Quality objectives for achieving your goals

This article, updated in 2020, describes two different approaches to establishing quality objectives to achieve your business goals.
Goal setting and communicating a vision of the future is not just the responsibility of the company President. Every manager should be setting goals for the teams they manage, and you can set yourself apart from your peers by building a vision with clear benefits to employees, customers, and the bottom line. Establishing quality objectives and monitoring the progress toward those objectives is one of the greatest tools you can use to achieve your business goals. There are two different approaches to setting quality objectives, and you should use both.

Two Types of Quality Objectives

The most popular type of quality objective is a visionary goal. The phrase that I think captures this idea is the “Big Hairy Audacious Goal” (BHAG). Jim Collins and Jerry Porras coined this phrase in Built to Last. Visionary goals are long-term quality objectives that will require many smaller, coordinated changes intended to “level up” your business.

The second type of quality objective is a short-term goal. Short-term goals are not nearly as “sexy,” but achieving short-term goals builds momentum and creates long-term habits that are crucial to success. The two books that capture this concept best are The Compound Effect by Darren Hardy and The Slight Edge by Jeff Olson. Both books emphasize the importance of consistency and small improvements to achieve success. The secret to establishing short-term goals is to make sure that your short-term goals are aligned toward helping you achieve long-term goals.

In our quality system procedures, we include a section for monitoring, measurement, and data analysis. For every process in your quality system, you should have at least one defined quality metric that you consistently measure. Everyone involved in that process should be aware of the metric, and data analysis should be shared with everyone in the company. Some of those quality metrics will be more important than others, but everyone must expect to achieve the goals that are set. You can pick anything you want to measure for a process, but for the metric to be used as a quality objective, it must be measurable and consistent with your quality policy. I like to define measurable by saying, “You must be able to graph it.”

6 Steps to Achieving Big Hairy Audacious Goals (BHAG)

Not all quality objectives have to be small, dull, or easy. You are required to establish quality objectives. Both the QSR (21 CFR 820.20, management responsibility) and the ISO Standard (ISO 13485:2016, Clause 5.4.1) require that top management establish quality objectives. These objectives must also be reviewed during management reviews, and they should be established at all levels throughout your company. Some of these objectives will be small, but you should make at least one of your quality objectives big, exciting, and hard to achieve. If you want to set your first BHAG for your team, try following these six steps.

STEP 1: Involve your team in setting quality objectives

Weak managers dictate goals, but leaders get teams involved in the goal-setting process. Getting your team involved gives them ownership of the goal. If you’re unsure of how to get your team involved, you might try a brainstorming session. A good brainstorming session is relatively short (i.e., < 1 hour). Everyone needs to understand the goal of the brainstorming session: to generate many ideas for a possible BHAG. Everyone needs to understand what a BHAG is. These examples might help:

  1. Reduce average monthly scrap by 80% with a Pareto Chart
  2. Reduce the average number of nonconforming material reports by 50%
  3. Increase the ratio of preventive actions to corrective actions to > 1.00

Finally, negative comments should not be tolerated. Bad, good, and silly ideas should all be encouraged because the purpose of brainstorming is to generate many ideas. After you have 100+ ideas, you and your team can schedule another meeting to select the best goal(s).

STEP 2: Predict the bottom-line impact of quality objectives

Top management’s perception of a BHAG will be directly proportional to the impact on the bottom line. If the impact is small, the “B” in BHAG is a “b.” You and your team should use the potential impact on the bottom line as the first selection criterion for picking the best BHAG from the brainstorming list. The accuracy of these estimates doesn’t matter initially. Still, once you choose the goal, you will need to verify the accuracy of the financial impact and define how that impact will be measured.

STEP 3: Look to the future, but focus on the next milestone

Picking five- and ten-year goals is appropriate for discussions with Human Resources about your career, but companies are measured on quarterly financials. Therefore, you will need to focus on the goals you can achieve in three to six quarters. The number of milestones you set should also be few, and you should focus on one at a time. If the goal is only three quarters away, you might have monthly targets, while longer projects need interim milestones.

STEP 4: Milestone momentum

Longer projects often become delayed because people will procrastinate, and teams will lose momentum. When you break your long-term goals into smaller chunks, everyone can focus on the next milestone and see the progress. Each piece should be a sound stage of the project, and completion of the stage must be clearly defined. To create momentum, you must achieve each milestone–always. The pattern of consistent milestone achievement builds confidence, and your team will gradually develop the habits needed to sustain your progress.

STEP 5: Assign the Skeptic to Report on Quality Objectives

A good statistician can make the numbers look any way you want, but skeptics in other departments (and within your team) will criticize your claims of success. One way to silence the skeptics on your team is to make them responsible for measuring and reporting the team’s progress. This approach ensures that progress reports are conservative and accurate, rather than inflated or unbelievable. Progress should also be reported publicly because public victories are something your team can be proud of.

STEP 6: Promise a Reward for Achieving Quality Objectives

Some managers believe that the reward for hard work should be a paycheck. That’s sort of like telling your children that they get to eat for doing something you’re proud of. Employees are not children, but you are responsible for developing them into more valuable employees so that they can be promoted. If there is no incentive, your team will not be engaged. Therefore, pick a reward that is proportional to the bottom-line impact. Five percent of the bottom-line impact is what I like to target, but you would be amazed at how effective a few small rewards at each milestone can be. If you have trouble getting management approval for rewards, remind your boss of the bottom-line impact and link the rewards closely to the impact.


Implementing the ISO 13485 Standard: Objectives

By Guest Blogger Brigid Glass

The author discusses implementing the ISO 13485 standard, including seven questions to clarify your objectives and six considerations in shaping your objectives.

Implementing ISO 13485 is such an enormous undertaking for an organization that it pays to approach the planning strategically to ensure that all objectives are met.  Often, some objectives are made explicit, and others are unspoken. It is worth taking the time to ensure that all objectives are clearly stated to achieve the outcomes you want. Begin with the end in mind. Then, ensure that you are taking the organization with you and are headed to the same destination.

7 Questions to Clarify Your Objectives

  1. What are your regulatory drivers for ISO 13485 implementation? Are there dates associated with marketing plans that you need to consider? Are there other regulatory requirements that must be built into the QMS and the implementation plan (e.g., incident reporting for Canada or a Technical File for CE marking)?
  2. What other regulatory requirements must you meet to get into international markets? ISO 13485 requires that you meet applicable regulations for each market, such as a training procedure to address 21 CFR 820.25, a post-market surveillance plan to address CE Marking requirements and a Mandatory Problem Reporting Procedure for Canada.
  3. If you are a supplier to medical device manufacturers, what do your customers expect of your QMS? If they haven’t made this explicit already, ask them. Meeting their needs and their audits of your system may be as important to you as the certification audit.
  4. Do you want to achieve business improvements by implementing a QMS? If you include this in your stated objectives, and everyone “buys into” the program, then you will build procedures that deliver business improvements rather than just being regulatory overhead.
  5. Do you have real buy-in from your CEO? You may have buy-in for certification, but if you don’t already have a regulated QMS, does she or he fully understand the cultural change that he or she must lead? If not, make this one of your unwritten objectives and keep it in mind.
  6. Do you have organizational buy-in?  Ensure that it is clear who owns each process and that those process owners have the ultimate responsibility for the compliance of their process and ownership of documentation that is created for those processes. Keep the project progress visible. Develop a communication plan with its objectives and targets, even if your organization is small.
  7. Do you want to align with other systems? If you already have a QMS, you will want to integrate ISO 13485 compliance. Do you also need to implement ISO 14971, the risk management standard? Since you will be doing this much work on your QMS, maybe you could take the opportunity to align it with your health and safety or environmental management systems.

Timeframes and Trade-offs

How long it takes to implement ISO 13485 will be covered in another blog soon.  Six months is a workable rule of thumb.

So what do you do if you don’t have that long and must meet a pressing deadline?  Or you don’t have the resources available to implement as well as you want in the time available?  Compromises must be made, and now it’s necessary to set short-term and long-term objectives.

6 Considerations in Shaping Your ISO 13485 Standard Implementation Objectives

If you are constrained from structuring the implementation project ideally, the following considerations will assist you in shaping your objectives:

  1. Get a qualified consultant who understands your business. If you have a large company, find someone who spends more of their time working with corporates, and vice versa for a small company.
  2. Throw perfectionism out the window. The goal is not perfect procedures. The essence of a Quality System is documentation to explain the intent, records to capture reality, internal auditing and monitoring to identify the gaps, and CAPA to improve and maintain effectiveness. The Deming Plan-Do-Check-Act cycle assumes that you are never perfect.
  3. Accept that you then have another round of work to do to improve procedures.
  4. Organizational buy-in is even more critical. Be very careful about setting expectations. Adjusting to the extra requirements of a regulated QMS is already tricky. In these circumstances, you may be asking people to live with procedures that are not as usable as they would like.
  5. Be especially careful to ensure that the auditor can tick off all the essential points and find how you have fulfilled the requirements without hunting too hard. All the required procedures and records must be in place. It’s more important to address 100% of the requirements than to perfect 80% and skip the last 20%.
  6. Accept that nonconformities may have to be dealt with after the certification audit. Set the organizational expectation around this and build time for it into your schedule. Ask your certification body early to tell you the timeframe for dealing with nonconformities.

Setting Expectations

Objectives need to be communicated clearly to everyone in the organization. For a project (and many other things in life),

Satisfaction (or Disappointment) = Actual Result – Expectation

The certification audit is not the end. You will still need people to align their efforts to make the implementation succeed after the pressure and obvious deadline of the certification audit has passed.  Setting their expectations appropriately early in the project is essential to keeping their (and your) motivation going. This is especially important if you are building your QMS, short on time or resources, and therefore, know that you need to do a lot of work in the year following certification to develop improved workable procedures and generate a recorded history of compliance.

 

This blog is part of a series of blogs that leads up to our Roadmap to ISO 13485 Certification Courses.
