Filter posts by category

ISO 13485

This sub-category is dedicated to articles about the new version of ISO 13485:201x that is expected to be published at the end of this year or Q1 2016.

A 6 Step Approach if You Disagree With a Notified Body Auditor

2 Comments / ISO 13485 / By / ,

My first certification audit experience is discussed and review six different approaches to take if you disagree with a notified body auditor.

My first certification audit ever didn’t go so well. It didn’t go well because the auditor wrote nonconformities that my boss and our regulatory consultant disagreed with. At the time, I was too inexperienced to know how to handle it. My boss and the consultant, however, totally lost it. I’ve never seen veins that big in someone’s forehead–even in cartoons.

I asked them both to leave the room because I feared to “push back” on the auditor. Many Management Representatives feel like I did during that initial certification audit. The best way to summarize our concerns is with the following picture:

kodiak A 6 Step Approach if You Disagree With a Notified Body Auditor

Recently, another LinkedIn group member emailed me to say that they have seen several auditors for registrars identifying nonconformities that represented their personal opinions rather than specific requirements of the Standard. For example, there is a requirement to assign and document management responsibilities, but there is no requirement to have an organizational chart.

Another common mistake is when auditors insist that a company must create a turtle diagram for every single process. I support using turtle diagrams 100%, but the only requirement in the Standard is to use the process approach–not specifically turtle diagrams.

My favorite is my own personal mistake. I wrote a nonconformity for not having a process for implant registration cards for a company planning to ship a high-risk implant product to Canada. There is a requirement for implant registry cards, but I forgot that Canada defines “implants” in this case as only a very short list of implant devices–not implants in general.

Auditors are human. These are audit findings–not a jail sentence. Everyone needs to remember that the worst that can happen is that you receive a nonconformity. If the auditor finds a nonconformity, you must develop a CAPA plan. If the auditor finds nothing, you still need to do your own internal audits to identify non-conformities and continuously improve processes.

What Should You Do When an Auditor is Wrong?

I recommend you “push back,” but you need know-how. Many consultants suggest saying, “Can you show me in the Standard where it says I have to do that?” That’s just like poking a bear. If you do it once, it isn’t very pleasant. If you do it multiple times, an auditor might just eat you.

One Management Representative did that to me after I took the time to review the requirements with him. I responded by holding the ISO 13485 Standard in front of him and reciting clause 7.3.2. He replied, “Well, that’s up for interpretation.” I offered to recite the ISO 14969 guidance document for him, but his boss told him to shut up.

This certainly wasn’t the only time a client pushed back during a registration audit, but other clients have had the sense to argue about things they understood.

One of the clients I audited said he would change the topic to the auditor’s favorite sports team. That’s one approach. I’m sure that more than one client has taken the approach of asking me to explain where they can learn about best practices. I’m sure that they were somewhat successful. Another approach is to slide the lunch menu in front of them; I have only met one auditor who would not be distracted by a lunch menu.

6-Step Approach When You Disagree With an Auditor

1. Shut up and look it up (before you open your mouth, grab the applicable external Standard and locate the information you are looking for).

2. If you are still convinced that the auditor is wrong, then tell that you are having trouble finding the requirement. Show them where you are looking, and then ask them to help you find the requirement.

3. If the auditor can’t show you where you are wrong, or it appears that the auditor is interpreting the Standard as they see fit, then focus on asking the auditor for guidance on what they will be looking for in your CAPA plan.

4. If the CAPA plan the auditor is looking for is something you think is a good idea, then shut up and implement the improvements. If the CAPA plan is not acceptable to you, then you should ask what the process is for resolving disputes.

5. No matter what, don’t start an argument with the registrar. They enjoy it. They like a challenge and resent people who have less experience criticizing them.

6. If you still disagree with your auditor, then you should ask if the auditor can explain the process for appealing findings and follow that process.

A 6 Step Approach if You Disagree With a Notified Body Auditor Read More »

3 Tools for Effectively Qualifying Suppliers

4 Comments / ISO 13485 / By / ,

%name 3 Tools for Effectively Qualifying Suppliers
Do you have the right tools to qualify your suppliers?


For every task, you have a choice of tools that you can use. Are you using the correct tools to qualify your suppliers? 

This blog reviews how to utilize statistical process control, process validation, and supplier auditing to qualify suppliers effectively.
Only qualified suppliers would be approved if you could afford to audition suppliers against hundreds of other competitors for a few months. Unfortunately, you don’t have the same budget as American Idol. So what should you do instead?

Most companies use the same three tired tools to qualify suppliers: ISO Certification, Quality Manuals, and questionnaires. ISO certification is a weak tool because certification is only as good as the registrar’s worst client. Quality Manuals are intended to define the intent of your supplier’s Quality Management System, while most of the details are located in procedures. You only need a copy of your supplier’s Quality Manual to help you plan audits. Supplier questionnaires seem to be the most popular tool, but most questions require a “Yes/No” response that suppliers rarely answer negatively. To assess the qualifications of potential suppliers more effectively, try using the following tools instead:

Tool # 1: Statistical Process Control

Most companies require a Certificate of Compliance (CoC) with every shipment. A CoC is useless. Like the “Yes/No” questionnaire responses, you will never see a CoC that indicates something is wrong. A Certificate of Analysis (CoA) is much more helpful because the CoA has actual data, and the tolerance range is typically indicated for each test or measurement the supplier performed. The best report you can get from a supplier is a statistical analysis of each specification during the prototype production lot. When you have a Statistical Process Control (SPC) run chart, you know quantitatively if the supplier can make an acceptable product. The run chart can also be used to develop an appropriate sampling plan for incoming inspection.

Tool # 2: Process Validation

Process validation is much more than determining if a process is capable of producing a consistent product. An SPC run chart can do that. Process validation tells you what range of operating parameters will create a consistent product. Therefore, when you have process deviations or measurement devices that are slightly out-of-calibration, you will know if your supplier’s process will still make an acceptable product. The validation of a process should also identify which variables are critical indicators of the process. This information can be used to reduce the number of variables and specifications that are monitored for a production process and focus both your supplier’s resources and your own.

Tool # 3: Supplier Auditing

A multi-disciplinary team audit of a potential supplier is an effective tool for assessing a supplier’s qualifications. It will help build a stronger relationship between your team and the supplier’s team. Before you conduct an audit, it is important to plan the audit to ensure you get the most significant possible value. The following recommendations are essential to supplier auditing:

  1. Use a risk-based approach to auditing suppliers (this goes beyond just critical and non-critical)
  1. Strategically select auditors and train them well
  2. Plan the auditing goals and objectives for the team in advance
  3. Create a formal audit agenda that defines which processes each auditor will be focusing on

Auditing 100% of your critical suppliers may seem impossible due to limited resources, but have you ever seen a cost/benefit analysis?

What’s the cost of rejects, rework, and product redesign?

Supplier Quality Management Webinars Available 

Are your Suppliers Qualified? Prove It! 

http://robertpackard.wpengine.com/suppliers-qualified-prove/

Supplier Auditing and Remote Auditing: Tips to Save You Time and Money 

http://robertpackard.wpengine.com/supplier-auditing-and-remote-auditing-tips-save-time-money/

 

 

3 Tools for Effectively Qualifying Suppliers Read More »

Quality Management System Information Sources

3 Comments / ISO 13485 / By /

This blog reviews a number of quality management system information sources.

A blog follower from Jon Speer’s website, Creo Quality, recently sent me a message asking for information sources on  Quality Management System (QMS) subject matter.

The single best guidance document on the implementation of a QMS system in accordance with ISO 13485 is “13485 Plus” (type in the words in quotes to the CSA Group search engine).

There are also a bunch of pocket guides you can purchase for either ISO 9001 or ISO 13485 to help you quickly access information you are having trouble remembering. One of my lead auditor students recommended one pocket guide in particular and she was kind enough to give me her copy.

There are some webinars out there that provide an overview of QMS Standards. Some are free and some have a modest fee. I’m not sure of the value for these basic overview webinars, but if you need to train a group, it’s a great solution. I know BSI has several webinars that are recorded for this purpose.

AAMI has an excellent course on the Quality System Regulations (QSR) which combines 21 CFR 820 and ISO 13485.

There are a number of blogs I recommend on my website.

You can try to identify a local mentor–either in your own company, or at your local ASQ Section.

You can join the following LinkedIn subgroup: Medical Device: QA/RA. You will need to become a member of the parent group (Medical Device Group)–if you are not already one of the 140,000+ members connected with Joe Hage. George Marcel and I manage this subgroup for Joe.

You can visit the Elsmar Cove website and participate in the discussions you find there. I wrote a blog about Elsmar Cove a while back (wow almost 2 years ago now).

The best way to learn this stuff is to do all of the above.

Quality Management System Information Sources Read More »

Wiki Document Control

3 Comments / ISO 13485 / By / ,

The author read an article about Wiki document control, and he shares a “genius idea that is coming of age.”

Wiki Document Control

Procedures can constantly be improved, but our goal is to make better products—not better procedures. So, what could be so exciting about document control that I feel compelled to write another post about “blah, blah, blah?” I read an article about using Wiki for document control. A Wiki is a collaborative environment where anyone can add, delete, and edit content. All changes are saved, and Wiki can be controlled—while simultaneously being available to everyone. The most famous of all Wiki is Wikipedia. In 2009, Francisco Castaño (a.k.a. – Pancho) began a discussion thread to explain how his company used Wiki to manage its documentation system. Last month, ASQ published an update on the status of Pancho’s Wiki process for document control. Depending upon how you implement a Wiki and what software tools you use, it might be a virtual quality system or an eQMS.

Writing Procedures

The process owner writes procedures in most companies, and other people rarely comment on minor errors. In the most dysfunctional companies, the Quality Department writes the procedures for the rest of the company or outsources them to consultants. Reviewing and editing procedures should be the responsibility of everyone in the company. Still, I never considered the possibility of having everyone within the company edit procedures simultaneously—until I saw Pancho’s thread. Throughout the discussion, others have indicated that they also tried using Wiki to optimize content. This is a genius idea that is coming of age.

Many QMS consultants, including myself, have written procedures for clients. Sometimes, this is part of the consulting business model. In these cases, the consultant writes a procedure once and edits it forever—while getting paid a modest fee each time a client asks for a “new” procedure. I often think that it would make more sense to do something like Linux developers have done—use the collaboration of QMS experts around the world to create a general procedure that is free to everyone. This is possible using Wiki’s that are publicly available.

Very soon (hopefully in 2013), the responsibilities section of our procedures will fundamentally change. Instead of reading and understanding, everyone will be responsible for writing and editing (oh no, I’ll have to create a new learning pyramid).

Quality will no longer be responsible for writing procedures. Instead, the quality function can focus on monitoring, measuring, data analysis, and improving processes and products. The downside is that we will need less personnel in document control.

If you want to learn more about Wiki for document control, follow this thread on Elsmar Cove. It’s rich in content, and even the moderators have been forced to rethink their preconceptions.

You should also read two articles by Pancho:

  1. Using a Wiki for Document Control
  2. Using a Wiki to Implement a Quality Management System

Wiki Document Control Read More »

Best In Class Process Validation Program

Leave a Comment / ISO 13485 / By /

This blog reviews a best in class CNC machining process validation program. Our author writes, “In general, the best approach is a risk-based approach.”

The original question from a former client was: “What does a best in class CNC machining process validation program look like?” Although I intend to answer this question, I know a few other clients that have done a great job of this. Hopefully, they will add their own opinions as a comment. Therefore, I am expanding the scope of this question to validation in general.

Process Validation

The problem with validation is that you can always do a more thorough validation. Only in the cases of processes, such as sterilization, do we have ISO Standards that tell us what is required. Otherwise, we are usually the experts, and we have to use our judgment as to what is necessary. In general, the best approach is a risk-based approach.

For each design specification established for a component, we also need to identify what process risks are associated with failure to meet the specification. Most companies perform a process Failure Modes and Effects Analysis (pFMEA). This risk analysis has three quantitative components: 1) severity of the failure’s effect, 2) probability of occurrence, and 3) detectability. The first factor, severity, is based upon the intended use of the device and how that component failure impacts that use. Usually, it is important to have a medical professional involved in this portion of the estimation.

The second factor, probability, is typically quantified during process validation activities. One company I audited developed a ranking scale for the probability that was linked directly to the CpK of the process. Higher CpK values received lower scores because the process was less likely to result in an out-of-specification component. Another company I worked for used a six-point logarithmic scale (i.e., – 10e-6 = 1, 10e-5 = 2, 10e-4 = 3, 10e-3 = 4, 10e-2 = 5, and 10e-1 = 6). This logarithmic scale was based on sterilization validation, where a sterility assurance level of 10e-6 is considered “validated.”

The third factor, detectability, is best estimated by using a quantitative scale that is based upon a gauge R&R study or some other method of inspection method validation.

Most companies struggle with the determination of what is acceptable for design risk analysis. However, for process risk analysis, it is usually much easier to quantify the acceptable risk level.

Corrective Action

Once you have determined that a process is not acceptable at the current residual risk level, then you must take corrective actions to reduce the risk. The first step to achieve this should be to review the process flow. There are critical control points that can be identified in the process flow. One of those places is at the end of the process at the inspection step in the process.

The inspection step in the process flow affects the detectability of defects. For many automated processes, such as CNC machining, it is not reasonable to perform 100% inspection. Therefore, these processes require validation. Most engineers make the mistake of trying to validate every dimension that is machined. However, only some of the aspects result in device failures. These are the dimensions that are critical to validate. The best practice is to calculate the process capability for meeting each of these critical specifications (i.e., – CpK). A minimum threshold should be established for the CpK (refer back to the process risk analysis for ideas on linking CpK to risk acceptance). Any CpK values below the threshold require a more consistent process. These are the component specifications that should be the focus of process validation efforts.

During a process validation, it is often advisable to perform a Design Of Experiment (DOE) in order to quantify the effects of each process variable. Typically a DOE will evaluate the impact on CpK for each variable at a high, low, and middle value, while other variables are maintained at nominal values. Any variables that appear to have a significant impact on the CpK are candidates for performing an Operational Qualification (OQ). For a machining process, this could include spindle speeds, feed rates, and material hardness. If variation of the variable has little or no impact upon the CpK, then there is probably little benefit to the inclusion of this variable in an OQ.

The output of an OQ validation should be high and low limits for each process variable that will result in a “good” part. Performance Qualification (PQ) validation is the final step of process validation. In the PQ, most companies will conduct three repeat lots at nominal values for the variables. If the OQ is designed well, there is often little added value in the PQ. Therefore, the sample size is typically three lots of 10 samples each. If the OQ validation does not clearly identify safe operating limits for the variables, or the process has the marginal capability (i.e., – a low CpK), then the OQ should be repeated, and an additional DOE may be needed.

Information Resources

Here are a few information resources for those of you that are in “Deviceland”

  1. Guidelines for the Validation of Chemical Methods for the FDA Foods Program (3/22/2012) – http://www.fda.gov/downloads/ScienceResearch/FieldScience/UCM298730.pdf
  2. Process Validation: General Principles and Practices (January 2011) –  http://www.fda.gov/downloads/Drugs/…/Guidances/UCM070336.pdf
  3. Guidelines for the Validation of Analytical Methods for the Detection of Microbial Pathogens in Foods (9/8/2011) –  http://www.fda.gov/downloads/ScienceResearch/FieldScience/UCM273418.pdf
  4.  CPG Sec. 490.100 Process Validation Requirements for Drug Products and Active Pharmaceutical Ingredients Subject to Pre-Market Approval (3/12/2004) –  http://www.fda.gov/ICECI/ComplianceManuals/CompliancePolicyGuidanceManual/ucm074411.htm?utm_campaign=Google2&utm_source=fdaSearch&utm_medium=website&utm_term=validation&utm_content=3
  5. Q2 (R1) Validation of analytical procedures: text and methodology (June 1995)http://www.ema.europa.eu/ema/index.jsp?curl=pages/regulation/general/general_content_000431.jsp&mid=WC0b01ac0580029593&jsenabled=true

Best In Class Process Validation Program Read More »

Scroll to Top