Blog

Archive for ISO Certification

How to get ISO 13485 certified, time for success?

In this article, you will learn how to get ISO 13485 certified, and you will be successful while avoiding the stress that tortures other quality managers.

ISO 13485 Certified How to get ISO 13485 certified, time for success?

There is a big difference between being ISO 13485 certified and being compliant with ISO 13485:2016, the medical devices quality management systems standard. Anyone can claim compliance with the standard. Certification, however, requires that an accredited certification body has followed the requirements of ISO 17021:2015, and they have verified that your quality system is compliant with the standard. To maintain that certification, you must maintain your quality system’s effectiveness and endure both annual surveillance audits and a re-certification audit once every three years.

Step 1 – Planning for ISO 13485 certification

There are six steps in the ISO 13485 certification process, but that does not mean there are only six tasks. The first step in every quality system is planning. Most people refer to the Deming Cycle or Plan-Do-Check-Act (PDCA) Cycle when they describe how to implement a quality system. However, when you are implementing a full quality system, you need to break the “doing” part of the PDCA cycle into many small tasks rather than one big task. You also can’t implement a quality system alone. Quality systems are not the responsibility of the quality manager alone. Implementing a quality system is the responsibility of everyone in top management.

Below you will find seven tasks listed. I did NOT identify these nine tasks as “Steps” in the ISO 13485 certification process, because these tasks are typically repeated for each process in your quality system. Most quality systems are implemented over time, and the scope of the quality system usually grows. Therefore, you are almost certain to have to perform all of the following nine tasks multiple times–even after you receive the initial ISO 13485 certification. As the saying goes, “How do you eat an elephant? One bite at a time.” Therefore, avoid the inevitable heartburn caused by trying to do too much at one time. Implement your quality system one “bite” at a time.

Task 1 – Purchase applicable standards

The first task in implementing an ISO 13485 quality system is to purchase a copy of the ISO 13485:2016 standard, such as the MDSAP Companion Document. You will also need other applicable medical device standards. Some of these standards are general standards that apply to most, if not all, medical devices, such as ISO 14971:2019 for risk management. There are also guidance documents that explain how to use these general standards, such as ISO/TR 24971:2020, guidance on how to apply ISO 14971:2019. Finally, there are testing standards that identify testing methods and acceptance criteria for things such as biocompatibility and electrical safety. You will need to monitor these standards for new and revised versions. When these standards are updated, you will need to identify the revised standard and develop a plan for addressing the changes.

When you purchase a standard, be sure to buy an electronic version of the standard so you can search the standard for keywords efficiently. You should also consider purchasing a multi-user license for the standard because every manager in your company will need to look-up information in the standard. Alternatively, you could buy a paper copy of the standard and locate the standard where everyone in your company can access it. Often I am asked what the difference is between the EN version of the standard and the ISO version of the standard. “EN” is an abbreviation meaning European Standards or “European Norms,” which is based upon the literal translation from the French (i.e., “normes”) and German (i.e. “norm”) languages. “ISO” versions are international standards. In general, the body of the standard is typically identical, but harmonized EN standards for medical devices include annexes ZA, ZB, and ZC that identify any deviations from the requirements in three medical device directives (i.e., MDD, AIMD, and IVDD).

Task 2 – Identify which processes are applicable

Clause 1 of ISO 13485 is specific to the scope of a quality system. ISO 9001, the general quality system standard, allows you to “exclude” any clause from your quality system certification. However, ISO 13485 will only allow you to exclude design controls (i.e., clause 7.3). Other clauses within ISO 13485 may be identified as “non-applicable” based upon the nature of your medical device or service. You must also document the reason for non-applicability in your quality manual. Typically, the following clauses are common clauses identified for non-applicability:

  1. Clause 4.1.6 – quality system software
  2. Clause 6.4 – work environment
  3. Clause 7.5.2 – cleanliness of the product
  4. Clause 7.5.3 – installation
  5. Clause 7.5.4 – servicing
  6. Clause 7.5.5 – sterile devices
  7. Clause 7.5.6 – process validation
  8. Clause 7.5.7 – sterilization validation
  9. Clause 7.5.9.2 – implantable devices
  10. Clause 7.5.10 – customer property
  11. Clause 8.3.4 – rework

Task 3 – Assign a process owner to each process 

The third task is to assign a process owner to each of the processes in your quality system. Typically, you create a master list of each of the required processes. Usually, the assignments are made to managers in the company who may delegate some or all of a specific process. You should expect most managers to be responsible for more than one process because there are 28 required procedures in ISO 13485:2016, but most companies have fewer than ten people when they first implement a quality system.

Task 4 – Prioritize and schedule the implementation of each process

The fourth task is to identify which processes need to be created first and to schedule the implementation of procedures from first to last. You can and should build flexibility into the schedule, but some procedures are needed at the beginning. For example, you need document control, record control, and training processes to manage all of your other procedures. You also need to implement the following processes to document your Design History File (DHF): 1) design controls, 2) risk management, 3) software development (if applicable), and 4) usability. Therefore, these represent the seven procedures that most companies will implement as early as possible. Procedures such as complaint handling, medical device reporting, and advisory notice procedures are usually reserved for last. These procedures are last because they are not needed until you have a medical device in use.

Task 5 – Create forms, flowcharts, and procedures for each process

Forms create the structure for records in your quality system, and a well-designed form can reduce the need for lengthy explanations in a procedure or work instruction. Therefore, you should consider developing forms first. The form should include all required information that is specified in the applicable standard or regulations, and the cells for that information should be presented in the order that the requirements are listed in the standard. You might even consider numbering the cells of the form to provide an easy cross-reference to the corresponding section of the procedure. Once you create a form, you might consider creating a flowchart next. Flowcharts provide a visual representation of the process. You might consider included numbers in the flow chart that cross-reference to the form as well.

Once you have created a form and a flowchart, you are now ready to write your quality system procedure. Many sections are typically included in a procedure template. It is recommended that you use a template to ensure that none of the basic elements of a procedure are omitted. You might also consider adding two sections that are uncommon to a procedure: 1) risk analysis of the procedure with the identification of risk controls to prevent risks associated with the procedure, and 2) a section for monitoring and measurement of the process to objectively measure the effectiveness of the process. These metrics are the best sources of preventive actions, and some of the metrics might be potential quality objectives to be identified by top management. 

Task 6 – Perform a gap analysis of each procedure

Most companies rely upon internal audits to catch and missing elements in their procedures. However, audits are intended to be a sampling rather than a 100% comprehensive assessment. Therefore, when a draft procedure is being reviewed and approved for the first time, or a major re-write of a procedure is conducted, a thorough gap analysis should be done before the approval of the draft procedure. Matthew Walker created an article explaining how to conduct a gap analysis of procedures. In addition, Matthew has been gradually adding cross-references to ISO 13485:2016 requirements in each procedure. He is color-coding the cross-referenced clauses in blue font as well. This makes it much easier for auditors to verify that a procedure is compliant with the regulations with minimal effort. The success of these two methods has taught us the importance of conducting a gap analysis of all new procedures.

Task 7 – Train applicable personnel for each process 

You are required to document the training requirements for each person or each job in your company. Documentation of training requirements may be in a job description or within a procedure. In addition to defining who should be trained, you also need to identify what type of training should be provided. We recommend recording your training to ensure that new future employees receive the same training. This will ensure consistency. You are also required to maintain records of the training. You must verify that training was effective, and you need to check the person is competent in performing the tasks. This training may require days or weeks to complete. Therefore, you may want to start training people several weeks before your procedure is approved. Alternatively, you can swap the order of tasks and conduct training after the procedure approval. If that approach is taken, then the procedure should indicate the date the procedure becomes effective–typical 30 days after approval to allow time for training.

Task 8 – Approve the procedure 

Approval of a procedure may be accomplished by signing and dating the procedure itself, while another approach is to create a document that lists all the procedures and forms being approved at one time. The second method is the method we use in our turn-key quality system. Companies can review and approve as many procedures at one time as they wish. Since this process needs to be defined to ensure that all of the procedures you implement are approved, the document control process is typically the first procedure that companies will approve in a new quality system. The second procedure generally is for control of records. Then the next procedures implemented will typically be focused on the documentation of design controls: design controls, risk management, usability testing, and software development. The last procedures to be approved are typically complaint handling, medical device reporting, and recalls. These procedures are left for last because you don’t need them until you are selling your medical device.

Task 9 – Start using the procedure and generating records

The last task required for the implementation of a new quality system is to start using the procedures to generate records. All of the procedures will need records before the process can be verified to be effective. Records can be paper-based, or the records can be electronic. Whichever format you use for the record retention needs to be communicated to everyone in the company through your Control of Records procedure and/or within each procedure. If you include the information in each procedure, the records of each procedure should be listed in the procedure, and the location where those records are stored should be identified. Generally, there is no specific minimum number of records to have for a certification audit, but you should have at least a few records for each process that you implement.

Step 2 – Conducting your first internal audit

The purpose of the internal audit is to verify the effectiveness of the quality system and to identify nonconformities before the certification body auditor finds them. To successfully achieve this secondary objective, it is essential to have a more rigorous internal audit than you expect for the certification audit. Therefore, the internal audit should be of equal duration or longer in duration than the certification audit. The internal audit should not consist of a desktop review of procedures. Reviewing procedures should be part of gap analysis (i.e., task 6 above) that is conducted on draft procedures before they are approved. Internal audits should utilize the process approach to auditing, and the auditor should apply a risk-based approach (i.e., focus on those processes that are most likely to contribute to the nonconforming products, result in a complaint, or cause severe injuries and death).

After your internal audit, you will receive an internal audit report from the auditor. You should also expect findings from the internal auditor, and you should expect opportunities for improvement (OFI) to be identified. Experienced auditors can typically identify the root cause of a nonconformity more quickly than most process owners. Therefore, it is recommended for each process owner and subject matter expert to review nonconformities with the auditor and discuss how the nonconformity should be investigated. The root cause must be correctly identified during the CAPA process, and the effectiveness check must be objective to ensure that problems do not recur.

Step 3 – Initiating corrective actions

Corrective actions should be initiated for each internal audit finding immediately, to make sure the findings are corrected and prevented from repeat occurrence before the Stage 1 audit. It will take a minimum of 30 days to implement the most corrective actions. Depending upon the scheduling of the internal audit, there may not be sufficient time to complete the corrective actions. However, you should at least initiate a CAPA for each finding, perform an investigation of the root-cause, and begin to implement corrective actions.

Also, to taking corrective actions related to internal audit findings, you should look for internal audits from other sources. The diagram below shows several different sources of potential corrective and preventive actions.

Risk based CAPA Process Diagram How to get ISO 13485 certified, time for success?

Monitoring and measuring of each process is the best source of preventive actions, while internal audits are typically the best source of corrective actions.  Any quality problems identified during validation are also excellent sources of corrective actions because the validation can be repeated as a method of demonstrating that the corrective actions are effective. However, your ISO 13485 certification auditor will focus on non-conforming products, complaints, and service as the most critical sources of corrective actions. These three sources are prioritized because these three sources have the greatest potential for resulting in a serious injury, death, or recall if corrective actions are not implemented to prevent problems from recurring.

Step 4 – Conducting your first management review 

In addition to completing a full quality system audit before your stage 1 audit, you are also expected to complete at least one management review. To make sure that you have inputs for each of the 12 requirements in the ISO 13485:2016 standard, it is recommended to conduct your management review only after you have completed your full quality system audit and initiated some corrective actions. If possible, you should also conduct supplier audits for any contract manufacturers or contract sterilizers. It is recommended to use a template for that management review that is organized in the order of the required inputs to ensure that none of the necessary inputs are skipped. Quality objectives will need to be established long before the management review so that the top management team has sufficient time to gather data regarding each of the quality objectives. Also, you should consider delegating the responsibility for creating the various slides for each input to different members of top management. This will ensure that everyone invited to the meeting is engaged in the process, and it will spread the workload for meeting preparation across multiple people.

At the end of the meeting, top management will need to create a list of action items to be completed before the next management review meeting. Meeting minutes will need to be documented for the meeting, including the list of action items and each of the four required outputs of the management review process. We recommend using the notes section of a presentation slide deck to document the meeting minutes related to each slide. Then the slide deck can be converted into notes pages and saved as a PDF. The PDF notes pages will be your final meeting minutes for the management review. An example of one of these notes pages is provided in the figure below.

Print PDF of Meeting Minutes Notes Page Example How to get ISO 13485 certified, time for success?

One of the more common non-value-added findings by auditors is when an auditor issues a nonconformity because you do not have your next internal audit and your next management review scheduled–even though each may have occurred only a month prior to the Stage 1 audit. Therefore, we recommend that you document your next 12-month cycle for internal audits and schedule your next management review as action items in every management review meeting. The schedule can be adjusted if needed, but this allows top management to emphasize various areas in internal audits that may need improvement. You might even set a quality objective to conduct a minimum of three management reviews per year at the end of your first management review.

Step 5 – Stage 1, Initial ISO 13485 Certification Audit

In 2006, the ISO 17021 Standard was introduced for assessing certification bodies. This is the standard that defines how certification bodies shall go about conducting your initial certification audit, annual surveillance of your quality system, and the re-certification of your quality system. In the past, certification bodies would typically conduct a “desktop” audit of your company before the on-site visit to make sure that you have all the required procedures. However, ISO 17021 requires that certification bodies conduct a Stage 1 audit that assesses the readiness of your company before conducting a Stage 2 audit. Therefore, even if the Stage 1 audit is conducted remotely, the certification body is expected to interview process owners and sample records to verify that the quality system has been implemented. Certification body auditors will also typically verify that your company has conducted a full quality system audit and at least one management review. Finally, the auditor will usually select a process such as corrective action and preventive action (CAPA) to make sure that you are identifying problems with the quality system and taking appropriate measures to address those problems.

Your goal for the Stage 1 audit should not be perfection. Instead, your focus is to make sure that there are no “major” nonconformities. The term “major” used to have a specific definition:

  1. Absence of a documented procedure or process
  2. Release of nonconforming product
  3. Repeat nonconformities (not possible during a Stage 1)

Under the MDSAP, the grading system for nonconformities now uses a numbering system for grading of nonconformities: “Nonconformity Grading System for Regulatory Purposes and Information Exchange Study Group 3 Final Document GHTF/SG3/N19:2012.” Any nonconformity is graded on a scale of one to four, and then two potential escalation rules are applied. If any nonconformities are graded as a four or a 5, then the auditor must assess whether a five-day notice to Regulatory Authorities is required. A five-day notice is required for in either of the following situations: 1) one or more finding grading of “5”; or 2) three or more findings graded as “4.” If your Stage 1 audit results in a five-day notice, then you are not ready for your Stage 2 audit. For example, a complete absence of two required procedures in clauses 6.4 through 8.5 of ISO 13485:2016 would result in two findings with a grading of “4.” This would not result in a five-day notice, but the absence of a third required procedure would result in a five-day notice.

The duration of your Stage 1 audit will be one or two days, but a 1.5-day audit is quite common for MDSAP Stage 1 audits. The reason for the 1.5-day Stage 1 audit is that it is challenging to assess readiness for Stage 2 in one day, and if the total duration of Stage 1 and Stage 2 is 5.5 days, then the Stage 2 audit could be completed in four days. The four-day audit is more convenient than a three-day audit for a two-person audit team.

After your Stage 1 audit, you will receive an audit report, and you should expect findings. You should initiate corrective actions for each finding immediately, to make sure the findings are corrected and prevented from repeat occurrence before the Stage 2 audit. The duration between the audits is typically about 4-6 weeks. That does not leave much time for you to initiate a CAPA, perform an investigation of the root-cause, and implement corrective action. At a minimum, you must submit a corrective action plan for each finding to your MDSAP auditing organization (AO) within 15 calendar days of receiving the finding. For any findings graded as a “4” or higher, you will need to provide evidence of implementing the corrective action plan to the AO with 30 calendar days of receiving the finding. You are also unlikely to have enough time to conduct an effectiveness check prior to the Stage 2 audit.

Step 6 – Stage 2, Initial ISO 13485 Certification Audit

The Stage 2 initial ISO 13485 certification audit will verify that all regulatory requirements have been met for any market you plan to distribute in. The auditor will complete an MDSAP checklist that includes all of the regulatory requirements for each of the countries that recognize MDSAP: 1) the USA, 2) Canada, 3) Brazil, 4) Austria, and 5) Japan. The auditor will also sample records from every process in your quality system to verify that the procedures and processes are fully implemented. This audit will typically be at least four days in duration unless multiple auditors are working in an audit team.

The audit objectives for the Stage 2 ISO 13485 certification audit specifically include evaluating the effectiveness of your quality system in the following areas:

  1. Applicable regulatory requirements
  2. Product and process-related technologies
  3. Technical documentation

All procedures will be reviewed for compliance with ISO 13485:2016 and the applicable regulations. The auditor will also sample records from each process. If the auditor identifies any nonconformities during the audit, it is important to record the findings and begin planning corrective actions immediately. If you have any questions regarding the expectations for the investigation of the root-cause, corrections, corrective actions, and effectiveness checks, you should ask the auditor during the audit or the closing meeting. At a minimum, you must submit a corrective action plan for each finding to your MDSAP auditing organization (AO) within 15 calendar days of receiving the finding. For any findings graded as a “4” or higher, you will need to provide evidence of implementing the corrective action plan to the AO with 30 calendar days of receiving the finding. The auditor will not be able to recommend you for ISO 13485 certification until your corrective action plans are accepted.

If you receive a finding with a grading of “5,” or three or more findings graded as “4,” then the MDSAP auditor is required to issue a five-day notification to the regulators. The auditor will also need to return to your facility for a follow-up audit to close as many findings as they can. It is not necessary to eliminate all of the findings in order to be recommended for ISO 13485 certification, but the grading of the findings must be reduced to at least a “3” before recommending the company for certification. The number of findings also determines whether the auditor recommends your company for certification.

In addition to reviewing the findings and conclusions of the audit during the closing meeting, the auditor will also review the plan for the annual surveillance and re-certification with you. Each certification cycle is three years in duration. There will be two surveillance audits of approximately one-third the duration of the combined duration of stage 1 and stage 2 initial certification audits, and the first surveillance audit must be completed within 12 months of the initial certification audit. In the third year, there will be a re-certification audit for two-thirds of the duration of the combined duration of stage 1 and stage 2 initial certification audits. The initial ISO 13485 certificate will be issued with a three-year expiration, and the certificate is typically received about one month after the acceptance of your corrective action plan.

Other resources related to ISO 13485 certification:

Posted in: ISO Certification

Leave a Comment (0) →

Purchasing Controls and Supplier Qualification

This article identifies the requirements for purchasing controls and supplier qualification procedures, as well as best practices for implementation.

Purchasing Controls

Sourcing suppliers in the medical device industry is not as simple as going on the internet and finding your material and purchasing it. As part of a compliant quality management system, purchasing controls must be in place to ensure that quality products and materials are going into your device and that any service providers that your company uses in the production of your product or within your quality management system are qualified.

ISO 13485 Requirements

In light of that, ISO 13485:2016 sections 7.4.1 Purchasing process, 7.4.2 Purchasing information, and section 7.4.3 Verification of purchased product outline the purchasing requirements. The following are requirements for the evaluation and selection of suppliers:

  • The organization must have established criteria for the evaluation and selection of suppliers.
  • The criteria need to evaluate the supplier’s ability to provide a product that meets the requirements.
  • It needs to take into consideration the performance of the supplier.
  • It must consider the criticality and the effect that the purchased product may have on the quality of the medical device.
  • The level of supplier assessment and monitoring should be proportionate to the level of risk associated with the medical device.

Maintaining Purchasing Controls

To start, in the most basic sense, purchasing controls involve procedures that ensure you are only purchasing from suppliers who can meet your specifications and requirements. The best way to keep track of your qualified suppliers is to maintain an Approved Supplier List (ASL). You should only purchase products or services that affect your product or quality management system from companies on the ASL (you would not necessarily need to qualify things like office supplies or legal assistance through purchasing controls).

When used effectively, the Approved Supplier List can be a great tool to manage the key facets of purchasing control and keep track of supplier monitoring. Items that you can capture on the ASL include:

  • Supplier Name
  • Scope of Approved Supplies
  • Contact Information
  • Status of Approval (Approved, Pending, Unapproved, etc.)
  • Qualification Criteria
  • Supplier Certification and expiry dates
  • Monitoring Requirements/Activities
    • Date of Last Review
    • Date of Next Review

The first step in your purchasing procedure should involve checking to see if the supplier is under active approved status on the ASL. The second step will be to ensure that you are purchasing an item/service that is within the scope of approval of that supplier. If you have not approved the supplier, or the intended purchase is beyond the scope of that supplier, your purchaser will need to go through the necessary channels to add the supplier to the ASL or modify their scope on the ASL.

Supplier Qualification Criteria

As required by the FDA, the level of supplier assessment should be proportionate to the level of risk associated with the medical device. The FDA is not prescriptive about the use of specific qualifications or assessments for different types of suppliers, so that is up to your company to determine. This is a somewhat grey area but based on years working with companies and suppliers, as well as participating in FDA and ISO 13485 audits, there are some general expectations of vendor qualifications that we have observed and would recommend.

It is good practice to have a form or template that guides your supplier evaluation process. Using input from engineering and QA to first determine the level of risk and the requirements of that supplier, and then base your qualification plan on that information. If you have a higher risk supplier who may be supplying a critical component to your device, or providing a critical service such as sterilization, then your qualification process will be much more involved.

Here is an example of two different levels of criteria based on the type of supplier (the intent is not for the following items to be rules, and your company is responsible for determining the adequate acceptance criteria for suppliers, but this is a general example of what you may expect).

  • Critical Custom Component Supplier
    • ISO 13485 Certification
    • On-site audit of supplier’s facility
    • References
    • Provides Certificates of Analysis (CoA)
    • A written agreement that the supplier will communicate with the company regarding any changes that could affect their ability to meet requirements and specifications.
    • You validate a production sample, and it meets requirements
  • Non-Critical Consumable Supplier
    • Product available that meets the needs of the company.
    • An associate has previously used by an associate who recommends the supplier.
    • Adequate customer service returns allowed.

Additional Function of Supplier Evaluation Forms

The supplier evaluation form can also be used as the plan to assign responsibility and track completion and results during the initial evaluation. It can also include the plan for ongoing monitoring and control of the supplier. This evaluation form should be maintained as a quality record, and auditors will frequently ask to see supplier evaluations.

Are Supplier Audits Required as Purchasing Controls?

Also valuable, supplier audits may be included as part of an evaluation plan for a new supplier, the change of scope of a supplier, a routine audit as part of ongoing monitoring, or as part of a nonconformity investigation of a high-risk product. While it is not required by ISO 13485, nor does the FDA does specify in the CFR that you must audit suppliers, it is a very good idea to audit your critical suppliers. If an auditor or FDA inspector sees evidence that your current purchasing controls are inadequate, performing supplier audits may be forced as a corrective action.

Beyond that, you can gain so much value, and gather countless clues and important information in an audit that you just cannot get without visiting your critical supplier. You can see where they plan to/are making/cleaning/sterilizing/storing your product. Talk to the people on the line, are they competent and trained? Does the company maintain their facility well? How secure is it? Do they maintain adequate records and traceability? Have there been any nonconformities relating to your product that have been detected? Etc.

Supplier audits should also include evaluation of the procedures, activities, and records of the supplier that could have an impact on the product or service they are providing your company. If it is not the first audit of the company, you should be sure to review the previous audit report findings and ensure the company has addressed any nonconformities, review supplier performance data, information about any changes that may have occurred at the supplier since your last visit, etc.

Record Maintenance and Ongoing Evaluation of Suppliers

No matter the method of supplier qualification, it is best practice to maintain supplier files that contain useful information relative to the supplier that may include:

  • The original supplier qualification form
  • Supplier certificates
  • References
  • Audit reports
  • Subsequent performance evaluations
  • Expanded scope qualifications
  • Supplier communications
  • Current contact information
  • Copies of any non-conforming material reports related to the supplier, etc.

ISO 13485 requires monitoring and re-evaluation of suppliers, and maintaining detailed supplier files will assist in meeting this requirement, and will help in the feedback system to identify and recurring problems or issues with a supplier. On a planned basis, whether that is annually, or every order (dependent on the criticality of the product), your company should conduct a formal supplier evaluation to determine whether the supplier has continued to meet requirements – In general, annual supplier reviews are standard. Additionally, you must specify this frequency in your procedure (auditors will look for what period you specify in your procedure, and then will check your ASL to make sure all of your suppliers have been reviewed within that timeframe).

During the supplier evaluation, if you find there have been issues, you need to determine and weigh the risks associated with staying with that supplier, and document that in the supplier file. If you determine the supplier should no longer be qualified, then you must also indicate on the ASL that the company no longer approves of the supplier.

Making the Purchase

When you have verified your supplier is approved on the ASL, you are authorized to purchase a product. Engineering is usually responsible for identifying the product specifications, requirements for product acceptance, and adequacy of specified purchasing requirements before communication to the supplier. The specifications may be in the form of drawings or written specifications. Additional information communicated to the supplier should also include, as applicable, an agreement between your company and the supplier that the supplier will notify you before the implementation of changes relating to the product that could affect its ability to meet specified purchasing requirements. When the first batch of product is received from a particular supplier, it is a good idea to verify that the product performs as intended before entering into production with new material or components.

Supplier Nonconformity

From time to time, you may encounter issues with a supplier. Sources of nonconformity include incoming inspections, production nonconformities, final inspection, or customer complaints. You must notify your supplier of the nonconformity and record their response and assessment. Depending on the level of criticality of the vendor, it is reasonable to require them to perform a root cause analysis to determine and alleviate the cause of failure. You should also request documentation of an effectiveness check to ensure the supplier has taken corrective actions. You should maintain copies of supplier nonconformity reports in the supplier file, and discuss nonconformities during ongoing supplier evaluations.

If the supplier does not cooperate or fails to address the nonconformity in an acceptable manner, or if there is a pattern of nonconformities with the vendor, then you should disqualify the supplier, and indicate that the supplier is “not approved” on the ASL.

Purchasing Controls Procedures You Might Need

Medical Device Academy developed a Supplier Qualification Procedure, Purchasing Procedure, and associated forms that will meet purchasing controls regulatory requirements for ISO 13485:2016 and 21 CFR 820.50. These procedures will help you ensure that goods and services purchased by your company meet your requirements and specifications. If you have any questions or would like help in developing a custom procedure or work instructions that meet your company’s unique needs, please feel free to email me or schedule a call to discuss.

Posted in: ISO 13485:2016

Leave a Comment (1) →

Updating Training Procedure for Compliance with ISO 13485:2016

This article explains my process for updating training procedure SYS-004 for compliance with ISO 13845:2016 while the procedure was also simplified.

Training and Competency 1 Updating Training Procedure for Compliance with ISO 13485:2016

In addition to weekly blogging for the Medical Device Academy website, I am also updating each of my procedures for ISO 13485:2016 compliance. This week the training procedure (SYS-004) was updated. You are updating your procedures for compliance with the revised standard, but are you making any other strategic changes at the same time?

Changes to Training in ISO 13485:2016

The primary change to Clause 6.2 in ISO 13485 was the addition of the phrase, “shall document the process(es) for establishing competence, providing training, and ensuring awareness.” This doesn’t represent a change in the intent of the standard. Still, it does signal that certification bodies should be emphasizing the importance of assessing the effectiveness of training and competency–not just verifying the existence of training records.

Updating Training Procedure

The original version of SYS-004 had eight pages and included three different flow charts to explain the process. The procedure also required the use of a training plan for each employee. While I agree that managers should plan training if you make this a formal requirement with a controlled form, it creates an unnecessary burden for managers.

Therefore, when the procedure was updated to the requirements of ISO 13485:2016, the procedure was also simplified for smoother implementation by start-up companies. When you upgrade your procedures, you might look for similar opportunities to simplify and streamline the processes.

The updated procedure now has suggestions for how to consolidate specific roles for smaller companies. The procedure still references a training record for documenting training, but now there is also a reference to a training matrix to help document training requirements for each employee.

The FDA also requires that there are documented training requirements. Therefore, the procedure identifies the need to create a job description that includes training and competency requirements. The procedure does not, however, require that the job descriptions be maintained as controlled documents. If your company has multiple people with the same job function (e.g., customer service), then it might make sense to have a controlled document that is a job description for customer service. A company with four employees does not need controlled documents, and instead, a unique record for each employee makes more sense.

Updating Training Procedure to Explain How to Complete Forms?

Another option is to make your procedure very detailed to explain how to complete each section of a form, such as the training record (FRM-002) or the training matrix (FRM-026). However, I see very few managers struggle with completing training records. Therefore, instead, I plan to record a brief training webinar that explains how to fill in the forms. This will be provided as a free update to anyone that purchases the training competency procedure. This makes it easier to review the procedure for regulatory compliance and puts the details on how to complete forms in the training curriculum where it belongs.

If you have questions about how to update any of your procedures to ISO 13485, please email me at rob@13485cert.com. Maybe I’ll use your question as a topic for a future blog.

Posted in: ISO 13485:2016, ISO Certification

Leave a Comment (0) →

Control of Records – Updating Your Procedure for ISO 13485:2016

The Article reviews changes recommended for your control of records procedure to ensure compliance with ISO 13485:2016 and applicable regulatory requirements.

VA File Storage Control of Records   Updating Your Procedure for ISO 13485:2016

Nine months have already passed since the release of the 2016 version of ISO 13485. In 2015, you were told to update your quality system procedures early before the new European Regulations were released. There is a three year transition period, and you decided to do it next year. Now it’s 2017. It’s time to update your procedures.

Quality Plan for Revising Procedures to ISO 13485:2016

I plan to update one procedure each week from the 2003 version of ISO 13485 to the 2016 version. Some of the procedures were already updated last year, but just like you, I decided to finish the work next year. For the next six months, we will be busy revising procedures.

Training on the requirements for Control of Records

In addition to a procedure for control of records, you also need to train employees on good documentation practices. Initially, I created a webinar called “GDP 101” that combined control of documents, control of records, and training. Several people recommended that the webinar be revised to focus on the control of records. New webinars will be recorded each week to explain the updates to each procedure and to ensure that there is a training webinar for each procedure.

Three Generic Updates to Control of Records Procedure (SYS-002)

When you update a procedure, you need to do more than change the reference to the version of ISO 13485. For all procedures I recommend that you make three general improvements:

  1. identify a risk-based approach for that procedure,
  2. identify methods for documenting training effectiveness and competency, and
  3. verify that you have updated the procedure to address regulatory requirements.

In the case of control of records, the most important records should have more rigorous controls and more frequent monitoring of record control to ensure it is effective. For example, the following critical records are frequently sampled by FDA inspectors and should be carefully stored, organized, and monitored:

  • CAPAs
  • Complaints
  • Adverse Event Reports
  • Recalls
  • Nonconforming Material Records
  • Design History Files
  • Training Records

FDA inspectors are not permitted to review records of your management reviews, internal audit records, and supplier records. However, all three records will be sampled by certification bodies, and therefore these three records exempt from the requirements of 21 CFR 820.180 should also be a priority for risk-based control of records.

To address the third of the generic procedural updates, you should be aware that the new EU Medical Device Regulations are expected to increase the required record retention period for non-implant devices from 5 years to 10 years. Implants are expected to remain at 15 years.

Three Procedure-Specific Updates to Control of Records Procedure (SYS-002)

In addition to the generic procedural updates, three changes in the Standard are specific to control of records. First, in the section for control of documents (renumbered as Clause 4.2.4), there is now a requirement to prevent the deterioration and loss of documents.

Second, there is now a requirement in Clause 7.3.10 for maintaining design and development files for devices. This may have previously been addressed as a requirement to meet the FDA requirements for maintaining a Design History File (DHF), but not all ISO 13485 certified companies sell a product in the USA.

Third, there is a new requirement related to the protection of confidential health information, such as the information gathered during complaint investigations and clinical studies. Many companies refer to this as HIPAA compliance.

Updated Procedure & Webinar Bundle

If you need to update your control of records procedure and train your employees, you might consider our new procedure and webinar bundle.

Posted in: ISO 13485:2016, ISO Certification

Leave a Comment (2) →

Implementing Procedures for CAPA, NCMR & Receiving Inspection

The article shares lessons learned from implementing procedures for a new ISO 13485 quality system. This is the second in a series. The first month of procedure implementation was covered in a previous article titled, “How to implement a new ISO 13485 quality system plan in 2016.”

Implementing Procedures Implementing Procedures for CAPA, NCMR & Receiving Inspection

Typically, I recommend implementing a new ISO 13485 quality system over six months. Still, recently I a few clients have requested my assistance with implementing a quality management system within four months. In November, I wrote an article about implementing a new ISO 13485 quality system. That article described implementing procedures for the first month. Specifically, the implementation of the following procedures was covered:

  1. SYS-027, Purchasing
  2. SYS-001, Document Control
  3. SYS-002, Record & Data Control
  4. SYS-004, Training & Competency
  5. SYS-011, Supplier Quality Management
  6. SYS-008, Product Development
  7. SYS-010, Risk Management
  8. SYS-006, Change Control

These eight procedures are typically needed first. This article covers the implementation of the next set of procedures. During this month, I recommend conducting company-wide quality management system training for the ISO 13485 and 21 CFR 820.

Implementing Receiving Inspection Procedures

During the first month, procedures for purchasing components and services are implemented. As these products are shipped and received by your company, you need to create records of incoming inspection. It is not sufficient to merely have a log for receiving inspection. You need records of the results of the inspection. You may outsource the inspection activities, but receiving personnel must review the records of inspection for accuracy and completeness before moving product to your storage warehouse or production areas. Even if the inspection is 100% outsourced, it is still recommended to verify the inspection results independently on a sampling basis periodically. This should be a risk-based sampling that takes into account the importance of the item being inspected and the existence of in-process and final inspection activities that will identify potential nonconformities.

The most challenging part of this process typically is identifying inspection procedures and calibrated devices for inspection. Your company must find a balance between inspections performed by suppliers, incoming inspection, in-process inspection, and final inspection. Each of these process controls requires time and resources, but implementation should be risk-based and take into account the effectiveness of each inspection process–as determined by process validation. Sample sizes for inspection should also be risk-based.

Implementing Procedures for Identification and Traceability

The lot or a serial number of components must be identified throughout product realization–including incoming inspection, storage, production, final inspection, and shipping. In addition to determining what things are, you must also identify the status of each item throughout the product realization process. For example:

  • Is the product to be inspected or already inspected?
  • After the inspection, is product accepted or rejected?
  • Which production processes have been completed?
  • Is the product released for the final shipment?

The procedure for identification and traceability should be implemented immediately after the purchasing process, implemented during 1st month, because traceability requirements should be communicated to suppliers as part of supplier quality agreements and as part of each purchase order.

Initially, when this process is implemented, there is a tendency to complete forms for every step of the process and to distribute copies of the forms to communicate status. Completing forms and copying paperwork requires labor and adds no value. Therefore, learn manufacturing methods and visual indicators such as color-coding are recommended as best practices for identifying products and their status.

Implementing CAPA Procedures

When a product is identified as nonconforming, corrective actions need to be implemented to prevent a recurrence. Procedures need to include the requirement for planning corrective actions, containing a nonconforming product, correcting nonconformities, and implementing actions to prevent any future nonconformities. These procedures also need to address negative trends to prevent nonconformities before the product is out of specification (i.e., preventive actions). Procedures also need to provide guidelines on how to verify the effectiveness of corrective and preventive actions. Initially, the actions implemented will be specific to a purchased product that is received and rejected. However, over time data analysis of process monitoring and internal auditing will identify additional corrective and preventive actions that are needed.

The effectiveness of CAPA processes, in general, requires three key elements:

  1. A well-designed CAPA form
  2. Proper training on root cause analysis
  3. Performing effectiveness checks

In the CAPA training provided during the second month, the best practices for CAPA form design are covered. The training includes several methods for root causes analysis too. Finally, the training emphasizes using quantitative measurements to verify the effectiveness of corrective actions. It is recommended to identify the quantitative acceptance criteria for an effective corrective action before initiating actions to ensure that the actions planned are sufficient to prevent a recurrence.

Monitoring Your Procedure Implementation Process

As indicated in November’s article, I recommend using quantitative metrics to track the progress of procedure implementation. For example:

  1. % of procedures implemented,
  2. duration of document review and approval process, and
  3. % of required training completed.

Implementing Procedures for ISO 13485:2016

If you already have a quality system in place, you are implementing procedures that are modified for ISO 13485:2016 compliance, some of the same lessons learned to apply. If you are interested in learning more about the changes required for compliance with the 2016 version of the standard, we recorded two live webinars on March 24, 2016.

Posted in: ISO 13485:2016

Leave a Comment (0) →

Management review revisions for ISO 13485:2016

The article explains management review revisions required for ISO 13485:2016 compliance. The article tells a story about a recent re-certification audit nonconformity and how the revised ISO 13485:2016 Standard will help prevent this type of quality issue in the future. The article includes links to information about new and revised regulatory requirements, how to write a procedure, and there is a link for downloading a free management review webinar.

Management Review 20161 Management review revisions for ISO 13485:2016

One of my clients recently had a re-certification audit in December with their Notified Body, and they received a nonconformity in the first couple of hours of the four-day audit. Here’s what happened.

First, they had an opening meeting with the auditor from 8:30 am – 9:05 am. Next, they took the auditor on a tour of the facility to show her some of the areas of the facility that had been renovated since last year’s surveillance audit. The management representative and the auditor returned to the conference room at 9:40 am, and the auditor began with a review of the management review revisions to the procedure. The procedure had not changed since the previous year, so the auditor asked to see the most recent management review. The company conducted a management review on Tuesday, December 8, 2015. The audit reviewed all the required inputs since the previous management review–which was held on Tuesday, December 9, 2014.

When the auditor reviewed data analysis of complaints, she noticed a spike in complaints related to shipping errors that occurred in February through May. When she asked for an explanation, the management representative explained that the renovations caused some misplacement of inventory that resulted in shipping delays and a few mistakes. The auditor asked when the trend was first observed. The management representative indicated that the pattern was observed in April, and the warehouse manager made corrections in May. The trend was confirmed to have reversed in the data from the third quarter.

The auditor asked if a formal corrective action was implemented. The management representative said that no formal CAPA was initiated because the problem did not appear to be a systemic problem due to the small volume of complaints relative to the large volume of shipments. The auditor asked if shipping complaints were a quality objective. The management representative confidently indicated that they were. The auditor then asked when top management was notified of the negative trend and reviewed the spike in the performance of the quality objective. The management representative said that the objective quality performance is evaluated by top management during the management reviews. Since the corrections appeared to be effective, no further action was warranted.

The auditor responded that she would be issuing a minor nonconformity against the management review process. The reason the auditor provided was that top management and the management representative did not maintain the effectiveness of the quality management system during a major renovation, because they did not monitor quality objectives on a sufficient frequency to react to quality issues in a timely manner. Furthermore, they failed to modify there planned interval for management reviews to take into account significant changes in the facility that could negatively impact quality.

At the closing meeting, top management asked what should have been done to avoid this finding. The auditor was hesitant to provide advice, but she indicated that management could have been more proactive and taken measures to prevent the shipping complaints in the first place. A quality plan for the renovation could have included increased management oversight and a more frequent review of quality objectives related to the areas being renovated. Instead of reviewing quality metrics quarterly, a monthly schedule might have been used during the renovations. Instead of scheduling the management review for December, top management might have planned a management review during or immediately after the renovations to address any quality issues with corrective actions or action items in the management review outputs. Another possible and less proactive approach would have been for the warehouse manager to initiate a formal corrective action as soon as the negative trend was observed. Then top management would have been aware of the quality issue through the CAPA process. Unfortunately, none of these actions were taken.

The auditor indicated that she could have written the finding against a number of different clauses (e.g., CAPA, monitoring, and measurement of processes, quality system planning). She chose to reference the management review process in the finding because the company will need to make management review revisions in 2016 to document the justification for management review intervals. There are also management review revisions required to address new and revised regulatory requirements in the meeting outputs. Therefore, the company’s corrective action plan might also address the requirements of the revised ISO 13485:2016 Standard.

Management review revisions to the frequency of planned intervals

Most companies satisfy the requirement for conducting a management review (i.e., 21 CFR 820.20 and ISO 13485, Clause 5.6) in one of the following ways:

  1. conducting one meeting each year
  2. conducting one meeting each quarter

If your company is conducting only annual reviews, your reviews will be far more useful if you switch to a quarterly schedule. In the case of my client, top management would have discussed the negative trend in shipping complaints in April 2015 instead of December 2015–8 months earlier. Reviewing data from 9-10 months ago is too late to take action.

Management Review Revisions Medical Device Academy Made

You can download the management review procedure from this website that was just updated for compliance with ISO 13485:2016. If you have your procedure, you might want to read my blog about improving your management review procedure. The key to writing a procedure is to link the procedure to a template that will be used as a starting point for each management review. The template should include each of the eight required inputs (i.e., Clause 5.6.2), the 3 required outputs (i.e., Clause 5.6.3), and a slide for covering both the Quality Policy and the overall effectiveness of the Quality Management System. The procedure should be short, and the bullets should match the requirements verbatim.

Training Top Management

The biggest reason why management reviews are ineffective is that there is little engagement by most of the people in the room. Everyone in the room should be familiar with the requirements and contribute to the preparation for a management review and management review revisions. The best management representatives anticipate the needs of top management and give them tools that explain precisely what they need to do to prepare for a management review and their responsibilities during the meeting.

Additional Management Review Resources

If you are looking for more information on this topic, here are some resources:

  1. How to Improve Your Medical Device Management Review Procedure
  2. Management Review Procedure Case Study
  3. Management Review Webinar: Making your meetings more effective
  4. Medical Device Management Review Meetings: 3 Compliance Issues

Posted in: ISO 13485:2016, ISO Certification

Leave a Comment (10) →

How to write a quality system plan template (free download)

This article explains how to write a quality system plan template to revise and update your quality system for compliance with ISO 13485:2016. If you want to download our free template, there is a form to complete at the end of this article.

Screenshot 2015 11 19 at 5.52.44 PM How to write a quality system plan template (free download)

Templates are the key to writing a quality system plan

Plan, do check, and act (PDCA) is the mantra of the Deming disciples, but does anyone know what should be in your quality system plan template. Everyone focuses on the steps–the “What’s.” Unfortunately, people forget to include the other important pieces of an all-inclusive quality system plan. Why? When? Who? And How much?

The table in the template is an example of “What?” steps to perform, but it is specific to my procedures. You will need to revise the table to reference your procedures, and the changes you make will be specific to your quality system plan. The other sections of the template tell you what needs to be included in that section, but I did not provide examples for those sections.

Why should you create a quality system plan template?

The purpose section of the quality system plan answers the question of “Why?” You need to specify if the purpose of your quality system plan is compliance with new and revised regulatory requirements, preventing recurrence of quality issues, or maybe a faster development cycle. The purpose section of the plan also provides guidance with regard to the monitoring and measurement section of your quality system plan template.

When should you create a plan for quality system changes?

Most changes have deadlines. In the case of ISO 13485:2016, there will be a 3-year transition period. Still, most companies establish internal goals for early implementation by the end of the fiscal year or the end of a financial quarter. Some of the changes can be made in parallel, while other changes need to be sequential. Therefore, there may be specific milestones within your quality system plan that must be completed by specific dates. These dates define “When?” the steps in the quality system plan must be implemented.

Who should write your quality plan?

As my quality system plan template indicates, I recommend defining both individual process owners and teams of process owners where processes can be grouped together. For example, I typically group the following four processes together as part of “Good Documentation Practices (GDPs)”: 1) control of documents (SYS-001), 2) control of records (SYS-002), 3) training (SYS-004), and 4) change control (SYS-006). I cover all four processes in a webinar called “GDP 101.”

It is important to have one person that is accountable and has the authority to implement changes for each process, but only one person should be in control of each process. If you have four related procedures, then the team of four people will need to coordinate their efforts so that changes are implemented swiftly and accurately. For the overall quality system plan template, I recommend assigning a team leader for the team of four process owners described above. One of those people should be responsible for team leadership and writing the quality system plan template.

Monitoring implementation of your quality plan?

Monitoring the progress of your plan ensures the successful implementation of the plan. Sometimes things don’t work as planned, and corrections need to be made. Additional resources might be needed. The plan may have been too optimistic with regard to the implementation time required. I recommend assigning one person the task of retrieving team status reports from each of the teams and consolidating the team reports into an overall progress report.

Free download of ISO 13485:2016 quality system plan template

The sign-up form below will allow you to receive an email with the ISO 13485:2016 quality system plan template attached. This is a two-step process that will require you to confirm the sign-up.

Posted in: ISO Certification

Leave a Comment (5) →

How to implement a new ISO 13485 quality system plan in 2016

This article is a case study that explains how to implement a new ISO 13485 quality system plan at an accelerated schedule of just four months. The quality system will also be compliant with 21 CFR 820.

QMS Implementation Plan How to implement a new ISO 13485 quality system plan in 2016

Typically, I recommend implementing a new ISO 13485 quality system plan over a period of 6 months. The reason for this is that people can only read procedures and complete training at an individual pace. Since there are approximately 30 procedures required for a full quality system, an implementation pace of one procedure per week allows a company to complete 90% of the reading and training in six months.

In October, a new client asked me for a proposal to implement a new ISO 13485 quality system plan. The proposed quality system plan indicated that the project would start in October and finish in March. The client accepted my proposal, but they asked me to help them implement the quality system plan in four months, as indicated in the table above. We just started the implementation of the quality system plan last week, and I have discovered some secrets that dramatically simplify the process.  This blog shares some of the lessons learned that help implement the quality system plan at this faster pace.

Outsourcing ISO 13485 quality system development

Not everyone has the skill and experience to write a quality system procedure. Still, if you have a good template, you understand quality systems–then you can write quality system procedures. Depending upon the length of the procedure, it may take four to eight hours of writing for each procedure. Therefore, an in-house quality manager needs to allocate one day per week if they plan to write all the procedures for their quality system in six months. For a four-month implementation of an ISO 13485 quality system plan, you need to allocate two days per week to writing.

Alternatively, you can outsource the writing of your quality system. However, someone must be responsible for “customizing” generic procedures to fit your company, or the procedures need to be written from scratch. A third and final option is to have a hybrid of in-house procedures and outsourced procedures. If your quality manager has limited time resources, then you can supplement the managers’ time with procedures that are purchased and customized to fit your template. If there are specific procedures that the quality manager needs help with, such as risk management, then you can also purchase just those procedures.

ISO 13485 quality system plan

One of the basic principles of quality management systems is “continuous improvement.” The continuous improvement cycle is also known as the “Deming Cycle.” There are four parts to the cycle:

  1. Plan
  2. Do
  3. Check
  4. Act

When you are developing an ISO 13485 quality system, the first step is to develop the quality system plan. I recommend the following guidelines for a quality system plan. First, plan to implement the quality system at a steady pace. Second, organize the implementation into small groups of related procedures.

In this case study, I have 29 procedures that we are implementing, and there are 11 recorded training webinars. During each of the four months, approximately the same number of procedures are implemented. Then I organized the small groups of procedures around the scheduled webinar training. For example, the month of November will have a total of 24 documents (i.e., eight procedures and 16 associated forms and lists) implemented, and there are four webinar trainings scheduled. Therefore, four procedures related to “Good Documentation Practices 101 will be implemented as a group under document change notice (DCN) 15-001. Two procedures associated with “Are your Suppliers Qualified? Prove it! will be implemented as a group under DCN 15-002. The remaining two procedures, design controls, and risk management, will be implemented as a group under DCN 15-003 with two related webinars on design controls and ISO 14971.

Document Change Notice (DCN)

The next step in the Deming Cycle is to “Do.” For the implementation of an ISO 13485 quality system plan, “doing” involves the creation of procedures, forms, and lists, but “doing” also involves the review and approval of these documents. The form we use to review and approve procedures is called a document change notice or DCN.

It’s been almost 20 years since I completed my first DCN. For anyone unfamiliar with the review and approval of new and revised documents, most quality systems document the review and approval of procedures and forms on a separate form. The reason for this is that when you make one change, it often affects several other documents and forms. Therefore, it is more efficient to list all the documents and forms that are affected by the change on one form. This results in fewer signatures for reviewers and approvers. Several of the companies that I have helped to implement an ISO 13485 quality system plan for failure to review and approve the documents and forms in a timely manner. I think there are two reasons for this:

  1. they haven’t been responsible for document control before, and
  2. they don’t want to have to create and maintain quality system records any sooner than required.

The first reason can be addressed quickly with training. The second reason, however, is flawed. It is essential to implement the procedures as soon as possible to begin creating quality system records that can be audited by an ISO 13485 certification auditor or FDA inspectors. I have struggled with this hesitation in the past, but for this project, I am completing DCNs for the initial release of all the procedures and forms. This ensures that all the procedures and forms will be reviewed and approved shortly after the webinar training is completed. Also, this gives my client multiple examples of DCNs to follow as they make revisions to the procedures and forms over time.

Quality Objectives & Data analysis

The third step in the Deming Cycle is to “check.” I recommend using quantitative metrics to track progress toward your goal of completing the quality system implementation. For example, if you have 50 documents to review and approve, you can track the % complete by just multiplying each document that is approved by 2%. You can also track the implementation of documents separately by type. Every DCN you route for approval will take a certain number of days to complete. You might consider tracking the duration of DCN approval. As a benchmark, an efficient paper-based DCN process should average about four days from initiation to completion. I have seen average durations measured in months, but hopefully, your average duration of DCN approval will be measured in days. Another metric to consider is the % of required training that has been completed for the company, for each department and each employee. Regardless of which metrics you choose to evaluate your quality system implementation, you should pick some of these metrics as quality objectives (i.e., a requirement of ISO 13485, Clause 5.4.1). You should also analyze this data for positive and negative trends as required by ISO 13485, Clause 8.4.

Your first CAPAs

The fourth and final step in the Deming Cycle is to “act.” Acting involves taking corrective action(s) when your data analysis identifies processes that are not functioning as well as they should be. To achieve ISO 13485 certification, you will need some examples of corrective and preventive actions (CAPAs) that you have implemented. The steps you take in response to observed trends during data analysis are all potential CAPAs.

Download an ISO 13485 quality system plan

Later this week, I will be posting a follow-up blog that explains how to write an ISO 13485 quality system plan for establishing a new quality system. There will also be a link for downloading a free ISO 13485 quality system plan.

Posted in: ISO Certification

Leave a Comment (1) →

Good Documentation Practices (GDP 101) Webinar

good documetnation practice GDP101 300x261 Good Documentation Practices (GDP 101) Webinar

No White Out!

Medical Device Academy released a new webinar this week for training companies on good documentation practices.

Have you ever wondered where the FDA regulation is that says, “…shall not use white-out to correct quality system records.”

Don’t bother looking, because you won’t find it. You also won’t find any regulations against the use of red pens, highlighters, pencils, or markers. You can’t even find a guidance document that tells you not to put a single line through mistakes, initial and date it.

The applicable regulation is 21 CFR 820.180, but the regulation doesn’t specifically say these things. Instead, the regulation states: “Records shall be legible and shall be stored to minimize deterioration and to prevent loss.” The ISO 13485 Standard is not much different. It states that you must establish a procedure that will “Define the controls needed for the identification, storage, protection, retrieval, retention time and disposition of records.”

Over time medical device companies have developed some standard approaches to meet the requirements for Document Control, Control of Records, and Training. These are the three core processes that I call “good documentation practices.” If you need training or you need tools for training employees, click on the link below to purchase our new webinar on good documentation practices.

http://robertpackard.wpengine.com/good-documentation-practices-webinar/

The webpage also includes an exam for training people on good documentation practices. The exam serves as a useful check for the training, but we recommend that process owners monitor these processes–especially if the process is manual. For example, QC inspectors will complete inspection records and file the record as a quality system record. The QC supervisor, or process owner, should periodically review these records for completeness and accuracy. If the supervisor notices an error, the supervisor should notify the inspector and have them correct the mistake. The supervisor should also track how many times each error is made and specifically where errors are occurring. The collection of this data gives the supervisor trend data to help them identify which forms need to be updated to prevent mistakes and which employees require retraining. This data also provides evidence of competency for each employee concerning good documentation practices.

After you have completed the training, you might also be interested in downloading our procedures for Document Control, Control of Records and Training:

http://robertpackard.wpengine.com/standard-operating-procedures-medical-device-academy/

Posted in: ISO Certification

Leave a Comment (0) →

Management Review Procedure Case Study Example

This article, “Management Review Procedure Case Study” describes an error-proof method for review and approval of procedures.

Redlined Management Review Procedure Management Review Procedure Case Study Example

The first time I was ever formally trained on how to conduct a document review was during a lead auditor course. I thought the topic seemed out of place, but as I audited more companies, I realized that missing a regulatory requirement in a procedure was quite common. Regardless of who reviews a procedure, or how many times it is reviewed, something is always missed. Unfortunately, a desktop audit of procedures is not an effective corrective action or verification method. Auditing procedures is an ineffective method for reviewing procedures because audits are limited by sampling.

Instead of random sampling, a systematic review of 100% of regulatory requirements is needed to ensure that none of the regulatory requirements are accidentally omitted. Systematically reviewing the requirements for each country your company is selling in is tedious at best. You need a tool to make the reviewing process error-proof and straightforward. You also need each reviewer of the procedure to have a defined function to eliminate the duplication of work.

Procedure Reviewer Roles

Typically, there are 3-5 reviewers of procedures in most companies. Some companies make the mistake of having as many as 8-10 reviewers of procedures, but more is not better in this case. There are four primary roles for review and approval of procedures:

  1. process owner
  2. quality management
  3. regulatory
  4. independent

The process owner may be the author of a procedure, but I don’t recommend it. Editing someone else’s work is much more useful than editing your own work. Therefore, I recommend that department managers delegate the responsibility for writing a draft of a procedure to a subordinate that needs to perform the procedure. Then the department manager, who should also be the process owner, is responsible for reviewing and approving the initial draft.

The quality management person should be responsible for reviewing the procedure for accuracy and interactions with other processes. For example, the management review process has eight required inputs (i.e., ISO 13485, Clause 5.6.2a-h). Each of those inputs comes from another process and procedure. It is essential to ensure that if you are reviewing the complaint handling procedure, somewhere in that procedure, it should state that the monitoring and measuring of complaint trends should be input into the management review process.

The regulatory person is responsible for verifying that the procedure meets 100% of the regulatory requirements. This person should verify that the scope of the procedure identifies the relevant markets. If there are references to documents of external origin, the regulatory person should verify that these references are accurate. It is recommended to eliminate references to revisions of documents of external origin and internal procedure revisions because the inclusion of revisions will increase the frequency of minor revisions to procedures that add no value.

Finally, the independent reviewer is looking for two things:

  1. Does the procedure make sense–to someone that performs the procedure (if that person was not the author); and to an external auditor, such as a certification body (internal auditors can fill this role)?
  2. Are there typos, spelling, or grammar mistakes?

The independent reviewer does not need to be a manager. It needs to be someone that writes well. Copy editing is tedious, but apparent mistakes in spelling or grammar prompt auditors to review procedures more carefully. I recommend asking an internal auditor to be the independent reviewer.

Reviewing Regulatory Requirements

The two most common reasons for audit findings are:

  1. the procedure is not being followed, and
  2. a regulatory requirement is not being met.

The first problem should be addressed by having processing owners review and write procedures instead of asking quality assurance to provide a procedure. If you are purchasing a procedure, it’s important for the person that will be performing the procedure to carefully review the procedure to ensure it matches how they intend to perform that process. If it’s a manufacturing procedure, I like to conduct the training of personnel with a draft procedure and hand out red pens. That also dramatically reduces complaints from the people that do the work.

For regulatory requirements, your regulatory reviewer needs to create a checklist that includes 100% of the requirements for that procedure. The model I like to follow is the Essential Requirements or Essential Principles Checklist used for technical documentation (i.e., for CE Marking). There are 13 Essential Requirements, and most of the requirements have multiple subparts. The regulatory person that completes an Essential Requirements Checklist must indicate the following information next to the applicable requirement in the checklist table:

  • yes, the requirement applicable or justification if it’s not applicable
  • a reference to any applicable standards
  • a cross-reference to the record where evidence of meeting the requirement can be found (e.g., the risk management file)

Regulatory personnel can revise this approach slightly by doing the following for a review of procedures:

  • yes, the requirement applicable or justification if it’s not applicable
  • a reference to the applicable specific sub-clause in a Standard or a regulation
  • a cross-reference to the subsection of the procedure where evidence of meeting the requirement can be found (e.g., section 5.1 of the SYS-003)

Case Study of SYS-003, Management Review Procedure

In the Medical Device Academy Management Review Procedure, Section 8 is the “procedure section.” Sub-section 8.3 of the procedure lists all the required inputs to a Management Review meeting. Next to each input, I have included a cross-reference to the sub-clause in ISO 13485:2003 for the Management Review input. There is also a requirement in 21 CFR 820.20 for conducting Management Reviews as scheduled intervals. This requirement is met by sub-section 8.1 of the Management Review procedure.

Teaching Auditors to Review Regulatory Requirements

Now, when I teach my version of the Lead Auditor Course, I ask attendees to split into small groups and review one of their procedures. In the last company I did this, each of the four teams found a regulatory requirement missing in the procedure they were reviewing. All four procedures the teams selected were reviewed, approved, and currently in use.

Management Review Procedure – Free Download

[convertkit form=4961282]

Posted in: ISO Certification

Leave a Comment (1) →
Page 1 of 4 1234