ISO 13485:2016

This sub-category is dedicated to articles about the new version of ISO 13485:201x that is expected to be published at the end of this year or Q1 2016.

Nine easy ways to organize and improve quality system procedures

Would you like to learn nine ways to improve your quality system procedures? One method is precisely the opposite of our advice from 2011.

During a CAPA course I taught on Friday, January 28, 2011, one of the attendees asked if we teach a course on “How to write better quality system procedures.” Unfortunately, we could only offer material from a course about “Training the trainer.” That “Training the trainer” course focused on visual communication. Several books related to Lean Manufacturing explain how to use visual communication to replace text (i.e., “a picture says a thousand words”). During my ride home, however, I thought of a few other ideas that might help anyone writing or re-writing a procedure. The article was updated and posted as a new blog on Tuesday, March 28, 2023.

1. Use a standardized template for your procedures

In 2013 we published a blog about using a procedure template where we described our 12-part procedure template (i.e., TMP-001).  You don’t have to mimic our template, but using a template will accelerate the speed of your writing when you create procedures, and it makes sure you don’t forget any of the essential elements. In addition, using templates ensures a consistent format that makes it easier for everyone to find the information they are looking for. Just make sure that your document control procedure allows flexibility to deviate from the template. The ISO 13485:2016 standard does require a “mandatory” format. Referring to your template as “suggested formatting” will avoid unnecessary nonconformities.

2. Create a process “turtle diagram” for each quality procedure

All of the procedures that Medical Device Academy created have a flow chart at the beginning of the procedure showing the procedures and forms associated with processes that are inputs to that procedure and outputs from that procedure. To systematically improve our procedures, we will be systematically replacing those flow charts with turtle diagrams for each process. This will give more detail than our current flow charts, and internal and external auditors can use the turtle diagrams to understand process interactions.

3. Avoid making unnecessary references to regulations and standards

If you are writing a procedure on risk management—it makes sense to reference ISO 14971. It does not make sense to reference all the other risk analysis standards unless you specifically use them to perform risk analysis. ISO 14971:2019, Clause 4.1, also states that you “shall establish, implement, document, and maintain an ongoing process for” risk management activities. However, the ISO 14971 standard is not directly linked to other procedures. Therefore, ISO 14971 should only be referenced in another if you are using it in that procedure or referencing it directly. For example, the Quality Manual (i.e., POL-001) explicitly references ISO 14971. In contrast, the design control procedure (i.e., SYS-008) references the risk management procedure (SYS-010) but doesn’t reference ISO 14971.
Concerning regulations, you should only reference regulations if the procedure meets a specific requirement. Color coding with symbols should demonstrate traceability to requirements (see method #5 below for further explanation). Rather than adding a reference to regulations in a procedure where there is no requirement, a better approach is to indicate in the Quality Manual that only procedures that have specific requirements will reference the regulations, such as 21 CFR 820 or Part 1 of the Canadian MDR.

4. Track standards, regulations, and the version used in your procedures

In the original 2011 version of this article, we advised quality managers to “avoid including the revision of a standard” because “this is just another opportunity for unnecessary nonconformities.” However, we find that our team has trouble identifying every procedure that a change in regulation or a standard might impact. A systematic process is needed to identify every procedure referencing a regulation or standard. Therefore, we will reference all impacted procedures next to the regulation or standard in our Master Document List (i.e., LST-001). References to the regulations will be added to the main tab for policies, procedures, and work instructions (i.e., [POL, SYS, and WI]). References to the standards will be added to the tab for documents of external origin (i.e., [Doc Ext Origin]).

Many people feel that you should not reference the version of a standard in a procedure because adding the version of the standard increases the number of documents that need to be updated when a standard changes. However, if you are only referencing standards in procedures when it is necessary, then that procedure should be reviewed and updated for the need to be changed. Updating the version of the Standard referenced is the best way to document that a gap analysis against the new version has been completed and the necessary updates were made to the procedure.

5. Use color coding and symbols in your quality system procedures

Example of Cluase Cross references in quality system procedures 1024x517 Nine easy ways to organize and improve quality system procedures

Matthew Walker, Medical Device Academy’s manager of the human factors team, has systematically updated many of our procedures to the EU Medical Device Regulations 2017/745 and the In Vitro Diagnostic Regulations 2017/746. When he updates our procedures, he references the regulations and applicable ISO 13485:2016 clauses. During certification audits, certification body auditors sometimes have difficulty finding where specific requirements are located in the procedures. Therefore, Matthew added color-coded clause references for our clients and auditors as a corrective action. To make the procedures inclusive for people that are color-blind, Matthew added symbols to supplement the color coding. The extra addition of symbols has proven invaluable because now anyone can search the documents electronically for a symbol to find where all the references are located.

6. Indicate the process owner and training requirements associated with each procedure

Identifying the process owner and training requirements in every procedure makes it easier to define who is responsible for reviewing and revising procedures. For the training requirements, the process owner should specify who needs to be trained on the process. Why? They know the procedure best. If there is a “grey area,” this should be resolved with the department manager for the job function. In addition, retraining requirements should be specified. The training section should also clarify if retraining is required when revising a procedure. If the revision is minor, training should only be necessary for people not trained on a previous revision.

7. Adopt the Plan-Do-Check-Act (PDCA) model for the structure of quality system procedures

For the “Plan” portion, the procedure should explain how to prepare to do something. This planning activity can apply to anything from planning to perform an audit to planning to inspect incoming raw materials. The “Do” portion is what most people refer to as the “Procedure” section. The “Check” portion of the procedure is a great place to specify the monitoring and measurement requirements for the process (see Section 8.1 of the Standard). Finally, the “Act” portion of the procedure should indicate what to do when target metrics are unmet. For example, what should be done when an alert limit is reached? What should be done when an action limit is reached?

8. Include the revision history of quality system procedures

It’s helpful to know which Document Change Notice (DCN) approved the document revision, why the changes were made, the nature of the changes, whether there is a related corrective action, and when the change was made. This will also tell auditors whether there is anything new to audit since the previous internal or external audit. This section is usually near the beginning of our procedures, but it doesn’t matter if the revision history is at the end or the beginning. However, it does help to be consistent.

9. Identify the form number, location, and retention period for each record

We have a section about quality system records near the end of every procedure. This section lists each quality system record that is associated with the procedure. The relevant form is referenced, but we recommend storing these records in electronic or paper folders labeled with the form number. If the files are digital, a hyperlink should be included. If the files are paper, then you should list the physical location of storage. The retention period can be listed in each procedure. Still, it will be essential to ensure that this information matches the regulatory requirements and record retention requirements in your “Control of Records” procedure (i.e., SYS-002).

 

Nine easy ways to organize and improve quality system procedures Read More »

Why modernize 21 CFR 820 to ISO 13485?

The FDA patches the regulations with guidance documents, but there is a desperate need to modernize 21 CFR 820 to ISO 13485.

FDA Proposed Amendment to 21 CFR 820

On February 23, 2022, the FDA published a proposed rule for medical device quality system regulation amendments. The FDA planned to implement amended regulations within 12 months, but the consensus of the device industry is that a transition of several years would be necessary. In the proposed rule, the FDA justifies the need for amended regulations based on the “redundancy of effort to comply with two substantially similar requirements,” creating inefficiencies. In public presentations, the FDA’s supporting arguments for the proposed quality system rule change rely heavily upon comparing similarities between 21 CFR 820 and ISO 13485. However, the comparison table provided is quite vague (see the table from page 2 of the FDA’s presentation reproduced below). The FDA also provided estimates of projected cost savings resulting from the proposed rule. What is completely absent from the discussion of the proposed rule is any mention of the need to modernize 21 CFR 820.

Overview of Similarities and Differences between QSR and ISO 13485 1006x1024 Why modernize 21 CFR 820 to ISO 13485?

Are the requirements “substantively similar”?

The above table provided by the FDA claims that the requirements of 21 CFR 820 are substantively similar to the requirements of ISO 13485. However, there are some aspects of ISO 13485 that will modernize 21 CFR 820. The areas of impact are 1) software, 2) risk management, 3) human factors or usability engineering, and 4) post-market surveillance. The paragraphs below identify the applicable clauses of ISO 13485 where each of the four areas are covered.

Modernize 21 CFR 820 to include software and software security

Despite the limited proliferation of software in medical devices during the 1990s, 21 CFR 820 includes seven references to software. However, there are some Clauses of ISO 13485 that reference software that are not covered in the QSR. Modernizing 21 CFR 820 to reference ISO 13485 will incorporate these additional areas of applicability. Clause 4.1.6 includes a requirement for the validation of quality system software. Clause 7.6 includes a requirement for the validation of software used to manage calibrated devices used for monitoring and measurement. Clause 7.3 includes a requirement for validation of software embedded in devices, but that requirement was already included in 21 CFR 820.30. The FDA can modernize 21 CFR 820 further by defining Software as a Medical Device (SaMD), referencing IEC 62304 for management of the software development lifecycle, referencing IEC/TR 80002-1 for hazard analysis of software, referencing AAMI TIR57 for cybersecurity, and referencing ISO 27001 for network security. Currently, the FDA strategy is to implement guidance documents for cybersecurity and software validation requirements, but ISO 13485 only references IEC 62304. The only aspect of 21 CFR 820 that appears to be adequate with regard to software is the validation of software used for automation in 21 CFR 820.75. This requirement is similar to Clause 7.5.6 (i.e., validation of processes for production and service provisions).

Does 21 CFR 820 adequately cover risk management?

The FDA already recognizes ISO 14971:2019 as the standard for the risk management of medical devices. However, the risk is only mentioned once in 21 CFR 820. In order to modernize 21 CFR 820, it will be necessary for the FDA to identify how risk should be integrated throughout the quality system requirements. The FDA recently conducted two webinars related to the risk management of medical devices, but implementing a risk-based approach to quality systems is a struggle for companies that already have ISO 13485 certification. Therefore, a guidance document with examples of how to implement a risk-based approach to quality system implementation would be very helpful to the medical device industry. 

Modernize 21 CFR 820 to include Human Factors and Usability Engineering

ISO 13485 references IEC 62366-1 as the applicable standard for usability engineering requirements, but there is no similar requirement found in 21 CFR 820. Therefore, human factors are an area where 21 CFR 820 needs to be modernized. The FDA has released guidance documents for the human factors content to be included in a 510k pre-market notification, but the guidance was released in 2016 and the guidance does not reflect the FDA’s current thoughts on human factors/usability engineering best practices. The FDA recently released a draft guidance for the format and content of human factors testing in a pre-market 510k submission, but that document is not a final guidance document and there is no mention of human factors, usability engineering, or even use errors in 21 CFR 820. Device manufacturers should be creating work instructions for use-related risk analysis (URRA) and fault-tree analysis to estimate the risks associated with use errors as identified in the draft guidance. These work instructions will also need to be linked with the design and development process and the post-market surveillance process.

Modernize 21 CFR 820 to include Post-Market Surveillance

ISO/TR 20416:2020 is a new standard specific to post-market surveillance, but it is not recognized by the FDA. There is also no section of 21 CFR 820 that includes a post-market surveillance requirement. The FDA QSR focuses on reactive elements such as:

  • 21 CFR 820.100 – CAPA
  • 21 CFR 820.198 – Complaint Handling
  • 21 CFR 803 – Medical Device Reporting
  • 21 CFR 820.200 – Servicing
  • 21 CFR 820.250 – Statistical Techniques

The FDA does occasionally require 522 Post-Market Surveillance Studies for devices that demonstrate risks that require post-market safety studies. In addition, most Class 3 devices are required to conduct post-approval studies (PAS). For Class 3 devices, the FDA requires the submitter to provide a plan for a post-market study. Once the study plan is accepted by the FDA, the manufacturer must report on the progress of the study. Upon completion of the study, most manufacturers are not required to continue PMS.

How will the FDA enforce compliance with ISO 13485?

It is not clear how the FDA would enforce compliance with Clause 8.2.1 in ISO 13485 because there is no substantively equivalent requirement in the current 21 CFR 820 regulations. The QSR is 26 years old, and the regulation does not mention cybersecurity, human factors, or post-market surveillance. Risk is only mentioned once by the regulation, and software is only mentioned seven times. The FDA has “patched” the regulations through guidance documents, but there is a desperate need for new regulations that include critical elements. The transition of quality system requirements for the USA from 21 CFR 820 to ISO 13485:2016 will force regulators to establish policies for compliance with all of the quality system elements that are not in 21 CFR 820.

Companies that do not already have ISO 13485 certification should be proactive by 1) updating their quality system to comply with the ISO 13485 standard and 2) adopting the best practices outlined in the following related standards:

  • AAMI/TIR57:2016 – Principles For Medical Device Security – Risk Management
  • IEC 62366-1:2015 – Medical devices — Part 1: Application of usability engineering to medical devices
  • ISO/TR 20416:2020 – Medical devices — Post-market surveillance for manufacturers
  • ISO 14971:2019 – Medical Devices – Application Of Risk Management To Medical Devices
  • IEC 62304:2015 – Medical Device Software – Software Life Cycle Processes
  • ISO/TR 80002-1:2009 – Medical device software — Part 1: Guidance on the application of ISO 14971 to medical device software
  • ISO/TR 80002-2:2017 – Medical device software — Part 2: Validation of software for medical device quality systems

What is the potential impact of the US FDA requiring software, risk management, cybersecurity, human factors, and post-market surveillance as part of a medical device company’s quality system?

Why modernize 21 CFR 820 to ISO 13485? Read More »

Is monitoring every procedure required?

Process monitoring is required but do you know whether monitoring every procedure is required by the FDA QSR or ISO 13485?

One of the elements that Medical Device Academy has incorporated into each procedure we created in our turnkey quality system is a section titled, “monitoring and measurement.” The purpose of this section is to force each process owner to identify a process metric for monitoring every procedure. In some cases, we suggest a metric that would be appropriate for most companies establishing a new quality system. In other procedures, we use the following default text:

Enter a quality metric that you want to track for this process in accordance with ISO 13485:2016, Clause 8.2.5 and the procedure for Monitoring, Measurement, and Analysis (SYS-017).

Where are the requirements for process monitoring in 21 CFR 820?

Some of the companies that have purchased our turnkey quality system have asked, “Is it required to monitor and measure something in every procedure?” In general, it is not a specific requirement to have a metric specified in each procedure. In fact, if your quality system is not ISO 13485 certified, there are actually only a few places where the US FDA requires monitoring. The FDA does not have a section specific to monitoring and measurement of processes, but there is a section of the regulations specific to statistical techniques (i.e. 21 CFR 820.250). However, it does not state in the QSR that statistical analysis is required for all processes. In fact, there are only six instances where the word “statistical” is used:

  • 21 CFR 820.100(a)(1) – “Analyzing processes, work operations, concessions, quality audit reports, quality records, service records, complaints, returned product, and other sources of quality data to identify existing and potential causes of nonconforming product, or other quality problems. Appropriate statistical methodology shall be employed where necessary to detect recurring quality problems;”
  • 21 CFR 820.200(b) – “Each manufacturer shall analyze service reports with appropriate statistical methodology in accordance with § 820.100.”
  • 21 CFR 820.250 – “(a) Where appropriate, each manufacturer shall establish and maintain procedures for identifying valid statistical techniques required for establishing, controlling, and verifying the acceptability of process capability and product characteristics. (b) Sampling plans, when used, shall be written and based on a valid statistical rationale. Each manufacturer shall establish and maintain procedures to ensure that sampling methods are adequate for their intended use and to ensure that when changes occur the sampling plans are reviewed. These activities shall be documented.” Note: the other two instances are the title of 21 CFR 820.250.

The word “monitoring” is equally rare (i.e. 4x) in the QSR:

  • 21 CFR 820.70(a) – “Each manufacturer shall develop, conduct, control, and monitor production processes to ensure that a device conforms to its specifications…Where process controls are needed…(2) Monitoring and control of process parameters and component and device characteristics during production.”
  • 21 CFR 820.75(b) – “Each manufacturer shall establish and maintain procedures for monitoring and control of process parameters for validated processes to ensure that the specified requirements continue to be met…(2) For validated processes, the monitoring and control methods and data, the date performed, and, where appropriate, the individual(s) performing the process or the major equipment used shall be documented.”

Where are the requirements for process monitoring in ISO 13485:2016?

ISO 13485:2016 has a section specific to monitoring and measurement of processes (i.e. Clause 8.2.5). In addition, the word “monitoring” occurs 52 times in the standard and there are 60 incidents of some variant or the exact word. , but there is a section of the regulations specific to statistical techniques (i.e. 21 CFR 820.250). However, it does not state in the QSR that statistical analysis is required for all processes. In fact, there are only six instances where the word “statistical” is used. There are four Clause headings that actually include the word monitoring:

  • Clause 7.6, Control of monitoring and measuring equipment
  • Clause 8.2, Monitoring and measurement
  • Clause 8.2.5, Monitoring and measurement of processes
  • Clause 8.2.6, Monitoring and measurement of product

In Clause 1, Scope, and Clause 4.1.5, the Standard states that any outsourced processes remain the responsibility of the company and must be accounted for in the quality system by monitoring, maintaining, and controlling the processes.

Monitoring of risk is included in the definition of “risk management” in the Standard (i.e. Clause 3.18).

Clause 4.1.3 states that the organization shall, “b) ensure the availability of resources and information necessary to support the operation and monitoring of these processes…d) monitor, measure as appropriate, and analyze these processes.”

Clause 4.2.3 states that the contents of the Medical Device File (i.e. MDR or TF), shall include, “d) procedures for measuring and monitoring.”

Monitoring and measurement of processes and product are required inputs to the Management Review in Clauses 5.6.2e) and f).

Clause 6.4.1 requires a procedure for monitoring the work environment if it can have an effect on product quality.

Clause 7.1 requires the company to consider including monitoring in product realization planning.

Clause 7.4.1 requires a plan for monitoring suppliers.

Clause 7.5.1 requires monitoring production and service, including the monitoring of process parameters and product characteristics.

Clause 7.5.6 requires monitoring of validated process parameters.

Clause 7.5.8 requires identification of status with regard to product monitoring and measurement (i.e. inspection status).

Clause 7.6 requires monitoring and measurement of calibrated devices and validation of any computer software used to monitor calibrated devices.

Clause 8.1 states that companies shall plan and implement monitoring and measurement of processes.

Clause 8.2 is titled, “Monitoring and measurement.”

Clause 8.2.1 requires monitoring of customer feedback.

Clause 8.2.5 requires monitoring of processes to ensure planned results are achieved.

Clause 8.2.6 requires monitoring of products to ensure product requirements have been met.

Clause 8.4 requires data analysis of monitoring data from at least six different processes:

  1. Feedback
  2. Conformity to product requirements
  3. Characteristics and trends of processes and products, including opportunities for improvement
  4. Suppliers
  5. Audits
  6. Service reports, as appropriate

In summary, while not every single clause that requires a procedure includes a requirement for monitoring, there are a number of processes where the requirement to monitor the process is explicitly stated.

Why do all of our procedures include the requirement for metrics?

Medical Device Academy expanded the requirement for monitoring to all procedures for five reasons:

  1. Quality objectives must be “established at relevant functions and levels within the organization.” Therefore, establishing monitoring requirements for each procedure ensures that top management has metrics for every process and a lack of data is never an excuse for not establishing a new quality objective when improvement is needed.
  2. If every procedure has a requirement for monitoring, then employees don’t have to remember which processes require monitoring and which processes do not explicitly require monitoring.
  3. The process approach to auditing includes metrics of the process as one of the seven items that are included in every process turtle diagram, and therefore, including metrics for each procedure facilitates the process approach to auditing.
  4. If a company does not have a process metric already established, it is often difficult to perform an investigation of the root cause of quality issues. If a metric is already being monitored for the process, this facilitates the investigation of the root cause and you can use the baseline monitoring data to help you establish effectiveness criteria for the corrective action.quantitative effectiveness check 300x209 Is monitoring every procedure required?
  5. Finally, most companies struggle to identify preventive actions as required by Clause 8.5.3, and we have found that data analysis of monitoring data is the best source of identifying new preventive actions.

What are the disadvantages when you monitor and measure something in every procedure?

The primary reason for resistance to identifying a metric for monitoring in every procedure is that it will increase the workload for the employees responsible for that process. However, monitoring of data does not always increase workload. In fact, when process data is recorded in real-time on a run chart it is often possible to identify a trend much earlier than when data is simply recorded and subjected to monitoring.

  • Example #1: The automatic tracking of toner in a printer tells HP when to ship you a new toner cartridge before you need it. This ensures that there is no loss in productivity because you never run out of ink or the ability to print documents.
  • Example #2: Companies will use project management software (e.g. Asana) to monitor labor utilization. This will help identify when a specific resource is nearing capacity. When this occurs, the project manager can add time buffers to prerequisite steps and adjust the starting date of the resource-limited tasks to an earlier starting date. This ensures that more time is available to finish the task or to take advantage of resource availability at an earlier date.
  • Example #3: Monitoring the revision date for procedures helps the document control process owner identify procedures that should be evaluated for the need to be revised and updated. Often this is articulated as a quality objective of reviewing and updating all procedures within 2 years. This also ensures that procedures remain current and compliant with regulatory requirements.

What are the advantages of monitoring every procedure?

The phrase “what gets measured gets managed” is a popular business philosophy that implies measuring employee activity increases the likelihood that employees will complete a task or perform it well. In contrast, if a process is not monitored, employees may assume that it is not important and the tasks may be skipped or completely forgotten. Setting quantitative goals is also sometimes integrated with economic incentives or bonuses that are granted to individuals and teams.

FDA transition from QSR to ISO 13485

The US FDA is planning its transition from 21 CFR 820 to ISO 13485 as the quality system criteria. This will force companies to make adjustments to their quality systems and increase the amount of process monitoring performed. My general advice is to work with employees that are performing tasks to identify streamlined methods for monitoring those tasks without being overly burdensome. Then you and the employees you manage can analyze the data together and identify opportunities for improvement. When you do this, experiment with manual methods using whiteboards and paper charts that are visible in public areas first. Only implement automated solutions after you have optimized the data being collected and the frequency of data collection, and remember that not every process will benefit from automated statistical process control. Sometimes the simple approach is best.

Is monitoring every procedure required? Read More »

How to create an IVDR checklist

This article provides an IVDR checklist for updating your ISO 13485 quality system to comply with EU Regulation 2017/746.

IVD Checklist 1024x474 How to create an IVDR checklist

Why I created an IVDR checklist?

Hundreds (if not thousands) of IVD manufacturers are currently updating their ISO 13485:2016 certified quality system from compliance with the In Vitro Diagnostic Directive (i.e. Directive 98/79/EC) or IVDD to the new EU In Vitro Diagnostic Regulation (i.e. Regulation 2017/746). Revision of technical files and the associated procedures for creating your technical files is a big part of these updates. However, there is much more that needs to be updated than just the technical documentation. Therefore, IVD manufacturers are asking Medical Device Academy to conduct remote internal audits of their quality system to identify any gaps. Usually, we conduct internal audits using the process approach to auditing, but this is one of the scenarios where the element approach and an audit checklist are invaluable.

If you would like to download our IVDR checklist for FREE, please fill in the form below.

How do you use an audit checklist?

An audit checklist is used by quality system auditors to collect objective evidence during an audit. This objective evidence verifies compliance with regulatory requirements or internal procedural requirements. If the auditor is unable to find supporting evidence of compliance, the auditor may continue to search for data or identify the requirement as a nonconformity. Typically the checklist is in four columns using a tabular form. The left-hand column lists each requirement. The next column is where the auditor documents records sampled, procedures reviewed, and personnel interviewed. In the third column, the auditor indicates what they were looking for in the records, procedures, or during the interview. Some of the information in the second and third columns can often be entered prior to starting the audit by reviewing audit preparation documents (e.g. procedures and previous audit reports). In the fourth column the auditor will enter the objective evidence for conformity collected during the audit.

How to create an IVDR quality plan

Most of the companies that are preparing for an IVDR audit by their notified body already have ISO 13485:2016 certification and they are using the self-declaration pathway for CE Marking under the IVDD. Under the IVDR, a notified body must now review and approve the technical file. The notified body must also confirm that their quality system has been updated to include the IVDR requirements. The Technical File requirements are found in Annex II and III; while most of the quality system requirements are found in the Articles.  The quality system requirements include:

  1. a risk management process in accordance with Annex I – deviations from ISO 14971:2019 will be necessary)
  2. conduct a performance evaluation–including a post-market performance follow-up (PMPF). This requirement is defined in Article 52 and Annex XIII
  3. create and maintain a technical file in accordance with Annex II & III
  4. create and maintain a Declaration of Conformity in accordance with Article 17
  5. CE Mark the product in accordance with Article 18
  6. implement a UDI system in accordance with Article 24, 26, and 28
  7. record retention requirements for the technical file, Declaration of Conformity, and certificates shall be increased from 5 years to 10 years
  8. set-up, implement, and maintain a post-market surveillance system in accordance with Article 78
  9. document a procedure for communication with Competent Authorities, Notified Bodies, Economic Operators, Customers, and/or other Stakeholders
  10. update procedures for reporting of serious incidents and field safety corrective actions in the context of vigilance to require reporting within 15 calendar days
  11. update the product labeling to comply with Annex I, section 20
  12. revise the translation procedure to ensure translations of the instructions for use are available in all required languages of the member states, and make sure these translations are available on the company website
  13. create a procedure for utilization of the Eudamed database for registration, CE Marking applications, UDI data entry, and vigilance reporting

Which IVDR requirements are already met by your quality system?

Some companies also manufacture medical devices that must comply with Regulation (EU) 2017/745. For those companies, many of the above requirements are already incorporated into their quality system. In this case, you should still include all of the IVDR checklist requirements in your plan, but you should indicate that the requirement has already been met and audited previously.

Content related to our IVDR checklist

On Friday, April 1, 2022 @ 11 am EDT (8 am Pacific), Rob Packard will be Joe Hage’s guest speaker on the weekly MDG Premium Live video (please click on the link to register). The topic of the live presentation will be “How to create an IVDR quality plan.” #MedicalDevices #MDGpremium

How to create an IVDR checklist Read More »

Purchasing Controls and Supplier Qualification

This article identifies the requirements for purchasing controls and supplier qualification procedures, as well as best practices for implementation.

Suppler qualification 1024x377 Purchasing Controls and Supplier Qualification

Purchasing Controls

Sourcing suppliers in the medical device industry is not as simple as going on the internet and finding your material and purchasing it. As part of a compliant quality management system, purchasing controls must be in place to ensure that quality products and materials are going into your device and that any service providers that your company uses in the production of your product or within your quality management system are qualified.

ISO 13485 Requirements

In light of that, ISO 13485:2016 sections 7.4.1 Purchasing process, 7.4.2 Purchasing information, and section 7.4.3 Verification of purchased product outline the purchasing controls for medical device manufacturers. The following are requirements for the evaluation and selection of suppliers:

  • The organization must have established criteria for the evaluation and selection of suppliers.
  • The criteria need to evaluate the supplier’s ability to provide a product that meets the requirements.
  • It needs to take into consideration the performance of the supplier.
  • It must consider the criticality and the effect that the purchased product may have on the quality of the medical device.
  • The level of supplier assessment and monitoring should be proportionate to the level of risk associated with the medical device.

Maintaining Purchasing Controls

To start, in the most basic sense, purchasing controls involve procedures that ensure you are only purchasing from suppliers who can meet your specifications and requirements. The best way to keep track of your qualified suppliers is to maintain an Approved Supplier List (ASL). You should only purchase products or services that affect your product or quality management system from companies on the ASL (you would not necessarily need to qualify things like office supplies or legal assistance through purchasing controls).

When used effectively, the Approved Supplier List can be a great tool to manage the key facets of purchasing control and keep track of supplier monitoring. Items that you can capture on the ASL include:

  • Supplier Name
  • Scope of Approved Supplies
  • Contact Information
  • Status of Approval (Approved, Pending, Unapproved, etc.)
  • Qualification Criteria
  • Supplier Certification and expiry dates
  • Monitoring Requirements/Activities
    • Date of Last Review
    • Date of Next Review

The first step in your purchasing procedure should involve checking to see if the supplier is under active approved status on the ASL. The second step will be to ensure that you are purchasing an item/service that is within the scope of approval of that supplier. If you have not approved the supplier, or the intended purchase is beyond the scope of that supplier, your purchaser will need to go through the necessary channels to add the supplier to the ASL or modify their scope on the ASL.

Supplier Qualification Criteria

As required by the FDA, the level of supplier assessment should be proportionate to the level of risk associated with the medical device. The FDA is not prescriptive about the use of specific qualifications or assessments for different types of suppliers, so that is up to your company to determine. This is a somewhat grey area but based on years working with companies and suppliers, as well as participating in FDA and ISO 13485 audits, there are some general expectations of vendor qualifications that we have observed and would recommend.

It is good practice to have a form or template that guides your supplier evaluation process. Using input from engineering and QA to first determine the level of risk and the requirements of that supplier, and then base your qualification plan on that information. If you have a higher risk supplier who may be supplying a critical component to your device, or providing a critical service such as sterilization, then your qualification process will be much more involved.

Here is an example of two different levels of criteria based on the type of supplier (the intent is not for the following items to be rules, and your company is responsible for determining the adequate acceptance criteria for suppliers, but this is a general example of what you may expect).

  • Critical Custom Component Supplier
    • ISO 13485 Certification
    • On-site audit of supplier’s facility
    • References
    • Provides Certificates of Analysis (CoA)
    • A written agreement that the supplier will communicate with the company regarding any changes that could affect their ability to meet requirements and specifications.
    • You validate a production sample, and it meets requirements
  • Non-Critical Consumable Supplier
    • Product available that meets the needs of the company.
    • An associate has previously used by an associate who recommends the supplier.
    • Adequate customer service returns allowed.

Additional Function of Supplier Evaluation Forms

The supplier evaluation form can also be used as the plan to assign responsibility and track completion and results during the initial evaluation. It can also include the plan for ongoing monitoring and control of the supplier. This evaluation form should be maintained as a quality record, and auditors will frequently ask to see supplier evaluations.

Are Supplier Audits Required as Purchasing Controls?

Also valuable, supplier audits may be included as part of an evaluation plan for a new supplier, the change of scope of a supplier, a routine audit as part of ongoing monitoring, or as part of a nonconformity investigation of a high-risk product. While it is not required by ISO 13485, nor does the FDA does specify in the CFR that you must audit suppliers, it is a very good idea to audit your critical suppliers. If an auditor or FDA inspector sees evidence that your current purchasing controls are inadequate, performing supplier audits may be forced as a corrective action.

Beyond that, you can gain so much value, and gather countless clues and important information in an audit that you just cannot get without visiting your critical supplier. You can see where they plan to/are making/cleaning/sterilizing/storing your product. Talk to the people on the line, are they competent and trained? Does the company maintain their facility well? How secure is it? Do they maintain adequate records and traceability? Have there been any nonconformities relating to your product that have been detected? Etc.

Supplier audits should also include evaluation of the procedures, activities, and records of the supplier that could have an impact on the product or service they are providing your company. If it is not the first audit of the company, you should be sure to review the previous audit report findings and ensure the company has addressed any nonconformities, review supplier performance data, information about any changes that may have occurred at the supplier since your last visit, etc.

Record Maintenance and Ongoing Evaluation of Suppliers

No matter the method of supplier qualification, it is best practice to maintain supplier files that contain useful information relative to the supplier that may include:

  • The original supplier qualification form
  • Supplier certificates
  • References
  • Audit reports
  • Subsequent performance evaluations
  • Expanded scope qualifications
  • Supplier communications
  • Current contact information
  • Copies of any non-conforming material reports related to the supplier, etc.

ISO 13485 requires monitoring and re-evaluation of suppliers, and maintaining detailed supplier files will assist in meeting this requirement, and will help in the feedback system to identify and recurring problems or issues with a supplier. On a planned basis, whether that is annually, or every order (dependent on the criticality of the product), your company should conduct a formal supplier evaluation to determine whether the supplier has continued to meet requirements – In general, annual supplier reviews are standard. Additionally, you must specify this frequency in your procedure (auditors will look for what period you specify in your procedure, and then will check your ASL to make sure all of your suppliers have been reviewed within that timeframe).

During the supplier evaluation, if you find there have been issues, you need to determine and weigh the risks associated with staying with that supplier, and document that in the supplier file. If you determine the supplier should no longer be qualified, then you must also indicate on the ASL that the company no longer approves of the supplier.

Making the Purchase

When you have verified your supplier is approved on the ASL, you are authorized to purchase a product. Engineering is usually responsible for identifying the product specifications, requirements for product acceptance, and adequacy of specified purchasing requirements before communication to the supplier. The specifications may be in the form of drawings or written specifications. Additional information communicated to the supplier should also include, as applicable, an agreement between your company and the supplier that the supplier will notify you before the implementation of changes relating to the product that could affect its ability to meet specified purchasing requirements. When the first batch of product is received from a particular supplier, it is a good idea to verify that the product performs as intended before entering into production with new material or components.

Supplier Nonconformity

From time to time, you may encounter issues with a supplier. Sources of nonconformity include incoming inspections, production nonconformities, final inspection, or customer complaints. You must notify your supplier of the nonconformity and record their response and assessment. Depending on the level of criticality of the vendor, it is reasonable to require them to perform a root cause analysis to determine and alleviate the cause of failure. You should also request documentation of an effectiveness check to ensure the supplier has taken corrective actions. You should maintain copies of supplier nonconformity reports in the supplier file, and discuss nonconformities during ongoing supplier evaluations.

If the supplier does not cooperate or fails to address the nonconformity in an acceptable manner, or if there is a pattern of nonconformities with the vendor, then you should disqualify the supplier, and indicate that the supplier is “not approved” on the ASL.

Purchasing Controls Procedures You Might Need

Medical Device Academy developed a Supplier Qualification Procedure, Purchasing Procedure, and associated forms that will meet purchasing controls regulatory requirements for ISO 13485:2016 and 21 CFR 820.50. These procedures will help you ensure that goods and services purchased by your company meet your requirements and specifications. If you have any questions or would like help in developing a custom procedure or work instructions that meet your company’s unique needs, please feel free to email me or schedule a call to discuss.

Purchasing Controls and Supplier Qualification Read More »

Implementing Procedures for CAPA, NCMR & Receiving Inspection

The article shares lessons learned from implementing procedures for a new ISO 13485 quality system. This is the second in a series. The first month of procedure implementation was covered in a previous article titled, “How to implement a new ISO 13485 quality system plan in 2016.”

Implementing Procedures Implementing Procedures for CAPA, NCMR & Receiving Inspection

Typically, I recommend implementing a new ISO 13485 quality system over six months. Still, recently I a few clients have requested my assistance with implementing a quality management system within four months. In November, I wrote an article about implementing a new ISO 13485 quality system. That article described implementing procedures for the first month. Specifically, the implementation of the following procedures was covered:

  1. SYS-027, Purchasing
  2. SYS-001, Document Control
  3. SYS-002, Record & Data Control
  4. SYS-004, Training & Competency
  5. SYS-011, Supplier Quality Management
  6. SYS-008, Product Development
  7. SYS-010, Risk Management
  8. SYS-006, Change Control

These eight procedures are typically needed first. This article covers the implementation of the next set of procedures. During this month, I recommend conducting company-wide quality management system training for the ISO 13485 and 21 CFR 820.

Implementing Receiving Inspection Procedures

During the first month, procedures for purchasing components and services are implemented. As these products are shipped and received by your company, you need to create records of incoming inspection. It is not sufficient to merely have a log for receiving inspection. You need records of the results of the inspection. You may outsource the inspection activities, but receiving personnel must review the records of inspection for accuracy and completeness before moving product to your storage warehouse or production areas. Even if the inspection is 100% outsourced, it is still recommended to verify the inspection results independently on a sampling basis periodically. This should be a risk-based sampling that takes into account the importance of the item being inspected and the existence of in-process and final inspection activities that will identify potential nonconformities.

The most challenging part of this process typically is identifying inspection procedures and calibrated devices for inspection. Your company must find a balance between inspections performed by suppliers, incoming inspection, in-process inspection, and final inspection. Each of these process controls requires time and resources, but implementation should be risk-based and take into account the effectiveness of each inspection process–as determined by process validation. Sample sizes for inspection should also be risk-based.

Implementing Procedures for Identification and Traceability

The lot or a serial number of components must be identified throughout product realization–including incoming inspection, storage, production, final inspection, and shipping. In addition to determining what things are, you must also identify the status of each item throughout the product realization process. For example:

  • Is the product to be inspected or already inspected?
  • After the inspection, is product accepted or rejected?
  • Which production processes have been completed?
  • Is the product released for the final shipment?

The procedure for identification and traceability should be implemented immediately after the purchasing process, implemented during 1st month, because traceability requirements should be communicated to suppliers as part of supplier quality agreements and as part of each purchase order.

Initially, when this process is implemented, there is a tendency to complete forms for every step of the process and to distribute copies of the forms to communicate status. Completing forms and copying paperwork requires labor and adds no value. Therefore, learn manufacturing methods and visual indicators such as color-coding are recommended as best practices for identifying products and their status.

Implementing CAPA Procedures

When a product is identified as nonconforming, corrective actions need to be implemented to prevent a recurrence. Procedures need to include the requirement for planning corrective actions, containing a nonconforming product, correcting nonconformities, and implementing actions to prevent any future nonconformities. These procedures also need to address negative trends to prevent nonconformities before the product is out of specification (i.e., preventive actions). Procedures also need to provide guidelines on how to verify the effectiveness of corrective and preventive actions. Initially, the actions implemented will be specific to a purchased product that is received and rejected. However, over time data analysis of process monitoring and internal auditing will identify additional corrective and preventive actions that are needed.

The effectiveness of CAPA processes, in general, requires three key elements:

  1. A well-designed CAPA form
  2. Proper training on root cause analysis
  3. Performing effectiveness checks

In the CAPA training provided during the second month, the best practices for CAPA form design are covered. The training includes several methods for root causes analysis too. Finally, the training emphasizes using quantitative measurements to verify the effectiveness of corrective actions. It is recommended to identify the quantitative acceptance criteria for an effective corrective action before initiating actions to ensure that the actions planned are sufficient to prevent a recurrence.

Monitoring Your Procedure Implementation Process

As indicated in November’s article, I recommend using quantitative metrics to track the progress of procedure implementation. For example:

  1. % of procedures implemented,
  2. duration of document review and approval process, and
  3. % of required training completed.

Implementing Procedures for ISO 13485:2016

If you already have a quality system in place, you are implementing procedures that are modified for ISO 13485:2016 compliance, some of the same lessons learned to apply. If you are interested in learning more about the changes required for compliance with the 2016 version of the standard, we recorded two live webinars on March 24, 2016.

Implementing Procedures for CAPA, NCMR & Receiving Inspection Read More »

How to reconcile the conflict between ISO 13485 and ISO 9001

This blog explains how to reconcile the conflict between ISO 13485 and ISO 9001, and discusses whether you should maintain dual certification.

how to reconcile diverging standards How to reconcile the conflict between ISO 13485 and ISO 9001

What is the conflict between ISO 13485 and ISO 9001?

The previous version of ISO 13485 was released in 2003. That standard was written following the same format and structure as the overall quality system standard at the time (i.e., ISO 9001:2000). In 2008, there was an update to the ISO 9001 standard, but the changes were minor, only clarified a few points, and the periodic review of ISO 13485 in 2008 determined there was not a need to update 13485 at that time. Unfortunately, the proposed structure of the ISO 9001 standard was radically different, and this forces companies with dual certification to reconcile the conflict between ISO 13485 and ISO 9001.

On December 1-5, 2014, the working group for the revision of ISO 13485 (i.e., TC 210 WG1), met at AAMI’s Standards week to review the comments and prepare a first Draft International Standard (DIS). We should have some updates on the progress of the DIS later in December, but hopefully, the news will not be delayed in publication until 2016. The following is a summary of the status before last that meeting.

Updated ISO 13485 and ISO 9001 Standards Being Released

In 2015, there will be a new international version of ISO 9001 released. This new version will have dramatic changes to the standard–including the addition of a new section on risk management and the adoption of the new High-Level Structure (HLS) changing from 9 sections to 11. The ISO 13485 standard is also anticipated to have a new international version released in 2015, but the ISO 13485 standard will maintain the current HLS with nine sections. The timing of the ISO 9001:2015 release and the ISO 13485:2015 release will likely be around the same time (Correction: the ISO 13485:2016 standard was released in February 2016). Both standards are expected to have a three-year transition period for implementation. The combination of the three-year transition and lessened requirements in the new version of ISO 9001 for a structured quality manual should allow most manufacturers to wait until the ISO 13485 release before they begin drafting a quality plan for compliance with the new standards. Some of my clients have already indicated that they may drop their ISO 9001 certification when it expires, instead of changing their quality system to comply with the ISO 9001:2015 requirements. However, my clients will not have the ability to allow their ISO 13485 certification to lapse. Will Health Canada be updating GD210 and continue to require ISO 13485 certification for medical device licensing? What should companies do?

Update on the reconciliation of ISO 13485:2016 and ISO 9001:2015 on May 29, 2020:

  • GD210 was never updated, and instead, it was replaced by MDSAP
  • ISO 13485:2016 certification, under the MDSAP program, is required for Canadian Medical Device Licensing
  • Many device companies have dropped the ISO 9001 certification.

Recommendations

From the experience of preparing for the ISO 13485:2016 and ISO 9001:2015 releases, I learned that obtaining draft versions of the standards before publication is invaluable. I was able to use the drafts to help prepare quality plans for the transition. Second, companies need to train their management teams and auditors on the differences between the current and the new standards to enable a gap analysis to be completed. Any manager that is responsible for a procedure required by the current version of a standard should receive training specific to the changes to understand how they will meet the requirements for documented information. Most companies will need to improve their risk management competency (which was updated again in December 2019). I recommend that companies begin drafting their quality plans and enter discussions with their certification body for quality system changes as early as possible. I also recommend that medical device companies maintain a quality manual structure that follows the ISO 13485:2016 standard rather than the ISO 9001:2015 standard. Following ISO 13485:2016 will help everyone locate information faster.

There is also specific text in the introduction of ISO 9001:2015 that states it is not the intent of the standard to imply the need to align your quality management system to the clause structure of the standard. Companies that maintain ISO 9001 certification should consider including cross-references between the two standards in their quality manual.

Historical Note

There are also European National (EN) versions of each standard (e.g., EN ISO 13485:2012). The EN versions are harmonized with the EU directives, but the content of the body or normative sections of the standards are identical. Historically, the differences were explained in Annex ZA, which was the last Annex in the EN version of the standard. In 2009 the harmonization annex for ISO 14971 (i.e., the medical device risk management standard) was split into three parts to match up with the three directives for medical devices (i.e., the MDD, AIMD, and IVDD). The new annexes (i.e., ZA, ZB, and ZC) were moved to the front of the EN version of the standard. The changes to ISO 14971 consisted of a correction and the change to Annex ZA. In 2012, there were new harmonization annexes created for ISO 13485 to follow the same format that was used for the EN ISO 14971 annexes. It is expected that these “zed” annexes will be released with a new EN version of the standard shortly after the international standard is published.

How to reconcile the conflict between ISO 13485 and ISO 9001 Read More »

Scroll to Top