Would you like to learn nine ways to improve your quality system procedures? One method is precisely the opposite of our advice from 2011.
During a CAPA course I taught on Friday, January 28, 2011, one of the attendees asked if we teach a course on “How to write better quality system procedures.” Unfortunately, we could only offer material from a course about “Training the trainer.” That “Training the trainer” course focused on visual communication. Several books related to Lean Manufacturing explain how to use visual communication to replace text (i.e., “a picture says a thousand words”). During my ride home, however, I thought of a few other ideas that might help anyone writing or re-writing a procedure. The article was updated and posted as a new blog on Tuesday, March 28, 2023.
1. Use a standardized template for your procedures
In 2013 we published a blog about using a procedure template where we described our 12-part procedure template (i.e., TMP-001). You don’t have to mimic our template, but using a template will accelerate the speed of your writing when you create procedures, and it makes sure you don’t forget any of the essential elements. In addition, using templates ensures a consistent format that makes it easier for everyone to find the information they are looking for. Just make sure that your document control procedure allows flexibility to deviate from the template. The ISO 13485:2016 standard does require a “mandatory” format. Referring to your template as “suggested formatting” will avoid unnecessary nonconformities.
2. Create a process “turtle diagram” for each quality procedure
All of the procedures that Medical Device Academy created have a flow chart at the beginning of the procedure showing the procedures and forms associated with processes that are inputs to that procedure and outputs from that procedure. To systematically improve our procedures, we will be systematically replacing those flow charts with turtle diagrams for each process. This will give more detail than our current flow charts, and internal and external auditors can use the turtle diagrams to understand process interactions.
3. Avoid making unnecessary references to regulations and standards
If you are writing a procedure on risk management—it makes sense to reference ISO 14971. It does not make sense to reference all the other risk analysis standards unless you specifically use them to perform risk analysis. ISO 14971:2019, Clause 4.1, also states that you “shall establish, implement, document, and maintain an ongoing process for” risk management activities. However, the ISO 14971 standard is not directly linked to other procedures. Therefore, ISO 14971 should only be referenced in another if you are using it in that procedure or referencing it directly. For example, the Quality Manual (i.e., POL-001) explicitly references ISO 14971. In contrast, the design control procedure (i.e., SYS-008) references the risk management procedure (SYS-010) but doesn’t reference ISO 14971.
Concerning regulations, you should only reference regulations if the procedure meets a specific requirement. Color coding with symbols should demonstrate traceability to requirements (see method #5 below for further explanation). Rather than adding a reference to regulations in a procedure where there is no requirement, a better approach is to indicate in the Quality Manual that only procedures that have specific requirements will reference the regulations, such as 21 CFR 820 or Part 1 of the Canadian MDR.
4. Track standards, regulations, and the version used in your procedures
In the original 2011 version of this article, we advised quality managers to “avoid including the revision of a standard” because “this is just another opportunity for unnecessary nonconformities.” However, we find that our team has trouble identifying every procedure that a change in regulation or a standard might impact. A systematic process is needed to identify every procedure referencing a regulation or standard. Therefore, we will reference all impacted procedures next to the regulation or standard in our Master Document List (i.e., LST-001). References to the regulations will be added to the main tab for policies, procedures, and work instructions (i.e., [POL, SYS, and WI]). References to the standards will be added to the tab for documents of external origin (i.e., [Doc Ext Origin]).
Many people feel that you should not reference the version of a standard in a procedure because adding the version of the standard increases the number of documents that need to be updated when a standard changes. However, if you are only referencing standards in procedures when it is necessary, then that procedure should be reviewed and updated for the need to be changed. Updating the version of the Standard referenced is the best way to document that a gap analysis against the new version has been completed and the necessary updates were made to the procedure.
5. Use color coding and symbols in your quality system procedures
Matthew Walker, Medical Device Academy’s manager of the human factors team, has systematically updated many of our procedures to the EU Medical Device Regulations 2017/745 and the In Vitro Diagnostic Regulations 2017/746. When he updates our procedures, he references the regulations and applicable ISO 13485:2016 clauses. During certification audits, certification body auditors sometimes have difficulty finding where specific requirements are located in the procedures. Therefore, Matthew added color-coded clause references for our clients and auditors as a corrective action. To make the procedures inclusive for people that are color-blind, Matthew added symbols to supplement the color coding. The extra addition of symbols has proven invaluable because now anyone can search the documents electronically for a symbol to find where all the references are located.
6. Indicate the process owner and training requirements associated with each procedure
Identifying the process owner and training requirements in every procedure makes it easier to define who is responsible for reviewing and revising procedures. For the training requirements, the process owner should specify who needs to be trained on the process. Why? They know the procedure best. If there is a “grey area,” this should be resolved with the department manager for the job function. In addition, retraining requirements should be specified. The training section should also clarify if retraining is required when revising a procedure. If the revision is minor, training should only be necessary for people not trained on a previous revision.
7. Adopt thePlan-Do-Check-Act (PDCA) model for the structure of quality system procedures
For the “Plan” portion, the procedure should explain how to prepare to do something. This planning activity can apply to anything from planning to perform an audit to planning to inspect incoming raw materials. The “Do” portion is what most people refer to as the “Procedure” section. The “Check” portion of the procedure is a great place to specify the monitoring and measurement requirements for the process (see Section 8.1 of the Standard). Finally, the “Act” portion of the procedure should indicate what to do when target metrics are unmet. For example, what should be done when an alert limit is reached? What should be done when an action limit is reached?
8. Include therevision history of quality system procedures
It’s helpful to know which Document Change Notice (DCN) approved the document revision, why the changes were made, the nature of the changes, whether there is a related corrective action, and when the change was made. This will also tell auditors whether there is anything new to audit since the previous internal or external audit. This section is usually near the beginning of our procedures, but it doesn’t matter if the revision history is at the end or the beginning. However, it does help to be consistent.
9. Identify the form number, location, and retention period for each record
We have a section about quality system records near the end of every procedure. This section lists each quality system record that is associated with the procedure. The relevant form is referenced, but we recommend storing these records in electronic or paper folders labeled with the form number. If the files are digital, a hyperlink should be included. If the files are paper, then you should list the physical location of storage. The retention period can be listed in each procedure. Still, it will be essential to ensure that this information matches the regulatory requirements and record retention requirements in your “Control of Records” procedure (i.e., SYS-002).
The FDA patches the regulations with guidance documents, but there is a desperate need to modernize 21 CFR 820 to ISO 13485.
FDA Proposed Amendment to 21 CFR 820
On February 23, 2022, the FDA published a proposed rule for medical device quality system regulation amendments. The FDA planned to implement amended regulations within 12 months, but the consensus of the device industry is that a transition of several years would be necessary. In the proposed rule, the FDA justifies the need for amended regulations based on the “redundancy of effort to comply with two substantially similar requirements,” creating inefficiencies. In public presentations, the FDA supporting arguments for the proposed quality system rule change relies heavily upon comparing similarities between 21 CFR 820 and ISO 13485. However, the comparison table provided is quite vague (see the table from page 2 of FDA’s presentation reproduced below). The FDA also provided estimates of projected cost savings resulting from the proposed rule. What is completely absent from the discussion of the proposed rule is any mention of the need to modernize 21 CFR 820.
Are the requirements “substantively similar”?
The above table provided by the FDA claims that the requirements of 21 CFR 820 are substantively similar to the requirements of ISO 13485. However, there are some some aspects of ISO 13485 that will modernize 21 CFR 820. The areas of impact are: 1) software, 2) risk management, 3) human factors or usability engineering, and 4) post-market surveillance. The paragraphs below identify the applicable clauses of ISO 13485 where each of the four areas are covered.
Modernize 21 CFR 820 to include software and software security
Despite the limited proliferation of software in medical devices during the 1990s, 21 CFR 820 includes seven references to software. However there are some Clauses of ISO 13485 that reference software that are not covered in the QSR. Modernizing 21 CFR 820 to reference ISO 13485 will incorporate these additional areas of applicability. Clause 4.1.6 includes a requirement for validation of quality system software. Clause 7.6 includes a requirement for validation of software used to manage calibrated devices used for monitoring and measurement. Clause 7.3 includes a requirement for validation of software embedded in devices, but that requirement was already included in 21 CFR 820.30. The FDA can modernize 21 CFR 820 further by defining Software as a Medical Device (SaMD), referencing IEC 62304 for management of the software development lifecycle, referencing IEC/TR 80002-1 for hazard analysis of software, referencing AAMI TIR57 for cybersecurity, and referencing ISO 27001 for network security. Currently the FDA strategy is to implement guidance documents for cybersecurity and software validation requirements, but ISO 13485 only references IEC 62304. Then only aspect of 21 CFR 820 that appears to be adequate with regard to software is validation of software used for automation in 21 CFR 820.75. This requirement is similar to Clause 7.5.6 (i.e., validation of processes for production and service provisions).
Does 21 CFR 820 adequately cover risk management?
The FDA already recognizes ISO 14971:2019 as the standard for risk management of medical devices. However, risk is only mentioned once in 21 CFR 820. In order to modernize 21 CFR 820, it will be necessary for the FDA to identify how risk should be integrated throughout the quality system requirements. The FDA recently conducted two webinars related to risk management of medical devices, but implementing a risk-based approach to quality systems is a struggle for companies that already have ISO 13485 certification. Therefore, a guidance document with examples of how to implement a risk-based approach to quality system implementation would be very helpful to the medical device industry.
Modernize 21 CFR 820 to include Human Factors and Usability Engineering
ISO 13485 references IEC 62366-1 as the applicable standard for usability engineering requirements, but there is no similar requirement found in 21 CFR 820. Therefore, human factors is an area where 21 CFR 820 needs to be modernized. The FDA has released guidance documents for the human factors content to be included in a 510k pre-market notification, but the guidance was released in 2016 and the guidance does not reflect the FDA’s current thoughts on human factors / usability engineering best practices. The FDA recently released a draft guidance for the format and content of human factors testing in a pre-market 510k submission, but that document is not a final guidance document and there is no mention of human factors, usability engineering, or even use errors in 21 CFR 820. Device manufacturers should be creating work instructions for use-related risk analysis (URRA) and fault-tree analysis to estimate the risks associated with use errors as identified the draft guidance. These work instructions will also need to be linked with the design and development process and the post-market surveillance process.
Modernize 21 CFR 820 to include Post-Market Surveillance
ISO/TR 20416:2020 is a new standard specific to post-market surveillance, but it is not recognized by the FDA. There is also no section of 21 CFR 820 that includes a post-market surveillance requirement. The FDA QSR focuses on reactive elements such as:
21 CFR 820.100 – CAPA
21 CFR 820.198 – Complaint Handling
21 CFR 803 – Medical Device Reporting
21 CFR 820.200 – Servicing
21 CFR 820.250 – Statistical Techniques
The FDA does occasionally require 522 Post-Market Surveillance Studies for devices that demonstrate risks that require post-market safety studies. In addition, most Class 3 devices are required to conduct post-approval studies (PAS). For Class 3 devices, the FDA requires the submitter provide a plan for a post-market study. Once the study plan is accepted by the FDA, the manufacturer must report on the progress of the study. Upon completion of the study, most manufacturers are not required to continue PMS.
How will the FDA enforce compliance with ISO 13485?
It is not clear how the FDA would enforce compliance with Clause 8.2.1 in ISO 13485, because there is no substantively equivalent requirement in the current 21 CFR 820 regulations. The QSR is 26 years old, and the regulation does not mention cybersecurity, human factors, or post-market surveillance. Risk is only mentioned once by the regulation, and software is only mentioned seven times. The FDA has “patched” the regulations through guidance documents, but there is a desperate need for new regulations that include critical elements. The transition of quality system requirements for the USA from 21 CFR 820 to ISO 13485:2016 will force regulators to establish policies for compliance with all of the quality system elements that are not in 21 CFR 820.
Companies that do not already have ISO 13485 certification should be proactive by 1) updating their quality system to comply with the ISO 13485 standard and 2) adopting the best practices outlined in the following related standards:
AAMI/TIR57:2016 – Principles For Medical Device Security – Risk Management
IEC 62366-1:2015 – Medical devices — Part 1: Application of usability engineering to medical devices
ISO/TR 20416:2020 – Medical devices — Post-market surveillance for manufacturers
ISO 14971:2019 – Medical Devices – Application Of Risk Management To Medical Devices
IEC 62304:2015 – Medical Device Software – Software Life Cycle Processes
ISO/TR 80002-1:2009 – Medical device software — Part 1: Guidance on the application of ISO 14971 to medical device software
ISO/TR 80002-2:2017 – Medical device software — Part 2: Validation of software for medical device quality systems
What is the potential impact of the US FDA requiring software, risk management, cybersecurity, human factors, and post-market surveillance as part of a medical device company’s quality system?
Learn how to create a UDI procedure for compliance with the FDA and EU regulatory requirements for UDI compliance.
Your cart is empty
A Unique Device Identifier or UDI is required for all in vitro diagnostics (IVD) and devices in the USA and Europe as a tool for identifying the manufacturer, the device or IVD itself, and production-related details such as the date of manufacture and the lot number. To comply with these UDI requirements, you will need a UDI procedure compliant with the US regulations (i.e., 21 CFR 830 and parts of 21 CFR 801). To comply with European regulations, you will need a UDI procedure compliant with Article 24 and Annex VI of the IVDR and Article 27 and Annex VI of the MDR. The video below provides an overview of Medical Device Academy’s UDI procedure.
What’s included in our UDI Procedure?
The UDI procedure complies with ISO 13485:2016 as well as the European and US regulations. The procedure includes the following list of documents:
SYS-039 A D5 UDI Requirements Procedure
FRM-016 A D1 FDA UDI Checklist
FRM-017 A D2 EU UDI Checklist
We are including a training webinar explaining the FDA’s UDI System and the native presentation slide deck, and we will provide an exam (i.e., a 10-question quiz) to verify training effectiveness. If you submit the completed exam to us by email in the native MS Word format, we will correct the exam and email you a training certificate with your corrected exam. The FDA website also provides information about the UDI system. We also provide email notifications of free updates to the procedure and forms when we update the procedure to comply with new and revised regulations.
Each month Alysha picks a new procedure or webinar that will be eligible for the “Alysha” 50% discount. Just type Alysha in the discount code box. June’s discounted procedure is SYS-039 for UID Requirements.
SYS-039 – UDI Requirements Procedure, Webinar and Exam Bundle
SYS-039, UDI Requirements Procedure Bundle; This training includes our procedure for UDI Requirements and the FDA template for the GUDID data elements. You will also receive a link to download our slide deck and webinar recording on UDI labeling. We also provide a 10 question quiz on the FDA’s UDI requirements and a training certificate when you complete the quiz and submit it to Medical Device Academy for grading.
Price: $299.00
What is a UDI?
UDI stands for ‘Unique Device Identifier.’ This is a two-part identification code that is used as part of the FDA’s Unique Device Identifier System. The FDA issued its final rule on Unique Device Identifier Systems on September 24, 2013, with an effective date of December 23, 2013. The full 44-page document can be viewed on the Federal Register Website.
The idea or concept of having an identifier unique to each medical device is not a flashy new concept and has been in use in other industries for many years now. A UDI could be comparable to a VIN and license plates for vehicles or even social security numbers and driver’s license numbers in people. The idea is that there is a trackable piece of information that identifies individual types of medical devices.
The Two Parts of a UDI
A UDI includes two parts. One is the ‘Device Identifier’ or DI, and the other is the ‘Production Identifier’ or PI. The DI portion is the ‘Device Identifier.’ This portion of the UDI is mandatory and serves to identify the labeler and the specific model of the labeled device. Once the DI has been assigned, it is permanent and cannot be changed. Every variable of the device will require its own DI. For example, if multiple sizing options were produced for a device, then each size available would require a DI. Other variances, such as color and cosmetic or ergonomic design differences, also require separate DI numbers.
The ‘Production Identifier’ or PI and unlike the device identifier the PI identifies one of several pieces of information. I feel the best way to explain what information the PI provides is to directly quote the FDA itself.
“a production identifier (PI), a conditional, variable portion of a UDI that identifies one or more of the following when included on the label of a device:
the lot or batch number within which a device was manufactured;
the serial number of a specific device;
the expiration date of a specific device;
the date a specific device was manufactured;
the distinct identification code required by §1271.290(c) for a human cell, tissue, or cellular and tissue-based product (HCT/P) regulated as a device.” (FDA, UDI Basics 2015).
If a company were to produce multiple batches or lots of a device, the DI would remain the same, but the PI would be different for each batch produced.
UDI Formats
Your UDI must be provided in two separate formats. One is a plain text version that is simply an alphanumeric code that correlates with the information that it is trying to convey. This is a DI/PI code that must be labeled on the packaging of your medical device or, in some cases, on the device itself.
A second format is a form that is AIDC compatible. AIDC stands for ‘Automatic Identification and Data Capture’. AIDC collects your information without having to manually enter all of your data. Generally, this is some type of barcode or QR code.
You can see examples of AIDC technology in our daily lives. Some of the most common examples are barcodes, as mentioned above, and magnetic strips and chips as we see in our credit and debit cards. RFID, Optical Scanners, and other various biometrics are also included as some of the less common AIDC methods.
For more information on AIDC technology in general, you can follow the 3rd party website.
Your UDI should be located on your device label. This is a general rule, but the FDA has multiple exemptions and alternatives based on the device use and classification. The UDI’s are required to be directly marked on the devices themselves should they be intended to be used more than once and be reprocessed before each use.
If you are writing a UDI procedure for your company, double-check that your device does not fall under any of the FDA’s exceptions.
An example of one of the exceptions that may apply to your device is, “If your device is Class I, you may use a Universal Product Code (UPC) to serve as the UDI on the device label and package. In addition, the UDI on your class I devices is not required to include a PI.” (FDA, Small Entity Compliance Guide, 2014).
Packaging Levels for UDI
Each ‘package level’ also requires a new DI. For example, if your medical device were an insulin syringe that you sold in packages of 10 and bulk in packages of 100, each would need an individual ‘Device Identifier’. This does not mean that each package of 10 or 100 needs its own DI. These are not a lot or batch numbers. These numbers are for the user’s information, so shipping materials such as pallets and shrink wrap do not require DI/PI labeling. However, different models or any substantial updates to the medical device will need its DI.
As long as your syringe is only sold as an individual syringe, the UDI and labeling are compliant. As soon as an additional packaging level is introduced, an additional UDI is required. Using the same syringe example, if the syringes are also sold in packages that contain five of your already labeled medical devices, that package needs its UDI number. Another UDI would be required if the syringes were sold in packages of ten, twenty-five, or fifty. Every level of packaging that the device is sold in requires a UDI.
What is not considered an additional packaging level? Measures to protect your products during shipping are not considered additional packaging levels. This includes palletizing and wrapping your products to protect them from damage during shipping. Pallets, shipping containers, and trailers do not require a UDI.
Updated Products and UDI’s
UDI’s are specific to individual models of products and devices. As each packaging level or product variance, such as size offered, requires a UDI, so does each device change and upgrade. Say you launched your device 2 years ago and, based on consumer feedback, decided to make some changes to your device. The new version of your device is now no longer the same as the one that had the previous UDI issued to it.
You would now need a UDI for the essentially ‘new product’. You will also need to address the same compliance requirements for packaging levels and variances as you did with the original product. As you update your product, be aware that you may also need to update your UDI.
UDI date format requirements
The date format on device labels should be in the ‘International Standard’, which consists of Year-Month-Day as opposed to what would normally be seen in the United States, which is Month-Day-Year. For example, the date for April 18, 2018, would need to be written 2018-04-18.
This format would need to be used on your labeling for things such as the manufacture and expiration date of your product or device.
For UDI labels, the compliance date for implementing the International Date Standard will be the same as the compliance dates for UDI/AIDC.
Compliance Dates for Class I and Unclassified Devices.
Below is the FDA’s UDI Compliance Dates Table.
To extend the compliance dates for lower-risk medical devices, the FDA plans to issue a guidance document to provide an enforcement discretion policy for labeling, GUDID data submission, standard date formatting, and direct mark requirements for class I and unclassified devices, as indicated in Figure 1 below. This enforcement discretion policy would not apply to class I or unclassified implantable, life-supporting, or life-sustaining devices1 because labelers of these devices must already comply with UDI requirements.
Type of Device
Label (21 CFR 801.20), GUDID Submission (21 CFR Part 830, subpart E), and Standard Date Format (21 CFR 801.18) Requirements
Direct Mark (21 CFR 801.45) Requirements
Class 1 devices2
September 24, 2020
September 24, 2022
Unclassified devices
September 24, 2020
September 24, 2022
Figure 1
1 For implantable, life-supporting or life-sustaining devices of all classes, the compliance date for all UDI requirements and the standard date format requirement (21 CFR 801.18) was September 24, 2015. 2 Class I CGMP-exempt devices are excepted from UDI requirements. 21 CFR 801.30(a)(2)
Compliance Dates Established by FDA in Conjunction with UDI Final Rule
Compliance Date
Requirement
1 year after publication of the final rule (September 24, 2014)
The labels and packages of class III medical devices and devices licensed under the Public Health Service Act (PHS Act) must bear a UDI. § 801.20. Dates on the labels of these devices must be formatted as required by § 801.18. Data for these devices must be submitted to the GUDID database. § 830.300. A 1-year extension of this compliance date may be requested under § 801.55; such a request must be submitted no later than June 23, 2014. Class III stand-alone software must provide its UDI as required by § 801.50(b).
2 years after publication of the final rule (September 24, 2015)
A device that is a life-supporting or life-sustaining device that is required to be labeled with a UDI must a bear UDI as a permanent marking on the device itself if the device is intended to be used more than once and intended to be reprocessed before each use. § 801.45. Stand-alone software that is a life-supporting or life-sustaining device must provide its UDI as required by § 801.50(b).
Data for implantable, life-supporting, and life-sustaining devices that are required to be labeled with a UDI must be submitted to the GUDID database. § 830.300.
3 years after publication of the final rule (September 24, 2016)
Class III devices required to be labeled with a UDI must bear a UDI as a permanent marking on the device itself if the device is a device intended to be used more than once and intended to be reprocessed before each use. § 801.45.
The labels and packages of class II medical devices must bear a UDI. § 801.20. Dates on the labels of these devices must be formatted as required by § 801.18. Class II stand-alone software must provide its UDI as required by § 801.50(b).
Data for class II devices that are required to be labeled with a UDI must be submitted to the GUDID database. § 830.300.
5 years after publication of the final rule (September 24, 2018)
A class II device that is required to be labeled with a UDI must bear a UDI as a permanent marking on the device itself if the device is a device intended to be used more than once and intended to be reprocessed before each use. § 801.45.
The labels and packages of class I medical devices and devices that have not been classified into class I, class II, or class III must bear a UDI. § 801.20. Dates on the labels of all devices, including devices that have been excepted from UDI labeling requirements, must be formatted as required by § 801.18.
Data for class I devices and devices that have not been classified into class I, class II, or class III that are required to be labeled with a UDI must be submitted to the GUDID database. § 830.300. Class I stand-alone software must provide its UDI as required by § 801.50(b).
7 years after publication of the final rule (September 24, 2020)
Class I devices, and devices that have not been classified into class I, class II, or class III that are required to be labeled with a UDI, must a bear UDI as a permanent marking on the device itself if the device is a device intended to be used more than once and intended to be reprocessed before each use. § 801.45.
Compliance dates for all other provisions of the final rule. Except for the provisions listed above, FDA requires full compliance with the final rule as of the effective date that applies to the provision.
UDI Quality System Requirements
To comply with both Part 803.22 Medical Device Reporting and 820.198 Quality System Regulation, the documentation of UDI numbers included on device labeling is either required specifically or applicable to fulfill specific documentation and reporting requirements.
CFR 21 Chapter I Sub Chapter H Medical Devices Part 803.33 Medical Device Reporting
“(a) You must submit to us an annual report on Form FDA 3419. You must submit an annual report by January 1, of each year. You may obtain this form from the following sources:
(iv) Product model, catalog, serial, and lot number and unique device identifier (UDI) that appears on the device label or on the device package.”
For handling complaints as part of your quality system, inclusion of the UDI in your record of investigation is a specifically listed portion of device identifications and control numbers needed for reporting and record keeping.
Quality System Regulation Sub Part M Records 820.198
“(e) When an investigation is made under this section, a record of the investigation shall be maintained by the formally designated unit identified in paragraph (a) of this section. The record of investigation shall include:
(1) The name of the device;
(2) The date the complaint was received;
(3) Any unique device identifier (UDI) or universal product code (UPC), and any other device identification(s) and control number(s) used;”
All UDIs are required to be issued under a system operated by an FDA-accredited “Issuing Agency”. At the time of writing this, the FDA currently only has three FDA-accredited IA’s. They are GS1, HIBCC, and the ICCBBA. The UDI rule provides a process through which an agency would seek FDA accreditation. specifies the information that the applicant must provide to FDA and the criteria FDA will apply in evaluating applications.
To seek accreditation by the FDA as a UDI issuing agency, your UDI procedure must define the process outlined in the 21 CFR 830 Subpart C. This specifies the information that must be provided to the FDA as well as the FDA evaluation criteria. The FDA also asks that agencies seeking an initial accreditation contact the FDA directly at gudidsupport@fda.hhs.gov.
UDI Procedure for Labelers
Labelers are ultimately the ones that are responsible for complying with the FDA’s UDI labeling requirements. Are you a labeler? In most cases, but not always, the brand owner is typically the labeler.
The FDA defines a labeler as “(1) Any person who causes a label to be applied to a device with the intent that the device will be commercially distributed without any subsequent replacement or modification of the label; and
(2) Any person who causes the label of a device to be replaced or modified with the intent that the device will be commercially distributed without any subsequent replacement or modification of the label, except that the addition of the name of, and contact information for, a person who distributes the device, without making any other changes to the label, is not a modification for the purposes of determining whether a person is a labeler” (FDA, Webinar UDI 101)
Distributors add contact information only
A distributor may add their contact information to a label. As long as they are not altering the label in any other way. Alterations made to the label beyond this may constitute a change in who exactly is the labeler of the product.
Do UDI requirements apply to Foreign device manufacturers?
UDI labeling rules apply to all medical devices sold within the United States and Europe. Therefore, even if your company is located outside the US or Europe, you will need a UDI procedure, and you must comply with the UDI regulations to distribute products in these two markets.
GUDID Requirements for your UDI Procedure
GUDID stands for Global Unique Device Identification Database. This database is a reference catalogue that is open for viewing by the public for every medical device with an ‘identifier’. This database can be accessed through AccessGUDID. Unlike submission, which requires an account, AccessGUDID may be accessed by anyone.
Under the UDI Rule, the FDA requires labelers who have medical devices that are labeled with a UDI to submit their device to the GUDID. If you are wondering if your device has such a labeler, we referenced above that the FDA considered the labeler to be “the person who causes a label to be applied to a device, or who causes the label to be modified, with the intent that the device will be introduced into interstate commerce without any subsequent replacement or modification of the label; in most instances, the labeler would be the device manufacturer, but the labeler may be a specification developer, a single-use device reprocessor, a convenience kit assembler, a repackager, or a relabeler.”
The GUDID is created with data about devices according to the compliance timeline table shared above and is published in conjunction with the UDI rule. The GUDID only contains the device identifier, which is the primary key to obtaining device information in the GUDID database. Production Identifiers are not submitted or stored in the GUDID.
Learn how to become ISO 13485 certified while avoiding the stress that tortures other quality system managers.
Your cart is empty
What is ISO 13485?
ISO 13485 is an international standard for quality management systems that is specific to the medical device industry. ISO 13485:2016 is the most recent version of the standard, and it has become the blueprint for medical device company quality systems globally. If your company wants to design, manufacture, or distribute medical devices you should consider becoming ISO 13485 certified.
Yes, you need to maintain a copy of the ISO 13485 standard as a “document of external origin.” This is needed for reference when you are making updates to procedures in your quality system. If you are looking for the best place to purchase a copy of the ISO 13485:2016 standard, we recommend the Estonian Centre for Standardisation and Accreditation. If you purchase a copy, we recommend selecting the option for a multi-user license so the standard can be used by more than one person in your company and printed. The only difference between the EN ISO version and the International ISO version is that the EN ISO version includes harmonization Annex ZA for compliance with the EU MDR and Annex ZB for compliance with the EU IVDR. This version is also referred to as A11:2021. Here’s a copy of the text from the beginning of the Standard:
“This Estonian standard EVS-EN ISO 13485:2016/A11:2021 consists of the English text of the European standard EN ISO 13485:2016/A11:2021. This standard has been endorsed with a notification published in the official bulletin of the Estonian Centre for Standardisation and Accreditation. Date of Availability of the European standard is 08.09.2021. The standard is available from the Estonian Centre for Standardisation and Accreditation.”
Medical Device Academy’s experience with ISO 13485 training
Rob Packard created his first quality system in the Spring of 2004. In October of 2009, after successfully managing quality systems for three different medical device manufacturers, Rob joined BSI as a Lead Auditor and instructor. In April of 2010, he purchased the 13485cert.com URL and he began to help companies implement quality systems as a consultant (while continuing to audit and train 140 days per year for BSI). In 2011 his medical device blog postings began as a way to help medical device companies. In 2012, Rob began building a library of quality system procedures for a turn-key quality system and selling the procedures from the Medical Device Academy website. Dozens and dozens of consulting clients have successfully achieved ISO 13485 certification with Medical Device Academy’s turnkey quality system procedures, and hundreds of quality systems were audited and/or improved. This ISO 13485 training webinar is also included as part of our turnkey quality system.
Projected Changes for 2023
On February 23, 2022, the FDA published a proposed rule for medical device quality system regulation amendments. The FDA planned to implement amended regulations within 12 months, but the consensus of the device industry is that a transition of several years would be necessary. In the proposed rule, the FDA justifies the need for amended regulations based on the “redundancy of effort to comply with two substantially similar requirements,” creating inefficiencies. The FDA also provided estimates of projected cost savings resulting from the proposed rule. What is completely absent from the proposed rule is any mention of the need for modernization of device regulations.
The QSR is 26 years old, and the regulation does not mention cybersecurity, human factors, or post-market surveillance. Risk is only mentioned once by the regulation, and software is only mentioned seven times. The FDA has “patched” the regulations with guidance documents, but there is a desperate need for new regulations that include critical elements. The FDA has “patched” the regulations through guidance documents, but there is a desperate need for new regulations that include critical elements. The transition of quality system requirements for the USA from 21 CFR 820 to ISO 13485:2016 will force regulators to establish policies for compliance with each of these quality system elements. Companies that do not already have ISO 13485 certification should be proactive by 1) updating their quality system to comply with the standard and 2) adopting the best practices outlined in the following related standards:
AAMI/TIR57:2016 – Principles For Medical Device Security – Risk Management
IEC 62366-1:2015 – Medical devices — Part 1: Application of usability engineering to medical devices
ISO/TR 20416:2020 – Medical devices — Post-market surveillance for manufacturers
ISO 14971:2019 – Medical Devices – Application Of Risk Management To Medical Devices
IEC 62304:2015 – Medical Device Software – Software Life Cycle Processes
ISO/TR 80002-1:2009 – Medical device software — Part 1: Guidance on the application of ISO 14971 to medical device software
ISO/TR 80002-2:2017 – Medical device software — Part 2: Validation of software for medical device quality systems
Previous versions of the ISO 13485 webinars
This 2-part webinar has been previously recorded three different times. Our previous webinar on the 2003 version of ISO 13485 was split into two parts: Stage 1 and Stage 2. That first webinar was recorded in 2015. The webinars were updated in 2016 and again in 2018. We followed the same format, 2-part Stage 1 and Stage 2, for all of the subsequent ISO 13485 training webinars. The Stage 1 webinar focuses on the following processes:
Management Review
CAPA
Internal Auditing
Quality System Documentation
The Stage 2 webinar on the rest of the standard, including but not limited to:
Change Control
Customer Related Processes
Design Controls
Supplier Controls
Servicing
Process Validation
Acceptance Activities
Incoming Inspection
UDI Requirements
The most recent version of ISO 13485 webinars
The webinars explaining the requirements for ISO 13485 were last updated for 2020. Anyone that purchases these webinars will receive free access to updated versions of the ISO 13485 training webinars. If you are making a new purchase of these two training webinars, the webinars are only being sold as a bundle for $258. You get:
access to the Stage 1 webinar recorded July 24, 2020
access to the Stage 2 webinar recorded July 28, 2020
native slide decks for both webinars
This pair of ISO 13485 training webinars explain precisely what you need to do to implement a quality system compliant with ISO 13485. After you create your own plan (a free template is provided with a subscription), then you can show the recording of these two webinars to your management team so they can implement your plan in the next several months. All deliveries of content will be sent via Aweber emails to confirmed subscribers.
Webinar duration & format
Webinars were hosted live via Zoom in 2020. The Stage 1 webinar was 64 minutes, and the duration of the Stage 2 webinar was 82 minutes. When you purchase this webinar bundle, you will receive a link to download both recorded webinars from our Dropbox folder. In addition, you will receive links to download the native slide deck for each webinar from Dropbox.
Purchase the ISO 13485 training bundle
ISO 13485:2016 Training Webinars – Stage 1 & Stage 2
The webinars explaining the requirements for ISO 13485 were last updated for 2020. Anyone that purchases these webinars will receive free access to updated versions of the ISO 13485 training webinars. If you are making a new purchase of these two training webinars, the webinars are only being sold as a bundle for $258. You get:
1 – access to the Stage 1 webinar recorded July 24, 2020
2 – access to the Stage 2 webinar recorded July 28, 2020
3 – native slide decks for both webinars
Price: $258.00
Exam and Training Certificate available
Exam – ISO 13485:2016 update
This is a 20 question quiz with multiple choice and fill in the blank questions. The completed quiz is to be submitted by email to Rob Packard as an MS Word document. Rob will provide a corrected exam with explanations for incorrect answers and a training effectiveness certificate for grades of 70% or higher.
Price: $49.00
There is a big difference between being ISO 13485 certified and being compliant with ISO 13485:2016, the medical devices quality management systems standard. Anyone can claim compliance with the standard. Certification, however, requires that an accredited certification body has followed the requirements of ISO 17021:2015, and they have verified that your quality system is compliant with the standard. To maintain that certification, you must maintain your quality system’s effectiveness and endure both annual surveillance audits and a re-certification audit once every three years.
Step 1 – Planning for ISO 13485 certification
There are six steps in the ISO 13485 certification process, but that does not mean there are only six tasks. The first step in every quality system is planning. Most people refer to the Deming Cycle or Plan-Do-Check-Act (PDCA) Cycle when they describe how to implement a quality system. However, when you are implementing a full quality system, you need to break the “doing” part of the PDCA cycle into many small tasks rather than one big task. You also can’t implement a quality system alone. Quality systems are not the responsibility of the quality manager alone. Implementing a quality system is the responsibility of everyone in top management.
Below you will find seven tasks listed. I did NOT identify these nine tasks as “Steps” in the ISO 13485 certification process, because these tasks are typically repeated for each process in your quality system. Most quality systems are implemented over time, and the scope of the quality system usually grows. Therefore, you are almost certain to have to perform all of the following nine tasks multiple times–even after you receive the initial ISO 13485 certification. As the saying goes, “How do you eat an elephant? One bite at a time.” Therefore, avoid the inevitable heartburn caused by trying to do too much at one time. Implement your quality system one “bite” at a time.
Task 1 – Purchase applicable standards
The first task in implementing an ISO 13485 quality system is to purchase a copy of the ISO 13485:2016 standard, such as the MDSAP Companion Document. You will also need other applicable medical device standards. Some of these standards are general standards that apply to most, if not all, medical devices, such as ISO 14971:2019 for risk management. There are also guidance documents that explain how to use these general standards, such as ISO/TR 24971:2020, and guidance on how to apply ISO 14971:2019. Finally, there are testing standards that identify testing methods and acceptance criteria for things such as biocompatibility and electrical safety. You will need to monitor these standards for new and revised versions. When these standards are updated, you will need to identify the revised standard and develop a plan for addressing the changes.
When you purchase a standard, be sure to buy an electronic version of the standard so you can search the standard for keywords efficiently. You should also consider purchasing a multi-user license for the standard because every manager in your company will need to look up information in the standard. Alternatively, you could buy a paper copy of the standard and locate the standard where everyone in your company can access it. Often I am asked what the difference is between the EN version of the standard and the ISO version of the standard. “EN” is an abbreviation meaning European Standards or “European Norms,” which is based upon the literal translation from the French (i.e., “normes”) and German (i.e. “norm”) languages. “ISO” versions are international standards. In general, the body of the standard is typically identical but harmonized EN standards for medical devices include annexes ZA, ZB, and ZC that identify any deviations from the requirements in three medical device directives (i.e., MDD, AIMD, and IVDD).
Task 2 – Identify which processes are applicable
Clause 1 of ISO 13485 is specific to the scope of a quality system. ISO 9001, the general quality system standard, allows you to “exclude” any clause from your quality system certification. However, ISO 13485 will only allow you to exclude design controls (i.e., clause 7.3). Other clauses within ISO 13485 may be identified as “non-applicable” based upon the nature of your medical device or service. You must also document the reason for non-applicability in your quality manual. Typically, the following clauses are common clauses identified for non-applicability:
Clause 4.1.6 – quality system software
Clause 6.4 – work environment
Clause 7.5.2 – cleanliness of the product
Clause 7.5.3 – installation
Clause 7.5.4 – servicing
Clause 7.5.5 – sterile devices
Clause 7.5.6 – process validation
Clause 7.5.7 – sterilization validation
Clause 7.5.9.2 – implantable devices
Clause 7.5.10 – customer property
Clause 8.3.4 – rework
Task 3 – Assign a process owner to each process
The third task is to assign a process owner to each of the processes in your quality system. Typically, you create a master list of each of the required processes. Usually, the assignments are made to managers in the company who may delegate some or all of a specific process. You should expect most managers to be responsible for more than one process because there are 28 required procedures in ISO 13485:2016, but most companies have fewer than ten people when they first implement a quality system.
Task 4 – Prioritize and schedule the implementation of each process
The fourth task is to identify which processes need to be created first and to schedule the implementation of procedures from first to last. You can and should build flexibility into the schedule, but some procedures are needed at the beginning. For example, you need document control, record control, and training processes to manage all of your other procedures. You also need to implement the following processes to document your Design History File (DHF): 1) design controls, 2) risk management, 3) software development (if applicable), and 4) usability. Therefore, these represent the seven procedures that most companies will implement as early as possible. Procedures such as complaint handling, medical device reporting, and advisory notice procedures are usually reserved for last. These procedures are last because they are not needed until you have a medical device in use.
Task 5 – Create forms, flowcharts, and procedures for each process
Forms create the structure for records in your quality system, and a well-designed form can reduce the need for lengthy explanations in a procedure or work instruction. Therefore, you should consider developing forms first. The form should include all required information that is specified in the applicable standard or regulations, and the cells for that information should be presented in the order that the requirements are listed in the standard. You might even consider numbering the cells of the form to provide an easy cross-reference to the corresponding section of the procedure. Once you create a form, you might consider creating a flowchart next. Flowcharts provide a visual representation of the process. You might consider including numbers in the flow chart that cross-reference to the form as well.
Once you have created a form and a flowchart, you are now ready to write your quality system procedure. Many sections are typically included in a procedure template. It is recommended that you use a template to ensure that none of the basic elements of a procedure are omitted. You might also consider adding two sections that are uncommon to a procedure: 1) risk analysis of the procedure with the identification of risk controls to prevent risks associated with the procedure, and 2) a section for monitoring and measurement of the process to objectively measure the effectiveness of the process. These metrics are the best sources of preventive actions, and some of the metrics might be potential quality objectives to be identified by top management.
Task 6 – Perform a gap analysis of each procedure
Most companies rely upon internal audits to catch missing elements in their procedures. However, audits are intended to be a sampling rather than a 100% comprehensive assessment. Therefore, when a draft procedure is being reviewed and approved for the first time, or a major re-write of a procedure is conducted, a thorough gap analysis should be done before the approval of the draft procedure. Matthew Walker created an article explaining how to conduct a gap analysis of procedures. In addition, Matthew has been gradually adding cross-references to ISO 13485:2016 requirements in each procedure. He is color-coding the cross-referenced clauses in blue font as well. This makes it much easier for auditors to verify that a procedure is compliant with the regulations with minimal effort. The success of these two methods has taught us the importance of conducting a gap analysis of all new procedures.
Task 7 – Train applicable personnel for each process
You are required to document the training requirements for each person or each job in your company. Documentation of training requirements may be in a job description or within a procedure. In addition to defining who should be trained, you also need to identify what type of training should be provided. We recommend recording your training to ensure that new future employees receive the same training. This will ensure consistency. You are also required to maintain records of the training. You must verify that the training was effective, and you need to check whether the person is competent in performing the tasks. This training may require days or weeks to complete. Therefore, you may want to start training people several weeks before your procedure is approved. Alternatively, you can swap the order of tasks and conduct training after the procedure approval. If that approach is taken, then the procedure should indicate the date the procedure becomes effective–typical 30 days after approval to allow time for training.
Task 8 – Approve the procedure
Approval of a procedure may be accomplished by signing and dating the procedure itself, while another approach is to create a document that lists all the procedures and forms being approved at one time. The second method is the method we use in our turn-key quality system. Companies can review and approve as many procedures at one time as they wish. Since this process needs to be defined to ensure that all of the procedures you implement are approved, the document control process is typically the first procedure that companies will approve in a new quality system. The second procedure generally is for the control of records. Then the next procedures implemented will typically be focused on the documentation of design controls: design controls, risk management, usability testing, and software development. The last procedures to be approved are typically complaint handling, medical device reporting, and recalls. These procedures are left for last because you don’t need them until you are selling your medical device.
Task 9 – Start using the procedure and generating records
The last task required for the implementation of a new quality system is to start using the procedures to generate records. All of the procedures will need records before the process can be verified to be effective. Records can be paper-based, or the records can be electronic. Whichever format you use for the record retention needs to be communicated to everyone in the company through your Control of Records procedure and/or within each procedure. If you include the information in each procedure, the records of each procedure should be listed in the procedure, and the location where those records are stored should be identified. Generally, there is no specific minimum number of records to have for a certification audit, but you should have at least a few records for each process that you implement.
Step 2 – Conducting your first internal audit
The purpose of the internal audit is to verify the effectiveness of the quality system and to identify nonconformities before the certification body auditor finds them. To successfully achieve this secondary objective, it is essential to have a more rigorous internal audit than you expect for the certification audit. Therefore, the internal audit should be of equal duration or longer in duration than the certification audit. The internal audit should not consist of a desktop review of procedures. Reviewing procedures should be part of gap analysis (i.e., task 6 above) that is conducted on draft procedures before they are approved. Internal audits should utilize the process approach to auditing, and the auditor should apply a risk-based approach (i.e., focus on those processes that are most likely to contribute to the nonconforming products, result in a complaint, or cause severe injuries and death).
After your internal audit, you will receive an internal audit report from the auditor. You should also expect findings from the internal auditor, and you should expect opportunities for improvement (OFI) to be identified. Experienced auditors can typically identify the root cause of a nonconformity more quickly than most process owners. Therefore, it is recommended for each process owner and subject matter expert to review nonconformities with the auditor and discuss how the nonconformity should be investigated. The root cause must be correctly identified during the CAPA process, and the effectiveness check must be objective to ensure that problems do not recur.
Step 3 – Initiating corrective actions
Corrective actions should be initiated for each internal audit finding immediately, to make sure the findings are corrected and prevented from repeat occurrence before the Stage 1 audit. It will take a minimum of 30 days to implement the most corrective actions. Depending upon the scheduling of the internal audit, there may not be sufficient time to complete the corrective actions. However, you should at least initiate a CAPA for each finding, perform an investigation of the root cause, and begin to implement corrective actions.
Also, to take corrective actions related to internal audit findings, you should look for internal audits from other sources. The diagram below shows several different sources of potential corrective and preventive actions.
Monitoring and measuring each process is the best source of preventive actions, while internal audits are typically the best source of corrective actions. Any quality problems identified during validation are also excellent sources of corrective actions because the validation can be repeated as a method of demonstrating that the corrective actions are effective. However, your ISO 13485 certification auditor will focus on non-conforming products, complaints, and services as the most critical sources of corrective actions. These three sources are prioritized because these three sources have the greatest potential for resulting in a serious injury, death, or recall if corrective actions are not implemented to prevent problems from recurring.
Step 4 – Conducting your first management review
In addition to completing a full quality system audit before your stage 1 audit, you are also expected to complete at least one management review. To make sure that you have inputs for each of the 12 requirements in the ISO 13485:2016 standard, it is recommended to conduct your management review only after you have completed your full quality system audit and initiated some corrective actions. If possible, you should also conduct supplier audits for any contract manufacturers or contract sterilizers. It is recommended to use a template for that management review that is organized in the order of the required inputs to ensure that none of the necessary inputs are skipped. Quality objectives will need to be established long before the management review so that the top management team has sufficient time to gather data regarding each of the quality objectives. Also, you should consider delegating the responsibility for creating the various slides for each input to different members of top management. This will ensure that everyone invited to the meeting is engaged in the process, and it will spread the workload for meeting preparation across multiple people.
At the end of the meeting, top management will need to create a list of action items to be completed before the next management review meeting. Meeting minutes will need to be documented for the meeting, including the list of action items and each of the four required outputs of the management review process. We recommend using the notes section of a presentation slide deck to document the meeting minutes related to each slide. Then the slide deck can be converted into notes pages and saved as a PDF. The PDF notes pages will be your final meeting minutes for the management review. An example of one of these notes pages is provided in the figure below.
One of the more common non-value-added findings by auditors is when an auditor issues a nonconformity because you do not have your next internal audit and your next management review scheduled–even though each may have occurred only a month prior to the Stage 1 audit. Therefore, we recommend that you document your next 12-month cycle for internal audits and schedule your next management review as action items in every management review meeting. The schedule can be adjusted if needed, but this allows top management to emphasize various areas in internal audits that may need improvement. You might even set a quality objective to conduct a minimum of three management reviews per year at the end of your first management review.
Step 5 – Stage 1, Initial ISO 13485 Certification Audit
In 2006, the ISO 17021 Standard was introduced for assessing certification bodies. This is the standard that defines how certification bodies shall go about conducting your initial certification audit, annual surveillance of your quality system, and the re-certification of your quality system. In the past, certification bodies would typically conduct a “desktop” audit of your company before the on-site visit to make sure that you have all the required procedures. However, ISO 17021 requires that certification bodies conduct a Stage 1 audit that assesses the readiness of your company before conducting a Stage 2 audit. Therefore, even if the Stage 1 audit is conducted remotely, the certification body is expected to interview process owners and sample records to verify that the quality system has been implemented. Certification body auditors will also typically verify that your company has conducted a full quality system audit and at least one management review. Finally, the auditor will usually select a process such as corrective action and preventive action (CAPA) to make sure that you are identifying problems with the quality system and taking appropriate measures to address those problems.
Your goal for the Stage 1 audit should not be perfection. Instead, your focus is to make sure that there are no “major” nonconformities. The term “major” used to have a specific definition:
Absence of a documented procedure or process
Release of nonconforming product
Repeat nonconformities (not possible during a Stage 1)
Under the MDSAP, the grading system for nonconformities now uses a numbering system for grading nonconformities: “Nonconformity Grading System for Regulatory Purposes and Information Exchange Study Group 3 Final Document GHTF/SG3/N19:2012.” Any nonconformity is graded on a scale of one to four, and then two potential escalation rules are applied. If any nonconformities are graded as a four or a 5, then the auditor must assess whether a five-day notice to Regulatory Authorities is required. A five-day notice is required in either of the following situations: 1) one or more findings grading of “5”; or 2) three or more findings graded as “4.” If your Stage 1 audit results in a five-day notice, then you are not ready for your Stage 2 audit. For example, a complete absence of two required procedures in clauses 6.4 through 8.5 of ISO 13485:2016 would result in two findings with a grading of “4.” This would not result in a five-day notice, but the absence of a third required procedure would result in a five-day notice.
The duration of your Stage 1 audit will be one or two days, but a 1.5-day audit is quite common for MDSAP Stage 1 audits. The reason for the 1.5-day Stage 1 audit is that it is challenging to assess readiness for Stage 2 in one day, and if the total duration of Stage 1 and Stage 2 is 5.5 days, then the Stage 2 audit could be completed in four days. The four-day audit is more convenient than a three-day audit for a two-person audit team.
After your Stage 1 audit, you will receive an audit report, and you should expect findings. You should initiate corrective actions for each finding immediately, to make sure the findings are corrected and prevented from repeat occurrence before the Stage 2 audit. The duration between the audits is typically about 4-6 weeks. That does not leave much time for you to initiate a CAPA, perform an investigation of the root cause, and implement corrective action. At a minimum, you must submit a corrective action plan for each finding to your MDSAP auditing organization (AO) within 15 calendar days of receiving the finding. For any findings graded as a “4” or higher, you will need to provide evidence of implementing the corrective action plan to the AO within 30 calendar days of receiving the finding. You are also unlikely to have enough time to conduct an effectiveness check prior to the Stage 2 audit.
Step 6 – Stage 2, Initial ISO 13485 Certification Audit
The Stage 2 initial ISO 13485 certification audit will verify that all regulatory requirements have been met for any market you plan to distribute in. The auditor will complete an MDSAP checklist that includes all of the regulatory requirements for each of the countries that recognize MDSAP: 1) the USA, 2) Canada, 3) Brazil, 4) Austria, and 5) Japan. The auditor will also sample records from every process in your quality system to verify that the procedures and processes are fully implemented. This audit will typically be at least four days in duration unless multiple auditors are working in an audit team.
The audit objectives for the Stage 2 ISO 13485 certification audit specifically include evaluating the effectiveness of your quality system in the following areas:
Applicable regulatory requirements
Product and process-related technologies
Technical documentation
All procedures will be reviewed for compliance with ISO 13485:2016 and the applicable regulations. The auditor will also sample records from each process. If the auditor identifies any nonconformities during the audit, it is important to record the findings and begin planning corrective actions immediately. If you have any questions regarding the expectations for the investigation of the root cause, corrections, corrective actions, and effectiveness checks, you should ask the auditor during the audit or the closing meeting. At a minimum, you must submit a corrective action plan for each finding to your MDSAP auditing organization (AO) within 15 calendar days of receiving the finding. For any findings graded as a “4” or higher, you will need to provide evidence of implementing the corrective action plan to the AO within 30 calendar days of receiving the finding. The auditor will not be able to recommend you for ISO 13485 certification until your corrective action plans are accepted.
If you receive a finding with a grading of “5,” or three or more findings graded as “4,” then the MDSAP auditor is required to issue a five-day notification to the regulators. The auditor will also need to return to your facility for a follow-up audit to close as many findings as they can. It is not necessary to eliminate all of the findings in order to be recommended for ISO 13485 certification, but the grading of the findings must be reduced to at least a “3” before recommending the company for certification. The number of findings also determines whether the auditor recommends your company for certification.
In addition to reviewing the findings and conclusions of the audit during the closing meeting, the auditor will also review the plan for the annual surveillance and re-certification with you. Each certification cycle is three years in duration. There will be two surveillance audits of approximately one-third the duration of the combined duration of stage 1 and stage 2 initial certification audits, and the first surveillance audit must be completed within 12 months of the initial certification audit. In the third year, there will be a re-certification audit for two-thirds of the duration of the combined duration of stage 1 and stage 2 initial certification audits. The initial ISO 13485 certificate will be issued with a three-year expiration, and the certificate is typically received about one month after the acceptance of your corrective action plan.
Q&A
There are no stupid questions, and we can save your weeks of wasted time if you just ask for help. We are always looking for new ideas for blogs, webinars, and videos on our YouTube channel. If you have any general questions about obtaining ISO 13485:2016 certification, please email Rob Packard atrob@13485cert.com. If you have a suggestion for new ISO 13485 training materials, you can also use our “Suggestion Box.” You can also schedule an initial free consultation with Rob using his calendly link.
Process monitoring is required but do you know whether monitoring every procedure is required by the FDA QSR or ISO 13485?
One of the elements that Medical Device Academy has incorporated into each procedure we created in our turnkey quality system is a section titled, “monitoring and measurement.” The purpose of this section is to force each process owner to identify a process metric for monitoring every procedure. In some cases, we suggest a metric that would be appropriate for most companies establishing a new quality system. In other procedures, we use the following default text:
Where are the requirements for process monitoring in 21 CFR 820?
Some of the companies that have purchased our turnkey quality system have asked, “Is it required to monitor and measure something in every procedure?” In general, it is not a specific requirement to have a metric specified in each procedure. In fact, if your quality system is not ISO 13485 certified, there are actually only a few places where the US FDA requires monitoring. The FDA does not have a section specific to monitoring and measurement of processes, but there is a section of the regulations specific to statistical techniques (i.e. 21 CFR 820.250). However, it does not state in the QSR that statistical analysis is required for all processes. In fact, there are only six instances where the word “statistical” is used:
21 CFR 820.100(a)(1) – “Analyzing processes, work operations, concessions, quality audit reports, quality records, service records, complaints, returned product, and other sources of quality data to identify existing and potential causes of nonconforming product, or other quality problems. Appropriate statistical methodology shall be employed where necessary to detect recurring quality problems;”
21 CFR 820.200(b) – “Each manufacturer shall analyze service reports with appropriate statistical methodology in accordance with § 820.100.”
21 CFR 820.250 – “(a) Where appropriate, each manufacturer shall establish and maintain procedures for identifying valid statistical techniques required for establishing, controlling, and verifying the acceptability of process capability and product characteristics. (b) Sampling plans, when used, shall be written and based on a valid statistical rationale. Each manufacturer shall establish and maintain procedures to ensure that sampling methods are adequate for their intended use and to ensure that when changes occur the sampling plans are reviewed. These activities shall be documented.” Note: the other two instances are the title of 21 CFR 820.250.
The word “monitoring” is equally rare (i.e. 4x) in the QSR:
21 CFR 820.70(a) – “Each manufacturer shall develop, conduct, control, and monitor production processes to ensure that a device conforms to its specifications…Where process controls are needed…(2) Monitoring and control of process parameters and component and device characteristics during production.”
21 CFR 820.75(b) – “Each manufacturer shall establish and maintain procedures for monitoring and control of process parameters for validated processes to ensure that the specified requirements continue to be met…(2) For validated processes, the monitoring and control methods and data, the date performed, and, where appropriate, the individual(s) performing the process or the major equipment used shall be documented.”
Where are the requirements for process monitoring in ISO 13485:2016?
ISO 13485:2016 has a section specific to monitoring and measurement of processes (i.e. Clause 8.2.5). In addition, the word “monitoring” occurs 52 times in the standard and there are 60 incidents of some variant or the exact word. , but there is a section of the regulations specific to statistical techniques (i.e. 21 CFR 820.250). However, it does not state in the QSR that statistical analysis is required for all processes. In fact, there are only six instances where the word “statistical” is used. There are four Clause headings that actually include the word monitoring:
Clause 7.6, Control of monitoring and measuring equipment
Clause 8.2, Monitoring and measurement
Clause 8.2.5, Monitoring and measurement of processes
Clause 8.2.6, Monitoring and measurement of product
In Clause 1, Scope, and Clause 4.1.5, the Standard states that any outsourced processes remain the responsibility of the company and must be accounted for in the quality system by monitoring, maintaining, and controlling the processes.
Monitoring of risk is included in the definition of “risk management” in the Standard (i.e. Clause 3.18).
Clause 4.1.3 states that the organization shall, “b) ensure the availability of resources and information necessary to support the operation and monitoring of these processes…d) monitor, measure as appropriate, and analyze these processes.”
Clause 4.2.3 states that the contents of the Medical Device File (i.e. MDR or TF), shall include, “d) procedures for measuring and monitoring.”
Monitoring and measurement of processes and product are required inputs to the Management Review in Clauses 5.6.2e) and f).
Clause 6.4.1 requires a procedure for monitoring the work environment if it can have an effect on product quality.
Clause 7.1 requires the company to consider including monitoring in product realization planning.
Clause 7.4.1 requires a plan for monitoring suppliers.
Clause 7.5.1 requires monitoring production and service, including the monitoring of process parameters and product characteristics.
Clause 7.5.6 requires monitoring of validated process parameters.
Clause 7.5.8 requires identification of status with regard to product monitoring and measurement (i.e. inspection status).
Clause 7.6 requires monitoring and measurement of calibrated devices and validation of any computer software used to monitor calibrated devices.
Clause 8.1 states that companies shall plan and implement monitoring and measurement of processes.
Clause 8.2 is titled, “Monitoring and measurement.”
Clause 8.2.1 requires monitoring of customer feedback.
Clause 8.2.5 requires monitoring of processes to ensure planned results are achieved.
Clause 8.2.6 requires monitoring of products to ensure product requirements have been met.
Clause 8.4 requires data analysis of monitoring data from at least six different processes:
Feedback
Conformity to product requirements
Characteristics and trends of processes and products, including opportunities for improvement
Suppliers
Audits
Service reports, as appropriate
In summary, while not every single clause that requires a procedure includes a requirement for monitoring, there are a number of processes where the requirement to monitor the process is explicitly stated.
Why do all of our procedures include the requirement for metrics?
Medical Device Academy expanded the requirement for monitoring to all procedures for five reasons:
Quality objectives must be “established at relevant functions and levels within the organization.” Therefore, establishing monitoring requirements for each procedure ensures that top management has metrics for every process and a lack of data is never an excuse for not establishing a new quality objective when improvement is needed.
If every procedure has a requirement for monitoring, then employees don’t have to remember which processes require monitoring and which processes do not explicitly require monitoring.
The process approach to auditing includes metrics of the process as one of the seven items that are included in every process turtle diagram, and therefore, including metrics for each procedure facilitates the process approach to auditing.
If a company does not have a process metric already established, it is often difficult to perform an investigation of the root cause of quality issues. If a metric is already being monitored for the process, this facilitates the investigation of the root cause and you can use the baseline monitoring data to help you establish effectiveness criteria for the corrective action.
Finally, most companies struggle to identify preventive actions as required by Clause 8.5.3, and we have found that data analysis of monitoring data is the best source of identifying new preventive actions.
What are the disadvantages when you monitor and measure something in every procedure?
The primary reason for resistance to identifying a metric for monitoring in every procedure is that it will increase the workload for the employees responsible for that process. However, monitoring of data does not always increase workload. In fact, when process data is recorded in real-time on a run chart it is often possible to identify a trend much earlier than when data is simply recorded and subjected to monitoring.
Example #1: The automatic tracking of toner in a printer tells HP when to ship you a new toner cartridge before you need it. This ensures that there is no loss in productivity because you never run out of ink or the ability to print documents.
Example #2: Companies will use project management software (e.g. Asana) to monitor labor utilization. This will help identify when a specific resource is nearing capacity. When this occurs, the project manager can add time buffers to prerequisite steps and adjust the starting date of the resource-limited tasks to an earlier starting date. This ensures that more time is available to finish the task or to take advantage of resource availability at an earlier date.
Example #3: Monitoring the revision date for procedures helps the document control process owner identify procedures that should be evaluated for the need to be revised and updated. Often this is articulated as a quality objective of reviewing and updating all procedures within 2 years. This also ensures that procedures remain current and compliant with regulatory requirements.
What are the advantages of monitoring every procedure?
The phrase “what gets measured gets managed” is a popular business philosophy that implies measuring employee activity increases the likelihood that employees will complete a task or perform it well. In contrast, if a process is not monitored, employees may assume that it is not important and the tasks may be skipped or completely forgotten. Setting quantitative goals is also sometimes integrated with economic incentives or bonuses that are granted to individuals and teams.
FDA transition from QSR to ISO 13485
The US FDA is planning its transition from 21 CFR 820 to ISO 13485 as the quality system criteria. This will force companies to make adjustments to their quality systems and increase the amount of process monitoring performed. My general advice is to work with employees that are performing tasks to identify streamlined methods for monitoring those tasks without being overly burdensome. Then you and the employees you manage can analyze the data together and identify opportunities for improvement. When you do this, experiment with manual methods using whiteboards and paper charts that are visible in public areas first. Only implement automated solutions after you have optimized the data being collected and the frequency of data collection, and remember that not every process will benefit from automated statistical process control. Sometimes the simple approach is best.
This article provides an IVDR checklist for updating your ISO 13485 quality system to comply with EU Regulation 2017/746.
Why I created an IVDR checklist?
Hundreds (if not thousands) of IVD manufacturers are currently updating their ISO 13485:2016 certified quality system from compliance with the In Vitro Diagnostic Directive (i.e. Directive 98/79/EC) or IVDD to the new EU In Vitro Diagnostic Regulation (i.e. Regulation 2017/746). Revision of technical files and the associated procedures for creating your technical files is a big part of these updates. However, there is much more that needs to be updated than just the technical documentation. Therefore, IVD manufacturers are asking Medical Device Academy to conduct remote internal audits of their quality system to identify any gaps. Usually, we conduct internal audits using the process approach to auditing, but this is one of the scenarios where the element approach and an audit checklist are invaluable.
If you would like to download our IVDR checklist for FREE, please fill in the form below.
How do you use an audit checklist?
An audit checklist is used by quality system auditors to collect objective evidence during an audit. This objective evidence verifies compliance with regulatory requirements or internal procedural requirements. If the auditor is unable to find supporting evidence of compliance, the auditor may continue to search for data or identify the requirement as a nonconformity. Typically the checklist is in four columns using a tabular form. The left-hand column lists each requirement. The next column is where the auditor documents records sampled, procedures reviewed, and personnel interviewed. In the third column, the auditor indicates what they were looking for in the records, procedures, or during the interview. Some of the information in the second and third columns can often be entered prior to starting the audit by reviewing audit preparation documents (e.g. procedures and previous audit reports). In the fourth column the auditor will enter the objective evidence for conformity collected during the audit.
How to create an IVDR quality plan
Most of the companies that are preparing for an IVDR audit by their notified body already have ISO 13485:2016 certification and they are using the self-declaration pathway for CE Marking under the IVDD. Under the IVDR, a notified body must now review and approve the technical file. The notified body must also confirm that their quality system has been updated to include the IVDR requirements. The Technical File requirements are found in Annex II and III; while most of the quality system requirements are found in the Articles. The quality system requirements include:
a risk management process in accordance with Annex I – deviations from ISO 14971:2019 will be necessary)
conduct a performance evaluation–including a post-market performance follow-up (PMPF). This requirement is defined in Article 52 and Annex XIII
create and maintain a technical file in accordance with Annex II & III
create and maintain a Declaration of Conformity in accordance with Article 17
CE Mark the product in accordance with Article 18
implement a UDI system in accordance with Article 24, 26, and 28
record retention requirements for the technical file, Declaration of Conformity, and certificates shall be increased from 5 years to 10 years
set-up, implement, and maintain a post-market surveillance system in accordance with Article 78
document a procedure for communication with Competent Authorities, Notified Bodies, Economic Operators, Customers, and/or other Stakeholders
update procedures for reporting of serious incidents and field safety corrective actions in the context of vigilance to require reporting within 15 calendar days
update the product labeling to comply with Annex I, section 20
revise the translation procedure to ensure translations of the instructions for use are available in all required languages of the member states, and make sure these translations are available on the company website
create a procedure for utilization of the Eudamed database for registration, CE Marking applications, UDI data entry, and vigilance reporting
Which IVDR requirements are already met by your quality system?
Some companies also manufacture medical devices that must comply with Regulation (EU) 2017/745. For those companies, many of the above requirements are already incorporated into their quality system. In this case, you should still include all of the IVDR checklist requirements in your plan, but you should indicate that the requirement has already been met and audited previously.
Content related to our IVDR checklist
On Friday, April 1, 2022 @ 11 am EDT (8 am Pacific), Rob Packard will be Joe Hage’s guest speaker on the weekly MDG Premium Live video (please click on the link to register). The topic of the live presentation will be “How to create an IVDR quality plan.” #MedicalDevices#MDGpremium
This article identifies the requirements for purchasing controls and supplier qualification procedures, as well as best practices for implementation.
Purchasing Controls
Sourcing suppliers in the medical device industry is not as simple as going on the internet and finding your material and purchasing it. As part of a compliant quality management system, purchasing controls must be in place to ensure that quality products and materials are going into your device and that any service providers that your company uses in the production of your product or within your quality management system are qualified.
ISO 13485 Requirements
In light of that, ISO 13485:2016 sections 7.4.1 Purchasing process, 7.4.2 Purchasing information, and section 7.4.3 Verification of purchased product outline the purchasing requirements. The following are requirements for the evaluation and selection of suppliers:
The organization must have established criteria for the evaluation and selection of suppliers.
The criteria need to evaluate the supplier’s ability to provide a product that meets the requirements.
It needs to take into consideration the performance of the supplier.
It must consider the criticality and the effect that the purchased product may have on the quality of the medical device.
The level of supplier assessment and monitoring should be proportionate to the level of risk associated with the medical device.
Maintaining Purchasing Controls
To start, in the most basic sense, purchasing controls involve procedures that ensure you are only purchasing from suppliers who can meet your specifications and requirements. The best way to keep track of your qualified suppliers is to maintain an Approved Supplier List (ASL). You should only purchase products or services that affect your product or quality management system from companies on the ASL (you would not necessarily need to qualify things like office supplies or legal assistance through purchasing controls).
When used effectively, the Approved Supplier List can be a great tool to manage the key facets of purchasing control and keep track of supplier monitoring. Items that you can capture on the ASL include:
Supplier Name
Scope of Approved Supplies
Contact Information
Status of Approval (Approved, Pending, Unapproved, etc.)
Qualification Criteria
Supplier Certification and expiry dates
Monitoring Requirements/Activities
Date of Last Review
Date of Next Review
The first step in your purchasing procedure should involve checking to see if the supplier is under active approved status on the ASL. The second step will be to ensure that you are purchasing an item/service that is within the scope of approval of that supplier. If you have not approved the supplier, or the intended purchase is beyond the scope of that supplier, your purchaser will need to go through the necessary channels to add the supplier to the ASL or modify their scope on the ASL.
Supplier Qualification Criteria
As required by the FDA, the level of supplier assessment should be proportionate to the level of risk associated with the medical device. The FDA is not prescriptive about the use of specific qualifications or assessments for different types of suppliers, so that is up to your company to determine. This is a somewhat grey area but based on years working with companies and suppliers, as well as participating in FDA and ISO 13485 audits, there are some general expectations of vendor qualifications that we have observed and would recommend.
It is good practice to have a form or template that guides your supplier evaluation process. Using input from engineering and QA to first determine the level of risk and the requirements of that supplier, and then base your qualification plan on that information. If you have a higher risk supplier who may be supplying a critical component to your device, or providing a critical service such as sterilization, then your qualification process will be much more involved.
Here is an example of two different levels of criteria based on the type of supplier (the intent is not for the following items to be rules, and your company is responsible for determining the adequate acceptance criteria for suppliers, but this is a general example of what you may expect).
Critical Custom Component Supplier
ISO 13485 Certification
On-site audit of supplier’s facility
References
Provides Certificates of Analysis (CoA)
A written agreement that the supplier will communicate with the company regarding any changes that could affect their ability to meet requirements and specifications.
You validate a production sample, and it meets requirements
Non-Critical Consumable Supplier
Product available that meets the needs of the company.
An associate has previously used by an associate who recommends the supplier.
Adequate customer service returns allowed.
Additional Function of Supplier Evaluation Forms
The supplier evaluation form can also be used as the plan to assign responsibility and track completion and results during the initial evaluation. It can also include the plan for ongoing monitoring and control of the supplier. This evaluation form should be maintained as a quality record, and auditors will frequently ask to see supplier evaluations.
Are Supplier Audits Required as Purchasing Controls?
Also valuable, supplier audits may be included as part of an evaluation plan for a new supplier, the change of scope of a supplier, a routine audit as part of ongoing monitoring, or as part of a nonconformity investigation of a high-risk product. While it is not required by ISO 13485, nor does the FDA does specify in the CFR that you must audit suppliers, it is a very good idea to audit your critical suppliers. If an auditor or FDA inspector sees evidence that your current purchasing controls are inadequate, performing supplier audits may be forced as a corrective action.
Beyond that, you can gain so much value, and gather countless clues and important information in an audit that you just cannot get without visiting your critical supplier. You can see where they plan to/are making/cleaning/sterilizing/storing your product. Talk to the people on the line, are they competent and trained? Does the company maintain their facility well? How secure is it? Do they maintain adequate records and traceability? Have there been any nonconformities relating to your product that have been detected? Etc.
Supplier audits should also include evaluation of the procedures, activities, and records of the supplier that could have an impact on the product or service they are providing your company. If it is not the first audit of the company, you should be sure to review the previous audit report findings and ensure the company has addressed any nonconformities, review supplier performance data, information about any changes that may have occurred at the supplier since your last visit, etc.
Record Maintenance and Ongoing Evaluation of Suppliers
No matter the method of supplier qualification, it is best practice to maintain supplier files that contain useful information relative to the supplier that may include:
The original supplier qualification form
Supplier certificates
References
Audit reports
Subsequent performance evaluations
Expanded scope qualifications
Supplier communications
Current contact information
Copies of any non-conforming material reports related to the supplier, etc.
ISO 13485 requires monitoring and re-evaluation of suppliers, and maintaining detailed supplier files will assist in meeting this requirement, and will help in the feedback system to identify and recurring problems or issues with a supplier. On a planned basis, whether that is annually, or every order (dependent on the criticality of the product), your company should conduct a formal supplier evaluation to determine whether the supplier has continued to meet requirements – In general, annual supplier reviews are standard. Additionally, you must specify this frequency in your procedure (auditors will look for what period you specify in your procedure, and then will check your ASL to make sure all of your suppliers have been reviewed within that timeframe).
During the supplier evaluation, if you find there have been issues, you need to determine and weigh the risks associated with staying with that supplier, and document that in the supplier file. If you determine the supplier should no longer be qualified, then you must also indicate on the ASL that the company no longer approves of the supplier.
Making the Purchase
When you have verified your supplier is approved on the ASL, you are authorized to purchase a product. Engineering is usually responsible for identifying the product specifications, requirements for product acceptance, and adequacy of specified purchasing requirements before communication to the supplier. The specifications may be in the form of drawings or written specifications. Additional information communicated to the supplier should also include, as applicable, an agreement between your company and the supplier that the supplier will notify you before the implementation of changes relating to the product that could affect its ability to meet specified purchasing requirements. When the first batch of product is received from a particular supplier, it is a good idea to verify that the product performs as intended before entering into production with new material or components.
Supplier Nonconformity
From time to time, you may encounter issues with a supplier. Sources of nonconformity include incoming inspections, production nonconformities, final inspection, or customer complaints. You must notify your supplier of the nonconformity and record their response and assessment. Depending on the level of criticality of the vendor, it is reasonable to require them to perform a root cause analysis to determine and alleviate the cause of failure. You should also request documentation of an effectiveness check to ensure the supplier has taken corrective actions. You should maintain copies of supplier nonconformity reports in the supplier file, and discuss nonconformities during ongoing supplier evaluations.
If the supplier does not cooperate or fails to address the nonconformity in an acceptable manner, or if there is a pattern of nonconformities with the vendor, then you should disqualify the supplier, and indicate that the supplier is “not approved” on the ASL.
Purchasing Controls Procedures You Might Need
Medical Device Academy developed a Supplier Qualification Procedure, Purchasing Procedure, and associated forms that will meet purchasing controls regulatory requirements for ISO 13485:2016 and 21 CFR 820.50. These procedures will help you ensure that goods and services purchased by your company meet your requirements and specifications. If you have any questions or would like help in developing a custom procedure or work instructions that meet your company’s unique needs, please feel free to email me or schedule a call to discuss.
This article explains my process for updating training procedure SYS-004 for compliance with ISO 13845:2016 while the procedure was also simplified.
In addition to weekly blogging for the Medical Device Academy website, I am also updating each of my procedures for ISO 13485:2016 compliance. This week the training procedure (SYS-004) was updated. You are updating your procedures for compliance with the revised standard, but are you making any other strategic changes at the same time?
Changes to Training in ISO 13485:2016
The primary change to Clause 6.2 in ISO 13485 was the addition of the phrase, “shall document the process(es) for establishing competence, providing training, and ensuring awareness.” This doesn’t represent a change in the intent of the standard. Still, it does signal that certification bodies should be emphasizing the importance of assessing the effectiveness of training and competency–not just verifying the existence of training records.
Updating Training Procedure
The original version of SYS-004 had eight pages and included three different flow charts to explain the process. The procedure also required the use of a training plan for each employee. While I agree that managers should plan training if you make this a formal requirement with a controlled form, it creates an unnecessary burden for managers.
Therefore, when the procedure was updated to the requirements of ISO 13485:2016, the procedure was also simplified for smoother implementation by start-up companies. When you upgrade your procedures, you might look for similar opportunities to simplify and streamline the processes.
The updated procedure now has suggestions for how to consolidate specific roles for smaller companies. The procedure still references a training record for documenting training, but now there is also a reference to a training matrix to help document training requirements for each employee.
The FDA also requires that there are documented training requirements. Therefore, the procedure identifies the need to create a job description that includes training and competency requirements. The procedure does not, however, require that the job descriptions be maintained as controlled documents. If your company has multiple people with the same job function (e.g., customer service), then it might make sense to have a controlled document that is a job description for customer service. A company with four employees does not need controlled documents, and instead, a unique record for each employee makes more sense.
Updating Training Procedure to Explain How to Complete Forms?
Another option is to make your procedure very detailed to explain how to complete each section of a form, such as the training record (FRM-002) or the training matrix (FRM-026). However, I see very few managers struggle with completing training records. Therefore, instead, I plan to record a brief training webinar that explains how to fill in the forms. This will be provided as a free update to anyone that purchases the training competency procedure. This makes it easier to review the procedure for regulatory compliance and puts the details on how to complete forms in the training curriculum where it belongs.
If you have questions about how to update any of your procedures to ISO 13485, please email me at rob@13485cert.com. Maybe I’ll use your question as a topic for a future blog.
The Article reviews changes recommended for your control of records procedure to ensure compliance with ISO 13485:2016 and applicable regulatory requirements.
Nine months have already passed since the release of the 2016 version of ISO 13485. In 2015, you were told to update your quality system procedures early before the new European Regulations were released. There is a three year transition period, and you decided to do it next year. Now it’s 2017. It’s time to update your procedures.
Quality Plan for Revising Procedures to ISO 13485:2016
I plan to update one procedure each week from the 2003 version of ISO 13485 to the 2016 version. Some of the procedures were already updated last year, but just like you, I decided to finish the work next year. For the next six months, we will be busy revising procedures.
Training on the requirements for Control of Records
In addition to a procedure for control of records, you also need to train employees on good documentation practices. Initially, I created a webinar called “GDP 101” that combined control of documents, control of records, and training. Several people recommended that the webinar be revised to focus on the control of records. New webinars will be recorded each week to explain the updates to each procedure and to ensure that there is a training webinar for each procedure.
Three Generic Updates to Control of Records Procedure (SYS-002)
When you update a procedure, you need to do more than change the reference to the version of ISO 13485. For all procedures I recommend that you make three general improvements:
identify a risk-based approach for that procedure,
identify methods for documenting training effectiveness and competency, and
verify that you have updated the procedure to address regulatory requirements.
In the case of control of records, the most important records should have more rigorous controls and more frequent monitoring of record control to ensure it is effective. For example, the following critical records are frequently sampled by FDA inspectors and should be carefully stored, organized, and monitored:
CAPAs
Complaints
Adverse Event Reports
Recalls
Nonconforming Material Records
Design History Files
Training Records
FDA inspectors are not permitted to review records of your management reviews, internal audit records, and supplier records. However, all three records will be sampled by certification bodies, and therefore these three records exempt from the requirements of21 CFR 820.180should also be a priority for risk-based control of records.
To address the third of the generic procedural updates, you should be aware that the new EU Medical Device Regulations are expected to increase the required record retention period for non-implant devices from 5 years to 10 years. Implants are expected to remain at 15 years.
Three Procedure-Specific Updates to Control of Records Procedure (SYS-002)
In addition to the generic procedural updates, three changes in the Standard are specific to control of records. First, in the section for control of documents (renumbered as Clause 4.2.4), there is now a requirement to prevent the deterioration and loss of documents.
Second, there is now a requirement in Clause 7.3.10 for maintaining design and development files for devices. This may have previously been addressed as a requirement to meet the FDA requirements for maintaining a Design History File (DHF), but not all ISO 13485 certified companies sell a product in the USA.
Third, there is a new requirement related to the protection of confidential health information, such as the information gathered during complaint investigations and clinical studies. Many companies refer to this asHIPAAcompliance.
Updated Procedure & Webinar Bundle
If you need to update your control of records procedure and train your employees, you might consider ournew procedure and webinar bundle.
The article shares lessons learned from implementing procedures for a new ISO 13485 quality system. This is the second in a series. The first month of procedure implementation was covered in a previous article titled, “How to implement a new ISO 13485 quality system plan in 2016.”
Typically, I recommend implementing a new ISO 13485 quality system over six months. Still, recently I a few clients have requested my assistance with implementing a quality management system within four months. In November, I wrote an article about implementing a new ISO 13485 quality system. That article described implementing procedures for the first month. Specifically, the implementation of the following procedures was covered:
SYS-027, Purchasing
SYS-001, Document Control
SYS-002, Record & Data Control
SYS-004, Training & Competency
SYS-011, Supplier Quality Management
SYS-008, Product Development
SYS-010, Risk Management
SYS-006, Change Control
These eight procedures are typically needed first. This article covers the implementation of the next set of procedures. During this month, I recommend conducting company-wide quality management system training for the ISO 13485 and 21 CFR 820.
Implementing Receiving Inspection Procedures
During the first month, procedures for purchasing components and services are implemented. As these products are shipped and received by your company, you need to create records of incoming inspection. It is not sufficient to merely have a log for receiving inspection. You need records of the results of the inspection. You may outsource the inspection activities, but receiving personnel must review the records of inspection for accuracy and completeness before moving product to your storage warehouse or production areas. Even if the inspection is 100% outsourced, it is still recommended to verify the inspection results independently on a sampling basis periodically. This should be a risk-based sampling that takes into account the importance of the item being inspected and the existence of in-process and final inspection activities that will identify potential nonconformities.
The most challenging part of this process typically is identifying inspection procedures and calibrated devices for inspection. Your company must find a balance between inspections performed by suppliers, incoming inspection, in-process inspection, and final inspection. Each of these process controls requires time and resources, but implementation should be risk-based and take into account the effectiveness of each inspection process–as determined by process validation. Sample sizes for inspection should also be risk-based.
Implementing Procedures for Identification and Traceability
The lot or a serial number of components must be identified throughout product realization–including incoming inspection, storage, production, final inspection, and shipping. In addition to determining what things are, you must also identify the status of each item throughout the product realization process. For example:
Is the product to be inspected or already inspected?
After the inspection, is product accepted or rejected?
Which production processes have been completed?
Is the product released for the final shipment?
The procedure for identification and traceability should be implemented immediately after the purchasing process, implemented during 1st month, because traceability requirements should be communicated to suppliers as part of supplier quality agreements and as part of each purchase order.
Initially, when this process is implemented, there is a tendency to complete forms for every step of the process and to distribute copies of the forms to communicate status. Completing forms and copying paperwork requires labor and adds no value. Therefore, learn manufacturing methods and visual indicators such as color-coding are recommended as best practices for identifying products and their status.
Implementing CAPA Procedures
When a product is identified as nonconforming, corrective actions need to be implemented to prevent a recurrence. Procedures need to include the requirement for planning corrective actions, containing a nonconforming product, correcting nonconformities, and implementing actions to prevent any future nonconformities. These procedures also need to address negative trends to prevent nonconformities before the product is out of specification (i.e., preventive actions). Procedures also need to provide guidelines on how to verify the effectiveness of corrective and preventive actions. Initially, the actions implemented will be specific to a purchased product that is received and rejected. However, over time data analysis of process monitoring and internal auditing will identify additional corrective and preventive actions that are needed.
The effectiveness of CAPA processes, in general, requires three key elements:
In the CAPA training provided during the second month, the best practices for CAPA form design are covered. The training includes several methods for root causes analysis too. Finally, the training emphasizes using quantitative measurements to verify the effectiveness of corrective actions. It is recommended to identify the quantitative acceptance criteria for an effective corrective action before initiating actions to ensure that the actions planned are sufficient to prevent a recurrence.
Monitoring Your Procedure Implementation Process
As indicated in November’s article, I recommend using quantitative metrics to track the progress of procedure implementation. For example:
% of procedures implemented,
duration of document review and approval process, and
% of required training completed.
Implementing Procedures for ISO 13485:2016
If you already have a quality system in place, you are implementing procedures that are modified for ISO 13485:2016 compliance, some of the same lessons learned to apply. If you are interested in learning more about the changes required for compliance with the 2016 version of the standard, we recorded two live webinars on March 24, 2016.