This sub-category is dedicated to articles about the new version of ISO 13485:201x that is expected to be published at the end of this year or Q1 2016.
Would you like to learn nine ways to improve your quality system procedures? One method is precisely the opposite of our advice from 2011.
During a CAPA course I taught on Friday, January 28, 2011, one of the attendees asked if we teach a course on “How to write better quality system procedures.” Unfortunately, we could only offer material from a course about “Training the trainer.” That “Training the trainer” course focused on visual communication. Several books related to Lean Manufacturing explain how to use visual communication to replace text (i.e., “a picture says a thousand words”). During my ride home, however, I thought of a few other ideas that might help anyone writing or re-writing a procedure. The article was updated and posted as a new blog on Tuesday, March 28, 2023.
1. Use a standardized template for your procedures
In 2013 we published a blog about using a procedure template where we described our 12-part procedure template (i.e., TMP-001). You don’t have to mimic our template, but using a template will accelerate the speed of your writing when you create procedures, and it makes sure you don’t forget any of the essential elements. In addition, using templates ensures a consistent format that makes it easier for everyone to find the information they are looking for. Just make sure that your document control procedure allows flexibility to deviate from the template. The ISO 13485:2016 standard does require a “mandatory” format. Referring to your template as “suggested formatting” will avoid unnecessary nonconformities.
2. Create a process “turtle diagram” for each quality procedure
All of the procedures that Medical Device Academy created have a flow chart at the beginning of the procedure showing the procedures and forms associated with processes that are inputs to that procedure and outputs from that procedure. To systematically improve our procedures, we will be systematically replacing those flow charts with turtle diagrams for each process. This will give more detail than our current flow charts, and internal and external auditors can use the turtle diagrams to understand process interactions.
3. Avoid making unnecessary references to regulations and standards
If you are writing a procedure on risk management—it makes sense to reference ISO 14971. It does not make sense to reference all the other risk analysis standards unless you specifically use them to perform risk analysis. ISO 14971:2019, Clause 4.1, also states that you “shall establish, implement, document, and maintain an ongoing process for” risk management activities. However, the ISO 14971 standard is not directly linked to other procedures. Therefore, ISO 14971 should only be referenced in another if you are using it in that procedure or referencing it directly. For example, the Quality Manual (i.e., POL-001) explicitly references ISO 14971. In contrast, the design control procedure (i.e., SYS-008) references the risk management procedure (SYS-010) but doesn’t reference ISO 14971.
Concerning regulations, you should only reference regulations if the procedure meets a specific requirement. Color coding with symbols should demonstrate traceability to requirements (see method #5 below for further explanation). Rather than adding a reference to regulations in a procedure where there is no requirement, a better approach is to indicate in the Quality Manual that only procedures that have specific requirements will reference the regulations, such as 21 CFR 820 or Part 1 of the Canadian MDR.
4. Track standards, regulations, and the version used in your procedures
In the original 2011 version of this article, we advised quality managers to “avoid including the revision of a standard” because “this is just another opportunity for unnecessary nonconformities.” However, we find that our team has trouble identifying every procedure that a change in regulation or a standard might impact. A systematic process is needed to identify every procedure referencing a regulation or standard. Therefore, we will reference all impacted procedures next to the regulation or standard in our Master Document List (i.e., LST-001). References to the regulations will be added to the main tab for policies, procedures, and work instructions (i.e., [POL, SYS, and WI]). References to the standards will be added to the tab for documents of external origin (i.e., [Doc Ext Origin]).
Many people feel that you should not reference the version of a standard in a procedure because adding the version of the standard increases the number of documents that need to be updated when a standard changes. However, if you are only referencing standards in procedures when it is necessary, then that procedure should be reviewed and updated for the need to be changed. Updating the version of the Standard referenced is the best way to document that a gap analysis against the new version has been completed and the necessary updates were made to the procedure.
5. Use color coding and symbols in your quality system procedures
Matthew Walker, Medical Device Academy’s manager of the human factors team, has systematically updated many of our procedures to the EU Medical Device Regulations 2017/745 and the In Vitro Diagnostic Regulations 2017/746. When he updates our procedures, he references the regulations and applicable ISO 13485:2016 clauses. During certification audits, certification body auditors sometimes have difficulty finding where specific requirements are located in the procedures. Therefore, Matthew added color-coded clause references for our clients and auditors as a corrective action. To make the procedures inclusive for people that are color-blind, Matthew added symbols to supplement the color coding. The extra addition of symbols has proven invaluable because now anyone can search the documents electronically for a symbol to find where all the references are located.
6. Indicate the process owner and training requirements associated with each procedure
Identifying the process owner and training requirements in every procedure makes it easier to define who is responsible for reviewing and revising procedures. For the training requirements, the process owner should specify who needs to be trained on the process. Why? They know the procedure best. If there is a “grey area,” this should be resolved with the department manager for the job function. In addition, retraining requirements should be specified. The training section should also clarify if retraining is required when revising a procedure. If the revision is minor, training should only be necessary for people not trained on a previous revision.
7. Adopt thePlan-Do-Check-Act (PDCA) model for the structure of quality system procedures
For the “Plan” portion, the procedure should explain how to prepare to do something. This planning activity can apply to anything from planning to perform an audit to planning to inspect incoming raw materials. The “Do” portion is what most people refer to as the “Procedure” section. The “Check” portion of the procedure is a great place to specify the monitoring and measurement requirements for the process (see Section 8.1 of the Standard). Finally, the “Act” portion of the procedure should indicate what to do when target metrics are unmet. For example, what should be done when an alert limit is reached? What should be done when an action limit is reached?
8. Include therevision history of quality system procedures
It’s helpful to know which Document Change Notice (DCN) approved the document revision, why the changes were made, the nature of the changes, whether there is a related corrective action, and when the change was made. This will also tell auditors whether there is anything new to audit since the previous internal or external audit. This section is usually near the beginning of our procedures, but it doesn’t matter if the revision history is at the end or the beginning. However, it does help to be consistent.
9. Identify the form number, location, and retention period for each record
We have a section about quality system records near the end of every procedure. This section lists each quality system record that is associated with the procedure. The relevant form is referenced, but we recommend storing these records in electronic or paper folders labeled with the form number. If the files are digital, a hyperlink should be included. If the files are paper, then you should list the physical location of storage. The retention period can be listed in each procedure. Still, it will be essential to ensure that this information matches the regulatory requirements and record retention requirements in your “Control of Records” procedure (i.e., SYS-002).
The FDA patches the regulations with guidance documents, but there is a desperate need to modernize 21 CFR 820 to ISO 13485.
FDA Proposed Amendment to 21 CFR 820
On February 23, 2022, the FDA published a proposed rule for medical device quality system regulation amendments. The FDA planned to implement amended regulations within 12 months, but the consensus of the device industry is that a transition of several years would be necessary. In the proposed rule, the FDA justifies the need for amended regulations based on the “redundancy of effort to comply with two substantially similar requirements,” creating inefficiencies. In public presentations, the FDA’s supporting arguments for the proposed quality system rule change rely heavily upon comparing similarities between 21 CFR 820 and ISO 13485. However, the comparison table provided is quite vague (see the table from page 2 of the FDA’s presentation reproduced below). The FDA also provided estimates of projected cost savings resulting from the proposed rule. What is completely absent from the discussion of the proposed rule is any mention of the need to modernize 21 CFR 820.
Are the requirements “substantively similar”?
The above table provided by the FDA claims that the requirements of 21 CFR 820 are substantively similar to the requirements of ISO 13485. However, there are some aspects of ISO 13485 that will modernize 21 CFR 820. The areas of impact are 1) software, 2) risk management, 3) human factors or usability engineering, and 4) post-market surveillance. The paragraphs below identify the applicable clauses of ISO 13485 where each of the four areas are covered.
Modernize 21 CFR 820 to include software and software security
Despite the limited proliferation of software in medical devices during the 1990s, 21 CFR 820 includes seven references to software. However, there are some Clauses of ISO 13485 that reference software that are not covered in the QSR. Modernizing 21 CFR 820 to reference ISO 13485 will incorporate these additional areas of applicability. Clause 4.1.6 includes a requirement for the validation of quality system software. Clause 7.6 includes a requirement for the validation of software used to manage calibrated devices used for monitoring and measurement. Clause 7.3 includes a requirement for validation of software embedded in devices, but that requirement was already included in 21 CFR 820.30. The FDA can modernize 21 CFR 820 further by defining Software as a Medical Device (SaMD), referencing IEC 62304 for management of the software development lifecycle, referencing IEC/TR 80002-1 for hazard analysis of software, referencing AAMI TIR57 for cybersecurity, and referencing ISO 27001 for network security. Currently, the FDA strategy is to implement guidance documents for cybersecurity and software validation requirements, but ISO 13485 only references IEC 62304. The only aspect of 21 CFR 820 that appears to be adequate with regard to software is the validation of software used for automation in 21 CFR 820.75. This requirement is similar to Clause 7.5.6 (i.e., validation of processes for production and service provisions).
Does 21 CFR 820 adequately cover risk management?
The FDA already recognizes ISO 14971:2019 as the standard for the risk management of medical devices. However, the risk is only mentioned once in 21 CFR 820. In order to modernize 21 CFR 820, it will be necessary for the FDA to identify how risk should be integrated throughout the quality system requirements. The FDA recently conducted two webinars related to the risk management of medical devices, but implementing a risk-based approach to quality systems is a struggle for companies that already have ISO 13485 certification. Therefore, a guidance document with examples of how to implement a risk-based approach to quality system implementation would be very helpful to the medical device industry.
Modernize 21 CFR 820 to include Human Factors and Usability Engineering
ISO 13485 references IEC 62366-1 as the applicable standard for usability engineering requirements, but there is no similar requirement found in 21 CFR 820. Therefore, human factors are an area where 21 CFR 820 needs to be modernized. The FDA has released guidance documents for the human factors content to be included in a 510k pre-market notification, but the guidance was released in 2016 and the guidance does not reflect the FDA’s current thoughts on human factors/usability engineering best practices. The FDA recently released a draft guidance for the format and content of human factors testing in a pre-market 510k submission, but that document is not a final guidance document and there is no mention of human factors, usability engineering, or even use errors in 21 CFR 820. Device manufacturers should be creating work instructions for use-related risk analysis (URRA) and fault-tree analysis to estimate the risks associated with use errors as identified in the draft guidance. These work instructions will also need to be linked with the design and development process and the post-market surveillance process.
Modernize 21 CFR 820 to include Post-Market Surveillance
ISO/TR 20416:2020 is a new standard specific to post-market surveillance, but it is not recognized by the FDA. There is also no section of 21 CFR 820 that includes a post-market surveillance requirement. The FDA QSR focuses on reactive elements such as:
21 CFR 820.100 – CAPA
21 CFR 820.198 – Complaint Handling
21 CFR 803 – Medical Device Reporting
21 CFR 820.200 – Servicing
21 CFR 820.250 – Statistical Techniques
The FDA does occasionally require 522 Post-Market Surveillance Studies for devices that demonstrate risks that require post-market safety studies. In addition, most Class 3 devices are required to conduct post-approval studies (PAS). For Class 3 devices, the FDA requires the submitter to provide a plan for a post-market study. Once the study plan is accepted by the FDA, the manufacturer must report on the progress of the study. Upon completion of the study, most manufacturers are not required to continue PMS.
How will the FDA enforce compliance with ISO 13485?
It is not clear how the FDA would enforce compliance with Clause 8.2.1 in ISO 13485 because there is no substantively equivalent requirement in the current 21 CFR 820 regulations. The QSR is 26 years old, and the regulation does not mention cybersecurity, human factors, or post-market surveillance. Risk is only mentioned once by the regulation, and software is only mentioned seven times. The FDA has “patched” the regulations through guidance documents, but there is a desperate need for new regulations that include critical elements. The transition of quality system requirements for the USA from 21 CFR 820 to ISO 13485:2016 will force regulators to establish policies for compliance with all of the quality system elements that are not in 21 CFR 820.
Companies that do not already have ISO 13485 certification should be proactive by 1) updating their quality system to comply with the ISO 13485 standard and 2) adopting the best practices outlined in the following related standards:
AAMI/TIR57:2016 – Principles For Medical Device Security – Risk Management
IEC 62366-1:2015 – Medical devices — Part 1: Application of usability engineering to medical devices
ISO/TR 20416:2020 – Medical devices — Post-market surveillance for manufacturers
ISO 14971:2019 – Medical Devices – Application Of Risk Management To Medical Devices
IEC 62304:2015 – Medical Device Software – Software Life Cycle Processes
ISO/TR 80002-1:2009 – Medical device software — Part 1: Guidance on the application of ISO 14971 to medical device software
ISO/TR 80002-2:2017 – Medical device software — Part 2: Validation of software for medical device quality systems
What is the potential impact of the US FDA requiring software, risk management, cybersecurity, human factors, and post-market surveillance as part of a medical device company’s quality system?
Learn how to create a UDI procedure for compliance with the FDA and EU regulatory requirements for UDI compliance.
Your cart is empty
A Unique Device Identifier or UDI is required for all in vitro diagnostics (IVD) and devices in the USA and Europe as a tool for identifying the manufacturer, the device or IVD itself, and production-related details such as the date of manufacture and the lot number. To comply with these UDI requirements, you will need a UDI procedure compliant with the US regulations (i.e., 21 CFR 830 and parts of 21 CFR 801). To comply with European regulations, you will need a UDI procedure compliant with Article 24 and Annex VI of the IVDR and Article 27 and Annex VI of the MDR. The video below provides an overview of Medical Device Academy’s UDI procedure.
What’s included in our UDI Procedure?
The UDI procedure complies with ISO 13485:2016 as well as the European and US regulations. The procedure includes the following list of documents:
SYS-039 A D5 UDI Requirements Procedure
FRM-016 A D1 FDA UDI Checklist
FRM-017 A D2 EU UDI Checklist
We are including a training webinar explaining the FDA’s UDI System and the native presentation slide deck, and we will provide an exam (i.e., a 10-question quiz) to verify training effectiveness. If you submit the completed exam to us by email in the native MS Word format, we will correct the exam and email you a training certificate with your corrected exam. The FDA website also provides information about the UDI system. We also provide email notifications of free updates to the procedure and forms when we update the procedure to comply with new and revised regulations.
SYS-039 - UDI Requirements Procedure, Webinar and Exam Bundle
SYS-039, UDI Requirements Procedure Bundle; This training includes our procedure for UDI Requirements and the FDA template for the GUDID data elements. You will also receive a link to download our slide deck and webinar recording on UDI labeling. We also provide a 10 question quiz on the FDA's UDI requirements and a training certificate when you complete the quiz and submit it to Medical Device Academy for grading.
Price: $299.00
What is a UDI?
UDI stands for ‘Unique Device Identifier.’ This is a two-part identification code that is used as part of the FDA’s Unique Device Identifier System. The FDA issued its final rule on Unique Device Identifier Systems on September 24, 2013, with an effective date of December 23, 2013. The full 44-page document can be viewed on the Federal Register Website.
The idea or concept of having an identifier unique to each medical device is not a flashy new concept and has been in use in other industries for many years now. A UDI could be comparable to a VIN and license plates for vehicles or even social security numbers and driver’s license numbers in people. The idea is that there is a trackable piece of information that identifies individual types of medical devices.
The Two Parts of a UDI
A UDI includes two parts. One is the ‘Device Identifier’ or DI, and the other is the ‘Production Identifier’ or PI. The DI portion is the ‘Device Identifier.’ This portion of the UDI is mandatory and serves to identify the labeler and the specific model of the labeled device. Once the DI has been assigned, it is permanent and cannot be changed. Every variable of the device will require its own DI. For example, if multiple sizing options were produced for a device, then each size available would require a DI. Other variances, such as color and cosmetic or ergonomic design differences, also require separate DI numbers.
The ‘Production Identifier’ or PI and unlike the device identifier the PI identifies one of several pieces of information. I feel the best way to explain what information the PI provides is to directly quote the FDA itself.
“a production identifier (PI), a conditional, variable portion of a UDI that identifies one or more of the following when included on the label of a device:
the lot or batch number within which a device was manufactured;
the serial number of a specific device;
the expiration date of a specific device;
the date a specific device was manufactured;
the distinct identification code required by §1271.290(c) for a human cell, tissue, or cellular and tissue-based product (HCT/P) regulated as a device.” (FDA, UDI Basics 2015).
If a company were to produce multiple batches or lots of a device, the DI would remain the same, but the PI would be different for each batch produced.
UDI Formats
Your UDI must be provided in two separate formats. One is a plain text version that is simply an alphanumeric code that correlates with the information that it is trying to convey. This is a DI/PI code that must be labeled on the packaging of your medical device or, in some cases, on the device itself.
A second format is a form that is AIDC compatible. AIDC stands for ‘Automatic Identification and Data Capture’. AIDC collects your information without having to manually enter all of your data. Generally, this is some type of barcode or QR code.
You can see examples of AIDC technology in our daily lives. Some of the most common examples are barcodes, as mentioned above, and magnetic strips and chips as we see in our credit and debit cards. RFID, Optical Scanners, and other various biometrics are also included as some of the less common AIDC methods.
For more information on AIDC technology in general, you can follow the 3rd party website.
Your UDI should be located on your device label. This is a general rule, but the FDA has multiple exemptions and alternatives based on the device use and classification. The UDI’s are required to be directly marked on the devices themselves should they be intended to be used more than once and be reprocessed before each use.
If you are writing a UDI procedure for your company, double-check that your device does not fall under any of the FDA’s exceptions.
An example of one of the exceptions that may apply to your device is, “If your device is Class I, you may use a Universal Product Code (UPC) to serve as the UDI on the device label and package. In addition, the UDI on your class I devices is not required to include a PI.” (FDA, Small Entity Compliance Guide, 2014).
Packaging Levels for UDI
Each ‘package level’ also requires a new DI. For example, if your medical device were an insulin syringe that you sold in packages of 10 and bulk in packages of 100, each would need an individual ‘Device Identifier’. This does not mean that each package of 10 or 100 needs its own DI. These are not a lot or batch numbers. These numbers are for the user’s information, so shipping materials such as pallets and shrink wrap do not require DI/PI labeling. However, different models or any substantial updates to the medical device will need its DI.
As long as your syringe is only sold as an individual syringe, the UDI and labeling are compliant. As soon as an additional packaging level is introduced, an additional UDI is required. Using the same syringe example, if the syringes are also sold in packages that contain five of your already labeled medical devices, that package needs its UDI number. Another UDI would be required if the syringes were sold in packages of ten, twenty-five, or fifty. Every level of packaging that the device is sold in requires a UDI.
What is not considered an additional packaging level? Measures to protect your products during shipping are not considered additional packaging levels. This includes palletizing and wrapping your products to protect them from damage during shipping. Pallets, shipping containers, and trailers do not require a UDI.
Updated Products and UDI’s
UDI’s are specific to individual models of products and devices. As each packaging level or product variance, such as size offered, requires a UDI, so does each device change and upgrade. Say you launched your device 2 years ago and, based on consumer feedback, decided to make some changes to your device. The new version of your device is now no longer the same as the one that had the previous UDI issued to it.
You would now need a UDI for the essentially ‘new product’. You will also need to address the same compliance requirements for packaging levels and variances as you did with the original product. As you update your product, be aware that you may also need to update your UDI.
UDI date format requirements
The date format on device labels should be in the ‘International Standard’, which consists of Year-Month-Day as opposed to what would normally be seen in the United States, which is Month-Day-Year. For example, the date for April 18, 2018, would need to be written 2018-04-18.
This format would need to be used on your labeling for things such as the manufacture and expiration date of your product or device.
For UDI labels, the compliance date for implementing the International Date Standard will be the same as the compliance dates for UDI/AIDC.
Compliance Dates for Class I and Unclassified Devices.
Below is the FDA’s UDI Compliance Dates Table.
To extend the compliance dates for lower-risk medical devices, the FDA plans to issue a guidance document to provide an enforcement discretion policy for labeling, GUDID data submission, standard date formatting, and direct mark requirements for class I and unclassified devices, as indicated in Figure 1 below. This enforcement discretion policy would not apply to class I or unclassified implantable, life-supporting, or life-sustaining devices1 because labelers of these devices must already comply with UDI requirements.
Type of Device
Label (21 CFR 801.20), GUDID Submission (21 CFR Part 830, subpart E), and Standard Date Format (21 CFR 801.18) Requirements
Direct Mark (21 CFR 801.45) Requirements
Class 1 devices2
September 24, 2020
September 24, 2022
Unclassified devices
September 24, 2020
September 24, 2022
Figure 1
1 For implantable, life-supporting or life-sustaining devices of all classes, the compliance date for all UDI requirements and the standard date format requirement (21 CFR 801.18) was September 24, 2015. 2 Class I CGMP-exempt devices are excepted from UDI requirements. 21 CFR 801.30(a)(2)
Compliance Dates Established by FDA in Conjunction with UDI Final Rule
Compliance Date
Requirement
1 year after publication of the final rule (September 24, 2014)
The labels and packages of class III medical devices and devices licensed under the Public Health Service Act (PHS Act) must bear a UDI. § 801.20. Dates on the labels of these devices must be formatted as required by § 801.18. Data for these devices must be submitted to the GUDID database. § 830.300. A 1-year extension of this compliance date may be requested under § 801.55; such a request must be submitted no later than June 23, 2014. Class III stand-alone software must provide its UDI as required by § 801.50(b).
2 years after publication of the final rule (September 24, 2015)
A device that is a life-supporting or life-sustaining device that is required to be labeled with a UDI must a bear UDI as a permanent marking on the device itself if the device is intended to be used more than once and intended to be reprocessed before each use. § 801.45. Stand-alone software that is a life-supporting or life-sustaining device must provide its UDI as required by § 801.50(b).
Data for implantable, life-supporting, and life-sustaining devices that are required to be labeled with a UDI must be submitted to the GUDID database. § 830.300.
3 years after publication of the final rule (September 24, 2016)
Class III devices required to be labeled with a UDI must bear a UDI as a permanent marking on the device itself if the device is a device intended to be used more than once and intended to be reprocessed before each use. § 801.45.
The labels and packages of class II medical devices must bear a UDI. § 801.20. Dates on the labels of these devices must be formatted as required by § 801.18. Class II stand-alone software must provide its UDI as required by § 801.50(b).
Data for class II devices that are required to be labeled with a UDI must be submitted to the GUDID database. § 830.300.
5 years after publication of the final rule (September 24, 2018)
A class II device that is required to be labeled with a UDI must bear a UDI as a permanent marking on the device itself if the device is a device intended to be used more than once and intended to be reprocessed before each use. § 801.45.
The labels and packages of class I medical devices and devices that have not been classified into class I, class II, or class III must bear a UDI. § 801.20. Dates on the labels of all devices, including devices that have been excepted from UDI labeling requirements, must be formatted as required by § 801.18.
Data for class I devices and devices that have not been classified into class I, class II, or class III that are required to be labeled with a UDI must be submitted to the GUDID database. § 830.300. Class I stand-alone software must provide its UDI as required by § 801.50(b).
7 years after publication of the final rule (September 24, 2020)
Class I devices, and devices that have not been classified into class I, class II, or class III that are required to be labeled with a UDI, must a bear UDI as a permanent marking on the device itself if the device is a device intended to be used more than once and intended to be reprocessed before each use. § 801.45.
Compliance dates for all other provisions of the final rule. Except for the provisions listed above, FDA requires full compliance with the final rule as of the effective date that applies to the provision.
UDI Quality System Requirements
To comply with both Part 803.22 Medical Device Reporting and 820.198 Quality System Regulation, the documentation of UDI numbers included on device labeling is either required specifically or applicable to fulfill specific documentation and reporting requirements.
CFR 21 Chapter I Sub Chapter H Medical Devices Part 803.33 Medical Device Reporting
“(a) You must submit to us an annual report on Form FDA 3419. You must submit an annual report by January 1, of each year. You may obtain this form from the following sources:
(iv) Product model, catalog, serial, and lot number and unique device identifier (UDI) that appears on the device label or on the device package.”
For handling complaints as part of your quality system, inclusion of the UDI in your record of investigation is a specifically listed portion of device identifications and control numbers needed for reporting and record keeping.
Quality System Regulation Sub Part M Records 820.198
“(e) When an investigation is made under this section, a record of the investigation shall be maintained by the formally designated unit identified in paragraph (a) of this section. The record of investigation shall include:
(1) The name of the device;
(2) The date the complaint was received;
(3) Any unique device identifier (UDI) or universal product code (UPC), and any other device identification(s) and control number(s) used;”
All UDIs are required to be issued under a system operated by an FDA-accredited “Issuing Agency”. At the time of writing this, the FDA currently only has three FDA-accredited IA’s. They are GS1, HIBCC, and the ICCBBA. The UDI rule provides a process through which an agency would seek FDA accreditation. specifies the information that the applicant must provide to FDA and the criteria FDA will apply in evaluating applications.
To seek accreditation by the FDA as a UDI issuing agency, your UDI procedure must define the process outlined in the 21 CFR 830 Subpart C. This specifies the information that must be provided to the FDA as well as the FDA evaluation criteria. The FDA also asks that agencies seeking an initial accreditation contact the FDA directly at gudidsupport@fda.hhs.gov.
UDI Procedure for Labelers
Labelers are ultimately the ones that are responsible for complying with the FDA’s UDI labeling requirements. Are you a labeler? In most cases, but not always, the brand owner is typically the labeler.
The FDA defines a labeler as “(1) Any person who causes a label to be applied to a device with the intent that the device will be commercially distributed without any subsequent replacement or modification of the label; and
(2) Any person who causes the label of a device to be replaced or modified with the intent that the device will be commercially distributed without any subsequent replacement or modification of the label, except that the addition of the name of, and contact information for, a person who distributes the device, without making any other changes to the label, is not a modification for the purposes of determining whether a person is a labeler” (FDA, Webinar UDI 101)
Distributors add contact information only
A distributor may add their contact information to a label. As long as they are not altering the label in any other way. Alterations made to the label beyond this may constitute a change in who exactly is the labeler of the product.
Do UDI requirements apply to Foreign device manufacturers?
UDI labeling rules apply to all medical devices sold within the United States and Europe. Therefore, even if your company is located outside the US or Europe, you will need a UDI procedure, and you must comply with the UDI regulations to distribute products in these two markets.
GUDID Requirements for your UDI Procedure
GUDID stands for Global Unique Device Identification Database. This database is a reference catalogue that is open for viewing by the public for every medical device with an ‘identifier’. This database can be accessed through AccessGUDID. Unlike submission, which requires an account, AccessGUDID may be accessed by anyone.
Under the UDI Rule, the FDA requires labelers who have medical devices that are labeled with a UDI to submit their device to the GUDID. If you are wondering if your device has such a labeler, we referenced above that the FDA considered the labeler to be “the person who causes a label to be applied to a device, or who causes the label to be modified, with the intent that the device will be introduced into interstate commerce without any subsequent replacement or modification of the label; in most instances, the labeler would be the device manufacturer, but the labeler may be a specification developer, a single-use device reprocessor, a convenience kit assembler, a repackager, or a relabeler.”
The GUDID is created with data about devices according to the compliance timeline table shared above and is published in conjunction with the UDI rule. The GUDID only contains the device identifier, which is the primary key to obtaining device information in the GUDID database. Production Identifiers are not submitted or stored in the GUDID.
Process monitoring is required but do you know whether monitoring every procedure is required by the FDA QSR or ISO 13485?
One of the elements that Medical Device Academy has incorporated into each procedure we created in our turnkey quality system is a section titled, “monitoring and measurement.” The purpose of this section is to force each process owner to identify a process metric for monitoring every procedure. In some cases, we suggest a metric that would be appropriate for most companies establishing a new quality system. In other procedures, we use the following default text:
Where are the requirements for process monitoring in 21 CFR 820?
Some of the companies that have purchased our turnkey quality system have asked, “Is it required to monitor and measure something in every procedure?” In general, it is not a specific requirement to have a metric specified in each procedure. In fact, if your quality system is not ISO 13485 certified, there are actually only a few places where the US FDA requires monitoring. The FDA does not have a section specific to monitoring and measurement of processes, but there is a section of the regulations specific to statistical techniques (i.e. 21 CFR 820.250). However, it does not state in the QSR that statistical analysis is required for all processes. In fact, there are only six instances where the word “statistical” is used:
21 CFR 820.100(a)(1) – “Analyzing processes, work operations, concessions, quality audit reports, quality records, service records, complaints, returned product, and other sources of quality data to identify existing and potential causes of nonconforming product, or other quality problems. Appropriate statistical methodology shall be employed where necessary to detect recurring quality problems;”
21 CFR 820.200(b) – “Each manufacturer shall analyze service reports with appropriate statistical methodology in accordance with § 820.100.”
21 CFR 820.250 – “(a) Where appropriate, each manufacturer shall establish and maintain procedures for identifying valid statistical techniques required for establishing, controlling, and verifying the acceptability of process capability and product characteristics. (b) Sampling plans, when used, shall be written and based on a valid statistical rationale. Each manufacturer shall establish and maintain procedures to ensure that sampling methods are adequate for their intended use and to ensure that when changes occur the sampling plans are reviewed. These activities shall be documented.” Note: the other two instances are the title of 21 CFR 820.250.
The word “monitoring” is equally rare (i.e. 4x) in the QSR:
21 CFR 820.70(a) – “Each manufacturer shall develop, conduct, control, and monitor production processes to ensure that a device conforms to its specifications…Where process controls are needed…(2) Monitoring and control of process parameters and component and device characteristics during production.”
21 CFR 820.75(b) – “Each manufacturer shall establish and maintain procedures for monitoring and control of process parameters for validated processes to ensure that the specified requirements continue to be met…(2) For validated processes, the monitoring and control methods and data, the date performed, and, where appropriate, the individual(s) performing the process or the major equipment used shall be documented.”
Where are the requirements for process monitoring in ISO 13485:2016?
ISO 13485:2016 has a section specific to monitoring and measurement of processes (i.e. Clause 8.2.5). In addition, the word “monitoring” occurs 52 times in the standard and there are 60 incidents of some variant or the exact word. , but there is a section of the regulations specific to statistical techniques (i.e. 21 CFR 820.250). However, it does not state in the QSR that statistical analysis is required for all processes. In fact, there are only six instances where the word “statistical” is used. There are four Clause headings that actually include the word monitoring:
Clause 7.6, Control of monitoring and measuring equipment
Clause 8.2, Monitoring and measurement
Clause 8.2.5, Monitoring and measurement of processes
Clause 8.2.6, Monitoring and measurement of product
In Clause 1, Scope, and Clause 4.1.5, the Standard states that any outsourced processes remain the responsibility of the company and must be accounted for in the quality system by monitoring, maintaining, and controlling the processes.
Monitoring of risk is included in the definition of “risk management” in the Standard (i.e. Clause 3.18).
Clause 4.1.3 states that the organization shall, “b) ensure the availability of resources and information necessary to support the operation and monitoring of these processes…d) monitor, measure as appropriate, and analyze these processes.”
Clause 4.2.3 states that the contents of the Medical Device File (i.e. MDR or TF), shall include, “d) procedures for measuring and monitoring.”
Monitoring and measurement of processes and product are required inputs to the Management Review in Clauses 5.6.2e) and f).
Clause 6.4.1 requires a procedure for monitoring the work environment if it can have an effect on product quality.
Clause 7.1 requires the company to consider including monitoring in product realization planning.
Clause 7.4.1 requires a plan for monitoring suppliers.
Clause 7.5.1 requires monitoring production and service, including the monitoring of process parameters and product characteristics.
Clause 7.5.6 requires monitoring of validated process parameters.
Clause 7.5.8 requires identification of status with regard to product monitoring and measurement (i.e. inspection status).
Clause 7.6 requires monitoring and measurement of calibrated devices and validation of any computer software used to monitor calibrated devices.
Clause 8.1 states that companies shall plan and implement monitoring and measurement of processes.
Clause 8.2 is titled, “Monitoring and measurement.”
Clause 8.2.1 requires monitoring of customer feedback.
Clause 8.2.5 requires monitoring of processes to ensure planned results are achieved.
Clause 8.2.6 requires monitoring of products to ensure product requirements have been met.
Clause 8.4 requires data analysis of monitoring data from at least six different processes:
Feedback
Conformity to product requirements
Characteristics and trends of processes and products, including opportunities for improvement
Suppliers
Audits
Service reports, as appropriate
In summary, while not every single clause that requires a procedure includes a requirement for monitoring, there are a number of processes where the requirement to monitor the process is explicitly stated.
Why do all of our procedures include the requirement for metrics?
Medical Device Academy expanded the requirement for monitoring to all procedures for five reasons:
Quality objectives must be “established at relevant functions and levels within the organization.” Therefore, establishing monitoring requirements for each procedure ensures that top management has metrics for every process and a lack of data is never an excuse for not establishing a new quality objective when improvement is needed.
If every procedure has a requirement for monitoring, then employees don’t have to remember which processes require monitoring and which processes do not explicitly require monitoring.
The process approach to auditing includes metrics of the process as one of the seven items that are included in every process turtle diagram, and therefore, including metrics for each procedure facilitates the process approach to auditing.
If a company does not have a process metric already established, it is often difficult to perform an investigation of the root cause of quality issues. If a metric is already being monitored for the process, this facilitates the investigation of the root cause and you can use the baseline monitoring data to help you establish effectiveness criteria for the corrective action.
Finally, most companies struggle to identify preventive actions as required by Clause 8.5.3, and we have found that data analysis of monitoring data is the best source of identifying new preventive actions.
What are the disadvantages when you monitor and measure something in every procedure?
The primary reason for resistance to identifying a metric for monitoring in every procedure is that it will increase the workload for the employees responsible for that process. However, monitoring of data does not always increase workload. In fact, when process data is recorded in real-time on a run chart it is often possible to identify a trend much earlier than when data is simply recorded and subjected to monitoring.
Example #1: The automatic tracking of toner in a printer tells HP when to ship you a new toner cartridge before you need it. This ensures that there is no loss in productivity because you never run out of ink or the ability to print documents.
Example #2: Companies will use project management software (e.g. Asana) to monitor labor utilization. This will help identify when a specific resource is nearing capacity. When this occurs, the project manager can add time buffers to prerequisite steps and adjust the starting date of the resource-limited tasks to an earlier starting date. This ensures that more time is available to finish the task or to take advantage of resource availability at an earlier date.
Example #3: Monitoring the revision date for procedures helps the document control process owner identify procedures that should be evaluated for the need to be revised and updated. Often this is articulated as a quality objective of reviewing and updating all procedures within 2 years. This also ensures that procedures remain current and compliant with regulatory requirements.
What are the advantages of monitoring every procedure?
The phrase “what gets measured gets managed” is a popular business philosophy that implies measuring employee activity increases the likelihood that employees will complete a task or perform it well. In contrast, if a process is not monitored, employees may assume that it is not important and the tasks may be skipped or completely forgotten. Setting quantitative goals is also sometimes integrated with economic incentives or bonuses that are granted to individuals and teams.
FDA transition from QSR to ISO 13485
The US FDA is planning its transition from 21 CFR 820 to ISO 13485 as the quality system criteria. This will force companies to make adjustments to their quality systems and increase the amount of process monitoring performed. My general advice is to work with employees that are performing tasks to identify streamlined methods for monitoring those tasks without being overly burdensome. Then you and the employees you manage can analyze the data together and identify opportunities for improvement. When you do this, experiment with manual methods using whiteboards and paper charts that are visible in public areas first. Only implement automated solutions after you have optimized the data being collected and the frequency of data collection, and remember that not every process will benefit from automated statistical process control. Sometimes the simple approach is best.
This article provides an IVDR checklist for updating your ISO 13485 quality system to comply with EU Regulation 2017/746.
Why I created an IVDR checklist?
Hundreds (if not thousands) of IVD manufacturers are currently updating their ISO 13485:2016 certified quality system from compliance with the In Vitro Diagnostic Directive (i.e. Directive 98/79/EC) or IVDD to the new EU In Vitro Diagnostic Regulation (i.e. Regulation 2017/746). Revision of technical files and the associated procedures for creating your technical files is a big part of these updates. However, there is much more that needs to be updated than just the technical documentation. Therefore, IVD manufacturers are asking Medical Device Academy to conduct remote internal audits of their quality system to identify any gaps. Usually, we conduct internal audits using the process approach to auditing, but this is one of the scenarios where the element approach and an audit checklist are invaluable.
If you would like to download our IVDR checklist for FREE, please fill in the form below.
How do you use an audit checklist?
An audit checklist is used by quality system auditors to collect objective evidence during an audit. This objective evidence verifies compliance with regulatory requirements or internal procedural requirements. If the auditor is unable to find supporting evidence of compliance, the auditor may continue to search for data or identify the requirement as a nonconformity. Typically the checklist is in four columns using a tabular form. The left-hand column lists each requirement. The next column is where the auditor documents records sampled, procedures reviewed, and personnel interviewed. In the third column, the auditor indicates what they were looking for in the records, procedures, or during the interview. Some of the information in the second and third columns can often be entered prior to starting the audit by reviewing audit preparation documents (e.g. procedures and previous audit reports). In the fourth column the auditor will enter the objective evidence for conformity collected during the audit.
How to create an IVDR quality plan
Most of the companies that are preparing for an IVDR audit by their notified body already have ISO 13485:2016 certification and they are using the self-declaration pathway for CE Marking under the IVDD. Under the IVDR, a notified body must now review and approve the technical file. The notified body must also confirm that their quality system has been updated to include the IVDR requirements. The Technical File requirements are found in Annex II and III; while most of the quality system requirements are found in the Articles. The quality system requirements include:
a risk management process in accordance with Annex I – deviations from ISO 14971:2019 will be necessary)
conduct a performance evaluation–including a post-market performance follow-up (PMPF). This requirement is defined in Article 52 and Annex XIII
create and maintain a technical file in accordance with Annex II & III
create and maintain a Declaration of Conformity in accordance with Article 17
CE Mark the product in accordance with Article 18
implement a UDI system in accordance with Article 24, 26, and 28
record retention requirements for the technical file, Declaration of Conformity, and certificates shall be increased from 5 years to 10 years
set-up, implement, and maintain a post-market surveillance system in accordance with Article 78
document a procedure for communication with Competent Authorities, Notified Bodies, Economic Operators, Customers, and/or other Stakeholders
update procedures for reporting of serious incidents and field safety corrective actions in the context of vigilance to require reporting within 15 calendar days
update the product labeling to comply with Annex I, section 20
revise the translation procedure to ensure translations of the instructions for use are available in all required languages of the member states, and make sure these translations are available on the company website
create a procedure for utilization of the Eudamed database for registration, CE Marking applications, UDI data entry, and vigilance reporting
Which IVDR requirements are already met by your quality system?
Some companies also manufacture medical devices that must comply with Regulation (EU) 2017/745. For those companies, many of the above requirements are already incorporated into their quality system. In this case, you should still include all of the IVDR checklist requirements in your plan, but you should indicate that the requirement has already been met and audited previously.
Content related to our IVDR checklist
On Friday, April 1, 2022 @ 11 am EDT (8 am Pacific), Rob Packard will be Joe Hage’s guest speaker on the weekly MDG Premium Live video (please click on the link to register). The topic of the live presentation will be “How to create an IVDR quality plan.” #MedicalDevices#MDGpremium
This article identifies the requirements for purchasing controls and supplier qualification procedures, as well as best practices for implementation.
Purchasing Controls
Sourcing suppliers in the medical device industry is not as simple as going on the internet and finding your material and purchasing it. As part of a compliant quality management system, purchasing controls must be in place to ensure that quality products and materials are going into your device and that any service providers that your company uses in the production of your product or within your quality management system are qualified.
ISO 13485 Requirements
In light of that, ISO 13485:2016 sections 7.4.1 Purchasing process, 7.4.2 Purchasing information, and section 7.4.3 Verification of purchased product outline the purchasing requirements. The following are requirements for the evaluation and selection of suppliers:
The organization must have established criteria for the evaluation and selection of suppliers.
The criteria need to evaluate the supplier’s ability to provide a product that meets the requirements.
It needs to take into consideration the performance of the supplier.
It must consider the criticality and the effect that the purchased product may have on the quality of the medical device.
The level of supplier assessment and monitoring should be proportionate to the level of risk associated with the medical device.
Maintaining Purchasing Controls
To start, in the most basic sense, purchasing controls involve procedures that ensure you are only purchasing from suppliers who can meet your specifications and requirements. The best way to keep track of your qualified suppliers is to maintain an Approved Supplier List (ASL). You should only purchase products or services that affect your product or quality management system from companies on the ASL (you would not necessarily need to qualify things like office supplies or legal assistance through purchasing controls).
When used effectively, the Approved Supplier List can be a great tool to manage the key facets of purchasing control and keep track of supplier monitoring. Items that you can capture on the ASL include:
Supplier Name
Scope of Approved Supplies
Contact Information
Status of Approval (Approved, Pending, Unapproved, etc.)
Qualification Criteria
Supplier Certification and expiry dates
Monitoring Requirements/Activities
Date of Last Review
Date of Next Review
The first step in your purchasing procedure should involve checking to see if the supplier is under active approved status on the ASL. The second step will be to ensure that you are purchasing an item/service that is within the scope of approval of that supplier. If you have not approved the supplier, or the intended purchase is beyond the scope of that supplier, your purchaser will need to go through the necessary channels to add the supplier to the ASL or modify their scope on the ASL.
Supplier Qualification Criteria
As required by the FDA, the level of supplier assessment should be proportionate to the level of risk associated with the medical device. The FDA is not prescriptive about the use of specific qualifications or assessments for different types of suppliers, so that is up to your company to determine. This is a somewhat grey area but based on years working with companies and suppliers, as well as participating in FDA and ISO 13485 audits, there are some general expectations of vendor qualifications that we have observed and would recommend.
It is good practice to have a form or template that guides your supplier evaluation process. Using input from engineering and QA to first determine the level of risk and the requirements of that supplier, and then base your qualification plan on that information. If you have a higher risk supplier who may be supplying a critical component to your device, or providing a critical service such as sterilization, then your qualification process will be much more involved.
Here is an example of two different levels of criteria based on the type of supplier (the intent is not for the following items to be rules, and your company is responsible for determining the adequate acceptance criteria for suppliers, but this is a general example of what you may expect).
Critical Custom Component Supplier
ISO 13485 Certification
On-site audit of supplier’s facility
References
Provides Certificates of Analysis (CoA)
A written agreement that the supplier will communicate with the company regarding any changes that could affect their ability to meet requirements and specifications.
You validate a production sample, and it meets requirements
Non-Critical Consumable Supplier
Product available that meets the needs of the company.
An associate has previously used by an associate who recommends the supplier.
Adequate customer service returns allowed.
Additional Function of Supplier Evaluation Forms
The supplier evaluation form can also be used as the plan to assign responsibility and track completion and results during the initial evaluation. It can also include the plan for ongoing monitoring and control of the supplier. This evaluation form should be maintained as a quality record, and auditors will frequently ask to see supplier evaluations.
Are Supplier Audits Required as Purchasing Controls?
Also valuable, supplier audits may be included as part of an evaluation plan for a new supplier, the change of scope of a supplier, a routine audit as part of ongoing monitoring, or as part of a nonconformity investigation of a high-risk product. While it is not required by ISO 13485, nor does the FDA does specify in the CFR that you must audit suppliers, it is a very good idea to audit your critical suppliers. If an auditor or FDA inspector sees evidence that your current purchasing controls are inadequate, performing supplier audits may be forced as a corrective action.
Beyond that, you can gain so much value, and gather countless clues and important information in an audit that you just cannot get without visiting your critical supplier. You can see where they plan to/are making/cleaning/sterilizing/storing your product. Talk to the people on the line, are they competent and trained? Does the company maintain their facility well? How secure is it? Do they maintain adequate records and traceability? Have there been any nonconformities relating to your product that have been detected? Etc.
Supplier audits should also include evaluation of the procedures, activities, and records of the supplier that could have an impact on the product or service they are providing your company. If it is not the first audit of the company, you should be sure to review the previous audit report findings and ensure the company has addressed any nonconformities, review supplier performance data, information about any changes that may have occurred at the supplier since your last visit, etc.
Record Maintenance and Ongoing Evaluation of Suppliers
No matter the method of supplier qualification, it is best practice to maintain supplier files that contain useful information relative to the supplier that may include:
The original supplier qualification form
Supplier certificates
References
Audit reports
Subsequent performance evaluations
Expanded scope qualifications
Supplier communications
Current contact information
Copies of any non-conforming material reports related to the supplier, etc.
ISO 13485 requires monitoring and re-evaluation of suppliers, and maintaining detailed supplier files will assist in meeting this requirement, and will help in the feedback system to identify and recurring problems or issues with a supplier. On a planned basis, whether that is annually, or every order (dependent on the criticality of the product), your company should conduct a formal supplier evaluation to determine whether the supplier has continued to meet requirements – In general, annual supplier reviews are standard. Additionally, you must specify this frequency in your procedure (auditors will look for what period you specify in your procedure, and then will check your ASL to make sure all of your suppliers have been reviewed within that timeframe).
During the supplier evaluation, if you find there have been issues, you need to determine and weigh the risks associated with staying with that supplier, and document that in the supplier file. If you determine the supplier should no longer be qualified, then you must also indicate on the ASL that the company no longer approves of the supplier.
Making the Purchase
When you have verified your supplier is approved on the ASL, you are authorized to purchase a product. Engineering is usually responsible for identifying the product specifications, requirements for product acceptance, and adequacy of specified purchasing requirements before communication to the supplier. The specifications may be in the form of drawings or written specifications. Additional information communicated to the supplier should also include, as applicable, an agreement between your company and the supplier that the supplier will notify you before the implementation of changes relating to the product that could affect its ability to meet specified purchasing requirements. When the first batch of product is received from a particular supplier, it is a good idea to verify that the product performs as intended before entering into production with new material or components.
Supplier Nonconformity
From time to time, you may encounter issues with a supplier. Sources of nonconformity include incoming inspections, production nonconformities, final inspection, or customer complaints. You must notify your supplier of the nonconformity and record their response and assessment. Depending on the level of criticality of the vendor, it is reasonable to require them to perform a root cause analysis to determine and alleviate the cause of failure. You should also request documentation of an effectiveness check to ensure the supplier has taken corrective actions. You should maintain copies of supplier nonconformity reports in the supplier file, and discuss nonconformities during ongoing supplier evaluations.
If the supplier does not cooperate or fails to address the nonconformity in an acceptable manner, or if there is a pattern of nonconformities with the vendor, then you should disqualify the supplier, and indicate that the supplier is “not approved” on the ASL.
Purchasing Controls Procedures You Might Need
Medical Device Academy developed a Supplier Qualification Procedure, Purchasing Procedure, and associated forms that will meet purchasing controls regulatory requirements for ISO 13485:2016 and 21 CFR 820.50. These procedures will help you ensure that goods and services purchased by your company meet your requirements and specifications. If you have any questions or would like help in developing a custom procedure or work instructions that meet your company’s unique needs, please feel free to email me or schedule a call to discuss.
The article shares lessons learned from implementing procedures for a new ISO 13485 quality system. This is the second in a series. The first month of procedure implementation was covered in a previous article titled, “How to implement a new ISO 13485 quality system plan in 2016.”
Typically, I recommend implementing a new ISO 13485 quality system over six months. Still, recently I a few clients have requested my assistance with implementing a quality management system within four months. In November, I wrote an article about implementing a new ISO 13485 quality system. That article described implementing procedures for the first month. Specifically, the implementation of the following procedures was covered:
SYS-027, Purchasing
SYS-001, Document Control
SYS-002, Record & Data Control
SYS-004, Training & Competency
SYS-011, Supplier Quality Management
SYS-008, Product Development
SYS-010, Risk Management
SYS-006, Change Control
These eight procedures are typically needed first. This article covers the implementation of the next set of procedures. During this month, I recommend conducting company-wide quality management system training for the ISO 13485 and 21 CFR 820.
Implementing Receiving Inspection Procedures
During the first month, procedures for purchasing components and services are implemented. As these products are shipped and received by your company, you need to create records of incoming inspection. It is not sufficient to merely have a log for receiving inspection. You need records of the results of the inspection. You may outsource the inspection activities, but receiving personnel must review the records of inspection for accuracy and completeness before moving product to your storage warehouse or production areas. Even if the inspection is 100% outsourced, it is still recommended to verify the inspection results independently on a sampling basis periodically. This should be a risk-based sampling that takes into account the importance of the item being inspected and the existence of in-process and final inspection activities that will identify potential nonconformities.
The most challenging part of this process typically is identifying inspection procedures and calibrated devices for inspection. Your company must find a balance between inspections performed by suppliers, incoming inspection, in-process inspection, and final inspection. Each of these process controls requires time and resources, but implementation should be risk-based and take into account the effectiveness of each inspection process–as determined by process validation. Sample sizes for inspection should also be risk-based.
Implementing Procedures for Identification and Traceability
The lot or a serial number of components must be identified throughout product realization–including incoming inspection, storage, production, final inspection, and shipping. In addition to determining what things are, you must also identify the status of each item throughout the product realization process. For example:
Is the product to be inspected or already inspected?
After the inspection, is product accepted or rejected?
Which production processes have been completed?
Is the product released for the final shipment?
The procedure for identification and traceability should be implemented immediately after the purchasing process, implemented during 1st month, because traceability requirements should be communicated to suppliers as part of supplier quality agreements and as part of each purchase order.
Initially, when this process is implemented, there is a tendency to complete forms for every step of the process and to distribute copies of the forms to communicate status. Completing forms and copying paperwork requires labor and adds no value. Therefore, learn manufacturing methods and visual indicators such as color-coding are recommended as best practices for identifying products and their status.
Implementing CAPA Procedures
When a product is identified as nonconforming, corrective actions need to be implemented to prevent a recurrence. Procedures need to include the requirement for planning corrective actions, containing a nonconforming product, correcting nonconformities, and implementing actions to prevent any future nonconformities. These procedures also need to address negative trends to prevent nonconformities before the product is out of specification (i.e., preventive actions). Procedures also need to provide guidelines on how to verify the effectiveness of corrective and preventive actions. Initially, the actions implemented will be specific to a purchased product that is received and rejected. However, over time data analysis of process monitoring and internal auditing will identify additional corrective and preventive actions that are needed.
The effectiveness of CAPA processes, in general, requires three key elements:
In the CAPA training provided during the second month, the best practices for CAPA form design are covered. The training includes several methods for root causes analysis too. Finally, the training emphasizes using quantitative measurements to verify the effectiveness of corrective actions. It is recommended to identify the quantitative acceptance criteria for an effective corrective action before initiating actions to ensure that the actions planned are sufficient to prevent a recurrence.
Monitoring Your Procedure Implementation Process
As indicated in November’s article, I recommend using quantitative metrics to track the progress of procedure implementation. For example:
% of procedures implemented,
duration of document review and approval process, and
% of required training completed.
Implementing Procedures for ISO 13485:2016
If you already have a quality system in place, you are implementing procedures that are modified for ISO 13485:2016 compliance, some of the same lessons learned to apply. If you are interested in learning more about the changes required for compliance with the 2016 version of the standard, we recorded two live webinars on March 24, 2016.
This blog explains how to reconcile the conflict between ISO 13485 and ISO 9001, and discusses whether you should maintain dual certification.
What is the conflict between ISO 13485 and ISO 9001?
The previous version of ISO 13485 was released in 2003. That standard was written following the same format and structure as the overall quality system standard at the time (i.e., ISO 9001:2000). In 2008, there was an update to the ISO 9001 standard, but the changes were minor, only clarified a few points, and the periodic review of ISO 13485 in 2008 determined there was not a need to update 13485 at that time. Unfortunately, the proposed structure of the ISO 9001 standard was radically different, and this forces companies with dual certification to reconcile the conflict between ISO 13485 and ISO 9001.
On December 1-5, 2014, the working group for the revision of ISO 13485 (i.e., TC 210 WG1), met at AAMI’s Standards week to review the comments and prepare a first Draft International Standard (DIS). We should have some updates on the progress of the DIS later in December, but hopefully, the news will not be delayed in publication until 2016. The following is a summary of the status before last that meeting.
Updated ISO 13485 and ISO 9001 Standards Being Released
In 2015, there will be a new international version of ISO 9001 released. This new version will have dramatic changes to the standard–including the addition of a new section on risk management and the adoption of the new High-Level Structure (HLS) changing from 9 sections to 11.The ISO 13485 standard is also anticipated to have a new international version released in 2015, but the ISO 13485 standard will maintain the current HLS with nine sections. The timing of the ISO 9001:2015 release and the ISO 13485:2015 release will likely be around the same time (Correction: the ISO 13485:2016 standard was released in February 2016). Both standards are expected to have a three-year transition period for implementation. The combination of the three-year transition and lessened requirements in the new version of ISO 9001 for a structured quality manual should allow most manufacturers to wait until the ISO 13485 release before they begin drafting a quality plan for compliance with the new standards.Some of my clients have already indicated that they may drop their ISO 9001 certification when it expires, instead of changing their quality system to comply with the ISO 9001:2015 requirements. However, my clients will not have the ability to allow their ISO 13485 certification to lapse. Will Health Canada be updating GD210 and continue to require ISO 13485 certification for medical device licensing? What should companies do?
Update on the reconciliation of ISO 13485:2016 and ISO 9001:2015 on May 29, 2020:
GD210 was never updated, and instead, it was replaced by MDSAP
ISO 13485:2016 certification, under the MDSAP program, is required for Canadian Medical Device Licensing
Many device companies have dropped the ISO 9001 certification.
Recommendations
From the experience of preparing for the ISO 13485:2016 and ISO 9001:2015 releases, I learned that obtaining draft versions of the standards before publication is invaluable. I was able to use the drafts to help prepare quality plans for the transition. Second, companies need to train their management teams and auditors on the differences between the current and the new standards to enable a gap analysis to be completed. Any manager that is responsible for a procedure required by the current version of a standard should receive training specific to the changes to understand how they will meet the requirements for documented information. Most companies will need to improve theirrisk managementcompetency (which was updated again in December 2019). I recommend that companies begin drafting their quality plans and enter discussions with their certification body for quality system changes as early as possible. I also recommend that medical device companies maintain a quality manual structure that follows the ISO 13485:2016 standard rather than the ISO 9001:2015 standard. Following ISO 13485:2016 will help everyone locate information faster.
There is also specific text in the introduction of ISO 9001:2015 that states it is not the intent of the standard to imply the need to align your quality management system to the clause structure of the standard. Companies that maintain ISO 9001 certification should consider including cross-references between the two standards in their quality manual.
Historical Note
There are also European National (EN) versions of each standard(e.g., EN ISO 13485:2012). The EN versions are harmonized with the EU directives, but the content of the body or normative sections of the standards are identical. Historically, the differences were explained in Annex ZA, which was the last Annex in the EN version of the standard. In 2009 the harmonization annex for ISO 14971 (i.e., the medical device risk management standard) was split into three parts to match up with the three directives for medical devices (i.e., theMDD, AIMD, and IVDD). The new annexes (i.e., ZA, ZB, and ZC) were moved to the front of the EN version of the standard. The changes to ISO 14971 consisted of a correction and the change to Annex ZA. In 2012, there were new harmonization annexes created for ISO 13485 to follow the same format that was used for the EN ISO 14971 annexes. It is expected that these “zed” annexes will be released with a new EN version of the standard shortly after the international standard is published.
