Blog

Archive for ISO Certification

How to reconcile the conflict between ISO 13485 and ISO 9001

This blog explains how to reconcile the conflict between ISO 13485 and ISO 9001, and discusses whether you should maintain dual certification.

how to reconcile diverging standards How to reconcile the conflict between ISO 13485 and ISO 9001

The previous version of ISO 13485 was released in 2003. That standard was written following the same format and structure of the overall quality system standard at the time (i.e., ISO 9001:2000). In 2008, there was an update to the ISO 9001 standard, but the changes were minor, only clarified a few points, and the periodic review of ISO 13485 in 2008 determined there was not a need to update 13485 at that time. Unfortunately, the proposed structure of the ISO 9001 standard was radically different, and this forces companies with dual certification to reconcile the conflict between ISO 13485 and ISO 9001.

On December 1-5, 2014, the working group for the revision of ISO 13485 (i.e., TC 210 WG1), met at AAMI’s Standards week to review the comments and prepare a first Draft International Standard (DIS). We should have some updates on the progress of the DIS later in December, but hopefully, the news will not be a delay of publication until 2016. The following is a summary of the status before last that meeting.

Updated ISO 13485 and ISO 9001 Standards Being Released

In 2015, there will be a new international version of ISO 9001 released. This new version will have dramatic changes to the standard–including the addition of a new section on risk management and adoption of the new High-Level Structure (HLS) changing from 9 sections to 11. The ISO 13485 standard is also anticipated to have a new international version released in 2015, but the ISO 13485 standard will maintain the current HLS with nine sections. Timing of the ISO 9001:2015 release and the ISO 13485:2015 release will likely be around the same time (Correction: the ISO 13485:2016 standard was released in February 2016). Both standards are expected to have a three-year transition period for implementation. The combination of the three-year transition and lessened requirements in the new version of ISO 9001 for a structured quality manual should allow most manufacturers to wait until the ISO 13485 release before they begin drafting a quality plan for compliance with the new standards. Some of my clients have already indicated that they may drop their ISO 9001 certification when it expires, instead of changing their quality system to comply with the ISO 9001:2015 requirements. However, my clients will not have the ability to allow their ISO 13485 certification to lapse. Will Health Canada be updating GD210 and continue to require ISO 13485 certification for medical device licensing? What should companies do?

Update on the reconciliation of ISO 13485:2016 and ISO 9001:2015 on May 29, 2020:

  • GD210 was never updated, and instead, it was replaced the MDSAP
  • ISO 13485:2016 certification, under the MDSAP program, is required for Canadian Medical Device Licensing
  • Many device companies have dropped the ISO 9001 certification.

Recommendations

From the experience of preparing for the ISO 13485:2016 and ISO 9001:2015 releases, I learned that obtaining draft versions of the standards before publication is invaluable. I was able to use the drafts to help prepare quality plans for the transition. Second, companies need to train their management teams and auditors on the differences between the current and the new standards to enable a gap analysis to be completed. Any manager that is responsible for a procedure required by the current version of a standard should receive training specific to the changes to understand how they will meet the requirements for documented information. Most companies will need to improve their risk management competency (which was updated again in December 2019). I recommend that companies begin drafting their quality plans and enter discussions with their certification body for quality system changes as early as possible. I also recommend that medical device companies maintain a quality manual structure that follows the ISO 13485:2016 standard rather than the ISO 9001:2015 standard. Following ISO 13485:2016 will help everyone locate information faster.

There is also specific text in the introduction of ISO 9001:2015 that states it is not the intent of the standard to imply the need to align your quality management system to the clause structure of the standard. Companies that maintain ISO 9001 certification should consider including cross-references between the two standards in their quality manual.

Historical Note

There are also European National (EN) versions of each standard (e.g., EN ISO 13485:2012). The EN versions are harmonized with the EU directives, but the content of the body or normative sections of the standards are identical. Historically, the differences were explained in Annex ZA, and that was the last Annex in the EN version of the standard. In 2009 the harmonization annex for ISO 14971 (i.e., the medical device risk management standard) was split into three parts to match up with the three directives for medical devices (i.e., the MDD, AIMD, and IVDD). The new annexes (i.e., ZA, ZB, and ZC) were moved to the front of the EN version of the standard. The changes to ISO 14971 consisted of a correction and the change to Annex ZA. In 2012, there were new harmonization annexes created for ISO 13485 to follow the same format that was used for the EN ISO 14971 annexes. It is expected that these “zed” annexes will be released with a new EN version of the standard shortly after the international standard is published.

Posted in: ISO 13485:2016, ISO 9001:2008, ISO Certification

Leave a Comment (2) →

Disposition of Nonconforming Materials-21 CFR 820.90 Compliance

Disposition of Nonconforming Materials-21 CFR 820.90 Compliance focuses on determining a disposition method, including scrap, return to supplier, rework, use as-is, etc. Part 3 in our series will address process interactions with the non-conforming material process.

Sorting Disposition of Scrap Disposition of Nonconforming Materials 21 CFR 820.90 Compliance

In our previous blog (http://bit.ly/Auditing-NCRs-Part1), we focused on requirements to identify and segregate non-conforming materials. Once nonconformities are labeled and locked in your quarantine cage, what do you do next?

The next step in the process for controlling non-conforming materials is to determine disposition. The most common dispositions are:

  • Scrap
  • Return to Supplier (RTS)
  • Rework
  • Use As Is (UAI)

Some companies also have dispositions of sort and repair. The sort is not a disposition, and often creates confusion for anyone auditing records of non-conforming materials. Sorting is the process that you must perform when a lot of material fails to meet acceptance criteria. Still, some of the individual units within the lot meet the acceptance criteria. In this scenario, the following sequence of events is recommended.

Sorting

First, the lot is segregated from a conforming product, and an NCR number is assigned. Next, the lot is 100% inspected for the defect, and the results of the inspection are recorded on the inspection record. It is important to record the specific number of non-conforming units on the NCR record–not the total amount inspected. The final step is to release a conforming product back into the production process or warehouse, and the Material Review Board (MRB) will disposition the units identified as non-conforming.

If identifying non-conforming product requires an inspection method that is not typically performed, then the inspection plan needs to be corrected, or a corrective action plan is needed. New and unforeseen defects may indicate a process change, a change in the raw materials, or inadequate training of personnel at your company or your supplier. An investigation of the root cause is needed, and it is recommended to consider documenting this investigation as an internal CAPA or a Supplier Corrective Action Request (SCAR).

Material Review Board (MRB)

Most companies have a “Material Review Board” (MRB) that is responsible for making the decision related to the disposition of non-conforming material. Typically, the MRB will be scheduled once per week to review the most recent nonconformities. The board usually consists of a cross-functional team, such as:

  • Quality Assurance
  • Research & Development
  • Manufacturing
  • Supply Chain
  • Regulatory

The reason for a cross-functional team is to review the potential adverse effects of rework and potential risks associated with a UAI disposition. If rework is required, the cross-functional team will typically have the necessary expertise to create a rework instruction and to review and approve that rework instruction–including any additional inspections that may be required beyond the standard inspection work instructions.

Scrap

If the material is going to be scrapped, there is no risk to patients or users. Therefore, the entire MRB team should not be required to scrap products. Because there may be a cost associated with a scrap of non-conforming products, it is recommended that someone from accounting and a quality assurance representative approve scrap dispositions. Other departments should be notified of scrap, but a trend analysis of all non-conforming products should be reviewed by each department and by top management during management reviews. Auditors and FDA inspectors, specifically, will be looking for evidence of statistical analysis of non-conforming material trends and the implementation of appropriate corrective actions.

Return to Supplier (RTS)

Returning non-conforming material to the supplier that produced it is the most common disposition, but the trend of RTS should continuously be improving. If the trend of RTS is not improving, your supplier qualification process or your supplier control may be inadequate. The best way to ensure that the trend is improving is to initiate a SCAR. Some companies automatically wait until they have a trend of non-conforming material before initiating a SCAR. However, if you wait until a defect occurs twice, you are doubling the number of nonconformities for that root cause. If you wait until a defect occurs three times, you are tripling the nonconformities. For this disposition, there also does not need to be approved from the entire MRB. Typically, only someone from the supply chain management and quality assurance are needed to return non-conforming product to a supplier.

Rework

Almost every auditor looks for a specific phrase in the procedure for Control of Nonconforming Material: “The MRB will review and document the potential adverse effects of rework.” Most companies are doing this, but the procedures often do not specifically state this requirement, and rework instructions are often missing any specific inspection instructions that have been added to reduce risks associated with the rework process. Repeating the normal inspection criteria is seldom adequate for reworked product, because the rework process typically results in different defects.

Another phrase that auditors and inspectors are looking for is the requirement to document the rework instructions, and to have the instructions reviewed and approved by the same functions that reviewed and approved the normal production process. This requirement is often not specifically stated in the procedure, and FDA 483 inspection observations are commonly issued for this oversight.

Use As Is (UAI)

The UAI disposition should be rare. When I see a large number of NCRs with a disposition of UAI, I expect one of two reasons for this situation. First, the NCRs are for cosmetic defects where the acceptance criteria are too subjective and inspectors need clear guidelines regarding acceptable blemishes and unacceptable nonconformities. The visual inspection guides used during solder joint inspection for printed circuit boards is an excellent example of best practices for clearly defining visual inspection criteria. Personally, I prefer to use a digital camera to take pictures of representative “good” and “bad” parts. Then I create a visual inspection chart with a green, smiley face for “good” and a red, frowny face for “bad.” The best inspection charts identify the proper inspection equipment and quantitative acceptance criteria with pictures and symbols instead of words.

The second reason for a larger percentage of UAI dispositions is that the product specifications exceed the design inputs. For example, if a threaded rod needs to be at least 1” long, but a 1.25” long is acceptable, then you should not approve a drawing with a specification of 1.00” +/- 0.05”. Often, the legend of drawings will define a default tolerance that is unnecessary. A more appropriate specification would be 1.13” +/- 0.12”. No matter how much work it is to specifically define tolerances for each dimension on a drawing, the work required to do this at the time of initial drawing approval is much less than the work required to justify a UAI disposition. FDA inspectors will consider a UAI disposition as a potential adulterated or misbranded product, and a formal Health Hazard Evaluation (HHE) may be required to justify the reason why product is not recalled.

Regardless of the disposition of product, the decision for disposition should be a streamlined process that is not delayed unnecessarily. In order to ensure that your non-conforming material dispositions are effective and processed in a timely manner, our next blog (http://bit.ly/MDA-Blog) in the series about control of non-conforming materials will focus on process interactions, monitoring and measuring of non-conforming product and when to initiate a CAPA or SCAR to prevent more NCRs.

Posted in: ISO Certification

Leave a Comment (4) →

Stage 2 audit preparation for ISO 13485 certification – Part 2

In this article, you will learn what ISO 13485 stage 2 audit preparation you should complete specific to training records and practice interviews.
ISO Stage 2 Cert Stage 2 audit preparation for ISO 13485 certification   Part 2
Create a training matrix to prepare for the Stage 2 audit

During your Stage 1 ISO 13485 Certification audit, the auditor verifies that your company has all 28 procedures required in ISO 13485:2016. During the Stage 2 audit preparation, however, the auditor will be reviewing training records for each employee. A training matrix is one of the best tools for verifying that your training records are completed. First, you create a table of all 28 required procedures in Excel (this is your far left column). Across the top of the table, you need to list each of the employees in your organization. This would be difficult for a large organization, but most companies seeking initial ISO 13485 certification have less than 20 employees. In your training matrix, you need to identify which procedures each employee must be trained on. This is one of the most common ways to identify training requirements, and color-coding the matrix works is helpful.

Once you have defined your training requirements, review and approve this document as a controlled document that you will maintain as the company grows. However, as the company grows, you may convert specific names to job functions. Once the training requirements matrix is reviewed and approved, you should enter the date that training was completed for each employee. This is a more effective check than the “checkbox” approach, and it enables you to verify that everyone was trained since the last revision of any procedure. Now, you have a summary document to prove that 100% of your employees have current training on each of the 28 required procedures.

Interview employees as part of your Stage 2 audit preparation

During the Stage 2 audit, any of the employees could be interviewed by the auditor. As part of your Stage 2 audit preparation, you should interview each employee on your training matrix by asking them the following open-ended questions:

  1. Can you show me where I can find the company’s quality policy?
  2. Please explain how the quality policy is relevant to your job?
  3. Can you show me a copy of the training procedure?
  4. What quality objectives do you or your department monitor?

The first question is typical of auditors. You don’t have to have the policy memorized, but every employee should know where to find it. My favorite location is the back of employee ID badges, but the quality policy needs to be updated periodically. If everyone has the policy on their ID badge, you might consider handing out updated stickers with the revised quality policy when you hand out paychecks. The second question is related to the first, and it verifies that each person understands the importance of their job function as it relates to quality.

The third question is a test to ensure every employee can locate procedures. Don’t help them, because the auditor won’t. After each employee answers the question, make sure you explain the correct answer concerning where the most current version of every procedure is. Redlined copies in a drawer do not exist. The person should also have read each procedure in their training matrix so that they can answer a question. It’s ok to say “I don’t remember,” but they shouldn’t guess.

The fourth question verifies that top management has established quality objectives for all functions and at all levels within the company. Every manager should have at least one quality objective they are tracking, and progress toward the quality objective should be visibly communicated to everyone in the department. Employees, especially managers, should also be aware of where quality objectives for the company as a whole are posted. Ideally, each employee will know how their job function contributes to one or more of these objectives.

Stage 2 audit preparation – How to handle “stage fright”

Anyone can get nervous when they are being interviewed by an auditor–even the most experienced managers. In particular, a large entourage of observers following an auditor can make the situation worse. Therefore, you should anticipate this and discuss this with every employee in your company when you are doing practice interviews. Tell them this is normal, and it’s ok to be nervous. Remind them to take a deep breath to settle their nerves. Assure employees that they will not get in trouble for being nervous, and the company will not fail and audit just because someone has difficulty answering a question. At worst, you will need to initiate a CAPA and do some more training. The best-case scenario for a certification audit is that you will need to initiate a CAPA and do some more training. Either way, the outcome is the same. 

Congratulations on your successful Stage 2 audit preparation

Do not stress everyone out the day before your Stage 2 certification audit. You had six months to prepare, and everyone worked hard to help prepare the company. Now is the time to celebrate with your family. Everyone should go home on time and get a good night’s rest. Positive attitudes and relaxing are as crucial as all the work that has been completed. I learned this lesson the hard way during my first ISO 13485 Certification in 2004. We received certification, but I don’t recommend letting your boss turn purple with rage during the audit–it might be career limiting.

I have only made the mistake of staying up late the night before on one other occasion–and the client was not recommended for certification at the end of the Stage 2 audit. Fortunately, the auditor was able to schedule a follow-up audit within a few weeks, and we were able to address all the open issues at that time. The client received their ISO 13485 certificate and CE Certificate within three months of starting the project, and the certificates were just in time for an important trade show in Germany.

Additional training resources to prepare for ISO 13485:2016 certification

If you are interested in learning more about ISO Certification, please download Medical Device Academy’s whitepaper and watch our six-part webinar training certification course for ISO 13485:2016 certification preparation.

Posted in: ISO Certification

Leave a Comment (0) →

How to Prepare for an ISO 13485 Certification Stage 2 Audit-Part 1

last prep How to Prepare for an ISO 13485 Certification Stage 2 Audit Part 1

This blog, How to Prepare For an ISO 13485 Certification Stage 2 Audit-Part 1, reviews CAPA records, design controls, and production process controls.

Health Canada requires ISO 13485 certification as a requirement for all Medical Device License Applications, and most companies choose ISO 13485 certification as their method for demonstrating conformity to the requirements of the Medical Device Directive (MDD)–instead of a special MDD audit.

To achieve ISO 13485 certification, you must successfully complete a Stage 1 and Stage 2 certification audit with your chosen certification body (http://bit.ly/SelectingRegistrar). If you are interested in an overview of this certification process, you can download Medical Device Academy’s white paper on this topic (http://bit.ly/wpiso13485), or you can watch a webinar we recorded recently on ISO 13485 Certification (http://bit.ly/6-steps-to-ISO13485).

Management Processes

The Stage 1 audit is typically a one-day audit where the auditor is evaluating your readiness for the Stage 2 audit. The auditor will review your Quality Manual, and your procedures (19 are required) to ensure compliance with ISO 13485. Also, the auditor will sample records from critical processes to assess your readiness for the Stage 2 audit. Typically, these processes will be:

  1. Management Review
  2. CAPA
  3. Internal Auditing

After you complete the Stage 1 audit, you may have a few nonconformities identified by the auditor. Responding to these nonconformities is the first step in preparing for your Stage 2 certification audit. You need to initiate a CAPA for each of the auditor’s findings and begin implementation before the Stage 2 audit. Typically, you will have about six weeks to implement these actions. This is not usually enough time to complete your CAPAs because you need more time before you can verify the effectiveness of corrective actions (http://bit.ly/CAPA-effectiveness-checks).

Preparing CAPA Records

In preparation for your Stage 2 audit, prepare for the auditor to review any CAPAs that you completed since the Stage 1 audit–especially if you have evidence of completing an effectiveness check. You may think this is unnecessary because the auditor previously reviewed CAPAs during Stage 1. However, you probably received a nonconformity related to your CAPA process (almost everyone does), and you should expect auditors to review your CAPA process during every audit.

CAPA Effectiveness Graph 300x218 How to Prepare for an ISO 13485 Certification Stage 2 Audit Part 1Each CAPA record you present should be provided in a separate folder as a paper, hardcopy. The paper, hardcopy makes it easier for the auditor to review. The folder should include documentation of the investigation, a concise statement of the root cause, and copies of records for all corrections and corrective actions implemented. Corrective actions include procedure revisions and training records. If there is a quantitative measurement of effectiveness, include a graph of current progress with the record. Ideally, the graph will be one of your quality objectives. The graph to the right is an example.

Production Process Controls

Every company has at least some production and process controls implemented before the Stage 2 certification audit. Most auditors and inspectors spend too much time in conference rooms reviewing paperwork and too little time interviewing people that are performing work. However, many companies also outsource production activities. Therefore, unless you have a software product, you can expect your auditor to review incoming inspection activities. The auditor is also likely to review finished device inspection, storage, and distribution. If the auditor is thorough, they will also follow the trail from inspection activities to calibration activities, nonconforming materials, and data analysis.

Design Controls

If your company is a contract manufacturer, then you probably are excluding design controls (ISO 13485, Section 7.3) from the scope of your Quality System. However, if you are a manufacturer that performs design and development, then it is an element of the quality system that warrants special attention. During the Stage 1 certification audit, the auditor reviewed only your Design Control procedure. During Stage 2, the auditor will look for evidence of implementing design controls. Therefore, even if your company has not completed your first design project, the auditor will still want to see some evidence of implementation. The auditor will expect at least one design plan to be written, and at least one design review should be completed.

If you are familiar with the FDA Quality System Inspection Technique (QSIT) process for inspection, you might have noticed that this blog is divided into the same subsections identified in the QSIT Manual (http://bit.ly/QSITManual). You should also consider downloading Medical Device Academy’s free webinar recording on the topic of FDA inspection (http://bit.ly/QSIT-Preparation).

Posted in: ISO Certification

Leave a Comment (0) →

Management Review Meetings: 3 Compliance Issues

Three (3) compliance issues are discussed regarding management review meetings, including procedural requirements, forms and records, and attendance.

poor management review meetings Management Review Meetings: 3 Compliance Issues

Has your company ever received an audit finding or FDA 483 observation for the failure to provide objective evidence of management with executive responsibility attending the management review?

This type of finding is typically followed by a sentence that begins with “Specifically,” and ends with a quotation from the company’s management review procedure. There are three reasons why this finding is so common:

  1. Procedural requirements for attending the management review meeting do not match the actual practice
  2. Forms and records used to document the management review meetings are inadequate
  3. One or more members of the management team just didn’t show up

There are no prescriptive requirements in ISO 13485 or 21 CFR 820 that specify who must attend a management review meeting. Therefore, let’s investigate each of the possible reasons for this finding.

Procedural Requirements

One of the auditors I worked with for several years used to say, “You need to make sure your procedures give you ‘wiggle room.’” He knew from practical experience that managers are busy, and sometimes they can’t attend meetings. He also knew that sometimes job titles change, but your company’s organizational chart and procedures will lag behind these changes. In one of my previous blogs, I indicated that your management review procedure should allow some flexibility. The following are three probable events related to management review attendance:

  1. Management review requires rescheduling,
  2. Some of the management team is unable to attend
  3. Some of the management team can only participate by conference call

Rescheduling Management Review Meetings

Most companies document the requirement for when reviews must be conducted in the management review procedure. For example, “The management review shall be conducted during the first month of each quarter to review quality metrics from the previous quarter.” Instead, I recommend stating that at least two management reviews shall be conducted each year, and the date of the next management review shall be scheduled as part of the action items during each management review. Your procedure should also state that additional management reviews should be scheduled during periods of significant change to ensure the continued effectiveness of the quality system.

Even if you follow my advice for scheduling management reviews, you still need a mechanism for rescheduling the management review if an emergency comes up. I recommend allowing only the most senior manager on-site and the management representative to have the authority to reschedule the meeting. You can use Microsoft Outlook as a tool for communicating the rescheduled date to top management, but action items from the previous management review should reflect the change. Action items in your management review are quality system records, while printouts of your calendar are not. You should also consider placing a time limit on how far in the future, a management review can be rescheduled.

Delegating Attendance of Management Review Meetings & Conference Calls

To address #2 in the possible scenarios listed above, I recommend that your procedure allows for management to send a delegate in their place to a management review. I also recommend that your procedure allow managers to attend meetings remotely (i.e., via conference call, Webex, etc.) to address #3 listed above. However, management should be making every effort to attend the management review live, and everyone should be able to review the review inputs (i.e., Clause 5.6.2a-h) before the meeting.

Forms & Records of the Management Review Meetings

Management review meeting minutes are records that must indicate who was in attendance. If your procedure indicates that a specific job function should be represented at the Management Review, you need a form that is designed specifically to provide objective evidence that this person attended. Therefore, instead of listing job titles on the attendance sheet, or just using blanks for attendees to sign, you should have a form that lists the job titles. If a delegate is sent, they should indicate that they are the delegate authorized to sign for the absent member of top management.

Skipping the Management Review Meetings

Management review meetings are regulatory requirements and are intended to improve your quality system. If you can’t attend, you need to review the review inputs before the meeting and provide feedback. You should also assign a delegate who is supposed to take notes and represent the function of the manager that is not present. If you have been assigned the responsibility of preparing an input slide to the review, then you still need to provide this even if you are not present. If you are the management representative, and someone fails to provide slides for the management review, I recommend asking the assigned person to provide hard copies for each of the attendees. If the person doesn’t do this, indicate in the meeting minutes that inputs in one area were not available, and add an action item to the meeting conclusions regarding the need to address this gap.

FREE Webinar

If you are interested in a free management review webinar on this topic, please sign-up for our webinar. The webinar will also be available as a free recording for anyone that is registered. Registrants will also receive a copy of the webinar slide deck and a copy of the Medical Device Academy’s Management Review template.

Posted in: ISO Certification

Leave a Comment (0) →

Medical Device Management Review Procedure Improvements

management review Medical Device Management Review Procedure ImprovementsThe author provides suggestions for improving the writing of your medical device management review, scheduling meetings, and engaging top management. 

If the US FDA is not allowed to see Management Review meeting minutes, why were there one-hundred and seven 483 inspection observations against the Management Review process in FY 2012?

The US FDA is also not allowed to view records for internal audits and supplier audits, but there are 483 observations for these processes too. The FDA will assess the effectiveness of these processes by reviewing your procedures by verifying that you have a schedule, and you’re sticking to it. The ultimate test is to look for CAPAs initiated from these processes.

To avoid a 483 inspection observation against your Management Review process, you need four things:

  1. Procedure for Management Reviews
  2. Schedule for your Management Reviews
  3. Template to prevent errors
  4. The top management team that is trained

Writing a Medical Device Management Review Procedure

There is no requirement for a Management Review procedure in ISO 13485, but 21 CFR 820.20c states that the quality system shall be reviewed “at defined intervals and with sufficient frequency according to established procedure.” This frequency may be documented in the Quality Manual, or a Management Review procedure.

If you choose to write a procedure, keep it simple and reference a controlled template that includes each of the requirements listed above. Your procedure should also allow flexibility for each of the following probable events:

  1. Management Review requires rescheduling
  2. Some of the Management Team is unable to attend
  3. Some of the Management Team can only attend by conference call
  4. An action item from a previous review is left incomplete
  5. An action item is changed after the Management Review
  6. There is insufficient time available to review all the inputs during a single Review

Your Schedule for a Medical Device Management Review

The most common procedural requirements for the frequency of Management Reviews are:

  1. At least once per year
  2. Semi-annually
  3. Quarterly

Most companies choose to require a schedule of “at least once per year,” but what’s the point of reviewing quality system data from last February in January?

13485 Plus is a guidance document for the implementation of ISO 13485. Section 5.6.1 of the guidance document states, “If changes are planned or being implemented, more frequent reviews are normally needed.” Some companies even include this statement in their Management Review procedure. Unfortunately, most companies do not remember to change their schedule when they plan significant changes to their quality management system—such as mergers, new product launches, or an employee lay-off.

Every Management Review should include an action item scheduling the next Management Review. The timing of the next Management Review should reflect changes planned for the quality system and improvements needed to maintain effectiveness.

Conducting more than one Management Review also gives you the flexibility, assuming your procedure allows it, to review only some of the required inputs during a single Management Review. If you are short of time during your next management review, you could intentionally skip a required element. However, this approach also requires that you track which elements have been covered during your annual schedule and which elements were not. Any skipped elements must be covered at least once during the annual schedule for Management Reviews.

A Template for Medical Device Management Review

One of the most common nonconformities during an ISO audit is a finding that one of the required inputs or outputs was not included in the Management Review. The best way to ensure you don’t forget something is to use a template that is maintained by your document control process. This template should include the following:

  1. Eight Inputs (ISO 13485, Clause 5.6.2)
  2. Three Outputs (ISO 13485, Clause 5.6.3)
  3. Review of the Quality Policy (ISO 13485, Clause 5.3)
  4. Review of the Quality Objectives (ISO 13485, Clause 5.4.1)
  5. Review of the QMS effectiveness (ISO 13485, Clause 5.6.1)

The last item should be a conclusion in your management review meeting minutes. Often, the conclusions are worded in the following way, “The Quality Management System remains suitable, adequate and effective—with the exception of the areas that have been identified as requiring corrective actions in this management review.”

Engaging Top Management

Roles and responsibilities for the Management Review must be assigned. Some leaders choose to assign 100% of the Management Review to the Management Representative, and then the same executives complain that reviews are boring and take too long. To get the management team engaged, the responsibility for preparing reviews must be assigned to all members of the team. The Management Representative is responsible for “reporting to top management on the performance of the quality management system and any need for improvement.” Still, the ISO Standard does not imply that the representative cannot seek help from the rest of the team.

Each member of top management should be assigned responsibility for preparing and reporting on the part of the Management Review. This approach will ensure that all members of the management team are involved and engaged in the process. Your team may be assigned to work in pairs or smaller teams. Your team’s responsibilities may also be rotated to ensure that each member of the team is cross-trained and understands the importance of each Management Review requirement.

Before you can expect your management team to accept responsibility for preparing and reporting on the performance of the quality management system and improvement needs, Top Management needs the training to understand each of the requirements.

Free Webinar Training

Medical Device Academy also offers free webinar training on the Management Review process. If you are interested in training your top management team, please register for this management review webinar. It will also be available as a free recording for anyone that is registered. Registrants will also receive a copy of the webinar slide deck and a copy of the Medical Device Academy’s Management Review template.

 

Posted in: ISO Certification

Leave a Comment (3) →

6 Points for Effective Training on Medical Device QMS Procedures

%name 6 Points for Effective Training on Medical Device QMS ProceduresThe author provides 6 points for conducting effective training on medical device QMS procedures, including questions to ask for building consistent procedures.

Your Quality Management System (QMS) needs to provide objective evidence (i.e., records) that your staff is trained on procedures they use, and that their training was effective. You must also establish documented requirements for competency. The following examples might help:

  1. A record of you attending a course is a training record.
  2. A record of your taking and passing an exam related to that course is a record of training effectiveness.
  3. A record of you performing a procedure, witnessed by the trainer, is a record of competency. Your resume can also be a record of competency.

Unless a change is trivial in nature, signing a piece of paper that states you read and understood a procedure does not demonstrate training effectiveness. Learning and training are active processes that require engagement and interaction.

In a previous blog (http://bit.ly/12PartSOPTemplate), I described a slightly different procedure structure with some extra sections. There are a number of benefits to that structure, one of which is that the structure facilitates training. The additional sections are referred to in this blog. Whatever template you use, consistency of structure, and presentation across your procedures makes the procedures easier to learn and increases usability.

6 Points to Consider for Effective Training on Medical Device QMS Procedures

  1. Training requirements. For a new procedure, decide early in your writing which roles require training, what content is needed, and to what level is competency necessary. The example below is a table from a Quality Auditing procedure. The table shows the different requirements for different roles. I prefer to put this information in the procedure document—where it is unlikely to be overlooked or forgotten.training procedure 6 Points for Effective Training on Medical Device QMS Procedures
  2. Open book? For each of the roles listed above, determine whether you need trainees to be able to follow the procedure without the document at hand, or to know the procedure, and be able to find what they need.
  3. Training method. One-on-one or group? Classroom style, on-job, or remote? This depends on your company, nature of the procedure, and your requirements above.
  4. PowerPoint or not? My preference is to walk trainees through the procedure, actually have them flipping the pages and writing notes on it. If I use PowerPoint, it’s to clarify the structure and emphasize important points.
  5. Control of training copies. Paper copies of procedures and forms used for training should be controlled. Your Document Control procedure should allow for clearly marked “Training” copies to be available before the effective date. Make sure your training also reminds trainees where to find the official released a copy of procedures after training is completed.
  6. Control of training material. Include your slides, training scenarios, quizzes, etc. in your document control system. Review and revise them each time you change a procedure. 

Building Consistent Procedures: Questions to Ask and Recommendations

Use a consistent structure for your procedures, then build a consistent training structure around that. The predictability in structure will improve the effectiveness of your training.

  1. Purpose. Why are we doing this? What is the outcome we are after?
  2. Scope. When do I use this procedure? When do I not, and what do I do as an alternative?
  3. References. How does this interface to other procedures? Turtle diagrams or interface maps are useful here
  4. Definitions. Unfamiliar jargon, and terms that are used in a very specific way in this procedure
  5. Risk. What risks does this procedure address? How does this affect the design of the procedure – why are we doing it that way? Refer to my earlier blog (http://bit.ly/12PartSOPTemplate) where I explain how to include this in each procedure
  6. The procedure. Walkthrough the flowchart, explain the accompanying notes, relate the procedure flow to the responsibilities and authorities outlined earlier in the procedure
  7. Records. What do I do with the completed records from this procedure? Where do I find a copy when I need it?
  8. Examples. I suggest a training version of the form (which should be available later for reference) with guidance and examples
  9. Practice. Provide a scenario and a blank form for trainees to work through, individually or in groups
  10. Testing. Check that the training has been effective. The role competencies that were defined earlier are the basis for the effectiveness criteria for a procedure. This training module may be enough to achieve that level, or a broader training program may be required to ensure operational level competence. See Rob Packard’s blog on training exams for more advice on testing (http://bit.ly/TrainingExams)

Posted in: ISO Certification

Leave a Comment (0) →

Creating Effective Quality Management System Training Presentations and Exams

The author reviews methods for developing a quality management system training presentation and exam to demonstrate training effectiveness for QMS procedures.

Training certificate Creating Effective Quality Management System Training Presentations and Exams

Training records are a basic expectation for any quality system (i.e., Clause 6.2.2 of ISO 13485), but demonstrating effectiveness (Sub-Clause 6.2.2c) and competency (Sub-Clause 6.2.2a) is also required (http://bit.ly/21CFR820-25 and http://bit.ly/13485Plus). Verifying training competency will be the subject of a future blog, but this blog focuses on the most common method for demonstrating training effectiveness—an exam.

Resource Needs

The challenge with creating a training exam is that it takes a serious time commitment to create a training presentation, to write an exam, to grade the exam each time an employee is trained, and issue training certificates. Each time you revise the procedure, you need to decide if retraining is required and how you will verify the effectiveness of training on the revised procedure. Finally, you need qualified trainers with appropriate documentation of their competency.

The larger your company is, the more value you will realize from creating training exams. Unfortunately, larger companies usually have more procedures too. It typically takes me 2-4 hours to develop a new training presentation for a process or procedure. I am currently developing training presentations for a small drug/device company that will have approximately 30 procedures. Therefore, it could take 60-80 hours to create training presentations for all the procedures.

Quality Management System Training Presentation Content

We have developed training courses for critical processes, such as CAPA, internal auditing, and design controls. Medical Device Academy will also be offering a free webinar in November on the topic of conducting more effective Management Review meetings. For other processes, such as calibration, we recommend the following step-by-step approach:

  1. Overview slide of requirements
  2. A slide for each sub-clause
  3. An example of how the procedure is applied
  4. An overview of the procedures’ key points

Our calibration procedure required a total of 11 slides—including a title slide and a slide for contact information. We also included a cross-reference to the applicable section of the procedure for each sub-clause of the ISO 13485 Standard (i.e., 7.6a, 7.6b, etc.). A balance used to weigh components was the training example, and there was a slide that explained essential considerations that can affect the accuracy of a balance.

During the process of creating the training presentation, we noticed that one of the sub-clauses of ISO 13485, 7.6, was not addressed by the procedure. Therefore, our systematic approach simplified the creation of a training presentation, and the strategy helped to identify a nonconformity in the procedure before it was released.

Exam Content

For training exams, we try to ensure that exam questions are objective and easy to grade. Therefore, most exams are ten questions. Questions are typically fill-in the blank type of questions or multiple-choice questions. “Trick questions” are not recommended, but we do recommend using questions that force the trainee to look-up the answers. This will force the trainee to become more familiar with the procedure.

For our calibration training exam, we could easily have one question corresponding to each slide, but not every sub-clause requirement is equally important. Therefore, we always try to include a question related to the most common things auditors and FDA inspectors will be looking for.

The calibration process includes a requirement to assess the impact on a product if a measurement device used for inspections is found to be Out-Of-Tolerance (OOT). Is there a need to retest or even recall products?

Almost every auditor I meet asks the above question during an audit, and most will even request records of calibrated devices that were found OOT.

Grading & Certificates

We typically use 70% as the criteria for passing an exam. The exams are protected forms with spaces to fill-in and checkboxes. There are also spaces for the trainee’s name, title, and date of the training. Exams are emailed to the instructor, and the instructor will unprotect the document. The correct answers are indicated by highlighting the choice in green. Incorrect answers are indicated by highlighting the choice in red. Explanations for why an answer is incorrect are added after the question and highlighted in yellow. The graded exam is then emailed back to the trainee—along with a training certificate similar to the one shown at the beginning of this blog.

Retraining

Brigid Glass wrote a blog posting recently (http://bit.ly/12PartSOPTemplate), where she recommended including a section on training and retraining requirements in each procedure. The challenge with revised procedures is that retraining is not always required. If retraining is needed, we recommend the following approach:

  1. Create a separate retraining exam
  2. Include a question(s) specific to the procedural revisions
  3. Include a question(s) specific to recent nonconformities in the process (if any)

If you are interested in learning more about procedures, records, and training as it relates to ISO 13485 Certification, Brigid Glass and I will be teaching a seminar hosted by FX Conferences on November 5. The following link includes a $50 discount code for the seminar: http://bit.ly/ISOCertStep4. This is part of a 6-part ISO Certification series that is available as recordings too.

 

Posted in: ISO Certification

Leave a Comment (3) →

Procedure template for ISO ISO 13485:2016 quality systems

This 12 part procedure template for your medical device QMS can result in writing shorter, more effective documents that are easier to train personnel on.%name Procedure template for ISO ISO 13485:2016 quality systems

We all have a standard template for our quality system procedures. Typically, we begin with purpose, scope, and definitions. This 12-part procedure template for your medical device QMS  can result in shorter, more effective documents that are easier to train personnel on.

1. Purpose. Often I read something like, “This purpose of this document is to describe the CAPA procedure.” That necessary information is the reason why we title procedures. A better statement of purpose would be, “The purpose of this procedure is to provide a process for identifying, preventing and eliminating the causes of an actual or potential nonconformity, and using risk management principles.” The second version gives readers a better indication of the purpose of the procedure.

2. Scope. This section should identify functions or situations that the procedure applies to, but it is even more critical to identify which situations the procedure does not apply too.

3. References and Relationships. Reference documents that apply to the entire quality management system (e.g., – ISO 13485 and 21 CFR 820) only need to be listed in the Quality Manual. This reduces the need for future revisions to the procedures. I list here any procedure-specific external standard (e.g., – ISO 14971) in the applicable procedure. The relationship between procedures is more important than the references. Therefore, I prefer to use a simple flow diagram, with inputs and outputs, similar to the one below for a document control process.

sys 001 Procedure template for ISO ISO 13485:2016 quality systems

4. Document Approval. Who must sign off on the procedure? Keep this list short. Ideally, just the primary process owner and Quality Manager (to ensure consistency and integrity across the quality management system).

5. Revision History. A brief listing of each revision and a brief description of what was changed in the procedure.

6. Responsibilities and Authorities. A listing of the main areas of responsibility for each role. Remember to include the title of managers who may be required to approve forms, or make key decisions.

7. Procedure. I prefer to create a detailed flowchart outlining each step of a process before writing the procedure. Each task box in the flowchart will include a reference number. If you organize the reference numbers in an outline format, then you can write the text of your procedure to match the flowchart—including the numbering of the flow chart task boxes.

example Procedure template for ISO ISO 13485:2016 quality systemscapa Procedure template for ISO ISO 13485:2016 quality systems

8. Monitoring and Measurement. An explanation of how the process is monitored and measured, who does it, how often, format, method of communicating the analysis, and what process that analysis will be an input into, e.g., Management Review.

9. Training/Retraining. Tabulated, which roles need to be trained in this procedure, and to what level? The example below is also from a Document Control procedure.role Procedure template for ISO ISO 13485:2016 quality systems

10. Risk Management. This section identifies risks associated with each procedure and how the procedure controls those risks. As well as complying with the requirement to apply risk management throughout product realization (i.e., Clause 7 of ISO 13485), including a section specific to risk management forces the author of the procedure to think of ways the process can fail and to develop ways to avoid failure. Risks can also be a starting point for training people on the procedure.

11. Records. Tabulated, form number and names, a brief description of its purpose, and a column for retention and location. This column also allows for reference to compilations if the record becomes part of, e.g., Design History File, Device Master Record, or the Risk Management File.

12. Flowcharts. Step-by-step through the process, saying who performs the step when it isn’t apparent. I keep task shapes simple: rectangles for tasks, rounded rectangles for beginnings and endings, diamonds for decision boxes, and off-page reference symbols.

When the task needs supporting text, e.g., guidance or examples, put a number in the box and a corresponding number in the table in (7) above.  Ideally, the flowcharts are placed in the document with the Notes table on the same page or the opposite page. In practice, I often put them at the end to simplify the layout. One of my clients loves her flowcharts and puts them on the front page.

Benefits of this Approach

Information is well structured and presented consistently across procedures, more so than can be achieved through narrative.

  • The flowchart is the primary means of documenting the procedure.
  • Tables provide details that are not clear in the flowchart.

The procedure structure described above facilitates a consistent training approach built around the document. Purpose and scope are presented first, and then the Risk section is presented to explain what is essential in the procedure and why. The flowchart, the table, and the formwork together to describe each step of the procedure. Finally, a PowerPoint template can be used to guide process owners in developing their training.

And to make it even easier, you have already spelled out who needs to be trained and to what level.

Posted in: ISO Certification

Leave a Comment (1) →

ISO 13485: Compliance with European, Canadian & 21 CFR 820 Regs

iso 13485 cert compliance ISO 13485: Compliance with European, Canadian & 21 CFR 820 Regsby Susan Christie

This blog reviews key regulatory requirements in Europe, Canada, and the U.S. (21 CFR 820) related to developing a quality plan for ISO 13485 certification.

Your medical device company developed a quality plan for ISO 13485 certification (http://bit.ly/ISOQualityPlan), and your plan is targeting the three most common markets for U.S. companies: 1) USA, 2) Europe and 3) Canada. Now that you’ve identified your target markets, what are the applicable regulatory requirements?

Three separate quality systems would be inefficient and confusing. The key to managing multiple markets is to create one Quality Management System (QMS) that meets the requirements for all your target markets. If you are doing this for the first time, this is a daunting task.

Where to Start

The basic foundation for achieving regulatory compliance is ISO 13485, but each of the three markets has additional regulatory requirements that must be incorporated into the QMS. Therefore, we recommend the following step-by-step approach:

  1. Organize your quality system and Quality Manual in accordance with ISO 13485
  2. Starting with Health Canada’s GD210 Guidance document, which includes a comparison table to ISO 13485, identify the unique requirements of the CMDR
  3. Next, identify the differences between the MDD and ISO 13485
  4. Finally, identify the differences between QSR requirements and ISO 13485

You might also review comparison tables from the IMDRF website (http://bit.ly/IMDRFDoc) to help you identify differences between the ISO 13485 Quality System documentation and international regulatory requirements. The person responsible for this review should also be able to prepare your company for inspection and audits from each regulatory body.

U.S. Market: 21 CFR 820

For the U.S. market, companies must comply with 21 CFR 820 (see link above). Fortunately, QSR and ISO 13485 are very similar. Key differences between 21 CFR 820 and ISO 13485 include the following:

  1. Training procedure, (21 CFR 820.25)…which satisfies ISO 13485, Clause 6.2.2
  2. Statistical techniques procedure, (21 CFR 820.250)…which could be combined with ISO 13485, Clause 8.4 for Data Analysis
  3. Recall procedure (http://bit.ly/21CFR806), which is typically combined with the requirement for an advisory notice procedure in ISO 13485, Clause 8.5.1
  4. Medical Device Reporting procedure, (http://bit.ly/21CFR803) which you may want to keep independent from your other adverse event reporting procedures
European Market

In the European market, devices must have approval for the CE Mark in accordance with one of the three device directives: the Medical Device Directive (MDD), Active Implantable Medical Devices (AIMD), or In Vitro Diagnostics Directive (IVDD). This process is defined in the MDD. There is also a similar directive for AIMD and IVDD. The European Commission issued a draft proposal to replace the three directives with two new regulations. The proposed medical device regulation (http://bit.ly/EUProposal) combines the MDD and the AIMD directives, while the proposed in vitro diagnostic regulation (http://bit.ly/EUIVDProposal) will replace the IVDD when it is finalized.

Canadian Market

In Canada, companies must conform to the Canadian Medical Device Regulations (CMDR) under the Canadian Medical Device Conformity Assessment System (CMDCAS). During the QMS certification process, the most critical sections of CMDR are those specific to distribution records (Section 52), Medical Device Licensing (Sections 44-51), Mandatory Problem Reporting (Section 59), recalls (Section 63), and Implant Registration (Section 66).

These sections of the CMDR are essential because each requirement must be addressed in your procedures. The reference documents identified above provide the information you need to properly prepare for CMDCAS certification. There is a cross-reference table in the back of the GD210 guidance document that is organized according to the ISO 13485 Standard. The table also includes audit checklist questions that your internal audit team should use to verify conformity to the CMDR during internal audits.

Medical Device Academy started a 6-part series on the Roadmap to ISO 13485 Certification on August 28. These six seminars are being recorded, and you can register at any time (http://bit.ly/roadmapiso). The 6th and final seminar in the series is specific to Stage 1 and Stage 2 ISO Certification Audits.

If you need assistance with ISO 13485 Certification, or you are interested in training on medical device regulations for the United States, Europe, or Canada, please email the Medical Device Academy at rob@13485cert.com or contact Rob Packard by phone @ +1.802.258.1881. For other blogs on the topic of “ISO Certification,” please view the following blog category page: http://robertpackard.wpengine.com/category/iso-certification/

Please join us on Social Medialinkedin 1 ISO 13485: Compliance with European, Canadian & 21 CFR 820 Regsgoogleplus ISO 13485: Compliance with European, Canadian & 21 CFR 820 Regstwitter ISO 13485: Compliance with European, Canadian & 21 CFR 820 Regs

Posted in: ISO Certification

Leave a Comment (3) →
Page 2 of 4 1234