Blog

Archive for ISO Certification

Selecting an ISO Certification Body for CE Marking and Health Canada

 

Guest Blogger,  Susan Christie, Regulatory Consultant

Cropped Front of Card Selecting an ISO Certification Body for CE Marking and Health Canada

Which Certification Body should you select?

The author reviews considerations for selecting an ISO Certification Body for CE Marking in Europe and Canadian Medical Device Licensing with Health Canada.
What is a Certification Body?

A certification body is a third-party company who is accredited by an organization like the ANSI-ASQ National Accreditation Board (ANAB) (http://bit.ly/ANABorg), United Kingdom Accreditation Service (UKAS) (http://bit.ly/UKASorg) or Standards Council of Canada (SCC) (http://bit.ly/SCC-org) to perform certification audits against ISO Standards, such as ISO 9001 or ISO 13485. Accreditation bodies verify the conformity of certification audits to the ISO/IEC 17021 Standard (http://bit.ly/IEC-ISO17021). Some certification bodies are not accredited or maybe self-accredited. Still, you will need a certification body that is accredited to meet the regulatory requirements of Health Canada and European Competent Authorities.

Selecting the right certification body for your company is a critical step on the journey towards ISO 13485 certification. When I first joined one of my previous companies, I was assigned the task of implementing ISO 13485 to comply with the Canadian Medical Device Regulations (CMDR, http://bit.ly/FindCMDR) under the Canadian Medical Device Conformity Assessment System (CMDCAS, http://bit.ly/CMDCAS). First, I discovered that the company already had two certification bodies. The company initially received an ISO 9001 certificate from one certification body, and then a few years later, an ISO 13485 certificate was issued by another certification body. Unfortunately, neither certification body was recognized by Health Canada (http://bit.ly/RecognizedRegistrars). Therefore, when I joined the company, and we were seeking a Canadian Medical Device License, we had to find a third certification body. This time, I selected a registrar recognized by Health Canada. Then I was able to transfer our ISO 9001 certificate to the new registrar and eliminate the other two certification bodies.

When searching for a certification body, you will find that there are different names for the term, depending on the country to which you are seeking your certificate. For some of the biggest markets, they are named as follows:

  • Europe – notified bodies
  • Canada – registrars
  • Japan – registered certification bodies
  • Australia – conformity assessment bodies
9 Points to Consider When Selecting a Certification Body
  1. Refer to the official Europa page that helps you identify the complete list of “possible” candidates based upon the product category (http://bit.ly/NBDatabase).
  2. Consider choosing a Notified body that has endorsed the Code of Conduct (COC) v3.0 as your short-list. The COC has set the bar high, and you will want to utilize a notified body that is aligned with this document. The last time I checked, there were only 12, but the expectation is that this will be mandatory (http://bit.ly/CoCNBV3).
  3. The size and reputation of the notified body can have an impact on your customer’s confidence in your QMS. If they are savvy, they know who the key players are, and who has the more credible reputations in the medical device field. Before transitioning to BSI, I experienced “eye-rolling” during customer audits when asked for the name of our notified body.
  4. Consider the level of risk associated with the classification of the medical devices that are currently marketed and those that may be planned for future distribution. The EU Commission and Competent Authorities (US FDA equivalent in European member states) throughout Europe are currently re-evaluating all the Notified Bodies to determine if they will continue to be allowed to issue CE Design Examination Certificates (Annex II.4) and CE Type Examination Certificates (Annex III) for the highest risk devices (i.e., – Class IIb and Class III).
  5. Identify all your regulatory needs unless you want to contract multiple certification bodies (not recommended). Certification bodies are not created equal, and some may not be qualified to provide all the services needed. A certification body qualified to issue a certificate for ISO 13485 may not be able to provide a CE certificate for CE Marking required by the EU, and only 15 certification bodies are recognized by Health Canada as CMDCAS registrars (http://bit.ly/RecognizedRegistrars). To avoid the need for additional certification bodies in the future, you need to identify your long-term certification requirements for the international markets you will be distributed in.
  6. Compare price quotes from each certification body you are considering and make sure that you provide the same criteria to each potential certification body to ensure that you are getting a fair quote. This is also the time to determine ALL costs associated with audits, certificates, and any other fees. Be sure to include any travel costs, as they are part of the fees that will be included in the contract. If you have multiple sites, consider the benefit of utilizing the same auditor for each site for consistency. However, using one auditor can also incur higher travel costs.
  7. Evaluate each certification body’s customer service before the initial certification audits by asking for “360-degree” evaluations by everyone in your organization that will interact with the certification body directly. This includes planners scheduling the certification audits, the accounts receivable department handling invoices for the certification body, and your sales team that may be able to represent a customer’s opinion of the various certification bodies you are considering. Responsiveness is one of the best criteria to evaluate this customer service against. If the certification body is difficult to work with before certification, it won’t get better.
  8. What is your regulatory strategy? Are you looking for a certification body that will conduct an audit that barely meets requirements? Or maybe you want a certification body that will work with you as a partner to build a QMS made up of best practices. I recommend a “picky” certification body. This will ensure that you choose a partner that forces you to improve your QMS and remain competitive with other medical device companies that have embraced the principles of an ISO QMS.
  9. Finally, if your medical devices or the manufacturing process is complex or innovative, you should select a certification body with auditors that have the technical expertise to understand your product and processes. For example, if your company makes special plastic implants that require “gas plasma,” or vapor-hydrogen peroxide sterilization, you want to ensure that the certification body has auditors that understand this sterilization process.
Strategic Decision-Making

To evaluate each certification body, a spreadsheet may help keep track of information. However, the best practice for making this type of strategic supplier decision is a “Proposal A3 Report”. This special type of A3 Report is explained in Dan Matthew’s workbook (http://bit.ly/A3Workbook). Rob Packard, the founder of the Medical Device Academy, used this approach for the selection of a new Notified Body to transfer to for a recent client.

If you need assistance with ISO 13485 Certification or are interested in training on medical device regulations for the United States, Europe, or Canada, please email the Medical Device Academy at rob@13485cert.com, or contact Rob Packard by phone @ +1.802.258.1881. For other blogs on the topic of “ISO Certification,” please view the following blog category page: http://robertpackard.wpengine.com/category/iso-certification/.

Posted in: ISO Certification

Leave a Comment (2) →

12 Important Tasks for Implementing ISO 13485

%name 12 Important Tasks for Implementing ISO 13485By Guest Blogger, Brigid Glass

The author describes 12 important tasks (training, auditing, etc.), which should be included in your plan for successfully implementing ISO 13485.

For your ISO 13485 implementation project, use a planning tool that you are comfortable with (e.g., – a spreadsheet or project planning software). Your plan should include the following:

  1. Identification of each task
  2. Target dates for completion of each task
  3. Primary person responsible for each task
  4. Major milestones throughout the project

Regular progress reports to top management and implementation meetings with all process owners are recommended to track your progress to plan. Weekly meetings are also recommended so that no tasks can fall too far behind schedule. Be sure to invite top management to weekly meetings, and communicate the progress toward completion of each task to everyone within your company. The list below identifies 12 of the most important tasks that should be included in your plan.

12 Tasks to Consider for Implementing ISO 13485
  • 1. Select a certification body and schedule your certification audits (i.e., – Stage 1 and Stage 2). If you want to place devices on the market in the EU, Japan, or Canada, make sure your certification body meets the specific regulatory requirements for that market (http://bit.ly/Sept24FX).
  • 2. Establish a Quality Manual and at least 19 required procedures. If you have purchased a copy of the excellent Canadian CSA publication “Plus 13485” (http://bit.ly/13485Plus), this lists required procedures for you. There are a few extra procedures or work instructions needed to meet regulatory requirements (e.g., – training, mandatory problem reporting, and post-market surveillance).
  • 3. Document training on the procedures comprising the quality system. A signed form indicating that employees “read and understand” the procedures is not enough. Training records should include evidence of the effectiveness of training, and you should be able to demonstrate the competency of the people performing those procedures.
  • 4. You must complete at least one full quality system internal audit. The timing of your internal audit should be late enough in the quality plan that that most elements of your quality system have been implemented. However, you want to allow enough time to initiate CAPAs in response to internal audit findings before your Stage 1 audit. If your internal auditor(s) have been heavily involved in the implementation of the quality system, you may need to hire an external consultant to perform your first internal audit.
  • 5. You need to complete at least one management review, which can be done just before the Stage 1 audit. My preference, if there is time, is to have at least two management reviews. The first review might occur three months before the Stage 1 audit, just before you plan to perform an internal audit of the management processes. There may be limited data to review at that time, but this first review provides an opportunity to train top management on their roles and responsibilities during a management review.

The second management review must cover all the requirements identified in ISO 13485, Clause 5.6. The second management review is also your last chance to identify any gaps in your quality system, and initiate a CAPA or action items before your certification auditor arrives.

  • 6. Compliance with regulatory requirements must be a commitment stated in your company’s Quality Policy. Specific regulatory requirements should be traceable to a specific procedure(s).

If you are seeking ISO 13485 Certification as part of the Canadian Medical Device Conformity Assessment System (CMDCAS) or the CE Marking process, then these regulatory requirements will be specifically included in your certification audit.

  • 7. Systematically incorporate customer and regulatory requirements into the quality management system. For contract manufacturers, this is especially important, and the Supplier Quality Agreements your company executes are the best source of these customer requirements. If your company is a legal manufacturer (the company named on the product label), this task is probably addressed sufficiently in tasks #1 and 6.
  • 8. You need to implement a supplier quality management process. If you already have a strong supplier quality program, then this may be a small task involving a few changes to your procedure. If you don’t have much of a supplier program yet, then this may involve identifying your suppliers, ranking them all according to type and risk, qualifying or disqualifying them, and executing supplier quality agreements.

Note: If you need training on Supplier Quality Management, you might consider participating in Medical Device Academy’s October 4th training workshop (http://bit.ly/MDAWorkshops).

  • 9. If product design is within the scope of your QMS, which is typical of legal manufacturers, but not for contract manufacturers, then you must establish a design control procedure(s). Product development projects often operate in a timeframe that is longer than your implementation project, and you may need ISO 13485 certification as part of the regulatory approval process.

Therefore, the minimum expectation is to initiate at least one development project before the certification audits. For records of implementation, you should have a design project plan, an initial risk management plan, reviewed and approved design inputs for your first product, and conduct at least one design review.

  • 10. Document what your Certification Body expects (e.g., – notifying them of significant changes). These expectations are likely to be stated in your contract with the Certification Body.
  • 11. Appoint the management representative and a deputy. Ideally, this is formally documented with a letter of appointment signed by the CEO and the management representative. This letter should be maintained in the management representative’s personnel file, along with a copy of the job description explaining the job responsibilities of the management representative. This may also be achieved by identifying the management representative and a deputy in your company’s organization chart.
  • 12. After the certification audit, your last task should be to “Create Quality Plan #2”—another PDCA (http://bit.ly/PDCAcycle) loop through the system. The reason for a new quality plan is to implement improvements based upon what you learned while you were building the quality system for the initial certification audit.

If your company wants to achieve ISO 13485 certification, you may be interested in our 6-part, “Road to Certification – The Series” (http://bit.ly/roadmapiso) audiocasts beginning on August 28, 2013 (also available as a recording).

Posted in: ISO Certification

Leave a Comment (2) →

Implementing ISO 13485: Planning the Project

By Guest Blogger,  Brigid Glass %name Implementing ISO 13485: Planning the Project

Five reasons why ISO 13485 certification may take longer than you expect, as well as tips and planning advice to help avoid pitfalls, are provided.

Your company wants to achieve ISO 13485 certification. How are you going to get there? In a recent blog, I reviewed setting objectives for implementing an ISO 13485 certification project. Once you’re clear on those, then you’re ready to create your first quality plan. The basic elements of any strategy will be:

  • Task breakdown (which I will cover in a separate blog)
  • Timeline
  • Resources (skills and hours available)
Timeframes and Trade-offs of ISO 13485 Certification Planning 

The endpoint of planning for the certification project is the certification audit. The earlier you choose your registrar or Notified Body and book the audit, the more choice you will have regarding the date. This should be one of the earliest tasks in the task breakdown. To be able to do that, you need a timeframe as to when you will be ready for the certification audit. How long it takes to implement ISO 13485 and be ready for a certification audit depends upon your starting point and your available resources. If you have no QMS in place, it will take you longer than if you already have a strong, documented QMS that complies with 21 CFR Part 820.

It May Take More Work

If you already have ISO 9001:2008 certification, though you already have a structure in place, the upgrade to ISO 13485 is likely to take more work than you expect because:

  1. There are fewer procedures required by ISO 9001
  2. Most of your existing procedures will require revision
  3. Your employees will need training on the new procedures
  4. You will need time to generate records using new procedures
  5. You will need to complete a full quality system audit of the new procedures

Many companies also underestimate the required resources for ISO 13485 certification. If you have a knowledgeable consultant, and people available to write procedures, then ISO 13485 implementation will progress faster than an organization that has little expertise and little time available, so plan accordingly. Ideally, you will determine the length of time each task will take and decide on an endpoint for the project based on that information and available resources. This approach works well if you already have a well-documented, regulated QMS.

6 Months-Reasonable Timeframe?

Six months is my rule of thumb for the time needed to implement a quality system compliant with ISO 13485. If the implementation schedule is longer, organizational enthusiasm may wane. If the timeframe is shorter than six months, it’s difficult to complete all the required tasks. No matter how carefully you plan, you still need to write procedures, train personnel, and implement procedures, so there is adequate time to generate records. Six months is aggressive for most companies, but the objective of achieving certification in six months is reasonable.

You may find it interesting that in Rob Packard’s white paper on ISO 13485 implementation. He also recommends that you allocate six months of one Full-Time Equivalent (FTE). This is a reasonable starting point, but you may want to adjust your resource allocation up or down depending upon the level of experience within the implementation team. Experience has taught me that smaller organizations are more successful at building an effective quality system when effectiveness is achieved in reiterative steps (i.e., – revision 1, revision 2, etc.). This is also the basis of the Deming/Shewhart Plan-Do-Check-Act (PDCA) cycle (http://bit.ly/PDCAcycle). This is also what I meant in a recent blog (http://bit.ly/ImplementationObjectives), where I suggested that you should “throw perfectionism out the window.”

Your understanding of how the quality system links together will grow as you implement each process in your implementation plan. As knowledge grows, you may reconsider some of your procedures. Instead of delaying the certification process (i.e., – revision 1), you may want to implement improvements as a second revision to procedures after the Stage 2 certification audit (i.e., – revision 2). During your Stage 1 and Stage 2 certification audits, your understanding of how the standard is interpreted and audited will build. After you achieve the initial ISO 13485 certification, you will have a much greater understanding of how all the elements of the quality system need to work together. You will also understand what parts of your quality system are easy for an outsider to audit.

After the ISO 13485 Certification Audit

During the initial planning stage, you should also imagine your future state after the certification audit (http://bit.ly/Beginwiththeendinmind). Your boss may assume that once the audit has been and gone, then everything will settle back to “normal” again. The reality is that after you deal with any nonconformities, and you take off a few days like you promised your family, you will have a long list of improvement ideas waiting for you. You will also need to prepare for next year’s surveillance audit. Therefore, I recommend that you manage expectations by adding “Create Quality Plan #2” as the last step of your ISO 13485 certification plan. If your company wants to achieve ISO 13485 certification, you may be interested in our 6-part, “Road to Certification – The Series” (http://bit.ly/roadmapiso) beginning on August 28, 2013 (also available as a recording).

Posted in: ISO Certification

Leave a Comment (0) →

Implementing ISO 13485: Dealing with Delays

By Guest Blogger,  Brigid Glass

%name Implementing ISO 13485: Dealing with DelaysThe author provides tips, practical examples, and six steps to follow if your ISO 13485 implementation project falls behind schedule.

In the best-planned project, with plentiful, skilled resources and diligent monitoring, things can still go awry. We need to be watchful for signs of our plans falling behind schedule, and develop contingency plans to prevent delays.

Walk Around the Mountains

Identify major obstacles early and develop a plan to deal with them. The major obstacles are usually the tasks that take the longest—such as process validation. Specifically, name these tasks in your pitch to management for resources before you start. This approach will ensure that everyone is focused on the biggest challenges.

If your plan to climb over those mountains is failing, work out a route around them. Maybe your R&D Manager can’t yet accept that there will now be design controls. In this case, an alternate path might be to leave design controls for last purposely. If you write a concise procedure and release it as your last procedure, then you have a built-in excuse for why you have very few records to demonstrate an implementation of design controls. You will still need at least one design project plan and training records to demonstrate that the process is implemented.

If this plan is successful, your auditor will write in the report that “design controls are implemented, but there are limited records to demonstrate implementation at this time.” If this plan is unsuccessful, you will need to provide additional design control records before you can be recommended for ISO certification—typically within 90 days.

Another approach is to initiate a CAPA and implement some of the tasks after the audit. For example, you have more suppliers than you can audit before certification. In this case, qualify all your suppliers, and use a risk-based approach to help you prioritize which suppliers need to be audited first. In your plan, identify that you will start by auditing the three highest-risk suppliers. Lower risk suppliers can be scheduled for audits after certification.

Be Watchful

Keep a close eye on your project plan. One of the most critical factors for success is keeping the plan and progress against the plan in front of the key players and senior management. Do this in such a way that progress, or the lack of it, is very clearly visible. It’s a basic maxim of Quality that we act on what we measure.

ISO 13485 Implementation: If Your Project Falls Behind Schedule

If you find yourself lagging seriously behind in your project, the following steps will assist you in recovering sufficiently to still be able to attain certification.

  1. Enlist management support when you need it, especially if you need them to free up resources.
  2. Prioritize. Before the Stage 1 audit, ensure that those procedures which are required by ISO 13485 are released (there are 19). There’s always room for improvement, but leave some of it for the second revision, instead of delaying certification.
  3. Ensure that you have at least a few examples of all the required records. Your auditor will be unable to tick off his checklist if a record is absent. Make it easy for the auditor.
  4. If there is a sizeable gap that you won’t be able to close before certification (i.e., – you have a validation procedure, but validations have not been completed), write a CAPA outlining your action plan to address the gap. During the audit, act confidently when you are questioned about the gap. Many auditors will give you credit for identifying the problem yourself.
  5. Don’t panic. The worst the auditor can do is to identify a nonconformity you will have to address with a CAPA plan before you can be recommended for certification. At most, this will result in a delay of a few weeks.
  6. Throughout your certification preparations and during the certification audits, you will identify issues you may not have time to resolve before the certification process is complete. If you are planning to revise procedures and make other corrections, make sure you track these issues as CAPAs or with some other tool (e.g., – an action item list). You want to address each issue prior to the first surveillance audit (no more than 12 months from the date of the Stage 2 audit).

Best wishes for your project. Success is the result of good planning, good communication, and good monitoring.

This blog is part of a series of blogs that leads up to our Roadmap to Iso 13485 Certification Courses

Posted in: ISO Certification

Leave a Comment (0) →

Quality objectives for achieving your goals

This article, updated in 2020, describes two different approaches to establishing quality objectives to achieve your business goals.
BHAG JFK Quality objectives for achieving your goalsGoal setting and communicating a vision of the future is not just the responsibility of the company President. Every manager should be setting goals for the teams they manage, and you can set yourself apart from your peers by building a vision with clear benefits to employees, customers, and the bottom line. Establishing quality objectives, and monitoring the progress toward those objectives is one of the greatest tools you can use to achieve your business goals. There are two different approaches to setting quality objectives, and you should use both.

Two Types of Quality Objectives

The most popular type of quality objective is a visionary goal. The phrase that I think captures this idea is the “Big Hairy Audacious Goal” (BHAG). Jim Collins and Jerry Porras coined this phrase in Built to Last. Visionary goals are long-term quality objectives that will require many smaller, coordinated changes intended to “level up” your business.

The second type of quality objective is a short-term goal. Short-term goals are not nearly as “sexy,” but achieving short-term goals builds momentum and creates long-term habits that are crucial to success. The two books that capture this concept best are The Compound Effect by Darren Hardy and The Slight Edge by Jeff Olsen. Both books emphasize the importance of consistency and small improvements to achieve success. The secret to establishing short-term goals is to make sure that your short-term goals are aligned toward helping you achieve long-term goals.

In our quality system procedures, we include a section for monitoring, measurement, and data analysis. For every process in your quality system, you should have at least one defined quality metric that you consistently measure. Everyone involved in that process should be aware of the metric, and data analysis should be shared with everyone in the company. Some of those quality metrics will be more important than others, but everyone must expect to achieve the goals that are set. You can pick anything you want to measure for a process, but for the metric to be used as a quality objective, it must be measurable and consistent with your quality policy. I like to define measurable by saying, “You must be able to graph it.”

6 Steps to Achieving Big Hairy Audacious Goals (BHAG)

Not all quality objectives have to be small, dull, or easy. You are required to establish quality objectives. Both the QSR (21 CFR 820.20, management responsibility) and the ISO Standard (ISO 13485:2016, Clause 5.4.1, require that top management establish quality objectives. These objectives must also be reviewed during management reviews, and they should be established at all levels throughout your company. Some of these objectives will be small, but you should make at least one of your quality objectives big, exciting, and hard to achieve. If you want to set your first BHAG for your team, try following these six steps.

STEP 1: Involve your team in setting quality objectives

Weak managers dictate goals, but leaders get teams involved in the goal-setting process. Getting your team involved gives them ownership of the goal. If you’re unsure of how to get your team involved, you might try a brainstorming session. A good brainstorming session is relatively short (i.e., – < 1 hour). Everyone needs to understand the goal of the brainstorming session: to generate many ideas for a possible BHAG. Everyone needs to understand what a BHAG is. These examples might help:

  1. Reduce average monthly scrap by 80% with a Pareto Chart
  2. Reduce the average number of nonconforming material reports by 50%
  3. Increase the ratio of preventive actions to corrective actions to > 1.00

Finally, negative comments should not be tolerated. Bad, good, and silly ideas should all be encouraged because the purpose of brainstorming is to generate many ideas. After you have 100+ ideas, you and your team can schedule another meeting to select the best goal(s).

STEP 2: Predict the bottom-line impact of quality objectives

Top management’s perception of a BHAG will be directly proportional to the impact on the bottom line. If the impact is small, the “B” in BHAG is a “b.” You and your team should use the potential impact on the bottom line as the first selection criteria for picking the best BHAG from the brainstorming list. The accuracy of these estimates doesn’t matter initially. Still, once you choose the goal, you will need to verify the accuracy of the financial impact and define how that impact will be measured.

STEP 3: Look to the future, but focus on the next milestone

Picking a five and ten-year goals is appropriate for discussions with Human Resources about your career, but companies are measured on quarterly financials. Therefore, you will need to focus on the goals you can achieve in three to six quarters. The number of milestones you set should also be few, and you should focus on one at a time. If the goal is only three quarters away, you might have monthly targets, while longer projects need interim milestones.

STEP 4: Milestone momentum

Longer projects often become delayed because people will procrastinate, and teams will lose momentum. When you break your long-term goals into smaller chunks, everyone can focus on the next milestone and see the progress. Each piece should be a sound stage of the project, and completion of the stage must be clearly defined. To create momentum, you must achieve each milestone–always. The pattern of consistent milestone achievement builds confidence, and your team will gradually develop the habits needed to sustain your progress.

STEP 5: Assign the Skeptic to Report on Quality Objectives

A good statistician can make the numbers look any way you want, but skeptics in other departments (and within your team) will criticize your claims of success. One way to silence the skeptics on your team is to make them responsible for measuring and reporting the team’s progress. This approach ensures that progress reports are conservative and accurate, rather than inflated or unbelievable. Progress should also be reported publicly because public victories are something your team can be proud of.

STEP 6: Promise a Reward for Achieving Quality Objectives

Some managers believe that the reward for hard work should be a paycheck. That’s sort of like telling your children that they get to eat for doing something you’re proud of. Employees are not children, but you are responsible for developing them into more valuable employees so that they can be promoted. If there is no incentive, your team will not be engaged. Therefore, pick a reward that is proportional to the bottom-line impact. Five percent of the bottom-line impact is what I like to target, but you would be amazed at how effective a few small rewards at each milestone can be. If you have trouble getting management approval for rewards, remind your boss of the bottom-line impact and link the rewards closely to the impact.

Posted in: ISO Certification

Leave a Comment (1) →

Implementing the ISO 13485 Standard: Objectives

By Guest Blogger, Brigid Glass

The author discusses implementing the ISO 13485 standard, including seven questions to clarifying your objectives and six considerations in shaping your objectives.%name Implementing the ISO 13485 Standard: Objectives

Implementing ISO 13485 is such an enormous undertaking for an organization that it pays to approach the planning strategically to ensure that all objectives are met.  Often, some objectives are made explicit, and others are unspoken. It is worth taking the time to ensure that all objectives are clearly stated to achieve the outcomes you want. Begin with the end in mind. Then, ensure that you are taking the organization with you, and you are all headed to the same destination.

7 Questions to Clarify Your Objectives
  1. What are your regulatory drivers for ISO 13485 implementation? Are there dates associated with marketing plans that you need to take into account? Are there other regulatory requirements that need to be built into the QMS and the implementation plan, (e.g., incident reporting for Canada or a Technical File for CE marking?)
  2. What other regulatory requirements must you meet to get into international markets? ISO 13485 requires that you meet applicable regulations for each market, such as a training procedure to address 21 CFR 820.25, a post-market surveillance plan to address CE Marking requirements, and a Mandatory Problem Reporting Procedure for Canada.
  3. If you are a supplier to medical device manufacturers, what do your customers expect of your QMS? If they haven’t made this explicit already, ask them. Meeting their needs and their audits of your system may be as important to you as the certification audit.
  4. Do you want to achieve business improvements by implementing a QMS? If you include this in your stated objectives, and everyone “buys into” the program, then you will build procedures that deliver business improvements, rather than just being regulatory overhead.
  5. Do you have real buy-in from your CEO? You may have buy-in for certification, but if you don’t already have a regulated QMS, does she or he fully understand the cultural change that he or she must lead? If not, make this one of your unwritten objectives and keep it front of mind.
  6. Do you have organizational buy-in?  Ensure that it is clear who owns each process, and that those process owners have the ultimate responsibility for the compliance of their process and ownership of documentation that is created for those processes. Keep the project progress visible. Develop a communication plan with its objectives and targets, even if your organization is small.
  7. Do you want to align with other systems? If you already have a QMS, you will want to integrate ISO 13485 compliance with that. Do you also need to implement ISO 14971, the risk management standard? Since you are going to be doing this much work on your QMS, maybe you could take the opportunity to align it with your health and safety or environmental management systems.
Timeframes and Trade-offs

How long it takes to implement ISO 13485 will be covered in another blog soon.  Six months is a workable rule of thumb.

So what do you do if you don’t have that long, and have to meet a pressing deadline?  Or you don’t have the resources available to implement, as well as you want in the time available?  Compromises have to be made, and now it’s necessary to set short-term and long-term objectives.

6 Considerations in Shaping Your ISO 13485 Standard Implementation Objectives

If you are constrained from structuring the implementation project ideally, the following considerations below will assist you in shaping your objectives:

  1. Get a qualified consultant who understands your business. If you have a large company, find someone who spends more of their time working with corporates, and vice versa for a small company.
  2. Throw perfectionism out the window. The goal is not perfect procedures. The essence of a Quality System is documentation to explain the intent, records to capture reality, internal auditing, and monitoring to identify the gaps and CAPA to improve and maintain effectiveness. The Deming Plan-Do-Check-Act cycle assumes that you are never perfect.)
  3. Accept that you then have another round of work to do to improve procedures.
  4. Organizational buy-in is even more critical. Be very careful about setting expectations. Adjusting to the extra requirements of a regulated QMS is already tricky. In these circumstances, you may be asking people to live with procedures that are not as usable as they would like.
  5. Be especially careful to ensure that the auditor can tick off all the essential points, and find how you have fulfilled the requirements without hunting too hard. All the required procedures and records must be in place. It’s more important to address 100% of the requirements than to perfect 80% and skip the last 20%.
  6. Accept that there may be nonconformities that have to be dealt with after the certification audit. Set the organizational expectation around this and build time for it into your schedule. Ask your certification body early to tell you the timeframe for dealing with nonconformities.
Setting Expectations

Objectives need to be communicated clearly to everyone in the organization. For a project (and many other things in life),

Satisfaction (or Disappointment) = Actual Result – Expectation

The certification audit is not the end. You will still need people to align their effort into making the implementation succeed after the pressure and obvious deadline of the certification audit has passed.  Setting their expectations appropriately early in the project is essential to keeping their (and your) motivation going. This is especially important if you are building your QMS, short on time or resource, and therefore know that you need to do a lot of work in the year following certification to develop improved workable procedures and generate a recorded history of compliance.

 

This blog is part of a series of blogs that leads up to our Roadmap to Iso 13485 Certification Courses

Posted in: ISO Certification

Leave a Comment (0) →

A 6 Step Approach if You Disagree With a Notified Body Auditor

The author’s first certification audit experience is discussed, and we review six different approaches to take if you disagree with a notified body auditor.

My first certification audit ever didn’t go so well. The reason it didn’t go well is that the auditor wrote nonconformities that my boss and our regulatory consultant didn’t agree with. At the time, I was too inexperienced to know how to handle it. My boss and the consultant, however, totally lost it. I’ve never seen veins that big in someone’s forehead–even in cartoons.

I asked them both to leave the room because I was afraid to “push back” on the auditor. Many Management Representatives feel the same way that I did during that initial certification audit. The best way to summarize our concerns is with the following picture:

kodiak A 6 Step Approach if You Disagree With a Notified Body Auditor

Recently another LinkedIn group member emailed me to say that they have seen several auditors for registrars identifying nonconformities that represented their own personal opinions rather than specific requirements of the Standard. For example, there is a requirement to assign management responsibilities and document it, but there is no requirement to have an organization chart.

Another common mistake is when auditors insist that a company must create a turtle diagram for every single process. I support the use of turtle diagrams 100%, but the only requirement in the Standard is to use the process approach–not turtle diagrams specifically.

My favorite is my own personal mistake. I wrote a nonconformity for not having a process for implant registration cards for a company that was planning to ship a high-risk implant product to Canada. There is a requirement for implant registry cards, but I forgot that Canada defines “implants” in this case as only a very short list of implant devices–not implants in general.

Auditors are human. These are audit findings–not a jail sentence. Everyone needs to remember that the worst that can happen is that you receive a nonconformity. If the auditor finds a nonconformity, then you need to develop a CAPA plan. If the auditor finds nothing, you still need to do your own internal audits to identify nonconformities and continuously improve processes.

What Should You Do When an Auditor is Wrong?

I recommend that you “push back,” but you need to know-how. Many consultants suggest saying, “Can you show me in the Standard where it says I have to do that?” That’s just like poking a bear. If you do it once, it’s annoying. If you do it multiple times, an auditor might just eat you.

One Management Representative did that to me after I had taken the time to review the requirements with him. I responded by holding the ISO 13485 Standard in front of him and reciting clause 7.3.2. He responded by saying, “Well, that’s up for interpretation.” I offered to recite the ISO 14969 guidance document for him, but his boss told him to shut up.

This certainly wasn’t the only time a client pushed back during a registration audit, but other clients have had the sense to argue about things they understood.

One of the clients I audited said that he would change the topic to the auditor’s favorite sports team. That’s one approach. I’m sure that more than one client has taken the approach of asking me to explain where they can learn about best practices. I’m sure that they were somewhat successful. Another approach is to slide the lunch menu in front of them; I have only met one auditor that would not be distracted by a lunch menu.

6 Step Approach When You Disagree With an Auditor

1. Shut-up and look it up (before you open your mouth, grab the applicable external Standard and locate the information you are looking for).

2. If you are still convinced that the auditor is wrong, then tell that you are having trouble finding the requirement. Show them where you are looking, and then ask them to help you find the requirement.

3. If the auditor can’t show you where you are wrong, or it appears that the auditor is interpreting the Standard as they see fit, then focus on asking the auditor for guidance on what they will be looking for in your CAPA plan.

4. If the CAPA plan the auditor is looking for is something you think is a good idea, then shut up and implement the improvements. If the CAPA plan is not acceptable to you, then you should ask what the process is for the resolution of disputes.

5. No matter what, don’t start an argument with the registrar. They enjoy it. They like a challenge and resent people with less experience criticizing them.

6. If you still disagree with your auditor, then you should ask if the auditor can explain the process for appealing findings and follow that process.

Posted in: ISO Certification

Leave a Comment (0) →

Preparing for ISO 13485 Certification in 5 Steps

The author provides five steps in preparing for the ISO 13485 certification process, and his insights and tips for each step are reviewed.

A LinkedIn connection of mine recently asked for sources of good guidance on ISO 13485 registration. I wrote a blog recently about Quality Management Systems in General, but I had trouble finding resources specific to the ISO 13485 registration process. Therefore, I decided to write a blog to answer this question.

Typically, people learn the hard way by setting up a system from scratch. The better way to discover it is to take a course on it. I used to teach a two-day course on the topic for BSI. The link for this course is http://bit.ly/Get13485; I shortened the link to the BSI website.

Other registrars offer this course too. I suspect you can find a webinar on this through TUV SÜD, BSI, SGS, LNE/GMED, Dekra, etc. from time to time.

The only registrar I could find that described the process step-by-step was Dekra. I have copied their steps below:

 ISO 13485 Certification: Inquiry to Surveillance in 5 Steps

1. Inquiry

An initial meeting between [THE REGISTRAR] and the client can take place on-site or via teleconference. At this time, the client familiarizes [THE REGISTRAR] with company specifics, and it’s quality assurance certification requirements; [THE REGISTRAR] explains its working methods and partnering philosophy, and previews the details of the process.

%name Preparing for ISO 13485 Certification in 5 Steps

Rob’s 2 Cents

As a client, I have completed two initial certifications personally and three transfers, but I have only once had the sales representative visit my company. I think this process is typically accomplished by phone and email. If any registrars are reading this, you will close on more accounts if you visit prospective clients personally. The one that visited my company (Robert Dostert) has been on speed dial for almost a decade, and he’s received repeat business.

 

 

2. Application Form

The client chooses to move forward by filling out an online application form. Based on the information obtained during the inquiry stage, along with the application form, [THE REGISTRAR] prepares a quote, free of charge, for the entire certification process. A client-signed quotation or purchase order leads to the first stage of the certification process.

my two cents1 Preparing for ISO 13485 Certification in 5 Steps

Rob’s 2 Cents

For both of the Notified Body transfers I completed, I completed application forms and requested quotes from multiple Notified Bodies. During the quoting process, my friend Robert was more responsive and able to answer my questions better than the competition. Robert was also able to schedule earlier audit dates than the competition. To this day, I am still amazed that Notified Bodies are not more responsive during this initial quoting process. All of the Notified Bodies are offering a certificate (a commodity). The customer service provided by each Notified Body, however, is not a commodity. Each Notified Body has its own culture, and every Notified Body has good and bad auditors. Therefore, you need to treat this selection process, just like any other supplier selection decision. I have guided this specific selection process on more than one occasion, but I am definitely biased.

 3. Phase One: Document Review and Planning Visit
%name Preparing for ISO 13485 Certification in 5 Steps

LNE/GMED Flow Diagram for the process of ISO 13485 Certification

At this stage, [THE REGISTRAR] performs a pre-certification visit, which entails verifying the documented quality systems against the applicable standard. [THE REGISTRAR] works with the client to establish a working plan to define the [THE REGISTRAR] quality auditing process. If the client wishes, [THE REGISTRAR] will perform a trial audit or “dress rehearsal” at this stage. This allows the client to choose business activities for auditing, and to test those activities against the applicable standard. It also allows the client to learn and experience [THE REGISTRAR] ‘s quality auditing methods and style. The results of the trial audit can be used toward certification. Most clients elect for one or two days of trial auditing.

%name Preparing for ISO 13485 Certification in 5 Steps

Rob’s 2 Cents

Dekra’s statement that “The results of the trial audit can be used toward certification,” is 100% opposite from BSI’s policy. BSI calls this a pre-assessment. The boilerplate wording used in BSI quotations is, “The pre-assessment is an optional service that is an informal assessment activity intended to identify areas of concern where further attention would be beneficial and to assess the readiness of the quality management system for the initial formal assessment.” During these pre-assessments, BSI auditors explain that any findings during the pre-assessment will not be used during the Stage 1 and Stage 2 certification audits, and the client will start with a “clean slate.” Most of the clients I conducted pre-assessments for were skeptical of this. Still, most auditors are ethical and make every effort to avoid even the perception of biasing their sampling during Stage 1 and Stage 2 audits.

I highly recommend conducting a pre-assessment. You want an extremely thorough and tough pre-assessment so that the organization is well prepared for the certification audits. If the auditor that will be conducting the Stage 1 and Stage 2 audit is not available to do a pre-assessment, try to find a consultant that knows the auditor’s style and “hot buttons” well. FYI…You can almost always encourage me to do a little teaching when I’m auditing (I just can’t resist), and my “hot buttons” are CAPA,  internal auditing, and design controls.

 4. Phase Two: Final Certification Audit

Once the client’s documented systems have met the applicable standards, [THE REGISTRAR] will conduct an audit to determine its effective implementation.  [THE REGISTRAR] uses a professional auditing interview-style instead of a simple checklist approach. This involves interviewing the authorized and responsible personnel as designated in the documented quality system.

%name Preparing for ISO 13485 Certification in 5 Steps

Rob’s 2 Cents

For certification audits, ISO 17021 requires a Stage 1 and Stage 2 audit to be conducted. The combined duration of the certification audits must be in accordance with the IAF MD9 guidance document–which is primarily based upon the number of employees in the company. The “interview style” that Dekra is referring to is called the “Process Approach.” This is required in section 0.2 of the ISO 13485 Standard, and this is the primary method recommended by the ISO 19011 Standard for auditing–although other methods of auditing are covered, as well.

 

5. Surveillance

[THE REGISTRAR] arranges for surveillance audits semi-annually or annually, as requested by the client.

%name Preparing for ISO 13485 Certification in 5 Steps

Rob’s 2 Cents

I highly recommend annual surveillance audits, because the short duration of surveillance audits becomes unrealistically short when the auditor is asked to split their time between two semi-annual visits. A few clients have indicated that the semi-annual audits help them by maintaining pressure on the organization to be ready for audits all year-round, and prevents them from procrastinating to implement corrective actions. This is an issue of management commitment that needs to be addressed by the company. Scheduling semi-annual surveillance audits don’t address the root cause. The only good argument I have for semi-annual cycles is if you have very large facilities that would have an audit duration of at least two days on a semi-annual basis.

The most important consideration related to scheduling surveillance audits is to ensure that you schedule the audits well before the anniversary date. I recommend 11 months between audits. By doing this, you end up scheduling the re-certification audits three months before the certificate expires. BSI has a different policy. They want auditors to schedule the first surveillance audit ten months after the Stage 2 audit, the second surveillance audit 12 months after the first surveillance audit, and then the re-certification audit must be scheduled at least 60 days before certificate expiration (i.e.,  – no more than 12 months after the second surveillance audit). No matter what, schedule early.

If you have additional questions about becoming ISO 13485 registered, please post a discussion question in the following LinkedIn subgroup: Medical Device: QA/RA. For example, on Monday, a new discussion question was posted asking for help with the selection of a Notified Body for CE Marking. You will need to become a member of the parent group (Medical Device Group)–if you are not already one of the 140,000+ members connected with Joe Hage. George Marcel and I manage this subgroup for Joe. George is out in the Bay Area, and I’m in the Green Mountains.

Posted in: ISO Certification

Leave a Comment (5) →

Quality Management System Information Sources

This blog reviews a number of quality management system information sources.

A blog follower from Jon Speer’s website, Creo Quality, recently sent me a message asking for information sources on  Quality Management System (QMS) subject matter.

The single best guidance document on the implementation of a QMS system in accordance with ISO 13485 is “13485 Plus” (type in the words in quotes to the CSA Group search engine).

There are also a bunch of pocket guides you can purchase for either ISO 9001 or ISO 13485 to help you quickly access information you are having trouble remembering. One of my lead auditor students recommended one pocket guide in particular and she was kind enough to give me her copy.

There are some webinars out there that provide an overview of QMS Standards. Some are free and some have a modest fee. I’m not sure of the value for these basic overview webinars, but if you need to train a group, it’s a great solution. I know BSI has several webinars that are recorded for this purpose.

AAMI has an excellent course on the Quality System Regulations (QSR) which combines 21 CFR 820 and ISO 13485.

There are a number of blogs I recommend on my website.

You can try to identify a local mentor–either in your own company, or at your local ASQ Section.

You can join the following LinkedIn subgroup: Medical Device: QA/RA. You will need to become a member of the parent group (Medical Device Group)–if you are not already one of the 140,000+ members connected with Joe Hage. George Marcel and I manage this subgroup for Joe.

You can visit the Elsmar Cove website and participate in the discussions you find there. I wrote a blog about Elsmar Cove a while back (wow almost 2 years ago now).

The best way to learn this stuff is to do all of the above.

Posted in: ISO Certification

Leave a Comment (2) →

13 Tips for Learning New Regulations

Everyone learns through different methods. This blog discusses three levels of the learning pyramid and provides 13 tips for learning new regulations.

Last week I mentioned the draft EU regulations that were released, and I am still reading them. I am sure some of you have already finished at least one of the two regulations, but I am a slow reader. Sure I have skimmed the regulations, but I really need to read every word of the regulations several times before I have absorbed the bulk of the content. While I was reading during my lunch today, I was wondering how other regulatory experts learn new material. After all, there is nobody to take a course from yet, and a one hour webinar is not enough.

Some people like to listen to books on tape during their morning ride, but I think the market might be a little small for medical device regulations. We could use technology to convert the PDF format into an eBook format that can be read electronically to us on our commute to work. Still, I learn Standards visually rather than verbally.

“Never Stop Learning”

Last year I published a blog titled “Never Stop Learning.”

In that post, I presented a model for learning that I find helpful for explaining my philosophy for training people. The first level in my Learning Pyramid is to “Read and Understand.” I call this the “newbie” stage. That is the level most of us are at right now for the draft EU regulations. The next level of the Learning Pyramid is “Show and Tell.” A course or seminar related to the draft regulations would involve training telling us about the draft regulations, and showing us some PowerPoint slides to help us visualize the changes. I think the technical term for this type of torture is “Death by a Million PowerPoint Bullets.” If your instructor is thorough in their efforts to torture you, then you will conclude this training with a quiz to demonstrate training “effectiveness.”

If you are lucky, you will start using some of that new-found knowledge immediately after the course. If you just had your 400th birthday, as I did last week, then you might have a little trouble remembering all the details you “learned” in that training course in a matter of weeks. Now, what can you do?

Look it up! Isn’t that what your teachers told you when you were growing up?

If you need to know what the proposed requirements are for Authorized Representative Agreements, you can use the search function in Adobe Reader to search for the word “agreement.” After just six clicks of the mouse, you will find where this is mentioned in Article 10 of the draft. As you read Article 10, you will rejoice! Instead of the 17-page voluminous guidance document identified as MEDDEV 2.5/10 (released in January of 2012), we now have 144 words with just four simple minimum requirements. This is streamlined.

Over the next year or two, I expect that most of the regulatory experts will gradually work their way up the Learning Pyramid to the top of the third level. This is the point where we can now claim competency.

So how do you become an expert? In order to achieve the mighty title of “Guru,” you must teach others. My blog, “Never Stop Learning,” explains how the action of teaching actually teaches the instructor as much as it teaches the student.

So what’s my point? 

Don’t Be Normal

  1. Skim the draft regulations now
  2. Take a course on the regulations in 2013
  3. Start revising procedures and technical documentation in 2014
  4. Start developing an in-house training course on the new regulations in 2015
  5. Finish training all the employees in 2016

Definitely Don’t Be Lazy

  1. Wait for the final approval of the regulations in 2014
  2. Take a webinar on the new regulations in 2015
  3. Get a nonconformity for noncompliance in 2016
  4. Hire a consultant to fix your procedures in 2017
  5. Start looking for a course on the regulations in 2018

13 Tips For Learning New Regulations

1. Read and re-read the draft regulations now

2. Read blogs and discussion threads related to the draft regulations for the next couple of months

3. Take a webinar on the draft regulations this November 28th (mark your calendar)

4. Draft a plan for revising procedures in 2013 and updating technical documentation in 2014

5. Get management approval for a training course in 2013 and resources to update procedures as per your plan

6. Take a course on the draft regulations in the first quarter of 2013; you should have quite a few questions now that you have a plan and resources

7. Make adjustments to your plan and execute it on schedule

8. Create a training program for the company just prior to final approval in late 2013

9. Make revisions to the procedures based upon feedback from trainees in your in-house course

10. Develop a detailed team plan for updating technical documentation

11. Retrain everyone and review the updated plan

12. Make updates to technical documentation in 2014 as a team

13. Be one of the first companies to get a CE certificate to the new regulations in 2015

 

 

 

Posted in: ISO Certification

Leave a Comment (0) →
Page 3 of 4 1234