Blog

Archive for ISO Certification

Using a Wiki for Document Control

The author read an article on using Wiki’s for document control, and he shares a “genius idea that is coming of age.”

Procedures can always be improved, but our goal is to make better products—not better procedures. So what could possibly be so exciting about document control that I feel compelled to write another post about “blah, blah, blah?”

I read an article about using Wiki’s for document control.

A Wiki is just a collaborative environment where anyone can add, delete, and edit content. All changes are saved, and Wiki’s can be controlled—while simultaneously being available to everyone. The most famous of all Wiki’s is Wikipedia.

In 2009, Francisco Castaño (a.k.a. – Pancho) began a discussion thread to explain how his company was using a Wiki to manage their documentation system. In the last month, ASQ published an update on the status of Pancho’s Wiki process for document control.

Writing Procedures

In most companies, the process owner writes procedures, and other people in the company rarely comment on minor errors. In the most dysfunctional companies, the Quality Department writes the procedures for the rest of the company or outsources it to consultants. Reviewing and editing procedures should be the responsibility of everyone in the company. Still, I never considered the possibility of having everyone within the company edit procedures simultaneously—until I saw Pancho’s thread. Throughout the discussion, others have indicated that they also tried using Wiki’s to optimize content. This is a genius idea that is coming of age.

Many QMS consultants, including myself, have written procedures for clients. Sometimes this is part of the consulting business model. In these cases, the consultant writes a procedure once and edits it forever—while getting paid a modest fee each time a client asks for a “new” procedure. I often think that it would make more sense to do something like Linux developers have done—use the collaboration of QMS experts around the world to create a general procedure that is free to everyone. This is possible using Wiki’s that are publicly available.

Very soon (hopefully 2013), the responsibilities section of our procedures will fundamentally change. Instead of reading and understanding, everyone will be responsible for writing and editing (oh no, I’ll have to create a new learning pyramid).

Quality will no longer be responsible for writing procedures. Instead, the quality function can focus on monitoring, measuring, data analysis, and improvement of processes and products. The downside is that we will need fewer personnel in document control.

If you want to learn more about Wiki for document control, follow this thread I found on Elsmar Cove. It’s rich in content, and even the moderators have been forced to rethink their preconceptions.

You should also read two articles by Pancho:

  1. Using a Wiki for Document Control
  2. Using a Wiki to Implement a Quality Management System

Posted in: ISO Certification

Leave a Comment (3) →

Best In Class Process Validation Program

This blog reviews a best in class CNC machining process validation program. Our author writes, “In general, the best approach is a risk-based approach.”

The original question from a former client was: “What does a best in class CNC machining process validation program look like?” Although I intend to answer this question, I know a few other clients that have done a great job of this. Hopefully, they will add their own opinions as a comment. Therefore, I am expanding the scope of this question to validation in general.

Process Validation

The problem with validation is that you can always do a more thorough validation. Only in the cases of processes, such as sterilization, do we have ISO Standards that tell us what is required. Otherwise, we are usually the experts, and we have to use our judgment as to what is necessary. In general, the best approach is a risk-based approach.

For each design specification established for a component, we also need to identify what process risks are associated with failure to meet the specification. Most companies perform a process Failure Modes and Effects Analysis (pFMEA). This risk analysis has three quantitative components: 1) severity of the failure’s effect, 2) probability of occurrence, and 3) detectability. The first factor, severity, is based upon the intended use of the device and how that component failure impacts that use. Usually, it is important to have a medical professional involved in this portion of the estimation.

The second factor, probability, is typically quantified during process validation activities. One company I audited developed a ranking scale for the probability that was linked directly to the CpK of the process. Higher CpK values received lower scores because the process was less likely to result in an out-of-specification component. Another company I worked for used a six-point logarithmic scale (i.e., – 10e-6 = 1, 10e-5 = 2, 10e-4 = 3, 10e-3 = 4, 10e-2 = 5, and 10e-1 = 6). This logarithmic scale was based on sterilization validation, where a sterility assurance level of 10e-6 is considered “validated.”

The third factor, detectability, is best estimated by using a quantitative scale that is based upon a gauge R&R study or some other method of inspection method validation.

Most companies struggle with the determination of what is acceptable for design risk analysis. However, for process risk analysis, it is usually much easier to quantify the acceptable risk level.

Corrective Action

Once you have determined that a process is not acceptable at the current residual risk level, then you must take corrective actions to reduce the risk. The first step to achieve this should be to review the process flow. There are critical control points that can be identified in the process flow. One of those places is at the end of the process at the inspection step in the process.

The inspection step in the process flow affects the detectability of defects. For many automated processes, such as CNC machining, it is not reasonable to perform 100% inspection. Therefore, these processes require validation. Most engineers make the mistake of trying to validate every dimension that is machined. However, only some of the aspects result in device failures. These are the dimensions that are critical to validate. The best practice is to calculate the process capability for meeting each of these critical specifications (i.e., – CpK). A minimum threshold should be established for the CpK (refer back to the process risk analysis for ideas on linking CpK to risk acceptance). Any CpK values below the threshold require a more consistent process. These are the component specifications that should be the focus of process validation efforts.

During a process validation, it is often advisable to perform a Design Of Experiment (DOE) in order to quantify the effects of each process variable. Typically a DOE will evaluate the impact on CpK for each variable at a high, low, and middle value, while other variables are maintained at nominal values. Any variables that appear to have a significant impact on the CpK are candidates for performing an Operational Qualification (OQ). For a machining process, this could include spindle speeds, feed rates, and material hardness. If variation of the variable has little or no impact upon the CpK, then there is probably little benefit to the inclusion of this variable in an OQ.

The output of an OQ validation should be high and low limits for each process variable that will result in a “good” part. Performance Qualification (PQ) validation is the final step of process validation. In the PQ, most companies will conduct three repeat lots at nominal values for the variables. If the OQ is designed well, there is often little added value in the PQ. Therefore, the sample size is typically three lots of 10 samples each. If the OQ validation does not clearly identify safe operating limits for the variables, or the process has the marginal capability (i.e., – a low CpK), then the OQ should be repeated, and an additional DOE may be needed.

Information Resources

Here are a few information resources for those of you that are in “Deviceland”

  1. Guidelines for the Validation of Chemical Methods for the FDA Foods Program (3/22/2012) – http://www.fda.gov/downloads/ScienceResearch/FieldScience/UCM298730.pdf
  2. Process Validation: General Principles and Practices (January 2011) –  http://www.fda.gov/downloads/Drugs/…/Guidances/UCM070336.pdf
  3. Guidelines for the Validation of Analytical Methods for the Detection of Microbial Pathogens in Foods (9/8/2011) –  http://www.fda.gov/downloads/ScienceResearch/FieldScience/UCM273418.pdf
  4.  CPG Sec. 490.100 Process Validation Requirements for Drug Products and Active Pharmaceutical Ingredients Subject to Pre-Market Approval (3/12/2004) –  http://www.fda.gov/ICECI/ComplianceManuals/CompliancePolicyGuidanceManual/ucm074411.htm?utm_campaign=Google2&utm_source=fdaSearch&utm_medium=website&utm_term=validation&utm_content=3
  5. Q2 (R1) Validation of analytical procedures: text and methodology (June 1995)http://www.ema.europa.eu/ema/index.jsp?curl=pages/regulation/general/general_content_000431.jsp&mid=WC0b01ac0580029593&jsenabled=true

Posted in: ISO Certification

Leave a Comment (0) →

How to Write A Procedure: 6 Secrets to Improve Effectiveness

The author, an experienced trainer, shares six secrets for how to write a procedure and improves its effectiveness.

During a CAPA course I taught earlier today, one of the attendees asked if I have a course on “How to Write Better Procedures.” Unfortunately, the only material I could offer was material from a course I taught on Training the Trainer.” That training course focused on visual communication. There are several books related to Lean Manufacturing that explain indepth how to use visual communication to replace text (i.e., – “a picture says a thousand words”). During my ride home, however, I thought of a few other ideas that might help anyone that is in the process of writing or re-writing a procedure.

1. Develop a standardized format for procedures. If you have a procedure for writing procedures, ensure you allow the flexibility to deviate from the standardized format. The Standard does require that procedures have a “mandatory” format. Referring to the standardized formatting as “suggested formatting” will avoid unnecessary nonconformities.

2. Avoid making unnecessary references to other external standards. If you are writing a procedure on risk management—it makes sense to reference ISO 14971. It does not make sense to reference all the other risk analysis standards, unless you are specifically using them to perform risk analysis. Included in this category would be references to other regulatory requirements, such as 21 CFR 820 or Part 1 of the Canadian MDR. Companies can claim compliance with other requirements in the Quality Manual instead. What should be referenced in a document is any related procedures or forms.

3. Avoid including the revision of a Standard. This is just another opportunity for unnecessary nonconformities. If you don’t specify the revision, then an auditor can only assume that the most current revision of the Standard is implied. If changes to a Standard are minor, no changes to a procedure may be warranted and a revision to the procedure can be avoided—assuming that the revision of the Standard is not specified. Some argue that you should include the revision and update the reference to document that the procedure was reviewed to determine if changes were warranted. This is unnecessary. A review of procedures, where the decision is made for “no change,” can easily be documented in the Management Review under the category of “New and Revised Regulatory Requirements.”

4. Indicate the process owner and training requirements associated with each procedure. By doing this, it is easier to define who is responsible for reviewing and revising procedures—as well as who is assigned CAPAs if there are findings related to the process in question.

For the training requirements, the process owner should specify who needs to be trained on the process. Why? They know the procedure best. If there is a “grey area,” this should be resolved with the department manager for the job function in question. In addition, retraining requirements should be specified. By this, I mean that it is a good idea to indicate if retraining is required when a procedure has been revised. If the revision is minor, training should only be required for people that have not been trained to a previous revision.

5. Adopt the Plan-Do-Check-Act (PDCA) model for the structure of procedures. For the “Plan” portion, the procedure should explain how to prepare to do something. This planning activity can apply to anything from planning to perform an audit to planning to inspect incoming raw materials. The “Do” portion is what most people refer to as the “Procedure” section. The “Check” portion of the procedure is a great place to specify the monitoring and measurement requirements for the process (see Section 8.1 of the Standard). Finally, the “Act” portion of the procedure should indicate what to do when target metrics are not met. For example, what should be done when an alert limit is reached? What should be done when an action limit is reached?

6. Include revision history. It’s extremely helpful to know which Engineering Change Order (ECO) approved the document revision, why the changes were made, the nature of changes, whether there is a related corrective action and when the change was made.

 

Posted in: ISO Certification

Leave a Comment (1) →

Effective Management Skills for Managers

This blog reviews some practical management skills that managers should possess.

Are you frustrated?

Sometimes we hear phrases like: “Well, that’s just an ISO requirement.” This apparent lack of support by top management is what frustrates every Management Representative in the world.

There was a question posted on the Elsmar Cove website on January 10, 2011. In just ten days, there have been 153 postings in response to the original question. As I read through the various postings, I saw several comments about a lack of support from top management.

A little over a decade ago, I was still learning how to supervise people. In an effort to educate myself further, I read a book (sorry I can’t be sure which book anymore). In this book, the boss gave an employee a card with a picture of a baseball bat on it. The instructions provided with this magical card were to use it only when the boss failed to pay attention, and the employee had something important to tell him.

As managers, we assume the impressive title, along with the awesome responsibility. Managers are responsible for leading others. Subordinates are not the “others” I am referring too. The “others” are peers. If you cannot persuade your peers to support you, then you will fail as a manager. The Quality Department cannot fix all the problems. My philosophy is that Quality is responsible for recommending improvements, training people, and helping to implement. We assign corrective actions, but we should be assigning them to the process owner (i.e., – Manager) that is responsible for the area where the problems were created.

Effective Management Skills

If you need help persuading the unenlightened, try picking a project that is critical to the success of the stubborn one. If you can show someone that is currently a detractor how they can apply the Quality principles to help solve their problems, then you will have a convert. Converts become strong supporters. If the stubborn one happens to be at the top, figure out what the CEO’s initiatives are. Initiatives are easy to identify; they talk about it at least twenty times a week. Try showing the CEO how their actions can become Quality Objectives. Show them with graphs. Show up with solutions to their problem. Use the CAPA process as a framework. Show them how the management TEAM can fix it.

If nothing seems to be working, you can always try reviewing some FDA MedWatch reports too–just to scare your boss.

Posted in: ISO Certification

Leave a Comment (0) →

Management Representative Requirement: ISO 9001:2008

The author reviews the Management Representative section 5.5.2 of ISO 9001:2008 requirement and provides eight (8)  proposed actions to take for companies who receive a finding against this section.

The idea for this posting was from a thread I found on Elsmar Cove: http://elsmar.com/Forums/showthread.php?t=45658

One person posted a question about the requirement for the Management Representative (MR) to be a member of the organization’s management (see section 5.5.2 of ISO 9001:2008). Companies that are seeking initial certification sometimes struggle with this requirement. Some struggle because they do not have anyone in-house that is sufficiently trained to be the MR. Other companies struggle because they are very small and outsource their QA functions to a consultant. The following blog is targeted at helping these companies.

Auditing

I audit companies to the ISO 13485 (medical Quality Management System (QMS) & 9001 (QMS) Standards. The intent of both Standards was always to have the MR be part of management, but some companies did not interpret the Standards in this way. With the 2008 revision of 9001, the possibility of misinterpreting the meaning is much less likely. Companies that receive findings during the Stage 1 or Stage 2 audit for this requirement usually fall into one of two categories. Category #1: our company is small, and the only person that knows enough about ISO requirements is not a member of management. Category #2: our company is small, and we outsource QA functions.

The good news is that any manager can be assigned the responsibility of being MR. One of my clients assigned this responsibility to the VP of Sales. Another company appointed this responsibility to the Director of R&D. Both of these individuals had to put in the time to learn about their quality management systems, but both have embraced the challenge, and I have learned much from them. They have a different perspective and bring a lot of value to the MR role. The bad news is: whomever you assign has to learn enough to be competent in the position.

The definition of “Management” is typically a stumbling block. Most people think of managers requiring that they have other people reporting to them. This is not absolute. The MR should report directly to a top manager, such as the President or CEO, to prevent conflicts of interest. As a manager, they should not require a great deal of direct supervision, and the President or CEO should not be overly burdened by adding one person to their list of direct reports. Some auditors like to see a “deputy MR” identified. My advice is to have the CEO or President sufficiently trained that they can be the “back-up” when the MR is on vacation.

Every manager should know enough about their subordinate’s job duties that they can “fill in. MR’s should be involved in senior staff meetings too, but not necessarily at the same frequency as every other senior staff manager. Typically, operations and sales have the most frequent meetings with the CEO–often weekly. Finance generally is monthly. HR and the MR might be bi-monthly or quarterly. Communication of the status of quality objectives should be regular reports to all senior staff, but you don’t have to have a Management Review to communicate the status. If the company is small enough to have only one QA person, there probably isn’t a need for more than one or two management review meetings per year.

Management Representative Finding: 8 Proposed Actions to Take

If your company has a finding against clause 5.5.2, I recommend the following actions:

1. Assign a person that is already a member of your senior staff as MR.

2. Document the responsibility in the person’s job description.

3. Document the responsibility in the org chart.

4. Assign the person’s direct supervisor (typically the CEO or President) as a “deputy MR.”

5. Find an excellent webinar on ISO training for the new MR and their boss (ideally one with a quiz and a certificate).

6. Have the new MR develop a 45-minute presentation for the senior staff on the topic of Management Responsibilities. This training should cover all of section 5 in the Standard.

7. Give the senior staff a 15-minute multiple-choice quiz to evaluate the effectiveness of the training.

8. Have the new MR discuss the delegation of various management review inputs (see section 5.6.2) with their boss. Quality should be a shared responsibility, and Management Reviews will be more effective if everyone participates.

Posted in: ISO 9001:2008, ISO Certification

Leave a Comment (0) →

Elsmar Cove – Wikipedia for QA Professionals

The author discusses The Elsmar Cove Forum as a great information resource on best practices and trends for Quality Assurance professionals.

Most of the people reading my blog are probably aware of a website called Elsmar Cove, but I think most people visit this site only when they need a quick answer to a question. It’s sort of like Wikipedia for Quality Assurance. Marc Smith is the creator of Elsmar Cove, http://elsmar.com/, and the forum just had its 15th anniversary. This is a no-frills website that has fantastic content and very little advertising. People from all over the world (~18,000 active participants) are contributing daily to this forum, and many of the contributors are Quality and Regulatory experts. I like to use the site to keep up on best practices and trends in Quality. It also allows me to learn from other types of Quality Systems, such as AS9100, TS16949, and ISO14001.

Someone I used to work with had a saying he learned from his first boss: “A picture tells a thousand words, but a demonstration is better than a thousand pictures.” Therefore, I thought I would try to demonstrate the power of Elsmar Cove by researching best practices in supplier evaluation.

Step 1: The first thing you do is to visit the site.

Step 2: Type “supplier evaluation” into the Google™ custom search. This will produce hundreds of links within the Elsmar Cove Forum related to supplier evaluation.

Step 3: Skim the search results to find the entry or entries you are looking for. These search results include a supplier evaluation survey that you can download and adapt to your own company. If you need a quick solution, this is fast and free.

Another approach is to limit your search to Forum discussion threads. You can do this by going to the Forum Discussion page: http://elsmar.com/Forums/index.php.

If you click on the toolbar link for “search,” a pop-up window will appear. If you type “supplier evaluation” in this search bar, you will see 531 results presented in reverse chronological order. Below are a couple of threads that I thought were particularly good:

Benchmarking Supplier Certification Programs

http://elsmar.com/Forums/showthread.php?t=42595&highlight=supplier+evaluation

Service Supplier Rating where objective pass/fail data is not available

http://elsmar.com/Forums/showthread.php?t=44412&highlight=supplier+evaluation

Choosing Supplier Evaluation Methods – Determining what a Critical Supplier is

http://elsmar.com/Forums/showthread.php?t=10951&highlight=supplier+evaluation

Supplier Approval for Distributors of Equipment

http://elsmar.com/Forums/showthread.php?t=43508&highlight=supplier+evaluation

Second-party audits – Supplier audits or product audits?

http://elsmar.com/Forums/showthread.php?t=30966&highlight=supplier+evaluation

How you do Receiving Inspection for Chemicals?

http://elsmar.com/Forums/showthread.php?t=44951&highlight=supplier+evaluation

Supplier Evaluation Responsibility

http://elsmar.com/Forums/showthread.php?t=43756&highlight=supplier+evaluation

I hope you find Elsmar Cove to be a useful information resource.

Posted in: ISO Certification

Leave a Comment (2) →
Page 4 of 4 1234