You searched for 13485 - Page 22 of 27

Jan 25 2015

Supplier Quality Management Procedures (SYS-011)

Supplier Quality Management Procedures/Forms (SYS-011) and Webinar Bundle

SYS-011 - Supplier Quality Management Procedures/Forms

SYS-011 Supplier Quality Management Procedures/Forms - This procedure package includes 8 documents. The procedure is compliant with ISO 13485:2016 and 21 CFR 820.50. The procedure also meets the requirements of the Canadian Medical Devices Regulation (SOR 98/282) and the European Medical Device Regulation (2017/745).

Price: $299.00

This Supplier Quality Management procedure is written with the intent to meet the regulatory requirements for ISO 13485:2016, Clause 7.4 and 21 CFR 820.50. The procedure is 11 pages in length.

What you will receive

Document control lists and forms are also included within this procedure. These documents are updated for the US FDA Quality System Regulation (QMSR), ISO 13485:2016, and the new European Regulations. The following is a list of documents included:

SYS-011 v0.10 Supplier Quality Management
TMP-003 v0.5 Supplier-Internal Audit Report Template
TMP-002 v0.1 Supplier Evaluation Report Template
SYS-011 Supplier Quality Management Training 4-15-2024
Quality Agreement Table
LST-008 v0.1 Nonconformity Report Register
LST-003 v0.3 Approved Supplier List
FRM-037 v0.1 Supplier Quality Agreement
FRM-008 v0.4 Nonconformity Report (NCR)
FRM-005 v0.1 New Supplier Approval Request Form
FRM-004 v0.1 Supplier Questionnaire

If you would like to ask specific questions about the document control procedure and process, please submit them via email or schedule a call using the calendar app on our contact us page. All content deliveries will be sent via AWeber emails to confirmed subscribers. Please check your spam folder if you don’t receive the content automatically.

Please note: This product will be delivered to the email address provided in the shopping cart transaction. After the transaction is verified, please check your email for the download.

To view all available procedures click here

To review a sample Medical Device Academy procedure click below:

About Your Instructor

Rob Packard is a regulatory consultant with ~25 years of experience in the medical device, pharmaceutical, and biotechnology industries. He is a graduate of UConn in Chemical Engineering. Rob was a senior manager at several medical device companies—including the President/CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing, and maintaining ISO 13485 and ISO 14971 certifications. From 2009 to 2012, he was a lead auditor and instructor for one of the largest Notified Bodies. Rob’s specialty is regulatory submissions for high-risk medical devices, such as implants and drug/device combination products for CE marking applications, Canadian medical device applications, and 510(k) submissions. The most favorite part of his job is training others. He can be reached via phone at +1.802.281.4381 or by email. You can also follow him on YouTube, LinkedIn, or Twitter.

Supplier Quality Management Procedures (SYS-011) Read More »

Jan 19 2015

FDA Inspections-Complaint Investigation Requirements-Part I

“FDA Inspections-Complaint Investigation Requirements-Part I” is a two-part series that provides an overview of 21 CFR 820.198 requirements.

Last week, I received a message from someone asking for advice on how to perform a complaint investigation. She has a complaint handling procedure that explains how to determine if complaints are reportable (http://bit.ly/Medical-Device-Reporting), and she is the complaint coordinator. Her procedure includes a list of pre-determined cause codes for the most common complaints the company has received in previous years. Her system does not require a complaint investigation if an existing cause code is identified. She would like to know how to perform an investigation if she receives a complaint that does not fit one of the existing cause codes.

Is It a Complaint?

Most discussions about complaint handling begin with the definition of a complaint [i.e., 21 CFR 820.3(b); http://bit.ly/21CFR820-3]. However, if a complaint is received during an investigation of a device rather than the use of the device, the FDA will still consider this as being “after releasing for distribution.” The reason is that release for distribution occurs at final inspection. If the device breaks during installation, the device was still distributed.

One last question. Is it correct to consider a complaint only when the device is live and not during the settings and installation process of the device? (The definition states “after it is released for distribution,” what do they mean by this?).

What is Required?

The FDA QSR section specific to complaint handling is 21 CFR 820.198 (http://bit.ly/820-198). There are seven subsections (i.e., “A” through “H”) that comprise the regulation.

Manufacturers shall maintain complaint files and establish procedures for complaint handling.
Manufacturers must review and evaluate if an investigation is needed.
Manufacturers must perform an investigation automatically for any complaint involving a device malfunction–unless an investigation has already been performed for a similar complaint.
Separate files shall be maintained for complaints that involve adverse events that are reportable under 21 CFR 803 (http://bit.ly/21-CFR-803).
The content of a complaint investigation record is specified in this subsection.
When the complaint handling unit is located at another facility, the records of investigations shall be reasonably accessible to the manufacturing establishment.
When the complaint handling unit is located outside the USA, then the records must be reasonably accessible at a U.S. manufacturer or the location of an initial distributor.

What Does the FDA Expect to See?

FDA inspectors are guaranteed to sample complaint records and CAPA records during every routine inspection. The complaint records sampled will typically be limited to a specific product family that has been selected as the focus of the investigation. Most companies have an electronic log of the complaints, and the investigator may request a sorted list that only includes complaints specific to that one product family. The investigator will already be aware of all of your reported adverse events associated with the product family, and there may be one or two records they specifically want to investigate. The investigator will also review the complaint log to see if there are any complaints with a description that sounds like it might be reportable–even though the complaint was not reported.

The investigator will verify that each complaint record includes the content specified in subsection “E”:

name of the device;
the date the complaint was received;
any device identification(s) and control number(s) used;
the name, address and phone number of the complainant;
the nature and details of the complaint;
the dates and results of the investigation;
any corrective action is taken; and
any reply to the complainant.

In my response to the question that I received, I also included advice on how to conduct an investigation. In general, the investigation is no different than an investigation for any CAPA. The first step is to perform a root cause analysis. The second part of this article will explain the investigation process in more detail.

Register to receive email notification of new blog postings (http://bit.ly/MDA-Blog), so you can read the second part of this article next week. If you are interested in learning more about complaint handling, you might be interested in downloading the webinar that Medical Device Academy recorded last year for complaint handling and vigilance reporting (http://bit.ly/Complaint-Webinar-Landing). We can also help you one-on-one with a current complaint investigation you are conducting. Please don’t hesitate to contact me and ask for help: Mobile: 802.281.4381 or rob@13485cert.com.

FDA Inspections-Complaint Investigation Requirements-Part I Read More »

Jan 13 2015

Obtaining a Health Canada Medical Device License (Case Study)

7 Comments / Health Canada / By Robert Packard / canadian medical device license, health canada medical device license, obtaining a canadian medical device license, obtaining a Health Canada medical device license

This article explains the process for obtaining a Health Canada Medical Device License through a hypothetical case study. Canadian Medical Device Licensing is generally a more straightforward process than the 510(k) submission process for the US FDA and the European CE Marking Process. Therefore, launching a new product in Canada is one of the fastest ways for start-up medical device companies to achieve initial cash flow.

For this case study, I chose the maker of Krazy Glue^® as a hypothetical new client. The company wants to start selling their products as medical devices. Fortunately for them, companies have been selling cyanoacrylate (e.g., – Krazy Glue^®) as a medical device for years. Therefore, my client needs to decide if they want to sell the product as 1) a liquid bandage, 2) a topical adhesive to replace sutures, or 3) a vascular repair device for use inside the body during surgery. The client indicates that they want to sell cyanoacrylate as a medical device all over the world. Therefore, after a little homework, the client decided that a “topical adhesive” application will give the company higher margins of a medical device for prescription use. Still, it will also avoid the costly Pre-Market Approval (PMA) process at the FDA. I recommend that the client try a pilot launch in Canada first to evaluate their new packaging ideas on a smaller market than the USA or Europe.

Even though I have submitted multiple-device license applications to Canada, my first job in Regulatory Affairs taught me the most valuable lesson of all: “Always check the source.” Therefore, I went to the “helpful links” (http://bit.ly/RA-Resources) page of my website to find the Canadian Medical Device Regulations (CMDR), but for those of you that just don’t want to work that hard, here’s the direct link: http://bit.ly/SOR-98-282. The CMDR was most recently updated on December 8, 2014, but there have been no amendments to the regulations since December 16, 2011. If you want to know what the difference is between the current version and the previous version, I wrote an entire blog posting on just that topic (http://bit.ly/CMDRChange). The posting is 701 words long, but the two-word answer is: “Not much.”

Once I find the most recent version of the CMDR, I skip ahead to the bottom of page 54. Rule 4 states that “all non-invasive devices that are intended to come into contact with injured skin are classified as Class 2.” This is the applicable rule for a topical adhesive, but with device classifications, I always verify the Classification by looking up the license for a competitor product. The competitor product I selected was “Surgiseal.” I wasn’t sure who the manufacturer was for Surgiseal™, so I used Health Canada’s Medical Device Active License Database and searched by “Device Name.” In this case, I quickly found the license information I needed. Still, sometimes I use the US FDA website’s Registration and Listing Database (http://bit.ly/CDRH-Registration-Listing-Database) to identify device names and the name of manufacturers. The Canadian Device License information for Surgiseal™ is shown below:

After verifying, this is a Class 2 device in Canada, I reviewed the Canadian Licensing Process for Class 2 devices. Starting on page 16 of the CMDR, Section 32, I reviewed the process of applying for a Medical Device License. I also reviewed the Guidance Document for “How to complete a new medical device license application.” The location of that Health Canada Guidance Document is http://bit.ly/Canadian-Device-License. Fortunately, this is a Class 2 device, and the requirements are primarily to complete the application form for a new Class 2 device license (http://bit.ly/Canadian-Device-License-Form), sign attestations regarding compliance with the safety and effectiveness requirements (Section 10-20 of the CMDR) and compliance with the labeling requirements (Section 21-23 of the CMDR). The application form has a new section requiring information about the phthalate content of the device in the application. However, this tissue adhesive would only have phthalates if it was contained in the packaging.

Obtaining a Health Canada Medical Device License: The Process

After reviewing all the requirements for a device license application, I meet with the client to explain the next steps of the process:

The client needs to upgrade its existing ISO 9001:2008 Quality Management Certificate to an ISO 13485:2003 Certificate with CMDCAS. “CMDCAS” is the Canadian Medical Device Conformity Assessment System (http://bit.ly/CMDCAS-Certification-Part2). The Quality System Auditor from the registrar will look for additional requirements specific to the CMDR, but all of these requirements are identified in GD210—another guidance document from Health Canada. This will only require a one-day external audit to upgrade the scope of the current certification.
The labeling needs to be revised to meet the requirements for Sections 21-23 of the CMDR. Since this product will be used by Medical Professionals, rather than an over-the-counter product, the labeling requirements are similar to Europe and the U.S. The most important thing to do will be to implement the use of appropriate symbols found in ISO 15223:2012—an Internal Standard for Labeling and Symbols.
The client will need to conduct an internal audit to the CMDR requirements before the certification upgrade audit. If I make revisions to the client’s quality system, then another auditor on my team will conduct the internal audit remotely. If the client makes the changes to the quality system themselves, then I can conduct the internal audit myself.
Finally, once the new CMDCAS Quality System Certificate is received, we can complete the medical device license application and submit the application with a copy of the new certificate.

In my proposal to the client, I estimate that the entire process will require less than 60 days. When the client gets an upgrade quotation from their registrar, the earliest date available is in 10 weeks, but their annual surveillance audit is already scheduled for 13 weeks. Therefore, the client decided to combine the upgrade audit and the annual surveillance audit to save money on the travel costs and to give themselves more time to prepare for the upgrade to CMDCAS certification.

Not all applications are this easy. For higher-risk devices (i.e., Class 3 and 4), Summary Technical Documentation (STED) must be submitted in both paper and electronically. Health Canada provides guidance documents for this, and there is a Global Harmonization Task Force (GHTF) document that explains how to prepare these documents. Depending upon the Classification and complexity of the device being submitted, this documentation can take weeks or months to prepare.

The STED documents described above meet the European CE Marking requirements for the content of a Technical File, and most of the STED documents can be modified to meet 510(k) submission requirements of the US FDA. Preparation of STED documents, including STEDs for biocompatibility testing and sterilization validation, can be prepared in parallel with obtaining ISO 13485:2003 certification. The only item that should require additional time is the clinical summary–if clinical studies are required.

If your company needs help with Canadian Medical Device Licensing, please contact Rob Packard.

Obtaining a Health Canada Medical Device License (Case Study) Read More »

Jan 7 2015

11 Steps to Obtaining CMDCAS Certification-Part 2

2 Comments / Health Canada / By Robert Packard / 11 Steps to Obtaining CMDCAS Certification-Part 2, CMDCAS, CMDCAS certification

“11 Steps to Obtaining CMDCAS Certification-Part 2” focuses on the process of updating the quality system and preparing for your certification audit. The first three steps focus on classification and selecting a registrar.

Steps 4: Writing a Licensing Procedure

Nowhere in the Canadian Medical Devices Regulations (CMDR), or ISO 13485, does it require that you have a procedure for licensing or writing your technical documentation. However, most of the registrar auditors I have observed expect to see a procedure for this. You can reference Health Canada’s guidance documents (http://bit.ly/CanadianGuidance) and the CMDR (http://bit.ly/CanadianMDR), but that’s not enough. Typical audit questions I see on regulatory checklists include:

Is the company required to notify Health Canada of changes to the certificate within 30 days?
Is the classification rationale documented?
What is the procedure for maintaining technical documentation for Health Canada?
Is there a procedure for identifying significant changes that require notification of Health Canada (http://bit.ly/Canada-Significant-Change)?

Step 5: Mandatory Problem Reporting (MPR)

Some companies choose to have one procedure for adverse event reporting that covers all the countries that they distribute the product(s) in. However, I recommend having a separate procedure for each country that is shorter and will require updates less often. It’s a personal preference, but I find people are intimidated by a longer, combined procedure. The following are the key elements for the MPR procedure:

decision tree for when to report
timescale for reporting deadlines
form references
address for reporting
reminder to report the event to the US FDA if the product is also sold in the USA

Step 6: Recall Procedure

Unlike the MPR procedure, I recommend having only one recall/advisory notice procedure to comply with Health Canada’s requirements and the rest of the worlds’ regulatory requirements. I typically choose this approach, because the recall/advisory notice procedure is less complex than the adverse event reporting procedures. The key element I look for in this procedure is the address for notifying Health Canada of a recall because there is a different address in each region of Canada.

Step 7: Finding a Distributor

A Canadian Medical Device License is a license to distribute medical devices. Only Class I devices require an establishment license. Therefore, your company will be able to sell directly to physicians prescribing your device if you have a Class II, III, or IV Medical Device License. If you choose to use a distributor in Canada, the distributor must meet the requirements for record-keeping, and demonstrate the ability to conduct a recall, if necessary. Often, this is done by having a quality agreement in place, which stipulates the retention of distribution records. Also, your company should conduct a mock recall once distribution has begun. This will ensure that the distributor is compliant with the requirements for maintaining distribution records. The instructions for conducting a mock recall will be included in the revisions to the recall/advisory notice procedure described in Step 6.

Step 8: Training

The most common root cause of audit findings related to the CMDR is a lack of understanding with regard to the regulatory requirements. A better procedure can help, but there is no substitution for training on the CMDR. The CMDR is relatively easy to understand when compared to European Regulations, and the CMDR is shorter in length than US FDA regulations. However, most people have a lot of difficultly understanding the jargon of medical device regulations unless they are a regulatory expert. Therefore, it is essential to develop training that summarizes the CMDR for anyone in your company that will be involved with complaint handling, adverse event reporting, recalls and regulatory submissions–including design changes.

Medical Device Academy has a recorded webinar designed explicitly for company-wide training when companies are preparing for CMDCAS certification: http://bit.ly/CMDCAS-webinar. The cost of the webinar is $129, and there is a 10-question exam to verify the effectiveness of training. The exam costs $49 to grade, correct answers are explained for each question, and a certificate is issued for a passing grade of 70% or more.

Step 9: Internal Auditing

Your registrar will verify that you conducted an internal audit of the quality system for compliance with applicable sections of the CMDR. This can be performed by one of your internal auditors or a consultant. The audit can be completed on-site, but sometimes a remote desktop audit will suffice. Since there will be no records of distribution, licensing, complaints, or recalls before the CMDCAS certification–there is little value in conducting an on-site audit before certification. The duration of the internal audit should not exceed a day. It typically can be completed in four hours by an experienced auditor–plus a couple of hours of audit report writing.

Step 10: Conducting the CMDCAS Certification Audit

Your registrar conducts this step. Any audit findings will require a corrective action plan that is accepted by the auditor before the new certificate can be issued. The new CMDCAS certificate will look very similar to the existing certificate, but there is typically an additional logo indicating compliance with CMDCAS. This is not the same as the SCC logo indicating accreditation by the Standards Council of Canada. Once the initial extension to the scope is completed, the continued certification is evaluated as part of the normal surveillance audits and re-certification audits.

Step 11: License Application Submission

For a Class 2 device license application, you need to complete a form, send a check, and include a copy of your new ISO 13485 Certificate with CMDCAS. The response from Health Canada is typically within 15 days or less–depending upon the current workload. Class III and IV device license applications are more complex and require technical documentation–including a clinical evaluation.

The timelines for approval of a Class III or IV device license is closer to the timeline for a 510(k) clearance letter from the US FDA. Health Canada’s Device Licensing Division is quite responsive to email inquiries, and they will respond to voicemail messages. Once a license is issued, it is typically faxed to the company, and a hardcopy is mailed. I recommend a dedicated fax number for your regulatory affairs department.

Medical Device Academy, Inc. has a complete set of generic quality system procedures–including Canadian Medical Device Licensing and Mandatory Problem Reporting. Since the requirements for reporting adverse events is quite different in each country, it is not recommended to combine these procedures with other procedures. The cost of purchasing generic procedures from Medical Device Academy in a native MS Word Format is $300/procedure. Purchase grants your company a non-exclusive license to the content of the procedure for internal use. Please email Rob Packard if you are interested.

11 Steps to Obtaining CMDCAS Certification-Part 2 Read More »

Jan 2 2015

11 Steps to Obtaining CMDCAS Certification: Part I

4 Comments / Health Canada / By Robert Packard

“11 Steps to Obtaining CMDCAS Certification-Part I” focuses on the process of verifying the classification, selecting a registrar, and more.

Step 1: Verify Classification

There are four device risk classifications in Canada: I, II, III, and IV. If your device is Class I, then you can work with a distributor in Canada that has an establishment license. However, if your device is Class II, III, or IV, then ISO 13485 certification with CMDCAS is required as a prerequisite for a Canadian Medical Device License Application. Therefore, before you waste time and money on upgrading your ISO 13485 certification to include CMDCAS, you should ensure that your device is Class II-IV.

Each country has slightly different regulations. Often the risk classification is different between the two countries. However, in the following example, the classification is identical. If a device is an active, therapeutic device, then the device is typically classified as Class 2, as per Rule 9 of the CMDR. The rule and the rationale are identical to the EU classification of Class IIa, per rule 9 in Annex IX of the MDD. A manufacturer can confirm this classification by sending an email to the Device Licensing Division, asking them to confirm the classification rationale. Including a copy of the draft, IFU is recommended, so that Health Canada is aware of the intended use when they are verifying your classification rationale. Verification typically is completed within ten days, and there is no charge. If you need help determining the classification, please contact Rob Packard.

Step 2: Health Canada recognizes a verified Registrar

The process for becoming a CMDCAS auditor is one of the most challenging examinations that I have ever taken (http://bit.ly/Instructor-Effectiveness). However, the process of becoming a recognized registrar for CMDCAS is even more challenging. Health Canada acknowledges only 15 registrars. Therefore, ensure that your registrar is on the list first http://bit.ly/RecognizedRegistrars.

If you are selecting a critical subcontractor (i.e., “subcontractors in charge of processes which are essential for ensuring compliance with legal requirements”), you should verify that the company has a registrar that is recognized by Health Canada, as well. If not, this may result in the need for additional scrutiny of the critical subcontractor by the registrar–including the potential for an audit. If you need help selecting a registrar from the 15 recognized registrars, you should read our blog on this topic: http://bit.ly/SelectingRegistrar.

If your registrar is not one of these 15, then you will either need a second registrar, or you will need to transfer to a new registrar. The transfer process is a little different from each registrar. Still, generally, the new registrar must review previous audit reports, your certificate, and any corrective actions that are associated with the previous regulatory audit. This is typically completed in a one day audit that may be on-site or remotely conducted. The next step is to obtain a quote.

Step 3: Obtaining a Quote for CMDCAS Certification

Every registrar I know has a long application form that needs to be completed before they can provide a quote for CMDCAS certification. You will need company information about the various locations for each site covered by the quality system certificate–including the number of people, shifts, and types of activities conducted at each location. If you already have ISO 13485 certification, the quotation will be for an extension to the scope of the original quality system certification. An extension to scope audit is typically one day in duration. Upon successful completion of the audit, your company is recommended for CMDCAS certification, and the existing ISO 13485 certificate is replaced with a CMDCAS Certificate. For some companies, the scope of activities requires that you maintain your original certificate and the new CMDCAS certificate.

Once you obtain your quote(s) for upgrading to CMDCAS, then you must schedule your audit. Typically, auditors are booked at least 90 days in advance. Since the process of making upgrades to your quality system takes no more than 90 days, I don’t recommend waiting to make changes. Just go ahead and schedule the audit, and now you have a real deadline for everyone to work toward.

Part 2 of this article will explain the changes you need to make to the quality system to prepare for your CMDCAS audit.

11 Steps to Obtaining CMDCAS Certification: Part I Read More »

Oct 22 2014

Medical Device Validation Document Resources

1 Comment / Validation / By Robert Packard / medical device validation, medical device validation document resources

This blog provides a list of medical device validation resources and explains how to create your resource list.

The first step to understanding how to conduct successful validations are always to read and re-read the requirements of the documents below:

21 CFR 820.30(g)
21 CFR 820.75
ISO 13485, Clause 7.3
ISO 13485, Clause 7.5.2

Unfortunately, we sometimes need to consult a reference guide that explains aspects of the requirements.

Max Sherman (http://bit.ly/MaxSherman) is finishing a new handbook on design and process validation that will be published through RAPS. The following is a list of resources for the process and design validation that I am submitting for publication in the book. Many of these resources are free, and these are the resources I use to learn and teach principles of validation.

GHTF/SG3/N99-10:2004 – Process Validation Guidance (http://bit.ly/N99-10)
ISO 14969 – ISO Guidance document for ISO 13485 (http://bit.ly/iso14969)
13485 Plus – CSA Guidance document for ISO 13485 (http://bit.ly/13485Plus)
AAMI The Quality System Compendium: Bundled Set of Textbook & CD (http://bit.ly/AAMI-Store)
The preamble to the QSR (http://bit.ly/QSR-preamble)
ICH Q2: Validation of Analytical Procedures: Text and Methodology (http://bit.ly/Q2-Analytical-Validation)
FDA Guidance for Part 11: Electronic Records (http://bit.ly/Part11Guidance)
FDA Guidance for Software Validation (http://bit.ly/FDA-Software-Validation)
FAQs about Implementation of IEC 62304:2006 (http://bit.ly/Team-NB-IEC62304)

In addition to these resources, you may also need additional resources for design validation. Here are some examples of design validation resources I use in my design controls training “tool kit:”

As regulatory affairs professional, it is critical to maintain a list of the most current standards and an organized list of links to those standards. I used to keep a list of favorites in my web browser for this purpose, but my database now exceeds the utility of “favorites.” Now, I use my webpage for this purpose. You can do this yourself by creating a free WordPress blog, and having one of the webpages to the blog be specifically to maintain a list of applicable Standards. Here’s a link to my webpage that I share: http://bit.ly/RA-Resources

Medical Device Validation Document Resources Read More »

Aug 20 2014

What is the mdsap pilot?

1 Comment / MDSAP / By Robert Packard / mdsap, medical device audit, medical device audits, medical device single audit program

This article explains what is the MDSAP pilot, and how is the pilot program likely to impact medical device manufacturers.

The acronym “MDSAP” stands for “medical device single audit program.” This is a three-year pilot program that began on January 1, 2014. Regulatory bodies are attempting to use a single regulatory audit to meet the requirements for all countries. The MDSAP pilot is one of the direct results of medical device regulatory bodies forming the new International Medical Device Regulators Forum (IMDRF) organization (http://bit.ly/imdrf).

The FDA’s Kim Trautman is the working group chairperson for IMDRF. There is a limited amount of information on the IMDRF webpage (http://bit.ly/imdrf-mdsap), but you can find more information on the US FDA website (http://bit.ly/MDSAP). Four countries are currently participating in the MDSAP pilot:

Japan is an official observer for the program, with the participation of both their device agency (http://bit.ly/Japan-MHLW) and pharmaceutical agency (http://bit.ly/Japan-PMDA). China and Europe are also represented in the mdsap working group at the IMDRF.

Currently, there are 15 recognized registrars for the CMDCAS (http://bit.ly/CMDCAS-webinar) program for medical device companies that want to obtain a medical device license in Canada. Health Canada plans to participate in the mdsap pilot for three years, and then the MDSAP program will become a mandatory replacement for the CMDCAS certification program in 2017.

How will auditors approach MDSAP audits?

The current CMDCAS audit program benefits significantly from Health Canada’s alignment of the Canadian Medical Device Regulations (CMDR) with the ISO 13485 Standard used by third-party auditors. The tool that Health Canada uses to ensure that auditors are consistent is the GD210 audit checklist (http://bit.ly/GD210Guidance). The MDSAP will need to harmonize the regulations of Canada, Australia, Brazil, and the USA. This may seem like an impossible task, but Notified Bodies and consultants have been using multi-national regulatory comparison checklists for years to ensure that all the applicable regulations are covered during audits.

Auditors currently relying primarily upon audit checklists should quickly adapt to the MDSAP with longer lists. However, those third-party auditors that are now using the process approach will need to study the comparison checklists being developed carefully. The process approach will still be the best approach for auditing. Still, auditors will need to be familiar with a larger number of requirements for step in the population of their turtle diagrams (http://bit.ly/Process-Approach).

I recommend looking at what aerospace and automotive auditors do. Auditees are expected to create and maintain process flow charts for each process, but the auditors will also compare previous versions they created in past audits. This makes the process much more efficient–except the first time they create the diagrams.

How will MDSAP audits be different?

The biggest difference between the current CMDCAS audits and the MDSAP will be the duration of audits. SGS indicated on its website (http://bit.ly/MDSAP-SGS) that manufacturers should expect these audits to be 35-100% longer in duration. The typical ISO 13485 audit might be two days, and CMDCAS might add no additional time or as much as a half-day to the duration. However, the MDSAP program will require gathering objective evidence for Australian, Brazilian, and U.S. regulations. Even if this only added a half-day for each country, the combined effect would be four days instead of two and one-half days.

At first glance, this may seem to be a burden, but this should be a relief. Currently, manufacturers might have a CMDCAS audit every year, an FDA inspection every other year, and they are still waiting for an ANVISA inspection so that they can launch a product in Brazil. Instead of a worst-case scenario of three audits/inspections in one year, the MDSAP program will enable companies to schedule a single audit to address each major market at one time. When Japanese and Europeans adopt the MDSAP as well, then companies will realize an even greater overall reduction in the number of audit days each year.

How important will the MDSAP pilot be?

Historically, Health Canada is the only country that made ISO 13485 certification mandatory. However, making ISO 13485 certification mandatory essentially made ISO 13485 a global prerequisite for medical device manufacturers–which has not happened with ISO 9001 certification. Health Canada indicated that it intends to make the MDSAP program mandatory at the end of the 3-year pilot. If Health Canada makes MDSAP audits mandatory, MDSAP may become the new defector auditing standard globally.

In addition to the impact of Health Canada, Brazil has agreed to accept the MDSAP audits instead of initial audits by ANVISA. The current backlog of ANVISA audits more than a year, and companies have resorted to filing lawsuits against ANVISA to get to the “top of the list.” Therefore, all of the companies on the waiting list are likely to jump at the opportunity to participate in the MDSAP pilot.

Let me know if you want to understand specifics about the MDSAP program. Please submit your suggestions for future blogs to our suggestion portal.

What is the mdsap pilot? Read More »

Jul 29 2014

Medical Device Academy-5 Proven Audit Approaches

Leave a Comment / ISO Auditing / By Robert Packard / medical device academy effective audit approaches, medical device academy effective audit strategies, medical device academy FDA audits, medical device academy notified body audits, medical device academy-5 proven audit approaches

This article, Medical Device Academy-5 Proven Audit Approaches, reviews how our clients benefit from our tried and true audit principles.

1. Process Approach

I am an advocate for using turtle diagrams (i.e., the process approach) for auditing, instead of audit checklists. Beyond the obvious visual differences between using audit checklists and using turtle diagrams, these two tools result in very different types of observations. An auditor using a checklist typically starts with a regulatory requirement, and then the auditor samples record to verify if the records meet the requirement. Once this verification has been successful once, it is unlikely that the process will have a problem in the future.

Turtle diagrams and the process approach focus on inputs and outputs to a process–instead of specific regulatory requirements. For example, when an auditor uses the element approach to auditing, the auditor will sample one or more process validations from a master validation plan to ensure compliance with 21 CFR 820.75. However, step four of the process approach includes sampling process validation for each process being auditing. If there is a lack of process validation for any process, the auditor will identify the gap. Step four also involves verifying the calibration of devices used in the process and maintenance of any equipment. Therefore, the process approach is sampling requirements for process validation, calibration of measurement devices, and preventive maintenance for each process–instead of once for each regulatory element.

2. Where Audits are Conducted

Most auditors spend an extraordinary amount of time in conference rooms. If I can audit your records in a conference room, I can also audit your records from my office in Vermont. Remote auditing eliminates the cost of travel. More than half of your quality system records can be effectively audited remotely. Therefore, when any auditor on our team visits your facility, they want to spend more time seeing you demonstrate production processes and interviewing people–instead of reviewing records in your conference room. This also happens to be the only effective method to audit production and process controls, which is one of the four major quality system processes the FDA focuses on during Level 2, comprehensive QSIT inspections.

3. Read Less and Listen More

Most auditors like to start with a procedure and then look for compliance with the procedure. We begin with an interview of the process owner or a person performing a step in the process. Then we ask for a demonstration, and records and procedures last. I coach new auditors to ask people they are interviewing to show them where a requirement can be found in their procedure. This has several hidden benefits. First, auditors don’t have to spend a lot of time hunting for a requirement because the auditee will find it for the auditor. Second, the auditor will quickly learn how familiar the auditee is with the specific procedure. Finally, if the company is not following a procedure, the auditee is unlikely to be able to locate the requirement in its procedure.

4. Start at the End with Problems

Most people prefer to follow a process from beginning to end. More specifically, the opening is step one of a procedure, and the end is a product and paperwork resulting from the process. Since most product and paperwork is done correctly, we seldom find anything wrong with a process if we start at the beginning. Alternatively, we can start at the end of a process with a cage of nonconforming material, or a log sheet of complaints. Then we can work our way back to the beginning of the process, and hopefully, we will see what went wrong in the process during our investigation. Therefore, my internal audit agenda often begins with a tour of the facility that will arrive at the location where a quarantined product is stored. Then I work my way back through the process to incoming inspection, then the purchasing process, and finally to the design controls process where specifications were initially created. Using this approach often results in the discovery of problematic processes that have the potential to cause other problems beyond the one example we found in the quarantine area.

5. Focus on Effectiveness Checks

The last sub-clause of ISO 13485:2016, Clause 8.5.2, is specific to the requirement for verifying the effectiveness of corrective actions. This is not the same as verifying implementation. If an internal audit identifies that there are no maintenance records, then you might attempt to prevent recurrence by creating a procedure that requires maintenance records. A copy of the procedure, records of procedure review, and approval and training records are evidence of implementing the corrective action.

Effectiveness verification requires more (http://bit.ly/CAPA-effectiveness-checks). You need to go back and verify that maintenance records are being created and maintained. Therefore, whenever we write an audit finding, we also review potential corrective actions with the client and suggest possible effectiveness checks to ensure corrective actions work.

If your company needs help with internal auditing and would like a quote, please email Matthew Walker. We also are teaching a lead auditor course in partnership with AAMI starting fall 2020.

Medical Device Academy-5 Proven Audit Approaches Read More »

Jul 22 2014

How to Audit Your Labeling Process for 21 CFR 820 Compliance

Leave a Comment / ISO Auditing / By Robert Packard / 21 CFR 820 compliance, auditing labeling process for 21 CFR compliance, FDA medical device labeling regulations, how to audit your labeling process for 21 CFR 820 compliance, medical device labeling, medical device labeling requirements

This article reviews how to audit your labeling process for 21 CFR 820 compliance with the six requirements of section 820.120.

The most common cause of recalls is labeling errors. Therefore, one of the best ways to avoid a recall is to perform a thorough audit of your labeling process. Unfortunately, most auditors receive no specific training related to labeling. The primary reason for the lack of labeling-specific training is because most auditor training focuses on ISO certification requirements.

ISO 13485 Requirements for the Labeling Process

ISO 13485 only requires the following labeling requirements: “The organization shall plan and carry out production and service provision under controlled conditions. Controlled conditions shall include, as applicable…g) the implementation of defined operations for labeling and packaging.” ISO 14969 is the guidance document for ISO 13485, and the guidance includes additional recommendations for control of the labeling process to prevent errors. Unfortunately, auditors are trained to audit for compliance with regulations, while guidance documents are neglected almost entirely. ISO labeling requirements are vague. Therefore, auditors need to focus on the six requirements of 21 CFR 820.120–the section of the FDA QSR specific to labeling. Most auditors are taught to develop a regulatory checklist to verify requirements. However, the process approach to auditing is a more effective approach to identify ways that the labeling process can break down. Below examples of how the two approaches differ are provided for each of the six requirements:

1. Labeling Procedure

Most auditors, and FDA inspectors, request a copy of a labeling procedure to verify compliance with the first requirement. In their notes, they record the document number and revision of the procedure. The auditor may also review the procedure to ensure that the procedure includes each of the other five regulatory requirements listed below. The process approach to auditing also verifies compliance with the requirement for a procedure. Still, auditors using the process approach ask the process owner to describe the process, and the process description provided is compared with the procedure.

I also teach auditors to ask the process owner to identify where in the procedure, each requirement can be found. This eliminates the need to spend valuable audit time reviewing a procedure and forces the process owner to demonstrate their familiarity with the procedure.

2. Label Integrity

A lack of labeling integrity is seldom raised as an observation by auditors, unless labels are falling off of the product, or if the label content is illegible. During hundreds of audits, I have never noticed a label falling off the product, but I have seen customer complaints about labels falling off. Another way to assess if there is a problem with labeling integrity is to ask how the labeling specifications were established, verified, and validated. The user environment is frequently the determining factor for labeling specifications. For example,

Does the label need to be waterproof?
Is the print likely to be exposed to abrasion that could rub off the ink?
Are the storage conditions likely to include high heat and humidity that could cause the adhesive to fail?

This type of approach links the labeling of products to customer focus and design inputs.

3. Labeling Process Inspection

The inspection of labeling is more than a visual examination. A thorough inspection requires a systematic review of the label content to ensure that the label information matches the requirements for the specific production lot. The requirements specify verification of:

correct expiration date
control number
storage instructions
handling instructions

There is also a requirement to document the date of inspection and the person that performed the inspection. An auditor can verify that the labeling inspection is being performed by reviewing records of the inspection, but you will rarely find an inspection record where the label is nonconforming. If you follow the process, you might ask the process owner where nonconforming labeling is recorded. The nonconforming material records should be an output of every inspection process. Auditors should also ask for metrics regarding a process. The frequency of labeling mix-ups and labeling errors identified during an inspection is an important metric that can be used as an indicator of weaknesses in labeling operations.

4. Labeling Storage

Most auditors will verify that labels are stored in a location to prevent deterioration or damage, but the highest risk is the mix-up of labels. Therefore, it is crucial to control the location of labels so that the incorrect labels cannot be accidentally distributed to the wrong manufacturing line.

In 21 CFR 820.150, there is also a requirement to establish “procedures that describe the methods for authorizing receipt from and dispatch to storage areas and stock rooms.” Therefore, as an auditor, you might consider asking the process owner what the input to the labeling distribution process is (e.g., a work order) and which distribution records are created during the process. A labeling requisition and/or “pick list” from production planning is often used as an input to the labeling process, while the distribution of labeling to manufacturing usually requires a log entry for distribution from a stockroom, or assignment of a lot number to the batch of labels that must be entered in a log.

5. Labeling Process

It is insufficient to review DHRs for the labeling process. When you interview the process owner, you should determine who is responsible for creating and inspecting labels. Then, I coach auditors to go and view labeling operations at the source. By interviewing operators and asking them to demonstrate entry of variable data for labels and printing of labels, you can answer each of the following questions without even asking:

Is validated software is being used?
Are label templates protected from inadvertent changes?
How do operators ensure that labels from different lots are not mixed up?

Interviewing inspectors can determine if calibrated tools are being used to verify labeling dimensions and the proper placement of labels. You should also observe how inspectors ensure that variable data is correct.

6. Control Number

Most auditors will sample DHR records to verify that lot control numbers are recorded for each batch of products. However, when an auditor is focusing on records, the auditor is unlikely to identify any aspects of label handling that could result in mix-ups. To ensure that processing and segregation of different lots are adequate, an auditor has to observe line clearance procedures and to verify that each lot of labels is identified with regard to the lot number, quantity, and the released status if the identification information about the label is separated from the physical labels, the potential for labeling mix-ups increases.

One final aspect of labeling and control numbers to consider is the impact of new UDI regulations. Labeling will need to indicate the date of manufacture and expiration of the product. This information needs to be incorporated into the variable content of labels. Therefore, if labels are pre-printed, it may be necessary to reprint labels when the date of manufacture changes. This additional requirement is likely to force companies into on-demand printing of labels and automated software control systems. Auditors can verify the successful implementation of labeling process changes by auditing for compliance with the revised procedures.

UDI states that production identifiers (PI) consist of Manufacturing Date, Expiration Date, Lot/Batch Number, Serial Number. The rule also states that if a labeler does not use any of the listed PI, they do not need to have it on their labels. This will most likely apply to Class I device labelers only as Class II, and III labelers usually have one or more of the PI on their labels. Due to the variable nature of the PI, many labelers are adding in-line label verifiers to make sure their labels are readable by scanners.

How to Audit Your Labeling Process for 21 CFR 820 Compliance Read More »

Jul 8 2014

Unannounced Audits

3 Comments / CE Marking / By Robert Packard / Notified Body, notified body unannounced audit, notified body unannounced audits have begun

This article provides an update on the status of unannounced audits by Notified Bodies for CE Marking of medical devices.

The EU Commission provided recommendations to Notified Bodies last Fall on how they should conduct three different kinds of audits: 1) product assessments, 2) quality system assessments, and 3) unannounced audits (http://bit.ly/Audit-Recommendations). The recommendations do not propose any changes to existing practices for product assessments (i.e., review of CE Marking applications) that are being conducted in accordance with the European Directives, or quality system assessments that are being conducted in accordance with ISO 17021. The recommendation does, however, propose new auditing practices specific to conducting unannounced audits (http://bit.ly/Unannounced-Audits).

The recommendation is addressed to the Member States, rather than Notified Bodies because the intent is for Competent Authorities in each member state to enforce these recommendations when they are reevaluating existing Notified Bodies for renewal. The intent is that the EU Commission and the Member States will use compliance with the “recommendation” for unannounced audits as one of the criteria for deciding which Notified Bodies would retain their status when the new European Medical Device Regulations were approved in 2015. Therefore, all of the Notified Bodies are scrambling to complete a number of unannounced audits before the end of 2014.

Who will be audited in 2014?

In 2014, the primary targets for unannounced audits will be manufacturers of high-risk, Class III devices. The prime targets for unannounced audits are unlikely to contract manufacturers, because Notified Bodies may not have access to all the technical documentation while they are auditing a contract manufacturer. I expect each of the Notified Bodies to plan at least one unannounced audit of a contract manufacturer for a Class III device that is outsourced. Still, I don’t expect this to be the focus of unannounced auditing activities in 2014.

It is already July, and only a handful of unannounced audits have been performed as “pilots.” Most of the Notified Bodies trained auditors on how to conduct unannounced audits in May or June during their annual auditor training. Therefore, we can expect a dramatic increase in the number of unannounced audits during the remaining months of 2014. If your firm has recently had CE Marking compliance issues with a Class III device, you should expect an auditor soon.

4 Ways unannounced audits are different

Unannounced audits differ from traditional quality system audits in four ways.

1. Unannounced audits are truly unannounced–with no warning at all. Even the US FDA inspectors have the courtesy to call on Friday to inform manufacturers of their intent to visit the following Monday or Tuesday. To ensure that auditors can conduct unannounced audits as planned, Notified Bodies are asking manufacturers to provide information about when production activities will be shut-down.

2. Unannounced audits will always be conducted by an auditing team with at least one person that is qualified to review the technical documentation (i.e., Technical File or Design Dossier) and compare it to the actual production activities. This is similar in some ways to how FDA inspectors review a Device Master Record (DMR) and then compare the DMR to production and process controls they observe in manufacturing. However, the technical experts from Notified Bodies typically have a minimum of five years experience similar designing devices, and a two-person team can spread your resources dangerously thin if you are a smaller company that is used to providing a guide for only one auditor or inspector.

3. Unannounced audits will involve more time spent by auditors in production areas, instead of reading documents in conference rooms. You can expect brief opening meetings because auditors need to review critical processes as quickly as possible. Specifically, the auditors are required to use a risk-based approach to select two of the following processes:

design controls
establishment of material specifications
purchasing control and incoming inspection
assembling
sterilization
batch-release
packaging
product quality control

If a company conducts sterilization on-site, I would expect this to be a likely prospect for sampling. However, the two areas I hope to be sampled most frequently are: 1) purchasing control & incoming inspection, and 2) batch-release. These two processes are expected to be sampled frequently because these processes facilitate ad hoc sampling and demonstration of testing. This is important because Notified Bodies are expected to observe product testing.

4. Unannounced audits will be conducted at suppliers when critical processes are outsourced. Therefore, if Class III device manufacturers outsource final inspection, packaging, and sterilization–the suppliers providing these services may be unannounced audit targets for multiple Notified Bodies. ISO 13485 certified suppliers have enjoyed a decade of little direct involvement by regulators, but unannounced audits are about to change this.

How will unannounced audits change in the future?

In 2015 and beyond, unannounced audits will be conducted at contract manufacturers and manufacturers. Unannounced audits will also be conducted for all risk classifications of devices–unless the device does not have Notified Body involvement (i.e., Class I, non-sterile, and non-measuring devices). The number of unannounced audits will also increase, because Notified Bodies are required to conduct an unannounced audit for each client at least once during three years–and more frequently for high-risk, Class III devices.

What should be done to prepare?

Preparation for unannounced audits should be very similar to your preparation for FDA inspections (http://bit.ly/FDA-Inspection-Webinar). Still, you will now need to evaluate your suppliers more rigorously to ensure they are also prepared for unannounced audits. The FDA rarely visits suppliers, and they are not allowed to review supplier auditing records. Notified Bodies will not have these restrictions. You will need to demonstrate a good balance between incoming inspection activities and other types of supplier controls. If your incoming inspection activities consist primarily of reviewing paperwork, then you need to balance this with supplier auditing (http://bit.ly/Supplier-Audits) and monitoring of in-process and final inspection nonconformities caused by supplier quality problems.

If you are interested in learning more about unannounced audits by Notified Bodies, please click on this link to pre-register for our webinar recording on the topic: http://bit.ly/unannounced-audits-webinar. Pre-registration pricing is $79, compared to our normal webinar price of $129. The pre-registration period ends on July 18.

Unannounced Audits Read More »

Search Results for: 13485