Search Results for: 13485

QMS Implementation Tasks

3 Comments / ISO Certification / By / ,

Learn 12 QMS implementation tasks you need to include in your quality plan for successfully implementing ISO 13485.%name QMS Implementation Tasks

QMS Implementation Tasks 

For your ISO 13485 implementation project, use a planning tool that you are comfortable with (e.g., – a spreadsheet or project planning software). Your plan should include the following:

  1. Identification of each task
  2. Target dates for completion of each task
  3. Primary person responsible for each task
  4. Major milestones throughout the project

Regular progress reports to top management and implementation meetings with all process owners are recommended to track your progress to plan. Weekly meetings are also recommended so that no tasks can fall too far behind schedule. Be sure to invite top management to weekly meetings, and communicate the progress toward completion of each task to everyone within your company. The list below identifies 12 of the most important tasks that should be included in your plan.

12 QMS Implementation Tasks to Consider for Implementing ISO 13485

  • 1. Select a certification body and schedule your certification audits (i.e., – Stage 1 and Stage 2). If you want to place devices on the market in the EU, Japan, or Canada, make sure your certification body meets the specific regulatory requirements for that market.
  • 2. Establish a Quality Manual and at least 28 required procedures. If you have purchased a copy of the excellent AAMI Guidance Document, this lists the required procedures for you. There are a few extra procedures or work instructions needed to meet regulatory requirements (e.g., – training, mandatory problem reporting, and post-market surveillance).
  • 3. Document training on the procedures comprising the quality system. A signed form indicating that employees “read and understand” the procedures is not enough. Training records should include evidence of the effectiveness of training, and you should be able to demonstrate the competency of the people performing those procedures.
  • 4. You must complete at least one full quality system internal audit. The timing of your internal audit should be late enough in the quality plan that that most elements of your quality system have been implemented. However, you want to allow enough time to initiate CAPAs in response to internal audit findings before your Stage 1 audit. If your internal auditor(s) have been heavily involved in the implementation of the quality system, you may need to hire an external consultant to perform your first internal audit.
  • 5. You need to complete at least one management review, which can be done just before the Stage 1 audit. My preference, if there is time, is to have at least two management reviews. The first review might occur three months before the Stage 1 audit, just before you plan to perform an internal audit of the management processes. There may be limited data to review at that time, but this first review provides an opportunity to train top management on their roles and responsibilities during a management review.

The second management review must cover all the requirements identified in ISO 13485, Clause 5.6. The second management review is also your last chance to identify any gaps in your quality system, and initiate a CAPA or action items before your certification auditor arrives.

  • 6. Compliance with regulatory requirements must be a commitment stated in your company’s Quality Policy. Specific regulatory requirements should be traceable to a specific procedure(s).

If you are seeking ISO 13485 Certification as part of the Canadian Medical Device Conformity Assessment System (CMDCAS) or the CE Marking process, then these regulatory requirements will be specifically included in your certification audit.

  • 7. Systematically incorporate customer and regulatory requirements into the quality management system. For contract manufacturers, this is especially important, and the Supplier Quality Agreements your company executes are the best source of these customer requirements. If your company is a legal manufacturer (the company named on the product label), this task is probably addressed sufficiently in tasks #1 and 6.
  • 8. You need to implement a supplier quality management process. If you already have a strong supplier quality program, then this may be a small task involving a few changes to your procedure. If you don’t have much of a supplier program yet, then this may involve identifying your suppliers, ranking them all according to type and risk, qualifying or disqualifying them, and executing supplier quality agreements.

Note: If you need training on Supplier Quality Management, you might consider participating in Medical Device Academy’s webinars.

  • 9. If product design is within the scope of your QMS, which is typical of legal manufacturers, but not for contract manufacturers, then you must establish a design control procedure(s). Product development projects often operate in a timeframe that is longer than your implementation project, and you may need ISO 13485 certification as part of the regulatory approval process.

Therefore, the minimum expectation is to initiate at least one development project before the certification audits. For records of implementation, you should have a design project plan, an initial risk management plan, reviewed and approved design inputs for your first product, and conduct at least one design review.

  • 10. Document what your Certification Body expects (e.g., – notifying them of significant changes). These expectations are likely to be stated in your contract with the Certification Body.
  • 11. Appoint the management representative and a deputy. Ideally, this is formally documented with a letter of appointment signed by the CEO and the management representative. This letter should be maintained in the management representative’s personnel file, along with a copy of the job description explaining the job responsibilities of the management representative. This may also be achieved by identifying the management representative and a deputy in your company’s organizational chart.
  • 12. After the certification audit, your last task should be to “Create Quality Plan #2”—another PDCA loop through the system. The reason for a new quality plan is to implement improvements based on what you learned while you were building the quality system for the initial certification audit.

If your company wants to achieve ISO 13485 certification, you may be interested in YouTube video on this topic.

QMS Implementation Tasks Read More »

Quality objectives for achieving your goals

2 Comments / ISO Certification / By / ,

This article, updated in 2020, describes two different approaches to establishing quality objectives to achieve your business goals.
BHAG JFK Quality objectives for achieving your goalsGoal setting and communicating a vision of the future is not just the responsibility of the company President. Every manager should be setting goals for the teams they manage, and you can set yourself apart from your peers by building a vision with clear benefits to employees, customers, and the bottom line. Establishing quality objectives, and monitoring the progress toward those objectives is one of the greatest tools you can use to achieve your business goals. There are two different approaches to setting quality objectives, and you should use both.

Two Types of Quality Objectives

The most popular type of quality objective is a visionary goal. The phrase that I think captures this idea is the “Big Hairy Audacious Goal” (BHAG). Jim Collins and Jerry Porras coined this phrase in Built to Last. Visionary goals are long-term quality objectives that will require many smaller, coordinated changes intended to “level up” your business.

The second type of quality objective is a short-term goal. Short-term goals are not nearly as “sexy,” but achieving short-term goals builds momentum and creates long-term habits that are crucial to success. The two books that capture this concept best are The Compound Effect by Darren Hardy and The Slight Edge by Jeff Olsen. Both books emphasize the importance of consistency and small improvements to achieve success. The secret to establishing short-term goals is to make sure that your short-term goals are aligned toward helping you achieve long-term goals.

In our quality system procedures, we include a section for monitoring, measurement, and data analysis. For every process in your quality system, you should have at least one defined quality metric that you consistently measure. Everyone involved in that process should be aware of the metric, and data analysis should be shared with everyone in the company. Some of those quality metrics will be more important than others, but everyone must expect to achieve the goals that are set. You can pick anything you want to measure for a process, but for the metric to be used as a quality objective, it must be measurable and consistent with your quality policy. I like to define measurable by saying, “You must be able to graph it.”

6 Steps to Achieving Big Hairy Audacious Goals (BHAG)

Not all quality objectives have to be small, dull, or easy. You are required to establish quality objectives. Both the QSR (21 CFR 820.20, management responsibility) and the ISO Standard (ISO 13485:2016, Clause 5.4.1, require that top management establish quality objectives. These objectives must also be reviewed during management reviews, and they should be established at all levels throughout your company. Some of these objectives will be small, but you should make at least one of your quality objectives big, exciting, and hard to achieve. If you want to set your first BHAG for your team, try following these six steps.

STEP 1: Involve your team in setting quality objectives

Weak managers dictate goals, but leaders get teams involved in the goal-setting process. Getting your team involved gives them ownership of the goal. If you’re unsure of how to get your team involved, you might try a brainstorming session. A good brainstorming session is relatively short (i.e., – < 1 hour). Everyone needs to understand the goal of the brainstorming session: to generate many ideas for a possible BHAG. Everyone needs to understand what a BHAG is. These examples might help:

  1. Reduce average monthly scrap by 80% with a Pareto Chart
  2. Reduce the average number of nonconforming material reports by 50%
  3. Increase the ratio of preventive actions to corrective actions to > 1.00

Finally, negative comments should not be tolerated. Bad, good, and silly ideas should all be encouraged because the purpose of brainstorming is to generate many ideas. After you have 100+ ideas, you and your team can schedule another meeting to select the best goal(s).

STEP 2: Predict the bottom-line impact of quality objectives

Top management’s perception of a BHAG will be directly proportional to the impact on the bottom line. If the impact is small, the “B” in BHAG is a “b.” You and your team should use the potential impact on the bottom line as the first selection criteria for picking the best BHAG from the brainstorming list. The accuracy of these estimates doesn’t matter initially. Still, once you choose the goal, you will need to verify the accuracy of the financial impact and define how that impact will be measured.

STEP 3: Look to the future, but focus on the next milestone

Picking a five and ten-year goals is appropriate for discussions with Human Resources about your career, but companies are measured on quarterly financials. Therefore, you will need to focus on the goals you can achieve in three to six quarters. The number of milestones you set should also be few, and you should focus on one at a time. If the goal is only three quarters away, you might have monthly targets, while longer projects need interim milestones.

STEP 4: Milestone momentum

Longer projects often become delayed because people will procrastinate, and teams will lose momentum. When you break your long-term goals into smaller chunks, everyone can focus on the next milestone and see the progress. Each piece should be a sound stage of the project, and completion of the stage must be clearly defined. To create momentum, you must achieve each milestone–always. The pattern of consistent milestone achievement builds confidence, and your team will gradually develop the habits needed to sustain your progress.

STEP 5: Assign the Skeptic to Report on Quality Objectives

A good statistician can make the numbers look any way you want, but skeptics in other departments (and within your team) will criticize your claims of success. One way to silence the skeptics on your team is to make them responsible for measuring and reporting the team’s progress. This approach ensures that progress reports are conservative and accurate, rather than inflated or unbelievable. Progress should also be reported publicly because public victories are something your team can be proud of.

STEP 6: Promise a Reward for Achieving Quality Objectives

Some managers believe that the reward for hard work should be a paycheck. That’s sort of like telling your children that they get to eat for doing something you’re proud of. Employees are not children, but you are responsible for developing them into more valuable employees so that they can be promoted. If there is no incentive, your team will not be engaged. Therefore, pick a reward that is proportional to the bottom-line impact. Five percent of the bottom-line impact is what I like to target, but you would be amazed at how effective a few small rewards at each milestone can be. If you have trouble getting management approval for rewards, remind your boss of the bottom-line impact and link the rewards closely to the impact.

Quality objectives for achieving your goals Read More »

How to Utilize CAPA Training To Avoid FDA 483 Citations

1 Comment / CAPA, FDA / By / , ,

The author discusses how formal CAPA training can help solve the four most common CAPA deficiencies and help avoid FDA 483 citations.

%name How to Utilize CAPA Training To Avoid FDA 483 Citations

Corrective And Preventive Action (CAPA) is considered to be one of the most critical processes in a Quality Management System (QMS). CAPAs prevent nonconformities from recurring, as well as identify potential problems that may occur within the QMS.

Both the Code of Federal Regulations (21 CFR 820.100) and the ISO 13485 Standard (8.5.2 and 8.5.3, respectively) include similar requirements for establishing and maintaining a compliant CAPA process. The concept seems pretty straightforward, right?

Then why do so many companies struggle with this process and go into panic mode during FDA inspections and Notified Body audits?

CAPA process deficiencies have long been the number one Good Manufacturing Practice (GMP) violation cited in FDA Warning Letters. Therefore, providing trained experts to teach the CAPA process is well worth the investment to provide your employees with the expertise needed to implement a sustainable, effective, and compliant process. Support from top management is a must for success.

7 Reasons Why There is LIttle Support for the CAPA Process
  1. Managers view CAPA as a necessary evil and apply minimum effort and resources to complete the required paperwork.
  2. All complaints, audit findings, shop floor nonconformities, etc., go straight into the CAPA system, resulting in what is known as “Death by CAPA.” There are hundreds of CAPAs to be dealt with, but the CAPAs languish and quickly become a mountain of overdue records.
  3. The lack of ability to conduct effective root cause analysis results in, at best, a band-aid solution, and recurrence of the same issues time and again.
  4. There is no risk-based or prioritization process that provides a triage for determining when a CAPA is appropriate, and how to classify its criticality.
  5. CAPA forms are either too restrictive, such as using “yes/no” questions, thereby stemming the creative flow of process thinking or, too open-ended, leaving the CAPA owner with little guidance for getting to the exact root cause.
  6. Trending and metrics that would highlight quality issues before they become complaints are lacking, so most CAPAs are last-minute reactions to a crisis, instead of proactive improvement projects.
  7. Senior management has not allocated sufficient time and resources to CAPA owners to develop expertise, and clearly do not understand the nuances of FDA compliance, the ISO Standard, and the responsibilities of CAPA ownership.
Consequences of an Ineffective CAPA System: FDA 483 Citations Are Possible

FDA 483 observations, Warning Letters, and loss of your ISO 13485 certification are possible consequences of failing to manage your CAPA process. Imagine explaining to your customers why you lost your certification, and why they should keep you as a trusted supplier. That is not a conversation you want to have.

A weak CAPA process allows nonconformities to recur, results in manufacturing downtime, requires to rework, and ends with the scrapping of product or lost customers. The consequences of a weak CAPA process negatively impact your company’s financial strategy and goals.

To prevent an increase in the cost of poor quality, your business cannot remain static. You need to improve and adopt best practices. Your CAPA process is a systematic way to make those improvements happen.

Characteristics of an Effective CAPA system?
  • Easy to follow the procedure
  • Defined CAPA inputs
  • Risk assessment and prioritization
  • Root-cause investigation tools
  • A well-defined action plan
  • Metrics to track progress
  • Communication of information and status
  • Effectiveness checks
  • Management support and escalation
What to Expect from Formal CAPA Training

Death by Powerpoint is not training. Effective CAPA training requires hands-on participation in working through root-cause analysis with an expert. One of the best training tools is case studies based upon recent 483 observations. A CAPA training course should teach you how to:

  1. Accurately identify the cause of problems
  2. Prioritize your corrective and preventive actions using a risk-based approach
  3. Implement an appropriate corrective and/or preventive action, and
  4.  Verify the effectiveness of your actions

CAPA training should teach you how to reduce the length and number of investigations. Training will also help you master current problem-solving methodologies to identify true root causes, utilizing facts, instead of guesswork or opinion. The proper identification of the exact root cause of a problem is critical because otherwise, your CAPA plan will fail to fix real problems.

Not all formal training needs to be in-person. Face-to-face training can be supplemented with more cost-effective training of concepts using webinars and recorded presentations. Interactive training is needed to supplement this training so that students can practice what they learn.

How Training Solves Common CAPA Deficiencies

The four most common CAPA deficiencies are:

  1. Inadequate procedures
  2. Incomplete investigations
  3. Overdue actions, and
  4. Failure to perform an effectiveness check

Each of these deficiencies is addressed directly by CAPA training. Formal CAPA training reviews each of the requirements for your CAPA process, and trainers will often share samples of CAPA procedures, and CAPA forms that they wrote and found to be effective. Learning multiple root cause investigation techniques, and practicing them using the case study technique, ensure that CAPAs are thoroughly investigated, rather than identifying superficial symptoms.

CAPA metrics are introduced during training to ensure that the CAPA process owner knows best practices for monitoring and analyzing the process. Finally, CAPA training includes specific examples of what is and what is not, a proper technique for performing an effectiveness check.

Results After Formal CAPA Training

The best reason for making formal CAPA training available to the people responsible for CAPAs are the results you will experience after the training. For example:

  1. Elimination of hundreds of overdue CAPAs
  2. Reduction in nonconformities, scrap, rework and customer complaints
  3. Lower overall costs associated with quality problems
  4. Better FDA inspection and Notified Body outcomes, and
  5. Safer products for your customer

%name How to Utilize CAPA Training To Avoid FDA 483 CitationsIf you are interested in learning more about CAPA, click here to register for Medical Device Academy’s Risk-Based CAPA webinar.

How to Utilize CAPA Training To Avoid FDA 483 Citations Read More »

How to perform a quantitative CAPA effectiveness check

18 Comments / CAPA / By / ,

This article review explains how to conduct a quantitative CAPA effectiveness check, and you will also learn three methods NOT recommended.

quantitative effectiveness check 1024x713 How to perform a quantitative CAPA effectiveness check

There are three methods NOT recommended for a CAPA effectiveness check:

  1. verifying the procedure was revised,
  2. verifying employees were retrained, and
  3. making sure mistakes don’t occur 3x in a row.

The best method is to establish quantitative criteria for effectiveness based upon data collected during the investigation of the root cause. The graph above is an example of objective evidence that preventive action was effective. The chart shows that the process capability (Cpk) was improved from 0.837 to 2.50 by changing a process set-point to adjust the mean of the dimension closer to the center of the specification range. This is typical of adjustments made during process validation and revalidation activities.

Incorrect Method 1: Verify the Procedure was Revised

When a nonconformity is identified during an ISO 13485 audit, the laziest way to “fix” the problem is to revise your procedure. Despite the fact that most FDA 483s identify inadequate procedures as the reason for observation, your procedures are seldom the problem. Your employees may not even be following the procedures. Repeatedly revising procedures may be part of the problem. If you must revise your procedures, please involve the people that use the procedures.

Incorrect Method 2: Verify Employees were Retrained

During your last surveillance audit, you may have revised the procedure, but your auditor noticed that there were no retraining records for employees that were performing the revised procedure. One interviewee was unable to identify where the new inspection step could be found in the revised procedure. It’s too bad the interviewee didn’t notice the bold and underlined text indicating recent revisions. Your auditor wonders how effective your retraining process is.

Incorrect Method 3: No Mistakes 3x in a Row

Last month a manufacturing engineer was assigned to perform an effectiveness check related to corrective actions implemented in the incoming inspection process. The procedure was revised to clarify the proper procedure for a statistical sampling of rolls of plastic film as a corrective action. The engineer sampled the three most recent lots of the same plastic film that was incorrectly sampled in the past. All three lots were correctly sampled in accordance with the revised procedure. The engineer reported that the corrective actions implemented were effective. However, you have two new nonconformities on your desk from manufacturing related to incorrect sampling procedures during an incoming inspection of other raw materials. Now you wonder if the incoming inspection procedure was the real root cause.

Corrective actions that are actually effective

Instead of adding something to your procedures each time someone makes a mistake, you might want to think about how you can simplify and streamline your procedures with fewer words. You can say things more clearly with pictures and flow charts instead of hundreds of words. Training effectiveness can be verified with exams that ensure employees “read and understand” your revised procedures. Finally, when you identify a nonconformity with one product, you need to ensure that you consider how similar mistakes might occur with similar products. Maybe you need a process for incoming inspection that doesn’t rely upon someone reading procedures.

You need to be objective to perform an effectiveness check

The biggest weakness of the auditing process is that it relies heavily upon the subjective opinion of an auditor. This is why auditors are supposed to audit against objective audit criteria in an international standard. The need for objectivity is also why there are guidance documents to clarify a consistent interpretation of those standards. Therefore, when you perform an effectiveness check, you also need objectivity. The best way to ensure objectivity is to establish documented criteria for effectiveness prior to finalizing your corrective action plan. Ideally, that will be in the form of a prospective process validation protocol with quantitative acceptance criteria.

How to ensure objectivity

The single best way to ensure objectivity when you are performing a CAPA effectiveness check is to define the post-implementation goal in terms of a quantitative quality objective. Ideally, you can graph the quality metric using historical data and current data. If you need statistical analysis to see a difference between pre- and post-implementation of the CAPA, then your CAPA was not effective. If your graph looks like a miracle happened and the metric changed almost overnight, and timing corresponds to the date your corrective action(s) was implemented, then your CAPA was effective.

How to set a quality objective for you CAPA effectiveness check

Some people have trouble with using a quantitative approach in performing effectiveness checks because some things are harder to measure than others. However, you can measure anything. For example, you can even measure employees forgetting to initial and date changes to quality records. This can be done by identifying critical control points where quality records are reviewed, and documentation errors are measured. You can measure by the employee, by form, by month, etc. The key to monitoring and measuring a process is to answer the following questions:

  1. Who will measure it?
  2. What will be measured?
  3. Where will it be measured?
  4. When will it be measured?
  5. How will it be measured?
  6. How will measurements be analyzed?
  7. Who will data analysis be communicated to?

When to Perform a CAPA Effectiveness Check

Many companies set arbitrary deadlines for performing an effectiveness check (e.g., – between 30 and 60 days of implementation of corrective actions). Some companies use a risk-based approach to their CAPA process, and the urgency of effectiveness checks may be a function of risk. I recommend a completely different approach. Instead of using an arbitrary or risk-based approach, I recommend monitoring your new quality metric to estimate how long it will take to reach your new quality objective.
%name How to perform a quantitative CAPA effectiveness check

If you are interested in learning more about CAPA, click here to register for Medical Device Academy’s Risk-Based CAPA webinar.

How to perform a quantitative CAPA effectiveness check Read More »

Where to Locate Preventive Action Sources

3 Comments / CAPA / By / , ,

%name Where to Locate Preventive Action Sources

The author discusses why preventive action is important in developing a sustainable and robust quality system and where to locate preventive action sources.

Most ISO auditors and FDA inspectors view CAPA as one of the most important processes in your quality system. Still, the approach to preventive actions is distinctly different between the ISO Quality System Standards (i.e., – ISO 9001 and ISO 13485) and FDA regulations (i.e., – 21 CFR 820.100). Throughout the FDA QSR, corrective action and preventive action are always found together, while in the ISO Standards, preventive action is a separate clause (i.e., – Clause 8.5.3). The wording of the two clauses is nearly identical, but ISO certification auditors tend to be purists. Therefore, your ISO certification auditor will expect you to have at least some examples of CAPAs that are 100% preventive. Many auditors will issue a nonconformity if you have no examples that are 100% preventive.

Why is Preventive Action Important?

While I was conducting certification audits, I noticed that the better quality systems tended to have several examples of preventive actions. There were a few companies that had more preventive actions than corrective actions, and the quality systems at those companies happened to be much stronger in general—not just their CAPA process. Is this a coincidence?

No, the CAPA process is how you correct and prevent quality problems. In order to find preventive actions, you have to develop your other quality system processes. These companies have strategically chosen to create their quality systems to a higher level of performance because they know that preventing quality problems results will cost substantially less than waiting until problems occur, and then fixing those problems. These companies often talk about the “Cost of Quality,” and when you tour their facility, you see quality objectives being communicated to everyone.

I have only had a couple of clients in the past decade that argued about the importance of preventive actions, but most clients ask me, “Where can we find more?”

Guidance Documents

As a certification auditor, I was not allowed to “consult,” but was able to mention guidance documents that might help. Therefore, the number one guidance document I recommend is 13485 Plus (a document sold by the Canadian Standards Association – http://bit.ly/ShopCSA).

13485 Plus includes all Clauses of the 13485 Standard, including text from ISO 14969—an international guidance document for the implementation of ISO 13485. In section 8.5.3 of the guidance document, you will find the following list of preventive action sources:

  1. The purchased product rejected on receipt
  2. Evidence that previous decisions affecting product conformity were false
  3. Products requiring rework
  4. In-process problems, wastage levels
  5. Final inspection failures
  6. Customer feedback,
  7. Warranty claims,
  8. Process measurements,
  9. Statistical process control documents,
  10. Identification of results that are out-of-trend, but not out-of-specification,
  11. Difficulties with suppliers,
  12. Service reports, and
  13. Need for concessions.
Practical Experience

In addition to the sources listed in guidance documents, there are three other sources that I like to recommend consulting clients. One source is your internal audit process. Auditors verify the conformity of processes, but internal auditors should also look for processes that are inefficient and need improvement. When auditors are performing a process audit, some process owners have difficulty identifying process metrics that are being tracked for each process. Auditors should be trained to follow the audit trail when process monitoring is absent because processes that are not already measured usually have more room for improvement than processes currently being measured.

Another source of preventive actions is the Total Product Lifecycle Database on the FDA website (http://bit.ly/FDATPLC). Every three-letter product code has a corresponding database report that you can use to identify product malfunctions and adverse events associated with competitor products. Learning from the mistakes of your competitors and implementing appropriate preventive actions internally is a great way to avoid the need for corrective actions—especially for design malfunctions.

The most fruitful source of preventive actions, however, is data analysis of process control monitoring. This source can identify negative trends within your company’s manufacturing process and suppliers’ processes. Catching a negative trend before products and components are nonconforming reduces the number of corrective actions needed, the cost of scrap or rework, and eliminates delays that result in customer complaints.

Setting a CAPA Quality Objective

As your company begins to develop additional sources of preventive actions, you may want to consider establishing a Quality Objective for your CAPA process. The most common Quality Objectives for a CAPA process are:

  1. Initiate at least one new preventive action per quarter
  2. Close all CAPAs within 90 days
  3. Reduce the average aging of CAPAs to <45 days

However, I would like to suggest another possible Quality Objective:

  1. Increase the ratio of preventive actions to corrective actions to > 1.00

To be successful in achieving this Quality Objective, you will need to increase your preventive actions and decrease the number of corrective actions. The reduction of corrective actions indicates that you are identifying potential problems before corrective action is required. In contrast, the increase in preventive actions indicates that your process for identifying potential problems is becoming more effective.

%name Where to Locate Preventive Action Sources

If you are interested in learning more about preventive action, please register for the Medical Device Academy’s CAPA Workshop on September 9 in Orlando, or on October 3 in San Diego. Click here to register for the event: http://bit.ly/MDAWorkshops.

Where to Locate Preventive Action Sources Read More »

Benefits of Incorporating Risk Management into Procedure Documents

1 Comment / ISO 14971:2019 (Risk Management) / By / , , ,

By Guest Blogger, Brigid Glass
8971385878 db2fe2e49a q Benefits of Incorporating Risk Management into Procedure DocumentsThe author discusses the benefits of incorporating risk management into procedure documents. An example procedure for Record Control is included.

When I was first introduced to FMEA many years ago, I loved it. I loved the systematic approach and particularly appreciated using a Process FMEA to explain to those involved with a production process why certain controls had been put in place. I enthusiastically taught FMEA to our engineers. At the time, our bubbly, buoyant, outcomes-focused Training Manager said to me, “You Quality people have such a negative outlook. You’re always looking for what can go wrong!”  Well, yes, but it’s our role to prevent things from going wrong!  I’d found a tool to help me with that.

Next, there was EN 1441, a risk analysis standard that never satisfied, and always felt incomplete. ISO 14971 followed, covering the entire lifecycle of a product, with closed feedback loops.  So now, risks in product and process design were well covered, but ISO 13485 section 7.1 asks us to “establish documented requirements for risk management throughout product realization.”  Many of us would acknowledge that we could do better, even though we pass audits.  And what about the rest of the quality management system?  I know that when we document a procedure, we already apply risk management principles in our heads, but we usually don’t apply them systematically or write down the results.

The Idea

Recently, Rob Packard and I started work on a project that requires us to generate a full set of documentation for a QMS, compliant with both U.S. and EU requirements, including ISO 13485 and ISO 14971. We each had our ideas on how best to write a procedure, but this project provided us an opportunity to get some synergy going. Rob wanted to address risk management in each procedure. “Yes!” I said, thinking that there was a chance to fill that gap. But then it was my job to develop the template for the procedures and work out how to accomplish this…

My first results looked very complicated, so I took the KISS (Keep It Simple, Stupid) approach: one column for the hazards and consequences, and one for the risk control measures.

What I didn’t include:

  • I started with more complex hazard documentation (hazard ID, impact, trigger event, etc.). Still, I felt the benefits in the context of a procedure document was not balanced by the extra complexity and work required for analysis and training. It would be a hard sell to users within an organization who were not used to the risk management approach.
  • I decided not to assess risks and controls quantitatively for the same reasons as in the bullet point above.
  • Initially, I included references to implementation, but this would be difficult to maintain as other documents changed.
  • I thought about verification of the implementation of risk controls, then decided to leave that verification to reviewers.

Below is an example from a procedure for Record Control where records are completed on paper, then scanned as a pdf. My list won’t be the same as your list, but it is illustrative.

brigid chart 1 Benefits of Incorporating Risk Management into Procedure Documents

Standards and regulations are essentially a set of risk controls, so they are the first starting point when identifying hazards. The list should include direct risks to products, risks to the integrity of the QMS, and regulatory risks. For those of us who have been in this industry for a while, experience, past mistakes, questions fielded in external audits, and observations of other systems will yield further hazards and appropriate controls. Audits provide the opportunity to update and refine the list and test the control measures.

Benefits of Incorporating Risk Management into Procedure Documents

  • Impresses your ISO 13485 auditor!
  • When first writing procedure documents, starting the writing process by reviewing the external requirements, and systematically writing the risk section, sharpens the mind as to what must be included in the procedure. This is the same approach as in design controls, where we include risk mitigators that apply to product design in the design inputs. This is part of planning in the PDCA cycle.
  • Supports future decision-making, in the same way, that the risk file for a product is considered when a design is changed. The risk control section of a procedure provides the criteria against which any improvement or change can be assessed. Will it enhance the risk controls, or might it introduce a new hazard?
  • Serves as the basis for training on the procedure. Making visible the link between potential hazards and procedural controls much more convincing than saying, “Do this because the procedure says so,” or, “It’s in the procedure because the regs say so.”

This is part 1 in a series of blogs that leads up to our Roadmap to Iso 13485 Certification Courses

 

Benefits of Incorporating Risk Management into Procedure Documents Read More »

CAPA Form – 15 tips to avoid CAPA failure

5 Comments / CAPA / By / ,

This blog reviews 15 tips for creating an effective CAPA form including source, quality issue description, and the root cause investigation.

Your cart is empty

CAPA Form 1024x362 CAPA Form 15 tips to avoid CAPA failure

The reason for creating a “great CAPA form” is to improve the effectiveness of your CAPA process. Anyone in your company could be assigned to a CAPA, but not everyone is a CAPA expert. Therefore, designing an effective CAPA form can reduce errors and improve the effectiveness of the actions taken. You can also purchase our CAPA procedure and CAPA form, which is compliant with ISO 13485:2016.

Corrective and Preventive Action CAPA Procedure CAPA Form 15 tips to avoid CAPA failure
SYS-024 Corrective and Preventive Action (CAPA) Procedure, Form, and Log
Medical Device Academy's newly updated CAPA procedure is a 6-page procedure. Your purchase will also include our CAPA form (FRM-009), our CAPA log (LST-005), and a training webinar. The procedure is compliant with ISO 13485:2016, 21 CFR 820.100, SOR 98/282, and the EU MDR. You will also receive free updates in the future.
Price: $299.00

Provide adequate space in CAPA form

The most important feature of a CAPA form is to ensure that there is adequate space for writing a complete response for each section. Having sufficient space is more important than the benefits of a shorter record.

Date your CAPA form was initiated

The date your CAPA form begins to be completed can be used to verify that there was no “undue delay” in the initiation of a CAPA in response to internal audit findings. The date of initiation is also used to calculate the due date for completing the investigation and providing a corrective/preventive action plan.

Include a cross-reference number in your CAPA form

This is typically a sequentially assigned CAPA log number. Ensure the number is prominent on all pages—just in case pages are separated.

CAPA source

The source of a CAPA is useful information when performing data analysis—especially for internal audits where the audit schedule should reflect the results of previous audits. Examples of CAPA sources include:

  • Complaints/Reportable Events
  • Internal, Supplier, and Third-Party Audits
  • Service Work Orders
  • Nonconforming Materials
  • Management Reviews

Description of CAPA issue

I use the word “issue” instead of nonconformity because you need a CAPA form that will work for potential nonconformities (i.e., – preventive actions), as well as nonconformities. Typically, the wording is identical to a customer complaint or an auditor’s text, but the description of the issue identifies the symptoms observed. Specific references to records, locations, times, equipment, products, and personnel involved may be necessary for the root cause investigation.

The investigator assigned and target due date for the plan

In ISO 13485:2016, the only change to the requirements for corrective actions and preventive actions was the clarification that planning is required. Since this was always implied in the standard, your procedure should already comply with clauses 8.5.2 and 8.5.3 in the 2016 version of ISO 13485.

This section of your CAPA form should identify who is going to investigate the root cause of the issue and the date that a corrective/preventive action plan is needed. The FDA requires submitting a corrective action plan for all 483 observations within 15 business days, or it will result in an automatic Warning Letter. Most certification bodies require a plan within 30 days. Your target due date should be risk-based unless there is a specific regulatory requirement. The date will also need to be based upon the date the issue was identified—not necessarily the date the CAPA was initiated.

Documenting the investigation of the root cause is the #1 item in a CAPA form

This section always reminds me of the story about the Ohno Circle. Every company asks if they can close a nonconformity during an audit, and the answer should always be “No.” You can correct a problem, but you cannot perform a root cause investigation and implement an effective corrective action during the same audit. You need to investigate the cause and the investigation documented. Some companies include a specific tool in this section, such as a “Fishbone Diagram.” This is also a mistake because there are many root cause analysis tools, and you need to select the best one for your specific situation. You might even need to use more than one tool.

Is your CAPA form missing containment of nonconforming product?

If the issue requires preventive action, there is nothing to contain. If the issue is specific to a procedure’s deficiency, there is also nothing to contain. If the issue requires corrective action and nonconforming materials or products are involved, then you need to quarantine the affected items. If the affected product has already left the company’s direct control (see 21 CFR 806.2(l) for a definition), then you have a potential recall. Regulators often look for “bracketing” or “bounding” of the upper and lower lot limits for an issue. Therefore, this section is where you document the rationale for why certain lots of products/materials are quarantined, and other lots are not.

Correction(s) – Your CAPA form must separate this from corrective actions

Fixing the immediate problem does not prevent a recurrence, but regulators will verify that each occurrence of the issue identified during the investigation of the root cause has been corrected. You should verify that each of the nonconformities identified in the original finding and the investigation is addressed in this section of your CAPA form. For preventive actions, this section is not applicable.

Corrective Action Plan/Target Due Date for Implementation

These are the steps planned to prevent a recurrence. If the plan changes, then it should be updated. There is no need to delete the old version of the plan, but the new version should include a date when the plan was revised. For preventive actions, this section is not applicable. The target date of implementation should reflect the risk associated with the issue.

Preventive action plan / target due date for implementation

These are the steps planned to prevent the occurrence of nonconformity. If an issue occurred for one product, but not for others, the actions taken for other products can be preventive. In this case, both the corrective action plan and the preventive action plan sections should be completed. The target date of implementation should reflect the risk associated with the issue.

Corrective and preventive actions implemented – Update your CAPA form weekly

This section details what specific actions were performed—both corrective and preventive actions can be documented here. The dates of completing actions should be documented, and reasons for delays and overdue actions should be identified.

How to document your plan for verification of effectiveness – CRITICAL

I recommend filling this section before the plan for corrective and preventive action is developed. This often helps the person developing the plan to ensure that the actions planned are adequate. Whenever possible, this should be quantitative, and it helps to identify a specific date for performing the effectiveness check.

Verification of effectiveness

This section of your CAPA form is where you document verification of effectiveness. Specifically, what verification activities were performed to ensure that the corrective and preventive actions you implemented were effective. The date verification of effectiveness was performed should be documented, and if the actions were not effective, then a new CAPA should be referenced here.

Signature and closure date

Someone needs to review, sign, and date your CAPA form when it is completed. Often, regulators will review only closed records.

CAPA Form – 15 tips to avoid CAPA failure Read More »

An Auditor’s Best Practices in Issuing a Major Nonconformity

4 Comments / ISO Auditing / By / , ,

%name An Auditors Best Practices in Issuing a Major Nonconformity

From the opening meeting through the audit and closing meeting, the author describes an auditor’s best practices in issuing a major nonconformity.

As an auditor, one of the most important (and difficult) things to learn is how to issue a nonconformity—especially a major. This is usually done at the closing meeting of an audit, but the closing meeting is not where the process of issuing the nonconformity begins. Issuing a nonconformity starts in the opening meeting.

ISO 19011:2011 is the official guidance document for auditors of Quality Management Systems, and ISO 13485 is the quality system standard for medical device manufacturers. Section 6.4.2 of this Standard explains best practices for an opening meeting. The last five items in this section are critical to preparing the client for potential nonconformities:

  1. Method of reporting audit findings, including grading, if any
  2. Conditions under which the audit may be terminated
  3. Time and place of the closing meeting
  4. How to deal with possible findings during the audit
  5. System for feedback from the auditee on findings or conclusions of the audit
  6. Process for complaints and appeals
Methods of Reporting and Grading Nonconformities

The auditor should be crystal clear in their description of minor and major nonconformities or any other grading that will be used. The auditor should also make it clear that they are looking for conformity rather than nonconformity. This is an audit—not an inspection. Typically, a minor nonconformity is described as “a single lapse in the fulfillment of a requirement,” while a major nonconformity is described as one of the following: 1) “a total absence in the fulfillment of a requirement,” 2) “repetition of a previous nonconformity,” 3) “failure to address a previously identified minor nonconformity,” or 4) “shipment of non-conforming product.” When the auditor is in doubt, then the finding is minor, and never a major. For a major nonconformity to be issued, there can be no doubt.

Conditions for Termination

The option to terminate an audit is typically reserved for a certification audit where a major nonconformity is identified, and there is no point in continuing. Termination is highly discouraged, because it is better to know about all minor and major nonconformities right away, instead of waiting until the certification audit is rescheduled. The certification body will charge you for their time anyway.

Another reason for termination is when an auditor is unreasonable or inappropriate. This is rare, but it happens. If the audit is terminated, you should communicate this to upper management at the certification body and the company—regardless of which side of the table you sit. For FDA inspections, this is not an option. For audits performed by Notified Bodies, there is the possibility of suspension of a certificate in response to audit termination. Therefore, I always recommend appealing after the fact, instead of termination. Appealing also works for FDA inspections.

How to Deal with Findings

All guides and auditees should be made aware of possible findings at the time an issue is discovered. This is important so that an auditee has the opportunity to clarify the evidence being presented. Often, nonconformities are the result of miscommunication between the auditor and the auditee. This frequently happens when the auditor has a poor understanding of the process being audited. It is a tremendous waste of time for both sides when this occurs. If there is an actual nonconformity, it is also important to gather as much objective evidence as possible for the auditor to write a thorough finding and for the auditee to prepare an appropriate corrective action plan in response to the discovery.

%name An Auditors Best Practices in Issuing a Major Nonconformity
Feedback from the Auditee

As an auditor, I always encourage auditees to provide honest feedback to me directly and to management, so that I could continue to improve. If you are giving feedback about an internal auditor or a supplier auditor, you should always give feedback directly before going to the person’s superior. You are both likely to work together in the future, and you should give the person every opportunity to hear the feedback first-hand.

When providing feedback from a third-party certification audit, you should know that there will be no negative repercussions against your company if you complain directly to the certification body. At most, the certification body will assign a new auditor for future audits and investigate the need for taking action against the auditor. In all likelihood, any action taken will be “retraining.” I never fired somebody for a single incident—unless they broke the law or did something unsafe. The key to providing feedback, however, is to be objective. Give specific examples in your complaint, and avoid personal feelings and opinions.

Complaints and Appeals

As the auditee, you should ask for the contact information of the certification body during the opening meeting. Ask with a smile—just in case you disagree, and so you can provide feedback (which might be positive). As the auditor, you should always make contact information for the certification body available. If you are conducting a supplier audit or an internal audit, you probably know the auditor’s boss, and there is perhaps no formal complaint or appeals process. In the case of a supplier audit, the customer is always right—even when they are wrong.

During the Audit

During the audit, you should always make the guide(s) and process owner(s) aware of any potential nonconformities as you find them. This is their opportunity to clarify the objective evidence for you and to explain why there is not a nonconformity. Often, at this point in the audit, I will refer to the Standard. I will identify the specific requirement(s) and show the process owner. I will say, “This is what I am trying to verify. Do you have anything that would help address this requirement?” If the process owner is unsure of how to meet the requirement, often, I will provide an example of how this requirement is addressed in other areas or at other companies.

If the audit is a multi-day audit, I will review the potential nonconformities at the end of the day and allow the auditee to provide additional objective evidence in the morning. If it is the last day of the audit, or it is a single-day audit, I will give auditees until the closing meeting to provide the objective evidence. Often, I will use this opportunity to explain what would be considered a minor nonconformity and what would be a major nonconformity. Usually, I can say, “This is not a major nonconformity because…”

%name An Auditors Best Practices in Issuing a Major Nonconformity

Closing Meeting

The closing meeting should be conducted as scheduled, and the time/location should be communicated to upper management in the audit agenda and during the opening meeting. Top management won’t be happy about nonconformities, but failure to communicate when the closing meeting will be conducted will irritate them further.

At the closing meeting, the auditee should never be surprised. If an issue remains unfulfilled at the closing meeting, the auditee should be expecting a minor nonconformity—unless the issue warrants a major nonconformity. Since a minor nonconformity is described as “a single lapse in the fulfillment of a requirement,” it is difficult for an auditee to argue that an issue does not warrant a minor nonconformity. Typically, the argument is that you are not consistent with other auditors. The most common response to that issue is, “Audits are just a sample, and previous auditors may not have seen the same objective evidence.” The more likely scenario, however, is that the previous auditor interprets requirements, instead of reviewing requirements with the client, and ensuring both parties agree before a finding is issued.

If a finding is major, the auditee should have very few questions. Also, I often find the reason for a major nonconformity is a lack of management commitment to address the root cause of a problem. Issuing a major nonconformity is sometimes necessary to get management’s attention.

Regardless of the grading, all audit findings will require a corrective action plan—even an FDA warning letter requires a CAPA plan. Therefore, a major nonconformity is not a disaster. You just need to create a more urgent plan for action.

An Auditor’s Best Practices in Issuing a Major Nonconformity Read More »

A 6 Step Approach if You Disagree With a Notified Body Auditor

2 Comments / ISO Certification / By / ,

The author’s first certification audit experience is discussed, and we review six different approaches to take if you disagree with a notified body auditor.

My first certification audit ever didn’t go so well. The reason it didn’t go well is that the auditor wrote nonconformities that my boss and our regulatory consultant didn’t agree with. At the time, I was too inexperienced to know how to handle it. My boss and the consultant, however, totally lost it. I’ve never seen veins that big in someone’s forehead–even in cartoons.

I asked them both to leave the room because I was afraid to “push back” on the auditor. Many Management Representatives feel the same way that I did during that initial certification audit. The best way to summarize our concerns is with the following picture:

kodiak A 6 Step Approach if You Disagree With a Notified Body Auditor

Recently another LinkedIn group member emailed me to say that they have seen several auditors for registrars identifying nonconformities that represented their own personal opinions rather than specific requirements of the Standard. For example, there is a requirement to assign management responsibilities and document it, but there is no requirement to have an organization chart.

Another common mistake is when auditors insist that a company must create a turtle diagram for every single process. I support the use of turtle diagrams 100%, but the only requirement in the Standard is to use the process approach–not turtle diagrams specifically.

My favorite is my own personal mistake. I wrote a nonconformity for not having a process for implant registration cards for a company that was planning to ship a high-risk implant product to Canada. There is a requirement for implant registry cards, but I forgot that Canada defines “implants” in this case as only a very short list of implant devices–not implants in general.

Auditors are human. These are audit findings–not a jail sentence. Everyone needs to remember that the worst that can happen is that you receive a nonconformity. If the auditor finds a nonconformity, then you need to develop a CAPA plan. If the auditor finds nothing, you still need to do your own internal audits to identify nonconformities and continuously improve processes.

What Should You Do When an Auditor is Wrong?

I recommend that you “push back,” but you need to know-how. Many consultants suggest saying, “Can you show me in the Standard where it says I have to do that?” That’s just like poking a bear. If you do it once, it’s annoying. If you do it multiple times, an auditor might just eat you.

One Management Representative did that to me after I had taken the time to review the requirements with him. I responded by holding the ISO 13485 Standard in front of him and reciting clause 7.3.2. He responded by saying, “Well, that’s up for interpretation.” I offered to recite the ISO 14969 guidance document for him, but his boss told him to shut up.

This certainly wasn’t the only time a client pushed back during a registration audit, but other clients have had the sense to argue about things they understood.

One of the clients I audited said that he would change the topic to the auditor’s favorite sports team. That’s one approach. I’m sure that more than one client has taken the approach of asking me to explain where they can learn about best practices. I’m sure that they were somewhat successful. Another approach is to slide the lunch menu in front of them; I have only met one auditor that would not be distracted by a lunch menu.

6 Step Approach When You Disagree With an Auditor

1. Shut-up and look it up (before you open your mouth, grab the applicable external Standard and locate the information you are looking for).

2. If you are still convinced that the auditor is wrong, then tell that you are having trouble finding the requirement. Show them where you are looking, and then ask them to help you find the requirement.

3. If the auditor can’t show you where you are wrong, or it appears that the auditor is interpreting the Standard as they see fit, then focus on asking the auditor for guidance on what they will be looking for in your CAPA plan.

4. If the CAPA plan the auditor is looking for is something you think is a good idea, then shut up and implement the improvements. If the CAPA plan is not acceptable to you, then you should ask what the process is for the resolution of disputes.

5. No matter what, don’t start an argument with the registrar. They enjoy it. They like a challenge and resent people with less experience criticizing them.

6. If you still disagree with your auditor, then you should ask if the auditor can explain the process for appealing findings and follow that process.

A 6 Step Approach if You Disagree With a Notified Body Auditor Read More »

3 Tools for Effectively Qualifying Suppliers

4 Comments / Supplier Quality Management / By / ,

%name 3 Tools for Effectively Qualifying Suppliers
Do you have the right tools for qualifying your suppliers?


For every task, you have a choice of tools that you can use. For qualifying your suppliers, are you using the correct tools? 

This blog reviews how to utilize statistical process control, process validation, and supplier auditing to qualify suppliers effectively.
If you could afford to audition suppliers for a few months against hundreds of other competitors, then only the qualified suppliers would be approved. Unfortunately, you don’t have the same budget that American Idol has. So what should you do instead?

Most companies use the same three, tired tools to qualify suppliers: ISO Certification, Quality Manuals, and questionnaires. ISO certification is a weak tool because certification is only as good as the registrar’s worst client. Quality Manuals are intended to define the intent of your supplier’s Quality Management System, while most of the details are located in procedures. You only need a copy of your supplier’s Quality Manual to help you plan audits. Supplier questionnaires seem to be the most popular tool, but most of the questions require a “Yes/No” response that suppliers rarely answer negatively. To assess the qualifications of potential suppliers more effectively, try using the following tools instead:

Tool # 1: Statistical Process Control

Most companies require a Certificate of Compliance (CoC) with every shipment. A CoC is useless. Just like the “Yes/No” responses to questionnaires, you will never see a CoC that indicates something is wrong. A Certificate of Analysis (CoA) is much more useful, because the CoA has actual data, and the tolerance range is typically indicated for each test or measurement that was performed by the supplier. The best report you can get from a supplier is a statistical analysis of each specification during the prototype production lot. When you have a Statistical Process Control (SPC) run chart, you know quantitatively if the supplier is capable of making an acceptable product. The run chart can also be used to develop an appropriate sampling plan for incoming inspection.

Tool # 2: Process Validation

Process validation is much more than determining if a process is capable of producing a consistent product. An SPC run chart can do that. Process validation tells you what range of operating parameters will produce a consistent product. Therefore, when you have process deviations or measurement devices are slightly out-of-calibration, you will know if your supplier’s process will still make an acceptable product. The validation of a process should also identify which variables are critical indicators of the process. This information can be used to reduce the number of variables and specifications that are monitored for a production process, and focus both your supplier’s resources and your own.

Tool # 3: Supplier Auditing

A multi-disciplinary team audit of a potential supplier is an effective tool for assessing a supplier’s qualifications and will help build a stronger relationship between your team and the supplier’s team. Before you conduct an audit, it is important to plan the audit to ensure you get the greatest possible value. The following recommendations are important to supplier auditing:

  1. Use a risk-based approach to auditing suppliers (this goes beyond just critical and non-critical)
  1. Strategically select auditors and train them well
  2. Plan the auditing goals and objectives for the team in advance
  3. Create a formal audit agenda that defines which processes each auditor will be focusing on

Auditing 100% of your critical suppliers may seem impossible, due to limited resources, but have you ever seen a cost/benefit analysis?

What’s the cost of rejects, rework, and product redesign?

Supplier Quality Management Webinars Available 

Are your Suppliers Qualified? Prove It! 

http://robertpackard.wpengine.com/suppliers-qualified-prove/

Supplier Auditing and Remote Auditing: Tips to Save You Time and Money 

http://robertpackard.wpengine.com/supplier-auditing-and-remote-auditing-tips-save-time-money/

 

 

3 Tools for Effectively Qualifying Suppliers Read More »

Scroll to Top