This procedure case study describes an error-proof method for procedure review and approval of quality system procedures.
My first training in procedure review
The first time I was formally trained on how to conduct a procedure review was during a lead auditor course. I thought the topic of procedure review seemed out of place, but as I audited more companies, I realized that missing regulatory requirements in a procedure are quite common. Regardless of who reviews a procedure, or how many times it is reviewed, something is always missed. Unfortunately, a desktop audit of procedures is not an effective corrective action or verification method. Auditing procedures is an ineffective method for reviewing procedures because audits are limited by sampling.
A better approach to procedure review than auditing
Instead of random sampling, a systematic review of 100% of regulatory requirements is needed to ensure that none of the regulatory requirements are accidentally omitted. Systematically reviewing regulatory requirements for each country your company is selling in is tedious at best. You need a tool to make the reviewing process error-proof and straightforward. You also need each procedure reviewer to have a defined function to eliminate the duplication of work.
Procedure reviewer and approver roles
There are 3-5 reviewers of procedures in most companies. Some companies make the mistake of having as many as 8-10 reviewers of procedures, but more is not better. There are four primary roles for procedure review, but you could have as few as two people approving most procedures:
- process owner (must review and approve)
- quality management (must review and approve)
- regulatory (must review, but optional approver)
- independent (optional review, but not an approver)
You are not required to have all four of these reviewer roles, but including these four roles in your document control process is a best practice. Differentiating between reviewers and approvers should also be considered in your document control procedure. The only documents we recommend top management be a reviewer and approver of are:
- Quality Policy
- Risk Management Policy
- Quality Manual
- Management Review Procedure
The reason for top management reviewing these four documents is because top management has a regulatory responsibility related to each of these documents.
Process owner role
The process owner is the owner of the procedure for that process. Therefore, the process owner needs to approve that procedure. It would make no sense to own a process without the ability to approve changes. The process owner may also be the procedure author, but we don’t recommend it. Editing someone else’s work is more effective than editing your own work. Instead, we recommend that the process owner delegate the responsibility for writing and updating procedures to a subordinate who performs the procedure. Then, the process owner is responsible for reviewing and approving the procedure.
Quality management role
The quality management person needs responsibility for reviewing and approving all procedures because this person is responsible for the entire quality system. They need to make sure the procedure is accurate in the context of the entire quality system. The quality management person is the best person to review interactions with other processes. For example, the management review process has twelve required inputs (i.e., ISO 13485, Clause 5.6.2A-L). Each of those inputs comes from another process and procedure. It is essential to ensure that if you are reviewing the complaint handling procedure, somewhere in that procedure, it should state that the monitoring and measuring of complaint trends should be input into the management review process.
Regulatory role
Usually, the regulatory person is responsible for verifying that a procedure meets 100% of the regulatory requirements. This person should verify that the scope of the procedure identifies the relevant markets. If there are references to documents of external origin, the regulatory person should verify that these references are accurate. The best way to do this is by performing a gap analysis. Sometimes the quality management role and the regulatory role are combined in a small company, but larger companies will keep these roles separate. Just because the regulatory person performs a gap analysis as a reviewer, that doesn’t automatically translate to the need for approval of the procedure. We recommend making the decision on whether a regulatory person should approve a procedure based on whether the procedure has specific regulatory requirements (e.g., annual registration or regulatory reporting).
Independent reviewer role
Finally, the independent reviewer is looking for two things:
- Does the procedure make sense–to someone who performs the procedure (if that person was not the author); and to an external auditor, such as a certification body (internal auditors can fill this role)?
- Are there typos, spelling, or grammar mistakes?
The independent reviewer does not need to be a manager. It needs to be someone who writes well. Editing is tedious, but apparent mistakes in spelling or grammar prompt auditors to review procedures more carefully. If available, we recommend asking an internal auditor to be the independent reviewer. Depending upon the experience of the independent reviewer with regard to performing a gap analysis, the person with regulatory responsibility may delegate the task of gap analysis to independent reviewers. This role can also be satisfied by a consultant with technical writing ability. Medical Device Academy’s resident expert at this is Matthew Walker.
Procedure case study – The most common auditor findings
The two most common reasons for audit findings are:
- the procedure is not being followed, and
- a regulatory requirement is missing from your procedure.
Not following the procedure
The first problem is the most common reason for audit nonconformity, as companies include requirements in the procedure that are not regulatory requirements. Auditors look for objective requirements to audit. Therefore, if you include objective requirements in your procedure an auditor is more likely to select those requirements to sample than subjective requirements–even if the requirement is not a regulatory requirement. This is one of the reasons we recommend having processing owners review and edit procedures. If you purchase a procedure, it’s important for the person who will be performing the procedure to carefully review the procedure to ensure it matches how they intend to perform that process. If it’s a manufacturing procedure, we recommend training personnel with a draft procedure and handing out red pens. That also dramatically reduces complaints from the people who do the work.
Regulatory requirements missing
For regulatory requirements, your regulatory reviewer needs to create a checklist that includes 100% of the requirements for that procedure. This approach is called a gap analysis. The model for gap analysis documentation we like to follow is the General Safety and Performance Requirement (GSPR) Checklist used for technical documentation (i.e., for CE Marking). There are 23 GSPRs in the MDR and 20 GSPRs in the IVDR. Most of the GSPR requirements have multiple subparts. The regulatory person who completes the GSPR Checklist must indicate the following information next to the applicable requirement in the checklist table:
- yes, the requirement applicable or justification if it’s not applicable
- a reference to any applicable standards
- a cross-reference to the record where evidence of meeting the requirement can be found (e.g., the risk management file)
Regulatory personnel can revise this approach slightly by doing the following for the review of procedures:
- yes, the requirement applicable or justification if it’s not applicable
- a reference to the applicable specific sub-clause in a Standard or a regulation
- a cross-reference to the subsection of the procedure where evidence of meeting the requirement can be found (e.g., section 5.1 of the SYS-003)
Procedure Case Study of the Management Review Procedure (SYS-003)
In Medical Device Academy’s Management Review Procedure, Section 8 is the “procedure section.” Sub-section 8.3 of the procedure lists all the required inputs for a Management Review meeting. Next to each input, we included a cross-reference to the sub-clause in ISO 13485:2016 for the Management Review input.
There is also a requirement in ISO 13485:2016 for conducting Management Reviews at scheduled intervals. This requirement is met by sub-section 8.1 of the Management Review procedure. We used the same approach to identify and cross-reference to this requirement.
Teaching auditors by performing your own procedure case study
Now, when we teach our Lead Auditor Course, we ask attendees to split into small groups to review a procedure–one procedure for each group. In one of the companies where we did this, each of the four teams found a regulatory requirement that was missing from the procedures they were reviewing. All four procedures the teams selected were already reviewed, approved, and currently in use at the time of the auditor training. The four teams created their own procedure case study to demonstrate the importance of reviewing procedures for regulatory requirements.
Pingback: Management review revisions for ISO 13485:2016