Search Results for: root cause

Packaging Complaint Investigation – Case Study

This is part one of a case study on how to perform a packaging complaint investigation when packaging is found open by a customer.

Overview of Packaging Complaint Investigation

This case study example involves a flexible, peelable pouch made of Tyvek and a clear plastic film. This is one of the most common types of packaging used for sterile medical devices. In parallel with the complaint investigation, containment measures and corrections are implemented immediately to prevent the complaint from becoming a more widespread problem. The investigation process utilizes a “Fishbone Diagram” to identify the root cause of the packaging malfunction. This is just one of several root cause analysis tools that you can use for complaint investigations, but it works particularly well for examples where something has gone wrong in production process controls, but we are not sure which process control has failed.

Description of the packaging malfunction

The first step of the complaint handling process (see SYS-018, Customer Feedback and Complaint Handling) is to record a description of the alleged quality issue. The incident was reported by a distributor. The distributor told customer service that two pouches in a box containing 24 sterile devices were found to have a seal that appeared to be delaminating. Unfortunately, the distributor was unable to provide a sample of the delaminated pouches or the lot number of the units. Packaging issues and labeling issues are typically two of the most common complaint categories for medical devices. Often the labeling issues are operator errors or a result of labeling mixups, while the packaging errors may be due to customers who accidentally ordered or opened the wrong size of the product. Therefore, they may complain about packaging when there is nothing wrong. It is essential to be diligent in the investigation of each packaging complaint because if there is a legitimate packaging quality issue, then there may be a need for a product recall as part of your corrective action plan.

Initiation of the packaging complaint investigation

In your complaint record, you need to assign a person to investigate the complaint. The only acceptable reason for not initiating an investigation is when a similar incident was already investigated for another device in the same lot or a related lot (i.e., packaging raw material lot is the same and the problem is related to the material). If the complaint was already investigated, then the complaint record should cross-reference the previous complaint record.

The person assigned to investigate the complaint must be trained in complaint investigations and should be technically qualified to investigate the processes related to the complaint (e.g., packaging process validation). The investigator must record which records were reviewed as part of the investigation, and the investigation should be completed promptly in case regulatory reporting is required or remedial actions are needed. It is also necessary to demonstrate that complaints are processed in a consistent and timely manner (e.g., average days to complaint closure may be a quality objective). 

Regulatory reporting of packaging failures

We know everyone wants to avoid regulatory reporting because we are afraid that other customers will lose confidence in our product and bad publicity may impact sales. However, the consequences of failing to file medical device reports with the FDA are much worse. Even if an injury or death did not occur with a sterile medical device, the quality issue should still be reported as an MDR under 21 CFR 803 (see SYS-029, Medical Device Reporting) because a repeat incident could cause an infection that could result in sepsis and death. If you think that this is an extremely conservative approach, you might be surprised to learn that 251 MDRs were reported to the FDA in Q4 of 2023 for packaging issues. Of these reports, only one involved an actual injury, and the other 250 involved a device malfunction but no death or injury. The following event description and manufacturer’s narrative are an example:

Event Description

“It was reported by the sales rep in japan that during an unspecified surgical procedure on (b)(6) 2023 the rgdloop adjustable stnd device sterile package was not sealed and was unclean. Another like device was used to complete the procedure. There was an unknown delay in the procedure reported. There were no adverse patient consequences reported. No additional information was provided.”

Manufacturers Narrative

“This report is being submitted in pursuant to the provisions of 21 cfr, part 803. This report may be based on information which has not been able to investigate or verify prior to the required reporting date. This report does not reflect a conclusion by mitek or its employees that the report constitutes an admission that the device, mitek, or its employees caused or contributed to the potential event described in this report. If information is obtained that was not available for the initial medwatch, a follow-up medwatch will be filed as appropriate. Device was used for treatment, not diagnosis. If information is obtained that was not available for the initial medwatch, a follow-up medwatch will be filed as appropriate. H10 additional narrative: e3: reporter is a j&j sales representative. H4: the device manufacture date is unknown. Udi: (b)(4).”

Packaging complaint investigation when product IS NOT returned

The narrative above does not elaborate on the specific investigation details for “lot history reviewed.” One of the most useful tools for performing a packaging complaint investigation is the “Fishbone Diagram.” Other names include “Ishikawa Diagram” and “Cause and Effect Diagram.” There are six parts (i.e., “6Ms”) to the diagram:

  1. materials,
  2. method,
  3. machine,
  4. “mother nature” or environment,
  5. “manpower” or people, and
  6. measurement.

What records can be investigated without the return of the product?

The following records could be reviewed and evaluated for potential root causes even if the customer does not return the packaging with the alleged malfunction:

  1. review the complaint log for other complaints with the same lot number and/or from a similar period, lot of raw materials, or packaging machine
  2. review the device history record for the lot to make sure that the number of units rejected as part of normal in-process and final inspection did not exceed pre-established thresholds for monitoring the sealing process
  3. if retains of the lot are available, these might be retested to verify that the testing results after real-time aging remain acceptable
  4. the maintenance and calibration records of the equipment for manufacture and testing may be reviewed to verify that no repairs were required and no equipment was identified as out-of-calibration

If all of the above fail to identify a potential cause for a packaging failure, then you might have a problem related to people or the environment. People include the people sealing the product package and the users. The environment consists of the temperature and humidity for storage of packaging raw materials, packaged products, sterilization conditions, storage conditions after sterilization, and shipping conditions–including any temporary extremes that might occur during transit.

In our case study, the product was not returned, and we did not have the lot numbers. Therefore, we may need to review distribution records to that distributor and/or the customer to narrow down the possible lots to one or more lots. Then we would need to perform the same type of review of lot history records for each potential lot. The best approach is to request a photo of the package labeling, including the UDI bar code, because that information will facilitate lot identification. Even if the product was discarded, often the UDI will be scanned into the patient’s electronic medical record (EMR) during surgery.

Conducting investigations when product IS returned

Sometimes you are fortunate enough to receive returned products. The product should be immediately segregated from your other products to prevent mixups and/or contamination. Normally the returned products are identified as non-conforming products and quarantined. After the quarantined product is evaluated for safety, the assigned investigator may inspect the packaging in a segregated area. Packaging investigations begin with visual inspection following ASTM F1886. If multiple packaging samples are available, or the packaging is large enough, the investigator may destructively test (i.e., ASTM F88) a 1” strip cut from the packaging seal to verify that the returned packaging meets the original specifications. If you kept retains of packaging with the same lot of flexible packaging, you may visually inspect and destructively test retains as well.

Next steps of the packaging complaint investigation

Once the root cause is identified for a packaging complaint, then you need to implement corrective actions to prevent a recurrence. Also, FDA Clause 21 CFR 820.100 and ISO 13485, Clause 8.5.3, require that you implement preventive actions to detect situations that might result in a potential packaging failure in the future and implement preventive measures so that similar packaging failures are not able to occur. If you are interested in learning more about conducting a root cause analysis, please read our blog on this topic: Effective Root Cause Analysis – Learn 4 Tools.

This article is the first half of the packaging complaint investigation case study. The second half of the two-part case study explains the necessary containment measures, corrections, corrective actions, and preventive actions to address the root cause of the packaging failure.

Additional packaging validation resources

There are many articles on the topic of package testing and package design for sterile medical devices. If you want to learn more, please register for our free webinar on packaging validation by Jan Gates.

Design Controls Implementation

Design controls can be overwhelming, but you can learn the process using this step-by-step guide to implementing design controls.

You can implement design controls at any point during the development process, but the earlier you implement your design process, the more useful design controls will be. The first step of implementing design controls is to create a design controls procedure. You will also need at least two of the following additional quality system procedures:

  1. Risk Management Procedure (SYS-010)
  2. Software Development and Validation (SYS-044)
  3. Usability Procedure (SYS-048)
  4. Cybersecurity Work Instruction (WI-007)

A risk management file (in accordance with ISO 14971:2019) is required for all medical devices, and usability engineering or human factors engineering (in accordance with IEC 62366-1) is required for all medical devices. The software and cybersecurity procedures listed above are only required for products with 1) software and/or firmware, and 2) wireless functionality or an access point for removable media (e.g., USB flash drive or SD card).

Step 2: Design controls training

Even though the requirement for design controls has been in place for more than 25 years, there are still far too many design teams that struggle with understanding these requirements. Medical device regulations are complex, but design controls are the most complex process in any quality system. The reason for this is that each of the seven sub-clauses represents a mini-process that is equivalent in complexity to CAPA root cause analysis. Many companies choose to create separate work instructions for each sub-clause.

Medical Device Academy’s training philosophy is to distill processes down to discrete steps that can be absorbed and implemented quickly. We use independent forms to support each step and develop training courses with practical examples, instead of writing a detailed procedure(s). The approach we teach removes complexity from your design control procedure (SYS-008). Instead, we rely upon the structure of step-by-step forms completed at each stage of the design process.

If you are interested in design control training, Rob Packard will be hosting the 3rd edition of our Design Controls Training Webinar on Friday, August 11, 2023, @ 9:30 am EDT.

Step 3: Gathering post-market surveillance data

Post-market surveillance is not currently required by the FDA in 21 CFR 820, but it is required by ISO 13485:2016 in Clause 7.3.3c) (i.e., “[Design and development inputs] shall include…applicable output(s) of risk management”). The FDA is expected to release the plans for the transition to ISO 13485 in FY 2024, but most companies mistakenly think that the FDA does not require consideration of post-market surveillance when they are designing new devices. This is not correct. There are three ways the FDA expects post-market surveillance to be considered when you are developing a new device:

  1. Complaints and adverse events associated with previous versions of the device and competitor devices should be identified as input to the risk management process for hazard identification.
  2. If the device incorporates software, existing vulnerabilities of the off-the-shelf software (including operating systems) should be identified as part of the cybersecurity risk assessment process.
  3. During the human factors process, you should search for known use errors associated with previous versions of the device and competitor devices; known use-related risks should also include any potential use errors identified during formative testing.

Even though the FDA does not currently require compliance with ISO 13485, the FDA does recognize ISO 14971:2019, and post-market surveillance is identified as an input to the risk management process in Clause 4.2 (see note 2), Clause 10.4, and Annex A.2.10. 

Step 4: Creating a design plan 

You are required to update your design plan as the development project progresses. Most design and development projects take a year before the company is ready to submit a 510k submission to the FDA. Therefore, don’t worry about making your first version of the plan perfect. You have a year to make lots of improvements to your design plan. At a minimum, you should be updating your design plan during each design review. One thing that is important to capture in your first version, however, is the correct regulatory pathway for your intended markets. If you aren’t sure which markets you plan to launch in, you can select one market and add more later, or you can select a few and delete one or more later. Your design plan should identify the resources needed for the development project, and you should estimate when you expect to conduct each of your design reviews.

Contents of your design plan

The requirement for design plans is stated in both Clause 7.3.1 of the ISO Standards, and Section 21 CFR 820.30b of the FDA QSR. You can make your plan as detailed as you need to, but I recommend starting simple and adding detail. Your first version of a design plan should include the following tasks:

  • Identification of the regulatory pathway based on the device risk classification and applicable harmonized standards.
  • Development of a risk management plan
  • Approval of your design plan (1st design review) 
  • Initial hazard identification
  • Documentation and approval of user needs and design inputs (2nd design review) 
  • Risk control option analysis
  • Reiterative development of the product design
  • Risk analysis 
  • Documentation and approval of design outputs and implementation of risk control measures (3rd design review)
  • Design verification and verification of the effectiveness of risk control measures (4th design review)
  • Design validation and verification of the effectiveness of risk control measures that could not be verified with verification testing alone
  • Clinical evaluation and benefit/risk analysis (5th design review)
  • Development of a post-market surveillance plan with a post-market risk management plan
  • Development of a draft Device Master Record/Technical File (DMR/TF) Index
  • Regulatory approval (e.g., 510k clearance) and closure of the Design History File (DHF)
  • Commercial release (6th and final design review)
  • Review lessons learned and initiate actions to improve the design process

Step 5: Create a detailed testing plan

Your testing plan must indicate which recognized standards you plan to conform with, and any requirements that are not applicable should be identified and documented with a justification for the non-applicability. The initial version of your testing plan will be an early version of your user needs and design inputs. However, you should expect the design inputs to change several times. One time you may need to make changes to design inputs is after you receive feedback from regulators. You may also need to make changes when you fail your testing (i.e., preliminary testing, verification testing, or validation testing). If your company is following “The Lean Startup” methodology, your initial version of the design inputs will be for a minimum viable product (i.e., MVP). As you progress through your iterative development process, you will add and delete design inputs based on customer feedback and preliminary testing. Your goal should be to fail early and fail fast because you don’t want to get to your verification testing and fail. That’s why we conduct a “design freeze” prior to starting the design verification testing and design transfer activities.

When to submit a 513g request, a pre-submission request, and a 510k submission during your design process.

Step 6: Request a pre-submission meeting with the FDA

Design inputs need to be requirements that are verified through the use of a verification protocol. If you identify external standards for each design input, you will have an easier time completing the verification activities, because verification tests will be easier to identify. Some standards do not include testing requirements, and there are requirements that do not correspond to an external standard. For example, IEC 62366-1 is an international standard for usability engineering, but the standard does not include specific testing requirements. Therefore, manufacturers have to develop their own test protocol for validation of the usability engineering controls implemented. If your company is developing a novel sterilization process (e.g., UV sterilization), you will also need to develop your own verification testing protocols. In these cases, you should submit the draft protocols to the FDA (along with associated risk analysis documentation) to obtain feedback and agreement with your testing plan. The method for obtaining written feedback and agreement with a proposed testing plan is to submit a pre-submission meeting request to the FDA (i.e., PreSTAR).

Step 7: Iterative development is how design controls really work

Design controls became a legal requirement in the USA in 1996 when the FDA updated the quality system regulations. At that time, the “V-diagram” was quite new and limited to software development. Therefore, the FDA requested permission from Health Canada to reprint the “Waterfall Diagram” in the design control guidance that the FDA released. Both diagrams are models. They do not represent best practices, and they do not claim to represent how the design process is done in most companies. The primary information that is being communicated by the “Waterfall Diagram” is that user needs are validated while design inputs are verified. The diagram is not intended to communicate that the design process is linear or must proceed from user needs, to design inputs, and then to design outputs. The “V-Diagram” is meant to communicate that there are multiple levels of verification and validation testing that occur, and the development process is iterative as software bugs are identified. Both models help teach design and development concepts, but neither is meant to imply legal requirements. One of the best lessons to teach design and development teams is that there is a need to develop simple tests to screen design concepts so that design concepts can fail early and fail fast–before the design is frozen. This process is called “risk control option analysis,” and it is required in clause 7.1 of ISO 14971:2019.

Step 8: “Design Freeze”

Design outputs are drawings and specifications. Ensure you keep them updated and control the changes. When you finally approve the design, this is approval of your design outputs (i.e., selection of risk control options). The final selection of design outputs or risk control measures is often conducted as a formal design review meeting. The reason for this is that the cost of design verification is significant. There is no regulatory or legal requirement for a “design freeze.” In fact, there are many examples where changes are anticipated but the team decides to proceed with the verification testing anyway. The best practice developed by the medical device industry is to conduct a “design freeze.” The design outputs are “frozen” and no further changes are permitted. The act of freezing the design is simply intended to reduce the business risk of spending money on verification testing twice because the design outputs were changed during the testing process. If a device fails testing, it will be necessary to change the design and repeat the testing, but if every person on the design team agrees that the need for changes is remote and the company should begin testing, it is less likely that changes will be made after the testing begins.

Step 9: Begin the design transfer process

Design transfer is not a single event in time. Transfer begins with the release of your first drawing or specification to purchasing and ends with the commercial release of the product. The most common example of a design transfer activity is the approval of prototype drawings as a final released drawing. This is common for molded parts. Several iterations of the plastic part might be evaluated using 3D printed parts and machined parts, but in order to consistently make the component for the target cost an injection mold is typically needed. The cost of the mold may be $40-100K, but it is difficult to change the design once the mold is built. The lead time for injection molds is often 10-14 weeks. Therefore, a design team may begin the design transfer process for molded parts prior to conducting a design freeze. Another component that may be released earlier as a final design is a printed circuit board (PCB). Electronic components such as resistors, capacitors, and integrated circuits (ICs) may be available off-the-shelf, but the raw PCB has a longer lead time and is customized for your device.

Step 10: Verification of Design Controls

Design verification testing requires pre-approved protocols and pre-defined acceptance criteria. Whenever possible, design verification protocols should be standardized instead of being project-specific. Information regarding traceability to the calibrated equipment identification and test methods should be included as a variable that is entered manually into a blank space when the protocol is executed. The philosophy behind this approach is to create a protocol once and repeat it forever. This results in a verification process that is consistent and predictable, but it also eliminates the need for review and approval of the protocol for each new project. Standardized protocols do not need to specify a vendor or dates for the testing, but you might consider documenting the vendor(s) and duration of the testing in your design inputs to help with project management and planning. You might also want to use a standardized template for the format and content of your protocol and report. The FDA provides a guidance document specifically for the report format and content for non-clinical performance testing.

Step 11: Validation of Design Controls

Design validation is required to demonstrate that the device meets the user’s and patient’s needs. User needs are typically the indications for use–including safety and performance requirements. Design validation should be more than bench testing. Ensure that animal models, simulated anatomical models, finite element analysis, and human clinical studies are considered. One purpose of design validation is to demonstrate performance for the indications for use, but validating that risk controls implemented are effective at preventing use-related risks is also important. Therefore, human factors summative validation testing is one type of design validation. Human factors testing will typically involve simulated use with the final version of the device and intended users. Validation testing usually requires side-by-side non-clinical performance testing with a predicate device for a 510k submission, while CE Marking submissions typically require human clinical data to demonstrate safety and performance.

Step 12: FDA 510k Submission

FDA pre-market notification, or 510k submission, is the most common type of regulatory approval required for medical devices in the USA. FDA submissions are usually possible to submit earlier than other countries, because the FDA does not require quality system certification or summary technical documents, and performance testing data is usually non-clinical benchtop testing. FDA 510k submissions also do not require submission of process validation for manufacturing. Therefore, most verification and validation is conducted on “production equivalents” that were made in small volume before the commercial manufacturing process is validated. The quality system and manufacturing process validation may be completed during the FDA 510k review.

Step 13: The Final Design Review 

Design reviews should have defined deliverables. We recommend designing a form for documenting the design review, which identifies the deliverables for each design review. The form should also define the minimum required attendees by function. Other design review attendees should be identified as optional—rather than required reviewers and approvers. If your design review process requires too many people, this will have a long-term impact upon review and approval of design changes.

The only required design review is a final design review to approve the commercial release of your product. Do not keep the DHF open after commercial release. All changes after that point should be under production controls, and changes should be documented in the (DMR)/Technical File (TF). If device modifications require a new 510k submission, then you should create a new design project and DHF for the device modification. The new DHF might have no changes to the user needs and design inputs, but you might have minor changes (e.g., a change in the sterilization method requires testing to revised design inputs).

Step 14: FDA Registration

Within 30 days of initial product distribution in the USA, you are required to register your establishment with the FDA. Registration must be renewed annually between October 1 and December 31, and registration is required for each facility. If your company is located outside the USA, you will need an initial importer that is registered and you will need to register before you can ship the product to the USA. Non-US companies must also designate a US Agent that resides in the USA. At the time of FDA registration, your company is expected to be compliant with all regulations for the quality system, UDI, medical device reporting, and corrections/removals.

Step 15: Post-market surveillance is the design control input for the next design project

One of the required outputs of your final design review is your DMR Index. The DMR Index should perform a dual function of also meeting technical documentation requirements for other countries, such as Canada and Europe. A Technical File Index, however, includes additional documents that are not required in the USA. One of those documents is your post-market surveillance plan and the results of post-market surveillance. That post-market surveillance is an input to your design process for the next generation of products. Any use errors, software bugs, or suggestions for new functionality should be documented as post-market surveillance and considered as potential inputs to the design process for future design projects.

Step 16: Monitoring your design controls process

Audit your design controls process to identify opportunities for improvement and preventive actions. Audits should include a review of the design process metrics, and you may consider establishing quality objectives for the improvement of the design process. This last step, and the standardization of design verification protocols in step five (5), are discussed in further detail in another blog by Medical Device Academy.

Auditor shadowing as an effective auditor training technique

This article reviews auditor shadowing as an effective auditor training technique, but we also identify five common auditor shadowing mistakes.

How do you evaluate auditor competency?

Somewhere in your procedure for quality audits, I’ll bet there is a section on auditor competency. Most companies require that the auditor has completed either a course for an internal auditor or a lead auditor course. If the course had an exam, you might even have evidence of training effectiveness. Demonstrating training competence is much more challenging. One way is to review internal audit reports, but writing reports is part of what an auditor does. How can you evaluate an auditor’s ability to interview people, take notes, follow audit trails, and manage their time? The most common solution is to require the auditor “shadow” a more experienced auditor several times, and then the trainer will “shadow” the trainee.

If you are shadowing, you are taking notes, so you can discuss your observations with the person you are shadowing later. 

Auditor shadowing in 1st party audits

ISO 19011:2018 defines first-party audits as internal audits. When first-party auditors are being shadowed by a trainer or vice versa, there are many opportunities for training. The key to the successful training of auditors is to recognize teachable moments.

When the trainer is auditing, the trainer should look for opportunities to ask the trainee, “What should I do now?” or “What information do I need to record?” In these situations, the trainer asks the trainee what they should do BEFORE doing it. If the trainee is unsure, the trainer should immediately explain what, why, and how with real examples.

When the trainer is shadowing, the trainer should watch and wait for a missed opportunity to gather important information. In these situations, the trainer must resist guiding the trainee until after the trainee appears to be done. When it happens, sometimes the best tool is simply asking, “Are you sure you got all the information you came for?”

Here are five (5) mistakes that I have observed trainers make when they were shadowing:

1. Splitting up, instead of staying together, is one of the more common mistakes I have observed. This happens when people are more interested in completing an audit rather than taking advantage of training opportunities. The trainee may be capable of auditing independently, but this is unfair to the trainee because they need feedback on their auditing technique. This is also unfair to the auditee because it is challenging to support multiple auditors simultaneously. When it is unplanned, trainers may not be available for both auditors. If an audit is running behind schedule, this is the perfect time to teach a trainee how to recover some time in their schedule. Time management is, after all, one of the most challenging skills for auditors to master.

2. Staying in the conference room instead of going to where the work is done is a common criticism of auditors. If the information you need to audit can be found in a conference room, you could have completed the audit remotely. This type of audit only teaches new auditors how to take notes. These are necessary skills that auditors should master in a classroom before shadowing.

3. Choosing an administrative process is a mistake because administrative processes limit the number of aspects of the process approach that an auditor-in-training can practice. Administrative processes rarely have equipment that requires validation or calibration, and the process inputs and outputs consist only of paperwork, forms, or computer records. With raw materials and finished goods to process, the auditor’s job is more challenging because there is more to be aware of.

4. Not providing honest feedback is a huge mistake. Auditors need to be thick-skinned, or they don’t belong in a role where they will criticize others. Before you begin telling others how to improve, you must self-reflect and identify your strengths and weaknesses. Understanding your perspective, strengths, weaknesses, and prejudices is critical to being a practical assessor. As a trainer, it is your job to help new auditors to self-reflect and accurately rate their performance against objective standards.

5. “Silent Shadowing” has no value at all. By this, I mean shadowing another auditor without asking questions. You should mentally pretend you are doing the audit if you are a trainee. Whenever the trainer does something different from how you would do things, you should make a note to ask, “Why did you do that?” If you are the trainer, you should also mentally pretend you are doing the audit. It is not enough to be present. Your job is to identify opportunities for the trainee to improve. The better the trainee, the more challenging it becomes to identify areas for improvement. This is why training other auditors has helped me improve my auditing skills.

Auditor shadowing in 2nd party audits

Auditors responsible for supplier auditing are critical to supplier selection, supplier evaluation, re-evaluation, and the investigation of the root cause for any non-conformities related to a supplier. Auditor shadowing is a great tool to teach supplier auditors and other people responsible for supply-chain management what to look at and what to look for when they audit a supplier. If you are developing a new supplier quality engineer responsible for performing supplier audits, observing the auditor during some actual supplier audits is recommended. Supplier audits are defined as second-party audits in the ISO 19011 Standard. The purpose of these audits is not to verify conformity to all the aspects of ISO 13485. Instead, the primary purpose of these audits is to verify that the supplier has adequate controls to manufacture conforming products for your company consistently. Therefore, processes such as Management Review (Clause 5.6) and Internal Auditing (Clause 8.2.2) are not typically sampled during a second-party audit.

The two most valuable processes for a second-party auditor to sample are 1) incoming inspection and 2) production controls. Using the process approach to auditing, the second-party auditor will have an opportunity to verify that the supplier has adequate controls for documents and records for both of these processes. Training records for personnel performing these activities can be sampled. The adequacy of raw material storage can be evaluated by following the flow of accepted raw materials, leaving the incoming inspection area. Calibration records can be sampled by gathering equipment numbers from calibrated equipment used by both processes. Even process validation procedures can be assessed by comparing the actual process parameters being used in manufacturing with the documented process parameters in the most recent validation or re-validation reports.

I recommend having the trainee shadow the trainer during the process audit of the incoming inspection process and for the trainer to shadow the trainee during the process audit of production processes. The trainee should ask questions between the two process audits to help them fully understand the process approach to auditing. Supplier auditors should also be coached on techniques for overcoming resistance to observing processes involving trade secrets or where competitor products may also be present. During the audit of production processes, the trainer may periodically prompt the trainee to gather the information that will be needed for following audit trails to calibration records, document control, or for comparison with the validated process parameters. The “teachable moment” is immediately after the trainee misses an opportunity, but while the trainee is still close enough to go back and capture the missing details.

Are you allowed to shadow a 3rd party auditor or FDA inspector?

Auditor shadowing of an FDA inspector is the best way to learn the quality system inspection technique (QSIT).

Consider using 3rd party audits and inspections as an opportunity to shadow experienced auditors to learn what they are looking at and what they look for. In addition to shadowing an expert within your own company or an auditor/consultant you hire for an internal audit, you can also shadow a 3rd party auditor or an FDA inspector. This concept was the subject of a discussion thread I ran across on Elsmar Cove from 2005. The comments in the discussion thread supported the idea of shadowing a 3rd party auditor. The process owner (i.e., the manager responsible for that process) should be the guide for whichever process is being audited, and the process owner is responsible for addressing any non-conformities found in the area. The process owner should be present during interviews, but the process owner should refrain from commenting. The 3rd party auditor and the process owner need to know if the person being interviewed was effectively trained and if they can explain the process under the pressure of an audit or FDA inspection. If you are interested in implementing this idea, I recommend using one of two strategies (or both):

  1. Consider having the internal auditor that audited each process shadow the certification body auditor for the processes they audited during their internal audit. This approach will teach your internal auditor what they might have missed, and they will learn what the 3rd party auditors look for to simulate a 3rd party audit more effectively when conducting internal audits.
  2. Consider having the internal auditor that is assigned to conduct the next process audit of each process shadow the certification body auditor for that process. This approach will ensure that any nonconformities observed during the 3rd party audit are checked for the effectiveness of corrective actions during the next internal audit. Your internal auditor will know precisely how the original nonconformity was identified and the context of the finding.

CAPA – Corrective/Preventative Action

What is a CAPA? How do you evaluate the need to open a new CAPA, and who should be assigned to work on it when you do?

What is a CAPA?

“CAPA” is the acronym for corrective action and preventive action. It’s a systematic process for identifying the root cause of quality problems and identifying actions for containment, correction, and corrective action. In the special case of preventive actions, the actions taken prevent quality problems from ever happening, while the corrective actions prevent quality problems from happening again. The US FDA requires a CAPA procedure, and an inadequate CAPA process is the most common reason for FDA 483 inspection observations and warning letters. When I teach courses on the CAPA process, 100% of the people can tell me what the acronym CAPA stands for. If everyone understands what a CAPA is, why is the CAPA process the most common source of FDA 483 inspection observations and auditor nonconformities?

Most of the 483 inspection observations identify one of the following seven problems:

  1. the procedure is inadequate
  2. records are incomplete
  3. actions planned did not include corrections
  4. actions planned did not include corrective actions
  5. actions planned were not taken or delayed
  6. training is inadequate
  7. actions taken were not effective

CAPA Resources – Procedures, Forms, and Training

Medical device companies are required to have a CAPA procedure. Medical Device Academy offers a CAPA procedure for sale as an individual procedure or as part of our turnkey quality systems. Purchase of the procedure includes a form for your CAPA records and a CAPA log for monitoring and measuring the CAPA process effectiveness. You can also purchase our risk-based CAPA webinar, which the turnkey quality system includes.

What’s special about preventive action?

I completed hundreds of audits of CAPA processes over the years. Surprisingly, this seems to be a process with more variation from company to company than almost any other process I review. This also seems to be a significant source of non-conformities. In the ISO 13485 Standard, clauses 8.5.2 (Corrective Action) and 8.5.3 (Preventive Action) have almost identical requirements. Third-party auditors, however, emphasize that these are two separate clauses. I like to refer to certification body auditors as purists. Although certification body auditors acknowledge that companies may implement preventive actions as an extension of corrective action, they also expect to see examples of strictly preventive actions.

You may be confused between corrective actions and preventive actions, but there is an easy way to avoid confusion. Ask yourself one question: “Why did you initiate the CAPA?” If the reason was: 1) a complaint, 2) audit non-conformity, or 3) rejected components—then your actions are corrective. You can always extend your actions to include other products, equipment, or suppliers that were not involved in what triggered the CAPA. However, for a CAPA to be purely preventive in nature, you need to initiate the CAPA before complaints, non-conformities, and rejects occur.

How do you evaluate the need to open a CAPA?

If the estimated risk is low and the probability of occurrence is known, then alert limits and action limits can be statistically derived. These quality issues are candidates for continued trend analysis—although the alert or action limits may be modified in response to an investigation. If the trend analysis results in identifying events that require action, then that is the time when a formal CAPA should be opened. No formal CAPA is needed if the trend remains below your alert limit.

If the estimated risk is moderate or the probability of occurrence is unknown, then a formal CAPA should be considered. Ideally, you can establish a baseline for the occurrence and demonstrate that frequency decreases upon implementing corrective actions. If you can demonstrate a significant drop in frequency, this verifies the effectiveness of actions taken. If you need statistics to show a difference, then your actions are not effective.

A quality improvement plan may be more appropriate if the estimated risk is high or multiple causes require multiple corrective actions. Two clauses in the Standard apply. Clause 5.4.2 addresses the planning of changes to the Quality Management System. For example, if you correct problems with your incoming inspection process—this addresses 5.4.2. Clause 7.1 addresses the planning of product realization. For example, if you correct problems with a component specification where the incoming inspection process is not effective, this addresses 7.1. The plan could be longer or shorter depending on the number of contributing causes and the complexity of implementing solutions. If implementing corrective action takes more than 90 days, you might consider the following approach.

Step 1 – open a CAPA

Step 2 – identify the initiation of a quality plan as one of your corrective actions

Step 3 – close the CAPA when your quality plan is initiated (i.e., documented and approved)

Step 4 – verify effectiveness by reviewing the progress of the quality plan in management reviews and other meeting forums. You can cross-reference the CAPA with the appropriate management review meeting minutes in your effectiveness section.

If the corrective action required is installing and validating new equipment, the CAPA can be closed as soon as a validation plan is created. The effectiveness of the CAPA is verified when the validation protocol is successfully implemented, and a positive conclusion is reached. The same approach also works for implementing software solutions to manage processes better. The basic strategy is to start long-term improvement projects with the CAPA system but monitor the status of these projects outside the CAPA system.

Best practices would be implementing six-sigma projects with formal charters for each long-term improvement project.

NOTE: I recommend closing CAPAs when actions are implemented and tracking the effectiveness checks for CAPAs as a separate quality system metric. If closure takes over 90 days, the CAPA should probably be converted to a Quality Plan. This is NOT intended to be a “workaround” to give companies a way to extend CAPAs that are not making progress on time.

Who should be assigned to work on a CAPA?

Personnel in quality assurance are usually assigned to CAPAs, while managers in other departments are less frequently assigned to CAPAs. This is a mistake. Each process should have a process owner, who should be assigned to investigate the root cause, develop a CAPA plan, and manage the planned actions. If the manager is not adequately trained, someone from the quality assurance department should use this as an opportunity to conduct on-the-job training to help them with the CAPA, not do the work for them. This will increase the number of people in the company with CAPA competency. This will also ensure that the process owner takes a leadership role in revising and updating procedures and training on the processes that need improvement. Finally, the process will teach the process owner the importance of monitoring and measuring the process to identify when the process is out of control or needs improvement. The best practice is to establish a CAPA Board to monitor the CAPA process, expedite actions when needed, and ensure that adequate resources are made available.

What is a root cause investigation?

If you are investigating the root cause of a complaint, people will sample additional records to estimate the frequency of the quality issue. I describe this as investigating the depth of a problem. The FDA emphasizes the need to review other product lines, or processes, to determine if a similar problem exists. I describe this as investigating the breadth of a problem. Most companies describe actions taken on other product lines and/or processes as “preventive actions.” This is not always accurate. If a problem is found elsewhere, actions taken are corrective. If potential problems are found elsewhere, actions taken are preventive. You could have both types of actions, but most people incorrectly identify corrective actions as preventive actions.

Another common mistake is to characterize corrections as corrective actions.

The most striking difference between companies seems to be the number of CAPAs they initiate. There are many reasons, but the primary reason is the failure to use a risk-based approach to CAPAs. Not every quality issue should result in the initiation of a formal CAPA. The first step is to investigate the root cause of a quality issue. The FDA requires that the root cause investigation is documented, but if you already have an open CAPA for the same root cause…DO NOT OPEN A NEW CAPA!!!

What should you do if you do not have a CAPA open for the root cause you identify?

The image below gives you my basic philosophy.

Does every quality issue require opening a CAPA?

Most CAPA investigations document the estimated probability of occurrence of a quality issue. This is only half of the necessary risk analysis I describe below. Another aspect of an investigation is documenting the severity of potential harm resulting from the quality issue. If a quality issue affects customer satisfaction, safety, or efficacy, the severity is significant. Risk is the product of severity and probability of occurrence.

How much detail is needed in your CAPAs?

One of the most common reasons for an FDA 483 inspection observation related to CAPAs is the lack of detail. You may be doing all the planned tasks but must document your activity. Investigations will often include a lot of detail identifying how the root cause was identified, but you need an equal level of detail for planned containment, corrections, corrective actions, and effectiveness checks. Who is responsible, when will it be completed, how will it be done, what will the records be, and how will you monitor progress? Make sure you include copies of records in the CAPA file as well because this eliminates the need for inspectors and auditors to request additional records that are related to the CAPA. Ideally, the person reviewing the CAPA file will not need to request any additional records. For example, a copy of the revised process procedure, a copy of training records, and a copy of graphed metrics for the process are frequently missing from a CAPA file, but auditors will request this information to verify all actions were completed and that the CAPA is effective.

What is the difference between corrections and corrective actions?

Every nonconformity identified in the original finding requires correction. By reviewing records, FDA inspectors and auditors will verify that each correction was completed. In addition, several new nonconformities may be identified during the investigation of the root cause. Corrections must be documented for the newly found nonconformities as well. Corrective actions are actions you take to prevent new nonconformities from occurring. Examples of the most common corrective actions include: revising procedures, revising forms, retraining personnel, and creating new process metrics to monitor and measure the effectiveness of a process. Firing someone who did not follow a procedure is not a corrective action. Better employee recruiting, onboarding, and management oversight should prevent employees from making serious mistakes. The goal is to have a near-perfect process that identifies human error rather than a near-perfect employee that has to compensate for weak processes.

Implementing timely corrective actions

Every correction and corrective action in your CAPA plan should include a target completion date, and a specific person should be assigned to each task. Once your plan is approved, you need a mechanism for monitoring the on-time completion of each task. There should be top management or a CAPA board that is responsible for reviewing and expediting CAPAs. If CAPAs are being completed on schedule, regular meetings are short. If CAPAs are behind schedule, management or the CAPA board needs authority and responsibility to expedite actions and make additional resources available when needed. Identifying lead and lag metrics is essential to manage the CAPA process successfully, as it is for all other quality system processes.

What is an effectiveness check?

Implementation of actions and effectiveness of actions are frequently confused. An action was implemented when the action you planned was completed. Usually, this is documented with the approval of revised documents and training records. The effectiveness of actions is more challenging to demonstrate, and therefore it is critical to identify lead and lag metrics for each process. The lead metrics are metrics that measure the routine activities that are necessary for a process, while the lag metrics measure the results of activities. For example, monitoring the frequency of cleaning in a controlled environment is a lead metric, while monitoring the bioburden and particulates is a lag metric. Therefore, effectiveness checks should be quantitative whenever possible. Your effectiveness is weak if you need to use statistics to show a statistical difference before and after implementing your CAPA plan. If a graph of the process metrics is noticeably improved after implementing your CAPA plan, then the effectiveness is strong.

About Your Instructor

Rob Packard is a regulatory consultant with ~25 years of experience in the medical device, pharmaceutical, and biotechnology industries. He is a graduate of UConn in Chemical Engineering. Rob was a senior manager at several medical device companies—including the President/CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing, and maintaining ISO 13485 and ISO 14971 certifications. From 2009 to 2012, he was a lead auditor and instructor for one of the largest Notified Bodies. Rob’s specialty is regulatory submissions for high-risk medical devices, such as implants and drug/device combination products for CE marking applications, Canadian medical device applications, and 510(k) submissions. His favorite part of the job is training others. He can be reached via phone at 802.281.4381 or by email. You can also follow him on YouTube, LinkedIn, or Twitter.

What is the De Novo review timeline?

The new FDA goal is to reduce the De Novo review timeline to 150 days for 70% of De Novo submissions, but how long does it take now?

What is an FDA De Novo submission?

An FDA De Novo submission is an application submitted to the FDA for creating a new device product classification. There are three classifications of devices by the FDA: Class 1, Class 2, and Class 3. Class 1 devices are the lowest-risk devices, and they only require general controls. Class 2 devices are moderate-risk devices that require “Special Controls,” and Class 3 are high-risk devices that require Pre-Market Approval (i.e., PMA). De Novo applications can only be submitted for Class 1 and Class 2 devices, and most of the De Novo submissions require clinical data to demonstrate that the clinical benefits of the new device classification outweigh the risks of the device to patients and users. It’s the need for clinical data that is partly responsible for the longer De Novo review timeline.

What is the De Novo review timeline?

Initially, the FDA required that Class 2 devices must be first submitted as a 510k submission. If the device did not meet the criteria for a 510k, then the company could re-submit a De Novo Classification Request to the FDA. On July 9, 2012, the regulations were revised to allow companies to submit De Novo Classification Requests directly. This makes sense because some devices have novel indications for use, and submission of a 510k would be a complete waste of time and money. For example, the first SARS-CoV-2 test had to be submitted as a De Novo by Biofire to obtain permanent approval for the test instead of emergency use authorization (EUA). This change in 2012 dramatically reduced the De Novo review timeline.

On October 4, 2021, the FDA published a final rule for De Novo Classification Requests. This new regulation identified the De Novo review timeline as 120 calendar days. Even though 120 days is 30 days longer than the FDA review clock for a 510k, the actual timeline to review De Novo submissions was much longer.

Every five years, when Congress reauthorizes user fee funding of the FDA, new MDUFA goals are established. The draft MDUFA performance goals (which impact FDA funding) were published recently. The specific performance goal to review De Novo submissions is:

FDA will issue a MDUFA decision within 150 FDA Days for 70% of De Novo requests.

There are two problems with this goal. First, the term “FDA Days” is based on calendar days minus the number of days the submission was placed on hold, and we don’t have any visibility into the number of days submissions are placed on hold. In the past, submissions could be placed on hold multiple times during the Refusal to Accept (RTA) screening process, and the “FDA Days” is reset to zero days each time the company receives an RTA hold letter. In addition, even after the submission is finally accepted, the FDA places the submission on hold when they request additional information (i.e., AI Hold). RTA and AI Hold periods can last up to 180 days, and during the Covid-19 pandemic, companies were allowed to extend this up to 360 days.

The second problem with the MDUFA goal is that we only have visibility into the outcome of De Novo submissions that were granted. More than 60 De Novo submissions are submitted each year, but the number of De Novo Classification Requests granted ranged between 21 and 30 over the past three years. Therefore, the 50%+ of De Novo applications denied could skew the % of submissions that meet the MDUFA goal for the De Novo review timeline.

What is the FDA track record in reviewing a De Novo?

Every CEO I speak with asks the same question: “How long does the FDA review take?” In preparation for a webinar I taught about De Novo Classification Requests in 2019, I researched the latest De Novo review timelines. I expected the review timelines to be close to 150 calendar days because the FDA decision goal was 150 FDA days. The 150-day goal was set in 2018 when Congress approved MDUFA IV. The 2019 data held two surprises:

  1. only 21 De Novo requests were granted in 2019, and
  2. the average review timeline was 307 calendar days (i.e., the range was 108 days to 619 days).

FDA days are not the same as calendar days. Only 23.8% of De Novo submissions were reviewed within 150 calendar days. The FDA doesn’t calculate the number of FDA days as calendar days, but there is no public way to know how much time each De Novo spent on hold. Upon seeing the announcement of a new decision goal for MDUFA V on October 5, 2022, I decided to revisit my previous analysis.

table showing De Novo review timeline for 2019-2022

*Only 9+ months of data for 2022, because data was collected on October 17, 2022.

We can blame the Covid-19 pandemic for the slower De Novo review timeline during the past few years, but you would expect a longer average duration in 2020 if that was the root cause of the FDA’s failure to achieve the MDUFA IV target of 150 calendar days. You would also expect 2021 to have the longest review timelines. Instead, the review timelines are the slowest for 2022. The number of De Novo submissions remains small, and therefore it is hard to be conclusive regarding the root cause of the failure to reach the 150-day decision goal. In addition, the percentage of De Novo applications granted within 150 calendar days was lowest in 2021, as you would expect if the reason for delays is primarily due to the Covid-19 pandemic.

Is there any good news?

The FDA is allowing the new eSTAR templates to be used for De Novo Classification Requests. These new electronic submission templates standardize the format of all 510k and De Novo submissions for FDA reviewers. The eSTAR also forces companies to answer all questions in the FDA reviewer’s checklist to ensure the submission is complete and accurate before the new submission is submitted to the FDA.

The new eSTAR templates were first used in 2021, and our firm has observed shorter overall review timelines and fewer deficiencies identified by FDA reviewers when they submit an “Additional Information Hold” (AI Hold) to companies.

How can the FDA improve De Novo timelines?

The FDA, industry, and Congress seem to be taking the same approach pursued five years ago to improve the review timeline for De Novo submissions. MDUFA V authorized additional user fees for De Novo submissions (i.e., 17.8% increase), and the FDA will be authorized to hire additional employees each year during MDUFA V if the performance goals are met. However, there are three other options that the FDA and industry should have seriously considered during the FDA-industry negotiations.

The first option that should have been considered is to allow third-party reviewers to review the elements of a De Novo that are identical to a 510k submission:

  1. sterilization validation
  2. shelf-life testing
  3. biocompatibility testing
  4. software validation
  5. electrical safety testing
  6. EMC testing
  7. wireless testing
  8. interoperability testing
  9. benchtop performance testing
  10. animal performance testing
  11. human factors engineering

The above approach would require blended pricing where the FDA charges a smaller user fee than a Standard De Novo user fee, and the third-party reviewer charges a smaller fee than a 510k. The combined cost would be higher than the FDA Review of a De Novo, but this would reduce the number of hours the FDA needs to complete their review of a De Novo, and it would allow for pricing that is much lower than the De Novo standard user fee for qualified small businesses.

A second approach would be to pilot a modular review approach. A modular review would be similar to modular reviews for PMA submissions. In a modular review, the FDA can review most submission sections and provide feedback before the human clinical performance data is available. This would not help the few De Novo submissions that do not include human clinical performance data, but this would have a profound positive impact on most De Novo projects. First, the FDA would be able to complete the review of all sections in the submission except the human clinical performance data without delaying the final De Novo decision. Second, a successful review of non-clinical data by the FDA would give investors more confidence to fund pivotal clinical studies required to complete the De Novo submission.

A third approach would be for the FDA to force manufacturers to submit testing plans and protocols as pre-submissions to the FDA. This approach would give the FDA more familiarity with each device and the testing plan before reviewing the data. This approach would also reduce the hours FDA reviewers spend reviewing data that doesn’t meet the requirements and writing deficiencies. This approach would also give investors more confidence to fund De Novo projects for all V&V testing.

What is a CAPA Board? and Do you need one?

A CAPA Board is a team responsible for making sure that all CAPAs are completed on time and the actions taken are effective.

Many of the medical device companies we work with have to open a CAPA for their CAPA process because they fail to implement all the actions that were planned, they fail to implement corrective actions as scheduled, or the actions implemented fail to be effective. When we investigate any process, we typically see one of five common root causes:

  1. top management is not committed to the CAPA process (we can’t fix this)
  2. procedures and/or forms are inadequate
  3. people responsible do not have sufficient training
  4. management oversight of the process is neglected
  5. there are not enough resources to do the work

Creating a CAPA Board can address four of these potential root causes, but the CAPA Board needs to understand how to work effectively.

Creating a CAPA Board shows a commitment to quality

Sometimes top management only pays lip service to quality. Top management’s actions demonstrate that quality is a cost-center, and they do not view quality as contributing to the revenue of the company. Instead, quality is viewed as a “necessary evil” like death and taxes. If this describes your company, sharpen your resume and find a new job. Quality is essential to selling medical devices and quality is the responsibility of everyone in the company. The Management Representative is responsible for “ensuring promotion and awareness” (see Clause 5.5.2c of ISO 13485) of regulatory and quality system requirements. This person should be training others on how to implement best practices in quality system management. One person or one department should never be expected to do most of the work related to the quality system.

A CAPA Board should be a cross-functional team of managers that help each other maintain an effective CAPA process. This means: 1) corrections are completed on time, 2) corrective and preventive actions are completed on time, and 3) each CAPA is effective. In order to do this consistently, the CAPA Board needs to work together as a team on the CAPA process. The CAPA Board doesn’t look for someone to blame. Instead, the CAPA Board rotates their responsibilities regularly, everyone is cross-trained on the roles within the CAPA Board, and the team passes tasks from one person or department that is overloaded to another person or department that has the resources to complete the tasks effectively and on time. A professional team must anticipate holes in task coverage, and someone on the team needs to communicate to the rest of the team which hole they are addressing. You can’t wait until the coverage gap is obvious and then have everyone jump into action. If you do this, your effectiveness will resemble a soccer team of 9-year-olds.

Is your CAPA procedure the root cause?

In most companies, the problem is not the CAPA procedure. Clauses 8.5.2 and 8.5.3 of ISO 13485 are quite specific about each step of the CAPA process, and therefore it is easy to write a procedure that includes all of the required elements. The CAPA procedure is also one of the first procedures that auditors and inspectors review, and therefore any deficiencies in your procedure are usually addressed after one or two audits. If you feel that your CAPA procedure needs improvement, the above link explains how to write a better CAPA procedure. You might also consider asking everyone that is responsible for the CAPA process to provide suggestions on how to improve your procedure to streamline the process and clarify the instructions. The best approach is to have a small group (i.e. 3 to 5 people) of middle-level managers, from different departments, assigned to a CAPA Board with the responsibility of improving the CAPA process and procedure. If you have a large company, you might consider rotating people through the CAPA Board each quarter instead of having a larger group.

Does your CAPA Board have sufficient training?

Everyone can benefit from more training–even instructors will periodically engage in refresher training. Before someone is assigned to work on a CAPA, that person needs to be trained. Nobody should be assigned to a CAPA Board unless they are prepared to become an expert in the CAPA process. Some companies will only require people to sign a training record that states they read and understood the CAPA procedure. However, you must also demonstrate that your training was effective and the person is competent at the task assigned. Therefore, we recommend training people on CAPAs by training them with a CAPA training webinar and evaluating the effectiveness of the training by having each person complete a quiz. The use of a training webinar will ensure that each employee receives the same training, and the quiz will provide objective evidence that they understood the training (i.e. it was effective). If you have a CAPA Board, each person on the board should be involved in your CAPA training, and it is their responsibility to make sure people in their department have been trained effectively.

Competency is the hardest thing to demonstrate for any task. You can do this by verifying that the person has performed this task in one or more prior jobs (e.g. resume). If the person does not have evidence of working on CAPAs in their previous employment, then you will need someone that is already competent in the CAPA process to observe each person completing CAPAs and providing feedback. Once each person has demonstrated successful completion of multiple CAPAs, then the expert can attest to their competency in a training record with references to each of the successful CAPAs that were completed. If you are the person assigning a CAPA or individual tasks to people, do not assign the role of investigation, or writing the CAPA, to anyone that has not already demonstrated competency unless you are assessing them for competency. Everyone on the CAPA Board should either already be competent in the CAPA process or another expert on the CAPA Board should be in the process of training them to become a CAPA expert.

CAPA Boards are responsible for management oversight of the CAPA process

The most common method for management oversight of the CAPA process is to discuss the status of CAPAs at a Management Review. This information can be presented by the Management Representative, but assigning the presentation of CAPA status to another person on your CAPA Board will delegate some of the Management Review tasks and give other people practice at presenting to a group. Some companies only conduct a Management Review once per year, but this makes it impossible to review CAPAs that were initiated immediately after a Management Review unless the CAPA takes more than a year to implement. Even if your company conducts quarterly Management Reviews, the review of CAPA status during a Management Review should focus on the most important issues rather than discuss every CAPA in detail. The impact on safety, the impact on product performance, and the economic impact of a specific CAPA are all criteria for deciding which CAPAs to discuss during a Management Review.

The CAPA Board needs a metric or metrics for monitoring the effectiveness of the CAPA process. The simplest metric is to monitor the average aging of CAPAs. If that average is steadily rising week after week, then new CAPAs are not being initiated, and existing CAPAs are not being closed. You can also measure the time to write a CAPA plan and the time to perform an investigation or monitor the on-time completion of tasks. The most important thing is for someone to take action when these metrics are not aligned with your quality objectives for the CAPA process. Taking action after 90 days of neglect is not good enough. You need to be monitoring the CAPA process weekly, and you need to take action proactively. Therefore, your CAPA Board needs to meet weekly and you need to show evidence in your CAPA records of what actions were taken by the CAPA Board.

Who should be assigned to the CAPA Board?

Top management does not need to be directly involved in the CAPA Board. Top management already reviews the status of CAPAs during Management Reviews. In a small company (i.e. < 20 people) you might have no choice but to have the same people that are assigned to your CAPA Board also be members of top management. As your company gets larger, you should assign middle-level managers and people that are new to management as members of the CAPA Board. Participating in the CAPA Board will teach those managers to work together as a team to achieve shared company goals and to persuade their peers to help them. The experience of working on a CAPA Board will also expose less experienced managers to other departments outside of their expertise. Ideally, participation in the CAPA Board will build friendships between peers that might not speak to one another. Each CAPA represents a team-building opportunity. The team needs to find a way to pool its resources to complete CAPAs on time and effectively. It is also important to rotate the assignment to the CAPA Board so that eventually all of your middle-level managers are trained in the CAPA process and each of them has been evaluated on their demonstration of team leadership and effectiveness in working with peers cooperatively. In large companies, it is common to assign one member of top management to the CAPA Board to show that top management is supportive of the CAPA process and to provide authorization for additional resources and funding for actions when needed. The top management representative should also be rotated to make sure that all of the top management remains competent in the CAPA process.

How does the CAPA Board manage the CAPA process?

The CAPA Board should never be blaming an individual or department for the lack of CAPA success. The CAPA Board should be anticipating when a CAPA is falling behind schedule or might not be as effective as it should be. Nobody on the team should be afraid to voice their opinion or to make a suggestion. Each member of the team has the responsibility of asking for help when they need it and asking for help as early as possible. The CAPA assignments should be shared between the team members, and one person should be responsible for chairing the meetings. If everyone is experienced in participating in CAPA Boards, then the role of the chairperson can be rotated each week. If one or more team members are inexperienced, the person on the CAPA Board assigned to training them should be teaching them how to participate in the meetings and preparing them for acting as chairperson.

Every CAPA Board meeting should have a planned agenda and meeting minutes. Every open CAPA should be discussed during the meeting, but the amount of time devoted to each CAPA should be adjusted for the risk of the CAPA failing to be completed on time or failing to be effective. If a CAPA is going smoothly, the discussion might only last seconds. Any discussion or actions planned that are specific to a CAPA should be documented in the individual CAPA record as well as the meeting minutes. This will ensure that the CAPA records are maintained as required by the ISO 13485 standard and the regulations.

Is monitoring every procedure required?

Process monitoring is required, but do you know whether monitoring every procedure is required by the FDA QSR or ISO 13485?

One of the elements that Medical Device Academy has incorporated into each procedure we created in our turnkey quality system is a section titled, “monitoring and measurement.” The purpose of this section is to force each process owner to identify a process metric for monitoring every procedure. In some cases, we suggest a metric that would be appropriate for most companies establishing a new quality system. In other procedures, we use the following default text:

Enter a quality metric that you want to track for this process in accordance with ISO 13485:2016, Clause 8.2.5 and the procedure for Monitoring, Measurement, and Analysis (SYS-017).

Where are the requirements for process monitoring in 21 CFR 820?

Some of the companies that have purchased our turnkey quality system have asked, “Is it required to monitor and measure something in every procedure?” In general, it is not a specific requirement to have a metric specified in each procedure. In fact, if your quality system is not ISO 13485 certified, there are actually only a few places where the US FDA requires monitoring. The FDA does not have a section specific to monitoring and measurement of processes, but there is a section of the regulations specific to statistical techniques (i.e. 21 CFR 820.250). However, it does not state in the QSR that statistical analysis is required for all processes. In fact, there are only six instances where the word “statistical” is used:

  • 21 CFR 820.100(a)(1) – “Analyzing processes, work operations, concessions, quality audit reports, quality records, service records, complaints, returned product, and other sources of quality data to identify existing and potential causes of nonconforming product, or other quality problems. Appropriate statistical methodology shall be employed where necessary to detect recurring quality problems;”
  • 21 CFR 820.200(b) – “Each manufacturer shall analyze service reports with appropriate statistical methodology in accordance with § 820.100.”
  • 21 CFR 820.250 – “(a) Where appropriate, each manufacturer shall establish and maintain procedures for identifying valid statistical techniques required for establishing, controlling, and verifying the acceptability of process capability and product characteristics. (b) Sampling plans, when used, shall be written and based on a valid statistical rationale. Each manufacturer shall establish and maintain procedures to ensure that sampling methods are adequate for their intended use and to ensure that when changes occur the sampling plans are reviewed. These activities shall be documented.” Note: the other two instances are the title of 21 CFR 820.250.

The word “monitoring” is equally rare (i.e. 4x) in the QSR:

  • 21 CFR 820.70(a) – “Each manufacturer shall develop, conduct, control, and monitor production processes to ensure that a device conforms to its specifications…Where process controls are needed…(2) Monitoring and control of process parameters and component and device characteristics during production.”
  • 21 CFR 820.75(b) – “Each manufacturer shall establish and maintain procedures for monitoring and control of process parameters for validated processes to ensure that the specified requirements continue to be met…(2) For validated processes, the monitoring and control methods and data, the date performed, and, where appropriate, the individual(s) performing the process or the major equipment used shall be documented.”

Where are the requirements for process monitoring in ISO 13485:2016?

ISO 13485:2016 has a section specific to monitoring and measurement of processes (i.e. Clause 8.2.5). In addition, the word “monitoring” occurs 52 times in the standard and there are 60 instances of some variant or the exact word. There are four Clause headings that actually include the word monitoring:

  • Clause 7.6, Control of monitoring and measuring equipment
  • Clause 8.2, Monitoring and measurement
  • Clause 8.2.5, Monitoring and measurement of processes
  • Clause 8.2.6, Monitoring and measurement of product

In Clause 1, Scope, and Clause 4.1.5, the Standard states that any outsourced processes remain the responsibility of the company and must be accounted for in the quality system by monitoring, maintaining, and controlling the processes.

Monitoring of risk is included in the definition of “risk management” in the Standard (i.e. Clause 3.18).

Clause 4.1.3 states that the organization shall, “b) ensure the availability of resources and information necessary to support the operation and monitoring of these processes…d) monitor, measure as appropriate, and analyze these processes.”

Clause 4.2.3 states that the contents of the Medical Device File (i.e. MDR or TF), shall include, “d) procedures for measuring and monitoring.”

Monitoring and measurement of processes and product are required inputs to the Management Review in Clauses 5.6.2e) and f).

Clause 6.4.1 requires a procedure for monitoring the work environment if it can have an effect on product quality.

Clause 7.1 requires the company to consider including monitoring in product realization planning.

Clause 7.4.1 requires a plan for monitoring suppliers.

Clause 7.5.1 requires monitoring production and service, including the monitoring of process parameters and product characteristics.

Clause 7.5.6 requires monitoring of validated process parameters.

Clause 7.5.8 requires identification of status with regard to product monitoring and measurement (i.e. inspection status).

Clause 7.6 requires monitoring and measurement of calibrated devices and validation of any computer software used to monitor calibrated devices.

Clause 8.1 states that companies shall plan and implement monitoring and measurement of processes.

Clause 8.2 is titled, “Monitoring and measurement.”

Clause 8.2.1 requires monitoring of customer feedback.

Clause 8.2.5 requires monitoring of processes to ensure planned results are achieved.

Clause 8.2.6 requires monitoring of products to ensure product requirements have been met.

Clause 8.4 requires data analysis of monitoring data from at least six different processes:

  1. Feedback
  2. Conformity to product requirements
  3. Characteristics and trends of processes and products, including opportunities for improvement
  4. Suppliers
  5. Audits
  6. Service reports, as appropriate

In summary, while not every single clause that requires a procedure includes a requirement for monitoring, there are a number of processes where the requirement to monitor the process is explicitly stated.

Why do all of our procedures include the requirement for metrics?

Medical Device Academy expanded the requirement for monitoring to all procedures for five reasons:

  1. Quality objectives must be “established at relevant functions and levels within the organization.” Therefore, establishing monitoring requirements for each procedure ensures that top management has metrics for every process and a lack of data is never an excuse for not establishing a new quality objective when improvement is needed.
  2. If every procedure has a requirement for monitoring, then employees don’t have to remember which processes require monitoring and which processes do not explicitly require monitoring.
  3. The process approach to auditing includes metrics of the process as one of the seven items that are included in every process turtle diagram, and therefore, including metrics for each procedure facilitates the process approach to auditing.
  4. If a company does not have a process metric already established, it is often difficult to perform an investigation of the root cause of quality issues. If a metric is already being monitored for the process, this facilitates the investigation of the root cause and you can use the baseline monitoring data to help you establish effectiveness criteria for the corrective action.
  5. Finally, most companies struggle to identify preventive actions as required by Clause 8.5.3, and we have found that data analysis of monitoring data is the best source of identifying new preventive actions.

What are the disadvantages when you monitor and measure something in every procedure?

The primary reason for resistance to identifying a metric for monitoring in every procedure is that it will increase the workload for the employees responsible for that process. However, monitoring of data does not always increase workload. In fact, when process data is recorded in real-time on a run chart it is often possible to identify a trend much earlier than when data is simply recorded and subjected to monitoring.

  • Example #1: The automatic tracking of toner in a printer tells HP when to ship you a new toner cartridge before you need it. This ensures that there is no loss in productivity because you never run out of ink or the ability to print documents.
  • Example #2: Companies will use project management software (e.g. Monday.com) to monitor labor utilization. This will help identify when a specific resource is nearing capacity. When this occurs, the project manager can add time buffers to prerequisite steps and adjust the starting date of the resource-limited tasks to an earlier starting date. This ensures that more time is available to finish the task or to take advantage of resource availability at an earlier date.
  • Example #3: Monitoring the revision date for procedures helps the document control process owner identify procedures that should be evaluated for the need to be revised and updated. Often this is articulated as a quality objective of reviewing and updating all procedures within 2 years. This also ensures that procedures remain current and compliant with regulatory requirements.

What are the advantages of monitoring every procedure?

The phrase “what gets measured gets managed” is a popular business philosophy that implies measuring employee activity increases the likelihood that employees will complete a task or perform it well. In contrast, if a process is not monitored, employees may assume that it is not important and the tasks may be skipped or completely forgotten. Setting quantitative goals is also sometimes integrated with economic incentives or bonuses that are granted to individuals and teams.

FDA transition from QSR to ISO 13485

The US FDA is planning its transition from 21 CFR 820 to ISO 13485 as the quality system criteria. This will force companies to make adjustments to their quality systems and increase the amount of process monitoring performed. My general advice is to work with employees that are performing tasks to identify streamlined methods for monitoring those tasks without being overly burdensome. Then you and the employees you manage can analyze the data together and identify opportunities for improvement. When you do this, experiment with manual methods using whiteboards and paper charts that are visible in public areas first. Only implement automated solutions after you have optimized the data being collected and the frequency of data collection, and remember that not every process will benefit from automated statistical process control. Sometimes the simple approach is best.

Testimonials

Below is a collection of testimonials from a few of our clients whom we have provided training and consulting services for over the years. To post a review of Medical Device Academy, please visit our Google Business Profile.

While searching for guidance on how to validate an IFU, I came across the webinar on ‘IFU Validation and PMS’ sponsored by Medical Device Academy. It was very helpful – not only did I get an understanding of validating an IFU but learned more about Post Market Surveillance. I have always found articles by Rob extremely well-written, practical, and always helpful. This webinar was a reasonable cost and the payback was invaluable.

-Barbara Rinaldi, Dir QA, Tepha, Inc

“It was a great opportunity of learning when Mr. Rob Packard was available at our facility and spent 4 days on knowledge transfer. His skill to identify the gap between requirement and practice was admiring. His guidance strengthens the compliance practice. His advice on the effectiveness of corrective action, design control elements and process approach concept added value to our quality system”

–  Abdul Raheem, QA Manager, UNIMED, KSA

“I really enjoyed meeting Rob and taking his 2-day lead auditor course, but the learning didn’t stop when the course was over. When he returned my graded exam he took the time to explain the correct answers to questions I got wrong. Providing the correct answers was very helpful. I wish my previous auditing instructor had done the same.”

–  Tony Sapp, Medical Device Supplier Auditor

“We had our FDA inspection mid last year. Your webinar and prep tips were genuinely useful to me in our preparation activities. The war room was a great success! It was actually my first FDA inspection and a great learning curve for me and our site.”

–  Brian Mulcahy, QA Manager; Ireland

“I conducted a thorough search for a senior consultant to conduct a project which required specialized knowledge of medical devices, ISO 13485, and European directives. Mr. Robert Packard was by far the most qualified among the candidates; he not only met the technical profile but I found his emotional intelligence skills remarkable. In simple terms, Mr. Packard was:
  • Expert in the areas of implantable medical devices, ISO 13485, and CE marking,
  • Methodical in his work,
  • Knowledgeable in the ways of the medical device industry, and
  • Most importantly, he was very easy to work with.

I highly recommend Mr. Packard and vouch for him.”

– Zak Kouloughli, President, Tradeline Medical; Austin, TX

“Robert is by far the best quality practitioner and “partner” with whom I’ve worked. He is an expert in Quality Assurance including Regulatory Affairs for ISO 13485 (medical devices). Perhaps Robert’s best attribute however is his ability and eagerness to transfer his knowledge. He has a knack for taking often complex methodologies and breaking them down into simpler terms using examples and analogies so that his audience walks away with a complete understanding of the topic. I’m continually amazed at Robert’s breadth of knowledge and his recall. Robert is highly recommended for training Quality related topics including but certainly not limited to ISO certification, Auditing, Supplier evaluations, CAPA, Root Cause Investigation, and complaint handling. You’ll walk away with a thorough understanding of the topic and thinking about which topic you’d like Robert to present next.”

– Alan Frechette, QA Supervisor, PEXCO Medical Products; Athol, MA

“Rob Packard has a unique and special ability to train individuals in a manner that not only do they learn, but they have fun doing so! He is able to take a topic that is “boring” and make it interesting. He has a wealth of product, quality, and auditing knowledge that gives him a balance that I have not seen with any other trainer. I have been in quality for 25 years and have been through several training classes; however, I have never experienced or walked away with as much knowledge as I did with his training class. He is awesome!”

– Julee Bankes, QA Manager, SmartPractice; Phoenix, AZ

“One thing is certain with Bob – you will not find anyone more versed, not only in the obvious Regulatory/Audit/Certification area but also in all facets of operations. This is the real reason why his expertise is so valuable. He cannot be fooled and he will talk the talk with the experts at your company with ease and insight. Almost all the “trainers” out there have serious limitations. Not so with Bob.”

– Dennis R. Cote, Supply Chain Manager, CAS Medical Systems, Inc.; Branford, CT

“Rob Packard is an excellent teacher whether it is in a classroom setting, conference room setting, or the shop floor. His detailed recall of the key quality standards in the industry today allows him to provide his students with accurate information that ensures they will always have the correct training to navigate the perils of an external audit from any organization or government body. What makes Rob unique is his ability to show his students or clients how to reduce the details and requirements of the quality standards into a world-class QMS for each of their employers. Each time I interact with Rob, I come away with specific ideas that I implement to improve the quality system and products manufactured by KaZaK.”

– Brian J. Smith, Director of Engineering, KaZaK Composites, Inc.; Woburn, MA

Device Supply Chain Disruptions

What can you do to stay ahead of medical device supply chain disruptions and comply with reporting requirements of possible device shortages?

Supply chain issues can be somewhat cyclical. As we approach the holiday season, we also approach the shipping season. Public shipping services such as FedEx and UPS see an increase in freight as the holiday seasons approach. Manufacturers need raw materials and components to stock the shelves with all of those holiday gifts. Since we are still living under pandemic conditions, I would be willing to bet there will be more care packages and mailed gifts in place of traditional gatherings. On top of the approaching increase in demand, staffing shortages can very quickly exacerbate supply chain bottlenecks. All the while importers are still expected to… well, import! If transportation affects all general industry you can bet it can also cause medical device supply chain disruptions.

So what does an overburdened mail service have to do with medical devices and quality systems?

Consider, how are your customers getting your product in their hands? How are you receiving raw materials and components? How about your contract manufacturer? Do they have supply chain redundancies? Does your supplier quality agreement address notifications for shipping disruptions? 

Do you have a regulatory obligation to report a shortage/supply chain disruption or interruption of manufacturing to the FDA, or Health Canada? The FDA monitors for discontinuance and meaningful disruption of manufacturing certain devices, and similarly Health Canada monitors its own list of devices for market shortages. Supply chain disruptions, whether from difficulty sourcing raw materials and components or from a breakdown in transporting finished devices to market, are just one way you could experience a reportable disruption or shortage.

Matthew did not choose the topic of medical device supply chain disruptions randomly. His signature brand of pessimistic cynicism is the reason we have him tasked with keeping his fingers on the pulse of global concerns and potential threats and risks. Potential supply chain disruptions will involve your quality staff in developing preventive actions and contingency plans in case there is an issue. Then, your regulatory team will be in charge of reporting and AHJ notification if you are an affected manufacturer (or importer in Canada!). Understaffed and overloaded shipping and transportation suppliers are about to be bombarded with seasonal freight. This makes them an attractive target for ransomware because, just like healthcare facilities, they will not be in a situation where they can afford any downtime. 

U.S. FDA

The FDA requires reporting shortages and supply chain disruptions to CDRH, in the form of notification of a permanent discontinuance or interruption in manufacturing of a medical device, under Section 506J of the FD&C Act. This is especially so in response to the COVID-19 public health emergency. In part, the general public’s need for healthcare during the pandemic guides what devices the FDA needs notification about.

Currently, the FDA is concerned about specific device types by product code or any devices that are critical to public health during a public health emergency. For the most up-to-date list, the FDA website shows the specific product codes of the monitored device types.

Health Canada

As an Authority Having Jurisdiction, Health Canada also has reporting requirements for supply chain disruptions of specific types of medical devices. Health Canada is also an independent authority that uses a different device classification system than the U.S. FDA.

The table below shows the device types by their classification level that HC requires supply chain disruption notifications for. This information is current as of September 5th, 2021, and the following link will take you to the HC webpage for the most up-to-date list.

Class I Medical Devices

  • Masks (surgical, procedure or medical masks) – Level 1, 2, 3 (ASTM)
  • N95 respirators for medical use
  • KN95 respirators for medical use
  • Face shields
  • Gowns (isolation or surgical gowns) – Level 2, 3 and 4
  • Gowns (chemotherapy gowns)

Class II Medical Devices

  • Ventilators (including bi-level positive airway pressure or BiPAP machines, and continuous positive airway pressure or CPAP machines)
  • Infrared thermometers
  • Digital thermometers
  • Oxygen Concentrators
  • Pulse Oximeters (single measurement)
  • Aspirators/suction pumps (portable and stationary)
  • Laryngoscopes
  • Endotracheal tubes
  • Manual resuscitation bags (individually or part of a kit)
  • Medical Gloves – Examination and Surgical (Nitrile, Vinyl)
  • Oxygen Delivery Devices

Class III Medical Devices

  • Ventilators (including bi-level positive airway pressure or BiPAP machines)
  • Pulse Oximeters (continuous monitoring)
  • Vital Signs Monitors
  • Dialyzers
  • Infusion Pumps
  • Anesthesia Delivery Devices

Class IV Medical Devices

  • Extracorporeal Membrane Oxygenation (ECMO) Devices

How to prevent device supply chain disruptions

Harden your supply chain with redundancies. Now is the time to qualify a second supplier as a contingency plan before it is too late. Maybe even consider opening a Preventive Action? (HINT HINT for those ISO 13485 manufacturers that need to beef up their Clause 8.5.3 operations!)

Supply chains have both up and downstream functions. First, you likely need to source raw materials and components for production. Then you also need to ship those finished devices to distribution centers and your customers. Disrupt either of those and your ability to sell your devices is compromised or even completely halted.

Ask yourself, “Do I have a backup option for shipping?”, and “Do I have a backup option for raw materials and components?”.

Why?

Why go through all of that effort? Well, if you lose UPS and have to use FedEx instead, are their shipping procedures identical? Likely you will need a WI level document for each shipper to explain the process. It is easier to pre-qualify a contingency supplier and establish a WI now rather than in December when holiday shipping is at its peak. Consider if you also need to open accounts, etc. Scheduling pickup online may not be intuitive.

Just identifying a backup is important, but you can take that a step further and pre-qualify them. If they are a shipping and transportation supplier then give them a shipment or two in order to evaluate them. Hold them to the same standards you would for your primary supplier.

Did your shipment arrive on time? Was it damaged during transit? This is a provisional qualification, or pre-qualification. Did they perform adequately enough to use as a tentative supplier in the event the primary supplier is unable to perform? This is designed to make a full qualification of this supplier simple and easy, if you need to utilize them, that is. Maintaining this pre-qualification should be simple and easy as well. Once a year or so, have them deliver a shipment for you.

That is just for importing or shipping finished devices. Do you have backup raw material or components suppliers identified? If not, identifying or even pre-qualifying secondary suppliers might not be a bad idea either. You are probably tied down to a specific geographic area for shipping and transportation. You may not be for raw materials. If you need barrels of silicone, consider a backup supplier from a different area than your primary supplier. Natural disasters create havoc for shipping. If your silicone comes from Company A, and they are closed down because of a hurricane, then Company B ten miles away is likely affected as well.

For example, if you are in the U.S. and your primary supplier is in the Northeast then a backup supplier in the Southeast may be strategically important. Whereas a backup supplier from the Southwest may be cost-prohibitive.

What about your suppliers? Is your device high-risk enough that if your supply chain is disrupted, you have an obligation to report it to the FDA? In that scenario, if you use a contract manufacturer, it may be worth requiring supply chain contingencies and clearly identifying who owns what reporting responsibilities within your quality agreement with them.

There is an element of proactive responsibility in reporting these shortages, or projected shortages. In order to be able to predict medical device supply chain disruptions, there should be metrics that your quality system is monitoring. What is your monthly production capacity? How much raw material or components does your warehousing have on hand? How many units could you manufacture if the transport industry stopped right this second?

Determine what you need to track in order to identify a disruption before it occurs.

Prepare for notification now. This article looked at the problem from the point of view that transportation issues were the root cause of the supply chain disruption. However, many other things could be disruptive, such as natural disasters and supply availability. Therefore, develop a WI level document for conducting these types of regulatory reporting activities and train personnel before a disruption happens. It is easier to tackle these kinds of problems if you already have process controls in place and trained competent staff than if you wait until the reporting timeline clock is already ticking.

See also our blog article on Medical Device Shortage Reporting and Device Supply Chain Disruptions

Future blogs about device supply chain disruptions…Shortage Reporting

About the Author

Matthew Walker – QMS, Risk Management, Usability | Human Factors Engineering, Cybersecurity & DFIR

Matthew brings a unique background as a former Firefighter/EMT and Rope Rescue Tech with experience in OSHA and NFPA regulations. For the better part of a decade, he has worked as a Technical/Medical Writer and Lead Auditor. He holds degrees in Fire Science and Computer Forensics and Digital Investigations, graduating Summa Cum Laude from Champlain College. Matthew is also an active member of several academic honor societies including Omicron Sigma Sigma’s Order of the Sword and Shield. His professional focus includes Human Factors Engineering, Risk Management, and Cybersecurity with a special interest in applying Digital Forensics and Incident Response (DFIR) practices to medical technology. He combines regulatory expertise with technical insight to strengthen both product safety and organizational resilience. He can be reached by email. You can also follow him on LinkedIn or YouTube.

Auditing Services Quote

Quality system auditing is outsourced to consultants providing auditing services to ensure auditor independence. Do you need a quote?

Who quotes auditing services?

The form below provides us with the basic information we need to prepare an auditing services quote for your company. There are instructions below the form that explain exactly what information we are looking for in each section of the form. The quotation process is not automated. A real person (i.e. Lindsey Walker) will get back to you with a quotation. She is our audit program manager. She creates the audit quote and assigns the auditors based on availability and your auditing needs. Her email is sales@medicaldeviceacademy.com. The quotation will be automatically emailed from Freshbooks once she is finished, and then she will follow up with a manual email–just in case your spam filters prevent delivery of the automated email generated by FreshBooks. If Lindsey is on vacation, or out sick, the proposal will be prepared by Rob Packard. His email is rob@13485cert.com.

General pricing of auditing services

If you are looking for the cheapest auditing services you can find, don’t even bother filling in the form. Our goal is to help you improve your quality system and provide valuable consulting advice to achieve improvements. We specialize in helping start-up companies achieve initial ISO 13485 certification, MDSAP certification, and CE Certification. We will assign an experienced lead auditor with an hourly consulting rate of $275/hour. Typically, we will charge $2,750 plus travel expenses for a one-day supplier audit because we expect to spend 30 minutes on audit preparation, eight hours on-site actively auditing, and 2+ hours generating an audit report. Most quotations are flat-fee quotations so you know exactly how much you will be charged. We also request a 50% deposit for audits.

Name, Company, Email & Phone

The name you enter is the name we enter as the client contact in our database, and the quotation will be addressed to that name. The company field should include the legal name of your company. The email you enter is the email address to which we will send the quotation. Although a phone number is not required, it helps us to be able to call you if we have questions about the information you provided.

What is the audit type?

  • Internal Audit – This is also called a “1st party audit,” and these are conducted to evaluate the effectiveness of your quality system. You are required to conduct an audit of the full quality system each year. If you select “Internal Audit,” we will assume that you want us to provide an audit quote for your complete quality system. If you only want a partial quality system audit of one or more process areas, then please select “Individual Process” and specify which process or processes in the text box labeled “Process Areas to Audit.”
  • Supplier Audit – This is also called a “2nd party audit,” and these are conducted to evaluate the effectiveness of your supplier’s quality system. Other reasons for a supplier audit include verifying compliance with contractual requirements or identifying the root cause of a quality problem (i.e. nonconforming product). Please provide the details of what processes to audit in the text box labeled “Process Areas to Audit.” We generally recommend focusing supplier audits on the activities you are outsourcing (e.g. manufacturing) rather than general quality system requirements (e.g. management review).
  • Individual Process Audits – This is also a “1st party audit,” however, we will focus on one or more processes that you identify in the text box labeled “Process Areas to Audit.” This type of audit is ideal when you do not have a qualified auditor that is independent to audit a process. Another scenario where this type of audit is valuable is when you recently made a significant change to a process and you want to verify that the employees are following the new process, or if you want to verify the effectiveness of corrective actions implemented for a specific process. For example, you want to verify the effectiveness of a CAPA related to an FDA 483 or Notified Body Nonconformity. 
 

Process areas that need auditing

In this text box, we need you to identify the process areas you want us to audit. You can ask us to audit just one process or multiple processes. For example, if you are the Quality Manager and the only qualified lead auditor in your company, you might want us to audit your internal auditing, CAPA, management review, control of documents, and control of records. For a single process audit, we generally recommend remote audits via Zoom in order to eliminate the cost of travel. This is also a great way to test us before you engage our firm for a full-quality system internal audit. This is also known as the “audit scope,” and should not be confused with “audit criteria” discussed below. The scope can also include the location of the audit.

Location (remote or on-site) for auditing services quote

If you want us to conduct the audit remotely via Zoom, please enter “Remote” in the text box of the auditing services quote form. You can also specify another teleconferencing software of your choice. In general, we recommend that remote audits be split into 90-minute segments or less where one or two processes are covered during the 90-minute Zoom meeting. We explain this further in one of our blog articles: “Why remote audit duration should never exceed 90 minutes.” If you want us to conduct the audit on-site, please provide the address of the audit location and we will include the estimated travel costs in our proposal.

Desired Date or Dates

Please enter the date or dates that you want us to conduct your audit. You can also specify before a specific deadline (e.g. before June 30th). If you want us to conduct an audit of multiple processes remotely, it would help to know what dates and or times of day you would prefer. You can also enter a phone number and say “call me” next to the phone number. Then Lindsey or one of our assigned auditors will contact you to schedule a date and time for your audit.

What is the audit duration in hours?

Please enter the desired duration of the auditing services you want to be quoted. We typically expect at least 30 minutes of audit preparation to review the audit preparation documents that you provide and to create an audit agenda. In addition, we expect to spend approximately two hours of report writing time for each eight-hour day of auditing. Therefore, a typical one-day supplier audit will require a duration of ten hours, while a three-day on-site internal audit will require a duration of 30 hours.

Auditing criteria for auditing services quote

It is important to specify the audit criteria for your auditing services quote, because otherwise, we might assign an auditor that does not have training on those criteria. Audit criteria are the standards, regulations, procedures, and contracts that may be used to evaluate your quality system or an individual process. Most of our audit team is qualified to audit against the following criteria:
  • 21 CFR 820, 803, 806, and 830 – the US FDA regulations including medical device reporting, corrections and removals, and unique device identifier regulations
  • ISO 13485:2016/Amd 2021 – the international quality system standard for medical device manufacturers
  • Regulation (EU) 2017/745 – the European Medical Device Regulations
  • SOR 98/282 – the Canadian Medical Devices Regulation
  • MDSAP AU P0002.008 – the Medical Device Single Audit Program audit approach guidance document
 
 
