Procedure Case Study Example
This procedure case study describes an error-proof method for review and approval of quality system procedures.
My first procedure case study
The first time I was formally trained on how to conduct a procedure review was during a lead auditor course. I thought the topic of procedure review seemed out of place, but as I audited more companies, I realized that missing regulatory requirements in a procedure are quite common. Regardless of who reviews a procedure, or how many times it is reviewed, something is always missed. Unfortunately, a desktop audit of procedures is not an effective corrective action or verification method. Auditing procedures is an ineffective method for reviewing procedures because audits are limited by sampling.
A better approach to procedure review than auditing
Instead of random sampling, a systematic review of 100% of regulatory requirements is needed to ensure that none of the regulatory requirements are accidentally omitted. Systematically reviewing regulatory requirements for each country your company is selling in is tedious at best. You need a tool to make the reviewing process error-proof and straightforward. You also need each procedure reviewer to have a defined function to eliminate the duplication of work.
Procedure reviewer roles
There are 3-5 reviewers of procedures in most companies. Some companies make the mistake of having as many as 8-10 reviewers of procedures, but more is not better. There are four primary roles for review and approval of procedures:
- process owner
- quality management
- regulatory
- independent
You are not required to have all four of these reviewer roles, but including these four roles in your document control process is a best practice.
Process owner role
The process owner may be the author of a procedure, but we don’t recommend it. Editing someone else’s work is more effective than editing your own work. Instead, we recommend that the department manager delegate the responsibility for writing and updating procedures to a subordinate that needs to perform the procedure. Then the department manager, who should also be the process owner, is responsible for reviewing and approving the initial draft.
Quality management role
The quality management person should be responsible for reviewing the procedure for accuracy and interactions with other processes. For example, the management review process has twelve required inputs (i.e., ISO 13485, Clause 5.6.2A-L). Each of those inputs comes from another process and procedure. It is essential to ensure that if you are reviewing the complaint handling procedure, somewhere in that procedure, it should state that the monitoring and measuring of complaint trends should be input into the management review process.
Regulatory role
The regulatory person is responsible for verifying that the procedure meets 100% of the regulatory requirements. This person should verify that the scope of the procedure identifies the relevant markets. If there are references to documents of external origin, the regulatory person should verify that these references are accurate. It is recommended to eliminate references to revisions of documents of external origin and internal procedure revisions because the inclusion of revisions will increase the frequency of minor revisions to procedures that add no value.
Independent reviewer role
Finally, the independent reviewer is looking for two things:
- Does the procedure make sense–to someone that performs the procedure (if that person was not the author); and to an external auditor, such as a certification body (internal auditors can fill this role)?
- Are there typos, spelling, or grammar mistakes?
The independent reviewer does not need to be a manager. It needs to be someone that writes well. Copy editing is tedious, but apparent mistakes in spelling or grammar prompt auditors to review procedures more carefully. If available, we recommend asking an internal auditor to be the independent reviewer.
Procedure case study – The most common auditor findings
The two most common reasons for audit findings are:
- the procedure is not being followed, and
- a regulatory requirement is missing from your procedure.
Not following the procedure
The first problem is the most common reason for an audit nonconformity, because companies include requirements in the procedure that are not regulatory requirements. Auditors look for objective requirements to audit. Therefore, if you include objective requirements in your procedure an auditor is more likely to select those requirements to sample than subjective requirements–even if the requirement is not a regulatory requirements. This is one of the reasons we recommend having processing owners review and edit procedures. If you purchase a procedure, it’s important for the person that will be performing the procedure to carefully review the procedure to ensure it matches how they intend to perform that process. If it’s a manufacturing procedure, we recommend conducting the training of personnel with a draft procedure and hand out red pens. That also dramatically reduces complaints from the people that do the work.
Regulatory requirements missing
For regulatory requirements, your regulatory reviewer needs to create a checklist that includes 100% of the requirements for that procedure. This approach is called a gap analysis. The model for gap analysis documentation we like to follow is the General Safety and Performance Requirement (GSPR) Checklist used for technical documentation (i.e., for CE Marking). There are 23 GSPRs in the MDR and 20 GSPRs in the IVDR. Most of the GSPR requirements have multiple subparts. The regulatory person that completes the GSPR Checklist must indicate the following information next to the applicable requirement in the checklist table:
- yes, the requirement applicable or justification if it’s not applicable
- a reference to any applicable standards
- a cross-reference to the record where evidence of meeting the requirement can be found (e.g., the risk management file)
Regulatory personnel can revise this approach slightly by doing the following for the review of procedures:
- yes, the requirement applicable or justification if it’s not applicable
- a reference to the applicable specific sub-clause in a Standard or a regulation
- a cross-reference to the subsection of the procedure where evidence of meeting the requirement can be found (e.g., section 5.1 of the SYS-003)
Procedure Case Study of the Management Review Procedure (SYS-003)
In Medical Device Academy’s Management Review Procedure, Section 8 is the “procedure section.” Sub-section 8.3 of the procedure lists all the required inputs for a Management Review meeting. Next to each input, we included a cross-reference to the sub-clause in ISO 13485:2016 for the Management Review input.
There is also a requirement in ISO 13485:2016 for conducting Management Reviews at scheduled intervals. This requirement is met by sub-section 8.1 of the Management Review procedure. We used the same approach to identify and cross-reference to this requirement.
Teaching auditors by performing your own procedure case study
Now, when we teach our Lead Auditor Course, we ask attendees to split into small groups to review a procedure–one procedure for each group. In one of the companies where we did this, each of the four teams found a regulatory requirement that was missing from the procedures they were reviewing. All four procedures the teams selected were already reviewed, approved, and currently in use at the time of the auditor training. The four teams created their own procedure case study to demonstrate the importance of reviewing procedures for regulatory requirements.
Management Review Procedure & Webinar – Free Download
Procedure Case Study Example Read More »