Blog

Posts Tagged Quality Management System

What is a Gap Analysis?

This article describes what a gap analysis is in the context of managing your quality system when standards and regulations are updated.

Compliance Assessment Gap Analysis Picture 1024x683 What is a Gap Analysis?
Compliance Assessment/Gap Analysis

What is a Gap Analysis? An introductory look.

Well, that depends on the context. The dictionary definition is “A technique that businesses use to determine what steps need to be taken in order to move from its current state to its desired, future state. Also called need-gap analysis, needs analysis, and needs assessment.” (http://www.businessdictionary.com/definition/gap-analysis.html). 

For the most part, this is correct, but we need to tweak it just a little bit to fit better into our regulatory affairs niche, specifically medical device manufacturers. A Gap Analysis for financial investment or an advertising firm will be very different than one for a medical device distributor. It might even be better served to be called a Compliance Assessment/Gap Analysis, but I am sure someone else has thought of that long before me.

For our purposes, the Gap Analysis is a formal comparative review of an internal process or procedure against a standard, good practice, law, regulation, etc. This blog article will be an introductory look into that process.

What are the two BIG goals of a Gap Analysis?

It sounds like a simple exercise, but the Gap Analysis or GA for short can have two very different but complementary functions. Rather than simply hunting for areas of non-compliance, the first goal is to find and demonstrate areas of compliance. 

The second more obvious goal is to find the gaps between the process and the regulatory requirements they are being compared against. 

Why is demonstrating compliance important?

Because this is a formal documented review, a Gap Analysis provides documentation in a traceable manner of meeting the requirements that have been laid out. That traceability is important because it allows anyone to read the report, see the requirement, and locate the area of the procedure that demonstrates conformity with that requirement. 

The report itself is an objective tool, not something that is meant to be a witch hunt. The Gap Analysis will compare document contents. If you want to verify that the entire process is fully compliant, you will need to dig deeper and observe if the activities laid out within the procedure are being performed per the procedure instructions. It is possible to draft procedures that are compliant with text requirements but non-compliant in the manner that the actions are being performed and documented.

What about gaps?

The gaps, or areas of non-compliance highlight opportunities for improvement, if there are any. A Gap Assessment may not find any gaps and present a report that clearly and neatly outlines and explains how each regulatory requirement is being met. 

If there are any gaps identified, that does not mean that there is cause for concern. This should be viewed instead as an opportunity for improvement. Standards and procedures change over time, and, naturally, procedures and processes will have to change with them.

The very act of the Gap Analysis shows that there is a documented effort towards continual improvement as long as the gaps are addressed. 

Addressing the Gaps

The report is ideally the first and last step, and you have a wonderful piece of paper to show that someone checked, and all of the required areas are being met. However, this is not always the case. When there are gaps, they must be filled.

Addressing a gap should happen in a traceable manner, one that shows it was identified, acknowledged, and then how it was fixed. Something that might be addressed through a CAPA process, but that is a topic for a different time. 

In Closing

The Compliance Assessment/Gap Analysis is a singular tool used in the overall maintenance of a quality system. Its actions and performance are similar to a simplified type of audit, but the Gap Analysis itself is not going to replace your regularly scheduled audit activities. However, it will help you monitor and keep your fingers on the overall pulse of your quality system. This is also especially helpful in situations where standards and regulations are updated, and your quality system needs to be evaluated and updated accordingly.

For more in-depth education in specialized areas of the assessment, look into our training on Technical File Auditing for MDR compliance against Regulation (EU) 2017/745 at the link below.

Technical File Auditing for MDR Compliance

Posted in: Quality Management System

Leave a Comment (0) →

Procedure template for ISO ISO 13485:2016 quality systems

This 12 part procedure template for your medical device QMS can result in writing shorter, more effective documents that are easier to train personnel on.%name Procedure template for ISO ISO 13485:2016 quality systems

We all have a standard template for our quality system procedures. Typically, we begin with purpose, scope, and definitions. This 12-part procedure template for your medical device QMS  can result in shorter, more effective documents that are easier to train personnel on.

1. Purpose. Often I read something like, “This purpose of this document is to describe the CAPA procedure.” That necessary information is the reason why we title procedures. A better statement of purpose would be, “The purpose of this procedure is to provide a process for identifying, preventing and eliminating the causes of an actual or potential nonconformity, and using risk management principles.” The second version gives readers a better indication of the purpose of the procedure.

2. Scope. This section should identify functions or situations that the procedure applies to, but it is even more critical to identify which situations the procedure does not apply too.

3. References and Relationships. Reference documents that apply to the entire quality management system (e.g., – ISO 13485 and 21 CFR 820) only need to be listed in the Quality Manual. This reduces the need for future revisions to the procedures. I list here any procedure-specific external standard (e.g., – ISO 14971) in the applicable procedure. The relationship between procedures is more important than the references. Therefore, I prefer to use a simple flow diagram, with inputs and outputs, similar to the one below for a document control process.

sys 001 Procedure template for ISO ISO 13485:2016 quality systems

4. Document Approval. Who must sign off on the procedure? Keep this list short. Ideally, just the primary process owner and Quality Manager (to ensure consistency and integrity across the quality management system).

5. Revision History. A brief listing of each revision and a brief description of what was changed in the procedure.

6. Responsibilities and Authorities. A listing of the main areas of responsibility for each role. Remember to include the title of managers who may be required to approve forms, or make key decisions.

7. Procedure. I prefer to create a detailed flowchart outlining each step of a process before writing the procedure. Each task box in the flowchart will include a reference number. If you organize the reference numbers in an outline format, then you can write the text of your procedure to match the flowchart—including the numbering of the flow chart task boxes.

example Procedure template for ISO ISO 13485:2016 quality systemscapa Procedure template for ISO ISO 13485:2016 quality systems

8. Monitoring and Measurement. An explanation of how the process is monitored and measured, who does it, how often, format, method of communicating the analysis, and what process that analysis will be an input into, e.g., Management Review.

9. Training/Retraining. Tabulated, which roles need to be trained in this procedure, and to what level? The example below is also from a Document Control procedure.role Procedure template for ISO ISO 13485:2016 quality systems

10. Risk Management. This section identifies risks associated with each procedure and how the procedure controls those risks. As well as complying with the requirement to apply risk management throughout product realization (i.e., Clause 7 of ISO 13485), including a section specific to risk management forces the author of the procedure to think of ways the process can fail and to develop ways to avoid failure. Risks can also be a starting point for training people on the procedure.

11. Records. Tabulated, form number and names, a brief description of its purpose, and a column for retention and location. This column also allows for reference to compilations if the record becomes part of, e.g., Design History File, Device Master Record, or the Risk Management File.

12. Flowcharts. Step-by-step through the process, saying who performs the step when it isn’t apparent. I keep task shapes simple: rectangles for tasks, rounded rectangles for beginnings and endings, diamonds for decision boxes, and off-page reference symbols.

When the task needs supporting text, e.g., guidance or examples, put a number in the box and a corresponding number in the table in (7) above.  Ideally, the flowcharts are placed in the document with the Notes table on the same page or the opposite page. In practice, I often put them at the end to simplify the layout. One of my clients loves her flowcharts and puts them on the front page.

Benefits of this Approach

Information is well structured and presented consistently across procedures, more so than can be achieved through narrative.

  • The flowchart is the primary means of documenting the procedure.
  • Tables provide details that are not clear in the flowchart.

The procedure structure described above facilitates a consistent training approach built around the document. Purpose and scope are presented first, and then the Risk section is presented to explain what is essential in the procedure and why. The flowchart, the table, and the formwork together to describe each step of the procedure. Finally, a PowerPoint template can be used to guide process owners in developing their training.

And to make it even easier, you have already spelled out who needs to be trained and to what level.

Posted in: ISO Certification

Leave a Comment (1) →

Preparing for ISO 13485 Certification in 5 Steps

The author provides five steps in preparing for the ISO 13485 certification process, and his insights and tips for each step are reviewed.

A LinkedIn connection of mine recently asked for sources of good guidance on ISO 13485 registration. I wrote a blog recently about Quality Management Systems in General, but I had trouble finding resources specific to the ISO 13485 registration process. Therefore, I decided to write a blog to answer this question.

Typically, people learn the hard way by setting up a system from scratch. The better way to discover it is to take a course on it. I used to teach a two-day course on the topic for BSI. The link for this course is http://bit.ly/Get13485; I shortened the link to the BSI website.

Other registrars offer this course too. I suspect you can find a webinar on this through TUV SÜD, BSI, SGS, LNE/GMED, Dekra, etc. from time to time.

The only registrar I could find that described the process step-by-step was Dekra. I have copied their steps below:

 ISO 13485 Certification: Inquiry to Surveillance in 5 Steps

1. Inquiry

An initial meeting between [THE REGISTRAR] and the client can take place on-site or via teleconference. At this time, the client familiarizes [THE REGISTRAR] with company specifics, and it’s quality assurance certification requirements; [THE REGISTRAR] explains its working methods and partnering philosophy, and previews the details of the process.

%name Preparing for ISO 13485 Certification in 5 Steps

Rob’s 2 Cents

As a client, I have completed two initial certifications personally and three transfers, but I have only once had the sales representative visit my company. I think this process is typically accomplished by phone and email. If any registrars are reading this, you will close on more accounts if you visit prospective clients personally. The one that visited my company (Robert Dostert) has been on speed dial for almost a decade, and he’s received repeat business.

 

 

2. Application Form

The client chooses to move forward by filling out an online application form. Based on the information obtained during the inquiry stage, along with the application form, [THE REGISTRAR] prepares a quote, free of charge, for the entire certification process. A client-signed quotation or purchase order leads to the first stage of the certification process.

my two cents1 Preparing for ISO 13485 Certification in 5 Steps

Rob’s 2 Cents

For both of the Notified Body transfers I completed, I completed application forms and requested quotes from multiple Notified Bodies. During the quoting process, my friend Robert was more responsive and able to answer my questions better than the competition. Robert was also able to schedule earlier audit dates than the competition. To this day, I am still amazed that Notified Bodies are not more responsive during this initial quoting process. All of the Notified Bodies are offering a certificate (a commodity). The customer service provided by each Notified Body, however, is not a commodity. Each Notified Body has its own culture, and every Notified Body has good and bad auditors. Therefore, you need to treat this selection process, just like any other supplier selection decision. I have guided this specific selection process on more than one occasion, but I am definitely biased.

 3. Phase One: Document Review and Planning Visit
%name Preparing for ISO 13485 Certification in 5 Steps

LNE/GMED Flow Diagram for the process of ISO 13485 Certification

At this stage, [THE REGISTRAR] performs a pre-certification visit, which entails verifying the documented quality systems against the applicable standard. [THE REGISTRAR] works with the client to establish a working plan to define the [THE REGISTRAR] quality auditing process. If the client wishes, [THE REGISTRAR] will perform a trial audit or “dress rehearsal” at this stage. This allows the client to choose business activities for auditing, and to test those activities against the applicable standard. It also allows the client to learn and experience [THE REGISTRAR] ‘s quality auditing methods and style. The results of the trial audit can be used toward certification. Most clients elect for one or two days of trial auditing.

%name Preparing for ISO 13485 Certification in 5 Steps

Rob’s 2 Cents

Dekra’s statement that “The results of the trial audit can be used toward certification,” is 100% opposite from BSI’s policy. BSI calls this a pre-assessment. The boilerplate wording used in BSI quotations is, “The pre-assessment is an optional service that is an informal assessment activity intended to identify areas of concern where further attention would be beneficial and to assess the readiness of the quality management system for the initial formal assessment.” During these pre-assessments, BSI auditors explain that any findings during the pre-assessment will not be used during the Stage 1 and Stage 2 certification audits, and the client will start with a “clean slate.” Most of the clients I conducted pre-assessments for were skeptical of this. Still, most auditors are ethical and make every effort to avoid even the perception of biasing their sampling during Stage 1 and Stage 2 audits.

I highly recommend conducting a pre-assessment. You want an extremely thorough and tough pre-assessment so that the organization is well prepared for the certification audits. If the auditor that will be conducting the Stage 1 and Stage 2 audit is not available to do a pre-assessment, try to find a consultant that knows the auditor’s style and “hot buttons” well. FYI…You can almost always encourage me to do a little teaching when I’m auditing (I just can’t resist), and my “hot buttons” are CAPA,  internal auditing, and design controls.

 4. Phase Two: Final Certification Audit

Once the client’s documented systems have met the applicable standards, [THE REGISTRAR] will conduct an audit to determine its effective implementation.  [THE REGISTRAR] uses a professional auditing interview-style instead of a simple checklist approach. This involves interviewing the authorized and responsible personnel as designated in the documented quality system.

%name Preparing for ISO 13485 Certification in 5 Steps

Rob’s 2 Cents

For certification audits, ISO 17021 requires a Stage 1 and Stage 2 audit to be conducted. The combined duration of the certification audits must be in accordance with the IAF MD9 guidance document–which is primarily based upon the number of employees in the company. The “interview style” that Dekra is referring to is called the “Process Approach.” This is required in section 0.2 of the ISO 13485 Standard, and this is the primary method recommended by the ISO 19011 Standard for auditing–although other methods of auditing are covered, as well.

 

5. Surveillance

[THE REGISTRAR] arranges for surveillance audits semi-annually or annually, as requested by the client.

%name Preparing for ISO 13485 Certification in 5 Steps

Rob’s 2 Cents

I highly recommend annual surveillance audits, because the short duration of surveillance audits becomes unrealistically short when the auditor is asked to split their time between two semi-annual visits. A few clients have indicated that the semi-annual audits help them by maintaining pressure on the organization to be ready for audits all year-round, and prevents them from procrastinating to implement corrective actions. This is an issue of management commitment that needs to be addressed by the company. Scheduling semi-annual surveillance audits don’t address the root cause. The only good argument I have for semi-annual cycles is if you have very large facilities that would have an audit duration of at least two days on a semi-annual basis.

The most important consideration related to scheduling surveillance audits is to ensure that you schedule the audits well before the anniversary date. I recommend 11 months between audits. By doing this, you end up scheduling the re-certification audits three months before the certificate expires. BSI has a different policy. They want auditors to schedule the first surveillance audit ten months after the Stage 2 audit, the second surveillance audit 12 months after the first surveillance audit, and then the re-certification audit must be scheduled at least 60 days before certificate expiration (i.e.,  – no more than 12 months after the second surveillance audit). No matter what, schedule early.

If you have additional questions about becoming ISO 13485 registered, please post a discussion question in the following LinkedIn subgroup: Medical Device: QA/RA. For example, on Monday, a new discussion question was posted asking for help with the selection of a Notified Body for CE Marking. You will need to become a member of the parent group (Medical Device Group)–if you are not already one of the 140,000+ members connected with Joe Hage. George Marcel and I manage this subgroup for Joe. George is out in the Bay Area, and I’m in the Green Mountains.

Posted in: ISO Certification

Leave a Comment (5) →

Quality Management System Information Sources

This blog reviews a number of quality management system information sources.

A blog follower from Jon Speer’s website, Creo Quality, recently sent me a message asking for information sources on  Quality Management System (QMS) subject matter.

The single best guidance document on the implementation of a QMS system in accordance with ISO 13485 is “13485 Plus” (type in the words in quotes to the CSA Group search engine).

There are also a bunch of pocket guides you can purchase for either ISO 9001 or ISO 13485 to help you quickly access information you are having trouble remembering. One of my lead auditor students recommended one pocket guide in particular and she was kind enough to give me her copy.

There are some webinars out there that provide an overview of QMS Standards. Some are free and some have a modest fee. I’m not sure of the value for these basic overview webinars, but if you need to train a group, it’s a great solution. I know BSI has several webinars that are recorded for this purpose.

AAMI has an excellent course on the Quality System Regulations (QSR) which combines 21 CFR 820 and ISO 13485.

There are a number of blogs I recommend on my website.

You can try to identify a local mentor–either in your own company, or at your local ASQ Section.

You can join the following LinkedIn subgroup: Medical Device: QA/RA. You will need to become a member of the parent group (Medical Device Group)–if you are not already one of the 140,000+ members connected with Joe Hage. George Marcel and I manage this subgroup for Joe.

You can visit the Elsmar Cove website and participate in the discussions you find there. I wrote a blog about Elsmar Cove a while back (wow almost 2 years ago now).

The best way to learn this stuff is to do all of the above.

Posted in: ISO Certification

Leave a Comment (2) →

Qualifying a Supplier That Doesn’t Have a Quality Management System

This blog proposes a simple solution for how to qualify a supplier that doesn’t have a quality management system.

You are ignoring the obvious question of why doesn’t a medical device supplier have a quality management system. If you are a contract manufacturer, you should ensure that you have a clause in your supplier qualification procedure that says you don’t need to qualify suppliers that are mandated by your customers. If your response to this suggestion is “Duh,” you haven’t conducted many supplier audits of contract manufacturers. As my buddy, Tim says, “You need to leave somewiggle room’ in your procedures.” This is also good advice for all 19 of your top-level procedures that get audited each year.

For the remaining suppliers you are considering to add to your Approved Supplier List (ASL), you need a SIMPLE set of criteria for how you qualified the supplier. Guess what that magical document should be? (Answer to be provided shortly)

Many companies use a supplier self-evaluation survey. I’m almost certain that I have bashed these nearly useless documents before, but if I failed to do this, …most of them are problematic. A one-page supplier information form seems more appropriate. No signature required! And please make it a Word document.

The supplier qualification procedure needs to be generic for all raw materials and services you purchase. The problem is that everything you purchase has different requirements. So instead of wasting your time with writing one procedure that has wiggle room for every single product or service, you will ever purchase, don’t even try. Instead, write a SIMPLE procedure. This procedure needs only to be one page long. It needs four requirements:

1)      New suppliers must complete a supplier information form and submit it to the company. This should be updated at least once every 12 months and whenever there is a change to the information provided (i.e., – notification of change).

2)      You need at least two people to approve the addition to the Quality Management System. This can be done on your ECO or DCO form for changing the ASL. If the supplier is customer-mandated, you need the customer’s approval and the purchasing managers. If the supplier is internally selected, you need at least purchasing and QA to approve it.

3)      You should have an objective criterion (probably more than one requirement) that is product/service-related for acceptance of the supplier. This criterion SHALL be under document control, and the revision shall be communicated to the supplier when orders are placed. See ISO 13485:2003, section 7.4.2 (Purchasing Information).

4)      Finally, you need a reference to your purchasing procedure (one of the required 19 documents) and your supplier re-evaluation procedure.

If you have not already guessed, the “magical” document is called a purchasing specification or raw material specification for raw material items. For capital equipment, you may require that a capital expenditure justification be completed instead of the purchasing specification. For a calibrated instrument, tool, or fixture, you may request that requirements of the instrument/tool/fixture are documented in the applicable procedure or work instruction. For example, for measurement of this cannula, a calibrated optical comparator is required with 20x magnification. Reference the inspection procedure or drawing, and you are done.

For those of you that would like to keep your ASL shorter, which I recommend, if you don’t think you will be using the supplier more than once, you might want to give the buyer the option of documenting the purchasing specification on the purchasing requisition instead. This might be very helpful for those engineers that are doing R&D or validation work. For example, I need a bag of resin that meets the following raw material specifications—but we don’t currently use this material, and I’m not ready to submit one for approval. That’s why the engineer is ordering the bag of resin. She needs to test the material in the application and gather some preliminary data as justification for the new raw material specification.

There are 100’s of other ways to qualify your suppliers, and many of them work well if you follow your procedure. If your procedure is SIMPLE, your Monday’s will be better.

 

Posted in: Supplier Quality Management

Leave a Comment (0) →