13485cert

Archive for the ‘International Standard’ Category

ISO 14971 – Buy the new 2012 version?…comment please

In CE Mark, CE Medical, International Standard, ISO, ISO 14971, Medical CE, Medical Device, Risk Analysis, Risk Management on August 2, 2012 at 8:38 pm

I’m sure that there are some that disagree with my determination that the latest revision of EN 14971, revision 2012, is unnecessary (the European Commission certainly does).

You will have to go to my website to read my cheeky posting on this topic.

And here’s another cheeky attitude from the UK…(sorry, this is not a family channel).

Therefore, I would like to clarify why I feel this way by reviewing how risk is addressed in the MDD (93/42/EEC as modified by 2007/47/EC).

  1. The term risk is mentioned only 4 times in the Articles in the MDD
  2. The term risk is mentioned once in Annex II and III, twice in Annex VII, and three times in Annex VIII and X—for a total of 10 times.
  3. The other 41 times risk is mentioned are in the Essential Requirements (i.e. – Annex I).

When companies submit a Design Dossier for review by a Notified Body, an Essential Requirements Checklist is included. This references, in table format, how all the requirements of Annex I are being met—including those related to risks. Throughout Annex I, a similar phrase is repeated many times. For example, in the first Essential Requirement (ER1) it states: “…any risks which may be associated with [a device’s] intended use [shall] constitute acceptable risks when weighed against the benefits to the patient and are compatible with a high level of protection of health and safety.” In ER2 it states: “the manufacturer must…eliminate or reduce risks as far as possible…”. There is no room in the MDD for consideration of cost or economic impact when the manufacturer is designing a device with regard to risks and benefits.

If a company’s Risk Management Procedure has been found to be acceptable by a Notified Body, and the company has addressed all the Essential Requirements (ERs) with regard to risk, then there should be no impact from these 7 deviations identified in EN 14971:2012. However, if your company has not addressed each of these ERs, then you might want to consider each of these areas:

  1. Treatment of negligible risks
  2. Discretionary power of the manufacturer as to the acceptability of risks
  3. Risk reduction “as low as possible” (ALAP) versus “as low as reasonably possible” (ALARP)
  4. Discretion as to whether a risk benefit analysis needs to take place
  5. Discretion as to the risk control option/measures
  6. Deviation as to the first risk control method
  7. Information of the users influencing the residual risk

My final advice is to review Annex I and Annex X from the perspective of risk management. You may realize that you have some gaps that nobody noticed. After all, audits are just a sample.

PS – I think it’s ironic that the origins of the ALARP principle are UK case law (see link above).


Attention Auditors! – Have you read ISO 19011?

In Audit Schedule, Internal Auditing, International Standard, ISO, ISO 19011, PDCA, Procedures, Quality Management Systems on July 20, 2012 at 2:58 pm

If you have ever taken a lead auditor course, one of the critical handouts for the class should have been ISO 19011. The title is “Guidelines for Auditing Management Systems”. In November of last year, this standard was updated and the changes were not superficial.

The background entertainment for this week is one of my favorite modern rock songs, but it never seemed to get much air time. I hope you enjoyed the 90’s.

ISO 19011 covers the topic of quality management system auditing. This Standard provides guidance on managing audit programs, conducting both internal and external audits, and how to determine auditor competency. Improvements to the New 2011 Version of the Standard include:

  1. Broadening the scope to all management systems
  2. Clarifying the relationship between ISO 17021 and ISO 19011
  3. Introduction of the remote audit methods
  4. Introduction of risk as an auditing concept
  5. Confidentiality is a “new” principle
  6. Clause 5, Managing an audit program, was reorganized
  7. Clause 6, Performing an audit, was reorganized
  8. Clause 7, Competence and evaluation of auditors, was reorganized & strengthened
  9. Annex B is new and the contents of the help boxes were moved to this Annex
  10. Annex A now includes examples of discipline-specific knowledge and skills

One of the most common points of confusion in the lead auditor course is the difference between 1st, 2nd and 3rd party audits. In the previous revision of this Standard, this was just a note at the bottom of page 1 and the top of page two. The note was not very clear either. In the new version of 19011, in Table 1 (reproduced below), the difference between these three types of auditing is crystal clear:

The above table is just an example of the improvements made to ISO 19011, and of course there is little value-add to clarifying a definition. Figure 1 from the new version, “Process flow for the management of an audit program”, is a better example of a “value-add”. This vertical flow chart is reminiscent of Figure 1 from ISO 14971:2007. It categorizes the various stages of audit program management into the Plan-Do-Check-Act (PDCA) cycle. I highly recommend this style for presenting any process in your internal procedures as an example of best practices in writing an SOP. The flow chart even references each of the clauses in the Standard. Unfortunately Figure 2, “Typical audit activities”, does not categorize the stages of audit activities (Clauses 6.2 – 6.7 of the revised Standard) into the PDCA cycle. I guess they needed to leave some improvement for the next revision.

The new version retained the opening meeting checklist that was in the previous revision (Clause 6.4.2), and Clause 6.4.9 has a brief closing meeting checklist. Figure 3, “Overview of the process of collecting and verifying information”, is a poor example of a flow chart. Should I make a better one? (Send me an email if you think I should.)

The most valuable changes in this revision are Clause 5.3.2, “Competence of the person managing the audit program”, and all of Clause 7. Most of the audit procedures I read neglect to define the qualifications and method for determining competency of the audit program manager. Clause 5.3.2 tells you how. Put it in your own procedure. Most of the procedures I read include qualifications for a “Lead Auditor”, but I seldom see anything regarding competency. Unfortunately, this Standard only specifically addresses “Lead Auditor” competency in a two-sentence paragraph—Clause 7.2.5. When I teach people how to be a lead auditor, I spend more than an hour on this topic alone.

The Standard would be more effective by providing an example of how 3rd party auditors become qualified as a Lead Auditor. 3rd party accreditation requires the auditor to be an “acting lead” for audit preparation, opening meeting, conducting the audit, closing meeting, and final preparation/distribution of the audit report. This must be performed for 15 certification audits (i.e. – Stage 2 certification or recertification), and another qualified lead auditor must evaluate you and provide feedback.

The last big additions to this Standard were the Appendices. Annex A provides examples of discipline-specific knowledge and skills of auditors. This section is a little on the boring side. I prefer to tell a story about the internal auditor that was auditing incoming inspection—but they had no idea how to check for calibration or how to measure components. Appendix B, the finale, has a table (Table B.1) that provides some guidance on how to conduct remote audits (i.e. – desktop audits). I was pleased to see that conducting interviews is a major part of remote auditing in this table. Section B.7 provides some suggestions with regard to conducting interviews, but if you exhibit all 13 of the professional behavior traits found in Clause 7.2.2 then you really don’t need any advice on how to speak with people. For the rest of us mortals, we could use a five day course on interviewing alone.

Additional guidelines are available on the ISO website.

FAQ #1: But what about the FDA requirements?

In Internal Auditing, International Standard, ISO, ISO 13485, JPAL, MO # 169, Quality Management Systems on June 1, 2011 at 2:37 am

I thought I would expand my usual musical range to include some of the music I grew up with. I hope you enjoy this fantastic performance.

I hear this question, or a question with similar wording, quite frequently when I am auditing. Typically the question is in response to a better way to do something that seems simple and efficient. Most people seem to approach regulatory requirements with the approach of…let’s bury the regulator. While it’s true that we expect a certain amount of paperwork with each regulatory requirement, we frequently are accepting of a much broader range in stack heights. For example, a design controls procedure could be a one page flow-chart that references forms and work instructions. A design controls procedure could also be twelve separate documents with a minimum length of ten pages and a maximum of forty pages per document. As long as the procedure has sufficient detail for the people performing these tasks and all the required elements are included, ISO clauses 7.3.1-7.3.7, then we have no choice but to identify the procedure as conforming.

The above example is the perspective of an auditor looking for CONFORMITY!

However, some people are inspectors that are looking for NONCONFORMITY!

In the case of inspectors, it is critical to present your information in such a way that it is easy for the inspector to see how you meet the requirements of the regulations. One of the best ways to do that is to reference the requirements directly in your procedures.

For those that prefer finesse…try to organize information in accordance with the regulations. For example, if I am writing a procedure for an ISO registration audit, I write the procedure to specifically address the ISO sub-clauses. I might even use a document control number like: SOP-73 for my “Design and Development” procedure. Alternatively, if I’m writing a procedure for a JPAL audit, I might change my document control number to SOP-3036 for my “Design and Development” procedure. This matches up with JPAL Ministerial Ordinance #169, Articles 30 through 36. In this case, the document control number suggests compliance with the Japanese regulations. A little subconscious suggestion couldn’t hurt.

In my previous blog posting, I suggested a slight change to the scheduling of internal audits. In order to make sure this meets FDA requirements, the key is to READ THE REGULATIONS AGAIN. With regard to internal auditing, the applicable FDA regulation is: 21 CFR 820.22:

“Each manufacturer shall establish procedures for quality audits and conduct such audits to assure that the quality system is in compliance with the established quality system requirements and to determine the effectiveness of the quality system. Quality audits shall be conducted by individuals who do not have direct responsibility for the matters being audited. Corrective action(s), including a reaudit of deficient matters, shall be taken when necessary. A report of the results of each quality audit, and reaudit(s) where taken, shall be made and such reports shall be reviewed by management having responsibility for the matters audited. The dates and results of quality audits and reaudits shall be documented.”

The above requirement is quite vague with regard to how many auditors and how many days must be spent auditing. These are the variables I suggested changing in my previous posting. The FDA regulations are specific, however, with regard to documenting the “reaudit” of any deficiencies found during an audit. This prescriptive requirement can be met by reviewing previous audit findings of all audits with the audit program manager during the audit preparation process. The audit program manager can facilitate the assignment of which auditor will reaudit each finding. This may require a few more minutes of audit preparation, but this should not measurably impact the overall time allocated to an audit.

Somehow the above prescriptive requirement slipped my mind. I do this out of habit when I am performing internal audits on behalf of clients, but if I am auditing the internal audit process of a client—now I’ll remember to point out this additional requirement that is specific to the FDA and not included in the ISO Standard. This is why we should always READ THE REGULATIONS AGAIN.

The Perfect Pecan Pie – Recipe # 14,971

In International Standard, ISO, ISO 14971, Risk Management, Training on February 7, 2011 at 6:42 am

Hats off to Woodson and the rest of the Packers! My team was the Patriots, but I’m happy to see that the Packers showed some real heart and overcame their injuries to win the trophy. As for the half time show…I thought it was more lights than music. I included a link to the half-time show at the end of this blog, but I thought the Black Eyed Peas video called “The Time (Dirty Bit)” is much more entertaining.

For those of you familiar with the ISO 14971:2007 Risk Management Standard, you may have already figured out the topic of this blog. For the rest of you…did you really think I tried perfecting my recipe for pecan pie nearly 15,000 times?

A couple of years ago, a client of mine asked me to give them a training course on Risk Management—specifically an overview of ISO 14971:2007. In my struggle to find a fresh way of engaging the interest of my client’s employees, I developed the concept of using the principles of Risk Management in a more tasty application. Back in 2006 I developed a five-minute presentation on how to make “The Perfect Pecan Pie.” For this new three-hour presentation, I tortured my students with a homemade pecan pie that I placed in the middle of the conference room table.

This presentation included several tools to help my students remember the principles of Risk Management. First, the alliteration of the letter “P” throughout the presentation beat my message steadily into their subconscious. My second weapon was the smell of a warm, fresh, pecan pie. Third, I used analogies to the pecan pie making process for each aspect of the Risk Management Process. Fourth, I used vivid descriptions throughout my presentation to help everyone visualize the sweet, praline confection at each step of the baking process. And finally, I burned the experience into their brains forever with the taste of the Perfect Pecan Pie.

Not everyone loves Pecan Pie as much as I do, and not everyone has tried making the Perfect Pecan Pie as many times as I have. I have made gooey pies, sickeningly sweet pies, pies that crack and crumble, pies that were barely cooked, pies without a crust, and pies without a filling. If you plan to coordinate your entire presentation around the concept of a homemade pecan pie you made in your kitchen last night, you had better have a proven Risk Management process to reduce the risk of embarrassing yourself.

Please read my next several blogs as I unveil the secret to making the Perfect Pecan Pie—one slice at a time:)

Here’s some of the half time show…(assuming the link is not taken down).

How to Write Better Procedures

In Improvement, International Standard, ISO, ISO 13485, Quality, Quality Management Systems, Training on January 28, 2011 at 3:08 am

Knowing that we have the “Big Game” half-time show coming soon, I thought I would share a video of the 2007 show by Prince (Thank you for the suggestion Greg).

During a CAPA course I taught earlier today, one of the attendees asked if I have a course on “How to Write Better Procedures.” Unfortunately, the only material I could offer was material from a course I taught on “Training the Trainer.” That training course focused on visual communication. There are several books related to Lean Manufacturing that explain in depth how to use visual communication to replace text (i.e. – “a picture says a thousand words”). During my ride home, however, I thought of a few other ideas that might help anyone that is in the process of writing or re-writing a procedure.

My first suggestion is to develop a standardized format for procedures. If you have a procedure for writing procedures, just make sure you allow the flexibility to deviate from the standardized format. The Standard does require that procedures have a “mandatory” format. Referring to the standardized formatting as “suggested formatting” will avoid unnecessary nonconformities.

My second suggestion is to avoid making unnecessary references to other external standards. If you are writing a procedure on risk management—it makes sense to reference ISO 14971. It does not make sense to reference all the other risk analysis Standards unless you are specifically using them to perform risk analysis. Included in this category would be references to other regulatory requirements such as 21 CFR 820, the FDA QSR, or Part 1 of the Canadian MDR. Companies can claim compliance with other requirements in the Quality Manual instead. What should be referenced in a document is any related procedures or forms.

Another related suggestion is to avoid including the revision of a Standard. This is just another opportunity for unnecessary nonconformities. If you don’t specify the revision, then an auditor can only assume that the most current revision of the Standard is implied. If changes to a Standard are minor, no changes to a procedure may be warranted and a revision to the procedure can be avoided—assuming that the revision of the Standard is not specified. Some argue that you should include the revision and update the reference to document that the procedure was reviewed to see if changes were warranted. This is unnecessary. A review of procedures, where the decision is made for “no change”, can easily be documented in the Management Review under the category of “New and Revised Regulatory Requirements.”

My fourth suggestion is to indicate the process owner and training requirements associated with each procedure. By doing this, it is easier to define who is responsible for reviewing and revising procedures—as well as who is assigned CAPAs if there is a finding related to the process in question. For the training requirements, the process owner should specify who needs to be trained on the process. Why? They know the procedure best. If there is a “grey area,” this should be resolved with the department manager for the job function in question. In addition, retraining requirements should be specified. By this, I mean that it is a good idea to indicate if retraining is required when a procedure has been revised. If the revision is minor, training should only be required for people that have not been trained to a previous revision.

There are a couple of great ways to identify when retraining is required for a revision and when no retraining is required, but I’ll leave those ideas for another blog…

My fifth suggestion is to adopt the Plan-Do-Check-Act (PDCA) model for the structure of procedures. For the “Plan” portion, the procedure should explain how to prepare to do something. This planning activity can apply to anything from planning to perform an audit to planning to inspect incoming raw materials. The “Do” portion is what most people refer to as the “Procedure” section. The “Check” portion of the procedure is a great place to specify the monitoring and measurement requirements for the process (see Section 8.1 of the Standard). Finally, the “Act” portion of the procedure should indicate what to do when target metrics are not met. For example, what should be done when an alert limit is reached? What should be done when an action limit is reached?

My final suggestion is to include revision history. It’s extremely helpful to know which ECO approved the document revision, why the changes were made, the nature of changes, whether there is a related corrective action, and when the change was made.

Sorry about the length of this blog…I hope this helps you Darcy.

If I had a rocket launcher…

In Elsmar Cove, International Standard, ISO, ISO 13485, Management Representative, Management Responsibility, QA, Quality, Quality Management Systems on January 21, 2011 at 12:53 am

This week’s music video selection was recommended by my friend Greg. We were eating dinner together at 1776, and he was kind enough to share this amazing musician with me. I’m not a guitarist but he pointed out that Bruce Cockburn has a very unique style. He plays three different parts simultaneously. His thumb plays bass on the top string while the other fingers play two separate melodies. WOW!

Are you frustrated? Do you wish for a rocket launcher? Maybe you would aim it at the C-level offices and pull the trigger.

Sometimes we hear phrases like: “Well that’s just an ISO requirement.” This obvious lack of support by top management is what frustrates every Management Representative in the world.

There was a question posted on the Elsmar Cove website on January 10th (see previous blog for the link). In just 10 days there have been 153 postings in response to the original question. As I read through the various postings I saw several comments about a lack of support by top management. Rocket launchers are NOT the answer, but maybe a heavy bat…

A little over a decade ago I was still learning how to supervise people. In an effort to educate myself further, I read a book (sorry can’t be sure which book anymore). In this book, the boss gave an employee a card with a picture of a baseball bat on it. The instructions provided with this magical card were to use it only when the boss failed to pay attention and the employee had something important to tell him.

We all wish for a magical baseball bat, but unfortunately we are M-A-N-A-G-E-R-S. Along with the awesome title comes awesome responsibility. Managers are responsible for leading others. Subordinates are not the “others” I am referring to. The “others” are peers. If you cannot persuade your peers to support you, then you will fail as a manager. The Quality Department cannot fix all the problems. In fact, my philosophy is that Quality is responsible for recommending improvements, training people, and helping to implement. We assign corrective actions, but we should be assigning them to the process owner (i.e. – Manager) that is responsible for the area where the problems were created.

If you need help persuading the unenlightened, try picking a project that is critical to the success of the stubborn one. If you can show someone that is currently a detractor how they can apply the Quality principles to help solve their problems, then you will have a convert. Converts become strong supporters. If the stubborn one happens to be at the top, figure out what the CEO’s initiatives are. Initiatives are easy to identify; they talk about it at least twenty times a week. Try showing the CEO how their initiatives can become Quality Objectives. Show them with graphs. Show up with solutions to their problem. Use the CAPA process as a framework. Show them how the management TEAM can fix it.

If nothing seems to be working, you can always try reviewing some FDA MedWatch reports too–just to scare the crap out of the boss.

The Secret to Successful Training

In Internal Auditing, International Standard, ISO, ISO 13485, Medical Device, QA, QC, Quality, Quality Management Systems, Training on January 7, 2011 at 3:32 am

About 10 years ago my CD collection was stolen and I haven’t heard this tune since. Sass Jordan might be a little raw for your average professional but everyone needs to loosen up sometimes. Just in case you were wondering, I think this CD (Rat) was next to the Greatest Hits of Ella Fitzgerald—which they left behind. I love the singing by both women but for very different reasons.

Recently a client asked me to create a training course on how to train operators. I could have taught the operators myself, but there were so many people that needed training that we felt it would be more cost effective to train the trainers.

Usually I have multiple presentations archived that I can draw upon, but this time I had nothing. I had never trained engineers on how to be trainers before—at least not formally. I thought about what kinds of problems other Quality Managers have had in training internal auditors and how I have helped the auditors improve. The one theme I recognized was that most auditors needed feedback.

I finally decided to use the Deming Cycle (Plan-Do-Check-Act, or PDCA) as my framework for the training. Most QA Managers are very experienced and have little trouble planning an audit schedule. The next step is to do the auditing. The problem is that there is very little objective oversight of the auditing process. The Standard requires that “Auditors shall not audit their own work.” Therefore, most companies will opt for one of two solutions for auditing the internal audit process: 1) hire a consultant, or 2) ask the Director of Regulatory Affairs to audit the internal auditing process.

Both of the above strategies meet the requirements of the Standard, but neither strategy helps to make internal auditors better. I have interviewed a lot of audit program managers, maybe 50+, and the most common feedback for auditors is “change the wording of this finding” or “you forgot to close this previous finding.” This type of feedback is related to the report writing phase of the audit process. I rarely hear program managers explain how they help auditors improve at the other parts of the process.

When auditors are first being trained we typically will provide examples of best practices for audit preparation, checklists, interviewing techniques AND reports. After the auditors have been “shadowed” by the program manager for an arbitrary three times the auditors are now miraculously “trained.” Let’s see if I can draw an analogy that will make my point…

That kind of sounds like watching your 16 year-old drive the family car three times and then giving them a license. I guess that’s why my new Ford Festiva was severely dented on all four sides within 6 months. You might think my father was a Saint, but I think he might have totaled his tenth car by age 18. At least I contained the damage to one vehicle.

Anyway the key to training auditors to audit, or anyone on anything, is consistent follow-up over a long period of time.

The question is…was my training successful?

Well, how much follow-up training of the trainers did the client ask for?

Risk Management – It’s Not My Job

In Contract Manufacturers, International Standard, ISO, ISO 14971, Medical Device, QA, QC, Quality, Quality Management Systems, Risk Analysis, Risk Management, Supplier Audit, Supplier Audits, Supplier Qualification, Supplier Quality on January 5, 2011 at 4:12 am

There’s no deeper meaning to this week’s YouTube selection. I just thought I would share one of my favorite guitar soloists with you. The recording quality is only good, but just watching Tim play reveals how freakishly good he is. I highly recommend the live CD with Dave Matthews and Tim Reynolds. If someone knows of a better quality recording that I can post in my blog, please let me know.

Have you experienced a discussion similar to this?

Auditor: “How do you manage risk throughout the production process?”

Auditee: “That is the responsibility of our customers. We will prepare a risk analysis if customers pay for it, but usually customers do the risk analysis.”

Most contract manufacturers in the medical device industry exclude design from their Quality Management Systems. Unfortunately, most of the contract manufacturers also associate risk management with only the design process. Risk Management cannot be “not applicable” in an ISO 13485 Quality Management System. The requirement of section 7.1 is: “The organization shall establish documented requirements for risk management throughout product realization. Records arising from risk management shall be maintained.” The Standard also references ISO 14971 as a source of guidance on Risk Management.

For a contract manufacturer, compliance with ISO 14971 is not my primary concern as an auditor. My primary concern is to verify that contract manufacturers analyze risks associated with the processes that they perform and do their best to minimize those risks. What I don’t understand is why more companies don’t want to have a strong risk management process. Risk management is how we prevent bad things from happening. Bad things like scrap, complaints and recalls. Should we expect our suppliers to have a strong risk management process?

Duh.

Contract manufacturers should be doing everything they can to get better at risk management. During pre-production planning they should be asking, “What happens if…” The contract manufacturer knows best HOW things will fail in production, while the customer knows best WHAT happens when things fail in production. In order to be safe and effective, both companies need to collaborate on risk analysis.

The reason companies avoid doing risk analysis is because it’s time consuming and tedious.

Too bad, so sad.

Balancing my checkbook is time consuming and tedious too, but I balance my checkbook to prevent an overdraft charge. Not doing risk analysis can be much more painful. Scrapping out a part can cost tens or hundreds of dollars. Complaints can cost thousands of dollars. Recalls can cost millions of dollars.

If I owned a contract manufacturing company, I would make sure that everyone in the company is involved in risk management, because we don’t want scrap, we can’t afford mistakes that lead to complaints, and a recall will put us out of business.

Supplier Evaluation – Take 5

In Forward to MDA, International Standard, ISO, Medical Device, Purchasing, QA, QC, Quality, Quality Management Systems, Supplier Audit, Supplier Audits, Supplier Qualification, Supplier Quality on January 3, 2011 at 9:47 pm

This blog has been moved to the following location and the name has been changed: http://bit.ly/SupplierEval-take5.

This blog website and the blogs within it are gradually being transferred over to my new website: http://www.MedicalDeviceAcademy.com. The titles may change, and there may be minor revisions to the content as the blogs are reviewed and edited. There will be a subscription list created for the new blog site. If you would like to be added to the list for the new blog site, please email me directly at: rob@13485cert.com.

Supplier Evaluation – Less is More

In Forward to MDA, International Standard, ISO, Medical Device, Purchasing, QA, QC, Quality, Quality Management Systems, Supplier Audit, Supplier Audits, Supplier Qualification, Supplier Quality on January 2, 2011 at 8:26 pm

This blog has been moved to the following location: http://bit.ly/Less-is-more.
