13485cert

Archive for the ‘Quality Management Systems’ Category

How do you prepare for ISO 13485 registration?

In ISO 13485, Quality Management Systems on December 6, 2012 at 2:40 am

A LinkedIn connection of mine recently asked for sources of good guidance on ISO 13485 registration. I wrote a blog recently about Quality Management Systems in General, but I had trouble finding resources specific to the ISO 13485 registration process. Therefore, I decided to write a blog to answer this question.

Here’s my favorite movie clip with a song for you.

Typically people learn the hard way by setting up a system from scratch. The better way to learn it is to take a course on it. I used to teach a 2-day course on the topic for BSI. The link for this course is: http://bit.ly/Get13485; I shortened the link to the BSI website.

Other registrars offer this course too. I suspect you can find a webinar on this through TUV SÜD, BSI, SGS, LNE/GMED, Dekra, etc. from time to time.

The only registrar I could find that described the process step-by-step was Dekra. I have copied their steps below:

Inquiry to Surveillance in 5 Steps

1. Inquiry
An initial meeting between [THE REGISTRAR] and the client can take place on site or via teleconference. At this time, the client familiarizes [THE REGISTRAR] with company specifics and its quality assurance certification requirements; [THE REGISTRAR] explains its working methods and partnering philosophy, and previews the details of the process.

Rob's 2 Cents

Rob’s 2 Cents

As a client I have completed two initial certifications personally and three transfers, but I have only once had the sales representative actually visit my company. I think this process is typically accomplished by phone and email. If any registrars are reading this, you will close on more accounts if you visit prospective clients personally. In fact, the one that actually visited my company (Robert Dostert) has been on speed dial for almost a decade and he’s received a bit of repeat business.

2. Application Form
The client chooses to move forward by filling out an online application form. Based on the information obtained during the inquiry stage, along with the application form, [THE REGISTRAR] prepares a quote, free of charge, for the entire certification process. A client-signed quotation or purchase order leads to the first stage of the certification process.

Rob's 2 Cents

Rob’s 2 Cents

For both of the Notified Body transfers I completed, I completed application forms and requested quotes from multiple Notified Bodies. During the quoting process, my friend Robert was more responsive and able to answer my questions better than the competition. Robert was also able to schedule earlier audit dates than the competition. To this day I am still amazed that Notified Bodies are not more responsive during this initial quoting process. All of the Notified Bodies are offering a certificate (a commodity). The customer service provided by each Notified Body, however, is not a commodity. Each Notified Body has it’s own culture, and every Notified Body has good and bad auditors. Therefore, you need to treat this selection process just like any other supplier selection decision. I have provided guidance on this specific selection process on more than one occasion, but I am definitely biased.

3. Phase One: Document Review and Planning Visit

LNE/GMED Flow Diagram for the process of ISO 13485 Certification

LNE/GMED Flow Diagram for the process of ISO 13485 Certification

At this stage, [THE REGISTRAR] performs a pre-certification visit, which entails verifying the documented quality systems against the applicable standard. [THE REGISTRAR] works with the client to establish a working plan to define the [THE REGISTRAR] Quality Auditing process. If the client wishes, [THE REGISTRAR] will perform a trial audit or “dress rehearsal” at this stage. This allows the client to choose business activities for auditing and to test those activities against the applicable standard. It also allows the client to learn and experience [THE REGISTRAR] ‘s Quality Auditing methods and style. The results of the trial audit can be used toward certification. Most clients elect for one or two days of trial auditing.

Rob's 2 Cents

Rob’s 2 Cents

Dekra’s statement that, “The results of the trial audit can be used toward certification,” is 100% opposite from BSI’s policy. BSI calls this a pre-assessment. The boilerplate wording used in BSI quotations is, “The pre-assessment is optional service that is an informal assessment activity intended to identify areas of concern where further attention would be beneficial and to assess the readiness of the quality management system for the initial formal assessment.” During these pre-assessments, BSI auditors explain that any findings during the pre-assessment will not used during the Stage 1 and Stage 2 certification audits, and the client will start with a “clean slate.” Most of the clients I conducted pre-assessments for were skeptical of this, but most auditors are ethical and make a every effort to avoid even the perception of biasing their sampling during the Stage 1 and Stage 2 audits. I highly recommend conducting a pre-assessment. You want an extremely thorough and tough pre-assessment so that the organization is well prepared for the certification audits. If the auditor that will be conducting the Stage 1 and Stage 2 audit is not available to conduct a pre-assessment, try to find a consultant that knows the auditors style and “hot buttons” well. FYI…You can almost always encourage me to do a little teaching when I’m auditing (I just can’t resist), and my “hot buttons” are CAPA,  Internal Auditing, and Design Controls.

4. Phase Two: Final Certification Audit 
Once the client’s documented systems have met the applicable standards, [THE REGISTRAR] will conduct an audit to determine its effective implementation.  [THE REGISTRAR] uses a professional auditing interview style instead of a simple checklist approach. This involves interviewing the authorized and responsible personnel as designated in the documented quality system.

Rob's 2 Cents

Rob’s 2 Cents

For certification audits, ISO 17021 requires a Stage 1 and Stage 2 audit to be conducted. The combined duration of the certification audits must be in accordance with the IAF MD9 guidance document–which is primarily based upon the number of employees in the company. The “interview style” that Dekra is referring to is called the “Process Approach”. This is required in section 0.2 of the ISO 13485 Standard, and this is the primary method recommended by the ISO 19011 Standard for auditing–although other methods of auditing are covered as well.

5. Surveillance 
[THE REGISTRAR] arranges for surveillance audits semi-annually or annually as requested by the client.

Rob's 2 Cents

Rob’s 2 Cents

I highly recommend annual surveillance audits, because the short duration of surveillance audits becomes unrealistically short when the auditor is asked to split their time between two semi-annual visits. A few clients have indicated that the semi-annual audits help them by maintaining pressure on the organization to be ready for audits all year-round and prevents them from procrastinating to implement corrective actions. This is really an issue of management commitment that needs to be addressed by the company. Scheduling semi-annual surveillance audits is doesn’t address the root cause. The only good argument I have for semi-annual cycles is if you have a very large facilities that would have an audit duration of at least 2 days on a semi-annual basis. The most important think to remember about scheduling surveillance audits is to make sure that you schedule the audits well before the anniversary. I recommend 11 months between audits. By doing this, you end up scheduling the re-certification audits 3 months before the certificate expires. BSI has a different policy. They want auditors to schedule the first surveillance audit 10 months after the Stage 2 audit, the second surveillance audit 12 months after the first surveillance audit, and then the re-certification audit must be scheduled at least 60 days prior to certificate expiration (i.e.  – no more than 12 months after the second surveillance audit). No matter what, schedule early.

If you have additional questions about becoming ISO 13485 registered, please post a discussion question in the following LinkedIn subgroup: Medical Device: QA/RA. For example, on Monday a new discussion question was posted asking for help with selection of a Notified Body for CE Marking. You will need to become a member of the parent group (Medical Device Group)–if you are not already one of the 140,000+ members connected with Joe Hage. George Marcel and I manage this subgroup for Joe. George is out in the Bay Area and I’m in the Green Mountains.

Where can I learn about this Quality Management System (QMS) stuff?

In ISO, ISO 13485, Quality Management Systems on November 10, 2012 at 7:03 pm

A blog follower from Jon Speer’s website, Creo Quality, recently sent me a message asking for sources of good guidance on this Quality Management System (QMS) Stuff. There are a bunch of links below for you to follow and some practical advice. Enjoy learning!

J’aime Pink Martini et le chant de China Forbes.

The single best guidance document on the implementation of a QMS system in accordance with ISO 13485 is “13485 Plus” (type in the words in quotes to the CSA search engine).

There are also a bunch of pocket guides you can purchase for either ISO 9001 or ISO 13485 to help you quickly look-up information you are having trouble remembering. One of my Lead Auditor students recommended one pocket guide in particular and she was kind enough to give me her copy.

There are some webinars out there that provide an overview of QMS Standards. Some are free and some have a modest fee. I’m not sure the value is there for these basic overview webinars, but if you need to train a group it’s a great solution. I know BSI has several webinars that are recorded for this purpose.

AAMI has an excellent course on the Quality System Regulations (QSR) which combines 21 CFR 820 and ISO 13485.

There are a number of blogs I recommend on my website.

You can try to identify a local mentor–either in your won company or at your local ASQ Section.

You can join the following LinkedIn subgroup: Medical Device: QA/RA. You will need to become a member of the parent group (Medical Device Group)–if you are not already one of the 140,000+ members connected with Joe Hage. George Marcel and I manage this subgroup for Joe. George is out in the Bay Area and I’m in the Green Mountains.

You can visit the Elsmar Cove website and participate in the discussions you find there. I wrote a blog about Elsmar Cove a while back (wow almost 2 years ago now).

The best way to learn this stuff is to do all of the above.

And for the encore performance…

Burn the binders and get a Wiki

In Document Control, Elsmar Cove, Procedures, Quality, Quality Management Systems, Wiki on August 10, 2012 at 12:11 pm

Procedures can always be improved, but our goal is to make better products—not better procedures. So what could possibly be so interesting about document control that I feel compelled to write another post about “blah, blah, blah?”

          I read an article about using Wiki’s for document control.

For today’s entertainment I selected another famous Brit, but this song is the only piece I have heard him sing in French.

A Wiki is just a collaborative environment where anyone can add, delete and edit content. All changes are saved and Wiki’s can be controlled—while simultaneously being available to everyone. The most famous of all Wikis is Wikipedia.

In 2009, Francisco Castaño (a.k.a. – Pancho) began a discussion thread to explain how his company was using a Wiki to manage their documentation system. In the last month, ASQ published an update on the status of Pancho’s Wiki process for document control.

In most companies, the process owner writes procedures and other people in the company rarely comment on minor errors. In the most dysfunctional companies, the Quality Department writes the procedures for the rest of the company or outsources it to consultants. Reviewing and editing procedures should be the responsibility of everyone in the company, but I never considered the possibility of having everyone within a company edit procedures simultaneously—until I saw Pancho’s thread. Throughout the discussion others have indicated that they also tried using Wikis to optimize content. This is a genius idea that is coming of age.

Many QMS consultants, including myself, have written procedures for clients. Sometimes this is part of the consulting business model. In these cases, the consultant writes a procedure once and edits it forever—while getting paid a modest fee each time a client asks for a “new” procedure. I often think that it would make more sense to do something like Linux developers have done—use the collaboration of QMS experts around the world to create a generic procedure that is free to everyone. Using Wiki’s that are publicly available this is entirely possible.

In the very near future (hopefully 2013), the responsibilities section of our procedures will fundamentally change. Instead of reading and understanding, everyone will be responsible for writing and editing (oh no, I’ll have to create a new learning pyramid).

Quality will no longer be responsible for writing procedures. Instead, the quality function can focus on monitoring, measuring, data analysis, and improvement of processes and product. The downside is that we will need fewer people in document control.

If you want to learn more about Wiki for document control, follow this thread I found on Elsmar Cove. It rich in content and even the moderators have been forced to rethink their preconceptions.

You should also read two articles by Pancho:

  1. Using a Wiki for Document Control
  2. Using a Wiki to Implement a Quality Management System

Attention Auditors! – Have you read ISO 19011?

In Audit Schedule, Internal Auditing, International Standard, ISO, ISO 19011, PDCA, Procedures, Quality Management Systems on July 20, 2012 at 2:58 pm

If you have ever taken a lead auditor course, one of the critical handouts for the class should have been ISO 19011. The title is “Guidelines for Auditing Management Systems”. In November of last year, this standard was updated and the changes were not superficial.

The background entertainment for this week is one of my favorite modern rock songs, but it never seemed to get much air time. I hope you enjoyed the 90’s.

ISO 19011 covers the topic of quality management system auditing. This Standard provides guidance on managing audit programs, conducting both internal and external audits, and how to determine auditor competency. Improvements to the New 2011 Version of the Standard include:

  1. Broadening the scope to all management systems
  2. Clarifying the relationship between ISO 17021 and ISO 19011
  3. Introduction of the remote audit methods
  4. Introduction of risk as an auditing concept
  5. Confidentiality is a “new” principle
  6. Clause 5, Managing an audit program, was reorganized
  7. Clause 6, Performing an audit, was reorganized
  8. Clause 7, Competence and evaluation of auditors, was reorganized & strengthened
  9. Annex B is new and the contents of the help boxes was moved to this Annex
  10. Annex A now includes examples of discipline-specific knowledge and skills

One of the most common points of confusion in the lead auditor course is the difference between 1st, 2nd and 3rd party audits. In the previous revision of this Standard, this was just a note at the bottom of page 1 and the top of page two. The note was not very clear either. The new version of 19011, in Table 1 (reproduced below), the difference between these three types of auditing is crystal clear:

The above table is just an example of the improvements made to ISO 19011, and of course there is little value-add to clarifying a definition. Figure 1 from the new version, “Process flow for the management of an audit program, is a better example of a “value-add”. This vertical flow chart is reminiscent of Figure 1 from ISO 14971:2007. It categorizes the various stages of audit program management into the Plan-Do-Check-Act (PDCA) cycle. I highly recommend this style for presenting any process in your internal procedures as an example of best practices in writing an SOP. The flow chart even references each of the clauses in the Standard. Unfortunately Figure 2, “Typical audit activities”, does not categorize the stages of audit activities (Clauses 6.2 – 6.7 of the revised Standard) into the PDCA cycle. I guess they needed to leave some improvement for the next revision.

The new version retained the opening meeting checklist that was in the previous revision (Clause 6.4.2), and Clause 6.4.9 has a brief closing meeting checklist. Figure 3, “Overview of the process of collecting and verifying information”, is a poor example of a flow chart. Should I make a better one? (Send me an email if you think I should.)

The most valuable changes in this revision are Clause 5.3.2, “Competence of the person managing the audit program”, and all of Clause 7. Most of the audit procedures I read neglect to define the qualifications and method for determining competency of the audit program manager. Clause 5.3.2 tells you how. Put it in your own procedure. Most of the procedures I read include qualifications for a “Lead Auditor”, but I seldom see anything regarding competency. Unfortunately, this Standard only specifically addresses “Lead Auditor” competency in a two-sentence paragraph—Clause 7.2.5. When I teach people how to be a lead auditor, I spend more than an hour on this topic alone.

The Standard would be more effective by providing an example of how 3rd party auditors become qualified as a Lead Auditor. 3rd party accreditation requires the auditor to be an “acting lead” for audit preparation, opening meeting, conducting the audit, closing meeting, and final preparation/distribution of the audit report. This must be performed for 15 certification audits (i.e. – Stage 2 certification or recertification), and another qualified lead auditor must evaluate you and provide feedback.

The last big additions to this Standard were the Appendices. Annex A provides examples of discipline-specific knowledge and skills of auditors. This section is a little on the boring side. I prefer to tell a story about the internal auditor that was auditing incoming inspection—but they had no idea how to check for calibration or how to measure components. Appendix B, the finale, has a table (Table B.1) that provides some guidance on how to conduct remote audits (i.e. – desktop audits). I was pleased to see that conducting interviews is a major part of remote auditing in this table. Section B.7 provides some suggestions with regard to conducting interviews, but if you exhibit all 13 of the professional behavior traits found in Clause 7.2.2 then you really don’t need any advice on how to speak with people. For the rest of us mortals, we could use a five day course on interviewing alone.

Additional guidelines are available on the ISO website.

How do you control design changes?

In Change Control, Class IIb, Class III, Design & Development, ISO, ISO 13485, ISO 14971, Medical Device, PMA, Quality, Quality Management Systems, Risk Management on May 4, 2012 at 4:59 am

Of JB’s recommended artists, the Josh Abbott Band was probably my favorite. I especially liked this one. I hope every man is lucky enough to know a girl like Texas. I’m lucky enough to have married a girl that grew up in Texas. They are something special.

We have been discussing the best ways to control design changes at work, and I thought it might present an opportunity to have more of an interactive discussion with my readers.

During my rounds as a 3rd party auditor, I have seen quite a few design control procedures. The most complex consisted of 19 procedures (NOT recommended, but there were no nonconformities). The most simple consisted of one 4-page procedure, which I wrote, but I would never recommend being this brief. I have created a couple of polls in my LinkedIn profile for you to respond to if you would like to share your own company’s “design control stats”:

http://linkd.in/IJtoBL

The problem I see is that most projects are not new product designs. Sometimes the projects are not even major design changes. I think most changes involve supplier changes, component specification improvements, and design for manufacturability. These changes require review and approval of changes. These changes must also be recorded and retained as a Quality Record.

My own personal preference is to always open a design project—no matter how small the change is. In order to make the process flexible, I also prefer to define how many design reviews each project will have in the design plan rather than mandating that design reviews be held in a stage-gate fashion for 100% of projects.

Most companies will have a table of requirements with columns added to indicate if the requirements are mandatory for the project or optional. For example, “risk management plan needs to be updated? Yes/No.” I like this approach, because the table of requirements makes the decision making systematic.

Sometimes a change is only to a work instruction for a step in the manufacturing process. In these cases, some companies will use a document change order process to supplement the engineering change order process.

My feeling is that more complex products (i.e. – Class IIb & Class III in EU and Class III/PMA in US) will require more stringent design controls for the change. What does your company do to control design changes?

How do you qualify a supplier that doesn’t have a Quality Management System?

In Forward to MDA, ISO 13485, Procedures, Purchasing, Quality Management Systems, Supplier Audit, Supplier Audits, Supplier Qualification, Supplier Quality, Supplier Survey on March 9, 2012 at 12:11 pm

This blog has been moved to the following location, and the title has been changed: http://bit.ly/NoQMSupplier.

This blog website and the blogs within it are gradually being transferred over to my new website: http://www.MedicalDeviceAcademy.com. The titles may change, and there may be minor revisions to the content as the blogs are reviewed and edited. There will be a subscription list created for the new blog site. If you would like to be added to the list for the new blog site, please email me directly at: rob@13485cert.com.

To cats from dogs–Thank you:-)

In ISO 13485, Quality Management Systems on February 29, 2012 at 2:57 am

I’m going on a new kind of journey, and this song just seemed to fit my mood.

Today was my last day as an external resource for BSI and tomorrow will be my last day as an independent consultant. On March 1st, I begin a new job as Sr. Regulatory Affairs Manager for Delcath Systems, Inc. in Queensbury, NY. I am grateful to everyone that I had the pleasure of meeting during the past two-and-half years as a 3rd party auditor, instructor and consultant. I have learned so much from you all. Your parting wishes were very kind and supportive. I sent out emails to as many of you as I could to notify you of this change. Instead of brief acknowledgement and “Good Luck!”, I received genuine words of thanks and compliments that made me feel very lucky that we have had such an unusual relationship for an auditor and auditee—very much like cats and dogs that learn to live together in the same house.

One of you described the typical relationship with an auditor quite well, “Having an auditor come to your place is always a somehow stressful time. You are always afraid of failing somewhere.” This same person sent me an email last night saying, “I feel like you are one of my friends.” Another auditee walked by me and another team member a few weeks ago while we were waiting for a ride. Instead of avoiding eye contact and walking right on by, he stopped and thanked us for really helping to bring attention to areas that need improvement. This same gentleman had endured a tough interview by me, where I pointed out mistakes in drawings, procedures and his own QC inspection of incoming raw materials. This person has the right attitude.

As an auditor we must come to a conclusion as to whether the evidence we collect demonstrates conformity or nonconformity. When we identify nonconformities, we must explain our conclusions. The toughest part of the job is how to “break the news.” If you do it well, the auditee will agree with you and thank you for helping to improve the quality system. If you do it poorly, the auditee will resent you and may even toss you on your ear.

In my first ever ISO certification audit, I was the auditee and the auditor that interrogated our team was horrible. Not only did the auditor “break the news” poorly, the conclusions were wrong in several instances. To make matters worse, the CEO and the regulatory consultant I had hired were so upset with our auditor that I had to play referee just to keep them from killing the auditor. We received a recommendation for ISO 13485 certification at end of that audit, but I learned a valuable lesson: “Always look at an audit as an opportunity to improve.” The worst that can happen is that the auditor will require you to implement a corrective action. The best that can happen is that you will need to perform internal audits to identify opportunities for corrective actions on your own. Who cares who finds the opportunities to improve?

Auditors and auditees may be cats and dogs, but we should learn to help each other get better without getting upset or feeling anxious.

My 3rd party auditing days may be done, but I will continue to share my thoughts through this blog and I hope you will share your feedback too.

Why 5 Why?

In CAPA, QA, Quality, Quality Management Systems, Root Cause, Root Cause Analysis on October 2, 2011 at 1:03 am

It’s been a while since I made the time for a posting, but I’ve seen a trend of companies overusing the “5 Why” technique so I just felt the need to share this. Enjoy one of my favorite songs too. If you could only hear me sing it in the shower too.

If an auditor finds a nonconformity, the process owner is assigned to a CAPA. The first step of the CAPA process is to investigate the cause or causes. Some auditors recommend using a technique called the “5 Why” process to identify the root cause. PLEASE TELL THEM TO STOP!

The purpose of investigating the causes of a nonconformity is to determine how big the problem is (i.e. – breadth) and what the underlying causes are (i.e. – depth). The 5 Why process only addresses depth. So why do auditors recommend using this tool? Because the concept is simple to understand.

Unfortunately, not every problem is deep. Other problems have more than one cause. There is no magic behind asking why five times. The principle behind this overly-used technique is to encourage process owners to look deeper into the underlying issues instead of stopping at the obvious specific causes. The intent behind implementing a mandatory “5 Why” process is admirable—but wrong.

There are other techniques. Please try using them.

Cause and Effect Diagrams, also known as “Fish Bone Diagrams” or “Ishikawa Diagrams”, are popular tools for investigating problems in the automotive and aerospace industries. This method involves systematically investigating six categories of potential causes. These six categories are often referred to as the six “M’s”: 1) manpower, 2) mother-nature, 3) machine, 4) material, 5) method, and 6) measurement. This technique is particularly effective, because it is a systematic technique that investigates breadth of problems. Is/Is Not Analysis is another tool used to help process owners narrow down the source of a problem when they really don’t know which category of potential causes matter. For example, an investigator might ask the following questions in conjunction with the Cause and Effect Diagrams: 1) “Is this problem observed with any other employees?”, 2) “Did this problem only occur during hot and humid summer months?”, 3) “Did this problem occur in cavity #4 of parts or all cavities?”, 4) “Is this problem observed in cobalt chrome parts only or titanium implants as well?”, 5) “Do we observe failed crystals for only circuit boards that are reworked by hand or for circuit boards that are built entirely by automated assembly as well?”, and 6) “Were all the defective parts inspected using the same thread gauge?”

The above questions are sophisticated questions that may require a cross-functional team to properly answer. It may be necessary to review lots of records from previous lots. It may be necessary to interview operators to gather information that is not included in the records. It might be necessary to design experiments to verify theories. Often it is necessary to use multiple techniques together. The point is that a thorough investigation is not simple.

If a finding is a simple administrative oversight, there are four common causes: 1) insufficient training, 2) insufficient resources, 3) insufficient management oversight, and 4) insufficiently detailed procedures. If multiple people believe that one of these four causes is the problem, look to other areas to see if a similar problem occurs elsewhere—this is investigation of breadth. If the problem is observed in other places, there is a systemic problem that requires asking “Why?” at least one more time. If the problem is isolated, to the area where it was found, then there is probably no need for asking “Why?” again and again.

If your company’s CAPA procedure requires that you use the “5 Why” technique, please consider rewriting the procedure to encourage process owners to “investigate the cause with an appropriate root cause investigation technique such as one of the following…”. This flexible approach requires more thorough training, resources, and management oversight. However, an overly prescriptive CAPA procedure is often ineffective at preventing recurrence of problems.

Death by CAPA

In CAPA, ISO, ISO 13485, Quality, Quality Management Systems on June 15, 2011 at 9:15 am

I have no theme to relate this song with my posting, but you just can’t go wrong with blue jeans and a black t-shirt…

You might want to play this video twice…it’s a long posting.

I completed almost 100 audits in the past two years, and I review the Corrective Action and Preventive Action (CAPA) process during every single audit. Surprisingly, this seems to be a process with more variation from company to company than almost any other process I review. This also seems to be a major source of non-conformities. In the ISO 13485 Standard, clause 8.5.2 (Corrective Action) and clause 8.5.3 (Preventive Action) have almost identical requirements. Third-party auditors, however, emphasize that these are two separate clauses. We are purists. Although we acknowledge that companies may implement preventive actions as an extension to a corrective action, we also expect to see examples of actions that are strictly preventive in nature.

Many companies seem to be confused, but it doesn’t need to be. Just ask yourself one question. What is the source of this action?

If the answer is a complaint, audit nonconformity, or rejected components—then your actions are corrective.

If the answer is, a negative trend that is still within specifications or an “opportunity for improvement” (OFI) identified by an auditor—then your actions are preventive.

If you are investigating the root cause of a complaint, people will sample additional records to estimate the frequency of the quality issue. I describe this as investigating the depth of a problem. The FDA emphasizes the need to look to other product lines, or processes, to see if a similar problem exists. I describe this as investigating the breadth of a problem. Most companies describe actions taken on other product lines and/or processes as “preventive actions.” This is not always accurate. If a problem is found elsewhere, actions taken are corrective. If potential problems are found elsewhere, actions taken are preventive. You could have both types of actions, but most people incorrectly identify corrective actions as preventive actions.

Another common mistake is to characterize corrections as corrective actions.

The most striking difference between companies seems to be the number of CAPAs they initiate. There are many reasons, but the primary reason is failure to use a risk-based approach to CAPAs. Not every quality issue should result in the initiation of a formal CAPA. The first step is to investigate the root cause of a quality issue. The FDA requires that the root cause investigation is documented, but if you already have an open CAPA for the same root cause…

DO NOT OPEN A NEW CAPA!!!

If you do not have a CAPA open for the root cause that you identify, then what should you do?

I know this will shock everyone, but…it depends.

The image below gives you my basic philosophy.

 

 

 

 

 

 

 

 

Most investigations document the estimated probability of occurrence for a quality issue. This is only half of the necessary risk analysis I describe below. Another aspect of an investigation is to document the severity of potential harm resulting from the quality issue. If customer satisfaction, safety or efficacy are affected by a quality issue—the severity is big. Risk is the product of severity and probability of occurrence.

If the estimated risk is low and probability of occurrence is known, then alert limits and action limits can be statistically derived. These quality issues are candidates for continued trend analysis—although the alert limit or action limit may be modified in response to an investigation. If the trend analysis results in identifying events that require action, then that is the time when a formal CAPA should be opened. If the trend remains below your alert limit, then no formal CAPA is needed.

If the estimated risk is moderate or the probability of occurrence is unknown, then a formal CAPA should be considered. Ideally, you will be able to establish a base-line for occurrence and demonstrate that frequency decreases upon implementation of corrective actions. If you can demonstrate a significant drop in frequency, this verifies effectiveness of actions taken. If you need statistics to show a difference, then your actions are not effective.

If estimated risk is high or there are multiple causes that require multiple corrective actions, a quality improvement plan may be more appropriate. There are two clauses in the Standard that apply. Clause 5.4.2 addresses planning of changes to the Quality Management System. For example, if you correct problems with your incoming inspection process—this addresses 5.4.2. Clause 7.1 addresses planning of product realization. For example, if you correct problems with a component specification where the incoming inspection process is not effective—this addresses 7.1. Depending upon the number of contributing causes and the complexity of implementing solutions, the plan could be longer or shorter. If it will take more than 90 days to implement a corrective action, you might consider the following approach.

Step 1 – open a CAPA

Step 2 – identify the initiation of a quality plan as one of your corrective actions

Step 3 – close the CAPA when your quality plan is initiated (i.e. – documented and approved)

Step 4 –verify effectiveness by reviewing the progress of the quality plan in management reviews and other meeting forums…you can cross-reference the CAPA with the appropriate management review meeting minutes in your effectiveness section

If the corrective action required is installation of new equipment and validating that equipment, the CAPA can be closed as soon as a validation plan is created. The effectiveness of the CAPA is verified when the validation protocol is successfully implemented and a positive conclusion is reached. The same approach also works for implementing software solutions to better manage processes. The basic strategy is to get the long-term improvement projects started with the CAPA system, but monitor the status of these projects outside the CAPA system.

Best practices would be the implementation of Six-sigma projects with formal charters for each long-term improvement project.

NOTE: I believe in closing CAPAs when actions are implemented, and tracking the effectiveness checks for CAPAs as a separate quality system metric. If closure takes more than 90 days, the CAPA should probably be converted to a Quality Plan. This is NOT intended to be a “work around” to give companies a way to extend CAPAs that are not making progress in a timely manner.

FAQ #1: But what about the FDA requirements?

In Internal Auditing, International Standard, ISO, ISO 13485, JPAL, MO # 169, Quality Management Systems on June 1, 2011 at 2:37 am

I thought I would expand my usual musical range to include some of the music I grew up with. I hope you enjoy this fantastic performance.

I hear this question, or a question with similar wording, quite frequently when I am auditing. Typically the question is in response to a better way to do something that seems simple and efficient. Most people seem to approach regulatory requirements with the approach of…let’s bury the regulator. While it’s true that we expect a certain amount of paperwork with each regulatory requirement, we frequently are accepting of a much broader range in stack heights. For example, a design controls procedure could be a one page flow-chart that references forms and work instructions. A design controls procedure could also be twelve separate documents with a minimum length of ten pages and a maximum of forty pages per document. As long as the procedure has sufficient detail for the people performing these tasks and all the required elements are included, ISO clauses 7.3.1-7.3.7, then we have no choice but to identify the procedure as conforming.

The above example is the perspective of an auditor looking for CONFORMITY!

However, some people are inspectors that are looking for NONCONFORMITY!

In the case of inspectors, it is critical to present your information in such a way that it is easy for the inspector to see how you meet the requirements of the regulations. One of the best ways to do that is to reference the requirements directly in your procedures.

For those that prefer finesse…try to organize information in accordance with the regulations. For example, if I am writing a procedure for an ISO registration audit, I write the procedure to specifically address the ISO sub-clauses. I might even use a document control number like: SOP-73 for my “Design and Development” procedure. Alternatively, if I’m writing a procedure for a JPAL audit, I might change my document control number to SOP-3036 for my “Design and Development” procedure. This matches up with JPAL Ministerial Ordinance #169, Articles 30 through 36. In this case, the document control number suggests compliance with the Japanese regulations. A little subconscious suggestion couldn’t hurt.

In my previous blog posting, I suggested a slight change to the scheduling of internal audits. In order to make sure this meets FDA requirements, the key is to READ THE REGULATIONS AGAIN. With regard to internal auditing, the applicable FDA regulation is: 21 CFR 820.22:

“Each manufacturer shall establish procedures for quality audits and conduct such audits to assure that the quality system is in compliance with the established quality system requirements and to determine the effectiveness of the quality system. Quality audits shall be conducted by individuals who do not have direct responsibility for the matters being audited. Corrective action (s), including a reaudit of deficient matters, shall be taken when necessary. A report of the results of each quality audit, and reaudit(s) where taken, shall be made and such reports shall be reviewed by management having responsibility for the matters audited. The dates and results of quality audits and reaudits shall be documented.”

The above requirement is quite vague with regard to how many auditors and how many days must be spent auditing. These are the variables I suggested changing in my previous posting. The FDA regulations are specific, however, with regard to documenting the “reaudit” of any deficiencies found during an audit. This prescriptive requirement can be met by reviewing previous audit findings of all audits with the audit program manager during the audit preparation process. The audit program manager can facilitate the assignment of which auditor will reaudit each finding. This may require a few more minutes of audit preparation, but this should not measurably impact the overall time allocated to an audit.

Somehow the above prescriptive requirement slipped my mind. I do this out of habit when I am performing internal audits on behalf of clients, but if I am auditing the internal audit process of a client—now I’ll remember to point out this additional requirement that is specific to the FDA and not included in the ISO Standard. This is why we should always READ THE REGULATIONS AGAIN.

%d bloggers like this: