Procedures can always be improved, but our goal is to make better products—not better procedures. So what could possibly be so interesting about document control that I feel compelled to write another post about “blah, blah, blah?”
I read an article about using Wiki’s for document control.
For today’s entertainment I selected another famous Brit, but this song is the only piece I have heard him sing in French.
A Wiki is just a collaborative environment where anyone can add, delete and edit content. All changes are saved and Wiki’s can be controlled—while simultaneously being available to everyone. The most famous of all Wikis is Wikipedia.
In 2009, Francisco Castaño (a.k.a. – Pancho) began a discussion thread to explain how his company was using a Wiki to manage their documentation system. In the last month, ASQ published an update on the status of Pancho’s Wiki process for document control.
In most companies, the process owner writes procedures and other people in the company rarely comment on minor errors. In the most dysfunctional companies, the Quality Department writes the procedures for the rest of the company or outsources it to consultants. Reviewing and editing procedures should be the responsibility of everyone in the company, but I never considered the possibility of having everyone within a company edit procedures simultaneously—until I saw Pancho’s thread. Throughout the discussion others have indicated that they also tried using Wikis to optimize content. This is a genius idea that is coming of age.
Many QMS consultants, including myself, have written procedures for clients. Sometimes this is part of the consulting business model. In these cases, the consultant writes a procedure once and edits it forever—while getting paid a modest fee each time a client asks for a “new” procedure. I often think that it would make more sense to do something like Linux developers have done—use the collaboration of QMS experts around the world to create a generic procedure that is free to everyone. Using Wiki’s that are publicly available this is entirely possible.
In the very near future (hopefully 2013), the responsibilities section of our procedures will fundamentally change. Instead of reading and understanding, everyone will be responsible for writing and editing (oh no, I’ll have to create a new learning pyramid).
Quality will no longer be responsible for writing procedures. Instead, the quality function can focus on monitoring, measuring, data analysis, and improvement of processes and product. The downside is that we will need fewer people in document control.
If you want to learn more about Wiki for document control, follow this thread I found on Elsmar Cove. It rich in content and even the moderators have been forced to rethink their preconceptions.
Of JB’s recommended artists, the Josh Abbott Band was probably my favorite. I especially liked this one. I hope every man is lucky enough to know a girl like Texas. I’m lucky enough to have married a girl that grew up in Texas. They are something special.
We have been discussing the best ways to control design changes at work, and I thought it might present an opportunity to have more of an interactive discussion with my readers.
During my rounds as a 3rd party auditor, I have seen quite a few design control procedures. The most complex consisted of 19 procedures (NOT recommended, but there were no nonconformities). The most simple consisted of one 4-page procedure, which I wrote, but I would never recommend being this brief. I have created a couple of polls in my LinkedIn profile for you to respond to if you would like to share your own company’s “design control stats”:
The problem I see is that most projects are not new product designs. Sometimes the projects are not even major design changes. I think most changes involve supplier changes, component specification improvements, and design for manufacturability. These changes require review and approval of changes. These changes must also be recorded and retained as a Quality Record.
My own personal preference is to always open a design project—no matter how small the change is. In order to make the process flexible, I also prefer to define how many design reviews each project will have in the design plan rather than mandating that design reviews be held in a stage-gate fashion for 100% of projects.
Most companies will have a table of requirements with columns added to indicate if the requirements are mandatory for the project or optional. For example, “risk management plan needs to be updated? Yes/No.” I like this approach, because the table of requirements makes the decision making systematic.
Sometimes a change is only to a work instruction for a step in the manufacturing process. In these cases, some companies will use a document change order process to supplement the engineering change order process.
My feeling is that more complex products (i.e. – Class IIb & Class III in EU and Class III/PMA in US) will require more stringent design controls for the change. What does your company do to control design changes?
This is one of the early music videos I remember from the 80’s.
The original question from a former client was: “What does a best in class CNC machining process validation program look like?” Although I intend to answer this question, I know a few other clients that have done a great job of this. Hopefully they will add their own opinions as a comment. Therefore, I am expanding the scope of this question to validation in general.
The problem with validation is that you can always do a more thorough validation. Only in the cases of processes such as sterilization, do we have ISO Standards that tell us what is required. Otherwise, we are normally the experts and we have to use our own judgment as to what is necessary. In general, the best approach is a risk-based approach.
For each design specification established for a component, we also need to identify what process risks are associated with failure to meet the specification. Most companies perform a process failure modes and effects analysis (pFMEA). This risk analysis has three quantitative components: 1) severity of the failure’s effect, 2) probability of occurrence, and 3) detectability. The first factor, severity, is based upon the intended use of the device and how that component failure impacts that use. Usually it is important to have a medical professional involved in this portion of the estimation.
The second factor, probability, is typically quantified during the process validation activities. One company I audited developed a ranking scale for probability that was linked directly to CpK of the process. Higher CpK values received lower scores, because the process was less likely to result in an out-of-specification component. Another company I worked for used a six-point logarithmic scale (i.e. – 10e-6 = 1, 10e-5 = 2, 10e-4 = 3, 10e-3 = 4, 10e-2 = 5, and 10e-1 = 6). This logarithmic scale was based on sterilization validation where a sterility assurance level of 10e-6 is considered “validated”.
The third factor, detectability, is best estimated by using a quantitative scale that is based upon a gauge R&R study or some other method of inspection method validation.
Most companies struggle with determination of what is acceptable for design risk analysis. However, for process risk analysis it is usually much easier to quantify the acceptable risk level.
Once you have determined that a process is not acceptable at the current residual risk level, then you must take corrective actions to reduce the risk. The first step to achieve this should be to review the process flow. There are critical control points that can be identified in the process flow. One of those places is at the end of the process at the inspection step in the process.
The inspection step in the process flow affects detectability of defects. For many automated processes, such as CNC machining, it is not reasonable to perform 100% inspection. Therefore, these processes require validation. Most engineers make the mistake of trying to validate every dimension that is machined. However, only some of the dimensions result in device failures. These are the dimensions that are critical to validate. Best practice is to calculate the process capability for meeting each of these critical specifications (i.e. – CpK). A minimum threshold should be established for the CpK (refer back to the process risk analysis for ideas on linking CpK to risk acceptance). Any CpK values below the threshold require a more consistent process. These are the component specifications that should be the focus of process validation efforts.
During a process validation, it is often advisable to perform a design of experiment (DOE) in order to quantify the affects of each process variable. Typically a DOE will evaluate the impact on CpK for each variable at a high, low and middle value while other variables are maintained at nominal values. Any variables that appear to have a significant impact on the CpK are candidates for performing an operational qualification (OQ). For a machining process, this could include spindle speeds, feed rates, and material hardness. If variation of the variable has little or no impact upon the CpK, then there is probably little benefit to inclusion of this variable in an OQ.
The output of an OQ validation should be high and low limits for each process variable that will result in a “good” part. Performance Qualification (PQ) validation is the final step of the process validation. In the PQ, most companies will conduct three repeat lots at nominal values for the variables. If the OQ is designed well, there is often little added value in the PQ. Therefore, the sample size is typically three lots of 10 samples each. If the OQ validation does not clearly identify safe operating limits for the variables, or the process has marginal capability (i.e. – a low CpK), then the OQ should be repeated and an additional DOE may be needed.
Here are a few resources for those of you that are in “Deviceland” and may not be aware of guidance on validation in other related industries:
It’s been a while since I made the time for a posting, but I’ve seen a trend of companies overusing the “5 Why” technique so I just felt the need to share this. Enjoy one of my favorite songs too. If you could only hear me sing it in the shower too.
If an auditor finds a nonconformity, the process owner is assigned to a CAPA. The first step of the CAPA process is to investigate the cause or causes. Some auditors recommend using a technique called the “5 Why” process to identify the root cause. PLEASE TELL THEM TO STOP!
The purpose of investigating the causes of a nonconformity is to determine how big the problem is (i.e. – breadth) and what the underlying causes are (i.e. – depth). The 5 Why process only addresses depth. So why do auditors recommend using this tool? Because the concept is simple to understand.
Unfortunately, not every problem is deep. Other problems have more than one cause. There is no magic behind asking why five times. The principle behind this overly-used technique is to encourage process owners to look deeper into the underlying issues instead of stopping at the obvious specific causes. The intent behind implementing a mandatory “5 Why” process is admirable—but wrong.
There are other techniques. Please try using them.
Cause and Effect Diagrams, also known as “Fish Bone Diagrams” or “Ishikawa Diagrams”, are popular tools for investigating problems in the automotive and aerospace industries. This method involves systematically investigating six categories of potential causes. These six categories are often referred to as the six “M’s”: 1) manpower, 2) mother-nature, 3) machine, 4) material, 5) method, and 6) measurement. This technique is particularly effective, because it is a systematic technique that investigates breadth of problems. Is/Is Not Analysis is another tool used to help process owners narrow down the source of a problem when they really don’t know which category of potential causes matter. For example, an investigator might ask the following questions in conjunction with the Cause and Effect Diagrams: 1) “Is this problem observed with any other employees?”, 2) “Did this problem only occur during hot and humid summer months?”, 3) “Did this problem occur in cavity #4 of parts or all cavities?”, 4) “Is this problem observed in cobalt chrome parts only or titanium implants as well?”, 5) “Do we observe failed crystals for only circuit boards that are reworked by hand or for circuit boards that are built entirely by automated assembly as well?”, and 6) “Were all the defective parts inspected using the same thread gauge?”
The above questions are sophisticated questions that may require a cross-functional team to properly answer. It may be necessary to review lots of records from previous lots. It may be necessary to interview operators to gather information that is not included in the records. It might be necessary to design experiments to verify theories. Often it is necessary to use multiple techniques together. The point is that a thorough investigation is not simple.
If a finding is a simple administrative oversight, there are four common causes: 1) insufficient training, 2) insufficient resources, 3) insufficient management oversight, and 4) insufficiently detailed procedures. If multiple people believe that one of these four causes is the problem, look to other areas to see if a similar problem occurs elsewhere—this is investigation of breadth. If the problem is observed in other places, there is a systemic problem that requires asking “Why?” at least one more time. If the problem is isolated, to the area where it was found, then there is probably no need for asking “Why?” again and again.
If your company’s CAPA procedure requires that you use the “5 Why” technique, please consider rewriting the procedure to encourage process owners to “investigate the cause with an appropriate root cause investigation technique such as one of the following…”. This flexible approach requires more thorough training, resources, and management oversight. However, an overly prescriptive CAPA procedure is often ineffective at preventing recurrence of problems.
I have no theme to relate this song with my posting, but you just can’t go wrong with blue jeans and a black t-shirt…
You might want to play this video twice…it’s a long posting.
I completed almost 100 audits in the past two years, and I review the Corrective Action and Preventive Action (CAPA) process during every single audit. Surprisingly, this seems to be a process with more variation from company to company than almost any other process I review. This also seems to be a major source of non-conformities. In the ISO 13485 Standard, clause 8.5.2 (Corrective Action) and clause 8.5.3 (Preventive Action) have almost identical requirements. Third-party auditors, however, emphasize that these are two separate clauses. We are purists. Although we acknowledge that companies may implement preventive actions as an extension to a corrective action, we also expect to see examples of actions that are strictly preventive in nature.
Many companies seem to be confused, but it doesn’t need to be. Just ask yourself one question. What is the source of this action?
If the answer is a complaint, audit nonconformity, or rejected components—then your actions are corrective.
If the answer is, a negative trend that is still within specifications or an “opportunity for improvement” (OFI) identified by an auditor—then your actions are preventive.
If you are investigating the root cause of a complaint, people will sample additional records to estimate the frequency of the quality issue. I describe this as investigating the depth of a problem. The FDA emphasizes the need to look to other product lines, or processes, to see if a similar problem exists. I describe this as investigating the breadth of a problem. Most companies describe actions taken on other product lines and/or processes as “preventive actions.” This is not always accurate. If a problem is found elsewhere, actions taken are corrective. If potential problems are found elsewhere, actions taken are preventive. You could have both types of actions, but most people incorrectly identify corrective actions as preventive actions.
Another common mistake is to characterize corrections as corrective actions.
The most striking difference between companies seems to be the number of CAPAs they initiate. There are many reasons, but the primary reason is failure to use a risk-based approach to CAPAs. Not every quality issue should result in the initiation of a formal CAPA. The first step is to investigate the root cause of a quality issue. The FDA requires that the root cause investigation is documented, but if you already have an open CAPA for the same root cause…
DO NOT OPEN A NEW CAPA!!!
If you do not have a CAPA open for the root cause that you identify, then what should you do?
I know this will shock everyone, but…it depends.
The image below gives you my basic philosophy.
Most investigations document the estimated probability of occurrence for a quality issue. This is only half of the necessary risk analysis I describe below. Another aspect of an investigation is to document the severity of potential harm resulting from the quality issue. If customer satisfaction, safety or efficacy are affected by a quality issue—the severity is big. Risk is the product of severity and probability of occurrence.
If the estimated risk is low and probability of occurrence is known, then alert limits and action limits can be statistically derived. These quality issues are candidates for continued trend analysis—although the alert limit or action limit may be modified in response to an investigation. If the trend analysis results in identifying events that require action, then that is the time when a formal CAPA should be opened. If the trend remains below your alert limit, then no formal CAPA is needed.
If the estimated risk is moderate or the probability of occurrence is unknown, then a formal CAPA should be considered. Ideally, you will be able to establish a base-line for occurrence and demonstrate that frequency decreases upon implementation of corrective actions. If you can demonstrate a significant drop in frequency, this verifies effectiveness of actions taken. If you need statistics to show a difference, then your actions are not effective.
If estimated risk is high or there are multiple causes that require multiple corrective actions, a quality improvement plan may be more appropriate. There are two clauses in the Standard that apply. Clause 5.4.2 addresses planning of changes to the Quality Management System. For example, if you correct problems with your incoming inspection process—this addresses 5.4.2. Clause 7.1 addresses planning of product realization. For example, if you correct problems with a component specification where the incoming inspection process is not effective—this addresses 7.1. Depending upon the number of contributing causes and the complexity of implementing solutions, the plan could be longer or shorter. If it will take more than 90 days to implement a corrective action, you might consider the following approach.
Step 1 – open a CAPA
Step 2 – identify the initiation of a quality plan as one of your corrective actions
Step 3 – close the CAPA when your quality plan is initiated (i.e. – documented and approved)
Step 4 –verify effectiveness by reviewing the progress of the quality plan in management reviews and other meeting forums…you can cross-reference the CAPA with the appropriate management review meeting minutes in your effectiveness section
If the corrective action required is installation of new equipment and validating that equipment, the CAPA can be closed as soon as a validation plan is created. The effectiveness of the CAPA is verified when the validation protocol is successfully implemented and a positive conclusion is reached. The same approach also works for implementing software solutions to better manage processes. The basic strategy is to get the long-term improvement projects started with the CAPA system, but monitor the status of these projects outside the CAPA system.
Best practices would be the implementation of Six-sigma projects with formal charters for each long-term improvement project.
NOTE: I believe in closing CAPAs when actions are implemented, and tracking the effectiveness checks for CAPAs as a separate quality system metric. If closure takes more than 90 days, the CAPA should probably be converted to a Quality Plan. This is NOT intended to be a “work around” to give companies a way to extend CAPAs that are not making progress in a timely manner.
One of my family’s favorite songs is “Come on Get Higher” by Matt Nathanson. Two years ago I tried to purchase this for my wife as a Christmas present. Unfortunately, I couldn’t remember who sang the song. I tried searching the web for the lyrics and found out that Sugarland sings it. I remembered the logo on the album cover, went to the store and bought the album. After I got home I realized that the song wasn’t on the album. Back to the store I went and found another version of the album with some live versions of songs—including “Come on Get Higher.” Just to make sure I had the right song, I decided to open the package and play it. My music video selection for this blog is what I heard. I guess we never stop learning, but I did fall in love with Country music at the age of 38…
I am in Canada, it’s almost midnight, and this client has me thinking so hard that I can’t sleep. I am here to teach the company’s Canadian facility about ISO 14971:2007—the ISO Standard for Risk Management of medical devices.
Most of the companies that request this training are doing so for one of two reasons: 1) several of their design engineers know almost nothing about risk management, or 2) they have several design engineers that are quite knowledgeable with regard to risk management but these engineers have not maintained their credentials and their last risk management training was to the 2000 version of the Standard. This company falls into the second category.
I always tell students that I learn something by teaching each course. From this company, however, I have learned so much. This company has forced me to re-read the Standard a number of times and reflect on the nuances of almost every single phrase. I have learned more about this Standard in one month than I learned in the 3.5 years since I first took the course I am now teaching.
I have developed a model for learning that explains this phenomenon. I call this model the “Learning Pyramid.” At the base of the pyramid there are “Newbies.”
This is the first of four levels. At the base, students read policies and procedures with the hope of understanding.
In the second level of the pyramid, the student is now asked to watch someone else demonstrate proper procedures. One of my former colleagues has a saying that explains the purpose of this process well, “A picture tells a thousand words, but a demonstration is like a thousand pictures.” This is what our children call “sharing time,” but everyone over 40 remembers this as “show and tell.”
In the third level of the pyramid, the student is now asked to perform the tasks they are learning. This is described as “doing,” but in my auditing courses I refer to this process as “shadowing.” Trainees will first read the procedures for Internal Auditing (level 1). Next trainees will shadow the trainer during an audit as a demonstration of proper technique (level 2). During subsequent audits, the trainees will audit and the trainer will shadow the trainee (level 3). During this “doing” phase, the trainer must watch, listen and wait for what I call the “Teachable Moment.” This is a moment when the trainee makes a mistake, and you can use this mistake as an opportunity to demonstrate a difficult subject.
Finally, in the fourth level of the Learning Pyramid we now allow the trainee to become a trainer. This is where I am at—so I thought. I am an instructor, but I am still learning. I am learning what I don’t know.
The next step in the learning process is to return to the first level. I am re-reading the Standard and procedures until I really understand the nuances that I was unaware of. Then I will search for examples in the real world that demonstrate these complex concepts I am learning. After searching for examples, I will test my knowledge by attempting to apply the newly acquired knowledge to a 510(k) or CE Marking project for a medical device client. Finally, I will be prepared to teach again.
This reiterative process reminds me of the game Chutes and Ladders, but one key difference is that we never really reach the level of “Guru.” We continue to improve, but never reach our goal of perfection…For further inspiration try reading “Toyota Under Fire.”
I hope everyone enjoys this selection for the music video. It’s one of my favorite songs by Sting—mostly because it seems to be more upbeat than many of his other tunes. I can almost hear him smiling as he wrote the lyrics.
This blog posting is a continuation of my previous post on the subject of Risk Management Training, specifically the ISO 14791:2007 Risk Management Standard. In my Risk Management Training, I use the example of making “The Perfect Pecan Pie” as a practical example of applying the principles of Risk Management.
The first step of the Risk Management Process, or any process, should be planning. My personal preference for planning Risk Management is to begin by brainstorming in order to create a list of potential Quality issues. During the brainstorming session, I will use a Cause & Effect Diagram (a.k.a – “Fishbone Diagram”) to ensure that I have covered as many of the important issues as possible. For those that are unfamiliar with this tool, there are six categories of causes for any problem. These are sometimes referred to as the six “M’s”, because each category begins with the letter “M”:
1) Materials
2) Method
3) Machine
4) Measurement
5) Manpower
6) Mother Nature
Materials are the single most important component of any product. As the saying goes, “Garbage in equals garbage out.” The right, fresh ingredients are just as important to baking pies as biocompatible materials are to manufacturing implantable medical devices. For example, stale pecans are plain nasty; while granular sugar produces a sickeningly, sweet syrup. Pecan pies are derived from “chess” pies—pies that were cheese-like due to the custard consistency created by cooking butter, eggs, milk and sugar at a low temperature. Therefore, the filling of a pecan pie requires a six tablespoons of unsalted butter, three large cage-free eggs (size matters—don’t get extra large), one cup dark brown sugar (light brown is also too sweet), three-quarters cup light corn syrup, one tablespoon natural vanilla (artificial vanilla tastes totally different and overwhelms the praline flavor), and one cup of pecan halves (I’m told that Georgia pecans picked fresh from the tree are amazing, and roasting them enhances the flavor even more.).
Manufacturing processes are always the second most important factor related to Quality. For the “Perfect Pecan Pie,” this is also true. Most people will try making their first pie by cooking the filling and the pie crust together. This can produce acceptable results if you are extremely lucky. For custards, however, it is much easier to get consistently beautiful pies by pre-cooking the pie-shell (and sealing it with egg yolk) and pre-cooking the filling separately in a double boiler (always use the right machine for the job). Once the filling gets to the desired temperature (~130F) then the filling should be poured into the pre-cooked crust for the final baking. The final baking should be at 275F for one hour (at sea level).
If you choose to deviate from any of the above directions regarding the manufacturing process, good luck finding a material review board to approve the release of your pie. If you don’t seal the pie crust, it will leak and you will never get be able to serve an intact slice of pie. If you don’t use a double boiler, you get a mixture of caramel and burnt candy. If you overcook the filling, the consistency will be off. If you undercook the filling, the pie will be uncooked…another way to make it impossible to serve an intact slide of pie.
When you are cooking a soup, stew or some other dish, measuring is a forgiving process. For baking, the ratio of ingredients, the degree of mixing, and the temperature for baking are critical. Any deviation usually leads to a disaster.
The next category, manpower, addresses the issue of training. You would think that baking is all about skill. However, like all validated manufacturing processes, proper use of process controls can transform the most inept person into a brilliant baker. Most people struggle with the crust. Packard Consulting, however, has developed a fool-proof method for making a crust. The key is to cool the dough ball and press it into a glass pie dish. The reason for a glass dish is so that you can hold the uncooked shell up to the light to inspect it for “thin spots.” Then you cover the shell with foil, poke it several times with a fork to allow it to vent, bake it for 15 minutes at 400F, uncover it, brush it with egg yolk to seal the crust, and continue baking it for 10 more minutes—or until the crust is a golden brown on the edges.
Finally, the oven temperature is most critical for the final baking—after pouring the pre-cooked filling into the pre-baked pie crust. In this case, we have an artificial environment (i.e. – Mother Nature). Unfortunately, very few ovens are calibrated accurately and the temperature is very inconsistent throughout the oven. Ovens are hottest on the top rack and the back of the oven is always hotter than the front. Therefore, you need to rotate the pie during the baking process or it gets cooked unevenly. Another critical step is to “map” the oven temperature. You must determine where in the oven (i.e. – which rack position) to place the pie when the oven is set at 275F. In some ovens, the temperature is so far off that it is necessary to raise or lower the setting by 15 degrees.
Now that I have given you the recipe for the “Perfect Pecan Pie,” you might be tempted to make one. Before you do, I recommend getting a piece of paper and documenting every step you take—including any visual observations, the taste of the dough, and the taste of the filling. This information will become your risk management file. As you perfect your technique, learn the idiosyncrasies of your kitchen appliances, and you find sources for each ingredient…you will need to prevent these secrets from becoming lost. Your collection of notes is a Risk Management File.
You have now completed Section 3 of the 14971:2007 Standard. Keep drooling and I promise to serve up another slice:)
PS – Here’s a cool drumming lesson that gave me a much better appreciation for the layers of rhythm within the song I chose for this blog’s background entertainment.
Knowing that we have the “Big Game” half-time show coming soon, I thought I would share a video of the 2007 show by Prince (Thank you for the suggestion Greg).
During a CAPA course I taught earlier today, one of the attendees asked if I have a course on “How to Write Better Procedures.” Unfortunately, the only material I could offer was material from a course I taught on “Training the Trainer.” That training course focused on visual communication. There are several books related to Lean Manufacturing that explain in depth how to use visual communication to replace text (i.e. – “a picture says a thousand words”). During my ride home, however, I thought of a few other ideas that might help anyone that is in the process of writing or re-writing a procedure.
My first suggestion is to develop a standardized format for procedures. If you have a procedure for writing procedures, just make sure you allow the flexibility to deviate from the standardized format. The Standard does require that procedures have a “mandatory” format. Referring to the standardized formatting as “suggested formatting” will avoid unnecessary nonconformities.
My second suggestion is avoid making unnecessary references to other external standards. If you are writing a procedure on risk management—it makes sense to reference ISO 14971. It does not make sense to reference all the other risk analysis Standards unless you are specifically using them to perform risk analysis. Included in this category would be references to other regulatory requirements such as 21 CFR 820, the FDA QSR, or Part 1 of the Canadian MDR. Companies can claim compliance with other requirements in the Quality Manual instead. What should be referenced in a document is any related procedures or forms.
Another related suggestion is to avoid including the revision of a Standard. This is just another opportunity for unnecessary nonconformities. If you don’t specify the revision, then an auditor can only assume that the most current revision of the Standard is implied. If changes to a Standard are minor, no changes to a procedure may be warranted and a revision to the procedure can be avoided—assuming that the revision of the Standard is not specified. Some argue that you should include the revision and update the reference to document that the procedure was reviewed to see if changes were warranted. This is unnecessary. A review of procedures, where the decision is made for “no change”, can easily be documented in the Management Review under the category of “New and Revised Regulatory Requirements.”
My fourth suggestion is to indicate the process owner and training requirements associated with each procedure. By doing this, it is easier to define who is responsible for reviewing and revising procedures—as well as who is assigned CAPAs if there is finding related to the process in question. For the training requirements, the process owner should specify who needs to be trained on the process. Why? They know the procedure best. If there is a “grey area,” this should be resolved with the department manager for the job function in question. In addition, retraining requirements should be specified. By this, I mean that it is a good idea to indicate if retraining is required when a procedure has been revised. If the revision is minor, training should only be required for people that have not been trained to a previous revision.
There are a couple of great ways to identify when retraining is required for a revision and when no retraining is required, but I’ll leave those ideas for another blog…
My fifth suggestion is to adopt the Plan-Do-Check-Act (PDCA) model for the structure of procedures. For the “Plan” portion, the procedure should explain how to prepare to do something. This planning activity can apply to anything from planning to perform an audit to planning to inspect incoming raw materials. The “Do” portion is what most people refer to as the “Procedure” section. The “Check” portion of the procedure is a great place to specify the monitoring and measurement requirements for the process (see Section 8.1 of the Standard). Finally, the “Act” portion of the procedure should indicate what to do when target metrics are not met. For example, what should be done when an alert limit is reached? What should be done when an action limit is reached?
My final suggestion is to include revision history. It’s extremely helpful to know which ECO approved the document revision, why the changes were made, the nature of changes, whether there is a related corrective action, and when the change was made.
Sorry about the length of this blog…I hope this helps you Darcy.
This week’s music video selection was recommended by my friend Greg. We were eating dinner together at 1776, and he was kind enough to share this amazing musician with me. I’m not a guitarist but he pointed out that Bruce Cockburn has a very unique style. He plays three different parts simultaneously. His thumb plays base on the top string while the other fingers play two separate melodies. WOW!
Are you frustrated? Do you wish for a rocket launcher? Maybe you would aim it at the C-level offices and pull the trigger.
Sometimes we hear phrases like: “Well that’s just an ISO requirement.” This obvious lack of support by top management is what frustrates every Management Representative in the world.
There was a question posted on the Elsmar Cove website on January 10th (see previous blog for the link). In just 10 days there have been 153 postings in response to the original question. As I read through the various postings I saw several comments about a lack of support by top management. Rocket launchers are NOT the answer, but maybe a heavy bat…
A little over a decade ago I was still learning how to supervise people. In an effort to educate myself further, I read a book (sorry can’t be sure which book anymore). In this book, the boss gave an employee a card with a picture of a baseball bat on it. The instructions provided with this magical card were to use it only when the boss failed to pay attention and the employee had something important to tell him.
We all wish for a magical baseball bat, but unfortunately we are M-A-N-A-G-E-R-S. Along with the awesome title comes awesome responsibility. Managers are responsible for leading others. Subordinates are not the “others” I am referring to. The “others” are peers. If you cannot persuade your peers to support you, then you will fail as a manager. The Quality Department cannot fix all the problems. In fact, my philosophy is that Quality is responsible for recommending improvements, training people, and helping to implement. We assign corrective actions, but we should be assigning them to the process owner (i.e. – Manager) that is responsible for the area where the problems were created.
If you need help persuading the unenlightened, try picking a project that is critical to the success of the stubborn one. If you can show someone that is currently a detractor how they can apply the Quality principles to help solve their problems, then you will have a convert. Converts become strong supporters. If the stubborn one happens to be at the top, figure out what the CEO’s initiatives are. Initiatives are easy to identify; they talk about it at least twenty times a week. Try showing the CEO how their initiatives can become Quality Objectives. Show them with graphs. Show up with solutions to their problem. Use the CAPA process as a framework. Show them how the management TEAM can fix it.
If nothing seems to be working, you can always try reviewing some FDA MedWatch reports too–just to scare the crap out of the boss.
The video music selection for this week was a tune I heard at a restaurant called “1776” in Crystal Lake, IL. The restaurant played Chris Isaak recordings for the entire meal. Maybe the satellite radio station was stuck on the letter “I”.
The idea for this posting was from a thread I found on Elsmar Cove:
One person posted a question about the requirement for the Management Representative (MR) to be a member of the organization’s management (see section 5.5.2 of ISO 9001:2008). Companies that are seeking initial certification sometimes struggle with this requirement. Some struggle because they do not have anyone in-house that is sufficiently trained to be the MR. Other companies struggle, because they are very small and outsource their QA functions to a consultant. The following blog is targeted at helping these companies.
I audit companies to the ISO 13485 (medical QMS) & 9001 (QMS) Standards. The intent of both Standards was always to have the MR be part of management, but some companies did not interpret the Standards in this way. With the 2008 revision of 9001, the possibility of misinterpreting the meaning is much less likely. The companies that receive findings during the Stage 1 or Stage 2 audit for this requirement usually fall into one of two categories. Category #1: our company is small and the only person that really knows enough about ISO requirements is not a member of management. Category #2: our company is small and we outsource QA functions.
The good news is that any manager can be assigned the responsibility of being MR. One of my clients assigned this responsibility to the VP of Sales. Another company assigned this responsibility to the Director of R&D. Both of these individuals had to put in the time to learn about Quality Management Systems, but both have embraced the challenge and I have learned a lot from them. They have a different perspective and bring a lot of value to the MR role.
The bad news is: whomever you assign has to learn enough to be competent in the role.
The definition of “Management” is typically a stumbling block. Most people think of managers requiring that they have other people reporting to them. This is not an absolute. The MR should report directly to a top manager such as the President or CEO to prevent conflicts of interest. As a manager, they should not require a lot of direct supervision and the President or CEO should not be overly burdened by adding one person to their list of direct reports.
Some auditors like to see a “deputy MR” identified. My advice is to have the CEO or President sufficiently trained that they can be the “back-up” when the MR is on vacation. Every manager should know enough about their subordinate’s job duties that they can “fill in.”
MR’s should be involved in senior staff meetings too, but not necessarily at the same frequency as every other senior staff manager. Typically operations and sales have the most frequent meetings with the CEO–often weekly. Finance is typically monthly. HR and the MR might be bi-monthly or Quarterly. Communication of the status of Quality Objectives should be regular reports to all senior staff, but you don’t have to have a Management Review to communicate the status. If the company is small enough to have only one QA person, there probably isn’t a need for more than one or two management review meetings per year.
If your company has a finding against clause 5.5.2, I recommend the following actions:
1. Assign a person that is already a member of your senior staff as MR
2. Document the responsibility in the person’s job description
3. Document the responsibility in the org chart
4. Assign the person’s direct supervisor (typically the CEO or President) as a “deputy MR”
5. Find a good webinar on ISO training for the new MR and their boss (ideally one with a quiz and a certificate)
6. Have the new MR develop a 45 minute presentation for the senior staff on the topic of Management Responsibilities. This training should cover all of section 5 in the Standard.
7. Give the senior staff a 15 minute multiple choice quiz to evaluate effectiveness of the training.
8. Have the new MR discuss delegation of various management review inputs (see section 5.6.2) with their boss. Quality should be a shared responsibility and Management Reviews will be more effective if everyone takes part.
I just wanted to thank everyone for reading my blog. It's hard to make the dry and boring worth reading about. I have also created a formal Thank You page on my personal website: http://13485cert.com/qc-is-dead/.
Blog Stats
113,240 Views All Time!
Countdown to 2-Day Course!
Best Practices in Audit Program ManagementMarch 9, 2013
13485cert
QC is Dead 