How do you prepare for ISO 13485 registration?

A LinkedIn connection of mine recently asked for sources of good guidance on ISO 13485 registration. I wrote a blog recently about Quality Management Systems in General, but I had trouble finding resources specific to the ISO 13485 registration process. Therefore, I decided to write a blog to answer this question.

Here’s my favorite movie clip with a song for you.

Typically people learn the hard way by setting up a system from scratch. The better way to learn it is to take a course on it. I used to teach a 2-day course on the topic for BSI. The link for this course is: http://bit.ly/Get13485; I shortened the link to the BSI website.

Other registrars offer this course too. I suspect you can find a webinar on this through TUV SÜD, BSI, SGS, LNE/GMED, Dekra, etc. from time to time.

The only registrar I could find that described the process step-by-step was Dekra. I have copied their steps below:

Inquiry to Surveillance in 5 Steps

1. Inquiry
An initial meeting between [THE REGISTRAR] and the client can take place on site or via teleconference. At this time, the client familiarizes [THE REGISTRAR] with company specifics and its quality assurance certification requirements; [THE REGISTRAR] explains its working methods and partnering philosophy, and previews the details of the process.

Rob’s 2 Cents

As a client I have completed two initial certifications personally and three transfers, but I have only once had the sales representative actually visit my company. I think this process is typically accomplished by phone and email. If any registrars are reading this, you will close on more accounts if you visit prospective clients personally. In fact, the one that actually visited my company (Robert Dostert) has been on speed dial for almost a decade and he’s received a bit of repeat business.

2. Application Form
The client chooses to move forward by filling out an online application form. Based on the information obtained during the inquiry stage, along with the application form, [THE REGISTRAR] prepares a quote, free of charge, for the entire certification process. A client-signed quotation or purchase order leads to the first stage of the certification process.

Rob’s 2 Cents

For both of the Notified Body transfers I completed, I completed application forms and requested quotes from multiple Notified Bodies. During the quoting process, my friend Robert was more responsive and able to answer my questions better than the competition. Robert was also able to schedule earlier audit dates than the competition. To this day I am still amazed that Notified Bodies are not more responsive during this initial quoting process. All of the Notified Bodies are offering a certificate (a commodity). The customer service provided by each Notified Body, however, is not a commodity. Each Notified Body has it’s own culture, and every Notified Body has good and bad auditors. Therefore, you need to treat this selection process just like any other supplier selection decision. I have provided guidance on this specific selection process on more than one occasion, but I am definitely biased.

3. Phase One: Document Review and Planning Visit

LNE/GMED Flow Diagram for the process of ISO 13485 Certification

At this stage, [THE REGISTRAR] performs a pre-certification visit, which entails verifying the documented quality systems against the applicable standard. [THE REGISTRAR] works with the client to establish a working plan to define the [THE REGISTRAR] Quality Auditing process. If the client wishes, [THE REGISTRAR] will perform a trial audit or “dress rehearsal” at this stage. This allows the client to choose business activities for auditing and to test those activities against the applicable standard. It also allows the client to learn and experience [THE REGISTRAR] ‘s Quality Auditing methods and style. The results of the trial audit can be used toward certification. Most clients elect for one or two days of trial auditing.

Rob’s 2 Cents

Dekra’s statement that, “The results of the trial audit can be used toward certification,” is 100% opposite from BSI’s policy. BSI calls this a pre-assessment. The boilerplate wording used in BSI quotations is, “The pre-assessment is optional service that is an informal assessment activity intended to identify areas of concern where further attention would be beneficial and to assess the readiness of the quality management system for the initial formal assessment.” During these pre-assessments, BSI auditors explain that any findings during the pre-assessment will not used during the Stage 1 and Stage 2 certification audits, and the client will start with a “clean slate.” Most of the clients I conducted pre-assessments for were skeptical of this, but most auditors are ethical and make a every effort to avoid even the perception of biasing their sampling during the Stage 1 and Stage 2 audits. I highly recommend conducting a pre-assessment. You want an extremely thorough and tough pre-assessment so that the organization is well prepared for the certification audits. If the auditor that will be conducting the Stage 1 and Stage 2 audit is not available to conduct a pre-assessment, try to find a consultant that knows the auditors style and “hot buttons” well. FYI…You can almost always encourage me to do a little teaching when I’m auditing (I just can’t resist), and my “hot buttons” are CAPA,  Internal Auditing, and Design Controls.

4. Phase Two: Final Certification Audit 
Once the client’s documented systems have met the applicable standards, [THE REGISTRAR] will conduct an audit to determine its effective implementation.  [THE REGISTRAR] uses a professional auditing interview style instead of a simple checklist approach. This involves interviewing the authorized and responsible personnel as designated in the documented quality system.

Rob’s 2 Cents

For certification audits, ISO 17021 requires a Stage 1 and Stage 2 audit to be conducted. The combined duration of the certification audits must be in accordance with the IAF MD9 guidance document–which is primarily based upon the number of employees in the company. The “interview style” that Dekra is referring to is called the “Process Approach”. This is required in section 0.2 of the ISO 13485 Standard, and this is the primary method recommended by the ISO 19011 Standard for auditing–although other methods of auditing are covered as well.

5. Surveillance 
[THE REGISTRAR] arranges for surveillance audits semi-annually or annually as requested by the client.

Rob’s 2 Cents

I highly recommend annual surveillance audits, because the short duration of surveillance audits becomes unrealistically short when the auditor is asked to split their time between two semi-annual visits. A few clients have indicated that the semi-annual audits help them by maintaining pressure on the organization to be ready for audits all year-round and prevents them from procrastinating to implement corrective actions. This is really an issue of management commitment that needs to be addressed by the company. Scheduling semi-annual surveillance audits is doesn’t address the root cause. The only good argument I have for semi-annual cycles is if you have a very large facilities that would have an audit duration of at least 2 days on a semi-annual basis. The most important think to remember about scheduling surveillance audits is to make sure that you schedule the audits well before the anniversary. I recommend 11 months between audits. By doing this, you end up scheduling the re-certification audits 3 months before the certificate expires. BSI has a different policy. They want auditors to schedule the first surveillance audit 10 months after the Stage 2 audit, the second surveillance audit 12 months after the first surveillance audit, and then the re-certification audit must be scheduled at least 60 days prior to certificate expiration (i.e.  – no more than 12 months after the second surveillance audit). No matter what, schedule early.

If you have additional questions about becoming ISO 13485 registered, please post a discussion question in the following LinkedIn subgroup: Medical Device: QA/RA. For example, on Monday a new discussion question was posted asking for help with selection of a Notified Body for CE Marking. You will need to become a member of the parent group (Medical Device Group)–if you are not already one of the 140,000+ members connected with Joe Hage. George Marcel and I manage this subgroup for Joe. George is out in the Bay Area and I’m in the Green Mountains.

43.133884 -72.725746

Advertisement

Where can I learn about this Quality Management System (QMS) stuff?

A blog follower from Jon Speer’s website, Creo Quality, recently sent me a message asking for sources of good guidance on this Quality Management System (QMS) Stuff. There are a bunch of links below for you to follow and some practical advice. Enjoy learning!

J’aime Pink Martini et le chant de China Forbes.

The single best guidance document on the implementation of a QMS system in accordance with ISO 13485 is “13485 Plus” (type in the words in quotes to the CSA search engine).

There are also a bunch of pocket guides you can purchase for either ISO 9001 or ISO 13485 to help you quickly look-up information you are having trouble remembering. One of my Lead Auditor students recommended one pocket guide in particular and she was kind enough to give me her copy.

There are some webinars out there that provide an overview of QMS Standards. Some are free and some have a modest fee. I’m not sure the value is there for these basic overview webinars, but if you need to train a group it’s a great solution. I know BSI has several webinars that are recorded for this purpose.

AAMI has an excellent course on the Quality System Regulations (QSR) which combines 21 CFR 820 and ISO 13485.

There are a number of blogs I recommend on my website.

You can try to identify a local mentor–either in your won company or at your local ASQ Section.

You can join the following LinkedIn subgroup: Medical Device: QA/RA. You will need to become a member of the parent group (Medical Device Group)–if you are not already one of the 140,000+ members connected with Joe Hage. George Marcel and I manage this subgroup for Joe. George is out in the Bay Area and I’m in the Green Mountains.

You can visit the Elsmar Cove website and participate in the discussions you find there. I wrote a blog about Elsmar Cove a while back (wow almost 2 years ago now).

The best way to learn this stuff is to do all of the above.

And for the encore performance…

43.133884 -72.725746

How do you audit software medical devices?

Software medical devices are used to assist medical professionals. For example, radiologists use software with identifying areas of interest for medical imaging. Do you know how to audit a software company?

When I was trying to find a good song selection for a music video to pair with this blog topic, I thought that the “Digital Man” would be perfect. However, I wasn’t impressed with the selection of videos available. Therefore, I selected this perennial fan favorite:

As a 3rd party auditor, I have had the pleasure of auditing software companies for CE Marking. When you audit a software company for the first time, this forces you to re-learn the entire ISO 13485 Standard. For example, if a company only produces software there is very little to sample for incoming inspection and purchasing records. This is because the product is not physical—it’s software. Clauses of ISO 13485 related to sterility, implants, and servicing are also not applicable to software products. If the software is web-based, the shipping and distribution clauses (i.e. – 7.5.5) might present a challenge to an auditor as well.

The aspects of the ISO 13485 Standard that I found to be the most important to auditing software products were design controls and customer communication. Many auditors are trained on auditing the design and development of software, but very few auditors have experience auditing technical support call centers. When auditing a call center, most of the calls represent potential complaints related to the software “bugs”, system incompatibilities with the operating system or hardware, and use errors resulting from the design of the user interface.

In most technical support call centers, the support person tries to find a work-around for problems that are identified. The problem with a “work-around” is that it is the opposite approach to the CAPA process. In order to meet the requirements of ISO 13485, software companies must show evidence of monitoring and measuring these “bugs”. There must also be evidence of management identifying negative trends and implementing corrective actions when appropriate.

As an auditor, you should focus on how the company prioritizes “bugs” for corrective actions. Most software companies focus on the severity to software operation and the probability of occurrence. This is the wrong approach. Failure to operate is not the most severe result of medical device software failure. Medical device software can result in injury or death to patients. Therefore, it is critical to use a risk-based approach to prioritization of CAPAs. This risk-based approach should focus upon severity of effects upon patients—not users. This focus on safety and efficacy is an essential requirement of the Medical Device Directive (93/42/EEC as modified by 2007/47/EC) and it is a requirement of ISO 14971:2007.

43.133884 -72.725746

How to Train an Auditor on the Process Approach

Country music fans are loyal blog readers too.

            I have been reviewing the trends for how people find my website, and a large number of you appear to be very interested in my auditing schedules and other audit-related topics. Therefore, this week’s blog is dedicated to training auditors on the process approach.

First, the process approach is just a different way of organizing audits. Instead of auditing by clause, or by procedure, instead you audit each process. Typical processes include:

1. Design & Development
2. Purchasing
3. Incoming inspection
4. Assembly
5. Final Inspection
6. Packaging
7. Sterilization
8. Customer Service
9. Shipping
10. Management Review
11. CAPA
12. Internal Auditing

There are two reasons why the process approach is recommended. First, the process approach identifies linkages between processes as inputs and outputs. Therefore, if there is a problem with communication between departments the process approach will catch it. If only a procedural audit is performed, the lack of communication to the next process is often overlooked. Second, the process approach is a more efficient way to cover all the clauses of the ISO Standard than auditing each clause (i.e. – the element approach).

My rationale for the claim of greater efficiency is simple: there are 19 required procedures in the ISO 13485 Standard, but there are only 12 processes identified above. The “missing” procedures are actually incorporated into each process audit. For example, each process audit requires a review of records as input and outputs. In addition, training records should be sampled for each employee interviewed during an audit. Finally, nonconforming materials can be identified and sampled at incoming inspection, in assembly processes, during final inspection, during packaging, and even during shipment.

The tool that BSI uses to teach the process approach is the “Turtle Diagram”. The following picture illustrates where the name came from.

Process Auditing – “Turtle Diagram”

The first skill to teach a new auditor is the interview. Each process audit should begin with an interview of the process owner. The process owner and the name of the process are typically documented in the center of the turtle diagram. Next most auditors will ask, “Do you have a procedure for ‘x process’?” This is a weak auditing technique, because it is an “closed-ended” or yes/no. This type of question does little to help the auditor gather objective evidence. Therefore I prefer to start with the question, “Could you please describe the process?” This should give you a general overview of the process if you are unfamiliar with it.

After getting a general overview of the process, I like to ask the question: “How do you know how to start the process.” For example, inspectors know that there is material for incoming inspection, because raw materials are in the quarantine area. I have seen visual systems, electronic and paper-based systems for notifying QC inspectors of product to inspect. If there is a record indicating that material needs to be inspected—that is the ideal scenario. A follow-up question is, “What are the outputs of the inspection process?” Once again, the auditor should be looking for paperwork. Sampling these records and other supporting records is how the process approach addresses Clause 4.2.4—control of records.

The next step of the process approach is to “determine what resources are used by incoming inspection.” This includes gages used for measurement, cleanliness of the work environment, etc. This portion of the process approach is where an auditor can review calibration, gowning procedures, and software validation. After “With What Resources,” the auditor then needs to identify all the incoming inspectors on all shifts. From this list the auditor should select people to interview and follow-up with a request for training records.

The sixth step of the process is to request procedures and forms. Many auditors believe that they need to read the procedure. However, if a company has long procedures this could potentially waste valuable time. Instead, I like to ask the inspector to show me where I can find various regulatory requirements in the procedures. This approach has the added benefit of forcing the inspector to demonstrate they are trained in the procedures—a more effective assessment of competency than reviewing a training record.

The seventh and final step of the turtle diagram seems to challenge process owners the most. This is where the auditor should be looking for department Quality Objectives and assessing if the department objectives are linked with company Quality Objectives. Manufacturing often measures first pass yield and reject rates, but every process can be measured. If the process owner doesn’t measure performance, how does the process owner know that all the required work is getting done? The seventh step also is where the auditor can sample and review monitoring and measurement of processes, and the trend analysis can be verified to be an input into the CAPA process.

In my brief description of the process approach I used the incoming inspection process. I typically choose this process for training new auditors, because it is a process that is quite similar in almost every company and it is easy to understand. More importantly, however, the incoming inspection process does a great job of covering more clauses of the Standard than most audits. Therefore, new auditors get a great appreciation for how almost all the clauses can be addressed in one process audit.

If you have questions, or you would like a copy of the turtle diagram I use for documentation of audits, please submit a request on my website contact us page.

43.133884 -72.725746

The Ultimate Design Control SOP

Disclaimer: There is no need to create the Ultimate Design Control SOP. We need medical devices that are safer and more effective.

If Adele is worthy of six Grammy Awards, she’s probably worthy of a blog link too. Rumor has it that this is my personal favorite from Adele.

In my previous blog posting, I indicated six things that medical device companies can do to improve design controls. While the last posting focused on better design team leaders (WANTED: Design Team Needs Über-Leader), this posting focuses on writing stronger procedures. I shared some of my thoughts on writing design control procedures just a few weeks ago, but my polls and LinkedIn Group discussions generated great feedback regarding design control procedures.

One of the people that responded to my poll commented that there was no option in the poll for “zero”. Design controls do not typically apply to contract manufacturers. These companies make what other companies design. Therefore, their Quality Manual will indicate that Clause 7.3 of the ISO 13485 Standard is excluded. If this describes your company, sit back and enjoy the music.

Another popular vote was “one”. If you only have one procedure for design controls, this meets the requirements. It might even be quite effective.

When I followed up to poll respondents asking how many pages their procedures were, a few people suggested “one page”. These people are subscribing to the concept of using flow charts instead of text to define the design control process. In fact, I use the following diagram to describe the design process all the time: The Waterfall Diagram!

From the US FDA Website.

I first saw this in the first AAMI course I took on Design Controls. This is on the FDA website somewhere too. To make this diagram effective as a procedure, we might need to include some references, such as: work instructions, forms, the US FDA guidance document for Design Controls, and Clause 7.3 of the ISO Standard.

The bulk of the remaining respondents indicated that their company has eight or more procedures related to design controls. If each of these procedures is short and specific to a single step in the Waterfall Diagram, this type of documentation structure works well. Unfortunately, many of these procedures are a bit longer.

If your company designs software, active implantable devices, or a variety of device types—it may be necessary to have more than one procedure just to address these more complex design challenges. If your company has eight lengthy procedures to design Class 1 devices that are all in the same device family, then the design process could lose some fat.

In a perfect world everyone on the design team would be well-trained and experienced. Unfortunately, we all have to learn somehow. Therefore, to improve the effectiveness of the team we create design procedures for the team to follow. As an auditor and consultant I have reviewed 100+ design control processes. One observation is that longer procedures are not followed consistently. Therefore, keep it short. Another observed I have made is that well-design forms help teams with compliance.

Therefore, if you want to rewrite your design control SOP try the following steps:

1. Use a flow chart or diagram to illustrate the overall process
2. Keep work instructions and procedures short
3. Spend more time revising and updating forms instead of procedures
4. Train the entire team on design controls and risk management
5. Monitor and measure team effectiveness and implement correct actions when needed

The following is a link to the guidance document on design controls from the US FDA website.

Refer to my LinkedIn polls and discussions for more ideas about design control procedures:

1. Medical Devices Group
2. Elsmar Cove Quality Forum Members Group

In addition to the comments I made in this blog, please refer back to my earlier blog on how to write a procedure.

43.133884 -72.725746

WANTED: Design Team Needs Über-Leader

“Mona Superwoman” by Teddy Royannez (France)

Last November Eucomed published a position paper titled, “A new EU regulatory framework for medical devices: Six steps guaranteeing rapid access to safe medical technology while safeguarding innovation.” While I have serious doubts that any government will ever be able to “guarantee” anything other than its own continued existence, I have an idea of how industry can help.

The position paper identified six steps. Each of these steps has a comparable action that could be taken in every medical device company. My list of six steps is:

Only the best leaders

1. Only one approach to design controls
2. Stronger internal procedures
3. Cross-pollination by independent reviewers
4. Clear communication of project status to management
5. Better project management skills

The most critical element to success is developing stronger design team leaders. Design teams are cross-functional teams that must comply with complex international regulations, while simultaneously the team must be creative and develop new products. This type of team is the most challenging type to manage. In order to be successful, design team leaders must be “Über-Leaders.”

The most critical skills are not technical skills, but team leadership skills. The role of a design team leader is to make sure that everyone is contributing without tromping on smaller personalities in the group. Unfortunately, there are more men in this role than women.

Why is this unfortunate? Because men suck at listening (takes one to know one).

We need a leader that will be strong but we also need someone that is in touch with the feelings of others and will use that skill to bring out the best of everyone on the team. This superwoman also needs to earn the respect of the male egos around the table. She needs to be an expert in ISO 14971, ISO 13485, Design Controls, Project Management, and managing meetings. Our beautiful heroine must also be a teacher, because some of our team members will not know everything—even if they pretend to.

The Über-Leader will always remind the team that Safety & Efficacy are paramount. As team leaders we must take the “high road” and do what’s right—even when it delays a project or fails to meet our boss’ unrealistic timetable. Superwoman must demand proof in the form of verification and validation data. It is never acceptable to go with an opinion.

She will remind us that compromise is the enemy, and we must be more creative to solve problems without taking shortcuts that jeopardize safety and efficacy. She will work harder on the project than anyone else on the team. She will keep us on schedule. She will whisper to get our attention, but she won’t be afraid to yell and kick our ass.

As Jim Croce says, “You don’t tug on Superman’s cape.” Superwoman is the only exception to this rule.

43.133884 -72.725746

Death by CAPA

I have no theme to relate this song with my posting, but you just can’t go wrong with blue jeans and a black t-shirt…

You might want to play this video twice…it’s a long posting.

I completed almost 100 audits in the past two years, and I review the Corrective Action and Preventive Action (CAPA) process during every single audit. Surprisingly, this seems to be a process with more variation from company to company than almost any other process I review. This also seems to be a major source of non-conformities. In the ISO 13485 Standard, clause 8.5.2 (Corrective Action) and clause 8.5.3 (Preventive Action) have almost identical requirements. Third-party auditors, however, emphasize that these are two separate clauses. We are purists. Although we acknowledge that companies may implement preventive actions as an extension to a corrective action, we also expect to see examples of actions that are strictly preventive in nature.

Many companies seem to be confused, but it doesn’t need to be. Just ask yourself one question. What is the source of this action?

If the answer is a complaint, audit nonconformity, or rejected components—then your actions are corrective.

If the answer is, a negative trend that is still within specifications or an “opportunity for improvement” (OFI) identified by an auditor—then your actions are preventive.

If you are investigating the root cause of a complaint, people will sample additional records to estimate the frequency of the quality issue. I describe this as investigating the depth of a problem. The FDA emphasizes the need to look to other product lines, or processes, to see if a similar problem exists. I describe this as investigating the breadth of a problem. Most companies describe actions taken on other product lines and/or processes as “preventive actions.” This is not always accurate. If a problem is found elsewhere, actions taken are corrective. If potential problems are found elsewhere, actions taken are preventive. You could have both types of actions, but most people incorrectly identify corrective actions as preventive actions.

Another common mistake is to characterize corrections as corrective actions.

The most striking difference between companies seems to be the number of CAPAs they initiate. There are many reasons, but the primary reason is failure to use a risk-based approach to CAPAs. Not every quality issue should result in the initiation of a formal CAPA. The first step is to investigate the root cause of a quality issue. The FDA requires that the root cause investigation is documented, but if you already have an open CAPA for the same root cause…

DO NOT OPEN A NEW CAPA!!!

If you do not have a CAPA open for the root cause that you identify, then what should you do?

I know this will shock everyone, but…it depends.

The image below gives you my basic philosophy.

 

 

 

 

 

 

 

 

Most investigations document the estimated probability of occurrence for a quality issue. This is only half of the necessary risk analysis I describe below. Another aspect of an investigation is to document the severity of potential harm resulting from the quality issue. If customer satisfaction, safety or efficacy are affected by a quality issue—the severity is big. Risk is the product of severity and probability of occurrence.

If the estimated risk is low and probability of occurrence is known, then alert limits and action limits can be statistically derived. These quality issues are candidates for continued trend analysis—although the alert limit or action limit may be modified in response to an investigation. If the trend analysis results in identifying events that require action, then that is the time when a formal CAPA should be opened. If the trend remains below your alert limit, then no formal CAPA is needed.

If the estimated risk is moderate or the probability of occurrence is unknown, then a formal CAPA should be considered. Ideally, you will be able to establish a base-line for occurrence and demonstrate that frequency decreases upon implementation of corrective actions. If you can demonstrate a significant drop in frequency, this verifies effectiveness of actions taken. If you need statistics to show a difference, then your actions are not effective.

If estimated risk is high or there are multiple causes that require multiple corrective actions, a quality improvement plan may be more appropriate. There are two clauses in the Standard that apply. Clause 5.4.2 addresses planning of changes to the Quality Management System. For example, if you correct problems with your incoming inspection process—this addresses 5.4.2. Clause 7.1 addresses planning of product realization. For example, if you correct problems with a component specification where the incoming inspection process is not effective—this addresses 7.1. Depending upon the number of contributing causes and the complexity of implementing solutions, the plan could be longer or shorter. If it will take more than 90 days to implement a corrective action, you might consider the following approach.

Step 1 – open a CAPA

Step 2 – identify the initiation of a quality plan as one of your corrective actions

Step 3 – close the CAPA when your quality plan is initiated (i.e. – documented and approved)

Step 4 –verify effectiveness by reviewing the progress of the quality plan in management reviews and other meeting forums…you can cross-reference the CAPA with the appropriate management review meeting minutes in your effectiveness section

If the corrective action required is installation of new equipment and validating that equipment, the CAPA can be closed as soon as a validation plan is created. The effectiveness of the CAPA is verified when the validation protocol is successfully implemented and a positive conclusion is reached. The same approach also works for implementing software solutions to better manage processes. The basic strategy is to get the long-term improvement projects started with the CAPA system, but monitor the status of these projects outside the CAPA system.

Best practices would be the implementation of Six-sigma projects with formal charters for each long-term improvement project.

NOTE: I believe in closing CAPAs when actions are implemented, and tracking the effectiveness checks for CAPAs as a separate quality system metric. If closure takes more than 90 days, the CAPA should probably be converted to a Quality Plan. This is NOT intended to be a “work around” to give companies a way to extend CAPAs that are not making progress in a timely manner.

43.133884 -72.725746