<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:media="http://search.yahoo.com/mrss/" >

<channel>
	<title>ISO 13485 &#8211; Hardcore QMS</title>
	<atom:link href="https://hardcoreqms.com/13485/feed/" rel="self" type="application/rss+xml" />
	<link>https://hardcoreqms.com</link>
	<description>A destination for regulatory and quality assurance professionals</description>
	<lastBuildDate>Tue, 06 May 2025 00:48:02 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2023/03/cropped-HardcoreQMSsquare.png?fit=32%2C32&#038;ssl=1</url>
	<title>ISO 13485 &#8211; Hardcore QMS</title>
	<link>https://hardcoreqms.com</link>
	<width>32</width>
	<height>32</height>
</image> 
<site xmlns="com-wordpress:feed-additions:1">213694575</site>	<item>
		<title>Managing Medical Device Records for ISO 13485 (4.2.5)</title>
		<link>https://hardcoreqms.com/13485/medical-device-records/</link>
					<comments>https://hardcoreqms.com/13485/medical-device-records/#respond</comments>
		
		<dc:creator><![CDATA[Grant Gibson]]></dc:creator>
		<pubDate>Tue, 06 May 2025 00:47:57 +0000</pubDate>
				<category><![CDATA[ISO 13485]]></category>
		<guid isPermaLink="false">https://hardcoreqms.com/?p=795</guid>

					<description><![CDATA[<p>Do you want to know what medical device companies produce the most? You might think it’s medical devices, but that’s not the case. It’s actually records.&#160; Each manufacturing batch, audit, complaint, training session, and more creates records. The output of nearly every process is at least one, sometimes many, records. And there are specific requirements ... <a title="Managing Medical Device Records for ISO 13485 (4.2.5)" class="read-more" href="https://hardcoreqms.com/13485/medical-device-records/" aria-label="More on Managing Medical Device Records for ISO 13485 (4.2.5)">Read more</a></p>
<p>The post <a rel="nofollow" href="https://hardcoreqms.com/13485/medical-device-records/">Managing Medical Device Records for ISO 13485 (4.2.5)</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="">Do you want to know what medical device companies produce the most? You might think it’s medical devices, but that’s not the case. It’s actually <strong>records</strong>.&nbsp;</p>



<p class="">Each manufacturing batch, audit, complaint, training session, and more creates records. The output of nearly every process is at least one, sometimes many, records. And there are specific requirements around how those records must be identified, stored, retrieved, and retained.</p>



<p class="">If it’s not documented, it didn’t happen. Let’s go through the requirements to understand everything an organization must do to ensure they are meeting the record-keeping requirements of ISO 13485 section 4.2.5.</p>



<h2 class="wp-block-heading"><strong>What are records?</strong></h2>



<p class="">Records are a special type of document that are generated as the output of processes. They can be initiated from:</p>



<ul class="wp-block-list">
<li class="">Design and development of medical devices/products</li>



<li class="">Manufacturing processes</li>



<li class="">Manufacturing batches of medical devices/products</li>



<li class="">Distribution of products</li>



<li class="">Quality Management System (QMS) Records</li>
</ul>



<p class="">Almost every process within an ISO 13485 QMS will generate a record. Some records may be as minor as a sign-off on a PO, all the way up to a 20-page audit report. Companies should save as much information and outputs as possible to demonstrate the effectiveness of the QMS.</p>



<p class="">Unlike other documents, the nature and raw data of a record can vary wildly depending on the medium. While, even digitally, most Quality documents are a type of Word or PDF file, records can have many types of data entry. For example, they may be automated or be entered directly into different types of software or spreadsheets. </p>



<p class="">All of this information is considered a record. Many times, it is helpful to have software that can present the raw record in a PDF or similar summary. This is useful during audits and regulatory inspections. </p>



<p class="">When you transfer raw data into a different record or summary, you should maintain a copy of the original data. Both of these can be included as one record, or they should be linked.</p>



<h2 class="wp-block-heading"><strong>What are the ISO 13485 Requirements for Records?</strong></h2>



<p class="">The requirements for records share many similarities with the requirements for <a href="https://hardcoreqms.com/13485/document-control-iso-13485/" data-type="post" data-id="447">document control</a>; however, there are some meaningful differences between the two, especially for digital records.&nbsp;</p>



<p class="">For example, all documents are required to be reviewed and approved. Some records may be automatically generated, and it would not make sense for them to be approved. Other records that are entered digitally will maintain timestamps and identification of which user generated the information. </p>



<p class="">As we work through the other requirements, you can see more of the other differences with records:</p>



<ul class="wp-block-list">
<li class=""><strong>Identification: </strong>Records can have a document number for identification; however, many times they are labeled with a case or ID number. For example, a nonconformance may be labeled as NCR-0179. This ID/case number can be referenced in other documents or records. </li>



<li class=""><strong>Storage: </strong>While documents need to be stored, it is inevitable that there are many times more records than documents. This can make their storage a challenge. If they are stored electronically, they may be kept in a different area than regular documents. Sometimes documents and procedures are stored electronically, but their corresponding records are stored in large file cabinets.</li>
</ul>



<p class="">Additionally, paper records are sometimes transferred to digital records. If this is the case, the company should ensure that all of the information in the original document is transferred. They will also have to determine if they are able to obsolete or dispose of the original copy.&nbsp;</p>



<ul class="wp-block-list">
<li class=""><strong>Security and Integrity:</strong> Companies should ensure that records cannot be altered or changed outside of documented mechanisms. It’s also useful to limit access to certain records. This can be done digitally or through locked filing cabinets for paper records. If records are being stored digitally, companies should determine their backup and cybersecurity needs to ensure records are kept safe.</li>



<li class=""><strong>Retrieval: </strong>There are many times when a company will need to access a record. Some examples include audits and regulatory inspections, as well as CAPA and other root cause investigations. The company needs to have a clear method of ensuring that the correct individuals can access documents in a timely manner.</li>
</ul>



<p class="">Organizations need to document all of the requirements related to records (identification, storage method and location, security, and retrieval). This can be documented in a control of records procedure, in the procedure or work instruction for which the record is an output, or some combination of the two.</p>



<h2 class="wp-block-heading"><strong>Records Retention and Disposal</strong></h2>



<p class="">The timeline for retention of records depends on the type of record and the specific medical device.</p>



<h3 class="wp-block-heading"><strong>Records for Batches of Devices</strong></h3>



<p class="">For records related to the manufacturing and distribution of a specific medical device or batch of medical devices, ISO 13485 states that:</p>



<p class=""><em>The organization shall retain the records for at least the lifetime of the medical device as defined by the organization, or as specified by applicable regulatory requirements, but not less than two years from the medical devices release by the organization.</em></p>



<p class=""><strong>Note: for EU MDR/IVDR, the minimum retention time is 10 years.</strong></p>



<p class="">The lifetime of a medical device can either be multiple decades or under two years for certain products (some people are surprised that the lifetime of a device can be under two years, but this is common for certain types of devices that expire).</p>



<p class="">Organizations need to determine the specific lifetime of their devices based on shelf-life, expiration date, degradation of packaging materials, expiration related to stability, servicing requirements, and more. The lifetime of a device should be recorded in the appropriate Medical Device File.</p>



<h3 class="wp-block-heading"><strong>Records for Manufacturing/Design Processes</strong></h3>



<p class="">The next type of record is those related to the design and manufacturing process of the devices, including validation reports and design control records (design inputs, outputs, verification, validation). These documents need to be retained for at least the lifetime of the device based on the last device manufactured or sold.</p>



<h3 class="wp-block-heading"><strong>QMS Records</strong></h3>



<p class="">The final type of records is those that are generated from QMS processes. These can include Management Review minutes, internal audits, <a href="https://hardcoreqms.com/13485/medical-device-supplier-management/" data-type="post" data-id="613">evaluation and monitoring of suppliers</a>, etc. Here, it is up to the organization to determine the retention period of the records based on the specific process and risks. However, a company never wants to be unable to access a record when requested by an auditor or regulatory body.</p>



<p class="">Carrying over what I said in our <a href="https://hardcoreqms.com/13485/document-control-iso-13485/" data-type="post" data-id="447">document control guide</a>, a company is unlikely to face consequences for retaining a record longer than is required. Especially if the records are stored digitally, it is a good practice to maintain records indefinitely. Digital records past the lifetime of the device can be transferred to a different system for storage, as long as they can still be accessed when necessary.</p>



<p class="">If organizations are going to dispose of records, they need to document the manner of the disposal. For paper records, this could include in-house shredding or the contracting of a paper shredding supplier. Digital records could be deleted manually or automatically through an algorithm.</p>



<p class="">In their procedure, organizations should state the retention period of different records, as well as the mechanism for the retention and disposal of records.</p>



<h2 class="wp-block-heading"><strong>Confidential Health Information</strong></h2>



<p class="">Another requirement of ISO 13485 section 4.2.5 is that medical device organizations must ensure that they are protecting confidential health information in accordance with regulatory requirements.</p>



<p class="">Medical device companies receive health information in a variety of ways. Many different medical devices and IVDs contain electronic data related to patients, with this data sometimes being stored in a cloud or accessible during servicing. Organizations might also receive health information from customer complaints, during clinical trials/studies, and when creating a custom medical device.</p>



<p class="">All of this data and health information must have an extra layer of security for how it is received and maintained. Companies should be certain that all relevant information is protected according to the relevant regulatory requirements, such as HIPAA in the United States.</p>



<h3 class="wp-block-heading"><strong>Changes to Records</strong></h3>



<p class="">There are two main times when a record would need to be changed.</p>



<p class="">The first is during the data entry process when a mistake is made. When documents are changed this way, companies need to maintain the original entry if possible.</p>



<p class="">For paper records, the best practice is to have a strikethrough of the mistake, as well as the date and initials of the person performing the correction. For digital records, the system should automatically capture any changes made to the record, as well as the date, time, and user who made the changes.</p>



<p class="">The second type of change is much rarer and is done after a record has been completed/finalized.&nbsp;</p>



<p class="">For paper records, the mechanism of changing may be the same as above; however, there should be a comment or description of why the change was made.&nbsp;</p>



<p class="">For digital records, the company can use its document change control procedure to create a new revision of the record with updated information. The original version of the record should be maintained, and the reason for the change should be included.</p>



<h2 class="wp-block-heading"><strong>Good Practices for Records</strong></h2>



<p class="">Following Good Documentation Practices (GDP) can be very helpful for proper record-keeping. Note that while many of these are not listed in ISO 13485 or FDA requirements, not following them can result in audit findings and FDA Form 483s.&nbsp;</p>



<ul class="wp-block-list">
<li class="">Pages should be numbered for completeness and to prevent changes.</li>



<li class="">Headers or other identifying information should be carried over to each page of a record.</li>



<li class="">Signatures should be accompanied by a printed name and date.</li>



<li class="">Hand-written signatures should always be done with ink (not a pencil).</li>



<li class="">All entry areas and checkboxes should be completed when filling out a form. If that field does not have any data, “N/A” can be entered into that area.</li>



<li class="">Records and data cannot be “pre-dated” or “post-dated”. This is a common mistake when a form is printed to be signed. However, all dates need to be made at the same time as the signatures.&nbsp;</li>



<li class="">Another person’s signature or initials should not be used on a form.</li>



<li class="">For an electronic signature to be valid, it must comply with the requirements of 21 CFR Part 11.</li>



<li class="">It can be a good idea to have a second person verify critical data for accuracy and completeness. The identification and date of the second review should be recorded.</li>
</ul>



<p class="">If a company is planning on having many records filled out on paper, it’s a good idea to ensure that all <a href="https://hardcoreqms.com/13485/iso-13485-training-requirements/" data-type="post" data-id="257">relevant employees are trained</a> on GDPs. Otherwise, Quality will have to spend more time verifying records to ensure information is entered correctly.</p>



<h2 class="wp-block-heading"><strong>Digital Records</strong></h2>



<p class="">Digital records are much more convenient than paper records, from both a usability and retrieval standpoint. However, there are some considerations that should be made for digital records.</p>



<p class="">There are certain regulatory requirements that surround digital records. One easy example is that records for devices sold in the US must be compliant with <a href="https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11" data-type="link" data-id="https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11" target="_blank" rel="noopener">21 CFR Part 11</a>. Another is the cybersecurity requirements in <a href="https://www.iso.org/standard/27001" data-type="link" data-id="https://www.iso.org/standard/27001" target="_blank" rel="noopener">ISO 27001</a>.</p>



<p class="">For storage, companies need to factor in the lifespan of the relevant software. While this is becoming less common with cloud storage, there are older software systems where the records are not easily exportable, and the software is no longer being updated. This means that any issue could lead to a loss of records.</p>



<p class="">From a security standpoint, records should be protected from unauthorized access and entries coming from inside and outside the organization. Records can either be stored in such a way that they cannot be amended once filed, or access to records can be controlled digitally. Cybersecurity measures can protect from access outside of the organization.</p>



<p class="">Any software that will be used for creating or storing records must be validated. This is to ensure that the software meets the above requirements and complies with ISO 13485 section 4.1.6.</p>



<h2 class="wp-block-heading"><strong>Paper-Based Records</strong></h2>



<p class="">While paper-based records are much more cumbersome than digital records, there are some advantages. For example, the systems do not need validation, there are fewer regulatory requirements, and they are cheaper in the short term.</p>



<p class="">However, besides the drawbacks to efficiency, there are other considerations for paper documents.</p>



<p class="">Paper documents require much more work around GDP. Entries cannot be limited or automated in forms, all handwriting must be clear, and there are specific requirements surrounding signatures. Information entered into paper records must also be accompanied by a signature and date. This means that a larger number of employees need to be trained in record-keeping processes.</p>



<p class="">Paper documents must also be maintained securely. It is typical for paper records to be stored in lockable fireproof cabinets to prevent the loss of records in an emergency. Companies need to be careful and maintain responsibility for all copies of paper documents.</p>



<h2 class="wp-block-heading"><strong>Wrapping Up</strong></h2>



<p class="">Sometimes, when you are working in the medical device industry, it can feel like everything you do is related to records. And that’s not far from the case! By following the information laid out in this article, you can help your company meet the <strong>control of records</strong> requirements of ISO 13485.</p>



<p class="">If you have any questions or comments about medical device records, please leave a comment below. Also, if you found this article helpful, check out our <a href="https://hardcoreqms.com/13485/">ISO 13485</a> page and sign up for our newsletter below.</p>



]]></content:encoded>
					
					<wfw:commentRss>https://hardcoreqms.com/13485/medical-device-records/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">795</post-id>	</item>
		<item>
		<title>Management Representative and Responsibilities for ISO 13485 5.5</title>
		<link>https://hardcoreqms.com/13485/management-representative-responsibilities/</link>
					<comments>https://hardcoreqms.com/13485/management-representative-responsibilities/#respond</comments>
		
		<dc:creator><![CDATA[Grant Gibson]]></dc:creator>
		<pubDate>Mon, 21 Apr 2025 23:00:36 +0000</pubDate>
				<category><![CDATA[ISO 13485]]></category>
		<guid isPermaLink="false">https://hardcoreqms.com/?p=650</guid>

					<description><![CDATA[<p>Part of maintaining good quality is accountability. You have to understand which people are in charge of which processes so that there are clear lines of responsibility. Without that, tasks are left fuzzy, and no one knows who is supposed to perform certain actions.&#160; Section 5.5 of ISO 13485 (Responsibility, authority, and communication) may not ... <a title="Management Representative and Responsibilities for ISO 13485 5.5" class="read-more" href="https://hardcoreqms.com/13485/management-representative-responsibilities/" aria-label="More on Management Representative and Responsibilities for ISO 13485 5.5">Read more</a></p>
<p>The post <a rel="nofollow" href="https://hardcoreqms.com/13485/management-representative-responsibilities/">Management Representative and Responsibilities for ISO 13485 5.5</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="">Part of maintaining good quality is accountability. You have to understand which people are in charge of which processes so that there are clear lines of responsibility. Without that, tasks are left fuzzy, and no one knows who is supposed to perform certain actions.&nbsp;</p>



<p class="">Section 5.5 of ISO 13485 (Responsibility, authority, and communication) may not require its own procedure, but it&#8217;s still important for an organization to meet the requirements and achieve a high level of quality in its processes and products.&nbsp;</p>






<h2 class="wp-block-heading" id="the-why"><strong>The Why</strong></h2>



<p class="">Quality is not something that you can leave employees to create on their own. By establishing clear responsibilities and enabling people through authority, people are better able to produce high-quality devices and help the QMS improve.&nbsp;</p>



<p class="">The goal of the Management Representative is to have one person who is knowledgeable about the relevant standards and regulations and empowered to implement changes for the betterment of the QMS and the company.</p>



<h2 class="wp-block-heading" id="responsibility-and-authority-5-5-1"><strong>Responsibility and Authority (5.5.1)</strong></h2>



<p class="">Top management must ensure that all roles within an organization are well-defined. Without roles being defined, it becomes easy to brush off aspects of a process as “not your job”.&nbsp;</p>



<p class="">Typically, top management delegates authority to employees through job descriptions and organizational charts. If you read our <a href="https://hardcoreqms.com/13485/iso-13485-training-requirements/" data-type="post" data-id="257">Training Requirements Guide</a>, you know that job descriptions need to be controlled within your organization’s QMS.&nbsp;</p>



<p class="">Additionally, companies also list responsibilities for different processes within the relevant work instructions or SOPs. This can make it clear who will be doing each section of the process. If your organization is going this route, you can make sure responsibilities are added to documents following your <a href="https://hardcoreqms.com/13485/document-control-iso-13485/" data-type="post" data-id="447">document control procedure</a>.</p>



<h3 class="wp-block-heading" id="the-organizational-chart"><strong>The Organizational Chart</strong></h3>



<p class="">An <a href="https://en.wikipedia.org/wiki/Organizational_chart" data-type="link" data-id="https://en.wikipedia.org/wiki/Organizational_chart" target="_blank" rel="noopener">Org Chart</a> needs to exist within a company’s QMS to show the interrelation of personnel. The level of detail and location of the Org Chart will depend on the size and needs of the company.&nbsp;</p>



<p class="">For example, a large company may have an Org Chart that is specific to roles and departments and does not go into granular detail about who is in each role. You’ll often find this type of Org Chart in a company’s Quality Manual, but it is perfectly acceptable to have it as a standalone document referenced in the Quality Manual.</p>



<p class="">Medium and large companies may also have human resources software that can show a full Org Chart, including each employee and their manager. However, it may be difficult to access this information during an audit, and the chart would be impossible to move through if it contained thousands of employees. For this reason, a company may choose to have both the software and a department-level Org Chart built into the Quality Manual.</p>



<p class="">At smaller companies, it can be feasible to include each individual employee and their role within the Org Chart. If you are taking this approach, I highly recommend having an Org Chart as a separate document referenced in the Quality Manual. That way, you do not need to change the Quality Manual every time the Org Chart is updated.</p>



<h3 class="wp-block-heading" id="independence"><strong>Independence</strong></h3>



<p class="">ISO 13485 section 5.5.1 includes the statement “<em>personnel who manage, perform, and verify work affecting quality shall ensure the independence and authority necessary to perform these tasks</em>”.</p>



<p class="">It’s useful to think about this both from an organizational level and a specific task level.</p>



<p class="">From an organizational level, it can be detrimental for certain members of Quality to report directly under Operations/Manufacturing. The employees in Quality may feel that they can’t be honest in their role without facing career repercussions. Many times, Medical Device companies will have a separate area for Quality on their Org Chart, including the Head of Quality having a connection or “dotted-line” connection to the CEO.</p>



<p class="">However, the feasibility of this approach will depend on the size of the organization. Smaller companies may have limited managers and no employees dedicated to Quality. These companies should focus on empowering employees to point out quality concerns with their work.</p>



<p class="">At the task level, all sizes of organizations need to maintain independence for certain activities.&nbsp;</p>



<p class="">One of the main activities cited here is internal audits. Put simply, people should never be in a position to audit their own work. It’s also not advisable to have someone audit the work of their direct superior.&nbsp;</p>



<p class="">At larger companies, it can be easier to train different employees in internal audits and have them audit areas outside of their work function. At smaller companies, there may be one or no member of the organization who is qualified to lead audits, and the company should look at outsourcing its internal audit.</p>



<h2 class="wp-block-heading" id="the-management-representative-5-5-2"><strong>The Management Representative (5.5.2)</strong></h2>



<p class="">The Management Representative is a strange role that exists in organizations following a QMS. The purpose is to have one specific individual who is responsible for making sure every part of the QMS is effective, meets the standards, and is communicated to top management and the rest of the organization.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" fetchpriority="high" decoding="async" width="920.5" height="613" src="https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2025/04/management-rep-information.png?resize=920.5%2C613&#038;ssl=1" alt="Summarizing the responsibilities and role of the management Rep." class="wp-image-833" srcset="https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2025/04/management-rep-information.png?resize=1024%2C682&amp;ssl=1 1024w, https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2025/04/management-rep-information.png?resize=300%2C200&amp;ssl=1 300w, https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2025/04/management-rep-information.png?resize=768%2C512&amp;ssl=1 768w, https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2025/04/management-rep-information.png?resize=1536%2C1023&amp;ssl=1 1536w, https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2025/04/management-rep-information.png?w=1825&amp;ssl=1 1825w" sizes="(max-width: 920px) 100vw, 920px" /></figure>



<h3 class="wp-block-heading" id="what-are-the-duties-of-a-medical-device-management-representative"><strong>What are the duties of a Medical Device Management Representative?</strong></h3>



<p class="">The specifics of what the Management Representative does will vary depending on the size of the organization; however, here are the responsibilities laid out in ISO 13485:</p>



<ul class="wp-block-list">
<li class="">Verify that the processes needed for the QMS conform to ISO 13485 and are documented</li>



<li class="">Inform top management of the effectiveness of the QMS and areas where it can improve</li>



<li class="">Promote awareness of the standard and applicable regulatory requirements throughout the company</li>
</ul>



<p class="">While ISO 13485 lists these as requirements for the Management Representative, it’s important to note that any or all of these tasks can be delegated to different members of the organization. However, the Management Rep has ultimate responsibility for ensuring the activities are completed.</p>



<p class="">The first responsibility is setting up and/or maintaining the QMS. If there are needed procedures, they should be written or reviewed by the Management Representative or a designee. The maintenance of the QMS is also supported by the Management Representative&#8217;s involvement in internal audits.</p>



<p class="">The second responsibility is most often done through the <a href="https://hardcoreqms.com/13485/management-review-iso-13485/" data-type="post" data-id="301">Management Review Meeting</a>. The Management Rep can either prepare the information and lead the entire review, or they can delegate information gathering and the presentation to different employees. Either way, the Management Rep must be involved and participate in the Management Review.</p>



<p class="">The third responsibility comes down to training. The training for employees should go beyond specific work duties and include information on how activities help meet the QMS and regulatory requirements. The Management Rep should also ensure that the Quality Policy and different Quality Objectives are communicated throughout the organization.</p>



<h3 class="wp-block-heading" id="who-can-be-the-management-representative"><strong>Who can be the Management Representative?</strong></h3>



<p class="">Per the standard, the Management Representative must be a member of management. They do not necessarily need to be an executive, but if they are not, they should be a manager who reports to an executive.</p>



<p class="">As usual, the person who will be the Management Rep will depend on the organization. A company may have a Quality Manager or Quality Director that acts as the Management Rep. It could alternatively have a more Regulatory-specific position that includes the Management Rep duties.&nbsp;&nbsp;</p>



<p class="">However, at smaller companies, there may not be a specific member of the organization who is focused on Quality. In these situations, it is acceptable to have a different member of the management team identified as the Management Rep.&nbsp;</p>



<p class="">However, there are a couple of difficulties in this situation. The first is that it is critical that there are no conflicts of interest between the responsibilities of being the Management Rep and their other responsibilities. This can make it difficult for a manager of Operations, especially a manager of Operations who does not have a background in Quality, to be the Management Rep.</p>



<p class="">The second is that a Management Rep outside of Quality may not have the necessary expertise to understand the requirements of the role.&nbsp;</p>



<p class="">No matter the situation, the Management Rep should have significant experience and training related to Quality requirements (sign up for the newsletter below).&nbsp;</p>



<p class="">If someone outside of Quality/Regulatory is going to be the Management Rep, they should be given outside training to help them succeed in the role. It’s crucial for the Management Rep to have the appropriate knowledge and authority to be respected by other members of the management team.</p>



<h3 class="wp-block-heading" id="how-is-the-management-representative-identified"><strong>How is the Management Representative identified?</strong></h3>



<p class="">I’ve seen companies use two approaches to identifying the Management Representative.</p>



<p class="">The first is a callout in the Quality Manual, Org Chart, or Management Review procedure, either to a specific person or a title (e.g. the Quality Manager is appointed as the Management Representative).</p>



<p class="">The second is a formal document stating the responsibilities of the Management Rep, signed by the Management Rep and a member or members of top management.</p>



<h3 class="wp-block-heading" id="can-there-be-more-than-one-management-representative"><strong>Can there be more than one Management Representative?</strong></h3>



<p class="">There can only be one Management Representative for a QMS. </p>



<p class="">At larger companies, there may be more than one Management Rep throughout the entire organization, but this is only applicable if the company has different Quality Management Systems that each have their own ISO 13485 certificate.</p>



<h2 class="wp-block-heading" id="internal-communication-5-5-3"><strong>Internal Communication (5.5.3)</strong></h2>



<p class="">The last part of ISO 13485 section 5.5 is focused on communication, which is often taken for granted within organizations.&nbsp;</p>



<p class="">Two-sided communication is necessary to maintain a successful QMS. Top management and the Management Rep must disseminate information about the effectiveness of the QMS and related goals throughout the company.</p>



<p class="">At the same time, anyone in the company should be able to communicate feedback and offer improvements related to the QMS. The feedback should be encouraged by top management and reviewed seriously and efficiently by the correct people.&nbsp;</p>



<p class="">One piece of advice for encouraging employees to make suggestions about processes and the QMS is that it should not feel like homework. If employees have to navigate to a hard-to-find area in the company’s intranet or fill out a detailed form, they will be less likely to offer feedback.</p>



<p class="">The types of two-way communication will vary by company but can include meetings, feedback sessions, suggestion drop boxes, emails, posters, and more. Everyone in the company should know that top management is committed to the organization’s quality.</p>



<h2 class="wp-block-heading" id="wrapping-up">Wrapping Up</h2>



<p class="">Quality starts with people understanding their roles and how they can contribute to products and the system. To conform to ISO 13485 section 5.5, an organization needs to have a documented organizational chart with clearly defined roles and responsibilities. They should also appoint a Management Representative who has responsibility for the Quality System and communicates the effectiveness of the QMS to other members of management and throughout the organization.</p>



<p class="">If you have any questions, please leave a comment. If you found this article helpful, be sure to sign up for the newsletter below and review the rest of our articles, which cover ISO 13485 requirements in-depth.</p>



<p class=""></p>
<p>The post <a rel="nofollow" href="https://hardcoreqms.com/13485/management-representative-responsibilities/">Management Representative and Responsibilities for ISO 13485 5.5</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://hardcoreqms.com/13485/management-representative-responsibilities/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">650</post-id>	</item>
		<item>
		<title>The 5 Key Elements of ISO 13485</title>
		<link>https://hardcoreqms.com/13485/key-elements-of-iso-13485/</link>
					<comments>https://hardcoreqms.com/13485/key-elements-of-iso-13485/#respond</comments>
		
		<dc:creator><![CDATA[Grant Gibson]]></dc:creator>
		<pubDate>Tue, 15 Apr 2025 02:17:44 +0000</pubDate>
				<category><![CDATA[ISO 13485]]></category>
		<guid isPermaLink="false">https://hardcoreqms.com/?p=757</guid>

					<description><![CDATA[<p>Creating a QMS that conforms to ISO 13485 is a major undertaking and can be very complicated for people who are new to the medical device industry. To help you get started, I&#8217;m breaking down the five key elements of ISO 13485 and explaining the importance of the standard. Element 1: Management Responsibility The single most ... <a title="The 5 Key Elements of ISO 13485" class="read-more" href="https://hardcoreqms.com/13485/key-elements-of-iso-13485/" aria-label="More on The 5 Key Elements of ISO 13485">Read more</a></p>
<p>The post <a rel="nofollow" href="https://hardcoreqms.com/13485/key-elements-of-iso-13485/">The 5 Key Elements of ISO 13485</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="">Creating a QMS that conforms to ISO 13485 is a major undertaking and can be very complicated for people who are new to the medical device industry. To help you get started, I&#8217;m breaking down the five key elements of ISO 13485 and explaining the importance of the standard.</p>



<h2 class="wp-block-heading"><strong>Element 1: Management Responsibility</strong></h2>



<p class="">The single most important element in ISO 13485 is top management’s commitment to the Quality Management System (QMS). Employees can try their best to create high-quality, effective medical devices, but this will be impossible to achieve unless top management has bought into the process. </p>



<p class="">Top management are the ones who can dedicate the needed personnel and resources for implementing and maintaining the QMS. They make key decisions about where to focus improvement efforts when there are major concerns or negative trends.</p>



<p class="">Everything involving Quality and the QMS is made easier with top management’s commitment. If they view Quality as a means to the end of conforming to regulations, that is what the QMS will become. However, if they view the QMS as a tool for improving every process in the company and supporting the production of safe medical devices, they will see how much more power lies in the processes found in ISO 13485.</p>



<p class="">ISO 13485 has an entire section on Management Responsibility (section 5). Some of the ways top management can demonstrate their commitment to the QMS are through participation in <a href="https://hardcoreqms.com/13485/management-review-iso-13485/" data-type="post" data-id="301">management reviews</a>, creation of the <a href="https://hardcoreqms.com/13485/quality-policy-iso-13485/" data-type="post" data-id="363">Quality Policy</a> and Objectives, and appointing a Management Representative.</p>



<h2 class="wp-block-heading"><strong>Element 2: Customer Focus</strong></h2>



<p class="">The next key element of ISO 13485 is Customer Focus. Customers are essential for any business, but there are two types of customers that should be considered for a Medical Device company.</p>



<p class="">The first are the direct customers of the business, such as doctors, hospitals, or other medical device companies. Organizations need to understand and respond to their customers’ requirements as well as requirements not stated by their customers that are still essential for use. </p>



<p class="">Section 7.2 of ISO 13485, titled Customer-Related Processes, is all about how the company will determine and meet these requirements.  However, many of the other sections, such as Installation, Servicing, Complaint Handling, and more, involve heavy interaction with customers, and the customers’ needs should be considered. Organizations should also examine how they can help doctors use their products during the design and development phases.</p>



<p class="">The second type of customers are the patients who depend on the medical devices being produced. A medical device company should do everything in its power to support the safety and performance of its devices. Sections related to design and development, cleanliness of product, and sterilization are not there to check a box but rather to support the safety of devices used with patients.</p>



<h2 class="wp-block-heading"><strong>Element 3: Risk-Based Decision Making</strong></h2>



<p class="">One principle of ISO 13485 that is unique to medical device companies is the reliance on risk-based decision-making. While other standards involve the idea of risk, there is a definition of risk that is unique to medical devices, which is:&nbsp;</p>



<p class=""><em>The combination of the probability of the occurrence of harm and the severity of that harm.</em></p>



<p class="">If you are part of the medical device industry, you are familiar with the role risk plays. As part of supporting the patients who need their products, organizations need to look at many decisions through the lens of risk.</p>



<p class="">When a company is setting up a <a href="https://hardcoreqms.com/13485/medical-device-supplier-management/" data-type="post" data-id="613">supplier management process</a>, it should consider the risk the purchased products pose to the device. When it is determining how to handle a nonconformity, it should consider the risk of different dispositions. Every step of the design and development process is deeply intertwined with the concept of risk.</p>



<p class="">While risk is mentioned many times in ISO 13485, there is an additional standard that talks about risk: ISO 14971. Both of these standards are essential to the operation of a medical device QMS.</p>



<h2 class="wp-block-heading"><strong>Element 4: Document Everything</strong></h2>



<p class="">While risk is specific to medical devices, the next key element of ISO 13485 applies to many QMS standards, and that is to <strong>document everything!</strong></p>



<p class=""><a href="https://hardcoreqms.com/13485/document-control-iso-13485/" data-type="post" data-id="447">Documentation</a> is the foundation of a QMS. The first requirement in ISO 13485 is that:</p>



<p class=""><em>The organization shall document a quality management system and maintain its effectiveness in accordance with the requirements of this International Standard and applicable regulatory requirements.</em></p>



<p class="">All of your processes, work instructions, specifications, labels, etc., need to be documented. Not only that, but the documents need to be controlled so that they are approved by appropriate functions, any changes are managed, and they are available where they are needed.</p>



<p class="">Once you’ve documented all of the processes, you also need to document the outputs of those processes. The outputs are considered records and should be kept as records for customers, auditors, and regulatory bodies to see evidence that you followed your documented process.</p>



<p class="">The ISO 13485 sections focused on documentation are 4.2.4 <a href="https://hardcoreqms.com/13485/document-control-iso-13485/" data-type="post" data-id="447">Control of Documents</a> and 4.2.5 Control of Records. However, nearly every section of ISO 13485 states that a process must be “documented”, and when it’s not explicitly stated, it is implied.</p>



<p class="">So, get to writing!</p>



<h2 class="wp-block-heading"><strong>Element 5: Improvement is Essential</strong></h2>



<p class="">The final key element of ISO 13485 is that the organization must always be working to improve itself and its QMS.</p>



<p class="">A QMS should never be seen as a static system that can be set up and forgotten. There are constant <a href="https://hardcoreqms.com/13485/medical-device-change-control/" data-type="post" data-id="541">changes</a> to regulations, standards, and the business environment, and a company that does not update its QMS is at risk of losing its position or failing to remain in compliance.</p>



<p class="">The inputs for improvement can come from many places: internal and external audits, customer feedback, customer complaints, corrective and preventive actions, management reviews, and nonconformances. Improvement can also come from a desire to make the QMS as good as possible, both to support customers and different employees at the company.</p>



<p class="">Improvement ties in all of the principles discussed in this article. Management has a responsibility to determine which areas to improve and dedicate resources to improvement activities. Improving processes and devices is crucial for supporting customers. Risk-based decisions can help guide the organization to the specific issues that warrant the most attention.</p>



<p class="">Not only is improvement essential for the operation of a QMS, but it is also one area that can bring the most joy to employees. People want to be a part of improvement efforts and see processes change for the better. The ability to provide input to a company can go a long way to keeping employees interested and committed to the organization.</p>



<h2 class="wp-block-heading"><strong>Wrapping Up</strong></h2>



<p class="">By learning these 5 key elements, you are on your way to understanding ISO 13485 and its role in the medical device industry. If you found this article helpful and want to learn more about the standard, the <a href="https://hardcoreqms.com/13485/" data-type="link" data-id="https://hardcoreqms.com/13485/">ISO 13485</a> page features articles on many of the different processes and requirements. To stay up to date, be sure to sign up for the newsletter below. </p>
<p>The post <a rel="nofollow" href="https://hardcoreqms.com/13485/key-elements-of-iso-13485/">The 5 Key Elements of ISO 13485</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://hardcoreqms.com/13485/key-elements-of-iso-13485/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">757</post-id>	</item>
		<item>
		<title>Verifying Purchased Product According to ISO 13485 7.4.3</title>
		<link>https://hardcoreqms.com/13485/verification-purchased-product/</link>
					<comments>https://hardcoreqms.com/13485/verification-purchased-product/#respond</comments>
		
		<dc:creator><![CDATA[Grant Gibson]]></dc:creator>
		<pubDate>Mon, 31 Mar 2025 22:31:03 +0000</pubDate>
				<category><![CDATA[ISO 13485]]></category>
		<category><![CDATA[Procedure Guides]]></category>
		<guid isPermaLink="false">https://hardcoreqms.com/?p=738</guid>

					<description><![CDATA[<p>You’ve qualified your suppliers and purchased their products, but what should a company do once the products arrive? ISO 13485 section 7.4.3 is all about the verification of purchased products to ensure they meet the company’s and supplier’s specifications. What are the requirements for verification of purchased product? The variety in purchased product verification can ... <a title="Verifying Purchased Product According to ISO 13485 7.4.3" class="read-more" href="https://hardcoreqms.com/13485/verification-purchased-product/" aria-label="More on Verifying Purchased Product According to ISO 13485 7.4.3">Read more</a></p>
<p>The post <a rel="nofollow" href="https://hardcoreqms.com/13485/verification-purchased-product/">Verifying Purchased Product According to ISO 13485 7.4.3</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="">You’ve qualified your suppliers and purchased their products, but what should a company do once the products arrive? ISO 13485 section 7.4.3 is all about the verification of purchased products to ensure they meet the company’s and supplier’s specifications.</p>



<div class="wp-block-rank-math-toc-block" id="rank-math-toc"><h2>Table of Contents</h2><nav><ul><li><a href="#what-are-the-requirements-for-verification-of-purchased-product">What are the requirements for verification of purchased product?</a></li><li><a href="#relationship-between-supplier-management-and-verification">Relationship between Supplier Management and Verification</a></li><li><a href="#verifications-of-products">Verifications of Products</a></li><li><a href="#verification-of-services">Verification of Services</a></li><li><a href="#supplier-nonconformities">Supplier Nonconformities</a></li><li><a href="#documentation-requirements">Documentation Requirements</a></li><li><a href="#changes-to-purchased-product">Changes to Purchased Product</a></li><li><a href="#wrapping-up">Wrapping Up</a></li></ul></nav></div>



<h2 class="wp-block-heading" id="what-are-the-requirements-for-verification-of-purchased-product"><strong>What are the requirements for verification of purchased product?</strong></h2>



<p class="">The variety in purchased product verification can be massive, which is one reason that ISO 13485 is not prescriptive in this section. What the requirement comes down to is that an organization must have established processes for the inspection or other verification activities needed to confirm purchased product meets purchasing requirements.</p>



<p class="">It is up to the organization to decide on the method they will use to check the products they purchase. Some of the inputs going into the decision are the type of product, risk level, effect the purchased product has on the medical device, and feasibility of verification. As I will discuss below, the most influential input is the supplier management process.</p>



<h2 class="wp-block-heading" id="relationship-between-supplier-management-and-verification"><strong>Relationship between Supplier Management and Verification</strong></h2>



<p class="">Companies should always strive to lower their appraisal costs. Inspection and other forms of verification are expensive and are one of the least effective means of guaranteeing the quality of their devices.&nbsp;</p>



<p class="">For purchased products, a company does not have the option of further validating or improving the process. This means that the mechanism to lower appraisal costs is <a href="https://hardcoreqms.com/13485/medical-device-supplier-management/" data-type="post" data-id="613">supplier management</a>.</p>



<p class="">One way of understanding this is that, at similar risk levels, there is an inverse relationship between supplier management and verification of purchased products. Companies can choose to do 100% inspection for every purchase and have minimal supplier controls, but this is ineffective and expensive.&nbsp;</p>



<p class="">Instead, they should utilize their supplier management process to establish tight relationships with high-quality suppliers. If an organization can trust that the materials coming in their door will meet specifications, they do not need to devote as much time to verification.</p>



<p class="">This idea can be built into your supplier management process. As you determine the different risk levels and requirements for various products, you can state the required verification activities for those risk levels. You can also lower the verification activities if the supplier meets the stated criteria.</p>



<p class="">For certain types of suppliers, such as sterilization suppliers, companies may not have easy methods of verifying that the activity was successfully completed. This is why sterilization suppliers are almost always in the highest risk category of a medical device company’s supplier management process. The verification is built into the supplier management process.</p>



<h2 class="wp-block-heading" id="verifications-of-products"><strong>Verifications of Products</strong></h2>



<p class="">As usual, the type of verification activities a company should perform depends on its medical device and the purchased product.</p>



<p class="">Certain verification activities extend beyond medical devices and are good for any business, namely checking that all of the purchased products are there, identified, and undamaged.</p>



<p class="">Other initial activities can include checking the packing slip and any Certificates of Conformity (CoC) or Certificates of Analysis (CoA). For low-risk products and/or well-qualified suppliers, this could be the full extent of the verification activities.&nbsp;</p>



<p class="">That said, it is still a good idea to occasionally verify the supplier’s claims. Confirming the results of a CoC/CoA can be done frequently when initially qualifying a supplier, with fewer checks performed once the relationship is established. Organizations can also choose to verify the supplier’s products according to different sampling plans.</p>



<p class="">Verification activities that require more resources include testing and inspection of purchased products. This could mean measuring products with mechanical tools to see if the dimensions are within specification, sending products out to 3rd party testing companies, etc.</p>



<p class="">The inspection and testing will need to be performed according to a specified sampling plan. It is a good idea to include items like the AQL criteria in a Quality Agreement with a supplier so that both parties can better agree on the inspection results. The sampling plan could also change based on the results of previous inspections, with increased inspection being performed if products are consistently outside of their specifications.</p>



<h2 class="wp-block-heading" id="verification-of-services"><strong>Verification of Services</strong></h2>



<p class="">While measuring a product makes sense to most people, it’s common to struggle with the idea of verifying services.&nbsp;</p>



<p class="">No surprise, but the type of verification will depend on the specific service being provided.</p>



<p class="">As an example, it is standard for <a href="https://hardcoreqms.com/13485/iso-13485-measuring-equipment/" data-type="post" data-id="526">calibration suppliers</a> to send certificates for the calibration of measuring equipment. Organizations should review the calibration certificates to ensure they contain the necessary information and include any organization-specific requirements. For a service supplier providing internal auditing, the verification could be the receipt and review of the audit report.</p>



<p class="">Sterilization suppliers perform a high-risk process that is difficult to verify. To verify the sterilization activities, companies should record the CoC in addition to having strong supplier controls. Remember, supplier management activities like auditing can be included as part of the verification of purchased product.</p>



<h2 class="wp-block-heading" id="supplier-nonconformities"><strong>Supplier Nonconformities</strong></h2>



<p class="">Organizations also need to determine how they will respond when an incoming test or inspection determines that a product or service does not meet its specifications.&nbsp;</p>



<p class="">Similar to an internal nonconformance process, companies have several options available. They can return the product to the supplier, rework the purchased product, accept the product&#8217;s use under concession, or scrap the material on site. The <a href="https://www.fda.gov/medical-devices/medical-device-single-audit-program-mdsap/mdsap-audit-procedures-and-forms" data-type="link" data-id="https://www.fda.gov/medical-devices/medical-device-single-audit-program-mdsap/mdsap-audit-procedures-and-forms" target="_blank" rel="noopener">MDSAP audit approach</a> has more information about dispositioning nonconforming purchased product. The decision should be approved and documented.</p>



<p class="">The organization should also notify the supplier about the nonconformance. If the nonconformance is serious or if there are repeated nonconformances, the issue may escalate to a Supplier Corrective Action Request, which we cover in more detail in our <a href="https://hardcoreqms.com/13485/medical-device-supplier-management/" data-type="post" data-id="613">Supplier Management Guide</a>.</p>



<h2 class="wp-block-heading" id="documentation-requirements"><strong>Documentation Requirements</strong></h2>



<p class="">An organization should document or record the following information to support its processes for verifying purchased material:</p>



<ul class="wp-block-list">
<li class="">Process for verifying purchased products</li>



<li class="">Process for handling nonconforming purchased products</li>



<li class="">Inspection, test, and sampling plans for purchased products</li>



<li class="">Records of verification of purchased products</li>



<li class="">Records resulting from any nonconforming purchased products</li>
</ul>



<p class="">I also recommend holding onto supplier-provided documents like CoCs with the verification records.&nbsp;</p>



<h2 class="wp-block-heading" id="changes-to-purchased-product"><strong>Changes to Purchased Product</strong></h2>



<p class="">The next requirement in ISO 13485 section 7.4.3 involves changes a supplier makes to a purchased product.</p>



<p class="">As part of supplier management, organizations need to have a Change Notification Agreement in place with their supplier. This requirement covers what the organization should do once they are notified of a change.</p>



<p class="">The good thing is that if the supplier is following the agreement, an organization should have a significant amount of time to respond to a change. As soon as a company becomes aware of a change from a supplier, it should initiate the change in its own <a href="https://hardcoreqms.com/13485/medical-device-change-control/" data-type="post" data-id="541">change control process</a>.</p>



<p class="">The actions taken will depend on the specifics of the change. A change could have no effect on the device, a facility change could require a new audit, and a specification change might start a whole series of design control activities.</p>



<p class="">If the change has anything to do with the fit, form, or function of the device, the change should be reviewed for its impact on the medical device. The change might be significant enough to require new design verification and validation activities.</p>



<p class="">While it is possible to grasp the full effects of the change based on the information in the notification, it’s also useful to test the newest version of the product once it is available. Additionally, it is common to perform a First Article Inspection on a new version of a product, which is a more thorough inspection, to ensure it matches the supplier&#8217;s and organization&#8217;s specifications.</p>



<h2 class="wp-block-heading" id="wrapping-up"><strong>Wrapping Up</strong></h2>



<p class="">Wrapping up, I will stress that while verifying purchased material may be necessary, organizations should have strong supplier controls to limit appraisal activities. Responding to nonconforming purchased material can be extremely difficult for a company and can seriously delay production. Having good supplier controls in place will not only lower appraisal costs but will also reduce the likelihood of having to handle nonconforming purchased products.</p>



<p class="">If you have any questions, please leave a comment. If you found this article helpful, be sure to sign up for the newsletter below and review the rest of our articles, which cover ISO 13485 requirements in-depth.</p>



<p class=""></p>
<p>The post <a rel="nofollow" href="https://hardcoreqms.com/13485/verification-purchased-product/">Verifying Purchased Product According to ISO 13485 7.4.3</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://hardcoreqms.com/13485/verification-purchased-product/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">738</post-id>	</item>
		<item>
		<title>Practical Guide to Medical Device Purchasing (ISO 13485 7.4.2)</title>
		<link>https://hardcoreqms.com/13485/purchasing-guide/</link>
					<comments>https://hardcoreqms.com/13485/purchasing-guide/#respond</comments>
		
		<dc:creator><![CDATA[Grant Gibson]]></dc:creator>
		<pubDate>Tue, 25 Mar 2025 00:43:09 +0000</pubDate>
				<category><![CDATA[ISO 13485]]></category>
		<guid isPermaLink="false">https://hardcoreqms.com/?p=636</guid>

					<description><![CDATA[<p>When it comes to Medical Device companies&#8217; purchasing processes, managing suppliers takes the bulk of the attention. This makes sense, as having a great supplier management system will make the other parts of the system run much smoother.&#160; That being said, Medical Device companies that want to conform to standards and regulations should still record ... <a title="Practical Guide to Medical Device Purchasing (ISO 13485 7.4.2)" class="read-more" href="https://hardcoreqms.com/13485/purchasing-guide/" aria-label="More on Practical Guide to Medical Device Purchasing (ISO 13485 7.4.2)">Read more</a></p>
<p>The post <a rel="nofollow" href="https://hardcoreqms.com/13485/purchasing-guide/">Practical Guide to Medical Device Purchasing (ISO 13485 7.4.2)</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="">When it comes to Medical Device companies&#8217; purchasing processes, managing suppliers takes the bulk of the attention. This makes sense, as having a great supplier management system will make the other parts of the system run much smoother.&nbsp;</p>



<p class="">That being said, Medical Device companies that want to conform to standards and regulations should still record their process for purchasing goods and services. This article will break down the processes Medical Device companies need to conform with ISO 13485 clause 7.4.2 when purchasing materials.</p>



<div class="wp-block-rank-math-toc-block" id="rank-math-toc"><h2>Table of Contents</h2><nav><ul><li><a href="#should-purchasing-be-its-own-procedure">Approved Supplier List</a></li><li><a href="#purchase-orders">Purchase Orders</a><ul><li><a href="#do-purchase-orders-need-to-be-approved">Do Purchase Orders Need to be Approved?</a></li></ul></li><li><a href="#change-notification-agreements">Change Notification Agreements</a></li><li><a href="#traceability-and-records">Traceability and Records</a></li><li><a href="#should-purchasing-be-its-own-procedure-1">Should Purchasing be its own SOP?</a></li><li><a href="#wrapping-up">Wrapping Up</a></li></ul></nav></div>



<h2 class="wp-block-heading" id="should-purchasing-be-its-own-procedure"><strong>Approved Supplier List</strong></h2>



<p class="">Having an up-to-date Approved Supplier List (ASL) makes it simple for companies to know which vendors can provide different materials and services. To learn more about supplier management and setting up an ASL, check out our guide, <a href="https://hardcoreqms.com/13485/medical-device-supplier-management/" data-type="post" data-id="613">Effective Supplier Management for Medical Devices</a>.</p>



<p class="">If you are purchasing any materials or services related to finished medical devices, the supplier must be on the ASL. If you need to purchase something that is not provided by a vendor on your ASL or if the approved supplier is not able to provide the material, Purchasing should work with Quality to get the vendor added as quickly as possible.</p>



<p class="">For this reason and to minimize supply issues, it can be beneficial to have multiple suppliers of the same material on your ASL. However, this must be weighed with the business risk of qualifying extra suppliers who will not be providing anything immediately, as well as the benefits of working with a single supplier.</p>



<h2 class="wp-block-heading" id="purchase-orders"><strong>Purchase Orders</strong></h2>



<p class="">Companies almost always use Purchase Orders (PO) to purchase from other companies. ISO 13485 lists four items required to be included or referenced in purchasing requirements:</p>



<ul class="wp-block-list">
<li class="">Purchase specifications</li>



<li class="">Requirements for product acceptance</li>



<li class="">Requirements for qualification of supplier personnel</li>



<li class="">Quality Management System Requirements.</li>
</ul>



<p class="">The last two requirements are best left to the Supplier Management system so that a company does not create them from scratch every time they have to purchase materials.</p>



<p class="">Purchase Orders typically focus on the first and second requirements: purchase specifications and conditions for product acceptance. For low-risk off-the-shelf products, this could be as simple as a PO documenting the part/catalog number and quantity.</p>



<p class="">For POs of complex, higher-risk, or custom products, more information should be included, such as:</p>



<ul class="wp-block-list">
<li class="">Revision levels</li>



<li class="">Packaging and shipping requirements</li>



<li class="">Certificates of Analysis</li>



<li class="">Inclusions of product verification data</li>



<li class="">Labeling</li>



<li class="">National or International standards (a commonly used example is RoHS compliance)</li>



<li class="">And more depending on your organization</li>
</ul>



<p class="">Engineering should be involved with communicating the specifications, part drawings, and product requirements to Purchasing. These documents can be sent alongside the PO to give the supplier as much information as possible.</p>



<p class="">Requirements for acceptance can be included in a PO, a Quality Agreement, or a combination of both. These might state that the supplier sends a Certificate of Conformance or other testing information with the materials. It could also reference an inspection plan and <a href="https://www.investopedia.com/terms/a/acceptable-quality-level-aql.asp" data-type="link" data-id="https://www.investopedia.com/terms/a/acceptable-quality-level-aql.asp" target="_blank" rel="noopener">Acceptable Quality Limit (AQL)</a> agreed upon by the company and supplier.</p>



<h3 class="wp-block-heading" id="do-purchase-orders-need-to-be-approved"><strong>Do Purchase Orders Need to be Approved?</strong></h3>



<p class="">ISO 13485 suggests that POs be checked for adequacy before being sent to suppliers.</p>



<p class="">The first part of this check is done during device design and development. Companies must ensure they have approved all of the requirements regarding their products before anything is requested from suppliers.</p>



<p class="">The second part comes when it is time to send out the PO. One option is to have Quality or a defined member of Purchasing physically approve each PO. I would caution against this approach, as it will add unnecessary paperwork burden and slow down the purchasing process.&nbsp;</p>



<p class="">The better option is to make sure that the entire Purchasing team is <a href="https://hardcoreqms.com/13485/iso-13485-training-requirements/" data-type="post" data-id="257">well-trained</a> on the organization’s supplier management and purchasing processes. That way, everyone involved with purchasing can understand which suppliers are on the ASL and the correct revision levels of materials to purchase.</p>



<h2 class="wp-block-heading" id="change-notification-agreements"><strong>Change Notification Agreements</strong></h2>



<p class="">Quality agreements are essential to purchasing for Medical Device companies; however, the area that is highlighted in ISO 13485 is the Change Notification Agreement.</p>



<p class="">The Change Notification Agreement dictates that a vendor must notify the purchasing organization before changing any aspect of the process or product.&nbsp;</p>



<p class="">For medium and high-risk products this is usually done through formal Quality Agreements. If you want to learn more about what is included in a Quality Agreement, please review our guide on <a href="https://hardcoreqms.com/13485/medical-device-supplier-management/" data-type="post" data-id="613">Supplier Management</a>.</p>



<p class="">For low-risk products and materials, the Change Notification Agreement can be as simple as a statement on the PO or in terms and conditions associated with the PO. Either way, this information needs to be communicated and agreed upon with the supplier.</p>



<h2 class="wp-block-heading" id="traceability-and-records"><strong>Traceability and Records</strong></h2>



<p class="">Traceability is another important aspect of producing Medical Devices; however, the criticality varies based on the nature and risk level of the specific device.</p>



<p class="">For purchasing, companies should, at a minimum, maintain records of their POs. The PO number is a common point of reference for the organization and the supplier and can be used for communications if there are any product defects found during incoming inspection.</p>



<p class="">Organizations should also try to tie the PO number and supplier lot/batch number to their internal lot/batch numbers of products. This is a requirement for higher-risk Medical Device companies, especially those producing implantable devices, but it is a best practice for all Medical Device organizations.</p>



<p class="">This level of traceability is important if there are defects found in stages of the production processes outside of incoming inspection, or in products that have been sent to customers. This information facilitates investigations and can be used as a starting point during supplier audits.</p>



<p class="">Other records of traceability that may need to be maintained, depending on the specific requirements of the organization, include Certificates of Analysis or Conformance, purchased material revision number, and supplier-provided verification information.</p>



<h2 class="wp-block-heading" id="should-purchasing-be-its-own-procedure-1"><strong>Should Purchasing be its own SOP?</strong></h2>



<p class="">Whether an organization should have a specific SOP on the purchasing process is completely up to that organization&#8217;s needs.  </p>



<p class="">It is common and perfectly acceptable to fold the purchasing process into a supplier management or similar procedure. The advantage is that it gives the company fewer SOPs to review and control as part of document management. It also means fewer documents must be accessed during audits and similar activities.</p>



<p class="">Personally, I like having a QMS with a greater number of SOPs that are shorter. The advantage is that if some part of the purchasing process changes, you don&#8217;t need to do a <a href="https://hardcoreqms.com/13485/medical-device-change-control/" data-type="post" data-id="541">change order</a> on the entire supplier management SOP. It also means that you can be more specific and only push out training for documents that are specific to an employee&#8217;s role.</p>



<p class="">The key is that an organization has to document a Purchasing process; however, it is free to make that its own SOP or include the processes as part of a larger SOP.</p>



<h2 class="wp-block-heading" id="wrapping-up"><strong>Wrapping Up</strong></h2>



<p class="">Medical device companies spend so much time focused on managing suppliers that they often overlook the act of buying the materials. However, as part of having a well-running QMS, organizations also need a process to ensure they purchase the correct parts and services from the right suppliers. By following this guide, you can set up your organization for success and conformance with ISO 13485 requirements.</p>



]]></content:encoded>
					
					<wfw:commentRss>https://hardcoreqms.com/13485/purchasing-guide/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">636</post-id>	</item>
		<item>
		<title>Effective Supplier Management for Medical Devices (ISO 13485 7.4.1)</title>
		<link>https://hardcoreqms.com/13485/medical-device-supplier-management/</link>
					<comments>https://hardcoreqms.com/13485/medical-device-supplier-management/#respond</comments>
		
		<dc:creator><![CDATA[Grant Gibson]]></dc:creator>
		<pubDate>Tue, 18 Mar 2025 00:03:18 +0000</pubDate>
				<category><![CDATA[ISO 13485]]></category>
		<category><![CDATA[Procedure Guides]]></category>
		<guid isPermaLink="false">https://hardcoreqms.com/?p=613</guid>

					<description><![CDATA[<p>All medical devices start from somewhere, and that somewhere is usually supplied by an outside organization. Supplier management is critical for medical device companies as the quality and safety of their devices is determined by the products and services coming in their door. Many medical device companies have difficulty with supplier management, and for good ... <a title="Effective Supplier Management for Medical Devices (ISO 13485 7.4.1)" class="read-more" href="https://hardcoreqms.com/13485/medical-device-supplier-management/" aria-label="More on Effective Supplier Management for Medical Devices (ISO 13485 7.4.1)">Read more</a></p>
]]></description>
										<content:encoded><![CDATA[
<p class="">All medical devices start from somewhere, and that somewhere is usually supplied by an outside organization. Supplier management is critical for medical device companies as the quality and safety of their devices is determined by the products and services coming in their door. </p>



<p class="">Many medical device companies have difficulty with supplier management, and for good reason. If the supplier management process is too lenient, it can lead to bad finished products, complaints, and worse. However, if the supplier management process is too intense, it will become watered down and convoluted, resulting in constant struggle and continuous audit findings from massive paperwork requirements.</p>



<p class="">Your supplier management process needs to be right-sized for your company to ensure that it maintains good relationships with suppliers and is constantly provided with high-quality products and services. We’ll break down the requirements of ISO 13485 section 7.4.1 and help you construct a powerful and effective supplier management process for your company.</p>






<h2 class="wp-block-heading" id="the-why"><strong>The Why</strong></h2>



<p class="">If a company wants to make a high-quality product, it must be supplied with high-quality materials. Effective supplier management is a great tool for ensuring an organization works with companies committed to the quality of what they produce.</p>



<p class="">Many people see supplier management as a massive undertaking that costs a company lots of time and money to implement, but this is backward. The expense of a recall resulting from a supplier concern costs much more than creating a worthwhile supplier management process.</p>



<p class="">Furthermore, if a medical device company wants to <a href="https://hardcoreqms.com/13485/verification-purchased-product/" data-type="link" data-id="https://hardcoreqms.com/13485/verification-purchased-product/">100% inspect</a> all of the material it receives, it can have minimal supplier controls. But I don&#8217;t recommend this approach.</p>



<p class="">The purpose of supplier management is to save time and money by building trusted relationships with talented suppliers.</p>



<h2 class="wp-block-heading" id="supplier-qualification-and-the-asl"><strong>Supplier Qualification and the ASL</strong></h2>



<p class="">Note: ISO 13485 does not have a section with “suppliers” in the title and instead includes requirements in section 7.4 on Purchasing. This article covers section 7.4.1 titled <strong>Purchasing Process</strong> which is not about the full purchasing process but focuses on supplier selection, qualification, and monitoring.</p>



<h3 class="wp-block-heading" id="approved-supplier-list"><strong>Approved Supplier List</strong></h3>



<p class="">The first step in your supplier management process involves the evaluation and selection of suppliers. You need to know if the supplier provides the type of material you need, what their quality system looks like, and if they can supply the quantities to meet your company&#8217;s demand.</p>



<p class="">The goal of this evaluation is to determine if the supplier meets your requirements and can be added to your Approved Supplier List (ASL). Nothing related to final product quality should be purchased from suppliers that are not on your ASL, as this puts you at serious risk of bad quality products, audit findings, and regulatory consequences.&nbsp;</p>



<p class="">(The one exception is contracting an initial pilot build or first article with a company that is not on your ASL to see if they meet your specifications and can be added to the ASL. However, the purchased materials should never be used on final products).</p>



<p class="">Your ASL will be your guiding document for suppliers. It will determine which companies Purchasing is allowed to order from and will be one of the first things an auditor looks at regarding your supplier management process.</p>



<p class="">It must be up-to-date and accurate, and many QMS software tools can help you manage your ASL. However, you can also have an ASL in a Word or Excel file that includes the relevant information. If you go this route, the ASL must be a controlled document within your <a href="https://hardcoreqms.com/13485/document-control-iso-13485/" data-type="link" data-id="https://hardcoreqms.com/13485/document-control-iso-13485/">document control system</a>.</p>



<p class=""><strong>What type of information needs to be included in an ASL?</strong></p>



<p class="">There are no specific requirements for what needs to be on a company&#8217;s ASL. In its most simple form, it could simply list company names and risk levels (discussed below). Depending on the software used, an ASL could also function more like an index that includes company names and links to more information about the company.</p>



<p class="">However, if you are building an ASL from scratch, here is the type of information that is commonly included:</p>



<ul class="wp-block-list">
<li class="">Supplier name</li>



<li class="">Contact information (either a quality or distribution contact)</li>



<li class="">Goods/services that are approved to be provided by the company</li>



<li class="">Supplier approval and re-evaluation date</li>



<li class="">Supplier classification or risk level</li>



<li class="">Supplier status</li>



<li class="">Links or references to supplier-related documents</li>
</ul>



<h3 class="wp-block-heading" id="what-types-of-suppliers-need-to-be-on-your-asl"><strong>What types of suppliers need to be on your ASL?</strong></h3>



<p class="">The short answer is a supplier that provides any material or service that affects the quality of your product or your quality management system. The longer answer depends on the specific needs of your organization and the type of medical device it is producing.&nbsp;</p>



<p class="">Some companies might not seem like suppliers at first, but notified bodies and regulatory agencies will tell you they are suppliers. One example is distributors, especially if they are distributing products that can only be purchased by physicians. For this reason, these companies should also be added to your ASL.</p>



<p class="">Consultants also need to be added to your ASL depending on the type of service they are providing. Examples include consultants conducting internal audits at your organization or aiding in the creation of 510(k) submissions.</p>



<p class="">Here are the types of suppliers that may need to be included in your ASL. Remember, however, that this list is not comprehensive and depends on the needs of your organization:</p>



<ul class="wp-block-list">
<li class="">Contract Manufacturers</li>



<li class="">Original Equipment Manufacturers (OEMs)</li>



<li class="">Raw material suppliers</li>



<li class="">Device component suppliers (both custom and off-the-shelf)</li>



<li class="">Contract sterilization services</li>



<li class="">Software companies that supply software related to your device</li>



<li class="">Software companies that affect your QMS (such as an eQMS provider)</li>



<li class="">Calibration and testing services</li>



<li class="">Design and development services</li>



<li class="">Consultants/contractors</li>



<li class="">Distributors</li>



<li class="">Packaging suppliers</li>
</ul>



<p class=""><strong>Who doesn’t need to be on your ASL?&nbsp;</strong></p>



<p class="">There are some obvious answers, like companies that supply toilet paper, snacks, or anything else that does not affect product quality. This list can also include companies supporting your organization with accounting, marketing, general IT, and other services. Ultimately, it is up to you to determine which suppliers are appropriate to not include on your ASL.</p>



<h3 class="wp-block-heading" id="supplier-risk-classifications"><strong>Supplier Risk Classifications</strong></h3>



<p class="">Before you start qualifying suppliers for your supplier management process, you need to have criteria in place for determining whether a supplier can be added to your ASL.&nbsp;</p>



<p class="">Because you are in the medical device industry, your qualification criteria should be based on the risk the purchased component or service has on the safety and performance of your products. It does not make sense to audit every single supplier or only receive a supplier survey from a contract manufacturer.</p>



<p class="">Additionally, the risk can be affected by the ability to verify the purchased product or service. Sterilization suppliers are usually considered high-risk because it is not feasible to verify the output of their service.</p>



<p class="">It is typical to start by breaking suppliers into classifications or tiers based on the product&#8217;s impact on device safety. You need to have enough levels to meaningfully distinguish different types of suppliers, but not so many that it creates confusion.</p>



<p class="">We’ll start with three classes of suppliers, which is common in the industry.&nbsp;</p>



<ul class="wp-block-list">
<li class=""><strong>Class A Supplier (High Risk): </strong>Contract manufacturers and sterilizers.</li>



<li class=""><strong>Class B Supplier (Medium Risk): </strong>Supplier of custom components for the device(s), internal packaging, and off-the-shelf products that have a significant impact on the device(s).</li>



<li class=""><strong>Class C Supplier (Low Risk): </strong>Supplier of off-the-shelf products, calibration services, outside packaging, and labeling suppliers.</li>
</ul>



<p class="">This is just one way to classify the suppliers to your organization. As usual, the exact ways suppliers fit into your classifications will depend on your company and product. If your company produces a high-risk device, you’ll likely need tighter controls on the majority of your suppliers.</p>



<p class="">You might notice that certain types of suppliers are missing from this list. Personally, I find that the three-tier system is useful, but it does not accurately capture specific suppliers.</p>



<p class="">Consultants are one example. It doesn&#8217;t make sense for a company to require that a consultant be ISO-certified or have a change notification agreement established. Therefore, I usually place consultants into their own classification <strong>(Class D)</strong> so that they can have different evaluation criteria.</p>



<p class="">Another example is distributors. Distributors play a different role than any other supplier, and the evaluation criteria will also be unique. This puts distributors into <strong>Class E</strong>. &nbsp;</p>



<p class="">This may seem like a lot of classes, but you want a system that helps you with the rest of your supplier management process. If you have too few classes, suppliers end up lumped together with requirements that don’t make sense.&nbsp;</p>



<h3 class="wp-block-heading" id="supplier-evaluation-criteria"><strong>Supplier Evaluation Criteria</strong></h3>



<p class="">Now that you have your different supplier risk classifications, it’s time to take the next step and specify the requirements for each class of supplier. At this stage, you are using the risk classifications to determine how much information or assurance of quality is needed from the different types of suppliers.</p>



<p class="">Your evaluation criteria can include:</p>



<ul class="wp-block-list">
<li class="">FDA Registration (required for contract manufacturers in the US)</li>



<li class="">ISO Certification (ISO 13485 or ISO 9001)</li>



<li class="">Quality Agreements</li>



<li class="">Supplier Audits</li>



<li class="">Change Notification Agreements</li>



<li class="">First Article Inspection</li>



<li class="">Supplier Surveys (see the section under Choosing Suppliers and Gathering Information)</li>
</ul>



<p class="">Once you&#8217;ve established the criteria required for your suppliers, you can place the criteria in a matrix based on the supplier classes.</p>


<div class="wp-block-image">
<figure class="aligncenter size-full"><img data-recalc-dims="1" decoding="async" width="717" height="168" src="https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2025/02/image.png?resize=717%2C168&#038;ssl=1" alt="A supplier risk classification matrix, which includes the requirements for class A, B, and C suppliers" class="wp-image-617" srcset="https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2025/02/image.png?w=717&amp;ssl=1 717w, https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2025/02/image.png?resize=300%2C70&amp;ssl=1 300w" sizes="(max-width: 717px) 100vw, 717px" /></figure>
</div>


<p class="">A supplier classification matrix like this will make it easy to understand if a supplier can be qualified for the ASL. It can also be referenced by auditors to ensure a certain supplier is meeting the requirements.&nbsp;</p>



<p class="">It&#8217;s important to keep in mind that an organization should not rely solely on a 3rd-party accreditation (like ISO certification), and there should be other controls in place to ensure the supplier is in the company&#8217;s best interest.</p>



<p class="">What about consultants and distributors? The purpose of adding these suppliers to different classifications was so it would be easy to have unique criteria in place. For consultants, the minimum requirement I have is maintaining a resume on file. For distributors, you want a detailed distribution agreement in place that dictates their responsibilities regarding your products.&nbsp;</p>



<p class="">One thing to consider at this stage is that you always want the ability to use a supplier that does not entirely meet the requirements. For example, there may only be one type of supplier in the world of a certain component that is required for your device, and they might not be ISO certified. You will have to provide a sufficient documented reason for why you are using the supplier, but you still want to have the option available.</p>



<h4 class="wp-block-heading" id="supplier-audits"><strong>Supplier Audits</strong></h4>



<p class="">Supplier audits can be one of the best ways to confirm information about a supplier’s quality. However, audits are also expensive and time-consuming.&nbsp;</p>



<p class="">In the matrix above, Class A and B suppliers require an audit before they can be qualified in the supplier management system. That said, the nature of these audits does not necessarily need to be the same.</p>



<p class="">A Class A supplier might require an in-person audit, while a Class B supplier might require a virtual audit.&nbsp; The audit frequency could also be different, with Class A suppliers requiring audits every one to two years and Class B suppliers only requiring audits up front and if there are quality issues.</p>



<p class="">There might not be anyone at your company who is qualified to perform audits. In this case, an employee can complete lead auditor training and receive the necessary credentials.&nbsp;</p>



<p class="">Alternatively, start-ups and smaller organizations may only be required to audit a few suppliers. If so, the company can hire a contract auditor to perform the audit on their behalf. If you are going this route, make sure the contract auditor is qualified and on your ASL!</p>



<p class="">Another action that can be beneficial is an informal supplier visit that does not include a full audit. This is useful for establishing a relationship with a supplier and gaining an understanding of their facility. If your company makes a low-risk device, a supplier visit can even substitute for an audit with Class B and lower suppliers.&nbsp;</p>



<h4 class="wp-block-heading" id="supplier-quality-agreements"><strong>Supplier Quality Agreements</strong></h4>



<p class="">Supplier Quality Agreements are legally binding documents that are put in place to govern the relationships with suppliers. Not only are they required in certain situations, but they are a great way of formalizing expectations.&nbsp;For these reasons, Supplier Quality Agreements are essential to supplier management.</p>



<p class="">While Supplier Quality Agreements are very helpful to a company, they can also be difficult to put into place. This is especially true of large organizations that provide off-the-shelf components. For this reason, it is best to require full Quality Agreements only from medium and high-risk suppliers.</p>



<p class="">What needs to be included in a Supplier Quality Agreement? As usual, it depends on the type of product or service being provided. Appendix 2 of <a href="https://www.google.com/url?q=http://www.doks.nbog.eu/Doks/NBOG_BPG_2010_1.pdf&amp;sa=D&amp;source=docs&amp;ust=1739735810534979&amp;usg=AOvVaw15_eN3pfS2tA4T-sCHV_9i" data-type="link" data-id="https://www.google.com/url?q=http://www.doks.nbog.eu/Doks/NBOG_BPG_2010_1.pdf&amp;sa=D&amp;source=docs&amp;ust=1739735810534979&amp;usg=AOvVaw15_eN3pfS2tA4T-sCHV_9i" target="_blank" rel="noopener">this NBOG document</a> related to supplier controls can be a good start.</p>



<p class="">Certain items I’ve seen in Quality Agreements include:</p>



<ul class="wp-block-list">
<li class="">When the supplier will send validation data to the company</li>



<li class="">If the supplier will send testing or inspection reports to the company</li>



<li class="">When the company has the right to audit the supplier, and if the supplier agrees to be audited by the company’s notified body.&nbsp;</li>



<li class="">The change notification agreement (more information below).&nbsp;</li>



<li class="">Traceability requirements of products</li>



<li class="">Access to documents maintained by the supplier</li>
</ul>



<p class="">Each Supplier Quality Agreement should be tailored to the specific supplier. Quality Agreements typically need a higher level of control and are reviewed by a company’s legal department, so it’s best to have discussions with companies beforehand to understand who will be included in sign-offs.</p>



<h4 class="wp-block-heading" id="change-notification-agreements"><strong>Change Notification Agreements</strong></h4>



<p class="">Change Notification Agreements are one piece of a Quality Agreement that is specifically required by ISO 13485.&nbsp;</p>



<p class="">From section 7.4.2:</p>



<p class="">“<em>Purchasing information shall include, as applicable, a written agreement that the supplier notify the organization of changes in the purchased product prior to implementation of any changes that affect the ability of the purchased product to meet specified purchase requirements.</em>”</p>



<p class="">If you are going to put a Supplier Quality Agreement in place with a company, it&#8217;s best to include the Change Notification Agreement in that document. However, for lower-risk suppliers who may not have a full agreement in place, you should still obtain a Change Notification Agreement.</p>



<p class="">The good news is that many large medical device suppliers, from whom it may be difficult to obtain written agreements, have a change notification system in place. Take this example from Sigma Aldrich with their <a href="https://www.sigmaaldrich.com/US/en/life-science/quality-and-regulatory-management/change-notification-program" data-type="link" data-id="https://www.google.com/url?q=https://www.sigmaaldrich.com/US/en/life-science/quality-and-regulatory-management/change-notification-program&amp;sa=D&amp;source=docs&amp;ust=1739735810536255&amp;usg=AOvVaw1ideRLt1J2Fdd7fIMsCPoX" target="_blank" rel="noopener">M-Clarity program</a>. If the supplier you are working with has a public change notification system, I’d highly recommend documenting this in your supplier management system instead of obtaining a separate agreement if possible.</p>



<p class="">The type of Change Agreement will also depend on the specific supplier and material/service being purchased.&nbsp;</p>



<p class="">With custom products, the Change Agreement may specify that the supplier will not make any changes unless they have written approval from your company. However, with off-the-shelf components, this may be impossible to obtain, and the agreement can be limited to the supplier notifying the company before any changes are made.</p>



<p class="">What types of changes should be included in a Change Notification Agreement?</p>



<p class="">Just like a company’s <a href="https://hardcoreqms.com/13485/medical-device-change-control/" data-type="post" data-id="541">change control process</a>, some of the types of changes that should be included in the agreement include:</p>



<ul class="wp-block-list">
<li class="">Facility changes</li>



<li class="">Changes to specifications</li>



<li class="">Material changes</li>



<li class="">Packaging changes</li>



<li class="">Labeling changes</li>



<li class="">Supplier changes</li>



<li class="">Process changes</li>
</ul>



<p class="">The timeline of the notification will also vary based on the supplier&#8217;s commitments. From a customer perspective, it&#8217;s best to be notified as early as possible about any upcoming changes. For changes to specifications, three to six months is typical. However, larger changes, such as changing a facility or material, might require a longer notification period. The specific timeline should be detailed in the agreement.</p>



<h2 class="wp-block-heading" id="choosing-suppliers-and-gathering-information"><strong>Choosing Suppliers and Gathering Information</strong></h2>



<p class="">Once your supplier evaluation process is in place, you can start finding and qualifying suppliers.&nbsp;</p>



<p class="">Initially, you need to find companies that provide the type of materials or services that you need. This can be done through Google searches or contacts in or around your organization. There is no point in qualifying a supplier and going through the process of adding them to your ASL if they aren’t capable of providing the product you need.&nbsp;</p>



<p class="">After you have some potential suppliers picked out, it’s common for a cross-functional team, including Purchasing, Engineering, and Quality, to meet with the supplier. Each of these departments will be heavily involved with the supplier, so it’s useful for all of them to gather relevant information on the supplier.&nbsp;</p>



<p class="">Some of the questions you are looking to get answered are:</p>



<ul class="wp-block-list">
<li class="">Are they capable of producing products to your specifications?</li>



<li class="">Do they have the capacity to meet your needs?</li>



<li class="">Will they be able to meet your supplier evaluation criteria?</li>



<li class="">Are there any major changes coming to the organization, such as being bought out or moving locations?</li>
</ul>



<p class="">You can also assess any public or private information on the reputation and expected reliability of the supplier.&nbsp;</p>



<p class="">While cost can be a major factor in choosing a supplier, it should never be what decides a supplier (this is called out specifically in different documents, including the MDSAP audit approach). For this reason, avoid all mentions of cost in your quality-related supplier documentation.</p>



<p class="">At this stage, especially if a meeting isn&#8217;t conducted, it’s also typical to send a supplier survey to the company to document information related to their Quality Management System.</p>



<p class="">When you are preparing to move forward with a supplier, you’ll need to gather all of the information required by your supplier evaluation criteria. But before you reach out to the supplier, search their website for any of your listed requirements.</p>



<p class="">A large percentage of companies in the medical device space have their FDA registration number and ISO certification listed on their websites. They may also have a standard supplier survey and change notification system available.&nbsp;</p>



<p class="">Make sure you check their website for this information before sending out requests! If a supplier has a current ISO 13485 certification easily available, it shows a lack of empathy to ask for it by email. You want to maintain a good relationship with the supplier, and they have already demonstrated that they are making it easier for you!</p>



<p class="">However, if the supplier does not have their certifications or FDA registration number publicly available, it is appropriate to reach out to them to gather those records.</p>



<p class="">If all the departments are happy with the information they have received from the supplier, you can move forward to the more resource-heavy elements of supplier qualification.</p>



<p class="">If they are providing a product, you can request a first article to ensure it meets specifications. If the supplier is high-risk, you can schedule or perform the supplier audit.</p>



<p class="">This is also the time to get the Quality Agreement drafted and in place. Once that is signed, you can celebrate since it’s time to add the supplier to your ASL!</p>



<h3 class="wp-block-heading" id="supplier-surveys"><strong>Supplier Surveys</strong></h3>



<p class="">This is a personal note, but I&#8217;m not a fan of supplier surveys. I believe they rarely add value to the supplier management process or organization, slow down evaluation, and start the supplier relationship on a bad foot.&nbsp;</p>



<p class="">Ultimately, you need a record that the supplier can make the product you want and meet your order timelines. However, if I go to a supplier’s website and it says: “We are an ISO 13485 certified injection molded part supplier”, and then I send them a survey that asks: “Are you ISO Certified?” and “What do you make?”, all I’ve done is create busy work for their Quality person.</p>



<p class="">In my opinion, you should be creative in how you meet this requirement. If you are meeting remotely with the supplier, ask them if you can record the meeting and save it with their record. Or, just take notes on the meeting and see if all of the necessary questions are answered. Perform a website review and document your findings.&nbsp;</p>



<p class="">If they ask for a survey, sure, send them a survey. Outside of that, I do not believe surveys are the best way of gathering information about suppliers and that talking to the supplier is far more effective. As mentioned earlier, this can include an informal on-site visit.&nbsp;</p>



<p class="">Neither ISO 13485, MDSAP, nor the FDA or any other regulation that I know of says: “You must have a completed supplier survey on your company’s letterhead.” There is information you must have documented, and it is up to you as the quality professional to justify your approach to an auditor or notified body.</p>



<h2 class="wp-block-heading" id="supplier-management-and-monitoring"><strong>Supplier Management and Monitoring</strong></h2>



<p class="">Is the supplier management process complete once the supplier has been evaluated and added to your ASL? Absolutely not. In fact, it’s just getting started.&nbsp; At this point, it&#8217;s time to start monitoring and re-evaluating your supplier as necessary.</p>



<p class="">Supplier monitoring hinges on some key aspects of a supplier’s performance.</p>



<ul class="wp-block-list">
<li class="">Is the purchased product meeting the stated specifications?</li>



<li class="">Is the supplier fulfilling other obligations that have been listed in the Quality Agreement (sending batch reports or validation information)?</li>



<li class="">Is the supplier shipping products by agreed-upon deadlines?</li>
</ul>



<p class="">So how do you monitor suppliers? The <a href="https://www.fda.gov/medical-devices/medical-device-single-audit-program-mdsap/mdsap-audit-procedures-and-forms" data-type="link" data-id="https://www.fda.gov/medical-devices/medical-device-single-audit-program-mdsap/mdsap-audit-procedures-and-forms" target="_blank" rel="noopener">MDSAP audit approach</a> includes the following activities for monitoring suppliers:</p>



<p class="">“<em>supplier re-audits, statistical analysis of incoming acceptance results, monitoring of complaints and nonconformities related to supplied product, independent confirmation of certificate of conformance data, and consideration of the supplier’s responses to requests for corrective action</em>”</p>



<p class="">As with everything medical device-related, the breadth and frequency of monitoring will depend on the risk level of the supplier. High-risk suppliers will need more frequent re-audits and monitoring of material, while for low-risk suppliers, you may need to do occasional reviews of the nonconformities and complaints.</p>



<p class="">A supplier scorecard can be a useful way of documenting your monitoring and re-evaluation of suppliers.</p>



<p class="">Taking the monitoring activities listed above, build a specific weighted scoring approach for each element. For example, it is important that a supplier ships material on time, but it is more important that the material a supplier ships is correct.&nbsp;</p>



<p class="">Using the score, you can put the suppliers into different categories such as <strong>preferred, acceptable, </strong>and <strong>at-risk. </strong>A preferred supplier may be the go-to supplier if you need a similar product or service in the future, and an at-risk supplier may be a supplier you are looking to replace.</p>



<p class="">Also, as part of your supplier re-evaluation process, you should ensure that the supplier&#8217;s certification status has not changed and that you have a record of their current certificate on file.</p>



<p class="">We’ll talk about SCARs down below, but I will note that I like the comment on SCARs in the MDSAP section I included. It is reasonable to have monitoring criteria that include the number of SCARs, and a surplus of SCARs should have you looking for a new supplier.</p>



<p class="">However, if you send one SCAR to a supplier and they become defensive and dismissive, I believe that supplier is worse than a supplier who has received three SCARs but has sent back excellent results each time and shown improvement.&nbsp;</p>



<p class="">You should be trying to build healthy, long-standing relationships with suppliers. At times, you might need to visit a supplier on-site and help them through processes related to your products. If you do this, you will build a better, more resilient product in the long run, as opposed to jumping to different suppliers and starting over every time there are issues.</p>



<h2 class="wp-block-heading" id="supplier-nonconformances-and-sca-rs"><strong>Supplier Nonconformances and SCARs</strong></h2>



<p class="">Another aspect of supplier management is addressing the non-fulfillment of purchasing requirements with suppliers. In the medical device industry, this is handled by sending your supplier a Supplier Corrective Action Request (SCAR).&nbsp;</p>



<p class="">A SCAR is the supplier version of a CAPA and is a request by the company to have the supplier open a corrective action related to the company’s product.&nbsp;</p>



<p class="">This is one reason it is useful to work with suppliers who are ISO certified, as you can be confident that they have a corrective action process in place to address issues. If they are not ISO certified, there is no harm in walking the supplier through the expected process to try and fix the problem.</p>



<p class="">There are many different reasons a SCAR might be initiated. It could be from a batch of incoming products that does not meet specifications. It could be an output of a <a href="https://hardcoreqms.com/13485/management-review-iso-13485/" data-type="post" data-id="301">Management Review Meeting</a>.&nbsp;</p>



<p class="">A SCAR could also be raised as the result of the supplier monitoring process. At times, a supplier being behind schedule or sending incorrect quantities might just be noted and communicated to the supplier. However, a pattern of this behavior might be escalated to a SCAR.</p>



<p class=""><strong>Should you send a SCAR form managed by your company to the supplier?</strong></p>



<p class="">My preference is that if you are working with an ISO-certified supplier, they (hopefully) have a CAPA system in place. Many companies use different eQMS software to manage their CAPAs, and if not, they should be recording the CAPA on specific forms within their QMS.&nbsp;</p>



<p class="">Ask the supplier and see if they have a system in place that can send you a record of their CAPA. Since all of the steps of a CAPA are generally the same, this record should be able to meet your requirements. Making your supplier take all of their information and copy it into your form is another way of unnecessarily building bad blood with a supplier. But, if they do not have a form available, it&#8217;s fine to send them documentation to complete the activities.</p>



<h2 class="wp-block-heading" id="supplier-documentation"><strong>Supplier Documentation</strong></h2>



<p class="">Everything you do related to supplier management should be documented.</p>



<p class="">Not only will you need to have a procedure in place for supplier evaluation and monitoring, but you should also have records of your actions related to these activities.&nbsp;</p>



<p class="">Outside of a supplier evaluation form (or similar electronic record), you will need to maintain copies of up-to-date supplier certifications, audit reports, surveys, supplier-provided documents (the supplier-controlled surveys and change notifications I mentioned), SCARs, and other actions related to suppliers.</p>



<p class="">And most importantly, your ASL should always be accurate and up-to-date.</p>



<p class="">A good eQMS system can go a long way in making supplier management simpler. Either way, you need to document everything you are doing related to suppliers.</p>



<h2 class="wp-block-heading" id="wrapping-up"><strong>Wrapping Up</strong></h2>



<p class="">Supplier management is a crucial aspect of producing high-quality medical devices. ISO 13485 and medical device regulations expect you to select, qualify, and monitor your suppliers to ensure you have control over what is going into your products. By following this guide, you can set your company up for success and nail supplier management.</p>



<p class="">If you learned something from this article, please subscribe to our newsletter below and be sure to check out our other informative articles breaking down ISO 13485.</p>



<p>The post <a rel="nofollow" href="https://hardcoreqms.com/13485/medical-device-supplier-management/">Effective Supplier Management for Medical Devices (ISO 13485 7.4.1)</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://hardcoreqms.com/13485/medical-device-supplier-management/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">613</post-id>	</item>
		<item>
		<title>Customer-Related Processes for ISO 13485 (7.2 Explained)</title>
		<link>https://hardcoreqms.com/13485/customer-related-processes-iso-13485/</link>
					<comments>https://hardcoreqms.com/13485/customer-related-processes-iso-13485/#respond</comments>
		
		<dc:creator><![CDATA[Grant Gibson]]></dc:creator>
		<pubDate>Sun, 09 Jul 2023 21:40:25 +0000</pubDate>
				<category><![CDATA[ISO 13485]]></category>
		<category><![CDATA[Procedure Guides]]></category>
		<guid isPermaLink="false">https://hardcoreqms.com/?p=588</guid>

					<description><![CDATA[<p>While medical device companies can get caught up with processes and regulations, they are still businesses. And since they are businesses, they will have customers who purchase their products or services. In fact, ISO 13485 has an entire clause (7.2) dedicated to customer-related processes to ensure this aspect is incorporated into a company&#8217;s QMS. Like ... <a title="Customer-Related Processes for ISO 13485 (7.2 Explained)" class="read-more" href="https://hardcoreqms.com/13485/customer-related-processes-iso-13485/" aria-label="More on Customer-Related Processes for ISO 13485 (7.2 Explained)">Read more</a></p>
<p>The post <a rel="nofollow" href="https://hardcoreqms.com/13485/customer-related-processes-iso-13485/">Customer-Related Processes for ISO 13485 (7.2 Explained)</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="">While medical device companies can get caught up with processes and regulations, they are still businesses. And since they are businesses, they will have customers who purchase their products or services. In fact, ISO 13485 has an entire clause (7.2) dedicated to customer-related processes to ensure this aspect is incorporated into a company&#8217;s QMS.</p>



<p class="">Like many clauses of ISO 13485, customer-related processes will significantly vary based on the company&#8217;s nature and the product or service they produce.  The way a company will interact with its customers is entirely different if it is supplying hospitals compared to a company that is a contract manufacturer of medical devices.</p>



<p class="">Let&#8217;s break down ISO 13485 clause 7.2 customer-related processes to understand what is required by ISO 13485, and how it can vary based on the nature of the company. </p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" decoding="async" width="920.5" height="461" src="https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2023/07/customer-related-processes-iso-13485.png?resize=920.5%2C461&#038;ssl=1" alt="This article breaks down ISO 13485 section 7.2 on customer-related processes" class="wp-image-762" srcset="https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2023/07/customer-related-processes-iso-13485.png?resize=1024%2C513&amp;ssl=1 1024w, https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2023/07/customer-related-processes-iso-13485.png?resize=300%2C150&amp;ssl=1 300w, https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2023/07/customer-related-processes-iso-13485.png?resize=768%2C385&amp;ssl=1 768w, https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2023/07/customer-related-processes-iso-13485.png?resize=1536%2C770&amp;ssl=1 1536w, https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2023/07/customer-related-processes-iso-13485.png?w=1825&amp;ssl=1 1825w" sizes="(max-width: 920px) 100vw, 920px" /></figure>



<div class="wp-block-rank-math-toc-block" id="rank-math-toc"><h2>Table of Contents</h2><nav><ul><li><a href="#determination-of-requirements-for-customer-related-processes-7-2-1">Determination of Requirements for Customer-Related Processes (7.2.1)</a><ul><li><a href="#requirements-specified-by-the-customer">Requirements specified by the customer</a></li><li><a href="#requirements-not-stated-by-the-customer">Requirements not stated by the customer</a></li><li><a href="#regulatory-requirements">Regulatory requirements</a></li><li><a href="#user-training">User training</a></li><li><a href="#additional-requirements">Additional Requirements</a></li></ul></li><li><a href="#review-of-requirements-7-2-2">Review of Requirements (7.2.2)</a></li><li><a href="#communication-7-2-3">Communication (7.2.3)</a></li><li><a href="#wrapping-up">Wrapping Up</a></li></ul></nav></div>



<h2 class="wp-block-heading" id="determination-of-requirements-for-customer-related-processes-7-2-1"><strong>Determination of Requirements for Customer-Related Processes (7.2.1)</strong></h2>



<p class="">The first requirement is about a company determining what is needed to provide its customers with the correct product or service. It&#8217;s important to note that a company may not have a standalone procedure for determining customer requirements. The different elements of this clause may be fulfilled through a variety of processes, including the process for receiving orders and design control processes. This is okay as long as each element is included and can be identified during an audit.</p>



<h3 class="wp-block-heading" id="requirements-specified-by-the-customer"><strong>Requirements specified by the customer</strong></h3>



<p class="">Companies need to consider the requirements of their customers. For some products, this applies to the end user and ties into the design process and the intended use of the device. </p>



<p class="">For other products, the requirements will be specified by the direct customer. A contract manufacturer, for instance, may be given product prints, assembly instructions, acceptance criteria, etc. from its customer. This makes it very easy to understand the customer&#8217;s requirements. Another example would be a sterilization supplier, which receives the product from their customer along with the sterilization criteria.</p>



<p class="">Another part of this clause is that the requirements include delivery and post-delivery activities. Using the example of the contract manufacturer, they may be given instructions from their customers on how to package the product in order to avoid damage during delivery. Post-delivery activities can include installation and servicing requirements for the product to function correctly. </p>



<h3 class="wp-block-heading" id="requirements-not-stated-by-the-customer"><strong>Requirements not stated by the customer</strong></h3>



<p class="">The next clause includes the need to fulfill <em>requirements not stated by the customer, but necessary for specified use. </em>This may seem odd at first but makes sense when considered in the context of the medical device industry. Companies have a duty to supply medical devices that are both safe and effective. If an ISO 13485 certified company receives requirements that are incomplete or do not include an element that is necessary for a device to function safely, it needs to include that element anyway or reach out to its customer for further clarification.</p>



<p class="">We are going to use the example of an ISO 13485-certified sterilization supplier. Sterilizing companies will have a much greater understanding of sterilization than their customers. Even if a specific element of the sterilization is not included in the requirements received from its customer, the supplier should still perform that element to properly sterilize the product. The customer&#8217;s ignorance is not justification for a company to do the wrong thing concerning its product or service.</p>



<p class="">This also ties into risk management when designing a device. Companies need to consider both the use of the device and any reasonably foreseeable misuse.</p>



<h3 class="wp-block-heading" id="regulatory-requirements"><strong>Regulatory requirements</strong></h3>



<p class="">Medical device companies should also consider any regulatory requirements when they are supplying products to a customer. This could include environmental or material-based regulations related to its product as well as product or process-based regulations. I&#8217;ve worked with companies that must follow specific dimensional requirements related to the connection point of a component (<a href="https://www.iso.org/standard/79173.html" data-type="URL" data-id="https://www.iso.org/standard/79173.html" target="_blank" rel="noreferrer noopener">ISO 80369</a>). The requirements should be determined during design control and carried out when the product is going to be sent to a customer.</p>



<p class="">This also includes the regulatory requirements of the different countries in which the product will be sold. The process of understanding where a medical device can be legally marketed should be incorporated into the design control process and considered when supplying products/services to a specific area.</p>



<h3 class="wp-block-heading" id="user-training"><strong>User training</strong></h3>



<p class="">Medical device companies need to determine if the product they are providing will require user training. This is also a good time to consider the different types of customers of the product. For example, it&#8217;s important to understand if the person using the device will be a nurse, doctor, or someone in technical services. </p>



<p class="">The user of the product is the most essential person to train when the product is being supplied. Sometimes companies will include user training as part of their risk control measures, which puts greater importance on user training. Companies also have the option of providing training in a digital format where it makes sense.</p>



<h3 class="wp-block-heading" id="additional-requirements"><strong>Additional Requirements</strong></h3>



<p class="">The final aspect of clause 7.2.1 is that a company needs to determine any other customer-related requirements. This could include requirements for the design or labeling of a device. I won&#8217;t go into too much detail here as the additional requirements will be completely different depending on the nature of the medical device company. </p>



<h2 class="wp-block-heading" id="review-of-requirements-7-2-2"><strong>Review of Requirements (7.2.2)</strong></h2>



<p class="">The next part of customer-related processes that we will cover is the <em>review of requirements related to product. </em>While the determination of requirements ties in heavily to the design control process of a company, the review of requirements is all about what happens when a company receives an order. The clause even specifies that the review should<em> be conducted prior to the organization&#8217;s commitment to supply product to the customer</em>.</p>



<p class="">The company must ensure that the product requirements of their customer are clear and understandable. If the company is unsure about any part of the requirements, this should be clarified with the customer before any orders are created. It must also make sure that any changes to orders or product requirements are properly documented.</p>



<p class="">At all times, companies should ensure that applicable regulatory requirements are being met. A company should not supply a product that runs counter to regulations, as this could cause legal issues for the company. </p>



<p class="">A medical device company must also make sure that if their product requires training they have the resources available to provide the training. Since user training has already been specified as a requirement for the safe delivery of a product, a company cannot agree to provide the product without the proper training.</p>



<p class="">When a company receives an order or a request for an order, it needs to verify that it can sufficiently meet the customer&#8217;s requirements. Does it have the products available? If it needs the product to be manufactured, does the company have the capacity and necessary raw materials? Will the product be able to be supplied by the customer&#8217;s due date?</p>



<p class="">Additionally, a contract or component manufacturer can ask if it can actually manufacture the requested product. There is significant risk in producing medical devices and components, and the risk increases if a company is biting off more than it can chew.</p>



<p class="">The next requirement in this section is that the records of the results of the review shall be maintained. What does this look like? In many cases, this is just a copy of the customer&#8217;s purchase order with the signature (electronic or otherwise) of the individual who reviewed the purchase order. For a more complex product, there should be evidence of the review, which could be detailed in a formal contract.</p>



<p class="">A company should also be able to trace the customer&#8217;s order to the resulting sales order. What an auditor wants to see is a clear line from how orders are received to how orders are fulfilled. If there is more customer involvement than is typical, there may be other quality agreements and similar documents that can be included as well.</p>



<p class="">Finally, the standard states that when <em>product requirements are changed, the organization shall ensure that relevant documents are amended. </em>The changes could be something simple like the delivery date, or complex changes to the product. Depending on the extent of the change, the correct personnel should review and <a href="https://hardcoreqms.com/13485/medical-device-change-control/" data-type="post" data-id="541">approve the change</a>.</p>



<p class="">Again, I want to state that the review of product requirements does not need to be a standalone procedure. The requirements are also typically included in processes like &#8220;customer order fulfillment&#8221; or similar processes that match the spirit of this clause.</p>



<h2 class="wp-block-heading" id="communication-7-2-3"><strong>Communication (7.2.3)</strong></h2>



<p class="">The final section of customer-related processes is Communication; however, the communication extends beyond customers. Organizations must plan and document procedures for communication related to:</p>



<ul class="wp-block-list">
<li class=""><em>Product information</em>. This includes product information listed on websites, catalogs, and information distributed through a sales team. Any piece of advertising material related to the device must have specific language used so it does not violate FDA regulations. It&#8217;s best if marketing personnel are trained on requirements related to advertising.</li>



<li class=""><em>Enquiries, Order Handling</em>. This refers to a company having a well-defined process for receiving customer orders that includes the ability to change orders when needed.</li>



<li class=""><em>Customer Feedback and Complaints. </em>Once the product has been sent to a customer, the customer must have a way of communicating back to the company if there are any issues with the products or complaints. Timely <a href="https://hardcoreqms.com/13485/complaint-handling-guide/" data-type="URL" data-id="https://hardcoreqms.com/13485/complaint-handling-guide/">complaint handling</a> is an essential component of a medical device company, so the manner and responsibilities for complaint communication should be clearly defined.  </li>



<li class=""><em>Advisory notices. </em>Companies should again have clear processes and responsibilities for when complaints need to be reported to regulatory agencies.</li>
</ul>



<p class="">Finally, companies must be able to communicate all other types of information to regulatory authorities. This can include 510(k) submissions, updates of products with a 510(k), and any other information that must be sent to regulatory agencies such as a company moving locations. </p>



<h2 class="wp-block-heading" id="wrapping-up"><strong>Wrapping Up</strong></h2>



<p class="">That was a review of section 7.2 Customer-Related Processes for ISO 13485. While many of these principles are broader business principles, they are still essential to a well-run medical device QMS. </p>



<p class="">If you have any questions or comments about customer-related processes, please leave a comment below. Also, if you found this article helpful, check out our&nbsp;<a href="https://hardcoreqms.com/13485/">ISO 13485</a>&nbsp;page for other ISO 13485 guides and sign up for our newsletter below.</p>



<p>The post <a rel="nofollow" href="https://hardcoreqms.com/13485/customer-related-processes-iso-13485/">Customer-Related Processes for ISO 13485 (7.2 Explained)</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://hardcoreqms.com/13485/customer-related-processes-iso-13485/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">588</post-id>	</item>
		<item>
		<title>Understanding Medical Device Change Control (ISO 13485)</title>
		<link>https://hardcoreqms.com/13485/medical-device-change-control/</link>
					<comments>https://hardcoreqms.com/13485/medical-device-change-control/#respond</comments>
		
		<dc:creator><![CDATA[Grant Gibson]]></dc:creator>
		<pubDate>Tue, 06 Jun 2023 13:30:00 +0000</pubDate>
				<category><![CDATA[ISO 13485]]></category>
		<category><![CDATA[FDA]]></category>
		<category><![CDATA[Procedure Guides]]></category>
		<guid isPermaLink="false">https://hardcoreqms.com/?p=541</guid>

					<description><![CDATA[<p>Change is essential and necessary for any organization, especially medical device manufacturers. Organizations need to be constantly aware of changes to materials, suppliers, processes, specifications, and other items related to their products. Not only are medical device companies required to be mindful of changes, but they must implement change control to maintain the function of ... <a title="Understanding Medical Device Change Control (ISO 13485)" class="read-more" href="https://hardcoreqms.com/13485/medical-device-change-control/" aria-label="More on Understanding Medical Device Change Control (ISO 13485)">Read more</a></p>
<p>The post <a rel="nofollow" href="https://hardcoreqms.com/13485/medical-device-change-control/">Understanding Medical Device Change Control (ISO 13485)</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="">Change is essential and necessary for any organization, especially medical device manufacturers. Organizations need to be constantly aware of changes to materials, suppliers, processes, specifications, and other items related to their products. Not only are medical device companies required to be mindful of changes, but they must implement change control to maintain the function of their QMS and meet regulatory requirements.</p>



<p class="">Change control is a term that is heard throughout the medical device industry. It can be found in <a href="https://hardcoreqms.com/fda/fda-warning-letters/" data-type="URL" data-id="https://hardcoreqms.com/fda/fda-warning-letters/">FDA warning letters</a>, job postings, and sprinkled through all types of QMS documents. Change control is one of the most important elements in maintaining the safety and performance of medical devices. And when changes are not properly controlled, there can be serious consequences related to devices failing or causing patient injury.</p>



<p class="">This article will cover ISO 13485 and FDA requirements for medical device change control. By following this guide, you can help your company implement a change control procedure that is compliant and achieves its goals.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="920.5" height="358" src="https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2023/06/understanding-medical-device-change-control.png?resize=920.5%2C358&#038;ssl=1" alt="This guide will cover everything you need to understand about medical device change control" class="wp-image-726" srcset="https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2023/06/understanding-medical-device-change-control.png?resize=1024%2C398&amp;ssl=1 1024w, https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2023/06/understanding-medical-device-change-control.png?resize=300%2C117&amp;ssl=1 300w, https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2023/06/understanding-medical-device-change-control.png?resize=768%2C298&amp;ssl=1 768w, https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2023/06/understanding-medical-device-change-control.png?resize=1536%2C597&amp;ssl=1 1536w, https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2023/06/understanding-medical-device-change-control.png?w=1825&amp;ssl=1 1825w" sizes="auto, (max-width: 920px) 100vw, 920px" /></figure>



<div class="wp-block-rank-math-toc-block" id="rank-math-toc"><h2><br>Table of Contents</h2><nav><ul><li class=""><a href="#the-why">The Why</a></li><li class=""><a href="#what-changes-require-change-control">What changes require change control?</a><ul><li class=""><a href="#document-changes">Document Changes</a></li><li class=""><a href="#design-changes">Design Changes</a></li><li class=""><a href="#production-and-process-changes">Production and process changes</a></li><li class=""><a href="#regulatory-changes">Regulatory changes</a></li></ul></li><li class=""><a href="#fda-21-cfr-820-change-control-requirements">FDA 21 CFR 820 change control requirements</a></li><li class=""><a href="#iso-13485-change-control-requirements">ISO 13485 change control requirements</a></li><li class=""><a href="#common-steps-for-a-change-control-procedure">Common steps for a change control procedure</a><ul><li class=""><a href="#n">Note on document changes</a></li><li class=""><a href="#change-initiation">Change Initiation</a></li><li class=""><a href="#review-and-approval">Review and Approval</a></li><li class=""><a href="#justification">Justification</a></li><li class=""><a href="#change-impact">Change Impact</a></li><li class=""><a href="#risk-assessment">Risk Assessment</a></li><li class=""><a href="#regulatory-review">Regulatory Review</a></li><li class=""><a href="#completing-the-change">Completing the Change</a></li><li class=""><a href="#documenting-the-change">Documenting the Change</a></li></ul></li><li class=""><a href="#wrapping-up">Wrapping Up</a></li></ul></nav></div>



<h2 class="wp-block-heading" id="the-why"><strong>The Why</strong></h2>



<p class="">The purpose of controlling changes is not just to meet ISO 13485 and regulatory requirements. Companies should perform change control because it&#8217;s the only thing that makes business sense when you are dealing with a complex product.</p>



<p class="">Changing any aspect of a medical device or component can have far-reaching unknown consequences. To give you one example, at a medical device component company I worked for we planned on changing a feature that we believed to be nonfunctional. However, once we notified our customers of the change, we found out that one of the customers had built their entire assembly line around that feature.</p>



<p class="">Change control is a way for every stakeholder to approve of a change. The only aspects of change control that are unique to medical device companies are specific documentation requirements (which are still a best practice in all industries), and regulatory assessment, but alas, such is life in regulated industries.</p>



<h2 class="wp-block-heading" id="what-changes-require-change-control"><strong>What changes require change control?</strong></h2>



<p class="">Changes can come from an enormous variety of sources. They can result from regulatory changes, device improvements, supplier changes, material upgrades, and more. With medical device companies having so many types of changes, it is important to learn what changes must go through an organization&#8217;s change control process.</p>



<p class="">To help understand the different types of changes, we will cover four different areas for changes related to medical devices: document changes, design changes, production process changes, and regulatory changes. </p>



<h3 class="wp-block-heading" id="document-changes"><strong>Document Changes</strong></h3>



<p class="">Any changes related to controlled documents must go through change control. The changes to the document need to be identified, reviewed, and approved by the same functions that initially released the document. This ensures that the full impact of the document changes can be properly understood.</p>



<p class="">While controlled documents require change control, the process does not need to be the same as the process to change the design or production process. Organizations often have an extremely in-depth design control process that requires different gate reviews and impact assessments. This can be overboard if you are making a simple change to a quality procedure or related document.</p>



<p class="">If you&#8217;d like to learn more about implementing an ISO 13485 document control procedure, check out our article <a href="https://hardcoreqms.com/13485/document-control-iso-13485/" data-type="URL" data-id="https://hardcoreqms.com/13485/document-control-iso-13485/">Document Control for ISO 13485 Explained</a>.</p>



<h3 class="wp-block-heading" id="design-changes"><strong>Design Changes</strong></h3>



<p class="">Any changes related to the device, specifications, materials, packaging, or labeling need to go through a company&#8217;s change control process. While document changes are important to a well-running medical device QMS, design changes should have the most resources and attention dedicated to their success. This is because unintended or improperly controlled changes can directly affect the safety of medical devices, and draw the ire of the FDA or other regulatory bodies.</p>



<p class="">Many different types of changes fit into this section. A good indication that a design change will require change control is that the area being changed is part of the Medical Device File, or was included in the initial device submission.</p>



<p class="">Let&#8217;s cover a few different kinds of design changes that need to be included in a company&#8217;s change control process:</p>



<ul class="wp-block-list">
<li class="">Specification changes. Even if the change should not impact the fit, form, or function of the device or component, if a part print or specification is changing, it needs to go through the design control process. The specification changes can be the result of <a href="https://hardcoreqms.com/13485/complaint-handling-guide/" data-type="URL" data-id="https://hardcoreqms.com/13485/complaint-handling-guide/">customer complaints</a>, improvements in manufacturability, or changes in supplied parts.</li>



<li class="">Material changes. Any changes related to the material of any component of a medical device should go through the change control process to understand the impact and risks related to the material change.</li>



<li class="">Packaging changes. In the event of packaging changes coming from a supplier, process improvements, or as a result of shipping concerns, the packaging changes should be documented through the change control process. </li>



<li class="">Labeling changes. Labeling is an important element of medical devices. While labeling can sometimes be considered a document change, either way, a change to the labeling will need to follow the change control process. Unlike updating a Work Instruction, a change to the label is likely to require notification to regulatory bodies.</li>



<li class="">Supplier changes. In the event that the company must change the supplier for a part, the change should be reviewed and approved through the design control process.</li>
</ul>



<h3 class="wp-block-heading" id="production-and-process-changes"><strong>Production and process changes</strong></h3>



<p class="">The next type of medical device change that needs to be included in a company&#8217;s change control process is change related to the production process. While the production process is rather broad, <a href="https://www.ecfr.gov/current/title-21/chapter-I/subchapter-H/part-820/subpart-G/section-820.70" data-type="URL" data-id="https://www.ecfr.gov/current/title-21/chapter-I/subchapter-H/part-820/subpart-G/section-820.70" target="_blank" rel="noreferrer noopener">FDA 21 CFR 820.70</a> provides some hints about what is included in this section.</p>



<p class="">Below are a few different process changes that would require change control. </p>



<ul class="wp-block-list">
<li class="">Changes to work instructions / SOPs related to the manufacturing of a medical device. If the change is administrative or is done for improved clarity, it may only be considered a document change. However, if the updated instructions are caused by a larger process change, they should be included as part of the design control change.</li>



<li class="">Changes to facilities or buildings where medical devices are being manufactured.</li>



<li class="">Changes related to inspection. This could include changes in the AQL criteria of a device, the inspection method, or the <a href="https://hardcoreqms.com/13485/iso-13485-measuring-equipment/" data-type="URL" data-id="https://hardcoreqms.com/13485/iso-13485-measuring-equipment/">equipment</a> being used during the inspection. </li>



<li class="">Environment changes. One example would be a company switching its manufacturing to a different class of cleanroom.</li>



<li class="">Process-related changes. Here we are talking about specific changes to the manufacturing process, such as switching manufacturing methods or equipment. Depending on the extent of the change, the change may also need to go through the design control process, and the process will likely require re-validation.</li>
</ul>



<h3 class="wp-block-heading" id="regulatory-changes"><strong>Regulatory changes</strong></h3>



<p class="">The final type of change we will review is regulatory changes. Some types of regulatory changes are self-explanatory, such as design changes related to updated standards. However, a medical device company can be impacted by many different types of regulatory changes.</p>



<p class="">One example would be if a company starts selling into a country with different regulatory requirements. Another example would be if a company switches medical device dealers or authorized sponsors (this would apply to companies selling medical devices in Australia). These types of changes should also go through the company&#8217;s change control process to ensure they are properly reviewed and documented. </p>



<h2 class="wp-block-heading" id="fda-21-cfr-820-change-control-requirements"><strong>FDA 21 CFR 820 change control requirements</strong></h2>



<p class="">An interesting aspect of change control is that, although it is essential to the operation of a medical device company, there is no standalone FDA requirement for it. Instead, the requirements for change control are broken into three different sections of FDA 21 CFR 820:</p>



<ol class="wp-block-list">
<li class=""><a href="https://www.ecfr.gov/current/title-21/chapter-I/subchapter-H/part-820/subpart-C/section-820.30#p-820.30(i)" target="_blank" data-type="URL" data-id="https://www.ecfr.gov/current/title-21/chapter-I/subchapter-H/part-820/subpart-C/section-820.30#p-820.30(i)" rel="noreferrer noopener">21 CFR 820.30(i)</a> Design Controls. &#8220;<em>Each manufacturer shall establish and maintain procedures for the identification, documentation, validation or where appropriate verification, review, and approval of design changes before their implementation.</em>&#8221;</li>



<li class=""><a href="https://www.ecfr.gov/current/title-21/chapter-I/subchapter-H/part-820/subpart-D/section-820.40#p-820.40(b)" data-type="URL" data-id="https://www.ecfr.gov/current/title-21/chapter-I/subchapter-H/part-820/subpart-D/section-820.40#p-820.40(b)" target="_blank" rel="noreferrer noopener">21 CFR 820.40(b)</a> Document Control. &#8220;<em>Changes to documents shall be reviewed and approved by an individual(s) in the same function or organization that performed the original review and approval, unless specifically designated otherwise. Approved changes shall be communicated to the appropriate personnel in a timely manner. Each manufacturer shall maintain records of changes to documents. Change records shall include a description of the change, identification of the affected documents, the signature of the approving individual(s), the approval date, and when the change becomes effective.</em>&#8221;</li>



<li class=""><a href="https://www.ecfr.gov/current/title-21/chapter-I/subchapter-H/part-820/subpart-G/section-820.70#p-820.70(b)" data-type="URL" data-id="https://www.ecfr.gov/current/title-21/chapter-I/subchapter-H/part-820/subpart-G/section-820.70#p-820.70(b)" target="_blank" rel="noreferrer noopener">21 CFR 820.70(b)</a> Production and process changes. &#8220;<em>Each manufacturer shall establish and maintain procedures for changes to a specification, method, process, or procedure. Such changes shall be verified or where appropriate validated according to <a href="https://www.ecfr.gov/current/title-21/section-820.75" target="_blank" rel="noopener">§ 820.75</a>, before implementation and these activities shall be documented. Changes shall be approved in accordance with <a href="https://www.ecfr.gov/current/title-21/section-820.40" target="_blank" rel="noopener">§ 820.40</a>.</em>&#8221;</li>
</ol>



<p class="">The requirements are very broad and essentially state that a medical device company must have a change control process in place for each of these areas. We&#8217;ve already covered different types of changes related to each section and will cover how to set up a medical device change control procedure later in this article.</p>



<h2 class="wp-block-heading" id="iso-13485-change-control-requirements"><strong>ISO 13485 change control requirements</strong></h2>



<p class="">ISO 13485 includes many different references to change control, and controlling change can be considered a theme of the standard. </p>



<p class="">Unlike FDA 21 CFR 820, ISO 13485 does include a standalone section for change control, section 4.1.4. This section states that medical device companies shall evaluate changes for both the <em>impact on the QMS</em> and the <em>impact on the medical devices produced</em> <em>under</em> the QMS. The changes should also be <em>controlled in accordance with the requirements of this International Standard</em> (referring to later parts of ISO 13485 that include change control) <em>and applicable regulatory requirements</em> (such as the FDA). </p>



<p class="">Being a theme of ISO 13485, change is referenced in a variety of other sections of the standard:</p>



<ul class="wp-block-list">
<li class="">4.2.4, Control of Documents </li>



<li class="">4.2.4, Changes to records</li>



<li class="">5.4.2, Quality Management System Planning</li>



<li class="">5.6.2, in reference to <a href="https://hardcoreqms.com/13485/management-review-iso-13485/" data-type="URL" data-id="https://hardcoreqms.com/13485/management-review-iso-13485/">Management Review Meetings</a> and any changes that could impact the QMS.</li>



<li class="">7.2.2, Review of <a href="https://hardcoreqms.com/13485/customer-related-processes-iso-13485/" data-type="post" data-id="588">Requirements Related to Product.</a></li>



<li class="">7.3.9, Control of Design and Development Changes</li>



<li class="">7.4.2, Purchasing Information. This requirement specifically states that as part of <a href="https://hardcoreqms.com/13485/medical-device-supplier-management/" data-type="post" data-id="613">supplier control</a>, organizations should have a written agreement with suppliers that the supplier will notify the organization of any changes to purchased products before the supplier implements the change. This is typically called a <strong>Change Notification</strong> and is commonly found in the quality agreements of medical device companies.</li>



<li class="">7.5.6, Validation of Processes for Production and Service Provision</li>



<li class="">8.5.1, in reference to the need to implement Corrective or Preventive actions necessary to maintain the QMS and product safety.</li>
</ul>



<p class="">As you can see, change control is a very broad process that applies to many different elements of a QMS. The root of most of the ISO 13485 requirements is that a company has a process in place to correctly control changes made to all areas of its QMS. Let&#8217;s move to the next section, where we will review some of the elements commonly included in a company&#8217;s change control procedure. </p>



<h2 class="wp-block-heading" id="common-steps-for-a-change-control-procedure"><strong>Common steps for a change control procedure</strong></h2>



<p class="">Now that we know what types of changes need to go through the change control process and the FDA and ISO 13485 requirements for changes, let&#8217;s dive into how a change control process typically functions at medical device companies. </p>



<h3 class="wp-block-heading" id="n"><strong>Note on document changes</strong></h3>



<p class="">To make changes productive, following every one of the steps below may not be necessary for certain types of changes, specifically document changes. While many of the same components are relevant, updating an SOP can be a more streamlined process than updating a core component of a device. If you want to know more about document changes, be sure to read the change control section of our <a href="https://hardcoreqms.com/13485/document-control-iso-13485/" data-type="post" data-id="447">document control guide</a>.</p>



<h3 class="wp-block-heading" id="change-initiation"><strong>Change Initiation</strong></h3>



<p class="">Changes may need to be initiated for an assortment of reasons. They can be the result of a supplier, a complaint, an internal improvement, or a corrective action stemming from an audit finding. When someone in the organization becomes aware of the need for a change, they should submit a documented change request (change order or other terms may be used depending on the organization).</p>



<p class="">To make the change control process run as smoothly as possible, the change request should include the origin of the change, why the change is needed, and who is submitting the change request. If the cost savings, expense, or resource needs are known at this time, they should be included as well. Any information that can aid the change control board in assessing the change will be helpful.</p>



<p class="">It&#8217;s important to note that this step will vary depending on the size of the company and the specific change. At smaller companies, the change initiation and first approval phase may be a quick part of a separate meeting. Like many things, the scope of the change control actions needs to be based on the specific organization.</p>



<h3 class="wp-block-heading" id="review-and-approval"><strong>Review and Approval</strong></h3>



<p class="">Once a change request is submitted, it needs to be reviewed by the change control board. The board is typically made up of members from all of the different parties related to the change, including quality, engineering, supply chain, production, and accounting. Sales and marketing may also need to be involved, especially if the company produces components and their customers need to be notified of the change.</p>



<p class="">Typically, the change control board meets on a weekly, bi-weekly, or monthly basis to review all of the different changes that have been initiated during that time period. They will discuss any concerns related to the change, including resource commitments, practicality, and financial benefits from a change. While a change might seem like a good idea at first, changing one component of a medical device can quickly lead to a cascade of other changes that evaporate any would-be cost savings or improvements.</p>



<p class="">Once the board has completed its review, it should either approve or deny the change request. The reason for the decision should be documented and the approvals of the change should be kept as records.</p>



<p class="">One thing to note is that just because a change is originally approved does not mean the change must be implemented. There can be many different unknowns involved with a change that will come out through the rest of the change control process and make the change impractical. </p>



<p class="">It&#8217;s also important to point out that this step is not required by ISO 13485 but is a good idea from a business perspective. All of the changes can be made in a draft form, the change can be reviewed for impact, and the risk assessment can be conducted before the change is officially approved. However, getting as much buy-in as possible ensures that the change won&#8217;t be denied at a later stage, wasting the work that went into the change.</p>



<h3 class="wp-block-heading" id="justification"><strong>Justification</strong></h3>



<p class="">Once the change is approved, the justification for the change should be documented. The justification should include the exact benefits of the change in a way that will make sense both internally and to regulators. Evidence of the reason for the change should be included so that it is clear to everyone involved why the change was made. </p>



<h3 class="wp-block-heading" id="change-impact"><strong>Change Impact</strong></h3>



<p class="">A change can have a far-reaching impact that can affect nearly every department in a medical device company. Let&#8217;s review some of the different areas that may be impacted and should be considered when making a change:</p>



<ul class="wp-block-list">
<li class=""><strong>Other components in a device</strong>. A medical device can consist of hundreds or thousands of different components. When a change is made to one component, the organization will need to understand how the change impacts every other component in the device. If there is no change to the fit, form, or function, the change may be simple, but if there is a change to the function, other components may need to be updated as well. Understanding the impact of the change on the other components will help make clear the scope of the change and whether the change is worth pursuing.</li>



<li class=""><strong>Current inventory</strong>. Will the current inventory of a part need to be used up before the change can be implemented? Is there an exact date when the old revision of a product will be scrapped? Organizations need a way of determining the impact of a change on their current inventory and need to document this decision. </li>



<li class=""><strong>Marketing materials</strong>. While this can be overlooked by engineering, the marketing team should know when they will need to update a catalog or website during the change control process. They may also need to create a new revision of the promotional material related to the device.</li>



<li class=""><strong>Devices in the field</strong>. While a change may seem like a good idea, implementing a change could affect the devices already in the field. Organizations need to understand if they will need to send the updated revision or mating parts to their customers for the device to continue to function correctly. If the organization services its devices, it should understand how the change could impact the servicing process, and understand when it will need to keep an older revision of a component on hand.</li>



<li class=""><strong>Validation activities. </strong>A change to a component or process may require validation or revalidation depending on the extent of the change. </li>



<li class=""><strong>Notifying suppliers</strong>. Suppliers may need to be informed about any material changes, updated processes, or changes to specifications.</li>



<li class=""><strong>Notifying customers</strong>. If the company is a supplier for a medical device company, it should consider when its customers will need to be notified of the change.  Change notification is a specific element of ISO 13485, and the company must ensure it is not violating any of its quality agreements when it decides to move forward with a change.</li>
</ul>



<p class="">These are just a few examples of the impact that a medical device change can have on an organization; the list is not intended to be all-encompassing. The organization should have a sense of how the change will impact all of the stakeholders of its device or component depending on the specific nature of the change. </p>



<h3 class="wp-block-heading" id="risk-assessment"><strong>Risk Assessment</strong></h3>



<p class="">Understanding risk is crucial for medical device change control. When a medical device company initiates a change, it needs to consider how the risk of the device will be impacted by the change. While a change may save the company a couple of dollars, if the change leads to the device being less safe for users, the change should be avoided.</p>



<p class="">The organization must understand the risk of moving forward with the change. The organization may initiate updates to the process or product FMEA for a device, perform a new FMEA for the change, and/or update any other relevant risk documentation as well as the risk file.</p>



<p class="">The company may also choose to have two different risk assessments associated with the change. There can be a risk assessment at the beginning of the process to ensure that the company still wants to move forward with the change based on the risk level. Then, once the change is moving towards completion, another risk assessment can be performed to ensure there are not any new risks that have emerged from the change control process before the change is implemented. </p>



<h3 class="wp-block-heading" id="regulatory-review"><strong>Regulatory Review</strong></h3>



<p class="">Regulatory hurdles can be one of the main reasons that a company chooses to not move forward with a change.  When a change is initiated, the organization should determine what regulatory steps are required. If the change has a large enough impact, the company may have to submit a new 510(k) or Special 510(k). The organization may also need to receive approval from regulatory bodies before the change is implemented. </p>



<p class="">For these reasons, any changes should be heavily reviewed by the regulatory or quality department before a change is implemented. This is especially true if the device is post-market and has already received regulatory approval.</p>



<p class="">The FDA has an entire <a href="https://www.fda.gov/regulatory-information/search-fda-guidance-documents/deciding-when-submit-510k-change-existing-device" data-type="link" data-id="https://www.fda.gov/regulatory-information/search-fda-guidance-documents/deciding-when-submit-510k-change-existing-device" target="_blank" rel="noopener">77-page guidance document</a> for determining when an organization needs to submit a 510(k) for a change to an existing device. Understanding the regulatory impact is too much to cover in this article, so for now, the focus is having experienced regulatory personnel review the change.</p>



<h3 class="wp-block-heading" id="completing-the-change"><strong>Completing the Change</strong></h3>



<p class="">Once the change has been initially approved and the impact has been carefully considered, the change control process can be performed. The change control process will greatly vary depending on the nature of the change and the device being manufactured. For example, a document change may go through a different change control process than a design change.</p>



<p class="">The organization must have a well-written procedure that documents how change control will be completed. Many times change control is performed through a multi-step or gated approach, where certain actions will need to be completed before moving on to the next step. Each of these actions should be approved once they are completed so that there is evidence that the proper steps were followed.</p>



<p class="">In addition to the other actions listed above (impact assessment, risk assessment, regulatory review), the organization should determine what verification and validation actions need to be completed as part of the change control process. The organization may also need to update work instructions, bills of materials, medical device files, and a whole host of other documents related to the change. If the process is sufficiently impacted, the organization may need to <a href="https://hardcoreqms.com/13485/iso-13485-training-requirements/" data-type="URL" data-id="https://hardcoreqms.com/13485/iso-13485-training-requirements/">perform training</a> as part of the change control process.</p>



<p class="">There should be clear documentation that includes every step that was completed as part of the change.</p>



<p class="">Once all actions are complete, the change should have a final approval with a clear effective date. Anyone impacted by the change should be notified that the change has been made effective.</p>



<h3 class="wp-block-heading" id="documenting-the-change"><strong>Documenting the Change</strong></h3>



<p class="">Throughout the entire medical device change control process, every decision, approval, justification, and step needs to be thoroughly documented. It should be clear to an outside observer what the change was and what actions were completed as part of the change. This information should be clear and traceable and should be understood throughout the entire life-cycle of the device. </p>



<p class="">The way that an organization chooses to document a change will vary based on the document control system of the company. If the company is using a computer-based eQMS system, the eQMS may have a built-in module for completing the change. If the company is using a paper-based system, each element of the change needs to be included in the change file. </p>



<h2 class="wp-block-heading" id="wrapping-up"><strong>Wrapping Up</strong></h2>



<p class="">A good change control process can be the heartbeat of a QMS, and this is especially true in an industry as heavily regulated as medical devices. By following the steps in this article, an organization can be well on its way to creating a change control procedure that works for the company as well as regulators and auditors. Change control is something that is always reviewed as part of QMS audits, so all aspects of a change must be carefully and deeply considered.</p>



<p class="">If you have any questions or comments about medical device change control, please leave a comment below. Also, if you found this article helpful, check out our&nbsp;<a href="https://hardcoreqms.com/13485/">ISO 13485</a>&nbsp;page for other ISO 13485 guides and sign up for our newsletter below.</p>
<p>The post <a rel="nofollow" href="https://hardcoreqms.com/13485/medical-device-change-control/">Understanding Medical Device Change Control (ISO 13485)</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://hardcoreqms.com/13485/medical-device-change-control/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">541</post-id>	</item>
		<item>
		<title>Controlling Medical Device Measuring Equipment (ISO 13485 7.6)</title>
		<link>https://hardcoreqms.com/13485/iso-13485-measuring-equipment/</link>
					<comments>https://hardcoreqms.com/13485/iso-13485-measuring-equipment/#respond</comments>
		
		<dc:creator><![CDATA[Grant Gibson]]></dc:creator>
		<pubDate>Tue, 30 May 2023 13:01:00 +0000</pubDate>
				<category><![CDATA[ISO 13485]]></category>
		<category><![CDATA[Procedure Guides]]></category>
		<guid isPermaLink="false">https://hardcoreqms.com/?p=526</guid>

					<description><![CDATA[<p>Controlling medical device monitoring and measuring equipment is an essential element of an ISO 13485 QMS. Monitoring and measuring equipment verifies that a medical device is safe to put on the market, so any issues with the equipment&#8217;s accuracy can put patients at risk. This article will provide a guide for understanding and implementing the ... <a title="Controlling Medical Device Measuring Equipment (ISO 13485 7.6)" class="read-more" href="https://hardcoreqms.com/13485/iso-13485-measuring-equipment/" aria-label="More on Controlling Medical Device Measuring Equipment (ISO 13485 7.6)">Read more</a></p>
<p>The post <a rel="nofollow" href="https://hardcoreqms.com/13485/iso-13485-measuring-equipment/">Controlling Medical Device Measuring Equipment (ISO 13485 7.6)</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="">Controlling medical device monitoring and measuring equipment is an essential element of an ISO 13485 QMS. Monitoring and measuring equipment verifies that a medical device is safe to put on the market, so any issues with the equipment&#8217;s accuracy can put patients at risk. </p>



<p class="">This article will provide a guide for understanding and implementing the Control of Monitoring and Measurement Equipment by breaking down ISO 13485 section 7.6 in a way that&#8217;s practical and simple to understand.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="920.5" height="513" src="https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2023/05/image-5.png?resize=920.5%2C513&#038;ssl=1" alt="This article breaks down everything you need to know about controlling monitoring and measuring equipment used for medical device production." class="wp-image-704" srcset="https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2023/05/image-5.png?resize=1024%2C571&amp;ssl=1 1024w, https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2023/05/image-5.png?resize=300%2C167&amp;ssl=1 300w, https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2023/05/image-5.png?resize=768%2C429&amp;ssl=1 768w, https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2023/05/image-5.png?w=1457&amp;ssl=1 1457w" sizes="auto, (max-width: 920px) 100vw, 920px" /></figure>



<div class="wp-block-rank-math-toc-block" id="rank-math-toc"><h2><br><strong>Table of Contents</strong></h2><nav><ul><li class=""><a href="#what-needs-to-be-calibrated">What equipment needs to be controlled?</a></li><li class=""><a href="#requirements-for-a-calibration-procedure">Requirements for a calibration procedure</a><ul><li class=""><a href="#calibration-intervals-and-standards">Calibration intervals and standards</a></li><li class=""><a href="#adjusting-calibration-equipment">Adjusting calibration equipment</a></li><li class=""><a href="#identifying-calibration-status">Identifying calibration status</a></li><li class=""><a href="#safeguarding-and-protecting-equipment">Safeguarding and protecting equipment</a></li><li class=""><a href="#documenting-calibration-procedures">Documenting calibration procedures</a></li></ul></li><li class=""><a href="#what-happens-when-equipment-fails-calibration">What happens when equipment fails calibration?</a></li><li class=""><a href="#software-calibration">Software Calibration</a></li><li class=""><a href="#s">Summary of a Calibration Procedure</a></li><li class=""><a href="#wrapping-up">Wrapping Up</a></li></ul></nav></div>



<h2 class="wp-block-heading" id="what-needs-to-be-calibrated"><strong>What equipment needs to be controlled?</strong></h2>



<p class="">First, let&#8217;s break down some terminology. According to the ISO 13485:2016 Practical Guide:</p>



<ul class="wp-block-list">
<li class=""><em>Monitoring is supervising, checking or observing over a period of time, and</em></li>



<li class=""><em>Measurement is determining a quantity, magnitude, or dimension, by using measuring equipment.</em></li>
</ul>



<p class="">A big piece of controlling monitoring and measurement equipment is calibration. However, ISO 13485 does not provide specifics about what equipment needs to be calibrated, how it is calibrated, or the frequency of calibration. That means it is up to the organization to determine its own needs for calibration.</p>



<p class="">That being said, organizations cannot choose to forgo calibration completely. Measurement equipment that is used to verify the accuracy of a medical device or its components should be calibrated. The language in ISO 13485 is that &#8220;<em>equipment needed to provide evidence of conformity of product to determined requirements</em>&#8221; requires calibration.</p>



<p class="">Determining what equipment needs to be calibrated varies for organizations depending on the nature of their products. There are mechanical devices that rely on handheld tools for measurement such as micrometers and calipers, as well as devices that rely on heavily automated digital equipment. Software, cameras, pH meters, thermometers, time-keeping devices, and more could all require calibration depending on the situation.</p>



<p class="">An easy way of thinking about what measurement equipment should be calibrated is to work backward from an audit. During an audit, it is likely that process records, as well as incoming, in-process, and final inspection records, are reviewed. The records should include what equipment is being used during the process or inspection.</p>



<p class="">Therefore, if monitoring and measuring equipment is used during any type of inspection or for monitoring any processes, the equipment should be calibrated. Measuring equipment should also be calibrated if it will be used during design verification or validation testing.</p>



<p class="">What measurement equipment does not require calibration? Reference equipment is typically not included in the calibration requirements of ISO 13485. If measuring equipment is only used during R&amp;D (and won&#8217;t be used for design verification or validation), or if it is used to aid in the construction of molds that will eventually produce medical devices, it may not fit into the requirements of the standard.</p>



<p class="">That said, measuring equipment that is not calibrated will never provide a confident result. Companies should strive to only use calibrated equipment to maintain accuracy through all processes.</p>



<p class="">Other types of equipment that do not need calibration include:</p>



<ul class="wp-block-list">
<li class="">General office instruments, such as clocks and thermometers in place for employee comfort that are not involved with process control.</li>



<li class="">Equipment only used for indication, such as a process gage used to ensure the existence of line pressure.</li>
</ul>



<p class="">Ultimately, it is still up to the organization to determine the risks of not calibrating certain pieces of measuring equipment.</p>



<h2 class="wp-block-heading" id="requirements-for-a-calibration-procedure"><strong>Requirements for a calibration procedure</strong></h2>



<p class="">ISO 13485 section 7.6 states that an organization must have a defined procedure for the calibration and control of monitoring and measurement equipment. Let&#8217;s look through the specific requirements of this section to highlight what needs to be included in the procedure.</p>



<h3 class="wp-block-heading" id="calibration-intervals-and-standards"><strong>Calibration intervals and standards</strong></h3>



<p class="">Measuring equipment must be calibrated both before use and at specific intervals. If a piece of measuring equipment has been recently purchased, the organization can sometimes rely on a calibration certificate provided by the manufacturer to satisfy these requirements. Other times, measuring equipment is installed on-site by the manufacturer or distributor and is calibrated at that time (this is common for CMMs and optical tools).</p>



<p class="">The intervals for calibration will also be determined by the organization, but the organization cannot be too liberal with the length of calibration intervals. Not only will calibrating a piece of equipment every five years not prove reliable, but it also means that a significantly larger amount of product is at risk. In general, companies should rely on the calibration interval specified by the equipment manufacturer if possible.</p>



<p class="">Calibration must be traceable to international or national measurement standards. There should be a line from all pieces of measuring equipment to the standard that it is calibrated against. </p>



<p class="">Sometimes there is no standard for a piece of measuring equipment, such as a gauge that is produced in-house. In this case, the organization must create its own standards and specifications against which the equipment will be calibrated. The company should justify its use of company-specific standards, and they should be validated and traced to product specifications.</p>



<h3 class="wp-block-heading" id="adjusting-calibration-equipment"><strong>Adjusting calibration equipment</strong></h3>



<p class="">The next requirement is related to adjusting or re-adjusting measuring equipment. Measuring equipment must sometimes be adjusted to perform properly or meet calibration standards.</p>



<p class="">If equipment does need to be adjusted, the adjustments should be recorded. That way, the organization can demonstrate that the adjustments were done to specified procedures, and show the effect of the adjustments on the equipment. Sometimes the device requiring adjustments will have been found out-of-calibration, which we will discuss later in this article.</p>



<h3 class="wp-block-heading" id="identifying-calibration-status"><strong>Identifying calibration status</strong></h3>



<p class="">All of the measuring equipment a company uses must be easily identifiable. This means that there is a specific gauge or equipment number listed on the device. If a company has multiple micrometers, for instance, all of the micrometers must be able to be traced back to their specific calibration records.</p>



<p class="">A company has the option to rely solely on the original equipment manufacturer&#8217;s serial number, but these are often lengthier than needed. Most organizations choose to create their own gage-numbers and tie those into the manufacturer&#8217;s serial number in their records.</p>



<p class="">The calibration status also needs to be identifiable for all pieces of measuring equipment. This is often done through the use of calibration stickers which list when calibration was performed, when the next calibration is due, and the name of the person who performed the calibration. This is beneficial because production workers can quickly tell if a piece of equipment is out-of-calibration and refrain from using the equipment (it is essential that measuring equipment that is out-of-calibration is not used for monitoring or measurement).</p>



<p class="">However, calibration stickers will not fully satisfy this requirement. The organization should also be able to determine the calibration status of all of its equipment without having the equipment present. This is typically achieved through the use of spreadsheets or calibration software. Some eQMS software includes a module for calibration, which the organization can easily access to pull the calibration status for its equipment. </p>



<p class="">During an ISO 13485 audit, an auditor will either look at the calibration stickers on different pieces of equipment to understand the calibration status, ask for the calibration status for all pieces of equipment, or both. For this reason, it is crucial that organizations are fully aware of their equipment&#8217;s calibration status. An auditor identifying a piece of equipment that is out of calibration while walking the floor is one of the easiest audit findings for an organization to receive. </p>



<p class="">The person performing the calibration should also be documented and included with the calibration record. This can be an employee of the organization or a contractor who is brought in to perform calibrations. </p>



<h3 class="wp-block-heading" id="safeguarding-and-protecting-equipment"><strong>Safeguarding and protecting equipment</strong></h3>



<p class="">The next requirements are that calibration must be safeguarded from adjustments, and protected from damage during transportation and use.</p>



<p class="">Safeguarding a piece of equipment will vary based on the specific piece of equipment that is being used. Let&#8217;s look at the example of a coordinate-measuring machine (CMM). A CMM typically has a large number of adjustments that can be made via software so that it is properly calibrated and functions correctly. Typically, access to the adjustments is password protected so that operators cannot adjust the equipment either accidentally or intentionally. The password is what safeguards the equipment from adjustments.</p>



<p class="">Protecting the piece of equipment will also be dependent on what the equipment is and how it is used. Some gauges should be kept in boxes so that they are less prone to damage if dropped or exposed to the changes on the shop floor. Very technical pieces of equipment may need to be kept in a lab so that they are not impacted by dust or grease from the production floor. </p>



<p class="">An organization needs to consider how and where measurement equipment is being used when it puts protections in place. It should also train operators to bring pieces of equipment that have been dropped or damaged to the quality or metrology department immediately. That way, the metrology department can quickly adjust and recalibrate the equipment before it is used on production units. </p>



<h3 class="wp-block-heading" id="documenting-calibration-procedures"><strong>Documenting calibration procedures</strong></h3>



<p class="">ISO 13485 states that organizations must have specific procedures in place for calibration and verification.</p>



<p class="">If organizations will be performing calibration themselves, they must have work instructions documented for the specific steps necessary to complete calibration. The work instructions should include what the tolerance requirements are for the calibration to be considered successful, the equipment that is used for the calibration, and any traceable standards related to the calibration. Employees who will be performing the calibration should have the work instructions readily available and be <a href="https://hardcoreqms.com/13485/iso-13485-training-requirements/" data-type="URL" data-id="https://hardcoreqms.com/13485/iso-13485-training-requirements/">trained</a> on the procedures.</p>



<p class="">If the organization is going to send out monitoring and measurement equipment for calibration by an outside company, it still maintains responsibility for the process. The calibration supplier should be qualified according to the organization&#8217;s <a href="https://hardcoreqms.com/13485/medical-device-supplier-management/" data-type="post" data-id="613">supplier management process</a>, and the organization should review the calibration records to ensure they include all needed information.</p>



<p class="">The calibration procedure should also include how calibration records will be stored, as this is a requirement of ISO 13485 and the FDA. The calibration records can follow the organization&#8217;s general <a href="https://hardcoreqms.com/13485/document-control-iso-13485/" data-type="URL" data-id="https://hardcoreqms.com/13485/document-control-iso-13485/">document control</a> procedures or be kept in the calibration software if that is available. </p>



<h2 class="wp-block-heading" id="what-happens-when-equipment-fails-calibration"><strong>What happens when equipment fails calibration?</strong></h2>



<p class="">One significant piece of the control of monitoring and measuring equipment for medical devices is what must be done if measuring equipment is found to be out of calibration at any point. </p>



<p class="">If a piece of measuring equipment is being calibrated, it must first be checked to see if it meets its specified requirements. The result needs to be recorded and included in the calibration record. If an organization is working with outside contractors, it must ensure that the &#8220;as-received&#8221; condition is recorded on the calibration certs.</p>



<p class="">If a piece of measuring equipment fails calibration or does not meet its requirements, the organization must perform a risk analysis for the equipment. The risk analysis can include several steps depending on the product and organization:</p>



<ul class="wp-block-list">
<li class="">Determine what products were inspected with the measuring equipment. All inspections should record what measuring equipment was used during the inspection. That way, there is a traceable line from the measuring equipment to the inspections.</li>



<li class="">Review the results of the inspections to see if there were any inappropriate non-conformances demonstrated or unusual inspection results. The inspections may also have been completed with different pieces of equipment (such as multiple inspectors using different calipers). In this situation, if the inspection results are consistent within a lot, the organization can support that there was little risk as a result of the out-of-tolerance equipment. </li>



<li class="">Reinspect any affected product that is still on-site at the organization. This can help understand the actual impact on the product which was inspected with the out-of-tolerance equipment. </li>



<li class="">Compare the out-of-calibration results to the device specifications. If a micrometer was found to be out-of-calibration by .001&#8243;, but all of the affected products have dimensions with much larger tolerances, the effect may be minimized.</li>



<li class="">Investigate if there were any <a href="https://hardcoreqms.com/13485/complaint-handling-guide/" data-type="URL" data-id="https://hardcoreqms.com/13485/complaint-handling-guide/">complaints</a> generated as a result of out-of-tolerance equipment. </li>



<li class="">Consider the risk level of the process where the measuring equipment was used. If the equipment was used at the very beginning of the manufacturing process, there may be less impact on the finished device. However, if the equipment was used as part of the final release of the product the impact may be quite significant. </li>
</ul>



<p class="">Based on the results of the investigation the organization will have to initiate <a href="https://www.ecfr.gov/current/title-21/chapter-I/subchapter-H/part-820#p-820.72(b)" data-type="URL" data-id="https://www.ecfr.gov/current/title-21/chapter-I/subchapter-H/part-820#p-820.72(b)" target="_blank" rel="noreferrer noopener">remedial actions</a>. The organization might determine that there was no risk to finished devices as a result of the out-of-tolerance measuring equipment. On the extreme end, the organization might have to initiate a product recall or safety notice if there is a significant and dangerous impact from the equipment. </p>



<p class="">Ultimately, it is up to the organization to determine the risk and impact related to equipment found out-of-calibration and the necessary actions that must be taken. The analysis and actions should be appropriate to the risk level and must be recorded and readily available. </p>



<h2 class="wp-block-heading" id="software-calibration"><strong>Software Calibration</strong></h2>



<p class="">Finally, ISO 13485 requires companies to validate any computer software that is used to inspect the requirements of devices. There are many different pieces of monitoring and measuring equipment that have a software component, such as a CMM. If the CMM will be used to verify product requirements, then the CMM will require validation.</p>



<p class="">In this scenario, the CMM might be validated by itself, and any programs that will be used to inspect product requirements will be validated individually. This should be done prior to using the CMM during production, as well as any time the CMM changes or is moved.</p>



<p class="">The organization will also have to follow the previously mentioned steps if the CMM is found to be out of calibration at any point. The calibration information and validation should be recorded.</p>



<h2 class="wp-block-heading" id="s"><strong>Summary of a Calibration Procedure</strong></h2>



<p class="">Using everything we&#8217;ve discussed so far, I&#8217;m going to provide a list of items that should be in a company&#8217;s control of monitoring and measuring equipment procedure to remain compliant with ISO 13485:</p>



<ul class="wp-block-list">
<li class="">How pieces of monitoring and measuring equipment will be identified, how their calibration status is identified, and where this information is stored.</li>



<li class="">The frequency and manner in which monitoring and measuring equipment will be calibrated.</li>



<li class="">The process used to calibrate monitoring and measuring equipment.</li>



<li class="">How software used for monitoring and measuring is validated and revalidated.</li>



<li class="">A process that includes determining if equipment does not conform to its specifications, actions that will be taken in that situation, and how the actions will be recorded.</li>



<li class="">How monitoring and measuring equipment will be safeguarded from adjustments, and protected from damage and deterioration.</li>



<li class="">The way calibration records will be stored and maintained. </li>
</ul>



<h2 class="wp-block-heading" id="wrapping-up"><strong>Wrapping Up</strong></h2>



<p class="">That was an overview of what is required for the control of monitoring and measuring equipment used for medical devices based on ISO 13485 section 7.6. Inspection and calibration play a significant role in the safety of medical devices, so organizations must have well-established calibration procedures.</p>



<p class="">If you have any questions or comments about the calibration of equipment used in the production of medical devices, please leave a comment below. Also, if you found this article helpful, check out our <a href="https://hardcoreqms.com/13485/" data-type="URL" data-id="https://hardcoreqms.com/13485/">ISO 13485</a> page for other ISO 13485 guides and sign up for our newsletter below.</p>



<p>The post <a rel="nofollow" href="https://hardcoreqms.com/13485/iso-13485-measuring-equipment/">Controlling Medical Device Measuring Equipment (ISO 13485 7.6)</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://hardcoreqms.com/13485/iso-13485-measuring-equipment/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">526</post-id>	</item>
		<item>
		<title>Document Control for ISO 13485 Explained</title>
		<link>https://hardcoreqms.com/13485/document-control-iso-13485/</link>
					<comments>https://hardcoreqms.com/13485/document-control-iso-13485/#respond</comments>
		
		<dc:creator><![CDATA[Grant Gibson]]></dc:creator>
		<pubDate>Tue, 16 May 2023 13:35:00 +0000</pubDate>
				<category><![CDATA[ISO 13485]]></category>
		<category><![CDATA[Procedure Guides]]></category>
		<guid isPermaLink="false">https://hardcoreqms.com/?p=447</guid>

					<description><![CDATA[<p>It&#8217;s impossible to have a well-running ISO 13485 QMS without a good document control procedure. Not only will it leave your QMS open to undesired changes and gaps, but it can also lead to confusion and costly mistakes. Document control is also the area of a QMS where it is easiest to get findings during ... <a title="Document Control for ISO 13485 Explained" class="read-more" href="https://hardcoreqms.com/13485/document-control-iso-13485/" aria-label="More on Document Control for ISO 13485 Explained">Read more</a></p>
<p>The post <a rel="nofollow" href="https://hardcoreqms.com/13485/document-control-iso-13485/">Document Control for ISO 13485 Explained</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="">It&#8217;s impossible to have a well-running ISO 13485 QMS without a good document control procedure. Not only will it leave your QMS open to undesired changes and gaps, but it can also lead to confusion and costly mistakes. </p>



<p class="">Document control is also the area of a QMS where it is easiest to get findings during an ISO 13485 audit. Why? Because your document control process is reviewed <strong>during every part of the audit. </strong>While complaints, CAPAs, and other sections are reviewed once, your document control is reviewed with every function of your QMS.</p>



<p class="">This article will go through the ins and outs of the document control requirements from <a href="https://www.iso.org/obp/ui#iso:std:iso:13485:ed-3:v1" data-type="URL" data-id="https://www.iso.org/obp/ui#iso:std:iso:13485:ed-3:v1" target="_blank" rel="noreferrer noopener">ISO 13485</a> section 4.2.4. It will provide practical advice for what the standard is requesting, and how you can implement a document control procedure that meets regulatory requirements while serving the function of the company.</p>



<figure class="wp-block-image size-large is-resized"><img data-recalc-dims="1" loading="lazy" decoding="async" width="920.5" height="515" src="https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2023/05/document-control-iso-13485-explained-1024x573.png?resize=920.5%2C515&#038;ssl=1" alt="Document Control for ISO 13485 Explained, by Hardcore QMS" class="wp-image-501" style="width:838px;height:469px" srcset="https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2023/05/document-control-iso-13485-explained.png?resize=1024%2C573&amp;ssl=1 1024w, https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2023/05/document-control-iso-13485-explained.png?resize=300%2C168&amp;ssl=1 300w, https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2023/05/document-control-iso-13485-explained.png?resize=768%2C430&amp;ssl=1 768w, https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2023/05/document-control-iso-13485-explained.png?resize=1536%2C860&amp;ssl=1 1536w, https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2023/05/document-control-iso-13485-explained.png?w=1825&amp;ssl=1 1825w" sizes="auto, (max-width: 920px) 100vw, 920px" /></figure>



<div class="wp-block-rank-math-toc-block" id="rank-math-toc"><h2><br>Table of Contents</h2><nav><ul><li class=""><a href="#the-why">The Why</a></li><li class=""><a href="#what-types-of-documents-need-to-be-controlled-for-iso-13485">What types of documents need to be controlled for ISO 13485?</a><ul><li class=""><a href="#what-about-records">What about records?</a></li></ul></li><li class=""><a href="#line-by-line-breakdown-of-the-iso-13485-4-2-4-document-control-requirements">Line-by-line breakdown of the ISO 13485 (4.2.4) document control requirements</a><ul><li class=""><a href="#reviewing-and-approving-new-documents">Reviewing and approving new documents</a></li><li class=""><a href="#change-control-for-documents">Change control for documents</a></li><li class=""><a href="#document-revisions-and-history">Document revisions and history</a></li><li class=""><a href="#availability-of-documents">Availability of documents</a></li><li class=""><a href="#document-legibility-and-identifiability-document-numbering">Document legibility and identifiability (document numbering)</a></li><li class=""><a href="#documents-of-external-origin">Documents of external origin</a></li><li class=""><a href="#safekeeping-of-documents">Safekeeping of documents</a></li><li class=""><a href="#handling-obsolete-documents">Handling obsolete documents</a></li></ul></li><li class=""><a href="#document-information">Document Inclusions</a></li><li class=""><a href="#document-retention">Document Retention</a></li><li class=""><a href="#wrapping-up">Wrapping Up</a></li></ul></nav></div>



<h2 class="wp-block-heading" id="the-why"><strong>The Why</strong></h2>



<p class="">All good Quality Systems rely on quick access to the correct documents. Without this, there is far too little control over the processes happening within the organization.</p>



<p class="">A well-made document control system is a great thing to have. It means everyone can access whatever information they need, whenever they need it. It&#8217;s also the foundation of your entire QMS, and every other process will suffer if it is not in order.</p>



<h2 class="wp-block-heading" id="what-types-of-documents-need-to-be-controlled-for-iso-13485"><strong>What types of documents need to be controlled for ISO 13485?</strong></h2>



<p class="">A medical device company requires many different types of documents. Not only are there all of the documents needed to maintain a Medical Device QMS, but there are also employee records, accounting statements, and promotional materials. There are also informal documents like posts about employee birthdays and achievements.</p>



<p class="">With so many different types of documents existing, it can be difficult to know which ones need to be controlled. Your document control procedure must therefore define the scope of documents that require control, so that you are not controlling every email that goes through your facility or failing to control crucial documents.</p>



<p class="">The types of documents being controlled will also vary greatly depending on the medical device being produced. For example, there are no part prints if the Medical Device is software. So, be sure to consider the specific nature of your company before determining what documents require control.</p>



<p class="">Let&#8217;s review some of the common types of documents that should always be included in an ISO 13485 document control system.</p>



<ul class="wp-block-list">
<li class=""><a href="https://hardcoreqms.com/13485/quality-policy-iso-13485/" data-type="URL" data-id="https://hardcoreqms.com/13485/quality-policy-iso-13485/">Quality Policy</a>, Manual, and Objectives</li>



<li class="">Quality Procedures including validation procedures</li>



<li class=""><a href="https://hardcoreqms.com/fda/device-master-record/" data-type="URL" data-id="https://hardcoreqms.com/fda/device-master-record/">Device Master Records/Medical Device Files</a></li>



<li class="">Work Instructions</li>



<li class="">Forms and templates</li>



<li class="">Specifications</li>



<li class="">Drawings</li>



<li class="">Labels</li>



<li class="">Documents of External Origin</li>
</ul>



<p class="">These are all documents that are needed for the QMS to function properly. If there is any chance that a document may be presented during an audit, this is a good indication that it should be controlled. For example, while employee disciplinary actions would not be discussed and do not need to be controlled, job descriptions and forms for <a href="https://hardcoreqms.com/13485/iso-13485-training-requirements/" data-type="URL" data-id="https://hardcoreqms.com/13485/iso-13485-training-requirements/">employee training</a> definitely need to be controlled documents.</p>



<p class="">Another thing to keep in mind is that if the process for controlling documents is straightforward, then employees are more likely to follow the process. This means that the document control process has a greater chance of being compliant. One way to simplify an ISO 13485 document control process is through the use of an eQMS or digital document software.</p>



<p class="">Just a warning: auditors&#8217; interpretation of what documents require control can vary. For example, during an audit at a company I was working for, an auditor stated that a poster depicting how to wash your hands should be controlled since it was related to infrastructure. While I&#8217;ve provided some of the more common types of documents, it can be difficult to meet all auditors&#8217; ideas of the standard.</p>



<h3 class="wp-block-heading" id="what-about-records"><strong>What about records?</strong></h3>



<p class="">As ISO 13485 states, <em>records are a special type of document and shall be controlled according to the requirements given in 4.2.5</em>. As records fall under a different section of ISO, we will cover them in a different post to give as much clarity as possible. </p>



<h2 class="wp-block-heading" id="line-by-line-breakdown-of-the-iso-13485-4-2-4-document-control-requirements"><strong>Line-by-line breakdown of the ISO 13485 (4.2.4) document control requirements</strong></h2>



<p class="">Now that we know what types of documents require control, let&#8217;s look through ISO 13485 section 4.2.4 line-by-line to cover all of the requirements.</p>



<h3 class="wp-block-heading" id="reviewing-and-approving-new-documents"><strong>Reviewing and approving new documents</strong></h3>



<p class="">The first requirement is that new documents are reviewed and approved before they are used. This means that employees cannot create documents on their own and then issue them to the QMS without any further review. It also means that someone with the proper literacy and experience needs to review the document to confirm that the document will function as intended.</p>



<p class="">As far as approval goes, many companies issue new documents by following their document change control process, which we will cover in the next section. Documents need to be seen and approved by more than one individual before they are introduced into the Quality Management System.</p>



<h3 class="wp-block-heading" id="change-control-for-documents"><strong>Change control for documents</strong></h3>



<p class="">Once a document is included in the QMS, it needs to be reviewed and approved before any changes are made. Some companies choose to follow their normal <a href="https://hardcoreqms.com/13485/medical-device-change-control/" data-type="URL" data-id="https://hardcoreqms.com/13485/medical-device-change-control/">change control process</a> if they are going to make any changes to QMS documents. Other companies choose to have a different process in place specific to documents for reviewing and approval.</p>



<p class="">Later on in 4.2.4, ISO 13485 states that document changes need to be <em>reviewed and approved either by the original approving function or another designated function that has access to pertinent background information upon which to base its decisions</em>. </p>



<p class="">This clause determines which approvals a document needs. It means that if a document is created by an engineer, production manager, and QA, it cannot be reviewed and approved by QA alone. This makes sense since QA may not have the proper knowledge of the process to understand the impact of the changes.</p>



<p class="">There is also a warning tied to this clause. If you have a ton of different people approve a document, it will be much harder to reapprove the document when it needs to be updated. It is best to include only employees with the proper knowledge of the process when you are creating and updating documents.</p>



<p class="">Try to avoid having everyone on the top management team approve a document, as you will have to go on a wild goose chase every time you need the document approved. It&#8217;s also a good idea to have a broad descriptor of the approving function so that you can still get documents approved if someone takes an extended vacation or their job title changes.</p>



<p class="">When you make a change to a document, you need to record the functions that approved the document, the name of the approvers, as well as the date the document was approved. </p>



<p class="">It can also be beneficial to have everyone approve a document some time before the document is made effective. Employees should always be trained on the latest version of a document. This means that if a document is approved and then immediately made effective, you will have to train relevant personnel on the process immediately.</p>



<p class="">On the other hand, people should not train on an updated process unless the changes have been approved. To make this work, companies will often have the document fully approved, and then wait a week or more to conduct training before the document is made effective.</p>



<p class="">If the approval date and effective date are different, be sure that both dates are recorded.</p>



<p class="">Once the changes to the document have been approved and made effective, all relevant parties need to be made aware of the changes. This includes internal personnel as well as suppliers that may be manufacturing a part to the documented specification or following your process.</p>



<h3 class="wp-block-heading" id="document-revisions-and-history"><strong>Document revisions and history</strong></h3>



<p class="">This is a fairly simple requirement that is met by following Good Documentation Practices (GDP). The industry standard is that documents have a stated revision which can be found on the document, usually in the header. The revision can be a letter, number, or combination of both. But, it should be clear which version of the document is being used.</p>



<p class="">The revision history of the document is typically found at the end of the document. Whenever a new revision of a document is created, you should summarize what changes were made to the document in the revision history table. This can be carried forward so that there is a full history of the changes made to a document. Some companies also choose to highlight or otherwise differentiate the most recent changes made to documents for greater visibility.  </p>



<h3 class="wp-block-heading" id="availability-of-documents"><strong>Availability of documents</strong></h3>



<p class="">If a work instruction is required on the floor to manufacture a device, would it make sense for the document to be in a filing cabinet at the other end of the warehouse? </p>



<p class="">All documents need to be available to the employees who are going to be using them. This is especially true for work instructions, forms, drawings, specifications, and other process-related documents.</p>



<p class="">This requirement can be easily met by using a computer-based document control system. That way, as long as computers are accessible, the required documents are available at the points of use.</p>



<p class="">If you are using a paper-based document management system, you will have to have physical copies of documents available at the point of use. These copies will also need to be tracked when a new revision of a document is made. </p>



<p class="">Where your controlled documents will be located needs to be referenced within your document management procedure. </p>



<h3 class="wp-block-heading" id="document-legibility-and-identifiability-document-numbering"><strong>Document legibility and identifiability (document numbering)</strong></h3>



<p class="">This line includes two different requirements. The first is that the document remains legible. This could mean formatting a document so that it is easy to read and understand if the document is digital. It could also mean that a physical copy of a document does not get damaged and covered in grease.</p>



<p class="">The second part of the requirement is that documents are identifiable. This requirement is typically met by having a clear and unique document title, as well as a unique document number. It helps if document titles are clear and straightforward so that it is easy to search for the appropriate document.</p>



<p class="">While document numbering is not specifically required in ISO 13485, it is the solution most companies have found to make sure it is easy to identify documents and tell them apart. The document numbering system can be a &#8220;smart&#8221; numbering system that includes different references to parts, divisions, or departments. Or, the document number can be randomly generated, which is much easier to do with an electronic document management system.</p>



<h3 class="wp-block-heading" id="documents-of-external-origin"><strong>Documents of external origin</strong></h3>



<p class="">Many different types of documents of external origin may need to be included in a company&#8217;s QMS. For example, a contract manufacturing company may be building a medical device to a customer&#8217;s specifications. Or, a company may need information provided by a machine supplier for the machine to function properly.</p>



<p class="">Companies should also include relevant regulations and ISO standards as part of their documents of external origin.</p>



<p class="">All documents of external origin that are necessary for your company should be included in the document control system. They also need to be controlled and updated if a new version of the document is provided, such as the medical device company changing specifications in the contract manufacturing example.</p>



<h3 class="wp-block-heading" id="safekeeping-of-documents"><strong>Safekeeping of documents</strong></h3>



<p class="">Your document control system should be set up so that documents do not get lost or damaged. If the document control system is electronic, this means creating backups of the document files so that they are not lost if they are accidentally deleted. A company also needs sufficient cybersecurity measures in place so that documents cannot be damaged by hackers.</p>



<p class="">If the document control system is paper-based, then you must ensure that documents are not lost during normal use. There should also be accident prevention measures in place, such as storing documents in fireproof cabinets so that they are not damaged during a fire.</p>



<p class="">Your need to safeguard documents will depend on the document control system that is set up, as well as the environment in which you are using the documents.</p>



<h3 class="wp-block-heading" id="handling-obsolete-documents"><strong>Handling obsolete documents</strong></h3>



<p class="">The final requirement from this section is to ensure obsolete versions of documents are identifiable and do not get used. Once a document is obsoleted, it should be removed from the point of use, and normal access to the document should be eliminated. It should also be marked as obsolete either physically with a stamp or electronically through controls that state the status of the document. </p>



<h2 class="wp-block-heading" id="document-information"><strong>Document Inclusions</strong></h2>



<p class="">Outside of what we discussed, it is useful for document management procedures to specify what information is included in documents. Using controlled forms or templates can make it easier to include the needed info on the documents.</p>



<p class="">Some of the information includes:</p>



<ul class="wp-block-list">
<li class="">Document approvers and approval dates</li>



<li class="">Title </li>



<li class="">Purpose and scope of the document</li>



<li class="">Date the document is released or made effective</li>



<li class="">Revision status and history</li>



<li class="">Document number</li>
</ul>



<p class="">You can also add whatever other pieces of information you believe will benefit the document system and company, such as definitions, related documents, and references to relevant standards.</p>



<h2 class="wp-block-heading" id="document-retention"><strong>Document Retention</strong></h2>



<p class="">The final aspect of the ISO 13485 document control requirements is the requirements related to document retention. This is another area of the requirements that will vary greatly depending on the type of document control system that a company is using as well as the medical device being produced.</p>



<p class="">If a company is using an electronic document control system, it can be cheap and easy to store documents indefinitely. However, if a company is using a paper-based system, document retention can quickly become a burden.</p>



<p class="">The standard first states that at least one copy of obsolete documents should be retained. You should be able to reference the obsolete version of a document to review the changes that were made, and the version may be relevant if processes occurred while that version was released. </p>



<p class="">How long should the obsoleted document be retained? ISO 13485 specifies that it should be &#8220;<em>at least the lifetime of the medical device as defined by the organization but not less than the retention period of any resulting record or as specified by applicable regulatory requirements</em>&#8221;.</p>



<p class="">This means that if there is a work instruction for the assembly of a medical device, the applicable version of the work instruction should be retained for at least the lifetime of the medical device. </p>



<p class="">For document retention, longer is always going to be better. A company will not get in trouble for keeping obsolete documents well past the lifetime of a medical device (as long as this does not violate their procedures). But they could face issues if they get rid of documents too soon.</p>



<p class="">Again, if your company is using an electronic document management system, I would recommend retaining all documents indefinitely. It is cheap and avoids the issue of deciding when to get rid of obsolete documents.</p>



<p class="">However, if your company is using a paper-based document management system, you should look at all regulations that apply to your device, and then add some extra time for how long documents will be retained. It is better to be safe than sorry when it comes to document retention. </p>



<h2 class="wp-block-heading" id="wrapping-up"><strong>Wrapping Up</strong></h2>



<p class="">Document control is a fundamental aspect of having a compliant ISO 13485 QMS, or really any QMS for that matter. It is impossible to have good and consistent processes in place if documents are not controlled and can be changed by anyone. Hopefully, this article helped you understand what ISO 13485 requires for a medical device document control procedure.</p>



<p class="">If you have any questions or comments about document control, please leave a comment below. Also, if you found this article helpful, check out our <a href="https://hardcoreqms.com/13485/" data-type="URL" data-id="https://hardcoreqms.com/13485/">ISO 13485</a> page for other ISO 13485 guides and sign up for our newsletter below.  </p>



<p>The post <a rel="nofollow" href="https://hardcoreqms.com/13485/document-control-iso-13485/">Document Control for ISO 13485 Explained</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://hardcoreqms.com/13485/document-control-iso-13485/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">447</post-id>	</item>
	</channel>
</rss>
