<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:media="http://search.yahoo.com/mrss/" >

<channel>
	<title>Hardcore QMS</title>
	<atom:link href="https://hardcoreqms.com/feed/" rel="self" type="application/rss+xml" />
	<link>https://hardcoreqms.com</link>
	<description>A destination for regulatory and quality assurance professionals</description>
	<lastBuildDate>Tue, 06 May 2025 00:48:02 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2023/03/cropped-HardcoreQMSsquare.png?fit=32%2C32&#038;ssl=1</url>
	<title>Hardcore QMS</title>
	<link>https://hardcoreqms.com</link>
	<width>32</width>
	<height>32</height>
</image> 
<site xmlns="com-wordpress:feed-additions:1">213694575</site>	<item>
		<title>Managing Medical Device Records for ISO 13485 (4.2.5)</title>
		<link>https://hardcoreqms.com/13485/medical-device-records/</link>
					<comments>https://hardcoreqms.com/13485/medical-device-records/#respond</comments>
		
		<dc:creator><![CDATA[Grant Gibson]]></dc:creator>
		<pubDate>Tue, 06 May 2025 00:47:57 +0000</pubDate>
				<category><![CDATA[ISO 13485]]></category>
		<guid isPermaLink="false">https://hardcoreqms.com/?p=795</guid>

					<description><![CDATA[<p>Do you want to know what medical device companies produce the most? You might think it’s medical devices, but that’s not the case. It’s actually records.&#160; Each manufacturing batch, audit, complaint, training session, and more creates records. The output of nearly every process is at least one, sometimes many, records. And there are specific requirements ... <a title="Managing Medical Device Records for ISO 13485 (4.2.5)" class="read-more" href="https://hardcoreqms.com/13485/medical-device-records/" aria-label="More on Managing Medical Device Records for ISO 13485 (4.2.5)">Read more</a></p>
]]></description>
										<content:encoded><![CDATA[
<p class="">Do you want to know what medical device companies produce the most? You might think it’s medical devices, but that’s not the case. It’s actually <strong>records</strong>.&nbsp;</p>



<p class="">Each manufacturing batch, audit, complaint, training session, and more creates records. The output of nearly every process is at least one, sometimes many, records. And there are specific requirements around how those records must be identified, stored, retrieved, and retained.</p>



<p class="">If it’s not documented, it didn’t happen. Let’s go through the requirements to understand everything an organization must do to ensure they are meeting the record-keeping requirements of ISO 13485 section 4.2.5.</p>



<h2 class="wp-block-heading"><strong>What are records?</strong></h2>



<p class="">Records are a special type of document generated as the output of processes. They can be initiated from:</p>



<ul class="wp-block-list">
<li class="">Design and development of medical devices/products</li>



<li class="">Manufacturing processes</li>



<li class="">Manufacturing batches of medical devices/products</li>



<li class="">Distribution of products</li>



<li class="">Quality Management System (QMS) Records</li>
</ul>



<p class="">Almost every process within an ISO 13485 QMS will generate a record. Records range from something as minor as a sign-off on a PO all the way up to a 20-page audit report. Companies should save as much information and as many outputs as possible to demonstrate the effectiveness of the QMS.</p>



<p class="">Unlike other documents, the nature and raw data of a record can vary wildly depending on the medium. While, even digitally, most Quality documents are a type of Word or PDF file, records can have many types of data entry. For example, they may be automated or be entered directly into different types of software or spreadsheets. </p>



<p class="">All of this information is considered a record. Many times, it is helpful to have software that can present the raw record in a PDF or similar summary. This is useful during audits and regulatory inspections. </p>



<p class="">When you transfer raw data into a different record or summary, you should maintain a copy of the original data. Both of these can be included as one record, or they should be linked.</p>



<h2 class="wp-block-heading"><strong>What are the ISO 13485 Requirements for Records?</strong></h2>



<p class="">The requirements for records share many similarities with the requirements for <a href="https://hardcoreqms.com/13485/document-control-iso-13485/" data-type="post" data-id="447">document control</a>; however, there are some meaningful differences between the two, especially for digital records.&nbsp;</p>



<p class="">For example, all documents are required to be reviewed and approved. Some records may be automatically generated, and it would not make sense for them to be approved. Other records that are entered digitally will maintain timestamps and identification of which user generated the information. </p>



<p class="">As we work through the other requirements, you can see more of the other differences with records:</p>



<ul class="wp-block-list">
<li class=""><strong>Identification: </strong>Records can have a document number for identification; however, many times they are labeled with a case or ID number. For example, a nonconformance may be labeled as NCR-0179. This ID/case number can be referenced in other documents or records. </li>



<li class=""><strong>Storage: </strong>While documents need to be stored, it is inevitable that there are many times more records than documents. This can make their storage a challenge. If they are stored electronically, they may be kept in a different area than regular documents. Sometimes documents and procedures are stored electronically, but their corresponding records are stored in large file cabinets.</li>
</ul>



<p class="">Additionally, paper records are sometimes transferred to digital records. If this is the case, the company should ensure that all of the information in the original document is transferred. They will also have to determine if they are able to obsolete or dispose of the original copy.&nbsp;</p>



<ul class="wp-block-list">
<li class=""><strong>Security and Integrity:</strong> Companies should ensure that records cannot be altered or changed outside of documented mechanisms. It’s also useful to limit access to certain records. This can be done digitally or through locked filing cabinets for paper records. If records are being stored digitally, companies should determine their backup and cybersecurity needs to ensure records are kept safe.</li>



<li class=""><strong>Retrieval: </strong>There are many times when a company will need to access a record. Some examples include audits and regulatory inspections, as well as CAPA and other root cause investigations. The company needs to have a clear method of ensuring that the correct individuals can access documents in a timely manner.</li>
</ul>



<p class="">Organizations need to document all of the requirements related to records (identification, storage method and location, security, and retrieval). This can be documented in a control of records procedure, in the procedure or work instruction for which the record is an output, or some combination of the two.</p>



<h2 class="wp-block-heading"><strong>Records Retention and Disposal</strong></h2>



<p class="">The timeline for retention of records depends on the type of record and the specific medical device.</p>



<h3 class="wp-block-heading"><strong>Records for Batches of Devices</strong></h3>



<p class="">For records related to the manufacturing and distribution of a specific medical device or batch of medical devices, ISO 13485 states that:</p>



<p class=""><em>The organization shall retain the records for at least the lifetime of the medical device as defined by the organization, or as specified by applicable regulatory requirements, but not less than two years from the medical devices release by the organization.</em></p>



<p class=""><strong>Note: for EU MDR/IVDR, the minimum retention time is 10 years.</strong></p>



<p class="">The lifetime of a medical device can either be multiple decades or under two years for certain products (some people are surprised that the lifetime of a device can be under two years, but this is common for certain types of devices that expire).</p>



<p class="">Organizations need to determine the specific lifetime of their devices based on shelf-life, expiration date, degradation of packaging materials, expiration related to stability, servicing requirements, and more. The lifetime of a device should be recorded in the appropriate Medical Device File.</p>



<h3 class="wp-block-heading"><strong>Records for Manufacturing/Design Processes</strong></h3>



<p class="">The next type of record is those related to the design and manufacturing process of the devices, including validation reports and design control records (design inputs, outputs, verification, validation). These documents need to be retained for at least the lifetime of the device based on the last device manufactured or sold.</p>



<h3 class="wp-block-heading"><strong>QMS Records</strong></h3>



<p class="">The final type of records is those that are generated from QMS processes. These can include Management Review minutes, internal audits, <a href="https://hardcoreqms.com/13485/medical-device-supplier-management/" data-type="post" data-id="613">evaluation and monitoring of suppliers</a>, etc. Here, it is up to the organization to determine the retention period of the records based on the specific process and risks. However, a company never wants to be unable to access a record when requested by an auditor or regulatory body.</p>



<p class="">Carrying over what I said in our <a href="https://hardcoreqms.com/13485/document-control-iso-13485/" data-type="post" data-id="447">document control guide</a>, a company is unlikely to face consequences for retaining a record later than is required. Especially if the records are stored digitally, it is a good practice to maintain records indefinitely. Digital records past the lifetime of the device can be transferred to a different system for storage, as long as they can still be accessed when necessary.</p>



<p class="">If organizations are going to dispose of records, they need to document the manner of the disposal. For paper records, this could include in-house shredding or the contracting of a paper shredding supplier. Digital records could be deleted manually or automatically through an algorithm.</p>



<p class="">In their procedure, organizations should state the retention period of different records, as well as the mechanism for the retention and disposal of records.</p>



<h2 class="wp-block-heading"><strong>Confidential Health Information</strong></h2>



<p class="">Another requirement of ISO 13485 section 4.2.5 is that medical device organizations must ensure that they are protecting confidential health information in accordance with regulatory requirements.</p>



<p class="">Medical device companies receive health information in a variety of ways. Many different medical devices and IVDs contain electronic data related to patients, with this data sometimes being stored in a cloud or accessible during servicing. Organizations might also receive health information from customer complaints, during clinical trials/studies, and when creating a custom medical device.</p>



<p class="">All of this data and health information must have an extra layer of security for how it is received and maintained. Companies should be certain that all relevant information is protected according to the relevant regulatory requirements, such as HIPAA in the United States.</p>



<h3 class="wp-block-heading"><strong>Changes to Records</strong></h3>



<p class="">There are two main times when a record would need to be changed.</p>



<p class="">The first is during the data entry process when a mistake is made. When documents are changed this way, companies need to maintain the original entry if possible.</p>



<p class="">For paper records, the best practice is to have a strikethrough of the mistake, as well as the date and initials of the person performing the correction. For digital records, the system should automatically capture any changes made to the record, as well as the date, time, and user who made the changes.</p>



<p class="">The second type of change is much rarer and is done after a record has been completed/finalized.&nbsp;</p>



<p class="">For paper records, the mechanism of changing may be the same as above; however, there should be a comment or description of why the change was made.&nbsp;</p>



<p class="">For digital records, the company can use its document change control procedure to create a new revision of the record with updated information. The original version of the record should be maintained, and the reason for the change should be included.</p>



<h2 class="wp-block-heading"><strong>Good Practices for Records</strong></h2>



<p class="">Following Good Documentation Practices (GDP) can be very helpful for proper record-keeping. Note that while many of these are not listed in ISO 13485 or FDA requirements, not following them can result in audit findings and FDA Form 483s.&nbsp;</p>



<ul class="wp-block-list">
<li class="">Pages should be numbered for completeness and to prevent changes.</li>



<li class="">Headers or other identifying information should be carried over to each page of a record.</li>



<li class="">Signatures should be accompanied by a printed name and date.</li>



<li class="">Hand-written signatures should always be done with ink (not a pencil).</li>



<li class="">All entry areas and checkboxes should be completed when filling out a form. If that field does not have any data, “N/A” can be entered into that area.</li>



<li class="">Records and data cannot be “pre-dated” or “post-dated”. This is a common mistake when a form is printed to be signed. However, all dates need to be made at the same time as the signatures.&nbsp;</li>



<li class="">Another person’s signature or initials should not be used on a form.</li>



<li class="">For an electronic signature to be valid, it must comply with the requirements of 21 CFR Part 11.</li>



<li class="">It can be a good idea to have a second person verify critical data for accuracy and completeness. The identification and date of the second review should be recorded.</li>
</ul>



<p class="">If a company is planning on having many records filled out on paper, it’s a good idea to ensure that all <a href="https://hardcoreqms.com/13485/iso-13485-training-requirements/" data-type="post" data-id="257">relevant employees are trained</a> on GDPs. Otherwise, Quality will have to spend more time verifying records to ensure information is entered correctly.</p>



<h2 class="wp-block-heading"><strong>Digital Records</strong></h2>



<p class="">Digital records are much more convenient than paper records, from both a usability and retrieval standpoint. However, there are some considerations that should be made for digital records.</p>



<p class="">There are certain regulatory requirements that surround digital records. One easy example is that records for devices sold in the US must be compliant with <a href="https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11" data-type="link" data-id="https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11" target="_blank" rel="noopener">21 CFR Part 11</a>. Another is the cybersecurity requirements in <a href="https://www.iso.org/standard/27001" data-type="link" data-id="https://www.iso.org/standard/27001" target="_blank" rel="noopener">ISO 27001</a>.</p>



<p class="">For storage, companies need to factor in the lifespan of the relevant software. While this is becoming less common with cloud storage, there are older software systems where the records are not easily exportable, and the software is no longer being updated. This means that any issue could lead to a loss of records.</p>



<p class="">From a security standpoint, records should be protected from unauthorized access and entries coming from inside and outside the organization. Records can either be stored in such a way that they cannot be amended once filed, or access to records can be controlled digitally. Cybersecurity measures can protect from access outside of the organization.</p>



<p class="">Any software that will be used for creating or storing records must be validated. This is to ensure that the software meets the above requirements and complies with ISO 13485 section 4.1.6.</p>



<h2 class="wp-block-heading"><strong>Paper-Based Records</strong></h2>



<p class="">While paper-based records are much more cumbersome than digital records, there are some advantages. For example, the systems do not need validation, there are fewer regulatory requirements, and they are cheaper in the short term.</p>



<p class="">However, besides the drawbacks to efficiency, there are other considerations for paper documents.</p>



<p class="">Paper documents require much more work around GDP. Entries cannot be limited or automated in forms, all handwriting must be clear, and there are specific requirements surrounding signatures. Information entered into paper records must also be accompanied by a signature and date. This means that a larger number of employees need to be trained in record-keeping processes.</p>



<p class="">Paper documents must also be maintained securely. It is typical for paper records to be stored in lockable fireproof cabinets to prevent the loss of records in an emergency. Companies need to be careful and maintain responsibility for all copies of paper documents.</p>



<h2 class="wp-block-heading"><strong>Wrapping Up</strong></h2>



<p class="">Sometimes, when you are working in the medical device industry, it can feel like everything you do is related to records. And that’s not far from the case! By following the information laid out in this article, you can help your company meet the <strong>control of records</strong> requirements of ISO 13485.</p>



]]></content:encoded>
					
					<wfw:commentRss>https://hardcoreqms.com/13485/medical-device-records/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">795</post-id>	</item>
		<item>
		<title>Management Representative and Responsibilities for ISO 13485 5.5</title>
		<link>https://hardcoreqms.com/13485/management-representative-responsibilities/</link>
					<comments>https://hardcoreqms.com/13485/management-representative-responsibilities/#respond</comments>
		
		<dc:creator><![CDATA[Grant Gibson]]></dc:creator>
		<pubDate>Mon, 21 Apr 2025 23:00:36 +0000</pubDate>
				<category><![CDATA[ISO 13485]]></category>
		<guid isPermaLink="false">https://hardcoreqms.com/?p=650</guid>

					<description><![CDATA[<p>Part of maintaining good quality is accountability. You have to understand which people are in charge of which processes so that there are clear lines of responsibility. Without that, tasks are left fuzzy, and no one knows who is supposed to perform certain actions.&#160; Section 5.5 of ISO 13485 (Responsibility, authority, and communication) may not ... <a title="Management Representative and Responsibilities for ISO 13485 5.5" class="read-more" href="https://hardcoreqms.com/13485/management-representative-responsibilities/" aria-label="More on Management Representative and Responsibilities for ISO 13485 5.5">Read more</a></p>
]]></description>
										<content:encoded><![CDATA[
<p class="">Part of maintaining good quality is accountability. You have to understand which people are in charge of which processes so that there are clear lines of responsibility. Without that, tasks are left fuzzy, and no one knows who is supposed to perform certain actions.&nbsp;</p>



<p class="">Section 5.5 of ISO 13485 (Responsibility, authority, and communication) may not require its own procedure, but it&#8217;s still important for an organization to meet the requirements and achieve a high level of quality in its processes and products.&nbsp;</p>






<h2 class="wp-block-heading" id="the-why"><strong>The Why</strong></h2>



<p class="">Quality is not something that you can leave employees to create on their own. By establishing clear responsibilities and enabling people through authority, people are better able to produce high-quality devices and help the QMS improve.&nbsp;</p>



<p class="">The goal of the Management Representative is to have one person who is knowledgeable about the relevant standards and regulations and empowered to implement changes for the betterment of the QMS and the company.</p>



<h2 class="wp-block-heading" id="responsibility-and-authority-5-5-1"><strong>Responsibility and Authority (5.5.1)</strong></h2>



<p class="">Top management must ensure that all roles within an organization are well-defined. Without roles being defined, it becomes easy to brush off aspects of a process as “not your job”.&nbsp;</p>



<p class="">Typically, top management delegates authority to employees through job descriptions and organizational charts. If you read our <a href="https://hardcoreqms.com/13485/iso-13485-training-requirements/" data-type="post" data-id="257">Training Requirements Guide</a>, you know that job descriptions need to be controlled within your organization’s QMS.&nbsp;</p>



<p class="">Additionally, companies also list responsibilities for different processes within the relevant work instructions or SOPs. This can make it clear who will be doing each section of the process. If your organization is going this route, you can make sure responsibilities are added to documents following your <a href="https://hardcoreqms.com/13485/document-control-iso-13485/" data-type="post" data-id="447">document control procedure</a>.</p>



<h3 class="wp-block-heading" id="the-organizational-chart"><strong>The Organizational Chart</strong></h3>



<p class="">An <a href="https://en.wikipedia.org/wiki/Organizational_chart" data-type="link" data-id="https://en.wikipedia.org/wiki/Organizational_chart" target="_blank" rel="noopener">Org Chart</a> needs to exist within a company’s QMS to show the interrelation of personnel. The level of detail and location of the Org Chart will depend on the size and needs of the company.&nbsp;</p>



<p class="">For example, a large company may have an Org Chart that is specific to roles and departments and does not go into granular detail about who is in each role. You’ll often find this type of Org Chart in a company’s Quality Manual, but it is perfectly acceptable to have it as a standalone document referenced in the Quality Manual.</p>



<p class="">Medium and large companies may also have human resources software that can show a full Org Chart, including each employee and their manager. However, it may be difficult to access this information during an audit, and the chart would be impossible to move through if it contained thousands of employees. For this reason, a company may choose to have both the software and a department-level Org Chart built into the Quality Manual.</p>



<p class="">At smaller companies, it can be feasible to include each individual employee and their role within the Org Chart. If you are taking this approach, I highly recommend having an Org Chart as a separate document referenced in the Quality Manual. That way, you do not need to change the Quality Manual every time the Org Chart is updated.</p>



<h3 class="wp-block-heading" id="independence"><strong>Independence</strong></h3>



<p class="">ISO 13485 section 5.5.1 includes the statement “<em>personnel who manage, perform, and verify work affecting quality shall ensure the independence and authority necessary to perform these tasks</em>”.</p>



<p class="">It’s useful to think about this both from an organizational level and a specific task level.</p>



<p class="">From an organizational level, it can be detrimental for certain members of Quality to report directly under Operations/Manufacturing. The employees in Quality may feel that they can’t be honest in their role without facing career repercussions. Many times, Medical Device companies will have a separate area for Quality on their Org Chart, including the Head of Quality having a connection or “dotted-line” connection to the CEO.</p>



<p class="">However, the feasibility of this approach will depend on the size of the organization. Smaller companies may have limited managers and no employees dedicated to Quality. These companies should focus on empowering employees to point out quality concerns with their work.</p>



<p class="">At the task level, all sizes of organizations need to maintain independence for certain activities.&nbsp;</p>



<p class="">One of the main activities cited here is internal audits. Put simply, people should never be in a position to audit their own work. It’s also not advisable to have someone audit the work of their direct superior.&nbsp;</p>



<p class="">At larger companies, it can be easier to train different employees in internal audits and have them audit areas outside of their work function. At smaller companies, there may be one or no member of the organization who is qualified to lead audits, and the company should look at outsourcing its internal audit.</p>



<h2 class="wp-block-heading" id="the-management-representative-5-5-2"><strong>The Management Representative (5.5.2)</strong></h2>



<p class="">The Management Representative is a strange role that exists in organizations following a QMS. The purpose is to have one specific individual who is responsible for making sure every part of the QMS is effective, meets the standards, and is communicated to top management and the rest of the organization.</p>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" fetchpriority="high" decoding="async" width="920.5" height="613" src="https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2025/04/management-rep-information.png?resize=920.5%2C613&#038;ssl=1" alt="Summarizing the responsibilities and role of the management Rep." class="wp-image-833" srcset="https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2025/04/management-rep-information.png?resize=1024%2C682&amp;ssl=1 1024w, https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2025/04/management-rep-information.png?resize=300%2C200&amp;ssl=1 300w, https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2025/04/management-rep-information.png?resize=768%2C512&amp;ssl=1 768w, https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2025/04/management-rep-information.png?resize=1536%2C1023&amp;ssl=1 1536w, https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2025/04/management-rep-information.png?w=1825&amp;ssl=1 1825w" sizes="(max-width: 920px) 100vw, 920px" /></figure>



<h3 class="wp-block-heading" id="what-are-the-duties-of-a-medical-device-management-representative"><strong>What are the duties of a Medical Device Management Representative?</strong></h3>



<p class="">The specifics of what the Management Representative does will vary depending on the size of the organization; however, here are the responsibilities laid out in ISO 13485:</p>



<ul class="wp-block-list">
<li class="">Verify that the processes needed for the QMS conform to ISO 13485 and are documented</li>



<li class="">Inform top management of the effectiveness of the QMS and areas where it can improve</li>



<li class="">Promote awareness of the standard and applicable regulatory requirements throughout the company</li>
</ul>



<p class="">While ISO 13485 lists these as requirements for the Management Representative, it’s important to note that any or all of these tasks can be delegated to different members of the organization. However, the Management Rep has ultimate responsibility for ensuring the activities are completed.</p>



<p class="">The first responsibility is setting up and/or maintaining the QMS. If there are needed procedures, they should be written or reviewed by the Management Representative or a designee. The maintenance of the QMS is also supported by the Management Representative&#8217;s involvement in internal audits.</p>



<p class="">The second responsibility is most often done through the <a href="https://hardcoreqms.com/13485/management-review-iso-13485/" data-type="post" data-id="301">Management Review Meeting</a>. The Management Rep can either prepare the information and lead the entire review, or they can delegate information gathering and the presentation to different employees. Either way, the Management Rep must be involved and participate in the Management Review.</p>



<p class="">The third responsibility comes down to training. The training for employees should go beyond specific work duties and include information on how activities help meet the QMS and regulatory requirements. The Management Rep should also ensure that the Quality Policy and different Quality Objectives are communicated throughout the organization.</p>



<h3 class="wp-block-heading" id="who-can-be-the-management-representative"><strong>Who can be the Management Representative?</strong></h3>



<p class="">Per the standard, the Management Representative must be a member of management. They do not necessarily need to be an executive, but if they are not, they should be a manager who reports to an executive.</p>



<p class="">As usual, the person who will be the Management Rep will depend on the organization. A company may have a Quality Manager or Quality Director that acts as the Management Rep. It could alternatively have a more Regulatory-specific position that includes the Management Rep duties.&nbsp;&nbsp;</p>



<p class="">However, at smaller companies, there may not be a specific member of the organization who is focused on Quality. In these situations, it is acceptable to have a different member of the management team identified as the Management Rep.&nbsp;</p>



<p class="">However, there are a couple of difficulties in this situation. The first is that it is critical that there are no conflicts of interest between the responsibilities of being the Management Rep and their other responsibilities. This can make it difficult for a manager of Operations, especially a manager of Operations who does not have a background in Quality, to be the Management Rep.</p>



<p class="">The second is that a Management Rep outside of Quality may not have the necessary expertise to understand the requirements of the role.&nbsp;</p>



<p class="">No matter the situation, the Management Rep should have significant experience and training related to Quality requirements (sign up for the newsletter below).&nbsp;</p>



<p class="">If someone outside of Quality/Regulatory is going to be the Management Rep, they should be given outside training to help them succeed in the role. It’s crucial for the Management Rep to have the appropriate knowledge and authority to be respected by other members of the management team.</p>



<h3 class="wp-block-heading" id="how-is-the-management-representative-identified"><strong>How is the Management Representative identified?</strong></h3>



<p class="">I’ve seen companies use two approaches to identifying the Management Representative.</p>



<p class="">The first is a callout in the Quality Manual, Org Chart, or Management Review procedure, either to a specific person or a title (e.g. the Quality Manager is appointed as the Management Representative).</p>



<p class="">The second is a formal document stating the responsibilities of the Management Rep, signed by the Management Rep and a member or members of top management.</p>



<h3 class="wp-block-heading" id="can-there-be-more-than-one-management-representative"><strong>Can there be more than one Management Representative?</strong></h3>



<p class="">There can only be one Management Representative for a QMS. </p>



<p class="">At larger companies, there may be more than one Management Rep throughout the entire organization, but this is only applicable if the company has different Quality Management Systems that each have their own ISO 13485 certificate.</p>



<h2 class="wp-block-heading" id="internal-communication-5-5-3"><strong>Internal Communication (5.5.3)</strong></h2>



<p class="">The last part of ISO 13485 section 5.5 is focused on communication, which is often taken for granted within organizations.&nbsp;</p>



<p class="">Two-sided communication is necessary to maintain a successful QMS. Top management and the Management Rep must disseminate information about the effectiveness of the QMS and related goals throughout the company.</p>



<p class="">At the same time, anyone in the company should be able to communicate feedback and offer improvements related to the QMS. The feedback should be encouraged by top management and reviewed seriously and efficiently by the correct people.&nbsp;</p>



<p class="">One piece of advice for encouraging employees to make suggestions about processes and the QMS is that it should not feel like homework. If employees have to navigate to a hard-to-find area in the company’s intranet or fill out a detailed form, they will be less likely to offer feedback.</p>



<p class="">The types of two-way communication will vary by company but can include meetings, feedback sessions, suggestion drop boxes, emails, posters, and more. Everyone in the company should know that top management is committed to the organization’s quality.</p>



<h2 class="wp-block-heading" id="wrapping-up">Wrapping Up</h2>



<p class="">Quality starts with people understanding their roles and how they can contribute to products and the system. To conform to ISO 13485 section 5.5, an organization needs to have a documented organizational chart with clearly defined roles and responsibilities. They should also appoint a Management Representative who has responsibility for the Quality System and communicates the effectiveness of the QMS to other members of management and throughout the organization.</p>



<p class="">If you have any questions, please leave a comment. If you found this article helpful, be sure to sign up for the newsletter below and review the rest of our articles, which cover ISO 13485 requirements in-depth.</p>



]]></content:encoded>
					
					<wfw:commentRss>https://hardcoreqms.com/13485/management-representative-responsibilities/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">650</post-id>	</item>
		<item>
		<title>The 5 Key Elements of ISO 13485</title>
		<link>https://hardcoreqms.com/13485/key-elements-of-iso-13485/</link>
					<comments>https://hardcoreqms.com/13485/key-elements-of-iso-13485/#respond</comments>
		
		<dc:creator><![CDATA[Grant Gibson]]></dc:creator>
		<pubDate>Tue, 15 Apr 2025 02:17:44 +0000</pubDate>
				<category><![CDATA[ISO 13485]]></category>
		<guid isPermaLink="false">https://hardcoreqms.com/?p=757</guid>

					<description><![CDATA[<p>Creating a QMS that conforms to ISO 13485 is a major undertaking and can be very complicated for people who are new to the medical device industry. To help you get started, I&#8217;m breaking down the five key elements of ISO 13485 and explaining the importance of the standard. Element 1: Management Responsibility The single most ... <a title="The 5 Key Elements of ISO 13485" class="read-more" href="https://hardcoreqms.com/13485/key-elements-of-iso-13485/" aria-label="More on The 5 Key Elements of ISO 13485">Read more</a></p>
]]></description>
										<content:encoded><![CDATA[
<p class="">Creating a QMS that conforms to ISO 13485 is a major undertaking and can be very complicated for people who are new to the medical device industry. To help you get started, I&#8217;m breaking down the five key elements of ISO 13485 and explaining the importance of the standard.</p>



<h2 class="wp-block-heading"><strong>Element 1: Management Responsibility</strong></h2>



<p class="">The single most important element in ISO 13485 is top management’s commitment to the Quality Management System (QMS). Employees can try their best to create high-quality, effective medical devices, but this will be impossible to achieve unless top management has bought into the process. </p>



<p class="">Top management are the ones who can dedicate the needed personnel and resources for implementing and maintaining the QMS. They make key decisions about where to focus improvement efforts when there are major concerns or negative trends.</p>



<p class="">Everything involving Quality and the QMS is made easier with top management’s commitment. If they view Quality as a means to the end of conforming to regulations, that is what the QMS will become. However, if they view the QMS as a tool for improving every process in the company and supporting the production of safe medical devices, they will see how much more power lies in the processes found in ISO 13485.</p>



<p class="">ISO 13485 has an entire section on Management Responsibility (section 5). Some of the ways top management can demonstrate their commitment to the QMS are through participation in <a href="https://hardcoreqms.com/13485/management-review-iso-13485/" data-type="post" data-id="301">management reviews</a>, creation of the <a href="https://hardcoreqms.com/13485/quality-policy-iso-13485/" data-type="post" data-id="363">Quality Policy</a> and Objectives, and appointing a Management Representative.</p>



<h2 class="wp-block-heading"><strong>Element 2: Customer Focus</strong></h2>



<p class="">The next key element of ISO 13485 is Customer Focus. Customers are essential for any business, but there are two types of customers that should be considered for a Medical Device company.</p>



<p class="">The first are the direct customers of the business, such as doctors, hospitals, or other medical device companies. Organizations need to understand and respond to their customers’ requirements as well as requirements not stated by their customers that are still essential for use. </p>



<p class="">Section 7.2 of ISO 13485, titled Customer-Related Processes, is all about how the company will determine and meet these requirements.  However, many of the other sections, such as Installation, Servicing, Complaint Handling, and more, involve heavy interaction with customers, and the customers’ needs should be considered. Organizations should also examine how they can help doctors use their products during the design and development phases.</p>



<p class="">The second type of customers are the patients who depend on the medical devices being produced. A medical device company should do everything in its power to support the safety and performance of its devices. Sections related to design and development, cleanliness of product, and sterilization are not there to check a box but rather to support the safety of devices used with patients.</p>



<h2 class="wp-block-heading"><strong>Element 3: Risk-Based Decision Making</strong></h2>



<p class="">One principle of ISO 13485 that is unique to medical device companies is the reliance on risk-based decision-making. While other standards involve the idea of risk, there is a definition of risk that is unique to medical devices, which is:&nbsp;</p>



<p class=""><em>The combination of the probability of the occurrence of harm and the severity of that harm.</em></p>



<p class="">If you are part of the medical device industry, you are familiar with the role risk plays. As part of supporting the patients who need their products, organizations need to look at many decisions through the lens of risk.</p>



<p class="">When a company is setting up a <a href="https://hardcoreqms.com/13485/medical-device-supplier-management/" data-type="post" data-id="613">supplier management process</a>, it should consider the risk the purchased products pose to the device. When it is determining how to handle a nonconformity, it should consider the risk of different dispositions. Every step of the design and development process is deeply intertwined with the concept of risk.</p>



<p class="">While risk is mentioned many times in ISO 13485, there is an additional standard that talks about risk: ISO 14971. Both of these standards are essential to the operation of a medical device QMS.</p>



<h2 class="wp-block-heading"><strong>Element 4: Document Everything</strong></h2>



<p class="">While risk is specific to medical devices, the next key element of ISO 13485 applies to many QMS standards, and that is to <strong>document everything!</strong></p>



<p class=""><a href="https://hardcoreqms.com/13485/document-control-iso-13485/" data-type="post" data-id="447">Documentation</a> is the foundation of a QMS. The first requirement in ISO 13485 is that:</p>



<p class=""><em>The organization shall document a quality management system and maintain its effectiveness in accordance with the requirements of this International Standard and applicable regulatory requirements.</em></p>



<p class="">All of your processes, work instructions, specifications, labels, etc., need to be documented. Not only that, but the documents need to be controlled so that they are approved by appropriate functions, any changes are managed, and they are available where they are needed.</p>



<p class="">Once you’ve documented all of the processes, you also need to document the outputs of those processes. The outputs are considered records and should be kept so that customers, auditors, and regulatory bodies can see evidence that you followed your documented process.</p>



<p class="">The ISO 13485 sections focused on documentation are 4.2.4 <a href="https://hardcoreqms.com/13485/document-control-iso-13485/" data-type="post" data-id="447">Control of Documents</a> and 4.2.5 Control of Records. However, nearly every section of ISO 13485 states that a process must be “documented”, and when it’s not explicitly stated, it is implied.</p>



<p class="">So, get to writing!</p>



<h2 class="wp-block-heading"><strong>Element 5: Improvement is Essential</strong></h2>



<p class="">The final key element of ISO 13485 is that the organization must always be working to improve itself and its QMS.</p>



<p class="">A QMS should never be seen as a static system that can be set up and forgotten. There are constant <a href="https://hardcoreqms.com/13485/medical-device-change-control/" data-type="post" data-id="541">changes</a> to regulations, standards, and the business environment, and a company that does not update its QMS is at risk of losing its position or failing to remain in compliance.</p>



<p class="">The inputs for improvement can come from many places: internal and external audits, customer feedback, customer complaints, corrective and preventive actions, management reviews, and nonconformances. Improvement can also come from a desire to make the QMS as good as possible, to support both customers and the different employees at the company.</p>



<p class="">Improvement ties in all of the principles discussed in this article. Management has a responsibility to determine which areas to improve and dedicate resources to improvement activities. Improving processes and devices is crucial for supporting customers. Risk-based decisions can help guide the organization to the specific issues that warrant the most attention.</p>



<p class="">Not only is improvement essential for the operation of a QMS, but it is also one area that can bring the most joy to employees. People want to be a part of improvement efforts and see processes change for the better. The ability to provide input to a company can go a long way to keeping employees interested and committed to the organization.</p>



<h2 class="wp-block-heading"><strong>Wrapping Up</strong></h2>



<p class="">By learning these 5 key elements, you are on your way to understanding ISO 13485 and its role in the medical device industry. If you found this article helpful and want to learn more about the standard, the <a href="https://hardcoreqms.com/13485/" data-type="link" data-id="https://hardcoreqms.com/13485/">ISO 13485</a> page features articles on many of the different processes and requirements. To stay up to date, be sure to sign up for the newsletter below. </p>
]]></content:encoded>
					
					<wfw:commentRss>https://hardcoreqms.com/13485/key-elements-of-iso-13485/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">757</post-id>	</item>
		<item>
		<title>Exploring Careers in Quality Management</title>
		<link>https://hardcoreqms.com/blog/quality-careers/</link>
					<comments>https://hardcoreqms.com/blog/quality-careers/#respond</comments>
		
		<dc:creator><![CDATA[Grant Gibson]]></dc:creator>
		<pubDate>Mon, 07 Apr 2025 23:13:36 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<guid isPermaLink="false">https://hardcoreqms.com/?p=625</guid>

					<description><![CDATA[<p>“So what do you do for work?” If you’re in the Quality Management field, you might not be looking forward to this question. There are a couple of different approaches. You can mention that you work in “Quality” in the “enter specific field here”. There&#8217;s a good chance they will look at you kind of ... <a title="Exploring Careers in Quality Management" class="read-more" href="https://hardcoreqms.com/blog/quality-careers/" aria-label="More on Exploring Careers in Quality Management">Read more</a></p>
]]></description>
										<content:encoded><![CDATA[
<p class="">“So what do you do for work?”</p>



<p class="">If you’re in the Quality Management field, you might not be looking forward to this question.</p>



<p class="">There are a couple of different approaches. You can mention that you work in “Quality” in the “enter specific field here”. There&#8217;s a good chance they will look at you kind of confused and not ask any follow-up questions because it sounds a bit boring (90% success rate, personally).&nbsp;</p>



<p class="">Or you can try to actually explain what you do. Now, there are a lot of different careers in Quality Management, so this will have a higher or lower success rate depending on the specifics. But unless you have a couple of uninterrupted minutes (or you can convince them to read this article), the average person will still have no idea what you do on a day-to-day basis.</p>



<p class="">The point is that Quality Management is completely unknown to most people. Even within a company, most employees outside of Quality do not know what Quality does or just believe that management hired them to make things harder.&nbsp;</p>



<p class="">If you’re ever hired to build a Quality department, the people hiring you will have some vague idea of what Quality means based on their past experiences, but trust me, you are on your own for all of the specifics.&nbsp;</p>



<p class="">But, with all that said, you’ve found yourself here. Either you started at a company with a Quality department and you’re wondering how to make the switch, you’re in college and searching for what’s out there, or you are already in the industry and looking for positions to advance.</p>



<p class="">Welcome! Here at Hardcore QMS, we write about different subjects in the Quality Management field, specifically in the Medical Device industry. This article will break down many of the different careers in both the Quality Control and Quality Assurance sides of the industry to help you understand what career options are possible.</p>



<div class="wp-block-rank-math-toc-block" id="rank-math-toc"><h2>Table of Contents</h2><nav><ul><li><a href="#what-industries-have-quality-management-professionals">What industries have Quality Management Professionals?</a><ul><li><a href="#what-about-software-quality-assurance">What about software quality assurance?</a></li></ul></li><li><a href="#whats-the-difference-between-quality-control-and-quality-assurance">What’s the difference between Quality Control and Quality Assurance?</a></li><li><a href="#salary-and-can-be-done-remotely-chart">Salary and “can be done remotely” Chart</a></li><li><a href="#quality-control-careers">Quality Control Careers</a><ul><li><a href="#quality-inspector">Quality Inspector</a></li><li><a href="#quality-technician">Quality Technician</a></li><li><a href="#quality-engineer">Quality Engineer</a></li><li><a href="#supplier-quality-engineer">Supplier Quality Engineer</a></li></ul></li><li><a href="#quality-assurance-careers">Quality Assurance Careers</a><ul><li><a href="#quality-assurance-compliance-systems-specialist">Quality Assurance/Compliance/Systems Specialist</a></li><li><a href="#regulatory-specialist">Regulatory Specialist</a></li><li><a href="#quality-auditor">Quality Auditor</a></li></ul></li><li><a href="#quality-management-positions">Quality Management Positions</a><ul><li><a href="#quality-manager">Quality Manager</a></li><li><a href="#director-vp-of-quality">Director/VP of Quality</a></li></ul></li><li><a href="#wrapping-up">Wrapping Up</a></li></ul></nav></div>



<h2 class="wp-block-heading" id="what-industries-have-quality-management-professionals"><strong>What industries have Quality Management Professionals?</strong></h2>



<p class="">For this article, I am focusing on Quality Management careers in manufacturing and related industries.</p>



<p class="">Many of these careers are in regulated fields, such as <strong>Aerospace</strong>, <strong>Automotive</strong>, <strong>Medical Devices</strong>, and <strong>Pharmaceuticals</strong>. There are also Quality Management jobs in the general manufacturing and consumer goods industries, highlighted by the large number of ISO 9001 certificates.</p>



<h3 class="wp-block-heading" id="what-about-software-quality-assurance"><strong>What about software quality assurance?</strong></h3>



<p class="">This article will not cover any positions related to the nonregulated software industry. It is that industry’s fault that the career descriptions and job postings related to Quality are completely jumbled. The software industry co-opted job names from a long-standing profession that dates back to the early 1900s, and I will not apologize for any disappointment or confusion.</p>



<h2 class="wp-block-heading" id="whats-the-difference-between-quality-control-and-quality-assurance"><strong>What’s the difference between Quality Control and Quality Assurance?</strong></h2>



<p class="">Before I get started breaking down the different careers, let’s provide some background on the differences between Quality Control (QC) and Quality Assurance (QA).</p>



<p class="">QC is a set of activities performed once something is manufactured, including testing, inspecting, and analyzing defective materials. From my perspective, this ignores aspects of Quality Engineering, so I will broaden the definition to all hands-on activities related to manufacturing.</p>



<p class="">QA is considered a “proactive” approach to quality, building processes and systems that lead to a high-quality product or service.</p>



<p class="">Note: These terms will be used randomly in your career. You may be a “Quality Assurance Inspector” or a “Quality Control Auditor”. As I said, no one outside of Quality has any clue what Quality people do, so try to take everything I say related to specific terminology with a grain of salt.</p>



<h2 class="wp-block-heading" id="salary-and-can-be-done-remotely-chart"><strong>Salary and “can be done remotely” Chart</strong></h2>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><strong>Position</strong></td><td><strong>Salary</strong></td><td><strong>Remote?</strong></td></tr><tr><td><a href="#quality-inspector" data-type="internal" data-id="#quality-inspector">Quality Inspector</a></td><td>$35,000-$60,000&nbsp;</td><td>No</td></tr><tr><td><a href="#quality-technician" data-type="internal" data-id="#quality-technician">Quality Technician</a></td><td>$45,000-$65,000</td><td>No</td></tr><tr><td><a href="#quality-engineer" data-type="internal" data-id="#quality-engineer">Quality Engineer</a></td><td>$65,000-$140,000</td><td>Infrequent</td></tr><tr><td><a href="#supplier-quality-engineer" data-type="internal" data-id="#supplier-quality-engineer">Supplier Quality Engineer</a></td><td>$90,000-$160,000</td><td>Infrequent</td></tr><tr><td><a href="#quality-assurance-compliance-systems-specialist" data-type="internal" data-id="#quality-assurance-compliance-systems-specialist">QA Specialist*</a></td><td>$50,000-$130,000</td><td>Yes</td></tr><tr><td><a href="#regulatory-specialist" data-type="internal" data-id="#regulatory-specialist">Regulatory Specialist</a></td><td>$100,000-$165,000</td><td>Yes</td></tr><tr><td><a href="#quality-auditor" data-type="internal" data-id="#quality-auditor">Quality Auditor</a></td><td>$85,000-$150,000</td><td>Yes (but 75%-100% travel)</td></tr><tr><td><a href="#quality-manager" data-type="internal" data-id="#quality-manager">Quality Manager</a></td><td>$70,000-$160,000</td><td>Possible</td></tr><tr><td><a href="#director-vp-of-quality" data-type="internal" data-id="#director-vp-of-quality">Director/VP of Quality</a></td><td>$140,000-$300,000</td><td>Yes</td></tr></tbody></table></figure>



<h2 class="wp-block-heading" id="quality-control-careers"><strong>Quality Control Careers</strong></h2>



<h3 class="wp-block-heading" id="quality-inspector"><strong>Quality Inspector</strong></h3>



<p class="">Quality Inspectors are the most hands-on professionals in the Quality field. They use a variety of measuring tools like calipers, height gages, micrometers, electronic instruments like coordinate measuring machines (CMMs), and others to measure and test products. Their job is to see if the parts and articles meet internal specifications and requirements and identify nonconforming materials.</p>



<p class="">Quality Inspection is the most “trade”-like profession in the Quality space, specializing in one specific area that requires some level of physical labor.</p>



<p class="">Quality Inspectors have to understand or learn basic math, geometric dimensioning and tolerancing (GD&amp;T), and measurement techniques.</p>



<p class="">Quality Inspection is often the entry-level position for people on the QC side of things, especially for people without a college degree. That being the case, many Quality Inspection jobs start at the lowest end of the Quality pay scale, around $35,000-$60,000 a year.</p>



<p class="">Once you are a Quality Inspector, there are a few options available. You can transition to a higher-level QC role like a Technician or Quality Engineer, or even branch into QA depending on your company (this is the route I took). Alternatively, you can take the experience gained in the manufacturing space to move into a different manufacturing area.</p>



<p class="">Outside of advancement, if you like your role in Quality Inspection, there is a very high upside for an exceptional Inspector. Please understand that these opportunities are rare, and you will have to specialize, obtain certifications in an industry involving welding or aerospace, and possibly relocate.&nbsp;</p>



<p class="">But, at this high end, there are Quality Inspection positions available that pay over $100,000 a year without requiring a college degree. The other benefit at this level is that despite what people will say, you are less likely to have your position taken by AI than other Quality roles. If the materials could be inspected by computers, they probably would be already. Quality Inspection still exists because it is hard to automate the inspection of complex products produced at low volume.</p>



<h3 class="wp-block-heading" id="quality-technician"><strong>Quality Technician</strong></h3>



<p class="">Quality Technicians share a lot of similarities with Quality Inspectors, as many companies treat it as a natural progression from the Quality Inspection role.</p>



<p class="">Quality Technicians still inspect and test products and write up nonconforming materials. All skills from Quality Inspection apply; however, there are added responsibilities and expectations.</p>



<p class="">For example, a Quality Technician may begin training Quality Inspectors, investigating nonconformances, maintaining audit schedules, and collecting data related to product quality. If a Quality Inspector is the one running a CMM, a Quality Technician could be the one programming the CMM.&nbsp;</p>



<p class="">Quality Technicians might also start performing activities related to QA, such as participating in internal audits, maintaining documents, and handling corrective actions.</p>



<p class="">Being a Quality Technician is another career that can be done without a college degree. From a review of job postings, the average requirements for a Quality Technician are a high school diploma and two to four years of experience (typically gained through Quality Inspection or time in a manufacturing environment). It could also be a job acquired through an associate’s degree or training in a manufacturing role like machining.&nbsp;</p>



<h3 class="wp-block-heading" id="quality-engineer"><strong>Quality Engineer</strong></h3>



<p class="">Quality Engineering is incredibly broad, so it’s hard to pin down everything a Quality Engineer might do in this article. Quality Engineering can include manufacturing-focused positions, specialization in processes like validation, or QA-focused roles.</p>



<p class="">A manufacturing-focused Quality Engineer handles statistical analysis, performs complex root cause investigations on nonconforming materials, builds out inspection and control plans, validates processes, and plans process and product improvement efforts.</p>



<p class="">A QA-focused Quality Engineer may work on the Quality Management System (QMS), communication and investigations regarding <a href="https://hardcoreqms.com/13485/complaint-handling-guide/" data-type="post" data-id="46">customer complaints</a>, audits, and improvement of non-manufacturing processes (e.g., speeding up product distribution).</p>



<p class="">There are also many different subgroups and specializations within Quality Engineering, especially at larger companies. Some Quality Engineers only work on equipment and process validation whenever a piece of equipment moves or a manufacturing process changes. Design Quality Engineers perform risk analysis and evaluate new products for manufacturing and quality impact.</p>



<p class="">Quality Engineers need to have a strong foundational knowledge of Quality principles and statistics. They should understand problem-solving techniques (8D, Ishikawa diagrams, Pareto charts), the Plan Do Check Act (PDCA) cycle, statistical control, and more. In my opinion, the heavy use of these tools makes Quality Engineering the most “true-to-Quality” career available.&nbsp;</p>



<p class="">It’s also useful for Quality Engineers to understand Lean and Six Sigma principles. If you want to gain credentials in Six Sigma, you can learn more <a href="https://hardcoreqms.com/blog/asq-cssgb-exam/" data-type="post" data-id="423">in my article</a> about passing the Certified Six Sigma Green Belt exam.&nbsp;</p>



<p class="">Quality Engineering is the point where we move from Quality “trades” into a professional career. That being the case, becoming a Quality Engineer typically requires a bachelor’s degree, specifically in engineering (mechanical, biomedical, manufacturing, etc). In fact, many mechanical and manufacturing engineers start their careers as Quality Engineers.&nbsp;</p>



<p class="">However, there are some exceptions, and it is possible to advance to a Quality Engineering position with an associate’s degree or accumulated on-the-job Quality experience. (Note, this applies to US-based positions, as countries like Canada have protections in place dictating that you can only have “Engineer” in your title if you have an engineering degree).</p>



<p class="">Entry-level Quality Engineers sometimes earn less than their counterparts in other areas of engineering; however, the pay range for Quality Engineers is large, and there are lots of growth opportunities. On average, a Quality Engineer can expect to earn between $75,000 (at the very entry level) and $140,000 depending on education and experience. There are even positions for Senior Quality Engineers available that pay upwards of $175,000 a year.</p>



<p class="">Also, while many career certifications provide marginal utility at best, the <a href="https://www.asq.org/cert/quality-engineer" data-type="link" data-id="https://www.asq.org/cert/quality-engineer" target="_blank" rel="noopener">Certified Quality Engineer (CQE)</a> certificate offered by the American Society of Quality is beneficial and sought by employers. If you are new to Quality, this won’t help you get a job in Quality Engineering as it requires eight years of experience or four years of experience with a bachelor’s degree, but it is worth pursuing if you want to advance in Quality.</p>



<h3 class="wp-block-heading" id="supplier-quality-engineer"><strong>Supplier Quality Engineer</strong></h3>



<p class="">Supplier Quality Engineering is a subgroup of Quality Engineering that focuses on materials coming in the door. A Supplier Quality Engineer should have all of the same skills as Quality Engineers that were listed above, but their day-to-day responsibilities will focus on interactions with suppliers and supplied material.</p>



<p class="">For example, a Supplier Quality Engineer will manage incoming inspection efforts, monitor supplier metrics and nonconformances, and handle the administration of Supplier Related Corrective Actions (SCARs). They might also perform supplier audits or visit suppliers to help work through quality issues related to products.</p>



<p class="">Supplier Quality Engineering roles require more experience than entry-level Quality Engineer roles, and someone may have to work as an engineer or Quality Engineer for a few years before transitioning into Supplier Quality Engineering. The pay scale reflects this experience, and a Supplier Quality Engineer can expect to earn between $90,000 and $160,000 a year.</p>



<h2 class="wp-block-heading" id="quality-assurance-careers"><strong>Quality Assurance Careers</strong></h2>



<h3 class="wp-block-heading" id="quality-assurance-compliance-systems-specialist"><strong>Quality Assurance/Compliance/Systems Specialist</strong></h3>



<p class="">Now, we are venturing over into the QA side of things. For ease, I am lumping a bunch of different job titles into this one category, including:</p>



<ul class="wp-block-list">
<li class="">Quality Assurance Associate</li>



<li class="">Quality Assurance Specialist</li>



<li class="">Quality Compliance Specialist</li>



<li class="">Quality Systems Specialist</li>



<li class="">Quality Specialist</li>
</ul>



<p class="">These jobs have very similar duties, and they are based on doing everything related to Quality Assurance and the QMS. Also, the industries with the highest number of these positions are the Medical Device and Pharmaceutical industries.</p>



<p class="">The specifics will vary greatly depending on the position and industry, but some of the activities included under these job titles include:</p>



<ul class="wp-block-list">
<li class="">Running the <a href="https://hardcoreqms.com/13485/document-control-iso-13485/" data-type="post" data-id="447">document management system</a>.</li>



<li class="">Administering the electronic Quality Management System (eQMS).</li>



<li class="">Writing Standard Operating Procedures (SOPs), Work Instructions, and other Quality-related documents.</li>



<li class="">Coordinating a company’s <a href="https://hardcoreqms.com/13485/iso-13485-training-requirements/" data-type="post" data-id="257">training program</a>.</li>



<li class="">Performing Internal and External audits.</li>



<li class="">Leading <a href="https://hardcoreqms.com/13485/medical-device-change-control/" data-type="post" data-id="541">Change Control</a> Efforts.</li>



<li class="">Tracking and trending quality data.</li>



<li class="">Supporting customer, registrar/notified body, and regulatory audits.</li>



<li class="">Root Cause investigations for internal and supplier nonconformities.</li>



<li class="">Creating corrective action plans and ensuring CAPAs are carried out.</li>



<li class="">Investigating <a href="https://hardcoreqms.com/13485/complaint-handling-guide/" data-type="post" data-id="46">customer complaints</a>.</li>



<li class="">Preparing <a href="https://hardcoreqms.com/13485/management-review-iso-13485/" data-type="post" data-id="301">Management Review</a> material.&nbsp;</li>
</ul>



<p class="">At a larger company, the position may focus on only one or a handful of the listed activities. But at a medium or small company, you may be doing everything on that list!</p>



<p class="">To excel in the role, a QA Specialist (and related titles) needs to have a background in Quality principles, as well as an understanding of Quality Management Systems. If you are interested in learning more about Quality Management Systems, especially for Medical Devices, <a href="https://hardcoreqms.com/" data-type="link" data-id="https://hardcoreqms.com/">our website</a> is a great place to start!</p>



<p class="">In addition to similar skills as Quality Engineers, these careers rely heavily on writing ability. The role involves a substantial amount of paperwork and the creation and editing of SOPs and other documents.&nbsp;</p>



<p class="">Many times, especially at smaller companies, QA Specialists venture into regulatory work. We’ll discuss some specifics with Regulatory Specialists below, but learning or having an understanding of specific regulations, both as they apply to the QMS and other aspects of the regulatory landscape, can be very beneficial.</p>



<p class="">Becoming a QA Specialist typically requires a bachelor’s degree; however, the type of degree can be more varied. Engineering degrees are useful, but depending on the industry, a Biology, Chemistry, Quality Management, or even an unrelated degree can be sufficient.&nbsp;</p>



<p class="">There are positions available that do not require a degree; however, they do require experience to make up for the degree. In my opinion, this is what makes these types of roles the hardest jobs to get in the Quality space. This may seem backward at first, but all of the other roles either don’t require a college degree at the entry level (Quality Inspector or Technician) or can be worked up to by building experience in different areas of Quality.&nbsp;</p>



<p class="">But, if someone cannot break into the industry, they aren’t able to get started getting experience to move up through the other careers.&nbsp;</p>



<p class="">If you are interested in this type of career and don’t have a degree, my advice is to either start on the QC side of things or try and get an entry-level position related to Document Control. There are some Document Control positions (administrator, coordinator, or specialist) that don’t require a degree and can provide some of the background and experience necessary to move into QA.</p>



<p class="">A large number of different titles have been included in this section, which leads to a large salary range. An entry-level person in QA can expect to earn between $50,000 and $70,000, while a more experienced person or Senior Quality Systems Specialist can expect to earn $90,000-$130,000 a year.</p>



<h3 class="wp-block-heading" id="regulatory-specialist"><strong>Regulatory Specialist</strong></h3>



<p class="">I’m including Regulatory Specialists as a subset of the group I talked about above; however, there are plenty of disagreements about the relationships between Quality and Regulatory.</p>



<p class="">Regulatory Specialists will have in-depth and experienced knowledge about the specific regulatory requirements of their industry. Taking my industry (Medical Devices) as an example, Regulatory Specialists are tasked with preparing and submitting Medical Devices for clearance or approval to the FDA and other foreign regulatory bodies. They may help with the QMS as well; however, the submission process is typically what separates someone into a Regulatory position.</p>



<p class="">Becoming a Regulatory Specialist requires at least a bachelor’s degree and a healthy amount of experience in the industry. An advanced degree is also beneficial.</p>



<p class="">If you are working in a Medical Device or Pharmaceutical company and want to move into the regulatory space, you should try and learn as much as you can about the submittal process and how information is communicated with regulatory bodies.</p>



<p class="">Being specialized and having more experience, Regulatory Specialists can expect to earn between $100,000 and $165,000 a year. This is a great career path for someone who wants to move into consulting, as companies often rely on consultants for the preparation of submission documents.</p>



<h3 class="wp-block-heading" id="quality-auditor"><strong>Quality Auditor</strong></h3>



<p class="">Outside of being a Quality Inspector, a Quality Auditor may be the only position on this list where you can explain what you do to someone at a party.&nbsp;</p>



<p class="">Put simply, Quality Auditors audit companies to Quality Management System and other standards. Some of these standards include ISO 9001, AS9100, ISO 13485, ISO 14001, and ISO 27001.&nbsp; There are positions available for Auditors in a wide array of industries, including general manufacturing, Aerospace, Medical Devices, Pharmaceuticals, and more.</p>



<p class="">There are two different types of Quality Auditors I am going to discuss in this article.&nbsp;</p>



<p class="">The first is a Quality Auditor who works for a company in one of the above industries. These positions share similarities with Supplier Quality Engineers; however, more time is dedicated to auditing suppliers. Alternatively, a Quality Auditor may be focused on performing Internal Audits at their company or visiting different sites and performing Internal Audits at a larger company.</p>



<p class="">The second is a Quality Auditor who works for an auditing and accreditation company. These types of Auditors are responsible for visiting different companies to see if they meet the relevant standards and can receive their ISO 9001, ISO 13485, or other certificates.</p>



<p class="">A Quality Auditor can expect to spend almost all their time (3 to 4 weeks a month) traveling to different sites. For this reason, many Quality Auditors are semi-retired professionals who have spent their life in QA. However, I believe this is also a great career for someone younger, with 2-4 years of experience out of college, who would like to travel for work and is not interested in sales.</p>



<p class="">Becoming a Quality Auditor typically requires a bachelor’s degree that’s relevant to the specific industry (for example, biomedical engineering or chemistry for Medical Devices) and 2-10 years of experience in the industry, or a <strong>substantial</strong> amount of experience as a QA professional who is performing audits as part of their duties.&nbsp;</p>



<p class="">Quality Auditing also requires outside education and certification as a prerequisite for the position. This could start with the <a href="https://www.asq.org/cert/quality-auditor?srsltid=AfmBOorRL3RO0KVvD5fQI1p-jpQLXE21Kjci5TQKDCEIaqljzgopqgZu" data-type="link" data-id="https://www.asq.org/cert/quality-auditor?srsltid=AfmBOorRL3RO0KVvD5fQI1p-jpQLXE21Kjci5TQKDCEIaqljzgopqgZu" target="_blank" rel="noopener">Certified Quality Auditor</a> certification offered by ASQ, but audit training on the specific industry standard is also necessary.</p>



<p class="">As far as pay goes, a Quality Auditor can expect to earn between $85,000 and $150,000 a year based on experience.</p>



<h2 class="wp-block-heading" id="quality-management-positions"><strong>Quality Management Positions</strong></h2>



<h3 class="wp-block-heading" id="quality-manager"><strong>Quality Manager</strong></h3>



<p class="">Now that I’ve gone over some of the individual contributor careers in Quality, it’s time to break down the Quality Manager position. Just as each title can be used for many different types of jobs, a Quality Manager position adds up all of the variance and is as unique to the specific company as a job can be.&nbsp;</p>



<p class="">A Quality Manager could manage a specific department for any of the roles we’ve listed. There are Quality Engineering Managers, QC Managers, QA Managers, Quality Auditor Managers, Regulatory Managers, and more. Or, a Quality Manager could lead both the QC and QA programs at a site or company.</p>



<p class="">In the most basic form, a Quality Manager directs different Quality professionals, interacts with management in different departments, and controls the budget for Quality programs and tools.</p>



<p class="">One thing that makes a Quality Manager unique from managers of other departments is that the Quality Manager may be officially responsible for the company’s Quality and QMS. This means that they will be in charge of any ISO certifications at the company and will be speaking with federal agencies that come to inspect the company.</p>



<p class="">In the Medical Device world, the official responsibility is mandated by the FDA as the “Management Representative” who is in charge of the company’s Management Review Meetings and will be held responsible if they allow unethical Quality practices to take place.</p>



<p class="">To become a Quality Manager, the main thing needed is experience, experience, experience. Typically, this means 5-10 years of experience in a Quality department (Quality Engineering or Quality Assurance) of the relevant industry.&nbsp;</p>



<p class="">You also need supervisory experience. For first-time managers, the experience is often obtained through promotion in their company. However, if you are not able to be promoted at your company, look to gain experience by leading projects and quality improvement efforts. Once you have gained experience leading projects, you can seek out other companies that are hiring Quality Managers.&nbsp;</p>



<p class="">The certifications mentioned in the above sections can also be useful in becoming a Quality Manager. This includes Quality Engineer, Quality Auditor, and Six Sigma certifications.&nbsp;</p>



<p class="">The salary for a Quality Manager will vary depending on experience and industry. The average pay for a Quality Manager is about $100,000-$120,000, with entry-level managers earning as low as $70,000 and senior managers earning upwards of $160,000-$200,000 a year.</p>



<h3 class="wp-block-heading" id="director-vp-of-quality"><strong>Director/VP of Quality</strong></h3>



<p class="">At the very top of the Quality hierarchy are the Director of Quality and Vice President of Quality positions.&nbsp;</p>



<p class="">The existence of this type of role depends on the size and geographical distribution of the specific company. At certain organizations, the Quality Manager is the highest level of the Quality department, while at very large corporations, there may be multiple VPs of Quality.</p>



<p class="">Directors and VPs of Quality usually have multiple Quality Managers reporting to them, and oversight over multiple or all of the sites in an organization. They are removed from the day-to-day activities of Quality and are instead focused on guiding their reports, setting company-wide Quality processes and objectives, and leading large-scale Quality improvement efforts.</p>



<p class="">Like many Director and VP-level roles, a lot of the focus is on strategy. This can include a company&#8217;s regulatory strategy, strategic planning, and resource distribution.&nbsp;</p>



<p class="">The Director/VP of Quality may spend a significant amount of time traveling to the different parts of an organization and be on call in case any of the facilities are inspected by regulatory bodies.</p>



<p class="">This level requires a substantial amount of education and experience. A bachelor’s degree is typically a necessity, while a master’s degree or even a PhD may be required depending on the industry. A person could also have a combination of a Bachelor of Science degree in Engineering and an MBA or other business degree.</p>



<p class="">As far as experience goes, companies look for someone with 10-20 years of experience in the industry and 5-10 years of experience as a Manager (for director-level roles) or Director (for VP-level roles).</p>



<p class="">Being the highest-level careers in Quality, Director and VP of Quality roles pay a substantial amount. For Directors, this can be anywhere from $140,000 to $220,000, while for VPs, this can be $200,000 to over $300,000 at a large organization.</p>



<h2 class="wp-block-heading" id="wrapping-up"><strong>Wrapping Up</strong></h2>



<p class="">Quality Management can be a challenging and rewarding career, with many different paths available depending on your interests. Hopefully, you were able to learn something or gain some interest in a new role through this article.</p>



<p class="">If you would like to learn more about Quality and Quality Management Systems, be sure to explore the site and sign up for our newsletter. Also, if you are looking for any advice and want to reach out, you can do so at <a href="mailto:info@hardcoreqms.com">info@hardcoreqms.com</a>.</p>



<p>The post <a rel="nofollow" href="https://hardcoreqms.com/blog/quality-careers/">Exploring Careers in Quality Management</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://hardcoreqms.com/blog/quality-careers/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">625</post-id>	</item>
		<item>
		<title>What&#8217;s the right number of SOPs for your QMS?</title>
		<link>https://hardcoreqms.com/blog/number-of-sops/</link>
					<comments>https://hardcoreqms.com/blog/number-of-sops/#respond</comments>
		
		<dc:creator><![CDATA[Grant Gibson]]></dc:creator>
		<pubDate>Thu, 03 Apr 2025 00:26:05 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<guid isPermaLink="false">https://hardcoreqms.com/?p=692</guid>

					<description><![CDATA[<p>Spoiler Alert: This article isn’t going to tell you how many SOPs to create. Instead, I want to provide a framework for thinking about SOPs and other documents, and what the benefits are to different approaches. Each company will handle this question differently, depending on the specific tools and shortcomings of that company. However, it’s ... <a title="What&#8217;s the right number of SOPs for your QMS?" class="read-more" href="https://hardcoreqms.com/blog/number-of-sops/" aria-label="More on What&#8217;s the right number of SOPs for your QMS?">Read more</a></p>
<p>The post <a rel="nofollow" href="https://hardcoreqms.com/blog/number-of-sops/">What&#8217;s the right number of SOPs for your QMS?</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="">Spoiler Alert: This article isn’t going to tell you how many SOPs to create.</p>



<p class="">Instead, I want to provide a framework for thinking about SOPs and other documents, and what the benefits are to different approaches. Each company will handle this question differently, depending on the specific tools and shortcomings of that company. However, it’s best to take a conscious approach to this question.</p>



<p class=""><strong>What do I mean by SOPs?</strong></p>



<p class="">In the Quality world, people love to use different terms and acronyms for the same things. What I mean by SOP is: Standard Operating Procedure, Quality Procedure, Procedure, Top Level Procedure, etc. Wherever you document your training process is what I mean as an SOP.&nbsp;</p>



<p class="">However, the same approach can be applied to Work Instructions (WI, work guides, work standards, you get the point). All of the documents ultimately fit into this same framework.</p>



<h3 class="wp-block-heading"><strong>What do you need to document?</strong></h3>



<p class="">When a company decides to embark on the mission to meet a QMS standard (such as ISO 13485), it is presented with a list of processes that it must create and document. These processes will eventually be <a href="https://hardcoreqms.com/13485/document-control-iso-13485/" data-type="post" data-id="447">documented in SOPs</a>. </p>



<p class="">If the company wants to meet the standard, they don’t have a choice for which processes to implement. Everything in the standard must be documented in some way (outside of exclusions and non-applicable sections).&nbsp;</p>



<p class="">That said, no one is telling you the number of SOPs you need to contain all of these processes.&nbsp;</p>



<p class="">If you are an absolute lunatic, you could put every SOP for your company in one giant Quality Manual (believe it or not, you could pull this off and still have a shorter Quality Manual than some companies).&nbsp;</p>



<p class="">On the other hand, if maintaining documents is your passion, you can create an SOP for every aspect of design control or each line of your document control process (review of documents, approval of documents, availability of documents).  I’m not stopping you (your boss probably will).</p>



<p class="">For a more realistic example, look at our recent articles on <a href="https://hardcoreqms.com/13485/medical-device-supplier-management/" data-type="post" data-id="613">Supplier Management</a>, <a href="https://hardcoreqms.com/13485/purchasing-guide/" data-type="post" data-id="636">Purchasing</a>, and <a href="https://hardcoreqms.com/13485/verification-purchased-product/" data-type="post" data-id="738">Verification of Purchased Products</a>. An organization can combine all these processes into the same SOP or break them out into individual SOPs. Or, it can put Supplier Management and Purchasing in one SOP, and add Verification of Purchased Product into an SOP on inspection. Or any other combination that makes sense! </p>



<p class="">How do they choose?</p>



<p class="">What this comes down to is: do you want a larger number of SOPs that are more concise or fewer SOPs that are longer?</p>



<h3 class="wp-block-heading"><strong>Greater Number of SOPs</strong></h3>



<p class="">I’m going to talk about having more SOPs that are concise first because that is my bias. But, I won’t judge you for taking a different approach; it’s your QMS and organization.</p>



<p class="">The benefits of this approach are:</p>



<ul class="wp-block-list">
<li class="">The more precise an SOP is, the easier it is to find the relevant information in the document.</li>



<li class="">It’s easier to <a href="https://hardcoreqms.com/13485/iso-13485-training-requirements/" data-type="post" data-id="257">train people</a> on a particular process. Maybe your Purchasing personnel need to train on both the Supplier Management process and Purchasing process, while Quality personnel only need to train on Supplier Management. If both of these processes are in one SOP, you can’t differentiate the training.</li>



<li class="">Speaking of training, I believe this approach is better for having people actually read documents. If you hand them a 25-page procedure, it’s going to be a slog to get through. If you hand them five 5-page procedures, they can get through each one of them with a cup of coffee.</li>



<li class="">Changes:
<ul class="wp-block-list">
<li class="">If the process is specific, you might need fewer people to review and approve changes to an SOP.</li>



<li class="">If you need to make a change to an SOP, you can do so without affecting broad procedures.</li>
</ul>
</li>
</ul>



<p class="">The issues with this approach:</p>



<ul class="wp-block-list">
<li class="">You have more documents to maintain and review.</li>



<li class="">While I believe this is a better approach to training, it is certainly harder to maintain training documentation.</li>



<li class="">It can be harder to find the particular document you need.</li>



<li class="">In an audit scenario, you will need to flip between more documents.</li>



<li class="">This approach will necessarily lead to a greater number of changes. If the <a href="https://hardcoreqms.com/13485/medical-device-change-control/" data-type="post" data-id="541">change control process</a> is complicated, this will be a challenge.</li>



<li class="">If you require a lot of preliminary information in your procedures (responsibilities, definitions, etc.), you may end up with a bunch of documents that are one page of intro and half a page of the actual procedure.</li>
</ul>



<p class="">Looking at these, it’s easy to imagine why this needs to be an organization-specific decision. If you don’t have a good system for handling documents, it will be difficult as there are more documents to maintain. If the company’s change control process is a slog, you might want to make fewer changes.&nbsp;</p>



<p class="">This is why it’s best to understand how everything functions within a system at your organization.</p>



<h3 class="wp-block-heading"><strong>Fewer SOPs</strong></h3>



<p class="">In the other corner, let’s look at having fewer SOPs that are longer. Overall, you can take the above pros and cons, and flip them for this approach. So, to keep things interesting I will try to add some new information on the specifics.</p>



<p class="">Some benefits of having fewer SOPs are:</p>



<ul class="wp-block-list">
<li class="">This approach could be better if your SOPs are focused on a very high-level view of the process with separate Work Instructions to build out the specifics.</li>



<li class="">It can make your SOPs seem more important. Looking at the typical document pyramid, you have policies at the top, followed by SOPs. If you have only 10 SOPs, they may feel more significant than 30 SOPs. It’s all about perception, after all.</li>



<li class="">All of the documents will be easier to maintain. You do not need to review as many procedures or have as many documents in training files, and it will reduce your records and more.</li>



<li class="">You can combine similar processes. If you want everything related to one subject in the same area, this is the way to go.</li>
</ul>



<p class="">Additional risks and issues with this approach:&nbsp;</p>



<ul class="wp-block-list">
<li class="">Making a change or editing the document could feel like a monumental task. Do you really want to change a 30-page SOP to fix a couple of minor issues? Or, you can add them up as drafts over time and leave yourself with a massive undertaking when it is time for change control.</li>



<li class="">It could be harder to match each process required by ISO to the correct SOP.</li>



<li class="">Training will be more difficult. People will have to read longer documents, or, if you are doing in-person training, employees will have to take in a lot of information that does not apply to their job.</li>



<li class="">If the company decides to implement a completely new process, say, human factors, where are they going to put it? Will it be the only shorter SOP? Will it be added to the design control process, making it even longer?</li>
</ul>



<p class="">Once again, you will have to do what is best for your organization. There is no set number or limit of required SOPs, and each approach should be based on the unique situation.</p>



<h3 class="wp-block-heading"><strong>Put things where they make sense</strong></h3>



<p class="">Finally, when you are deciding on how many SOPs you need at your company, remember to put things where they make sense. Keep it simple.</p>



<p class="">While I prefer having more SOPs that are shorter, this doesn’t mean I break things up as much as possible. For example, when I created a document control procedure at my company, I included a section on records.</p>



<p class="">Could I break them up if I really wanted to? Sure, but it would not add the same benefits that I discussed.&nbsp;</p>



<p class="">For example, the documents and records live in the same place within our QMS. If there were two SOPs, I would have to discuss the system twice. Also, everyone who is going to be trained on document control is going to be trained on records.&nbsp;&nbsp;</p>



<p class="">However, if this is different with your organization or your document control procedure is becoming too lengthy, it’s totally fine to break them up.</p>



<p class="">Another example is with Corrective and Preventive Actions. Are these the same processes? Technically no, and they are in two different sections of ISO 13485. But do they use the same system? Are they similar enough to combine? This is why most organizations choose to have one CAPA SOP.</p>



<p class="">Put each process in the SOP that makes the most sense for your organization while keeping SOPs lean enough to get the benefits discussed above.</p>



<h3 class="wp-block-heading"><strong>Didn’t you mention something about Work Instructions?</strong></h3>



<p class="">Yes, much of what we talked about for SOPs can also be applied to Work Instructions.</p>



<p class="">Say you are assembling a wheelchair.</p>



<p class="">If one person is assembling the wheelchair from assorted parts, it could make sense to have a single WI titled Assembling the XXXX Wheelchair WI.</p>



<p class="">However, imagine there’s a welding step involved. You can ask yourself: “Is the welding process performed only for this one model, or is it used on many different wheelchairs?”</p>



<p class="">If the company has a welding step for multiple unique models of wheelchairs, you could break out welding into its own WI, and reference it in the assembly WI. If the welding is only for one model but is performed by a separate individual or functional group, it could also make sense to break up the WI.</p>



<p class="">That said, it&#8217;s not a great idea to take this to the extreme. Maybe all of the wheelchairs involve a step to screw in the wheel. This doesn’t mean you want an entire WI dedicated to screwing in the wheels that is one step long and is referenced from all of your assembly WIs.</p>



<p class="">The goal is to find a balance between having someone jump between 20 different documents and having massive, cumbersome WIs that include long, repeated sections and involve five different functional groups.</p>



<h3 class="wp-block-heading"><strong>Wrapping Up</strong></h3>



<p class="">Hopefully, this article was able to bring you some clarity on how you want to document SOPs and WI for your QMS. If you liked the article, be sure to check out the rest of the website which is focused on making better Quality Management Systems, and sign up for our newsletter below.</p>



<p>The post <a rel="nofollow" href="https://hardcoreqms.com/blog/number-of-sops/">What&#8217;s the right number of SOPs for your QMS?</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://hardcoreqms.com/blog/number-of-sops/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">692</post-id>	</item>
		<item>
		<title>Verifying Purchased Product According to ISO 13485 7.4.3</title>
		<link>https://hardcoreqms.com/13485/verification-purchased-product/</link>
					<comments>https://hardcoreqms.com/13485/verification-purchased-product/#respond</comments>
		
		<dc:creator><![CDATA[Grant Gibson]]></dc:creator>
		<pubDate>Mon, 31 Mar 2025 22:31:03 +0000</pubDate>
				<category><![CDATA[ISO 13485]]></category>
		<category><![CDATA[Procedure Guides]]></category>
		<guid isPermaLink="false">https://hardcoreqms.com/?p=738</guid>

					<description><![CDATA[<p>You’ve qualified your suppliers and purchased their products, but what should a company do once the products arrive? ISO 13485 section 7.4.3 is all about the verification of purchased products to ensure they meet the company’s and supplier’s specifications. What are the requirements for verification of purchased product? The variety in purchased product verification can ... <a title="Verifying Purchased Product According to ISO 13485 7.4.3" class="read-more" href="https://hardcoreqms.com/13485/verification-purchased-product/" aria-label="More on Verifying Purchased Product According to ISO 13485 7.4.3">Read more</a></p>
<p>The post <a rel="nofollow" href="https://hardcoreqms.com/13485/verification-purchased-product/">Verifying Purchased Product According to ISO 13485 7.4.3</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="">You’ve qualified your suppliers and purchased their products, but what should a company do once the products arrive? ISO 13485 section 7.4.3 is all about the verification of purchased products to ensure they meet the company’s and supplier’s specifications.</p>



<div class="wp-block-rank-math-toc-block" id="rank-math-toc"><h2>Table of Contents</h2><nav><ul><li><a href="#what-are-the-requirements-for-verification-of-purchased-product">What are the requirements for verification of purchased product?</a></li><li><a href="#relationship-between-supplier-management-and-verification">Relationship between Supplier Management and Verification</a></li><li><a href="#verifications-of-products">Verifications of Products</a></li><li><a href="#verification-of-services">Verification of Services</a></li><li><a href="#supplier-nonconformities">Supplier Nonconformities</a></li><li><a href="#documentation-requirements">Documentation Requirements</a></li><li><a href="#changes-to-purchased-product">Changes to Purchased Product</a></li><li><a href="#wrapping-up">Wrapping Up</a></li></ul></nav></div>



<h2 class="wp-block-heading" id="what-are-the-requirements-for-verification-of-purchased-product"><strong>What are the requirements for verification of purchased product?</strong></h2>



<p class="">The variety in purchased product verification can be massive, which is one reason that ISO 13485 is not prescriptive in this section. What the requirement comes down to is that an organization must have established processes for the inspection or other verification activities needed to confirm purchased product meets purchasing requirements.</p>



<p class="">It is up to the organization to decide on the method they will use to check the products they purchase. Some of the inputs going into the decision are the type of product, risk level, effect the purchased product has on the medical device, and feasibility of verification. As I will discuss below, the most influential input is the supplier management process.</p>



<h2 class="wp-block-heading" id="relationship-between-supplier-management-and-verification"><strong>Relationship between Supplier Management and Verification</strong></h2>



<p class="">Companies should always strive to lower their appraisal costs. Inspection and other forms of verification are expensive and are among the least effective means of guaranteeing the quality of a company’s devices.&nbsp;</p>



<p class="">For purchased products, a company does not have the option of further validating or improving the process. This means that the mechanism to lower appraisal costs is <a href="https://hardcoreqms.com/13485/medical-device-supplier-management/" data-type="post" data-id="613">supplier management</a>.</p>



<p class="">One way of understanding this is that, at similar risk levels, there is an inverse relationship between supplier management and verification of purchased products. Companies can choose to do 100% inspection for every purchase and have minimal supplier controls, but this is ineffective and expensive.&nbsp;</p>



<p class="">Instead, they should utilize their supplier management process to establish tight relationships with high-quality suppliers. If an organization can trust that the materials coming in their door will meet specifications, they do not need to devote as much time to verification.</p>



<p class="">This idea can be built into your supplier management process. As you determine the different risk levels and requirements for various products, you can state the required verification activities for those risk levels. You can also lower the verification activities if the supplier meets the stated criteria.</p>



<p class="">For certain types of suppliers, such as sterilization suppliers, companies may not have easy methods of verifying that the activity was successfully completed. This is why sterilization suppliers are almost always in the highest risk category of a medical device company’s supplier management process. The verification is built into the supplier management process.</p>



<h2 class="wp-block-heading" id="verifications-of-products"><strong>Verifications of Products</strong></h2>



<p class="">As usual, the type of verification activities a company should perform depends on its medical device and the purchased product.</p>



<p class="">Certain verification activities extend beyond medical devices and are good for any business, namely checking that all of the purchased products are there, identified, and undamaged.</p>



<p class="">Other initial activities can include checking the packing slip and any Certificates of Conformity (CoC) or Certificates of Analysis (CoA). For low-risk products and/or well-qualified suppliers, this could be the full extent of the verification activities.&nbsp;</p>



<p class="">That said, it is still a good idea to occasionally verify the supplier’s claims. Confirming the results of a CoC/CoA can be done frequently when initially qualifying a supplier, with fewer checks performed once the relationship is established. Organizations can also choose to verify the supplier’s products according to different sampling plans.</p>



<p class="">Verification activities that require more resources include testing and inspection of purchased products. This could mean measuring products with mechanical tools to see if the dimensions are within specification, sending products out to third-party testing companies, etc.</p>



<p class="">The inspection and testing will need to be performed according to a specified sampling plan. It is a good idea to include items like the AQL criteria in a Quality Agreement with a supplier so that both parties can better agree on the inspection results. The sampling plan could also change based on the results of previous inspections, with increased inspection being performed if products are consistently outside of their specifications.</p>



<h2 class="wp-block-heading" id="verification-of-services"><strong>Verification of Services</strong></h2>



<p class="">While measuring a product makes sense to most people, it’s common to struggle with the idea of verifying services.&nbsp;</p>



<p class="">No surprise, but the type of verification will depend on the specific service being provided.</p>



<p class="">As an example, it is standard for <a href="https://hardcoreqms.com/13485/iso-13485-measuring-equipment/" data-type="post" data-id="526">calibration suppliers</a> to send certificates for the calibration of measuring equipment. Organizations should review the calibration certificates to ensure they contain the necessary information and include any organization-specific requirements. For a service supplier providing internal auditing, the verification could be the receipt and review of the audit report.</p>



<p class="">Sterilization suppliers perform a high-risk process that is difficult to verify. To verify the sterilization activities, companies should record the CoC in addition to having strong supplier controls. Remember, supplier management activities like auditing can be included as part of the verification of purchased product.</p>



<h2 class="wp-block-heading" id="supplier-nonconformities"><strong>Supplier Nonconformities</strong></h2>



<p class="">Organizations also need to determine how they will respond when an incoming test or inspection determines that a product or service does not meet its specifications.&nbsp;</p>



<p class="">Similar to an internal nonconformance process, companies have several options available. They can return the product to the supplier, rework the purchased product, accept the product’s use under concession, or scrap the material on site. The <a href="https://www.fda.gov/medical-devices/medical-device-single-audit-program-mdsap/mdsap-audit-procedures-and-forms" data-type="link" data-id="https://www.fda.gov/medical-devices/medical-device-single-audit-program-mdsap/mdsap-audit-procedures-and-forms" target="_blank" rel="noopener">MDSAP audit approach</a> has more information about dispositioning nonconforming purchased product. The decision should be approved and documented.</p>



<p class="">The organization should also notify the supplier about the nonconformance. If the nonconformance is serious or if there are repeated nonconformances, the issue may escalate to a Supplier Corrective Action Request, which we cover in more detail in our <a href="https://hardcoreqms.com/13485/medical-device-supplier-management/" data-type="post" data-id="613">Supplier Management Guide</a>.</p>



<h2 class="wp-block-heading" id="documentation-requirements"><strong>Documentation Requirements</strong></h2>



<p class="">An organization should document or record the following information to support its processes for verifying purchased material:</p>



<ul class="wp-block-list">
<li class="">Process for verifying purchased products</li>



<li class="">Process for handling nonconforming purchased products</li>



<li class="">Inspection, test, and sampling plans for purchased products</li>



<li class="">Records of verification of purchased products</li>



<li class="">Records resulting from any nonconforming purchased products</li>
</ul>



<p class="">I also recommend holding onto supplier-provided documents like CoCs with the verification records.&nbsp;</p>



<h2 class="wp-block-heading" id="changes-to-purchased-product"><strong>Changes to Purchased Product</strong></h2>



<p class="">The next requirement in ISO 13485 section 7.4.3 involves changes a supplier makes to a purchased product.</p>



<p class="">As part of supplier management, organizations need to have a Change Notification Agreement in place with their supplier. This requirement covers what the organization should do once they are notified of a change.</p>



<p class="">The good thing is that if the supplier is following the agreement, an organization should have a significant amount of time to respond to a change. As soon as a company becomes aware of a change from a supplier, it should initiate the change in its own <a href="https://hardcoreqms.com/13485/medical-device-change-control/" data-type="post" data-id="541">change control process</a>.</p>



<p class="">The actions taken will depend on the specifics of the change. A change could have no effect on the device, a facility change could require a new audit, and a specification change might start a whole series of design control activities.</p>



<p class="">If the change has anything to do with the fit, form, or function of the device, the change should be reviewed for its impact on the medical device. The change might be significant enough to require new design verification and validation activities.</p>



<p class="">While it is possible to grasp the full effects of the change based on the information in the notification, it’s also useful to test the newest version of the product once it is available. Additionally, it is common to perform a First Article Inspection on a new version of a product, which is a more thorough inspection, to ensure it matches the supplier&#8217;s and organization&#8217;s specifications.</p>



<h2 class="wp-block-heading" id="wrapping-up"><strong>Wrapping Up</strong></h2>



<p class="">Wrapping up, I will stress that while verifying purchased material may be necessary, organizations should have strong supplier controls to limit appraisal activities. It can be extremely difficult for a company to respond to nonconforming purchased material, and doing so can seriously delay production. Having good supplier controls in place will not only lower appraisal costs but will also reduce the likelihood of having to handle nonconforming purchased products.</p>



<p class="">If you have any questions, please leave a comment. If you found this article helpful, be sure to sign up for the newsletter below and review the rest of our articles, which cover ISO 13485 requirements in-depth.</p>



<p>The post <a rel="nofollow" href="https://hardcoreqms.com/13485/verification-purchased-product/">Verifying Purchased Product According to ISO 13485 7.4.3</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://hardcoreqms.com/13485/verification-purchased-product/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">738</post-id>	</item>
		<item>
		<title>Retraining Is Not The Solution</title>
		<link>https://hardcoreqms.com/blog/stop-retraining/</link>
					<comments>https://hardcoreqms.com/blog/stop-retraining/#respond</comments>
		
		<dc:creator><![CDATA[Grant Gibson]]></dc:creator>
		<pubDate>Wed, 26 Mar 2025 23:32:06 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<guid isPermaLink="false">https://hardcoreqms.com/?p=608</guid>

					<description><![CDATA[<p>It’s the third day of an audit. While you’ve been enjoying the provided lunches and getting away from checking email, you’re no longer entertained by the auditors&#8217; elaborate stories and anxiety that a haywire Teams message will appear on the screen you’re sharing. For the last hour, he’s been locked in on one form that ... <a title="Retraining Is Not The Solution" class="read-more" href="https://hardcoreqms.com/blog/stop-retraining/" aria-label="More on Retraining Is Not The Solution">Read more</a></p>
<p>The post <a rel="nofollow" href="https://hardcoreqms.com/blog/stop-retraining/">Retraining Is Not The Solution</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="">It’s the third day of an audit. While you’ve been enjoying the provided lunches and getting away from checking email, you’re no longer entertained by the auditors&#8217; elaborate stories and anxiety that a haywire Teams message will appear on the screen you’re sharing.</p>



<p class="">For the last hour, he’s been locked in on one form that was not filled out properly. You’ve been scrolling through other instances of the form and haven&#8217;t found similar issues and are cursing the fact that he chose that example. But he’s not letting up, and you can feel the minor finding creeping up behind you. You’ve already drafted the CAPA in your head, and all signs point to one action. Retraining.</p>



<p class="">Stop it.</p>



<p class="">Too often, quality professionals use retraining as a crutch to solve Corrective Actions. “It’s not the process. It’s not the form. Just one more training session will fix everything”. Maybe you even know the operator and can picture their face as you present the audit finding and inform them of the training session that will result from what you see as a willful lack of attention to quality.</p>



<p class="">Well, you better be sure that the process is indeed perfect.&nbsp;</p>



<p class="">Retraining is an indication that a Quality department is acting as an adversary to the rest of the company (this is not the sole responsibility of Quality and may be preached by other departments). There is chaos amongst the ranks, and it is Quality’s job to rein it in, to force the employees and company into a state of order.&nbsp;</p>



<p class="">But there’s another way. The quality departments in regulated industries such as pharmaceuticals, medical devices, and aerospace are often seen by management as a necessary evil put in place by the government. However, the history of quality control demonstrates that the origin of the profession was to make better products and processes.</p>



<p class="">An employee didn’t fill out a form correctly. While you can hold onto the view that this was human error, it is a great opportunity to truly examine the process. Employ the tools that are in the quality handbook. Look for creative solutions to the problem that will not only fix the error but also make the process better and coworkers more satisfied with their jobs.</p>



<p class="">Quality professionals sometimes hold onto a view that a process is not the problem even if it was an inherited process, put in place years ago by a Manager they never even knew.</p>



<p class="">I’ve seen a lot of processes, and I’ve filled out a lot of forms, and I am sure that almost all of them could be improved. Quality should be seamless in the way it is integrated into day-to-day operations. When operators are constantly struggling or fighting the way processes are implemented, it’s a clear sign that something needs to give.</p>



<p class="">A lot of the time, the person performing a Corrective Action will default to listing retraining as the action. Someone messed up and didn’t fill out a form correctly. Everyone will be trained on the process and taught how to fill out the form correctly. It sounds nice and simple, but it’s the result of someone stopping at the first or second Why and not getting to the root cause. </p>



<p class="">It also opens up another can of worms for a Quality department. If you have three Corrective Actions, and the actions taken for all of them were retraining, how on earth can you say that your training program is effective? </p>



<p class="">A form being filled out incorrectly by a production employee, leading to an entire overhaul of a company’s <a href="https://hardcoreqms.com/13485/iso-13485-training-requirements/" data-type="post" data-id="257">training program</a>, would be a more effective and honest way to solve the issue than simply retraining. And if you take this approach, good for you! This is a much better approximation of the root cause!</p>



<p class="">I will also add here that almost all CAPAs will include training or retraining as part of the actions. However, people should be trained on the new, improved process, not the process that was already found to have holes.</p>



<p class="">Let me tell you, dear reader, I am not without sin regarding this issue. Recently, I was in this exact situation at my company, finding that a certain section of a form was not being completed correctly. And while it was a repeated issue, all of the mistakes were made by one person. Is this not a perfect indication that they just need to be retrained on the form?</p>



<p class="">However, I decided not to implement actions right away and took the weekend to think through the issue. And it finally dawned on me. Why the heck am I having people fill out this section of the form to begin with?</p>



<p class="">All the information is already captured elsewhere in a more appropriate place. Filling out that section of the form required an understanding of multiple unrelated processes and caused my coworkers to spend time writing the same thing over and over. My other coworkers were filling out the form correctly, but it was not adding value in any demonstrable way. </p>



<p class="">So I removed that section! Not only will the issue be impossible to repeat in the future, but it will also ease the burden of every single employee who has to fill out that form. This makes it more likely that the rest of the form is filled out correctly and that the process is completed without hitches. It also means that people can spend their time focusing on the quality of the rest of their work.</p>



<p class="">I’ll admit, this is an easy example. There will be lots of times when a form or process cannot be changed to this extent (although fewer than you probably think). But it’s just one example of how a mistake can lead to a better process. I believe that when you focus on what you can do to make your coworkers’ work more efficient, you will find that this leads to better and more sustainable quality.</p>



<p class="">The next time you are presented with a problem or a finding, and your first response is to retrain people on a process, don’t let yourself jump to conclusions. Take a moment, or a week, and really examine the process. You might find that even though it&#8217;s an isolated incident, there is still room to make it better.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p class="">If you enjoyed this article, sign up for our newsletter below, and follow us over on our LinkedIn Page: <a href="https://www.linkedin.com/company/hardcore-qms/" data-type="link" data-id="https://www.linkedin.com/company/hardcore-qms/" target="_blank" rel="noopener">HardcoreQMS</a>.</p>
<p>The post <a rel="nofollow" href="https://hardcoreqms.com/blog/stop-retraining/">Retraining Is Not The Solution</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://hardcoreqms.com/blog/stop-retraining/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">608</post-id>	</item>
		<item>
		<title>Practical Guide to Medical Device Purchasing (ISO 13485 7.4.2)</title>
		<link>https://hardcoreqms.com/13485/purchasing-guide/</link>
					<comments>https://hardcoreqms.com/13485/purchasing-guide/#respond</comments>
		
		<dc:creator><![CDATA[Grant Gibson]]></dc:creator>
		<pubDate>Tue, 25 Mar 2025 00:43:09 +0000</pubDate>
				<category><![CDATA[ISO 13485]]></category>
		<guid isPermaLink="false">https://hardcoreqms.com/?p=636</guid>

					<description><![CDATA[<p>When it comes to Medical Device companies&#8217; purchasing processes, managing suppliers takes the bulk of the attention. This makes sense, as having a great supplier management system will make the other parts of the system run much smoother.&#160; That being said, Medical Device companies that want to conform to standards and regulations should still record ... <a title="Practical Guide to Medical Device Purchasing (ISO 13485 7.4.2)" class="read-more" href="https://hardcoreqms.com/13485/purchasing-guide/" aria-label="More on Practical Guide to Medical Device Purchasing (ISO 13485 7.4.2)">Read more</a></p>
<p>The post <a rel="nofollow" href="https://hardcoreqms.com/13485/purchasing-guide/">Practical Guide to Medical Device Purchasing (ISO 13485 7.4.2)</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="">When it comes to Medical Device companies&#8217; purchasing processes, managing suppliers takes the bulk of the attention. This makes sense, as having a great supplier management system will make the other parts of the system run much smoother.&nbsp;</p>



<p class="">That being said, Medical Device companies that want to conform to standards and regulations should still record their process for purchasing goods and services. This article will break down the processes Medical Device companies need to conform with ISO 13485 clause 7.4.2 when purchasing materials.</p>



<div class="wp-block-rank-math-toc-block" id="rank-math-toc"><h2>Table of Contents</h2><nav><ul><li><a href="#should-purchasing-be-its-own-procedure">Approved Supplier List</a></li><li><a href="#purchase-orders">Purchase Orders</a><ul><li><a href="#do-purchase-orders-need-to-be-approved">Do Purchase Orders Need to be Approved?</a></li></ul></li><li><a href="#change-notification-agreements">Change Notification Agreements</a></li><li><a href="#traceability-and-records">Traceability and Records</a></li><li><a href="#should-purchasing-be-its-own-procedure-1">Should Purchasing be its own SOP?</a></li><li><a href="#wrapping-up">Wrapping Up</a></li></ul></nav></div>



<h2 class="wp-block-heading" id="should-purchasing-be-its-own-procedure"><strong>Approved Supplier List</strong></h2>



<p class="">Having an up-to-date Approved Supplier List (ASL) makes it simple for companies to know which vendors can provide different materials and services. To learn more about supplier management and setting up an ASL, check out our guide, <a href="https://hardcoreqms.com/13485/medical-device-supplier-management/" data-type="post" data-id="613">Effective Supplier Management for Medical Devices</a>.</p>



<p class="">If you are purchasing any materials or services related to finished medical devices, the supplier must be on the ASL. If you need to purchase something that is not provided by a vendor on your ASL or if the approved supplier is not able to provide the material, Purchasing should work with Quality to get the vendor added as quickly as possible.</p>



<p class="">For this reason and to minimize supply issues, it can be beneficial to have multiple suppliers of the same material on your ASL. However, this must be weighed against the business risk of qualifying extra suppliers who will not be providing anything immediately, as well as the benefits of working with a single supplier.</p>



<h2 class="wp-block-heading" id="purchase-orders"><strong>Purchase Orders</strong></h2>



<p class="">Companies almost always use Purchase Orders (PO) to purchase from other companies. ISO 13485 lists four items required to be included or referenced in purchasing requirements:</p>



<ul class="wp-block-list">
<li class="">Purchase specifications</li>



<li class="">Requirements for product acceptance</li>



<li class="">Requirements for qualification of supplier personnel</li>



<li class="">Quality Management System requirements</li>
</ul>



<p class="">The last two requirements are best left to the Supplier Management system so that a company does not create them from scratch every time they have to purchase materials.</p>



<p class="">Purchase Orders typically focus on the first and second requirements: purchase specifications and requirements for product acceptance. For low-risk off-the-shelf products, this could be as simple as a PO documenting the part/catalog number and quantity.</p>



<p class="">For POs of complex, higher-risk, or custom products, more information should be included, such as:</p>



<ul class="wp-block-list">
<li class="">Revision levels</li>



<li class="">Packaging and shipping requirements</li>



<li class="">Certificates of Analysis</li>



<li class="">Inclusions of product verification data</li>



<li class="">Labeling</li>



<li class="">National or International standards (a commonly used example is RoHS compliance)</li>



<li class="">And more depending on your organization</li>
</ul>



<p class="">Engineering should be involved with communicating the specifications, part drawings, and product requirements to Purchasing. These documents can be sent alongside the PO to give the supplier as much information as possible.</p>



<p class="">Requirements for acceptance can be included in a PO, a Quality Agreement, or a combination of both. These might state that the supplier sends a Certificate of Conformance or other testing information with the materials. It could also reference an inspection plan and <a href="https://www.investopedia.com/terms/a/acceptable-quality-level-aql.asp" data-type="link" data-id="https://www.investopedia.com/terms/a/acceptable-quality-level-aql.asp" target="_blank" rel="noopener">Acceptable Quality Limit (AQL)</a> agreed upon by the company and supplier.</p>



<h3 class="wp-block-heading" id="do-purchase-orders-need-to-be-approved"><strong>Do Purchase Orders Need to be Approved?</strong></h3>



<p class="">ISO 13485 suggests that POs be checked for adequacy before being sent to suppliers.</p>



<p class="">The first part of this check is done during device design and development. Companies must ensure they have approved all of the requirements regarding their products before anything is requested from suppliers.</p>



<p class="">The second part comes when it is time to send out the PO. One option is to have Quality or a defined member of Purchasing physically approve each PO. I would caution against this approach, as it will add unnecessary paperwork burden and slow down the purchasing process.&nbsp;</p>



<p class="">The better option is to make sure that the entire Purchasing team is <a href="https://hardcoreqms.com/13485/iso-13485-training-requirements/" data-type="post" data-id="257">well-trained</a> on the organization’s supplier management and purchasing processes. That way, everyone involved with purchasing can understand which suppliers are on the ASL and the correct revision levels of materials to purchase.</p>



<h2 class="wp-block-heading" id="change-notification-agreements"><strong>Change Notification Agreements</strong></h2>



<p class="">Quality agreements are essential to purchasing for Medical Device companies; however, the area that is highlighted in ISO 13485 is the Change Notification Agreement.</p>



<p class="">The Change Notification Agreement dictates that a vendor must notify the purchasing organization before changing any aspect of the process or product.&nbsp;</p>



<p class="">For medium and high-risk products this is usually done through formal Quality Agreements. If you want to learn more about what is included in a Quality Agreement, please review our guide on <a href="https://hardcoreqms.com/13485/medical-device-supplier-management/" data-type="post" data-id="613">Supplier Management</a>.</p>



<p class="">For low-risk products and materials, the Change Notification Agreement can be as simple as a statement on the PO or in terms and conditions associated with the PO. Either way, this information needs to be communicated and agreed upon with the supplier.</p>



<h2 class="wp-block-heading" id="traceability-and-records"><strong>Traceability and Records</strong></h2>



<p class="">Traceability is another important aspect of producing Medical Devices; however, the criticality varies based on the nature and risk level of the specific device.</p>



<p class="">For purchasing, companies should, at a minimum, maintain records of their POs. The PO number is a common point of reference for the organization and the supplier and can be used for communications if there are any product defects found during incoming inspection.</p>



<p class="">Organizations should also try to tie the PO number and supplier lot/batch number to their internal lot/batch numbers of products. This is a requirement for higher-risk Medical Device companies, especially those producing implantable devices, but it is best practice for all Medical Device organizations.</p>



<p class="">This level of traceability is important if there are defects found in stages of the production processes outside of incoming inspection, or in products that have been sent to customers. This information facilitates investigations and can be used as a starting point during supplier audits.</p>



<p class="">Other records of traceability that may need to be maintained, depending on the specific requirements of the organization, include Certificates of Analysis or Conformance, purchased material revision number, and supplier-provided verification information.</p>



<h2 class="wp-block-heading" id="should-purchasing-be-its-own-procedure-1"><strong>Should Purchasing be its own SOP?</strong></h2>



<p class="">Whether an organization should have a specific SOP on the purchasing process is completely up to that organization&#8217;s needs.  </p>



<p class="">It is common and perfectly acceptable to fold the purchasing process into a supplier management or similar procedure. The advantage is that it gives the company fewer SOPs to review and control as part of document management. It also means fewer documents must be accessed during audits and similar activities.</p>



<p class="">Personally, I like having a QMS with a greater number of SOPs that are shorter. The advantage is that if some part of the purchasing process changes, you don&#8217;t need to do a <a href="https://hardcoreqms.com/13485/medical-device-change-control/" data-type="post" data-id="541">change order</a> on the entire supplier management SOP. It also means that you can be more specific and only push out training for documents that are specific to an employee&#8217;s role.</p>



<p class="">The key is that an organization has to document a Purchasing process; however, it is free to make that its own SOP or include the process as part of a larger SOP.</p>



<h2 class="wp-block-heading" id="wrapping-up"><strong>Wrapping Up</strong></h2>



<p class="">Medical device companies spend so much time focused on managing suppliers that they often overlook the act of buying the materials. However, as part of having a well-running QMS, organizations also need a process to ensure they purchase the correct parts and services from the right suppliers. By following this guide, you can set up your organization for success and conformance with ISO 13485 requirements.</p>



<p>The post <a rel="nofollow" href="https://hardcoreqms.com/13485/purchasing-guide/">Practical Guide to Medical Device Purchasing (ISO 13485 7.4.2)</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://hardcoreqms.com/13485/purchasing-guide/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">636</post-id>	</item>
		<item>
		<title>There are No Good Manufacturing Practices</title>
		<link>https://hardcoreqms.com/blog/no-good-manufacturing-practices/</link>
					<comments>https://hardcoreqms.com/blog/no-good-manufacturing-practices/#respond</comments>
		
		<dc:creator><![CDATA[Grant Gibson]]></dc:creator>
		<pubDate>Wed, 19 Mar 2025 23:24:52 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<guid isPermaLink="false">https://hardcoreqms.com/?p=637</guid>

					<description><![CDATA[<p>Have you ever heard of Goodhart’s Law? Developed by British economist Charles Goodhart, the simple version is: “When a measure becomes a target, it ceases to be a good measure.” On its own, it&#8217;s a beneficial concept for Quality Management. For example, if you record the time it takes good, well-trained inspectors to measure a ... <a title="There are No Good Manufacturing Practices" class="read-more" href="https://hardcoreqms.com/blog/no-good-manufacturing-practices/" aria-label="More on There are No Good Manufacturing Practices">Read more</a></p>
<p>The post <a rel="nofollow" href="https://hardcoreqms.com/blog/no-good-manufacturing-practices/">There are No Good Manufacturing Practices</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="">Have you ever heard of Goodhart’s Law? Developed by British economist Charles Goodhart, the simple version is: </p>



<p class=""><em>“When a measure becomes a target, it ceases to be a good measure.”</em></p>



<p class="">On its own, it&#8217;s a beneficial concept for Quality Management. For example, if you record the time it takes good, well-trained inspectors to measure a part, it won’t provide any benefits to broadcast the result to the inspectors. Since there is now a defined time that constitutes a good inspection, all inspectors can focus on hitting that time, instead of concerning themselves with the quality of the parts. The metric, inspection time, is no longer accurate.</p>



<p class="">But today, I’m talking about “Good Manufacturing Practices” and Quality Management Systems and introducing my twist:</p>



<p class=""><strong>When a Good Manufacturing Practice becomes a requirement, it ceases being a useful indicator of a Good Manufacturing Practice.</strong></p>



<p class="">If you look at well-run manufacturing companies, you’ll discover that they have documented processes. If you survey enough of these companies, you’ll find that many of these processes are similar.&nbsp;</p>



<p class="">From there, you can create a guideline or “standard” that includes all these processes. Then, you can build an audit plan for that standard that gives you criteria for ensuring the company has all the practices in place. If a company shows they have the required documented processes, you can issue them a certificate that allows them to display their competency to customers and regulators.</p>



<p class="">However, people who have spent a decent amount of time in Quality know of companies that are certified to different QMS standards, and yet you can’t shake the feeling that they have no idea what they’re doing. It might not be something that can be traced in an audit finding. But the Quality is just…off. The processes are there, but they’re bad or inefficient.</p>



<p class="">On the flip side, have you ever spent time with a luxury watch in person? I mean, really spent time and looked at every machining technique, every detail, every texture?</p>



<p class="">A Cartier watch is a beautiful work of art. It’s amazing.&nbsp;</p>



<p class="">And yet, and this may surprise you, Cartier is not ISO 9001 certified. So, how can they be producing such a high-quality product, over and over and over again?</p>



<p class="">I’m sure Cartier has processes in place for manufacturing their watches. If you look at their <a href="https://www.cartier.com/en-us/quality-and-performance.html" data-type="link" data-id="https://www.cartier.com/en-us/quality-and-performance.html" target="_blank" rel="noopener">Quality and Performance</a> page, they list some of the different tests their watches endure to get them up to Cartier standards. However, these processes weren’t put in place to match GMP criteria or receive a QMS certification.</p>



<p class="">How is Cartier able to do this?&nbsp;</p>



<p class="">How are there companies that are legally obligated to follow Good Manufacturing Practices and are bad at manufacturing, while unregulated, non-certified companies produce high-quality products?</p>



<p class="">Cartier&#8217;s quality is built around its internal goals and meeting customer expectations instead of conforming to a standard.</p>



<p class="">The luxury watch market is extremely competitive. No one needs a luxury watch. Timekeeping has been solved, and a mechanical watch is a poor solution.&nbsp; So, if you are a luxury watchmaker, you need to listen to your customers and create the best quality product you can put in a display case.&nbsp;</p>



<p class="">Every single time.</p>



<p class="">Looking at other excellent manufacturing companies, you’ll see that the processes they put in place have a purpose.  They understand the &#8220;why&#8221; behind the processes.</p>



<p class="">A company can put in place any process it wants to conform to GMPs, but unless it understands and cares about the “why” of that process, it won’t lead to better quality.&nbsp;</p>



<p class="">Take training as an example. If a company is not required to meet any GMPs and is not ISO certified but still has an effective documented training system, you would think highly of that company. You might trust that they are making something of good quality.</p>



<p class="">However, in certain regulated industries, organizations are required to have a documented training system. Many companies choose to have a superficial training program that technically meets requirements but does not create the intended value.</p>



<p class="">Therefore, an organization in this industry having a training program in place does not tell you anything about the quality of the organization, by the very fact that a training program is required.  </p>



<p class="">This is one of my pet peeves when I see something like &#8220;ISO 13485 certification guarantees that an organization is producing high-quality medical devices.&#8221; No, it doesn&#8217;t. ISO 13485 certification guarantees (or at least hopefully guarantees) that a company is meeting the requirements of ISO 13485. This and good quality are two separate things.</p>



<p class="">Unfortunately, this cannot be solved by better regulations or standards. Anything regulatory agencies or certification bodies do, anything they define as a Good Manufacturing Practice will still fall victim to Goodhart’s Law. Once a practice is established as a requirement or goal, it allows a company to put a superficial process in place to meet that requirement.&nbsp;&nbsp;</p>



<p class="">The funny thing is, they know it themselves.</p>



<p class="">If you read through the <a href="https://www.fda.gov/medical-devices/medical-device-single-audit-program-mdsap/mdsap-audit-procedures-and-forms" data-type="link" data-id="https://www.fda.gov/medical-devices/medical-device-single-audit-program-mdsap/mdsap-audit-procedures-and-forms" target="_blank" rel="noopener">MDSAP audit approach</a> section on supplier management, it says (and I&#8217;m embellishing here): &#8220;Yeah, you can check if a supplier has a third-party certification, but for god&#8217;s sake don&#8217;t rely on that to think the supplier is good quality.&#8221;</p>



<p class="">So what can you do about it?</p>



<p class="">If you need to evaluate a company from the outside, there are talented, experienced auditors and professionals who can tell the difference between good quality and meeting requirements (smell the BS). However, these people need to be empowered. If the organization that sent the auditor is itself just trying to check a box, it will ignore the auditor&#8217;s advice. &#8220;Do they meet the standard? Good enough.&#8221;</p>



<p class="">It becomes harder when a company internally faces this reckoning.</p>



<p class="">Ultimately it is the responsibility of top management and Quality Professionals to understand the “why” behind the processes they put in place, and deeply care about the quality of their products.&nbsp;</p>



<p class="">To not only know how to comply with an ISO standard, but why the processes are beneficial to the company and can lead to higher quality. Not just teach people how to do tasks, but also the purpose of those tasks.&nbsp;</p>



<p class="">Anyone can find out the requirements of “Good Manufacturing Practices” and standards, but just following them does not lead to good manufacturing.&nbsp;</p>



<p class="">There are no Good Manufacturing Practices that will show you the way.&nbsp;</p>



<p class="">The only way a company can achieve good quality is through a true, internal, continual commitment to creating the best possible processes, products, and services it possibly can.</p>



<p class="">Every single time.</p>



<p>The post <a rel="nofollow" href="https://hardcoreqms.com/blog/no-good-manufacturing-practices/">There are No Good Manufacturing Practices</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://hardcoreqms.com/blog/no-good-manufacturing-practices/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">637</post-id>	</item>
		<item>
		<title>Effective Supplier Management for Medical Devices (ISO 13485 7.4.1)</title>
		<link>https://hardcoreqms.com/13485/medical-device-supplier-management/</link>
					<comments>https://hardcoreqms.com/13485/medical-device-supplier-management/#respond</comments>
		
		<dc:creator><![CDATA[Grant Gibson]]></dc:creator>
		<pubDate>Tue, 18 Mar 2025 00:03:18 +0000</pubDate>
				<category><![CDATA[ISO 13485]]></category>
		<category><![CDATA[Procedure Guides]]></category>
		<guid isPermaLink="false">https://hardcoreqms.com/?p=613</guid>

					<description><![CDATA[<p>All medical devices start from somewhere, and that somewhere is usually supplied by an outside organization. Supplier management is critical for medical device companies as the quality and safety of their devices is determined by the products and services coming in their door. Many medical device companies have difficulty with supplier management, and for good ... <a title="Effective Supplier Management for Medical Devices (ISO 13485 7.4.1)" class="read-more" href="https://hardcoreqms.com/13485/medical-device-supplier-management/" aria-label="More on Effective Supplier Management for Medical Devices (ISO 13485 7.4.1)">Read more</a></p>
<p>The post <a rel="nofollow" href="https://hardcoreqms.com/13485/medical-device-supplier-management/">Effective Supplier Management for Medical Devices (ISO 13485 7.4.1)</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="">All medical devices start from somewhere, and that somewhere is usually supplied by an outside organization. Supplier management is critical for medical device companies, as the quality and safety of their devices are determined by the products and services coming in their door.</p>



<p class="">Many medical device companies have difficulty with supplier management, and for good reason. If the supplier management process is too lenient, it can lead to bad finished products, complaints, and worse. However, if the supplier management process is too intense, it will become watered down and convoluted, resulting in constant struggle and continuous audit findings from massive paperwork requirements.</p>



<p class="">Your supplier management process needs to be right-sized for your company to ensure that it maintains good relationships with suppliers and is constantly provided with high-quality products and services. We’ll break down the requirements of ISO 13485 section 7.4.1 and help you construct a powerful and effective supplier management process for your company.</p>






<h2 class="wp-block-heading" id="the-why"><strong>The Why</strong></h2>



<p class="">If a company wants to make a high-quality product, it must be supplied with high-quality materials. Effective supplier management is a great tool for ensuring an organization works with companies committed to the quality of what they produce.</p>



<p class="">Many people see supplier management as a massive undertaking that costs a company lots of time and money to implement, but this is backward. The expense of a recall resulting from a supplier concern costs much more than creating a worthwhile supplier management process.</p>



<p class="">Furthermore, if a medical device company wants to <a href="https://hardcoreqms.com/13485/verification-purchased-product/" data-type="link" data-id="https://hardcoreqms.com/13485/verification-purchased-product/">100% inspect</a> all of the material it receives, it can have minimal supplier controls. But I don&#8217;t recommend this approach.</p>



<p class="">The purpose of supplier management is to save time and money by building trusted relationships with talented suppliers.</p>



<h2 class="wp-block-heading" id="supplier-qualification-and-the-asl"><strong>Supplier Qualification and the ASL</strong></h2>



<p class="">Note: ISO 13485 does not have a section with “suppliers” in the title and instead includes requirements in section 7.4 on Purchasing. This article covers section 7.4.1, titled <strong>Purchasing Process</strong>, which is not about the full purchasing process but focuses on supplier selection, qualification, and monitoring.</p>



<h3 class="wp-block-heading" id="approved-supplier-list"><strong>Approved Supplier List</strong></h3>



<p class="">The first step in your supplier management process involves the evaluation and selection of suppliers. You need to know if the supplier provides the type of material you need, what their quality system looks like, and if they can supply the quantities to meet your company&#8217;s demand.</p>



<p class="">The goal of this evaluation is to determine if the supplier meets your requirements and can be added to your Approved Supplier List (ASL). Nothing related to final product quality should be purchased from suppliers that are not on your ASL, as this puts you at serious risk of bad quality products, audit findings, and regulatory consequences.&nbsp;</p>



<p class="">(The one exception is contracting an initial pilot build or first article with a company that is not on your ASL to see if they meet your specifications and can be added to the ASL. However, the purchased materials should never be used on final products).</p>



<p class="">Your ASL will be your guiding document for suppliers. It will determine which companies Purchasing is allowed to order from and will be one of the first things an auditor looks at regarding your supplier management process.</p>



<p class="">It must be up-to-date and accurate, and many QMS software packages can help you manage your ASL. However, you can also have an ASL in a Word or Excel file that includes the relevant information. If you go this route, the ASL must be a controlled document within your <a href="https://hardcoreqms.com/13485/document-control-iso-13485/" data-type="link" data-id="https://hardcoreqms.com/13485/document-control-iso-13485/">document control system</a>.</p>



<p class=""><strong>What type of information needs to be included in an ASL?</strong></p>



<p class="">There are no specific requirements for what needs to be on a company&#8217;s ASL. In its simplest form, it could list only company names and risk levels (discussed below). Depending on the software used, an ASL could also function more like an index that includes company names and links to more information about the company.</p>



<p class="">However, if you are building an ASL from scratch, here is the type of information that is commonly included:</p>



<ul class="wp-block-list">
<li class="">Supplier name</li>



<li class="">Contact information (either a quality or distribution contact)</li>



<li class="">Goods/services that are approved to be provided by the company</li>



<li class="">Supplier approval and re-evaluation date</li>



<li class="">Supplier classification or risk level</li>



<li class="">Supplier status</li>



<li class="">Links or references to supplier-related documents</li>
</ul>



<h3 class="wp-block-heading" id="what-types-of-suppliers-need-to-be-on-your-asl"><strong>What types of suppliers need to be on your ASL?</strong></h3>



<p class="">The short answer is a supplier that provides any material or service that affects the quality of your product or your quality management system. The longer answer depends on the specific needs of your organization and the type of medical device it is producing.&nbsp;</p>



<p class="">Some companies might not seem like suppliers at first, but notified bodies and regulatory agencies will tell you they are suppliers. One example is distributors, especially if they are distributing products that can only be purchased by physicians. For this reason, these companies should also be added to your ASL.</p>



<p class="">Consultants also need to be added to your ASL depending on the type of service they are providing. Examples include consultants conducting internal audits at your organization or aiding in the creation of 510(k) submissions.</p>



<p class="">The types of suppliers that may need to be included in your ASL are listed below. Remember that this list is not comprehensive and depends on the needs of your organization:</p>



<ul class="wp-block-list">
<li class="">Contract Manufacturers</li>



<li class="">Original Equipment Manufacturers (OEMs)</li>



<li class="">Raw material suppliers</li>



<li class="">Device component suppliers (both custom and off-the-shelf)</li>



<li class="">Contract sterilization services</li>



<li class="">Software companies that supply software related to your device</li>



<li class="">Software companies that affect your QMS (such as an eQMS provider)</li>



<li class="">Calibration and testing services</li>



<li class="">Design and development services</li>



<li class="">Consultants/contractors</li>



<li class="">Distributors</li>



<li class="">Packaging suppliers</li>
</ul>



<p class=""><strong>Who doesn’t need to be on your ASL?&nbsp;</strong></p>



<p class="">There are some obvious answers, like companies that supply toilet paper, snacks, or anything else that does not affect product quality. This list can also include companies supporting your organization with accounting, marketing, general IT, and other services. Ultimately, it is up to you to determine which suppliers are appropriate to not include on your ASL.</p>



<h3 class="wp-block-heading" id="supplier-risk-classifications"><strong>Supplier Risk Classifications</strong></h3>



<p class="">Before you start qualifying suppliers for your supplier management process, you need to have criteria in place for determining whether a supplier can be added to your ASL.&nbsp;</p>



<p class="">Because you are in the medical device industry, your qualification criteria should be based on the risk the purchased component or service has on the safety and performance of your products. It does not make sense to audit every single supplier or only receive a supplier survey from a contract manufacturer.</p>



<p class="">Additionally, the risk can be affected by the ability to verify the purchased product or service. Sterilization suppliers are usually considered high-risk because it is not feasible to verify the output of their service.</p>



<p class="">It is typical to start by breaking suppliers into classifications or tiers based on the product&#8217;s impact on device safety. You need to have enough levels to meaningfully distinguish different types of suppliers, but not so many that it creates confusion.</p>



<p class="">We’ll start with three classes of suppliers, which is common in the industry.&nbsp;</p>



<ul class="wp-block-list">
<li class=""><strong>Class A Supplier (High Risk): </strong>Contract manufacturers and sterilizers.</li>



<li class=""><strong>Class B Supplier (Medium Risk): </strong>Supplier of custom components for the device(s), internal packaging, and off-the-shelf products that have a significant impact on the device(s).</li>



<li class=""><strong>Class C Supplier (Low Risk): </strong>Supplier of off-the-shelf products, calibration services, outside packaging, and labeling suppliers.</li>
</ul>



<p class="">This is just one way to classify the suppliers to your organization. As usual, the exact ways suppliers fit into your classifications will depend on your company and product. If your company produces a high-risk device, you’ll likely need tighter controls on the majority of your suppliers.</p>



<p class="">You might notice that certain types of suppliers are missing from this list. Personally, I find that the three-tier system is useful, but it does not accurately capture specific suppliers.</p>



<p class="">Consultants are one example. It doesn&#8217;t make sense for a company to require that a consultant be ISO-certified or have a change notification agreement established. Therefore, I usually place consultants into their own classification <strong>(Class D)</strong> so that they can have different evaluation criteria.</p>



<p class="">Another example is distributors. Distributors play a different role than any other supplier, and the evaluation criteria will also be unique. This puts distributors into <strong>Class E</strong>. &nbsp;</p>



<p class="">This may seem like a lot of classes, but you want a system that helps you with the rest of your supplier management process. If you have too few classes, suppliers end up lumped together with requirements that don’t make sense.&nbsp;</p>



<h3 class="wp-block-heading" id="supplier-evaluation-criteria"><strong>Supplier Evaluation Criteria</strong></h3>



<p class="">Now that you have your different supplier risk classifications, it’s time to take the next step and specify the requirements for each class of supplier. At this stage, you are using the risk classifications to determine how much information or assurance of quality is needed from the different types of suppliers.</p>



<p class="">Your evaluation criteria can include:</p>



<ul class="wp-block-list">
<li class="">FDA Registration (required for contract manufacturers in the US)</li>



<li class="">ISO Certification (ISO 13485 or ISO 9001)</li>



<li class="">Quality Agreements</li>



<li class="">Supplier Audits</li>



<li class="">Change Notification Agreements</li>



<li class="">First Article Inspection</li>



<li class="">Supplier Surveys (see the section under Choosing Suppliers and Gathering Information)</li>
</ul>



<p class="">Once you&#8217;ve established the criteria required for your suppliers, you can place the criteria in a matrix based on the supplier classes.</p>


<div class="wp-block-image">
<figure class="aligncenter size-full"><img data-recalc-dims="1" decoding="async" width="717" height="168" src="https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2025/02/image.png?resize=717%2C168&#038;ssl=1" alt="A supplier risk classification matrix, which includes the requirements for class A, B, and C suppliers" class="wp-image-617" srcset="https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2025/02/image.png?w=717&amp;ssl=1 717w, https://i0.wp.com/hardcoreqms.com/wp-content/uploads/2025/02/image.png?resize=300%2C70&amp;ssl=1 300w" sizes="(max-width: 717px) 100vw, 717px" /></figure>
</div>


<p class="">A supplier classification matrix like this will make it easy to understand if a supplier can be qualified for the ASL. It can also be referenced by auditors to ensure a certain supplier is meeting the requirements.&nbsp;</p>



<p class="">It&#8217;s important to keep in mind that an organization should not rely solely on a 3rd-party accreditation (like ISO certification), and there should be other controls in place to ensure the supplier is in the company&#8217;s best interest.</p>



<p class="">What about consultants and distributors? The purpose of adding these suppliers to different classifications was so it would be easy to have unique criteria in place. For consultants, the minimum requirement I have is maintaining a resume on file. For distributors, you want a detailed distribution agreement in place that dictates their responsibilities regarding your products.&nbsp;</p>



<p class="">One thing to consider at this stage is that you always want the ability to use a supplier that does not entirely meet the requirements. For example, there may only be one type of supplier in the world of a certain component that is required for your device, and they might not be ISO certified. You will have to provide a sufficient documented reason for why you are using the supplier, but you still want to have the option available.</p>



<h4 class="wp-block-heading" id="supplier-audits"><strong>Supplier Audits</strong></h4>



<p class="">Supplier audits can be one of the best ways to confirm information about a supplier’s quality. However, audits are also expensive and time-consuming.&nbsp;</p>



<p class="">In the matrix above, Class A and B suppliers require an audit before they can be qualified in the supplier management system. That said, the nature of these audits does not necessarily need to be the same.</p>



<p class="">A Class A supplier might require an in-person audit, while a Class B supplier might require a virtual audit.&nbsp; The audit frequency could also be different, with Class A suppliers requiring audits every one to two years and Class B suppliers only requiring audits up front and if there are quality issues.</p>



<p class="">There might not be anyone at your company who is qualified to perform audits. In this case, an employee can complete lead auditor training and receive the necessary credentials.&nbsp;</p>



<p class="">Alternatively, start-ups and smaller organizations may only be required to audit a few suppliers. If so, the company can hire a contract auditor to perform the audit on their behalf. If you are going this route, make sure the contract auditor is qualified and on your ASL!</p>



<p class="">Another action that can be beneficial is an informal supplier visit that does not include a full audit. This is useful for establishing a relationship with a supplier and gaining an understanding of their facility. If your company makes a low-risk device, a supplier visit can even substitute for an audit with Class B and lower suppliers.&nbsp;</p>



<h4 class="wp-block-heading" id="supplier-quality-agreements"><strong>Supplier Quality Agreements</strong></h4>



<p class="">Supplier Quality Agreements are legally binding documents that are put in place to govern the relationships with suppliers. Not only are they required in certain situations, but they are a great way of formalizing expectations.&nbsp;For these reasons, Supplier Quality Agreements are essential to supplier management.</p>



<p class="">While Supplier Quality Agreements are very helpful to a company, they can also be difficult to put into place. This is especially true of large organizations that provide off-the-shelf components. For this reason, it is best to require full Quality Agreements only from medium and high-risk suppliers.</p>



<p class="">What needs to be included in a Supplier Quality Agreement? As usual, it depends on the type of product or service being provided. Appendix 2 of <a href="https://www.google.com/url?q=http://www.doks.nbog.eu/Doks/NBOG_BPG_2010_1.pdf&amp;sa=D&amp;source=docs&amp;ust=1739735810534979&amp;usg=AOvVaw15_eN3pfS2tA4T-sCHV_9i" data-type="link" data-id="https://www.google.com/url?q=http://www.doks.nbog.eu/Doks/NBOG_BPG_2010_1.pdf&amp;sa=D&amp;source=docs&amp;ust=1739735810534979&amp;usg=AOvVaw15_eN3pfS2tA4T-sCHV_9i" target="_blank" rel="noopener">this NBOG document</a> related to supplier controls can be a good start.</p>



<p class="">Certain items I’ve seen in Quality Agreements include:</p>



<ul class="wp-block-list">
<li class="">When the supplier will send validation data to the company</li>



<li class="">If the supplier will send testing or inspection reports to the company</li>



<li class="">When the company has the right to audit the supplier, and if the supplier agrees to be audited by the company’s notified body.&nbsp;</li>



<li class="">The change notification agreement (more information below).&nbsp;</li>



<li class="">Traceability requirements of products</li>



<li class="">Access to documents maintained by the supplier</li>
</ul>



<p class="">Each Supplier Quality Agreement should be tailored to the specific supplier. Quality Agreements typically need a higher level of control and are reviewed by a company’s legal department, so it’s best to have discussions with companies beforehand to understand who will be included in sign-offs.</p>



<h4 class="wp-block-heading" id="change-notification-agreements"><strong>Change Notification Agreements</strong></h4>



<p class="">Change Notification Agreements are one piece of a Quality Agreement that is specifically required by ISO 13485.&nbsp;</p>



<p class="">From section 7.4.2:</p>



<p class="">“<em>Purchasing information shall include, as applicable, a written agreement that the supplier notify the organization of changes in the purchased product prior to implementation of any changes that affect the ability of the purchased product to meet specified purchase requirements.</em>”</p>



<p class="">If you are going to put a Supplier Quality Agreement in place with a company, it&#8217;s best to include the Change Notification Agreement in that document. However, for lower-risk suppliers who may not have a full agreement in place, you should still obtain a Change Notification Agreement.</p>



<p class="">The good news is that many large medical device suppliers, with whom it may be difficult to obtain written agreements, already have a change notification system in place. Take this example from Sigma Aldrich with their <a href="https://www.sigmaaldrich.com/US/en/life-science/quality-and-regulatory-management/change-notification-program" data-type="link" data-id="https://www.google.com/url?q=https://www.sigmaaldrich.com/US/en/life-science/quality-and-regulatory-management/change-notification-program&amp;sa=D&amp;source=docs&amp;ust=1739735810536255&amp;usg=AOvVaw1ideRLt1J2Fdd7fIMsCPoX" target="_blank" rel="noopener">M-Clarity program</a>. If the supplier you are working with has a public change notification system, I’d highly recommend documenting this in your supplier management system instead of obtaining a separate agreement if possible.</p>



<p class="">The type of Change Agreement will also depend on the specific supplier and material/service being purchased.&nbsp;</p>



<p class="">With custom products, the Change Agreement may specify that the supplier will not make any changes unless they have written approval from your company. However, with off-the-shelf components, this may be impossible to obtain, and the agreement can be limited to the supplier notifying the company before any changes are made.</p>



<p class="">What types of changes should be included in a Change Notification Agreement?</p>



<p class="">Just like a company’s <a href="https://hardcoreqms.com/13485/medical-device-change-control/" data-type="post" data-id="541">change control process</a>, some of the types of changes that should be included in the agreement include:</p>



<ul class="wp-block-list">
<li class="">Facility changes</li>



<li class="">Changes to specifications</li>



<li class="">Material changes</li>



<li class="">Packaging changes</li>



<li class="">Labeling changes</li>



<li class="">Supplier changes</li>



<li class="">Process changes</li>
</ul>



<p class="">The timeline of the notification will also vary based on the supplier&#8217;s commitments. From a customer perspective, it&#8217;s best to be notified as early as possible about any upcoming changes. For changes to specifications, three to six months is typical. However, larger changes, such as changing a facility or material, might require a longer notification period. The specific timeline should be detailed in the agreement.</p>



<h2 class="wp-block-heading" id="choosing-suppliers-and-gathering-information"><strong>Choosing Suppliers and Gathering Information</strong></h2>



<p class="">Once your supplier evaluation process is in place, you can start finding and qualifying suppliers.&nbsp;</p>



<p class="">Initially, you need to find companies that provide the type of materials or services that you need. This can be done through Google searches or contacts in or around your organization. There is no point in qualifying a supplier and going through the process of adding them to your ASL if they aren’t capable of providing the product you need.&nbsp;</p>



<p class="">After you have some potential suppliers picked out, it’s common for a cross-functional team, including Purchasing, Engineering, and Quality, to meet with the supplier. Each of these departments will be heavily involved with the supplier, so it’s useful for all of them to gather relevant information on the supplier.&nbsp;</p>



<p class="">Some of the questions you are looking to get answered are:</p>



<ul class="wp-block-list">
<li class="">Are they capable of producing products to your specifications?</li>



<li class="">Do they have the capacity to meet your needs?</li>



<li class="">Will they be able to meet your supplier evaluation criteria?</li>



<li class="">Are there any major changes coming to the organization, such as being bought out or moving locations?</li>
</ul>



<p class="">You can also assess any public or private information on the reputation and expected reliability of the supplier.&nbsp;</p>



<p class="">While cost can be a major factor in choosing a supplier, it should never be what decides a supplier (this is called out specifically in different documents, including the MDSAP audit approach). For this reason, avoid all mentions of cost in your quality-related supplier documentation.</p>



<p class="">At this stage, especially if a meeting isn&#8217;t conducted, it’s also typical to send a supplier survey to the company to document information related to their Quality Management System.</p>



<p class="">When you are preparing to move forward with a supplier, you’ll need to gather all of the information required by your supplier evaluation criteria. But before you reach out to the supplier, search their website for any of your listed requirements.</p>



<p class="">A large percentage of companies in the medical device space have their FDA registration number and ISO certification listed on their websites. They may also have a standard supplier survey and change notification system available.&nbsp;</p>



<p class="">Make sure you check their website for this information before sending out requests! If a supplier has a current ISO 13485 certification easily available, it shows a lack of empathy to ask for it by email. You want to maintain a good relationship with the supplier, and they have already demonstrated that they are making it easier for you!</p>



<p class="">However, if the supplier does not have their certifications or FDA registration number publicly available, it is appropriate to reach out to them to gather those records.</p>



<p class="">If all the departments are happy with the information they have received from the supplier, you can move forward to the more resource-heavy elements of supplier qualification.</p>



<p class="">If they are providing a product, you can request a first article to ensure it meets specifications. If the supplier is high-risk, you can schedule or perform the supplier audit.</p>



<p class="">This is also the time to get the Quality Agreement drafted and in place. Once that is signed, you can celebrate since it’s time to add the supplier to your ASL!</p>



<h3 class="wp-block-heading" id="supplier-surveys"><strong>Supplier Surveys</strong></h3>



<p class="">This is a personal note, but I&#8217;m not a fan of supplier surveys. I believe they rarely add value to the supplier management process or organization, slow down evaluation, and start the supplier relationship on a bad foot.&nbsp;</p>



<p class="">Ultimately, you need a record that the supplier can make the product you want and meet your order timelines. However, if I go to a supplier’s website and it says: “We are an ISO 13485 certified injection molded part supplier”, and then I send them a survey that asks: “Are you ISO Certified?” and “What do you make?”, all I’ve done is create busy work for their Quality person.</p>



<p class="">In my opinion, you should be creative in how you meet this requirement. If you are meeting remotely with the supplier, ask them if you can record the meeting and save it with their record. Or, just take notes on the meeting and see if all of the necessary questions are answered. Perform a website review and document your findings.&nbsp;</p>



<p class="">If they ask for a survey, sure, send them a survey. Outside of that, I do not believe surveys are the best way of gathering information about suppliers and that talking to the supplier is far more effective. As mentioned earlier, this can include an informal on-site visit.&nbsp;</p>



<p class="">Neither ISO 13485, MDSAP, nor the FDA or any other regulation that I know of says: “You must have a completed supplier survey on your company’s letterhead.” There is information you must have documented, and it is up to you as the quality professional to justify your approach to an auditor or notified body.</p>



<h2 class="wp-block-heading" id="supplier-management-and-monitoring"><strong>Supplier Management and Monitoring</strong></h2>



<p class="">Is the supplier management process complete once the supplier has been evaluated and added to your ASL? Absolutely not. In fact, it’s just getting started.&nbsp; At this point, it&#8217;s time to start monitoring and re-evaluating your supplier as necessary.</p>



<p class="">Supplier monitoring hinges on some key aspects of a supplier’s performance.</p>



<ul class="wp-block-list">
<li class="">Is the purchased product meeting the stated specifications?</li>



<li class="">Is the supplier fulfilling other obligations that have been listed in the Quality Agreement (sending batch reports or validation information)?</li>



<li class="">Is the supplier shipping products by agreed-upon deadlines?</li>
</ul>



<p class="">So how do you monitor suppliers? The <a href="https://www.fda.gov/medical-devices/medical-device-single-audit-program-mdsap/mdsap-audit-procedures-and-forms" data-type="link" data-id="https://www.fda.gov/medical-devices/medical-device-single-audit-program-mdsap/mdsap-audit-procedures-and-forms" target="_blank" rel="noopener">MDSAP audit approach</a> includes the following activities for monitoring suppliers:</p>



<p class="">“<em>supplier re-audits, statistical analysis of incoming acceptance results, monitoring of complaints and nonconformities related to supplied product, independent confirmation of certificate of conformance data, and consideration of the supplier’s responses to requests for corrective action</em>”</p>



<p class="">As with everything medical device related, the breadth and frequency of monitoring will depend on the risk level of the supplier. High-risk suppliers will need more frequent re-audits and monitoring of material, while for low-risk suppliers, you may need to do occasional reviews of the nonconformities and complaints.</p>



<p class="">A supplier scorecard can be a useful way of documenting your monitoring and re-evaluation of suppliers.</p>



<p class="">Taking the monitoring activities listed above, build a specific weighted scoring approach for each element. For example, it is important that a supplier ships material on time, but it is more important that the material a supplier ships is correct.&nbsp;</p>



<p class="">Using the score, you can put the suppliers into different categories such as <strong>preferred, acceptable, </strong>and <strong>at-risk. </strong>A preferred supplier may be the go-to supplier if you need a similar product or service in the future, and an at-risk supplier may be a supplier you are looking to replace.</p>



<p class="">Also, as part of your supplier re-evaluation process, you should ensure that the supplier&#8217;s certification status has not changed and that you have a record of their current certificate on file.</p>



<p class="">We’ll talk about SCARs down below, but I will note that I like the comment on SCARs in the MDSAP section I included. It is reasonable to have monitoring criteria that include the number of SCARs, and a surplus of SCARs should have you looking for a new supplier.</p>



<p class="">However, if you send one SCAR to a supplier and they become defensive and dismissive, I believe that supplier is worse than a supplier who has received three SCARs but has sent back excellent results each time and shown improvement.&nbsp;</p>



<p class="">You should be trying to build healthy, long-standing relationships with suppliers. At times, you might need to visit a supplier on-site and help them through processes related to your products. If you do this, you will build a better, more resilient product in the long run, as opposed to jumping to different suppliers and starting over every time there are issues.</p>



<h2 class="wp-block-heading" id="supplier-nonconformances-and-sca-rs"><strong>Supplier Nonconformances and SCARs</strong></h2>



<p class="">Another aspect of supplier management is addressing the non-fulfillment of purchasing requirements with suppliers. In the medical device industry, this is handled by sending your supplier a Supplier Corrective Action Request (SCAR).&nbsp;</p>



<p class="">A SCAR is the supplier version of a CAPA and is a request by the company to have the supplier open a corrective action related to the company’s product.&nbsp;</p>



<p class="">This is one reason it is useful to work with suppliers who are ISO certified, as you can be confident that they have a corrective action process in place to address issues. If they are not ISO certified, there is no harm in walking the supplier through the expected process to try and fix the problem.</p>



<p class="">There are many different reasons a SCAR might be initiated. It could be from a batch of incoming products that does not meet specifications. It could be an output of a <a href="https://hardcoreqms.com/13485/management-review-iso-13485/" data-type="post" data-id="301">Management Review Meeting</a>.&nbsp;</p>



<p class="">A SCAR could also be raised as the result of the supplier monitoring process. At times, a supplier being behind schedule or sending incorrect quantities might just be noted and communicated to the supplier. However, a pattern of this behavior might be escalated to a SCAR.</p>



<p class=""><strong>Should you send a SCAR form managed by your company to the supplier?</strong></p>



<p class="">My preference is that if you are working with an ISO-certified supplier, they (hopefully) have a CAPA system in place. Many companies use different eQMS software to manage their CAPAs, and if not, they should be recording the CAPA on specific forms within their QMS.&nbsp;</p>



<p class="">Ask the supplier and see if they have a system in place that can send you a record of their CAPA. Since all of the steps of a CAPA are generally the same, this record should be able to meet your requirements. Making your supplier take all of their information and copy it into your form is another way of unnecessarily building bad blood with a supplier. But, if they do not have a form available, it&#8217;s fine to send them documentation to complete the activities.</p>



<h2 class="wp-block-heading" id="supplier-documentation"><strong>Supplier Documentation</strong></h2>



<p class="">Everything you do related to supplier management should be documented.</p>



<p class="">Not only will you need to have a procedure in place for supplier evaluation and monitoring, but you should also have records of your actions related to these activities.&nbsp;</p>



<p class="">Outside of a supplier evaluation form (or similar electronic record), you will need to maintain copies of up-to-date supplier certifications, audit reports, surveys, supplier-provided documents (the supplier-controlled surveys and change notifications I mentioned), SCARs, and other actions related to suppliers.</p>



<p class="">And most importantly, your ASL should always be accurate and up-to-date.</p>



<p class="">A good eQMS system can go a long way in making supplier management simpler. Either way, you need to document everything you are doing related to suppliers.</p>



<h2 class="wp-block-heading" id="wrapping-up"><strong>Wrapping Up</strong></h2>



<p class="">Supplier management is a crucial aspect of producing high-quality medical devices. ISO 13485 and medical device regulations expect you to select, qualify, and monitor your suppliers to ensure you have control over what is going into your products. By following this guide, you can set your company up for success and nail supplier management.</p>



<p>The post <a rel="nofollow" href="https://hardcoreqms.com/13485/medical-device-supplier-management/">Effective Supplier Management for Medical Devices (ISO 13485 7.4.1)</a> appeared first on <a rel="nofollow" href="https://hardcoreqms.com">Hardcore QMS</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://hardcoreqms.com/13485/medical-device-supplier-management/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">613</post-id>	</item>
	</channel>
</rss>
