The Road To ISO 13485 Certification: Tips For Effective Audits
Joanne Rupprecht, senior vice president, regulatory and quality at Boulder iQ, shares insights into ISO 13485 certification procedures in her latest article in meddeviceonline.com:
“We all know a moving target is hardest to hit. Whether it’s a high-speed tennis ball or an audit, keeping your eye on the target at all times is the key to success.
Even the mention of the term “audit” can send people cowering under their desks. Indeed, the variety of quality and safety standards and requirements medical device manufacturers must adhere to can be overwhelming, especially if operations are international as well as domestic. But there are ways to prepare for and conduct an audit that will keep you out from under the desk and produce positive results.
Understanding ISO 13485
ISO 13485 is one of many International Organization for Standardization (ISO) standards, and it is specific to the expectations and requirements for a compliant medical device quality management system in the medical device industry. Against that background, the next step is to understand the base requirements of the ISO 13485 standard and its relationship to 21 CFR Part 820, the Quality System Regulation (QSR), which codifies the expectations and requirements of the FDA. The QSR is the regulation that ensures all medical devices created and developed within the United States are safe and follow satisfactory quality processes throughout their development.
Currently, compliance with ISO 13485 is voluntary, while compliance with the QSR is not. In fact, medical devices are considered “adulterated” if the associated quality management system (QMS) is not compliant with the QSR. Yet, the significance of ISO 13485 certification becomes more apparent given that compliance with that standard can serve as evidence of a compliant QMS during FDA audits. And, in early 2022, the FDA proposed an amendment to the QSR that will incorporate ISO 13485. While this will likely not take place until at least 2024, the movement is an indication that ISO 13485 audits will become more common.
The Importance Of ISO 13485 Audits
When a notified body conducts an audit for purposes of ISO 13485 certification, the intent — to the surprise of some people — is not to find fault but rather to assess a device manufacturer’s processes against the ISO 13485 standard and identify areas for improvement.
Still, heading into an audit can be nerve-wracking. No one wants to fall short of expectations — their own, their company’s, and those of the notified body requesting the audit. Common concerns when going into an ISO 13485 audit include:
- inadequate preparation of facility and staff,
- inability to answer the auditor’s questions,
- regretting an answer provided to an auditor’s question,
- lack of complete documentation available upon request, and
- an out-of-compliance finding.
In truth, some of these concerns are well-founded. The most common ISO 13485 audit observations include non-adherence to policies, processes, and procedures and inadequate or inaccurate records. The best way to allay concerns and increase chances of avoiding those out-of-compliance findings is to prepare, prepare, prepare.
Best-Practice Tips
- Know your stuff! Understanding the standard is essential for any medical device manufacturer. Buy the standard, and make sure it’s the latest version, including all amendments. Get to know it well.
- Become familiar with the resources offered by the ISO’s Committee on Conformity Assessment.
- Implement the standard in internal processes and procedures. Working with ISO 13485 is really all about designing, implementing, maintaining, and improving the quality management system of your organization around its requirements. While there’s no doubt that notice of an audit can elevate these actions, implementation should be an ongoing process.
Organizations should, as best practice, always be preparing for an audit through good documentation practices (GDPs). From an audit perspective, GDPs allow:
- transfer of consistent information among internal and external parties,
- auditors to understand a project’s history, assess the performance of obligations, and verify compliance,
- auditors to reverse-engineer any steps in the device’s development, and understand the reasoning,
- more efficient personnel training and cross-training, and
- creation of internal standards upon which continual improvements can build.
Each manufacturer must apply good judgment to determine how best to implement GDPs, but one basic rule applies: When it comes to an audit, if what you are doing isn’t written down, it doesn’t exist. To the extent it is written, but not done, it is documenting your noncompliance.
- Educate. Each person in a medical device manufacturing facility needs to understand the expectations of ISO 13485 (and the QSR). Preparing for an audit is everyone’s job, and each person needs to incorporate the standard into their day-to-day activities, processes, and procedures. Taking these steps, along with proactive education and training on ISO 13485 expectations, is essential in preparing for an audit.
Tips: Upon Scheduling Of An Audit
- Obtain the audit plan. After the audit has been scheduled, request a detailed audit plan from the notified body conducting the audit. This plan serves as a road map for what documentation and records will be reviewed in the audit. It should include the audit’s scope, materials requested in advance, and a request to access the site. The plan also should address any previous nonconformities or opportunities for improvement, providing a guide for anyone working on those improvements to complete their work. Typically, a company will receive the audit plan several weeks — or even months — in advance of the requested time period for the audit.
- Distribute the audit plan. An audit is a team sport. Establish open communication channels. Make sure each member of the team feels that they are in a safe environment and can disclose and address any issues at any time. If each person understands the goal and scope of the audit, they will be ready when the time comes for assessment of the processes, procedures, and timelines for which they are responsible.
- Review one of the many ISO 13485 audit checklists available online. Even better, request one directly from the notified body conducting the audit, and review it thoroughly with your internal audit team. Alternatively, you can create your own checklist by reviewing the ISO 13485 standard itself.
- Organize, declutter, clean. Allow adequate time to clean and organize all work spaces and files. Get all records in order so that you can respond to questions and requests quickly and easily, in a focused manner. This will help avoid “audit creep” into areas outside the stated scope.
Tips: During The Audit
- Rest up. It may sound basic, but make sure everyone is well-rested and well-fed before beginning the audit. The most valuable components in an ISO 13485 audit are good attitudes, open eyes, and readiness to respond.
- Request permission to record the audit interactions. If not allowed, designate a good note-taker. Also designate an audit lead to check in with the auditor often to make sure they have everything they need.
- Make sure employees are ready and available for any requested interviews. Keep a list of subject matter experts the auditor can speak with on specific topics. Each employee should be prepared to retrieve applicable records and to demonstrate processes and procedures pertinent to their job, if asked.
- Address questions succinctly. Respond to any questions with the detail necessary — no more. Do not offer or prepare information unless it is specifically requested. It is often in an awkward silence that auditors obtain information that is not always to the benefit of the organization. If you don’t know the answer, be honest and say so. Find the person who can answer the question or, if necessary, explain that you don’t have the information but will obtain it. A deferred answer is better than a wrong answer.
- Exercise caution in questioning or pushing back on a potential finding. Adopt an attitude of openness, transparency, and learning. Constructive dialogue can result if all parties can walk away feeling heard and understood. Sometimes, that in itself is a victory.
- Look forward to the closing meeting. It represents an important learning opportunity. You will learn that you have met expectations or have fallen short. Either way, the information you garner will improve future operations.
Audit Interview Do’s And Don’ts
Do…
- Be polite, but limit casual conversation.
- Answer questions completely, directly, and honestly with supportable facts. Steer clear of opinion.
- Respectfully disagree when appropriate; ask for clarification.
- Offer responses of “I do not know” or “I do not remember,” if appropriate, followed with when you will have the information or a referral to the correct subject matter expert.
- Keep an inventory and a copy of anything you provide the auditor.
- Show only one record at a time, if possible.
- Correct any errors in speaking as soon as possible to avoid miscommunication.
- Note any questions you were uncomfortable answering or would have answered differently in retrospect.
- Conduct a short daily internal debrief during the audit.
- Expect what you say to be documented. There is no such thing as “off the record” in an audit.
Don’t…
- Misrepresent the truth or leave out important facts.
- Correct a colleague in front of the auditor.
- Correct documents when reviewing them with the auditor.
- Guess or make up an answer.
- Volunteer more information than necessary.
- Feel like you have to fill dead air.
- Question the auditor’s authority, argue, or raise your voice.
- Agree to or volunteer to change a policy or procedure during the audit.
- Refer to uncontrolled documents.”
Please find the complete article here.
For further information please get in touch with us:
+49-176-57694801
How To Update My QMS For FDA QMSR Amendment Compliance?
Mark Allen Durivage, principal consultant at Quality Systems Compliance LLC, wrote in the current issue of meddeviceonline: “Now that the FDA has officially announced its intention to harmonize and modernize 21 CFR Part 820 Quality Management System Regulation (QMSR) for medical devices, the question is: What do I need to do to my quality management system (QMS)? If your QMS is based on the requirements of ISO 13485:2016, I suggest downloading 21 CFR Part 820 QMSR and analyzing where your current QMS may need updates to ensure compliance. I would recommend purchasing a copy of ISO 13485:2016 Medical devices – Quality management systems – Requirements for regulatory purposes and ISO 13485:2016 – Medical Devices – A Practical Guide, reading them, and performing a comprehensive gap analysis (assuming your current QMS was based on the requirements of 21 CFR Part 820).
ISO 13485:2016 contains eight major clauses, including:
- Scope
- Normative References
- Terms and Definitions
- Quality Management System
- Management Responsibility
- Resource Management
- Product Realization
- Measurement, Analysis, and Improvement
Each clause contains the requirements as well as sub-clauses, which support the main clause by providing the details of the standard’s requirements for a QMS. For the purposes of this article, 21 CFR Part 820 will be referred to as the regulation and ISO 13485:2016 will be referred to as the standard. I will highlight the differences in each section of the standard and the procedures that will have to be modified to be compliant with the updated regulation, as well as the additional requirements necessary for the standard to be compliant with the regulation.
1. Scope
The standard applies to organizations that provide services including design and development, production, storage and distribution, installation, or servicing of a medical device and suppliers providing product, including QMS-related services. The regulation applies to finished devices and contract sterilization, installation, relabeling, remanufacturing, repacking, or specification development, as well as initial distributors of foreign entities that perform these functions. Organizations that manufacture parts or components of finished medical devices are not required to adopt the regulation but are encouraged to do so.
The FDA will still have the ability to grant exemptions or variances; however, that will not relieve the organization of following the requirements of the standards for the purposes of certification.
The FDA will still maintain inspectional jurisdiction over organizations regardless of their standard certification status. Additionally, the FDA will not issue certification to the standard or regulation. Generally, if an organization is not subject to the requirements of 21 CFR Part 807 Establishment Registration and Device Listing for Manufacturers and Initial Importers of Devices, the probability of the FDA inspecting your facility is negligible regardless of ISO 13585 certification status.
Modifications to the scope of the requirements include clarifications that conflicting regulations that are more specific take precedence only to the extent of the conflict.
The changes made here should not have any impact on the QMS documentation and are provided for clarification.
2. Normative References
ISO 9000:2015 Quality management systems – Fundamentals and vocabulary, the standard, and the regulation should be listed in Section 2, Normative References of the Quality Manual to aid auditors and inspectors during audits and official regulatory inspections.
3. Terms and Definitions
The terms and definitions found in ISO 9000:2015 Quality management systems – Fundamentals and vocabulary, the standard, and the regulation will apply. However, the definitions in the regulation will take precedence. These documents should be listed in Section 3, Terms and Definitions of the Quality Manual, along with any company specific terms, to aid auditors and inspectors during audits and official regulatory inspections.
4. Quality Management System
The failure to comply with any applicable requirement in the regulation renders a device adulterated under section 501(h) of the Federal Food, Drug, and Cosmetic Act. Such a device, as well as any person responsible for the failure to comply, is subject to regulatory action. This is in addition to any action that may be taken by the ISO certifying body.
The standard requires the organization to document a Quality Manual, which was not previously required by the regulation. The Quality Manual should describe at a high level how your organization complies with the standard, the regulation, and other applicable regulatory requirements. The Quality Manual should not be a regurgitation of the standard and the regulation. Any exclusions and non-applicabilities should be documented, with appropriate justification provided. A best practice is to include a compliance matrix with maps showing how and where your QMS addresses each requirement of the standard and the regulation to aid auditors and inspectors during audits and official regulatory inspections.
The regulation requires the manufacturer to document a QMS that complies with the requirements of the standard and the regulation and the following regulatory requirements as applicable:
- 21 CFR Part 803 Medical Device Reporting
- 21 CFR Part 806 Medical Devices; Reports of Corrections and Removals
- 21 CFR Part 821 Medical Device Tracking Requirements
- 21 CFR Part 830 Unique Device Identification
I suggest, as applicable, listing these additional regulatory requirements in Section 2, Normative References of the Quality Manual.
Your Control of Records standard operating procedure (SOP) must require the signature of everyone who approves or re-approves records (paper or electronic) and the date of the approval.
Your Control of Records SOP and/or External Inspections SOP should specify that records deemed confidential should be marked as such to aid the FDA in determining whether the information contained in the record may be disclosed to the public.
5. Management Responsibility
With the adoption of the standard, there will be a greater emphasis on identifying, analyzing, evaluating, controlling, and monitoring risk throughout the product life cycle to ensure that the devices are safe and effective. Management will be responsible for ensuring risk management and risk-based thinking are considered throughout the entire QMS, including planning, outsourcing, design and development, traceability, purchasing controls, acceptance activities, production and process controls, servicing, installation, analysis of data, and corrective and preventive actions (CAPA).
The regulation defines Top Management as those senior employees of a manufacturer who have the authority to establish or make changes to the manufacturer’s quality policy and quality management system. This position was previously referred to as management with executive responsibility. Update your Quality Manual and SOPs including Management Responsibility, Management Review, Reporting to Regulatory Authorities, etc., to reflect the use of the appropriate terminology, top management.
6. Resource Management
No specific differences exist between the requirements of the standard and the regulation, with the exception of the potential application of risk management and risk-based thinking.
7. Product Realization
Your Communications SOP should reference 21 CFR Part 806 Medical Devices; Reports of Corrections and Removals and how your organization will communicate with customers and the FDA in the event of a correction or removal as applicable.
Your Design and Development SOP will need to require the application of design controls to class II, class III, and certain class I devices.
The regulation’s requirement for a design review requiring an individual(s) who does not have direct responsibility for the design stage being reviewed has not been transferred to the standard. However, you may want to consider adding this best practice to your Design and Development SOP.
Your Control of Production and Service Provision SOP will need to require the recording of the unique device identifier (UDI) for each medical device or batch of medical devices in the device history record (DHR).
You will need to update your Labeling and Packaging SOP to ensure labeling and packaging have been examined for accuracy prior to release or storage and, where applicable, to include the following:
- The correct UDI or universal product code (UPC), or any other device identification(s);
- Expiration date;
- Storage instructions;
- Handling instructions; and
- Any additional processing instructions.
The release of the labeling for use must be documented by obtaining the signature of everyone who approves the release (paper or electronic) and the date of the release.
Your Labeling and Packaging SOP must also ensure labeling and packaging operations have been established and maintained to prevent errors, including, but not limited to, inspection of the labeling and packaging immediately before use to assure that all devices have correct labeling and packaging, as specified in the medical device file. The results of labeling inspection must be documented by obtaining the signature of everyone who approves the release (paper or electronic) and the date of the release.
You will need to update your Servicing SOP to ensure the following information is recorded for servicing activities:
- The name of the device serviced;
- Any UDI or UPC, and any other device identification(s);
- The date of service;
- The individual(s) who serviced the device;
- The service performed; and
- Any test and inspection data.
Your Identification and Traceability SOP will need to document a system to assign a unique device identification to the medical device in accordance with the requirements of 21 CFR Part 830 Unique Device Identification.
You will also need to update your Identification and Traceability SOP. Traceability requirements from the standard for implantable medical devices will now additionally apply to devices that support or sustain life or for those for which the failure to perform, when properly used in accordance with instructions for use provided in the labeling, can be reasonably expected to result in a significant injury. Additionally, your Identification and Traceability SOP should reference 21 CFR Part 821 Medical Device Tracking Requirements and define the process for tracking such devices as applicable.”
Please find the complete article here.
Don’t Let Data Integrity Be Your Achilles’ Heel
MasterControl recently published an article by Gina Guido-Redden showing that the FDA has been actively defining detailed expectations for data integrity since 1997, when it supplemented 21 CFR Part 211’s predicate rules on records and record keeping by publishing Title 21’s first set of regulations directly defining the rules for electronic records and electronic signatures (21 CFR Part 11). However, more than a decade passed before its first guidance document on this topic was released. In addition to the FDA’s recently published guidance on data integrity, industry has also received formal guidance documents from the Pharmaceutical Inspection Co-operation Scheme (PIC/S), the Medicines and Healthcare products Regulatory Agency (MHRA), the European Medicines Agency (EMA), and the World Health Organization (WHO). It’s clear that everyone is publishing on the same topic at the same time, and they are saying the same thing: our data lacks integrity, and the regulators want that to change.
Please read the full article here