European Union Medical Device Regulation: December 2014

Thursday, December 25, 2014

Internal Quality Audit

A medical device company should have a robust internal quality audit program which consists of procedure, internal audit team, plan, quality audit checklist to audit the quality system regularly.

For quality audit plan: Quality Assurance (QA) should be responsible for the planning and scheduling of internal audits of the quality system, manufacturing processes and products. QA should establish audit frequency. The audit frequency is often based on the importance of manufacturing processes, products and areas. Should there be customer complaints, internal and external nonconformities regarding a product and process, internal audit for that area of interest should be carried out as well.

Internal audit should be performed at the very least once a year or semiannually or quarterly. I had observed some medical device company performed internal audit monthly, but only on a specific section of the quality system. For example, January on Design Verification and February on CAPA.

The internal quality audit plan should be mapped out clearly in a matrix with all the quality system elements like that of 21 CFR 820 and ISO 13485. In this plan, there should be responsible group who will be performing the internal audit on the desired date of the audit.

The audit team should consist of qualified, experienced and independent quality auditors who are very well versed in the quality system about to be audited. Audit team should not succumb to internal pressure so they may water down the internal audit report. I had basically seen this occurrence where the marketing group had complaint to the top management that the severity of the internal audit causes slowness in releasing product and therefore the internal audit did not perform the job they should be doing. The internal audit team should perform the job without fear or favor.

During the audit, auditors seek objective evidence demonstrating whether the audited activities conform to the requirements of the documented quality system, and whether the system is effectively implemented and maintained. When nonconformity is noted, it is brought to the attention of, and discussed with, the responsible individual of the department in question.

Before the end of the audit, each noted nonconformity is documented using the Audit Nonconformity Report form. Auditors fill out only the first part of the form, describing the noted nonconformity. The form is then handed over to the responsible individual who uses its second part to propose a corrective action.

Documentation and record: Internal audits, implementation of resulting corrective actions, and follow-up audits are documented using the audit nonconformity report form.

At the end of an auditing cycle, all nonconformity reports established during the cycle are compiled and analyzed, and are presented at the management review meeting.

Reference	Criteria
ISO 13485 8.2.2	Does the company conduct internal audits at planned intervals to determine whether the quality management system conforms to the planned arrangements?
ISO 13485 8.2.2	Does the company conduct internal audits at planned intervals to determine whether the quality management system conforms to the requirements of ISO 9001:2000?
ISO 13485 8.2.2	Does the company conduct internal audits at planned intervals to determine whether the quality management system conforms to the quality management system requirements established by the company?
ISO 13485 8.2.2	Does the company conduct internal audits at planned intervals to determine whether the quality management system is effectively implemented and maintained?
ISO 13485 8.2.2	Are the company’s audit programs planned? Do the audit programs take into consideration the status and importance of the processes and areas to be audited? Do the audit programs take into consideration the results of previous audits?
ISO 13485 8.2.2	Are the audit criteria, scope, frequency, and methods defined? Does selection of auditors and conduct of audits ensure the objectivity and impartiality of the audit process?
ISO 13485 8.2.2	Does the audit process ensure that auditors do not audit their own work? Are the responsibilities and requirements for planning and conducting audits, and for reporting audits and maintaining records, defined in a documented procedure?
ISO 13485 8.2.2	Does management responsible for the area being audited ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes? Do follow-up activities include the verification of the actions taken and the reporting of verification results?

Disclaimer: Although the author had exhaustively researched all sources to ensure the accuracy and completeness of the information contained in this blog, but no warranty and fitness is implied. I assumed no responsibility and implied warranty of any kind for errors, inaccuracies, omission, or any inconsistency herein. No liability is assumed for incidental or consequential damages in connection with the use of the information contained herein. Readers should always use their own judgment and review all related regulatory guidelines. Guidelines can change over time.

Saturday, December 13, 2014

Traceability

Basically, traceability is based on identifying the finished product with unique control numbers. It is a regulatory requirement. This traceability is useful should there be a product recall.

The extent of traceability includes

· Serial or batch numbers.

· identification of Purchase Order for critical materials and components used;

· Identification of key processes and inspection equipment and their operators;

· Inspection and testing results and identification of inspectors;

· Identification of personnel performing final labeling operations.

The actual traceability information required for a given medical device should be able to be called out in the production work order for this product. Typically in this day and age, there are several enterprise software like SAP to help sponsor manage all the traceability information.

Traceability Records for purchased materials and components. Their origination and verification records, such as certificates of analysis, testing inspection reports supplied with the product, etc., are linked to the products through their purchase orders. Purchase Orders are maintained by Purchasing. Purchasing department must keep all of these records for a certain period even after the product is discontinued. It is because there might be old product out in the market.

Traceability Records for finished products can be achieved by the work order. Work order is the main traceability record linking the product to its production history. Some data may also be recorded in logs, tables, or databases associated with particular workstations or processes. Work orders and any additional traceability records are maintained in the Device History Record (DHR) or Lot History Record (LHR).

Sponsor should also have a recall plan to test the efficiency of the traceability program. Perform a mock recall periodically.

Reference	Criteria
ISO 13458 7.5.3	Where traceability is a requirement, does the company control and record the unique identification of the product?
ISO 13458 7.5.3.2.1	Has the company established documented procedures for traceability? If appropriate, is traceability of products ensured contractually in those cases where external parties are used for the distribution of CE-marked products?
ISO 13458 7.5.3.2.2	Has the organization included records of all components, materials and work environment conditions, in defining the records required for traceability, if these could cause the medical device not to satisfy its specified requirements?
ISO 13458 7.5.3.2.2	Has the organization required that its agents or distributors maintain records of the distribution of medical devices to allow traceability and that such record are available for inspection?
ISO 13458 7.5.3.2.2	Has the organization ensured that the name and address of the shipping package consignee is maintained (see 4.2.4)?

Thursday, December 11, 2014

Identification

To be in compliance with this section of identification, sponsor should always establish procedures and protocols to provide a system and instruction for product identification. Product identification not only apply to finished products, but should also apply to materials, parts, subassemblies and other critical components.

Sponsor should establish part number and device configuration record and traceability record. Purchased materials, parts and components are identified with unique numbers, codes, or names. The identifications should be maintained while the ‘products’ are in the production, finished product, storage and even at consumers locations. In the present day, there are many software which can help sponsor to identify all the parts like SAP.

Identification should be performed during production. During all stages of production, manufactured parts and subassemblies are identified by the work order. Work orders accompany products as they move from one workstation or production process to the next.

Identification should be performed during finished product. Finished products are identified by a label that is permanently affixed to the product. The identification label includes the name and model of the product; the name, address and phone number of the manufacturer; and the serial or lot number.

The identity of the product sold to each customer should also be tracked in a software system like SAP. Should there be a product recall or field advisory, it will be a lot easy for the sponsor to do so.

Identification of Returned Product: Products returned for servicing are brought to the receiving desk in the servicing department and are tagged with the service job number. New products returned for exchange, refund or for any other reason are labeled HOLD and are placed in a designate a holding (quarantine) area before moving redistribution area or being repaired.

Reference	Criteria
ISO 13485 7.5.3	Has the company identified the product by suitable means throughout product realization?
ISO 13485 7.5.3.1	Has the company identified the product by suitable means throughout product realization, and established documented procedures for such product identification?
ISO 13485 7.5.3.1	Has the company established documented procedures to ensure that medical devices returned to the company are identified and distinguished from conforming products?
ISO 13485 7.5.3.3	Does the company identify product status with respect to monitoring and measurement requirements?
ISO 13485 7.5.3.3	Is the identification of product status maintained throughout production, storage, installation and servicing of the product to ensure that only product that has passed the required inspections and tests (or released under an authorized concession) is dispatched, used or installed

Sunday, December 7, 2014

Document Control

The whole point of this section ‘Document Controls” are nobody can simply revise and approve any procedure and documents. All new revision of procedures, documents, protocol, manufacturing processes must be well thought of and be implemented effectively throughout the whole organization.

Associates whom have been effectively trained on the documents can perform a task according to the procedure. Therefore, a new revision or a new document should have the approved status and effective status. Approved status is to show the document is only ready pending all the employees are trained effectively, then the document is changed to a status of ‘effective’ with a date. Then, the document is ready for the whole organization.

Each stage of a document must be indicated as either ‘DRAFT’, ‘Controlled’ or OBSOLETE’. Only approved documents can be used. Effective date of each document must be conspicuously shown on the document or the effective date is easily accessible. It is not uncommon for careless associate to work on the old revision of a procedure resulting in a messy deviation. This obsolete document must be marked ‘OBSOLETE” and be removed promptly from being inadvertently used.

Any change to each document must be performed according to corporate procedure. It is critical to get all related departments managers involved to ensure the change can be reviewed, edit, approved and implemented.

A sponsor should have a document control department to ensure all new documents are initiated, edited and written properly and present documents revised accordingly. There should not be any obsolete document floating around.

Because there can be hundreds of documents in the organization from quality policy, procedures, work instructions, drawings, training record, verification and validation protocols and report, manufacturing processes, etc. It is important that medical device company to have a system to manage all the documents. There are many software out there to manage all the documents. Master Control is one of them.

Reference	Criteria
ISO 13485 4.2.1	Does the quality management system documentation include documents needed by the company to ensure the effective planning, operation, and control of its processes?
ISO 13485 4.2.3	Are the documents required by the quality management system controlled?
ISO 13485 4.2.3.a	Has a documented procedure been established to define the controls needed to approve documents for adequacy prior to issue?
ISO 13485 4.2.3.b	Has a documented procedure been established to define the controls needed to review, update as necessary and re-approve documents?
ISO 13485 4.2.3.c	Has a documented procedure shall be established to define the controls needed to ensure that changes and the current revision status of documents are identified?
ISO 13485 4.2.3.d	Has a documented procedure been established to define the controls needed to ensure that relevant versions of applicable documents are available at points of use?
ISO 13485 4.2.3.e	Has a documented procedure been established to define the controls needed to ensure that documents remain legible and readily identifiable?
ISO 13485 4.2.3.f	Has a documented procedure been established to define the controls needed to ensure that documents of external origin are identified and their distribution controlled?
ISO 13485 4.2.3.g	Has a documented procedure been established to define the controls needed to prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose?

Wednesday, December 3, 2014

Corrective and Preventive Action (CAPA)

Medical device sponsors should pay a lot of attention to CAPA, its initiation, implementation, effectiveness, closure and documentation. It is one of the best tool to improve the quality system. But, CAPA can consume a lot of human and financial resources if it is probably done right.

Sponsor should have a system, procedure, work instruction and forms and to assign responsibilities for the initiating, requesting, implementing and verifying the effectiveness of CAPA. The CAPA procedure applies to prevent and correct nonconformities related to materials, components, subassemblies, finished products, manufacturing processes and the whole quality system.

Some of the associated documents with CAPA procedure are as follows:

· Corrective and Preventive Action Request Log

· Corrective and Preventive Action Request Form

· Work Instruction for Corrective and Preventive Action Request

· Corrective and Preventive Action Records.

· But, in this day and age, all of this CAPA can be managed using a computer system like Trackwise.

· The above request log and form can be deployed a small or startup medical device.

Corrective Actions are implemented to address actual nonconformities occurred in the organization. Anyone can initiate a CAPA, but it is advisable that QA should authorize CAPA request and review all CAPA for completeness and effectiveness before closure.

CAPA request includes a description of the unsatisfactory condition to be corrected and explain how quality is impacted. CAPA request may be directed to the company's internal departments as well as to its suppliers and subcontractors as well.

Examples of cases which may initiate corrective actions are shown as follows:

· Identification of a nonconforming product;

· Identified problem with a manufacturing process or work operation;

· A nonconformity identified during a regulatory or third-party audit;

· Field performance problem reported by servicing;

· Customer or regulatory complaint like patient’s injury;

· Nonconforming delivery from a subcontractor;

· Findings from internal audit or customers;

· Identification of any other component, device, process or condition that does not conform to specifications, documented quality system, or requirements of the ISO 13485 standard or 21 CFR 820.

Preventive actions, however are initiated when quality performance data indicates that there are trends of decreasing quality capability or effectiveness of the quality system. For example: increasing incidence of product nonconformities traceable to the same common cause; excessive equipment problems; or increasing number of internal audit findings against the same element of the quality system or department.

When a problem requiring preventive action is identified, the process of dealing with the problem follows the same steps that apply to corrective actions as described above.

Upon receiving a request for corrective action or preventive action, the responsible manager investigates the cause of the problem that initiated the request, proposes a corrective action or preventive action to be taken, and indicates the date by which the corrective action or preventive action will be fully implemented. A great and well thought CAPA plan should be warranted.

Another key concept for CAPA is the effectiveness of the corrective action and preventive action taken to remediate the nonconformity. QA should follow up with an inquiry or an audit to determine if the corrective action or preventive action has been implemented effectively. When there is objective evidence that the corrective action is effective, the CAPA can be closed out. Examples of methods to gauge the effectiveness is the measurement of any recurrences of the nonconformity or also perform trending for a certain period after the corrective action and preventive action had been implemented. If more work is needed to fully implement the action, a new follow-up date is set.

If any CAPA is not seriously implemented and the root causes are not resolved. Similar or even identical nonconformity can occur. It is the best interest in the long run to have a robust quality system. The cost of noncompliance is can be costly in the long run.

Sponsor should also have a spreadsheet to track all the CAPA outstanding and ensure all CAPAs are reasonably closed within a time-frame. I once have a client who get a 483 observation for not closing CAPA in 4 years.

Reference	Criteria
ISO 13485 8.5.2	Does the company take action to eliminate the cause of nonconformities in order to prevent recurrence? Are corrective actions appropriate to the effects of the nonconformities encountered?
ISO 13485 8.5.2.a	Has a documented procedure been established to define requirements for reviewing nonconformities including customer complaints?
ISO 13485 8.5.2.b	Has a documented procedure been established to define requirements for determining the causes of nonconformities?
ISO 13485 8.5.2.c	Has a documented procedure been established to define requirements for evaluating the need for action to ensure that nonconformities do not recur?
ISO 13485 8.5.2.d	Has a documented procedure been established to define requirements for determining and implementing action needed, including, if appropriate, updating documents?
ISO 13485 8.5.2.e	Has a documented procedure been established to define requirements for records of the results of action taken?
ISO 13485 8.5.2.f	Has a documented procedure been established to define requirements for reviewing corrective action taken and its effectiveness
ISO 13485 8.5.3	Has the company determined action to eliminate the causes of potential nonconformities in order to prevent their occurrence? Are preventive actions appropriate to the effects of the potential problems? Has a documented procedure been established to define requirements for evaluating the need for action to prevent occurrence of nonconformities? Has a documented procedure been established to define requirements for determining and implementing action needed? Has a documented procedure been established to define requirements for records of the results of action taken? Has a documented procedure been established to define requirements for reviewing preventive action taken?