Category: ISO 13485 – Medical Devices

Document Revision Criteria

ISO documentation practices, requirements

Question

Is there any criteria available for the frequency of document revision in ISO 9001 or ISO 13485?  Some organization don’t revise the documents for a period of more than 2-3 years.  The reason provided by the organization is that there were no changes during this period. Do ISO standards mandate the revision of documents within a certain time frame? Can we treat this as non-compliance, if the documents are not revised over a period of 2-3 years ?
Answer

There are no criteria nor a requirement for document revision in ISO 9001:2015, 7.5.

ISO 13485:2016, 4.2.4, states, “review, update as necessary and re-approve documents.” This leave the review to the discretion of the organization.

Thus, there is no mandatory review frequency and no non-conformance if documents are not revised within a determined time frame.  ISO 13485 does require a review, however. But, the frequency of the review is not mandated.

George Hummel

Terminology for Inspected Material (GMP, ISO 13485)

Pharmaceutical sampling

Q: There is often confusion with the labeling of purchased materials  after they have been “inspected, tested and/or verified” according to good manufacturing practice (GMP)
requirements.  Once out of quarantine, are purchased materials labeled as accepted, approved or released?  I’ve had auditors and inspectors tell me all three.

A: Either term (accepted, approved, or released) is appropriate and commonly used.  It would appear that the auditors are voicing an opinion and shouldn’t be. Neither ISO 13485:2003: Medical devices — Quality management systems — Requirements for
regulatory purposes or FDA’s quality system regulation (QSR) specify what language is to be used.

ISO 13485:2003, clause 7.5.3.3 status identification, states:

“The organization shall identify the product status with respect to monitoring and measurement requirements.  The identification of product status shall be maintained throughout production, storage, installation and servicing of the product to ensure that only product that has passed the required inspections and test … is dispatched, used or installed.”

FDA 21 CFR 820.86 acceptance status requires:

“Each manufacturer shall identify by suitable means the acceptance status of product, to indicate the conformance or nonconformance of product with acceptance criteria. The identification of acceptance status shall be maintained throughout manufacturing, packaging, labeling, installation, and serving of the product to ensure that only product which has passed the required acceptance activities is distributed, used, or installed.”

The requirement should be clear for purchased materials: identify so that only those materials that passed acceptance activities are allowed to be used.  Neither the standard or regulation states how the material is to be identified.  That is up to the manufacturer to define in its operating procedure(s).

My personal recommendation is to use the terms “accept/reject” at receiving and during in-process, then use the terms “release/hold” to mean the final product is or is not to be released for distribution.  But any similar terms are fine as long as they are consistently used throughout the quality system and personnel understand the requirement that they can only use product that passed their acceptance activities.

Jim Werner
Voting member to the U.S. TAG to ISO TC 176 Quality Management and Quality Assurance
Medical Device Quality Compliance (MDQC), LLC.
ASQ Senior Member
ASQ CQE, CQA, RABQSA Lead QMS Assessor

For more on this topic, please visit ASQ’s website.

Establishing and Maintaining a CAPA System

CAPA process, CAPA requestsQ: We have a Corrective Action and Preventative Action (CAPA) system, and we find that CAPAs are almost always completed late — even though we do have an extension request form for CAPAs, and the system sends automated reminders to  employees in advance.

What can we do to resolve this issue and avoid late CAPAs?

A: I will answer this question based on the information provided.

1. Does the CAPA system rank the CAPA based on risk? If not, each CAPA should be ranked either high, medium, or low.

High risks generally mean that the problem behind the CAPA could have a negative affect on the business and put it at risk. For example, in the medical device industry, a high risk CAPA could include a regulation violation, something that can harm a device user or patient, or issues that could result in legal action against the company.

2. Does the CAPA system have a way to involve top management? If not, it should — especially if timely corrective action is not being taken in instances of high risk CAPAs.

3. Does the management review process include a statistical analysis of the time it takes to complete CAPAs?

Often, reports to management include the number of CAPAs greater than 90-days old and greater than 180-days old. In addition to reporting on the number of open CAPAs, also report on the number of CAPAs completed by the due date and the number of CAPAs that are overdue (past the original, assigned completion date).

It is a good idea to also convert these numbers into percentages to make data digestible and to allow for comparison making.

4. Next, discuss with management (if possible) to consider consequences for employees if company problems that result in a CAPAs are not addressed in a timely manner.

With this approach, proceed with caution. You must make certain that the CAPA system is robust. Not every little problem is a CAPA. A good way to weed out the CAPAs from the non-CAPAs is to ask: is this an issue that requires an investigation into the root cause? And, does this problem require corrective action to fix it? If the answers are yes, then it is probably a CAPA.

5. You may want to consider benchmarking how other organizations structure their CAPA system and look to guidance documents for help. The Global Harmonization Task Force published a guidance document help establish CAPA systems. It is for the medical device industry, but it can be applied elsewhere.

Jim Werner
Voting member to the U.S. TAG to ISO TC 176
Medical Device Quality Compliance (MDQC), LLC.
ASQ Senior Member
ASQ CQE, CQA, RABQSA Lead QMS Assessor

For more about this topic, please visit ASQ’s website

ISO Standard Audit and Confidential Information

Reviewing confidential files, training records, human resources files

Q: During an external audit, what records are we allowed to keep confidential – e.g. human resources records? Certain records pertaining to new business leads or accounting matters? Specifically, my question is related to audits to the ISO 9001:2008 Quality management systems–Requirements and ISO 13485:2003: Medical devices — Quality management systems — Requirements for regulatory purposes standards.

 A: The “scope” of any audit is the quality management system (QMS) as found in the ISO standard for quality management. Areas such as finance, marketing plans, sales goals, and other business related topics are not part of a QMS audit.

It should be understood that during the audit, potential areas of conflict between the auditor and auditee might exist. The most common is when the auditor wants to see training records and the auditee claims them to be a confidential part of HR records. The auditor need to be a diplomat here and explain that only the training record is needed and not the entire HR record.

Also, it is not uncommon for the auditee to require the auditor to sign a non-disclosure agreement stating that the auditor(s) will keep everything observed during the audit confidential between the parties.

Again, the scope of the audit, usually agreed to ahead of time, is the QMS — not any business related matters.

Jim Werner
Voting member to the U.S. TAG to ISO TC 176
Medical Device Quality Compliance (MDQC), LLC.
ASQ Senior Member
ASQ CQE, CQA, RABQSA Lead QMS Assessor

ISO 9001:2008 Impact on ISO 13485:2003

ISO 13485, medical devices, medical device manufacturing

Q: Why does Annex B of ISO 13485:2003: Medical devices — Quality management systems — Requirements for regulatory purposes address ISO 9001:2000?

Shouldn’t it be ISO 9001:2008 Quality management systems–Requirements?

A: ISO 9001 is “controlled” by Technical Committee (TC) 176 while ISO 13485 is “controlled” by TC 210. They are two separate, independent technical committees that write and revise standards.

ISO 13485:2003 is founded on ISO 9001:2000, with additional requirements added for the medical device industry. In other words, ISO 13485:2003 is ISO 9001:2000 (but with the requirement for “continual improvement” removed) and additional requirements for the medical device industry

When TC 176 revised ISO 9001 in 2008,  TC 210 decided not to make a change to ISO 13485 because ISO 9001 requirements didn’t change substantially.   It is important to note that many governments such as Health Canada have adopted ISO 13485:2003 as their law or have their medical device law based on 13485:2003. Many medical device companies today get ISO 13485:2003 registered and have dropped ISO 9001:2008 altogether as not being necessary.

By the way, TC 210 issued a technical corrigendum to ISO 13485:2003 in August of 2009 correcting its reference to “ISO 9001” to “ISO 9001:2000” to make this clear.

Jim Werner
Voting member to the U.S. TAG to ISO TC 176
Medical Device Quality Compliance (MDQC), LLC.
ASQ Senior Member
ASQ CQE, CQA, RABQSA Lead QMS Assessor

For more on this topic, please visit ASQ’s website.