May 12th, 2020
To have a successful audit, the right people within an organization need to receive appropriate training and be supported in making and maintaining the tweaks and improvements needed to maintain certification.
Choosing Employees To Take Training
The number and role of in-house auditors vary among organizations, but usually, their functions include the following at a minimum:
Planning and scheduling internal audits, whether these are conducted entirely in-house or using Cavendish Scott (or a similar firm) Serving as the point of communication for the registration auditor Ensuring audit findings are reported to top management and corrective actions are taken and enforced
Managers do well to consider several relevant factors in selecting employees for training as auditors.
Independence is important. It’s best to assign at least one person to work full-time as an in-house auditor. Otherwise, auditing may take a back seat to other duties. Changes that were made in the immediate aftermath of an audit may give way to older habits. In addition, employees who audit the areas of their primary jobs may blind to needed changes or reluctant to suggest them. If it’s necessary for auditors to split their time between auditing and other duties, it’s best if they do not audit their own areas. Auditing teams can be helpful, too, as they can assist with culture change related to quality improvement.
Consistency is helpful. Career-oriented auditors who want to stay in a position over time are the best candidates for training. It doesn’t help to train someone who will leave the organization or move out of the auditing role prematurely.
Personalities matter. The best auditors are usually good listeners who like people and processes. They’re confident enough to deliver sometimes unwelcome news to top management. They’re observant, patient and smile easily.
Trainers Speak From Experience
Cavendish Scott offers a range of auditing courses, including customized options tailored to suit specific standards and individual organizations. For example, Cavendish Scott taught a three-day remote ISO 9001:2015 internal auditor course to 19 enrollees involved in microelectronics at a federal lab. Common Requests include ISO 14001:2015, ISO 13485:2016, and AS9100D. Classes may be taught remotely, on-site, or at Cavendish Scott offices.
In all cases, trainers speak from experience. They strengthen their points with personal anecdotes from actual audits and engage trainees through interactive activities. Often client documents are used for exercises and a live internal audit is conducted on processes of the client’s choosing. This allows for specific questions to be asked and advice from the instructor to be given about scenarios described by the client.
From Classroom to Implementation
Putting the knowledge gained in training to work in an organization is essential to successful audits.
Whether they are in-house or from a firm like Cavendish Scott, internal auditors provide guidance and direction on changes that need to be made to keep an organization compliant with standards. Auditors must be independent and observant enough to see what needs to be done. They also need to have enough influence to see that management follows through on their guidance.
Cavendish Scott is an approved training partner of the International Register of Certified Auditors, or IRCA. While not all of the many courses available are individually IRCA-approved, Cavendish Scott follows the IRCA principles based on the company’s commitment to professional and effective training.
August 28th, 2014
By Dave Moskal
There is no doubt that medical devices need to be manufactured with processes that are under control. There also isn’t much of an argument against making sure that they are clean, and in some cases even sterilized. Whether it be for products that we use at home to treat ourselves; devices that are used at the doctor’s office for diagnostics; instruments that are used in hospitals for surgery; or equipment used in laboratories for analysis. Clean devices start with the manufacturing process and must continue all the way through until it’s being used.
Processes for Cleanliness of the Work Environment
For companies that have product realization activities where medical devices or components thereof, are manufactured, assembled, packaged or even repackaged, the control of cleanliness of the work environment is one of the many differences in 13485. Processes used to protect the product from contamination need to be determined, documented, and implemented. For example, contaminates can include fluids that are used during the machining or assembly processes. Therefore a process would need to be established to ensure that compatible fluids are used and are completely removed from the product. Additionally, processes would need to be established and documented to control the environment that the work is being performed in and where product is stored. This includes requirements for personal health, cleanliness, and clothing if contact between such personal and the product could have an adverse effect on the quality of the product. Not only do the processes need to be determined, documented and implemented, they also need to be measured and monitored to ensure that the controls of these processes remain effective. Some of the processes that may be established could include the use of a pest control specialist to ensure that rodents or insects could not contaminate the product; air filtration systems to ensure that pollen, dust or residue from manufacturing processes don’t contaminate the product; the establishment of a policy so that production personnel do not have food or open containers at their work stations; or personnel are required to wear gloves when handling product to ensure that body oils are not transferred to the product. You may determine that these or any number of other processes need to be established to ensure that the cleanliness of the product that is being produced will not be compromised.
Documentation of Risks
In addition to the cleanliness of the product, risks that are associated with the product realization process need to be determined and documented. While it is inherent during manufacturing, assembly, and packaging operations to understand what the risks are, 13485 requires that they also be documented. The documentation of the risks is an important element. It’s not only to understand where the weaknesses are in a process, but having the ability to understand what the true impact would be if the risk would occur. An additional benefit is to have the ability to know the action that needs to be taken to reduce the likelihood and/or severity of the risk should it be realized, thus having less of an impact on the quality of the part, not to mention delivery and customer satisfaction. Some risks that might be identified include material availability; environmental monitoring equipment not working properly; inadequate packaging that could fail causing the contamination; incorrect instructions being provided with the product.
Required Identification and Traceability of Product
Another difference between the two standards is the identification and traceability of product. Where the requirement in 9001 is ‘as required’, in 13485 it is required. Furthermore, each batch of medical devices that are produced, records that provide traceability and identify the amount that was manufactured and approved for distribution are required to be created, reviewed, approved and maintained. Like the processes for cleanliness and risk, these processes also need to be documented. Also operations for the labeling of the devices must be defined, implemented and documented to ensure that requirements are met consistently.
Document Customer Complaints
The last area that we will look at is that of customer satisfaction and complaints. While it is important in any management system to understand how satisfied customers are and to have a mechanism to receive, track, and analyze customer feedback, 13485 goes one step further. For medical devices these processes need to also be documented. It is important to get feedback from the customer, including complaints as well. So processes need to be established to ensure that any complaints are recorded each time they are received, no matter how they are received or by whom. All complaints must be investigated, no matter if the compliant appears to be insignificant or not. If it is determined that a Corrective or Preventive Action is not necessary, the reason for not using the CAPA process must be recorded and authorized. In addition, the process needs to be able to provide an early warning system so that the information received can be analyzed to know if there are any quality problems that should be fed into the Corrective or Preventive Action processes. A strong and effective early warning detection system that would alert of any actual or potential quality problems is crucial for any organization.
Process for Advisory Notices
The organization must have a process established and documented for advisory notices. The early warning system, customer feedback and complaints, and production processes are typically all used to understand if an issue warrants an advisory notice. The documented procedure would firstly need to identify the criteria used to determine if an advisory notice is actually needed. If it does, would the notice include a recall of the product or only a notification of a potential problem that could occur? Who would need to be notified and what method would be used to notify the affected parties? Your system should be able to guide you through not only the analysis of this, but the processes that are required after the analysis has been completed.
While these are only some of the differences, you can see that these differences between ISO 9001 and ISO 13485 Quality Management Systems are significant and cannot be taken lightly. Management must ensure that processes are developed, implemented, and documented so that personnel within the organization know how to handle, protect and identify medical devices. The organization also needs to ensure that the processes for customer communication including those of complaints and advisory notices have been established.
Cavendish Scott, Inc. has been working with ISO 9001 and ISO 13485 for over 25 years and we really understand how these standards should be applied. We have also been involved in many upgrades from ISO 9001 to ISO 13485. Contact us for more information.
Want to learn about how your company can upgrade to ISO 13485? This e-book will guide you down the right path to ISO 13485 certification.
Download Now
June 3rd, 2010
Kerri Williams of Platinum Registration was recently asked to make a presentation about upgrading an existing ISO 9001 management System to ISO 13485.
She kindly allows us to display her presentation. With her agreement we have modified the content to remove background and benefit information about Platinum Registration. The presentation covers many of the differences between ISO 13485 and ISO 9001 but read below for more information about some of the issues which have to be considered. You can see the presentation here: Upgrading to ISO 13485 from ISO 9001 .
Organizations who are already registered to ISO 9001 are often interested in migrating to industry specific versions of the standard. These include TS16949 (for the Automotive Industry), AS9100 (for the Aerospace Industry) and ISO 13485 (for the Medical Device Manufacturing Industry). In some instances, customers are insisting on conformance and in others, organizations want the marketing advantage to break into or extend their involvement in the industry.
These versions enhance the requirements of ISO 9001 by adding additional requirements that must be built into the management system and implemented – with evidence, to demonstrate conformance to an auditor.
This presentation looks at the differences that exist between ISO 9001 and ISO 13485 but the principle is the same with the other standards.
With ISO 13485 the scope of the management system is very important. ISO 13485 is used by the medical device regulatory agencies in Europe, Canada, Australia and Japan (among others) and has been accepted by a global harmonization task force which is supported by the US. At this time, the FDA does not use ISO 13485 and thus steps must be taken to address their requirements (CFR 21 Pt 820) if it is also applicable. For many higher risk devices, agencies require that this standard is implemented before they will allow the marketing of the medical device.
But these rules typically only apply to the device manufacturer. Many contractors seeking ISO 13485 do not manufacture the actual device. And even if they did manufacture a complete device, they would only have a secondary responsibility for meeting the regulatory requirements (including ISO 13485) unless it was their name on the label as the owner of the device. More frequently a contractor is producing parts for the medical device company who might finally assemble and sell the device. It is they who are subject to the regulatory requirements and they want an easy life justifying how some of their parts are made to their regulators. Thus they are keen on the contractor registering to ISO 13485.
ISO 13485 contains a number of requirements that are applicable only to the device manufacturer. For instance, the collection of post-market intelligence. Being registered to ISO 13485 implies that you have the ability to collect post market intelligence about the medical device. However, a contractor might not even know what device their part is used in. In some situations the contractor cannot exclude these requirements (like for instance they might be able to exclude the requirement for the control of sterilization) and must be able to demonstrate an ability to do something that they will never have any use to do.
The contractor needs to think carefully about what they want their management system to cover (i.e. the scope) and make this clear to the chosen registrar and their auditor so that no surprises occur. These things are not always spelled out in the standards and highlight the reason why experienced help is essential in order to achieve success.
Other differences and additions to the standard are much clearer and simply require updating or new documented procedures and the implementation of simple processes or training. So long as the interpretation is understood (and it is not always clear) then this is a straight forward process that just takes time and resources.
All management systems require internal auditing. Done well internal audits bring benefits by protecting against issues before they are found by the registrar, highlighting opportunities (and waste) and giving confidence in the effectiveness of the management system. When upgrading to a new standard an internal audit needs to be conducted. This will ensure you haven’t missed anything and show conformance to the new standard has been achieved. Technically it is possible to audit only the changes but if this not done well, a registrar should reject the audit as ineffective. Bearing in mind that an internal audit would be necessary anyway, a slightly enhanced audit for the new standard is just a little more effort than normal.
Cavendish Scott, Inc. has been consulting, training and auditing on the implementation of ISO 9001 and industry specific standards for 25 years. Upgrading an existing ISO system to meet an additional standard is something we are frequently asked to assist with. Typically we review documentation, make adjustments to existing documents and write new procedures, support with the training, understanding and implementation of new processes and changes. We then conduct internal audits (which usually have to be completed anyway) at a slightly enhanced level to prove conformance with the additional standard – and guarantee successful registration. For more information tell us a little about what you want to achieve with your QMS system.
Want to keep this information on hand? Get our free e-book on making the transition from ISO 9001 to ISO 13485.
Download Now
