QCS International

The main point of any management system is continuous improvement.   Practically this means that we identify issues that are causing significant business cost, loss or risk and then we set about solving the issue by identifying the root cause, and then putting in place a corrective action.

Root Cause Analysis
If you are running a management system, you will without a doubt have a corrective action system that identifies issues and records them to ensure investigation to closure.   But in the middle of all the form filling and meetings to agree actions, how effective are you and your organisation at root cause analysis?

ISO 9001 tells us that ‘Corrective actions shall be appropriate to the effects of the non-conformities encountered.’ In other words, you need to step back and take a look at the impact of the issue on your organisation in terms of cost, loss and risk.

Only Look at the Big Hitters
The first step is, in the words of the dearly beloved Pareto, sorting the significant few from the trivial many.    When you have done this and decided on a way of prioritising what the ‘big hitters’ really are, its time to get to work with some root cause analysis.

5 Whys
After clearly defining the problem you have, 5 why analysis is one of the simplest and best ways to understand a problem and all the root causes.   All you need to do is keep on asking why an issue happened until the root cause, or causes, have been identified.

For example…
During an audit it was noted that the supplier for a key material was not on the approved supplier list.   The material had been ordered but, thankfully not used, as it was the wrong specification.   But why did this happen?

1. The specification not checked before ordering… Why?
2. The procedure was not followed… Why?
3. The procedure is not clear… Why?
4. Responsibilities not well defined in purchasing… Why?
5. People are not well trained in the procedure… Why?
6. No induction training in purchasing…

By focussing on the main issues within your corrective action system and using a simple tool such as 5 Why, you can have a highly effective corrective action system to drive improvement into your organisation.

One of the key audit skills we deliver in our audit courses is the ability to write a good audit checklist. This is simply because a checklist provides you with a clear set of questions to ask during the audit and keeps you on track with the audit timetable and objectives.

At QCS write our checklist of the month to help people with areas of auditing management systems but this month we thought we would look at how to actually write an audit check list using and ISO standard.

The key steps to writing a checklist based on any management system standard is to understand:

* the intent of the section/clause of the standard
* breakdown the specific requirements of the clause of the standard (the ‘shalls’)
* identify what objective evidence you are going to look for to prove the system works

To give a simple example I have chosen Management Review from ISO 13485:2003 (Section 4.6) but this technique can be applied to any ISO standard including Harmonised Standards.

The overall intent of management review is to ensure the management system is implemented and effective in driving improvement.

If we take a look at clause 4.6, the key requirements are that

• Results from internal audits will be reviewed
• Results from processes are reviewed
• Results of product testing/product release is reviewed
• Status of preventive and correctiev actions are reviewed
• Follow up actions from previous reviews
• Changes (legislation, organisation, technology etc) are reviewed
• Records of the review shall be maintained

The evidence you will need to look at during the audit will be:

• Minutes of management review meetings
• Who actually attended management review meetings
• Agendas from the meetings including any data analysis/reports
• Action plans resulting from the management reviews

And of course the main question to ask to ensure effectiveness… review an actual improvement that has occurred as a result of a decision taken in management review. This way you can show that the system if fully implemented and effective.

One great debate that always comes around when auditing Regulatory Affairs as part of your ISO 13485 system relates to change notifications to notified bodies. When exactly do you report a change i.e. when is a change a significant change?

Help is at hand in the EU Association of Notified Bodies give guidance on this issue.

The guidance notes start by recommending that each manufacturer have a (documented) procedure to clarify the reporting procedure for any changes to the design, device and/or quality system as significant or not significant (i.e. to report or not to report).

So to ensure compliance you actually need to check that you have a procedure and the requirements for reporting in that procedure.
What should the procedure say?

The procedure should define what a significant change is and when the change should be communicated to your notified body.

Changes can be categorised into two main types:

1. Product changes, where the change would affect conformity with (i) the essential requirements and/or (ii) the conditions prescribed for the intended use of the device

2. Changes to the quality system, that would (i) affect compliance of the devices covered by the quality system with the essential requirements or the approved type / design or (ii) mean additions to the product range covered by the quality system.

Significant product/device changes…

As a checklist for product changes the procedure should cover the following situations:

• Changes that introduce new hazards which have not been previously addressed
• Changes adversely affect the risk associated with existing hazards
• Changes that alter the details on intended use
• Changes that alter compliance with the essential requirements contained in the technical file
• Changes that the device will have different end users or be used in a different manner
• Changes that mean that the clinical data may not support the new device characteristics and performance

Significant system changes…

The procedure should cover the following situations:

• Changes that alter the manufacturing technologies or product-range covered
• Changes that affect product conformity with the essential requirements
• Changes that affect the continued compliance of the quality system with the relevant harmonized standards
• Changes that affect the arrangements (e.g. verification, validation, organizational
• Structure, change in sub-contractor) for ensuring continued compliance.

Reporting a significant change…

A notification of any substantial should include prompt (or even advanced) notification to your notified body to include:

• A brief description of the modifications compared to the approved design/device or approved quality system

• The reason for the changes / modifications

• in the case of design / device changes, a statement on the relevance to the compliance with the essential requirements.

The procedure referred to may not have to be a stand alone procedure but control of changes must be defined within your quality system.

Although this is probably not the most exciting audit to do, it is worth performing an audit across your business from time to time to assess how documentation is controlled.

A question of risk…
It is important when planning your audit to look at the overall risk to your business posed by documentation control.   The fact is, no one has ever died because the wrong revision of the internal audit procedure was being used but some big mistakes have been made because the wrong specification was issued.

Of course system documentation is important and yes you will pick up non conformities during certification body assessments for poor control of system documentation but you also need to look at the control of all types of documentation in your business.  

Typical documentation can include:

• Quality Management Policy, Manual and Procedures
• Operational Procedures
• Operational Checklists
• Training Documents
• Documents sent to/used by customers
• Bills of materials
• Price Lists
• Product & Test Specifications
• Art work and packaging proofs
• Service Level Agreements
• Method Statements
• Documentation sent to and from suppliers
• Design documentation

 Also don’t forget external documentation – I often get told during audits that there aren’t any external documents only to find a long list of important documents that are not being controlled effectively.  

External documents may include:

• Product/service legislation
• Product/service design standards
• ISO standards and other industry requirements
• Customer policies and specifications
• Service level agreements
• Contracts
• Customer designs

 For each type of documentation you should assess the core controls as identified in the check list below:

 For internal documents:

 Is there a documented procedure available to define controls for all document types identified?

1.Does this procedure identify who can approve and issue each type of document?

2.What is the process for updates and changes?

Are changes approved before issue?   Is this approval by the same ‘authority’ as the initial issue or has this changed?   If so is this adequate to control the document issue? 

Are documents reviewed from time to time to make sure they are still relevant and being followed?   If there is a review period is there evidence this is being followed or are documents out of date?

Are hand amendments allowed in the procedure and if so are these properly authorised? 

3.Does each document have a clear title/identification and is there a clear revision level for the document?

4.How are changes to documents communicated to the people who need to use the document?

5.How are documents of each type circulated?   Are the right documents available at each point of use?

If this is controlled by a computer system, what happens if this system is not available?

7.Are any documents used at other/remote locations?   If so how do you know the correct version is being used?

8.For external documents – what controls are in place to identify any updates to:

Legislation and standards?

Changes to customer designs and requirements?

Changes in any contracts/service level agreements?

9.What happens to obsolete documents?

When new documents are issued are you sure the old documents are removed from use?   Is it obvious which documents are obsolete or is there a chance of confusion?

Are old documents retained for reference and if so are these identified?

Document control is a process that require auditing from time to time to ensure compliance and control business risk.  Don’t forget, you can download the audit checklist below.

Document Control Checklist

Check List of the Month

 An audit of the audit system I hear you say!   What ever next?   Well actually it is a mandatory requirement but it often confuses people on what they should actually ask during their ISO 13485 internal audit.  

Here is a checklist that will allow you to thoroughly audit your ISO 13485 internal audit system.

 The checklist can also be downloded in checklist style below so that all you have to do is print the checklist out to use it as part of your audit.

ISO 13485 Checklist – Internal Audits 

Audit Programme

1. Is there an audit programme available, approved and communicated?(8.2.2)

 2. Does the audit programme cover all processes & clauses of ISO 13485? (8.2.2)

3. Does the audit programme cover processes (or does it tend to follow procedures within the system?).   (8.2.2)

 4. Does the programme reflect the results of previous audits & importance of process? (8.2.2)

 5. Are auditor’s trained? Check training certificates/records. (6.2.2)

 Audit Procedure

 6. Review audit procedure (8.2.2) does this cover:

 -          Requirements for planning audits?

-          Checklist preparation as a means to record objective evidence?

-          Non conformity reporting including categorisation (e.g. Major/Minor/Improvement etc)?

-          How corrective actions are agree, verified and followed up?

-          Requirements for auditor competency?   (6.2.2)

Reporting & Records

 7. Are records of internal audits maintained? (8.2.2)

 8. Are these records maintained?   If so for how long? (4.2.4)

 9. Are records of any non-conformities and corrective actions maintained? (8.5.2)

 10. Are records of root cause and corrective action verification maintained? (8.5.2)

System Effectiveness & Improvement

11. Is the audit programme on track (or have some audits been missed this year?)   (8.2.2)

 12. Are corrective actions from internal audits closed in a timely manner?   How many overdue actions are there?   (8.2.2)

 13. Are audits reviewed at management review as a means to improve effectiveness? (5.6)

 14. And finally, always ask yourself…does the audit programme provide real information to the senior management team to identify the real risks to the business and drive improvement if required or is it just a tick in the box exercise?

When a Certification Body issues a nonconformity during an audit there is strict guidance they must follow to close out the nonconformity.   Here is a 10 point check list for you to follow to ensure you will get full closure during your next audit…

Correction…what the auditor is looking for…

1. The nonconformity has been determined and contained.
2. If correction cannot be immediate, there must be a clear plan in place with responsibilities, dates and if required the issue must have been communicated to all affected departments internally and to any customers and suppliers affected.
3. There must be evidence that the correction was implemented or is being implemented.

Root Cause Analysis…what the auditor is looking for…

4. There should be a defined direct cause as well as a root cause… (e.g. someone did not follow a process would be direct cause; determining why someone did not follow a process would lead to the true root cause).

5. The Root Cause should not be a repeat of the nonconformity or the direct cause and should not attempt to explain or justify the direct cause.

6. There should be a root cause statement to addresses a fundamental issue without any obvious “why” questions remaining.   If a “why” question can reasonably be asked, this indicates that the analysis did not go far enough.   This hints at using 5 Why analysis as a tool for more complex issues.

7. There may be several ‘root causes’ but each cause must have a corrective action identified…for instance if training and inadequate work instructions are identified as root causes, a corrective action plans must be identified for each.

Corrective Action…what the auditor is looking for…

8. The corrective action must address the root cause(s) determined in the root cause analysis.   This needs to include specific actions, responsibilities and dates for completion.

9. In order to accept the evidence of implementation there must be enough evidence provided to show the plan is being implemented.

10. Full evidence is not required to close a nonconformity and this may be carried forward to future assessments in order to verify full effectiveness.