An effective quality program includes four critical elements:
- Certification to ISO standards,
- Risk management for product realization,
- A strong CAPA (corrective and preventive actions) program, and
- A culture where quality is a top priority, and operations and engineering functions work collaboratively to achieve quality.
In addition to the above ongoing elements, OEMs also need to be confident that their medical device suppliers are on track to meet the deadline for the upgraded ISO standards. With the deadline looming, how can you have confidence that your suppliers will be certified on time and not leave you with the crisis of an uncertified supplier?
This article — the first of two parts — provides a framework for evaluating medical device suppliers for two elements of quality: ISO certification and risk management for product realization. The second article will cover two additional elements of quality: the CAPA program and the cultural aspects of quality. Together, these four areas paint the big picture for what is required for an effective quality system.
As an OEM, it is your responsibility to ensure the parts supplied to you are compliant with ISO regulations. That is no easy task. Ideally, your supplier’s quality systems are strong enough to identify risks, prevent defects, and to catch defects quickly if they do occur. This requires a robust quality management system.
Contact the Notified Body as Needed for Guidance
Every supplier with an ISO certification is assigned a notified body. The notified body is the main point of contact during the transition process. The notified body is the company that audits against the new standards and will ultimately grant the certification. It can advise on the proper steps to follow and provide the checklists that will be used to evaluate the supplier. The supplier can ask the notified body to do an on-site assessment to determine if the current quality system can meet the new standard. While the notified body will guide the supplier through the transition, it is the supplier’s responsibility to proactively seek the input of the notified body as needed.
Attend a Transition Course
This course educates the Quality Management Representative about the changes and requirements needed to meet the new standard.
Become Lead Auditor Certified for the new Standard
This course teaches the Quality Management Representative how to audit to the new standard.
Perform the Gap Analysis
This analysis compares the requirements for the new standard against the supplier’s current procedures. The gaps between the two define where focus is needed for certification.
The Consultant Approach
When internal resources and/or expertise are lacking, suppliers may choose to hire a consultant to manage the certification process. The consultant has already attended the transition course, is certified as a lead auditor, can perform a gap analysis at your location, and get you moving in the right direction. The consultant can add depth of expertise when it is lacking internally. Often, consultants bring a wealth of knowledge and experience from their exposure to other companies. This approach can also streamline the process since the consultant already has the necessary coursework and certification to lead the process.
Regardless of what approach is used, it can be tempting to delay the project because the deadline seems generous. Delaying the project is a huge mistake. The time allotted by regulatory bodies is the time needed to successfully complete the certification by the deadline.
As an OEM, should you have confidence in your suppliers’ ability to meet the certification deadline? By this time, suppliers that are ISO 9001 certified should have had their first or second assessment performed to identify the gaps in their quality system that don’t meet the new standard. Suppliers that are ISO 13485 certified should already have a plan in place to achieve certification on time. The gap analysis should be done. Suppliers should be considering the lead auditor course and the transition course. Internal deadlines should be already be set, outlining the timeline for how the supplier will reach the big goal on time.
Risk Management For Product Realization
ISO standards require suppliers to have processes in place for risk management. This includes tools to assess the level of risk and plans for how to mitigate high-risk situations. The regulatory guidance for exactly how to manage risk is intentionally vague. This vague approach empowers suppliers to use whatever tools and processes are necessary to manage risk.
The effectiveness of supplier risk management plans can vary greatly among suppliers. When a defect occurs a second or even third time, the lack of properly identifying true cause of risk may be to blame. Certainly, experience is one way to learn to properly identify risk.
The examples above are just a few of the many ways to incorporate risk management in your quality management system. Wherever there is risk, there must be a process to mitigate it.
Below is an example of a risk management tool called a pFMEA (Product or Process Failure Mode Effects Analysis). This tool is designed to identify potential risk or failure(s) in each process step, understand the effects of the risk or failure(s), define what can cause the risk or failure(s) to occur, and evaluate any current preventive controls in place to detect the risk or failure(s). The pFMEA also aids in understanding the severity of the risk or failure(s) and the potential frequency of the risk or failure(s), and uncovers the need for additional detection methods to mitigate the risk and failure(s).
What else can be done to speed up the learning curve and create effective risk management plans?
A good place to start is by benchmarking how other similar suppliers manage risk. There is no need to start from a blank page on a risk management plan when other component manufacturers have already figured this out. One key to successful risk management is to incorporate it throughout product realization. A strong risk management program starts with the initial customer contact, also called the feasibility stage, and continues throughout the entire process. In the feasibility stage, the supplier considers risk with such questions such as:
Do we have the right capabilities? Do we have the right machines? Can we order the right material? Do we have the ability to detect defects? Next, resources are evaluated. Do we have the resources to produce this part? Can we produce it at the volume needed? Risk is further managed during receiving by inspecting incoming materials. Another way to reduce risk is by evaluating suppliers prior to selection.
