We were recently invited to attend the BSI ‘Meet the Experts’ event at the BSI office in Milton Keynes.

As a team of consultants in the medical device industry, we found this event to be extremely beneficial, as it contained very useful information about both regulatory and quality topics, but moreover the chance to listen to lessons learned delivered by a leading EU Notified Body, with a view to being able to help our clients and those in the wider medical device industry avoid non-conforming (quality) or non-compliant (regulatory) situations.

Anyone in the medical device industry knows the importance and challenges of maintaining ISO 13485 certification, and so can appreciate that the work and stress involved in addressing Notified Body non-conformities can (at best) distract from the day to day activities, or (at worst) put the sales of medical devices in jeopardy, so it pays to be audit ready all of the time and thus help reduce the risk of audit findings as far as possible.

Having an insight into any Notified Body’s metrics on their audit findings is exceptionally useful in helping to achieve this goal.

What were the top 5 non-conformities as presented by BSI….?

Number 5 – ISO 13485 Clause 7.5.1 – Control of production and service provision
Issue #1: Incomplete or insufficiently completed batch release/production records.
Issue #2: Inadequate monitoring and measuring during manufacturing process.
Issue #3: No records of qualification of infrastructure.
Issue #4: Insufficient documentation to ensure product conformity to specification.
Key takeaway… you must ensure that you can show sufficient control and records to demonstrate conformity to specification.
Number 4 – ISO 13485 Clause 8.2.6 – Monitoring and measurement of product
Issue #1: Test/verification records not maintained.
Issue #2: Acceptance criteria not defined or not aligned with design specification.
Issue #3: Traceability to individuals performing tests.
Issue #4: Monitoring and measuring of product process not defined & no demonstrable link to non-conforming product process.
Key takeaway… you must ensure that you have adequate monitoring and measuring for product conformity during manufacture and its conformity to design specification.
Number 3 – ISO 13485 Clause 7.5.6 – Validation of processes for production and service provision
Issue #1: Records of process validation and production software validation not maintained.
Issue #2: Re-validation process not defined.
Issue #3: Not utilising a risk-based approach or defining statistical techniques/sample size rationales in validation activities.
Issue #4: No demonstrable links to change management process.
Issue #5: Equipment qualification records not held (especially installation and operational qualification for new equipment).
Key takeaway… you must ensure that you can demonstrate robust process links to change and risk management processes.
Number 2 – ISO 13485 Clause 8.2.4 – Internal audit
Issue #1: Records of internal audits not complete (reports, plans, CAPAs).
Issue #2: Risk-based approach not applied to planning of audits or Internal audit schedule not maintained.
Issue #3: No timely follow-up of actions resulting from internal audits.
Issue #4: No records of internal auditor competence to applicable regulation(s).
Issue #5: Internal auditor not impartial.
Key takeaway… you must ensure that you can show evidence of a risk-based approach to internal audits, covering regulatory requirements, by trained auditors, and with timely follow-up.
Number 1 – ISO 13485 Clause 7.1 – Planning of product realization including risk management
Issue #1: Records of risk management not updated during life cycle of product.
Issue #2: PMS data not feeding into Risk Management & Clinical Evaluation.
Issue #3: Risk management process not aligned to ISO 14971:2019, including applicable Annex (e.g. ZA/ZB for EU Regs).
Issue #4: No risk management process in place.
Key takeaway… you must ensure that you establish robust links to change management, PMS, and design inputs.

Impact and risk:

Being audit ready is as simple as ‘saying what you do’, and ‘doing what you say’, however unless you take the time to really understand the requirements of the ISO 13485 standard and the applicable regulations, you can easily find yourself with a non-conformity to these requirements. And then of course, if you are not ensuring that you ‘do what you say’, this can result in a finding as you did not follow your own processes… (this of course could also mean that a standard or regulatory requirement was also not met, and the finding could become a serious issue!)

Your next steps to compliance:

At Advena we have many years of experience helping clients in the medical device industry build robust and effective Quality Management Systems, prepare for audits, and deal with non-conformities, so if you feel that your organization could benefit from a fresh pair of eyes to help you avoid findings at your audits, or if you are considering outsourcing your internal audit process to avoid risk of findings around impartiality, do please feel free to contact us and we’ll be glad to help you.

In addition, many common QMS issues are easily resolved by the application of an eQMS that makes administration of the requirements less burdensome. Advena has such software in the form of Activ. If you wanted to understand more about how Activ works, and how it can help you stay compliant, contact us for a free demonstration here.