ISO 13485:2016 Compliance

Embedding Risk in Your Quality Management Processes

Introduction
The medical device industry is buzzing
with information about ISO 13485:2016.

Is your company ready to get up-and-

running with the latest version of the
standard?

The final deadline for ISO 13485:2016

compliance is February 28, 2019, but a
transition plan and registration audits take
time.

Don’t be the last one off the starting block.

The time to prepare is now!

2
With the onset of the Medical Device Single Audit Program (MDSAP), ISO 13485
compliance is becoming more critical than ever before.

Since ISO 13485 will be used as an auditing standard for MDSAP, your company
may also need to adhere to these standards during a regulatory audit.

Pilgrim is here to help you every step of the way. As you work through your gap
analysis phase, you’ll need to closely examine many processes, especially your
quality management processes.

In this e-book, we’ll focus on specific quality management processes and take
a closer look at how you can build risk-based thinking into each of them.

Let’s Get Started

3
Table of Contents
Risk-based Quality Audits 5

Risk-based Incoming Inspection 19

Risk-based CAPA Management 30

Training, Competency, and Risk 38

Learn More 43

4
 Risk-based
Quality Audits
Why Risk-based Auditing?
If you’re responsible for planning and carrying out your company’s internal
audits, you know how much planning and effort it takes to monitor your
quality system for GMP and ISO compliance.

As your quality system has matured, you’ve probably noticed that certain
sites, departments, or processes require more of your attention, while
others are consistently in compliance and don’t need as much assistance.

If this is the case in your organization, it’s time for you to consider a risk-
based approach to your internal quality system audits.

6
The Value of a Risk-based Approach
A risk-based approach to internal audits allows you to assess the importance and
performance of each area to be audited and to use your results to devote your auditing time
and resources to these critical business areas.

Based on this risk assessment, you may also decide that certain areas of your business don’t
need as much oversight. The value in a risk-based approach frequently comes in the form of
higher product quality, since trouble areas will receive the time and attention they need to
improve.

Risk-based quality audits also improve your productivity. You will spend more time discovering
and solving problems rather than auditing areas that are already performing well.

7
Get Started with Risk-based Auditing
Let’s take a look at how you can incorporate risk into your internal
ISO and GMP audit processes.

Assess Incorporate Conduct Follow Up Monitor

8
Step 1: Assess Organizational Risk
When you’re assessing risk, consider the departments and processes you
normally audit.

As you work through these areas, you may choose to quantify each area’s risk
level.

Or you can use standard risk analysis tools such as Hazard Analysis, Fault Tree
Analysis, or Failure Mode Effects Criticality Analysis (FMEA).

9
Step 1: Assess Organizational Risk
There are many areas to consider when assessing risk including:

ü Risk to Product Quality and/or Patient Safety — Rank each department or

process according to its criticality in terms of producing a safe, high-quality
product.

ü Performance Risk — Review the history of nonconformances, CAPAs,

recalls, or adverse events for each area to be audited. Areas with a higher
number of these incidents should be given a higher risk score.

ü Compliance Risk — Look at past recommendations and perform a gap

analysis on existing regulatory requirements across all countries where you
have market approval. This score can also factor in how well the area has
corrected previous audit observations.

10
Step 1: Assess Organizational Risk
Once you’ve considered these areas (and other risk areas specific to your
business), you can combine their individual risk scores to create an overall risk
score for each department or process.

This can help you quickly understand your high-risk areas so you can create
your audit plan accordingly.

This assessment forms the basis for your risk-based audit plan, so it should be
documented in a list or spreadsheet as you work through it.

11
Step 2: Incorporate Risk into Your Audit Plan
As you’ve ranked each department’s risk, you’ve probably begun to form a
mental picture of your audit plan. Now it’s time to take a closer look at each area
and its corresponding risk score.

A key part of your planning will be your audit schedule. Higher risk areas will
need to be audited more frequently (at least annually, but possibly more often).

For low-risk areas, it is important to remember that an annual audit is not always
required. In either case, you need to define how often you will audit each
department based on the risk assessment, document a schedule, and stick to it.

12
Step 2: Incorporate Risk into Your Audit Plan
There are other pieces of your audit plan that are also affected by risk. These
can include the audit duration and the size and skill of your audit team.

You may need to plan for longer, more detailed audits of high-risk areas. Areas
involving more complex products or processes may require auditors with
special skills or knowledge.

13
Step 3: Conduct Risk-based Audits
Risk-based auditing doesn’t stop with your audit plan. Once you’ve determined
an area to audit, you can incorporate a risk-based approach into each audit you
conduct.

The first step is to review each department’s existing procedures. These

documents provide you with a jumping off point for understanding which
processes a department views as high-risk, so you can focus your questions in
these areas.

14
Step 3: Conduct Risk-based Audits
If you’ve audited an area before, you should review the data you already have
from previous audits and work from there. Some items to review include:

ü Observations from previous audits

ü Previous corrective action plans and their effectiveness
ü Areas that were not inspected during previous audits
ü Defects, adverse events, or recalls related to this department
ü Changes to processes or personnel since the last audit

Understanding these areas will help you hone in on potential areas of concern.
This will help you focus your questions properly and get the most value from
your time spent auditing.

15
Step 4: Risk-based Follow Up
Once you’ve completed the audit, you will assign recommendations and/or
findings.
Using a risk-based approach to follow up,
you will assign a risk level to each finding to
clarify which findings need a quick
response or escalation. This allows you to
address critical findings more quickly, rather
than just following up to findings in the
order they were discovered.

This, of course, feeds your CAPA process.

High-risk findings can trigger a CAPA
process, while low-risk can be resolved
quickly and closed with the audit.

16
Step 5: Monitor Changes in Risk
Your initial risk assessment was a snapshot of your quality, performance, and
compliance risks. Changes to products, processes, or defect history will
cause this snapshot to evolve over time. That’s where automated quality
management software can help keep you aware of emerging risks.

Solutions like our SmartSolve® quality management system will

help you monitor and control defects, CAPAs, customer
complaints, changes, and other processes that will affect your
overall risk.

You will be able to quickly understand the performance of your

various sites and processes, and modify your audit plan
and other quality processes accordingly.

17
Implementing Your Risk-based Audit
Program
The idea of implementing a risk-based GMP audit program, or any
type of risk-based process, can be intimidating. But keep in mind
that you don’t need to change your entire audit process all at once.

Take it one site, department, or process at a time; document your

plan; and you will keep your audit program moving in the right
direction.

18
 The Basics
of Risk-based
Incoming
Inspection
An Introduction to Risk-based Inspection
You’re probably conducting incoming inspections today but if you aren’t taking a
risk-based approach, chances are you’re performing inspections you don’t need
to do and possibly overlooking the items which need to be inspected most.

Implementing a risk-based sampling system (based on the criticality of risk

identified in your risk files) helps you spend less time and less money inspecting
high-quality raw materials when you are already confident that they are good.
You’re also able to pinpoint poorly performing raw materials and suppliers
based on their inspection state.

A typical risk-based inspection program includes a sampling system with a

sampling plan, skip lot schedule, and inspection state switching rules. If you’re
thinking about implementing a sampling system for incoming inspection, here
are some basics to help you on your way.

20
Three Components of Risk-based Inspection

1 2 3
Sampling Plan & Skip Lot Switching Rules
AQL Schedule Performance-based
Manage Inspection Control Inspection Change
Quantity Frequency

21
Sampling Plan and AQL
Sampling plans help to define your sample size or
the number of items to be inspected for each lot of
incoming material.

When you choose a sampling plan, like the

commonly used ANSI/ASQ Z1.4, you’re setting a
baseline for the percentage of defects you’re willing
to tolerate for each measured characteristic.

This percentage may be 0, which means 100%

inspection for your most critical product
characteristics. For less critical characteristics, you
may choose a different percentage (typically
between 2.5-4.0%).
Sampling Plan and AQL
This level is called your Acceptance Quality Level,
or AQL. Based on your AQL, the sampling plan
defines how many items to inspect for a given lot
size.

Typically, the lower the AQL, the higher the

sample size you’ll need to have statistical
confidence in a material’s quality.

The sampling plan also defines how many defects

can occur for the lot to still pass inspection.
The Skip Lot Schedule
A skip lot schedule details how many lots
need to be inspected out of the total you
receive.

Just like the sampling plan, your skip lot

schedule can vary based on past supplier
performance or based on a material’s risk.

You may decide to vary the inspection

schedule for certain raw materials, while you
may have other materials that need no
incoming inspection at all.

24
Switching Rules
Switching rules are a third component of risk-based incoming inspection. These
rules take ongoing inspection results into consideration and tell you how your
sample size and skip lot schedule should change as a result.

For sampling systems like ANSI/ASQ Z1.4, switching rules govern changes
between the following states:
ü Normal – The baseline for sample size and number of lots to be inspected
ü Reduced – Fewer lots are inspected and fewer samples are taken for each
lot. This state is reached based on good results in previous incoming
inspections.
ü Tightened – More lots are inspected and more samples are taken for each
lot. This state is reached based on poor results in previous incoming
inspections.

25
Stick with the Standards
Switching rules are also based on a statistical plan that modifies the inspection
schedule while maintaining confidence that incoming quality will remain high.

For this reason, you will need to stick with an industry-standard plan rather than
creating your own skip lot schedule.

26
Challenges in Risk-based Inspection
A major obstacle to risk-based inspection is that sampling systems are difficult
to track. Industry standard sampling tables are detailed and complex.

Plus, manual inspection management processes make it challenging to

understand each material’s quality performance over time.

This makes it difficult to determine sample size, skip lot frequency, and
switching schedules for an organization’s many suppliers and raw materials.

27
Challenges in Risk-based Inspection
Fortunately, electronic Inspection Management solutions can completely
automate risk-based inspection processes.

Tools like SmartSolve Supplier Quality Management combine industry-standard

sampling systems with your ongoing supplier performance data to notify your
team when inspection is needed.

You can have all of the benefits of risk-based inspection without the
administrative (or statistical) headaches.

28
Sampling Systems and Compliance
In the Life Sciences, compliance has to be at the forefront of
every incoming quality decision. Don’t forget to consider the
compliance aspects of your sampling choices.

It is critical that you clearly document the sampling system

you decide to use, and that the sampling system you use is
statistically valid.

It is also important to remember that sampling systems

should only be implemented if you have confidence in a
supplier’s previous quality performance. Be sure that you’ve
documented any audits, inspections, nonconformance history,
or other records in support of this decision within your quality
management system.

29
Risk-based
CAPA
and
Efficiency
A more efficient CAPA process
CAPA systems provide a wealth of information regarding the
quality of a product or process. However, few companies fully
leverage the power of this tool to realize its positive impact to the
bottom line.

For instance, it is commonplace for a CAPA to be initiated for each

product quality-related complaint regardless of scope or severity.

31
A more efficient CAPA process
Over time, the system becomes laden with records of varying
degrees of severity, which are often vetted by issuance order
rather than priority.

As a result, the organization cannot optimally allocate resources to

correct events that have the most impact on the business as a
whole.

So then, how can a company reclaim efficiency and perhaps even

streamline the CAPA process?

32
“ By quantifying risk, companies can more quickly
realize a return on investment for their preliminary
data gathering and work during the CAPA process.
“
Konyika Nealy
VP of Quality Assurance & Validation
Pilgrim Quality Solutions

33
What’s the Risk?
First, while it must be noted that there is no standard
definition for risk that can be applied across
organizations, the common goal is to mitigate risk, and
for those that cannot be eliminated, to reduce them to
a level as low as reasonably practicable.

Many companies spend plenty of time and money

putting risk metrics in place that are at best subjective
based on their level of tolerance.

This leads to inconsistency in the response to

negative events. By quantifying risk, companies can
more quickly realize a return on investment for their
preliminary data gathering and work during the CAPA
process.

34
Building a Risk-based CAPA Matrix
Risk assessment (or impact assessment) is required for any CAPA
process and involves the identification, analysis, and prioritization of
risks, and the subsequent application of effort to minimize, monitor,
and control the probability and/or impact of a negative outcome.

First, review historical data to determine risk attributes, frequency, and

impacts. From this information a company can clearly determine its
baseline risk exposure as well as its appetite for risk (risk tolerance).

Second, quantify the risks and impacts using an agreed-upon

methodology.

35
Building a Risk-based CAPA Matrix
Next, plot a 2 x 2 matrix (probability versus severity) to focus on the
high-risk and high-impact category.

This risk matrix becomes a tool that allows you to determine the
corresponding actions to events based on those criteria, including
no action if it falls within the acceptable risk category.

Further, for events that required action based on its risk rank as
defined by the matrix, an effectiveness review becomes more
analytical since a new severity (in light of mitigation strategy
employed) and frequency can be measured to produce a follow-
up ranking.

36
Risk-based CAPA Drives Innovation
In Life Sciences, where patient safety is foremost, quality-related
risks must be addressed swiftly and systematically.

Use of a matrix approach can, therefore, allow certain activities to

be triggered automatically such that the quality of the product is
adequately protected, while resources can be returned to the
business of innovation and helping patients.

37
Employee
Training
and
Risk
Training Requirements and Risk
How does your organization currently define training
requirements? If you’re not considering risk as you define them,
you will need to add this consideration into your process.

Training requirements and effectiveness checks should be

proportionate to the risk associated with the work

The product design and the development of the manufacturing

process will yield critical steps that need to be defined because
they impact the quality of the process and/or the safety and
performance of the device.

39
Determining Training Requirements
When determining the training requirements for these process
steps, you will benefit from analyzing:

Type of Training Competency Method of

Evaluations Tracking
Training Content Results
Required

40
Risk at Various Levels
Does your business associate the risk for both role-
level training and for job-specific requirements?

Of course the answer would be “it depends.”

If someone has the role of a “Qualified Person,” who is
signing off on a Batch Release, or if a Quality Manager
is signing off as a CAPA Approver, these roles have a
risk associated with their job activities.

How is that risk accounted for in the respective

training requirements?

A specific lab test that a Lab Technician needs to run

for a product may have a unique risk depending on
the specific product and/or process criticality;
therefore, a specific training document or lab
procedure may be linked to a critical characteristic
that has a specific risk value.

41
Getting it Documented
Finally, how will your organization capture this information and link
it to objective evidence required for the competency of each role
and/or requirement?

If you don’t have a plan for this, now is the time to act. Risk-based
quality processes and training requirements are key updates in
ISO 13485:2016.

42
Learn
More
Risk-based Quality Processes
Quality Management Software can speed your company’s path to ISO 13485:2016
compliance. Pilgrim SmartSolve® contains in-the-box best practices for:

ü Audit Management – Captures auditee risk as a part of the audit planning process.
ü CAPA Management – Provides a guided processes to implement risk-based corrective
actions quickly.
ü Change Management – Allows specific cross-functional teams and business process
workflows to be dynamically managed based on the significance of each proposed
change.
ü Document Management – Controls standard operating procedures and other
documentation throughout their lifecycle.
ü Inspection Management – Automates sampling plans and inspection frequency for
incoming inspection.
ü Training Management – Manages certifications for both role-related and job-related
training requirements.

44
ISO 13485:2016 Resources
Although risk-based quality processes are a key part of ISO 13485:2016
compliance, there are more changes within the standard that need your
attention. And Pilgrim is here to help you every step of the way.

Here are additional resources to help you on your path to ISO 13485:2016
compliance:
ü On-Demand Webinar: ISO 13485:2016 : Will Your Transition be a Marathon or
a Sprint?
ü Key Takeaways on ISO 13485:2016
ü ISO 13485:2016: Are you prepared for the transition?
ü cGMP and ISO 13485: Aligning Device Quality Worldwide
ü ISO 13485:2016 Compliance: Resources to Help You Get Started

45
About Pilgrim Quality Solutions
Pilgrim Quality Solutions is the leader in quality compliance management
software and services for Life Sciences.

For more than 20 years, our solutions have automated thousands of processes
across global company sites to manage the quality and compliance of life’s
most important products.

Our cloud-based and on-premise solutions include in-the-box best practice

workflows, document and process management, dashboards, electronic
signatures, audit trails, and automated validation – helping companies more
easily achieve quality system compliance and pass regulatory audits.

With Pilgrim Quality Solutions as your partner, you are prepared to succeed. For
more information, visit www.pilgrimquality.com.

46
Contact Us
Pilgrim Quality Solutions
(813) 915-1663
www.pilgrimquality.com

Prepare to Succeed

? LEARN MORE CONTACT US

References
• The Anatomy of Great Risk-Based GMP Audits
• Sample, Skip, and Switch: The Basics of Risk-based Incoming Inspection
• CAPA Risk Management and ROI
• ISO 13485:2016: Are You Prepared for the Transition?

48