How 1980’s pop culture can help us make risk-based decisions in healthcare

6 minute read.
This article uses 1980’s pop culture to describe purchasing requirements in ISO 13485 and the Medical Device Single Audit Program, MDSAP.
In the 1986 film “Crocodile Dundee,” a gang in New York attempted to rob a crocodile-hunter visiting from Australia. They flashed a knife, and he replied with a line that’s been quoted for 30 years: “That’s not a knife. This is a knife!”
Crocodile Dundee made a risk-driven decision. A flow-chart for his decision would look like this:

Medical device companies are required to make risk-based decisions by international regulations and standards, such as ISO 13485 and MDSAP, which state that all company processes should be linked by a common goal of reducing risk. This article focuses on risk-driven decisions in purchasing processes, but can be applied to any department in your company.
Purchasing is important
To understand why “Purchasing” is so important for risk-based decisions and processes, consider the 1986 Challenger Space Shuttle explosion. Seven people died, including a civilian high-school teacher.

The explosion originated near a small O-ring that was allowing fuel to leak. That O-ring was purchased from a vendor, but no one in the purchasing department knew the significance of that part. In fairness, it would be hard to see the significance of an O-ring, which emphasizes that Risk isn’t just about the part, it’s about what happens if that part fails.
Regulations for purchasing
The scene from Crocodile Dundee that led to a risk-based decision, “That’s not a knife,” has been viewed two million times:

Your company must have an approved quality system to sell medical devices. The international standard for this is ISO 13485, which is the foundation of a new audit method, the Medical Device Single Audit Program (MDSAP). Both require that quality systems function as a “risk-driven process.” ISO 13485:2016 training videos have, collectively, been viewed a few thousand times, but impact the lives of billions of people.

A ‘process approach’ that reduces risk to patients is the foundation of ISO 13485 and MDSAP. Together, these programs help improve healthcare for 7.2 billion people. But, they don’t detail how to analyze risk. For that, use ISO 14971, Risk Management, and the supplement used in the European Union, EN 2012 : ISO 14971. Both include using teams to identify, analyze, and document “Hazardous Situations” in which the failure of a part would lead to unforeseen risks.
In the case of the Space Shuttle Challenger, a Hazardous Situation Analysis would have included asking “what happens if the O-ring fails?” and “what if the weather is colder on launch-day than purchasing specifications for the O-ring?” Those questions were being asked by engineers, but there wasn’t a way for their voices to be heard; modern Risk Management standards ensure a diverse team identifies, analyzes, and documents hazardous situations so they can be used by all departments. In the language of ISO 13485 and MDSAP, risk analysis would be “linked” to processes used by other departments, such as the NASA launch team and purchasing departments.
That’s not a process. This is a process!
Let’s look at what ISO 13485:2016 considers a process, using a diagram provided by Crocodile Dundee’s home country, Australia, which is one of five countries pioneering MDSAP.

“Risk Management” and “Purchasing” surround all departments. The diagram shows that Purchasing is driven by Risk Management, which means that oversight of vendors is based on reducing risk, which requires information from all departments through a series of linked processes.

All of these risk-driven processes create outputs; each output is used by other processes within a company, sometimes in different departments, with the goal of reducing risk to patients. In other words:
A process receives inputs and creates outputs. Outputs become inputs for other processes, creating a continuous flow of information and actions. A company’s quality system oversees these processes, and uses inputs from the real-world to generate outputs in the form of improved products and services.
Risk-driven process
For more clarity on how ISO defines a process, please see my blog, “MC Hammer, Vanilla Ice, & the process approach for quality systems,” where I illustrated concepts for what is, and what is not, a process. The bottom-line is that a flow-chart is not a process; to be a process by ISO definitions, you must show that outputs become inputs for other processes in a closed-loop system of continuous improvement.
MDSAP requires evidence that your company uses risk-driven decision points for purchasing, either for high-risk parts or high-risk vendors. Examples of decision points for vendor selection or oversight include:
Is it a high-risk part?
Is this a high-risk vendor? i.e., are they not ISO 13485 certified, not MDSAP audited, have a history of mistakes, etc.
Is it a “Black Box” part? i.e., is the part assembled by a vendor, and when we receive the part are critical features hidden from our inspection process?
Does the vendor use sub-vendors that introduce risk into your supply chain?
An example of a risk-driven purchasing process is:

In this example, processes are linked between departments using “Risk Management Documents,” and receive real-world input for continuous improvement through incoming inspections and CAPA’s (Corrective And Preventive Actions). Risk-driven decisions are made for vendors based on the part they’re making and their capabilities, which complies with ISO 13485, clause 4.1.5:
“controls shall be proportionate to the risk and the ability of the external party…”
In other words, risk for purchasing is a combination of the part and the vendor. You can reduce risk from purchasing in many ways, such as:
Selecting vendors that are ISO 13485 compliant or have passed a MDSAP audit
On-site inspections of their quality system
Increase the percentage of parts inspected in your receiving department
Request first-article inspections for custom-made parts
Working with design engineering to reduce risk from that part
Because there are so many ways to reduce risk from purchasing, I strongly recommend starting with a plan. A plan that includes scope, goals, team-members, etc. could be the starting point of brainstorming best ways to reduce risk. And, it’s likely that unforeseen situations may arise in your Hazard Analysis. For standardized ways to analyze risk, see my article on “Medical Device Risk,” based on ISO’s standard for Risk Management, ISO 14971. For this article on purchasing, the most important requirements from ISO 14971 and ISO 13485 are:
Start with a team-driven risk management plan, including what’s an acceptable level of risk. Remember the Space Shuttle time-line pressures? Pre-determined risk analysis reduces the human tendency to push boundaries when pressured.
Share Risk Management processes between departments through linked processes. In the example I created, “Risk Management Documents” would probably begin with Design Controls, and extend through manufacturing, purchasing, supplier audits, field maintenance, etc. Again, the Space Shuttle illustrated that one department knowing the risk was insufficient risk management because not all departments had access to that information.
Document all assumptions, ensuring there’s a process linking post-market surveillance to update assumptions. In a way, that’s what every iteration of ISO 13485 and 14971 are doing for us; they use information from events all over the world to continuously improve standards so that patients have safer healthcare.
Documentation could be done in many ways, such as with an engineering change order, ECO, following ISO 13485 change-control guidelines, and should be described in your company’s quality system. A comprehensive Risk Management policy is part of a company’s overall quality system, which is a responsibility of each company’s executive management.
Next Steps
Hopefully, Risk Management policies in your company are sufficient and easy to implement across all departments. If not, consider leading from within your company, proactively identifying ways to improve, and initiating a project to apply new standards of Risk Management. You can use compliance with ISO 13485:2016 and MDSAP to support your case, and use the resources below to help you plan.
Resources
CONSULTING & TRAINING
Oriel STAT-A-MATRIX (I consult with Oriel)

Maetrics
LNE G-Med
MDI Consultants
Me (Jason 🙂)
AUDITING ORGANIZATIONS
Summary
Modern quality system regulations reduce risk to patients by requiring pre-determined risk management policies, links between departments, and processes that allow continuous improvement.
requires a medical device company’s quality system to be a series of risk-driven processes.
Risk can come from non-obvious Hazardous Situations, as described by

Purchasing is critical for ISO 13485 and , and purchasing decisions should be traced to risk-driven processes that are linked to processes in other departments.
Please share
If you think this has been entertaining and useful, please “like” it, link to it, or forward it for others to benefit.

Steps away from addiction

2 minute read.
I define addiction as:
Acknowledging an action has consequences harmful to yourself or others
Acknowledging that you’d like to stop an action, then repeating the action

I took this photo in 2010 while laughing with friends after I had surgery and was diagnosed with medical conditions associated with chronic pain. By 2017 the United States was experiencing high levels of opioid and alcohol addictions, which can creep up on you if you’re not mindful. I was prescribed opiate pain medications by the Veterans Administration for nine years, then hiked over the Himalaya Mountains without them; I had surgery, again, in 2018 and didn’t use pain medications.
All addictions have moments when you can make a choice, and you can take steps towards or away from freedom. Take the following steps towards freedom:
Acknowledge that actions can have consequences harmful to yourself or others
Observe your actions and be mindful of whether or not they harm others
If your actions could be harmful to yourself or others, try changing them
If you can’t change your actions, express this to friends, family, or healthcare providers
Obstacles to freedom include:
You’re unaware of consequences of actions
You have a false understanding of consequences of actions

You have chronic pain, which leads to depression and addictions
You have a biologic disposition to pain or addiction: 40-60% of risk to addiction comes from genetics
You have an emotional disposition to pain or addiction because of poverty, childhood exposure to addictions, or post-traumatic stress
Defer judging the obstacles or yourself. Instead, focus on observing if there’s a problem, then solving the problem by removing obstacles, such as reducing suffering from chronic pain. Consider professional assistance or the following resources:
If someone you know is addicted, learn how to help them through Al-Anon.
Good luck; you’re not alone.

Dyslexia

6 minute read, unless you’re dyslexic, then it’s 9
19% of us have it, and so do 55% of prisoners and many celebrities. Dyslexia has many forms, and many levels, and we may not even realize we have it. What’s saddening is the correlation between dyslexia, school dropouts, and prison.
Conversely, many famous actors, CEO’s, and entrepreneurs are dyslexic, implying there could be a correlation between dyslexia and success. Less obvious are the 20% of our friends, family, and coworkers who may not realize they have dyslexia and aren’t realizing their potential.
This article summarizes who has dyslexia, the benefits from thinking like someone who’s dyslexic, and what we can do to help anyone communicate more effectively.
Background
People with dyslexia often have difficulty manipulating sounds, poor spelling, delayed visual-verbal responding, or a combination of these traits. We’re not sure why, but it could be related to differences in eye structures for people with dyslexia, or different ways the brain can work. Dyslexic people typically have average to above-average intelligence despite reading more slowly; this may be because everyone’s brain has different regions of strengths.
This image is a simplification of brain functions to illustrate a concept. Note that the dyslexic brain has a larger “Broca’s area,” indicating stronger analysis when speaking.
Dyslexia can be passed genetically. A child can exhibit traits of dyslexia without either parent being aware.

This image is a simplified example of genetic traits not exactly related to dyslexia; it emphasizes that traits such as dyslexia can skip generations and that people can have varying degrees of traits passed through genes.
Kids’ ability to adapt to dyslexia depends on environmental factors such as family behaviors and whether or not an education system recognizes and adapts to diverse learners.

Reading together while pointing to images helps form connections. Even better would be to have real-world situations correlating with the images and words, such as reading about a cat with pictures of a cat while playing with a cat.
Famous people
Many successful people have dyslexia including scientists, actors, politicians, and writers. Many of them

emphasizing their creativity and ability to make complex connections that written words may have hindered.

Who succeeds, and who doesn’t
Most successful people with dyslexia express gratitude to their families, teachers, or peers who allowed them to experience self-esteem during school and build upon their strengths.
Many people don’t have this opportunity at home and suffer in schools that don’t have resources to support diverse learners. The result is a high dropout rate of kids with dyslexia, often leading to prison where the majority of inmates exhibit learning disorders.
My experiences
When I read, my eyes dart across the page and I focus on context rather than individual words. This is common for dyslexia; researchers use cameras to track eye movements that may identify reading disorders.
When I focus on reading, it’s difficult for me to combine letters phonetically. I mispronounce words that are new to me, but develop long-term associations if I practice saying them because other areas of my brain are used for verbal processing.

If you’re dyslexic, try saying words as quickly as you see or hear them to create associations in your brain.
If I don’t practice saying the word out loud, I still retain concepts described by the word and form connections with other concepts. In other words, I don’t need to know a word to understand the concept. This has been useful to me throughout my career, allowing me to read faster, ironically, and quickly apply concepts in inventions, programs, and guiding teams. It’s also helped me empathize with people who may not realize they’re dyslexic.
I was a Court Appointed Advocate for two young adults in the foster system who were diagnosed with dyslexia after 10 years of being placed in “slow-learning” classes. They pursued their strengths outside of school, where they felt accepted, and dismissed academic pursuits, where they didn’t feel accepted. Both have been incarcerated several times, which could have been avoided if they had different learning environments at younger ages; we can help all of society by learning communication best-practices for schools and workplaces.
What to do?
Communicate differently.
Methods for helping people with dyslexia learn and communicate are also best practices for effective communication across all of society.
Use audio-visual presentations; when possible include real-world objects or context
Provide frequent opportunities for others to reply verbally and confirm understanding, leading to long-term retention
If possible, allow others to create audio-visual responses in your classroom or meeting. An audio-visual response can be as simple as a piece of paper with visual representations of concepts as they discuss their interpretations.

This image isn’t verified, but shows the concept that most people understand new concepts and retain information longer if they can create mental connections and present their understanding with immediate feedback.
If you think you may have dyslexia, try discussing new concepts without judging your ability to understand them at first. Discussing new concepts without judgement can form permanent connections in regions of your brain that associate words with concepts and allow long-term retention.
Be patient with anyone who hesitates when reading or explaining new concepts.
What to do at school
In the past, classrooms were places where students listened to teachers and did homework on their own to hopefully make connections. Progressive classrooms incorporate project-based learning, where all students learn-by-doing with frequent feedback from diverse audiences to ensure that new concepts are understood correctly and can be communicated with others.

Dyslexia advocate Dean Bragonier leads a hands-on class that puts concepts into context.
Progressive classrooms with sufficient resources encourage students to explore modern communication methods in addition to writing, such as video, animation, art, and physical projects that can convey concepts more effectively than words.
What to do at work
In the past, workplaces had long meetings, people were given written handouts, someone talked a lot, and most people used acronyms that were difficult for everyone to process quickly. Modern workplaces… well, most are still boring and ineffective.
Progressive professionals create audio-visual presentations, minimizing acronyms and jargon. They allow participants to express understanding. They have fun with it because most people learn more in a fun and interactive environment.
Resources
If you have children, learn about the symptoms of dyslexia. Consider finding local schools with inclusive learning philosophy. Many will be project-based, catering to a range of learning styles, and may be free, public charter schools within close distance to your existing school.
National, online resources include:
Summary
Dyslexia:

is a difference in audio-visual processing affecting up to 19% of the population
is not an indication of intelligence or character
disproportionately impacts low-income and minorities due to a combination of genetics and environmental factors
If your child may be dyslexic,

seek professional assessments
at home, put context behind words and encourage diverse ways of communicating
seek schools that are inclusive of diverse learning styles and incorporate project-based learning
If you may be dyslexic,

zoxRrvW Nosres (just kidding :)
Accept limitations and embrace strengths; learn by speaking and doing
If you’re in a work environment,

prepare for meetings with audio-visual presentations using minimal words, acronyms, and jargon
take breaks every 10 minutes to have participants re-phrase concepts; be patient
encourage team members to do the same

Remember:

I think this image is hilarious! It’s from Pinterest. But, there’s no evidence that people with dyslexia “reverse” letters. Learn symptoms of dyslexia from the Mayo Clinic.

Take these steps to increase your health & mental clarity

4 minute read.
Sitting longer than 30-60 minutes at a time increases your risk of back pain, diabetes, and cardiovascular disease. It also decreases your learning ability and mental alertness.
You can take steps every 30 minutes to increase your physical health and mental clarity; literally, take steps every 30 minutes, at a minimum. For some reason, people aren’t doing this, despite extensive scientific evidence of the risks of sitting and the benefits of moderate motion throughout the day.
This is similar to smoking; for years, people ignored the scientific evidence that proved smoking’s hazards because it was socially acceptable. To help others, we could make sitting all day less socially acceptable, both in the workplace but especially in school classrooms where kids are forming habits that will impact them the rest of their lives.
This article summarizes the science behind getting off your behind, then gives steps anyone could take to improve their health and mental clarity and create a healthier culture for workplaces and classrooms.
Facts
The following statements summarize 18 research studies that, combined, followed 800,000 people for up to 30 years.
People who sit most of the day:
Twice as likely to develop diabetes
Twice as likely to have a heart attack
2.5 times more cardiovascular disease
More back pain
People who alternate sitting and standing:
More energy
Fewer headaches
Students allowed to move instead of sitting:
Less attention deficit
More long-term learning and memory
Exercising once a day does not change the negative effects of sitting all day. Benefit comes from alternating sitting and standing throughout the day, with no more than 20 to 60 consecutive minutes of sitting.
Science
Our bodies and minds are more efficient when in motion because of blood flow, spine biomechanics, and blood sugar levels.
Blood Flow
Sitting puts pressure on our thighs and restricts blood flow, decreasing energy and accumulating toxic wastes. Leg muscles pump blood while walking and, to a lesser extent, while standing. Stand using proper posture, ensuring your knees aren’t locked.
Image from Stepit
Spine biomechanics
Sitting weakens back-muscles and changes orientation of spinal discs. When discs change orientation, nutrients are pumped out, disc height decreases, and pressure on bones increases. Together, this leads to degenerated discs and back pain. Similarly, poor posture leads to abnormal forces in the cervical spine (neck), causing headaches.
The effects of spine degeneration can take years to be felt, and are permanent. When you sit, which should not be for longer than 30 minutes, use the best posture for working on a computer.

Image from The Wave Seat
Blood sugar
Sitting after eating increases blood glucose levels, which can cause diabetes. To reduce your chances of diabetes, eat moderate portions, avoid sugars, and walk after eating.

Mental clarity
Our brains need blood flow and oxygen to be efficient, and throughout history, people have realized that mental clarity comes from standing while working.
Winston Churchill advocated using a stand-up desk.

Ernest Hemingway used a stand-up desk, later in life.

In the 1800’s, inventors and designers recognized the need for stand-up desks.

In the 1700’s, Thomas Jefferson designed his own standing desk.

2,600 years ago, The Buddha described the posture of a person wanting to increase mental clarity, saying [he] “sits down cross legged, holding his back erect…”

Sitting cross legged, with your back erect, negates many harmful effects of sitting. The Buddha also advocated eating moderate amounts and following the middle-way between extremes. The middle-way between sitting all day and standing all day, which is also harmful, is a sit-stand desk.
Sit-stand desks

Sit-stand desks include additions to your existing desk, desks designed to alternate between sitting and standing, and desks with treadmills or other forms of exercise. Examples include:
You can experiment with a standing desk by stacking boxes under your computer.

This improvised standing desk is from a Time magazine article, “How a DIY Standing Desk Changed My Life”
Experts
The risk of sitting all day has been emphasized by almost every major newspaper, scientific journal, and government agency.
National Institute of Health & Exercise and Sport Sciences Reviews: Too Much Sitting: The Population-Health Science of Sedentary Behavior
National Health Services, U.K.: Why we should sit less
The Economist: Standing Orders
The Washington Post: The health hazards of sitting
National Education Association: “Kids Who Can’t Sit Still”
Take these steps
To start:
Never sit for more than 30 minutes without moving.
Eat moderately, avoid sugar, and walk after eating.
Advanced:
Invest in a sit-stand option for your desk

Practice being mindful of your breathing and mental clarity each day

Help others:
Arrange your workplace, classroom, or meeting room to allow both sitting and standing.

If you think this could help others, please share.

OBEY, Charlie Brown

5 minute read.
This is the history of hope, happiness, and politics. It starts with the caste system in Nepal and ends with how to recognize truthful hope.
The caste system

and learned that Nepal was recovering from a ten-year civil war, had a new democracy, and would be voting for the second time in their history.

All over Nepal, people hoped for a better life from their new democracy. They discussed life, religion, and politics near temples while street-workers sewed strands of flowers.
The flowers were purchased by people on their way to or from work, who would leave them at the temple as offerings. They did their duty, and helped the person selling flowers do their duty. This exchange dated back thousands of years, and is how the caste system views work.

In the caste system, you do the work your father did, who did the work of his father. Your children will do your work.
You can not marry outside of your caste. Your name includes the work you can do.
You hope that by doing your duty you’ll be reborn into a higher caste.
The caste system has been Hindu doctrine for almost 4,000 years, and was Nepali law until recently. But, Nepali people still obey the rules of their former caste system.

OBEY!
An American graffiti artist became famous by swapping “Obey” with “Hope,” leading to a presidential campaign poster.

His Obey logo became a popular clothing line. To be inexpensive, clothing was made in China, which borders Nepal and provides most of the cheap clothing worn by lower castes.

Over the next month, I saw people use the OBEY brand to keep warm as they persevered through manual labor, tedious tasks, and shoveling human waste. All came from families of the lowest castes. Despite the caste-system being illegal, their suffering persists. They hope for change, which was exploited as justification for a civil war while people continued doing their work.

Hope
The Greek gods tormented humankind by giving us suffering in Pandora’s Box. They put Hope in the box, too, because hope prolongs suffering. False hope is what keeps a boxer fighting when there’s no chance of winning, taking punch-after-punch while spectators watch.

Many people misinterpret hope as something positive, but hope was made attractive to entice us. Greek writers warned us about hope and fruitless effort with Sisyphus, who is still being punished by the gods. Each day, Sisyphus carries a rock uphill, hoping he’ll reach the top. Every evening, it rolls back downhill. The gods don’t need prisons; Sisyphus obeys his gods because he has hope.
Hope & Change
Charlie Brown has been hoping to kick a football held by Lucy since 1950. He misses because Lucy intentionally moves the football. Millions of fans know he won’t succeed but enjoy watching him try; we are Charlie Brown’s gods.

The creator of Peanuts sent a message to society for 50 years. He used the words “Hope!” and “Change!” when satirizing politics; those words are still used by politicians today, and we still continue to believe in false hopes.

Modern Sisyphus

Politicians use our desires to their advantage, promising hope, change, and to make things great again. We then obey their rules, wars, and calls for a stronger economy that do not bring more happiness.
Hope keeps us trapped. We don’t enjoy the present moment because we hope for a better job, more money, better possessions, and more happiness.
We send our kids to school, not to be happy in the moment, but hoping they learn skills that will get them a job that will make them happy, one day.
To be free from the trap of false hope, seek truthful hope.
Truthful hope
There are differences between false hope and truthful hope:
False hope speaks to our desires; truthful hope speaks to our intellect.
False hope speaks about the future; truthful hope begins with the present moment.
False hope gives goals without a practical path; truthful hope has small steps, with each step being an incremental improvement.

This isn’t new: 2,600 years ago Prince Siddhartha Gautama rejected the caste system in Nepal and India, teaching people to avoid extremes by following the middle-way. His teachings became Buddhism, the world’s 4th largest religion, based not on an external deity or god, but on human intellect. Siddhartha’s advice was:
“Each day, do more of what you know to be wholesome, and do less of what you know to be unwholesome.”
To do more of what’s wholesome, seek truthful hope that applies to your unique situation in life. Be mindful of each moment, aware of your thoughts and motivations; do not be swayed by politicians, advertisements, or situations that speak to desires rather than intellect. Plan for the future, but don’t become attached to it. View life as an adventure where nothing’s certain except the present moment. At that point, you’ll be able to look at the promises of hope and change objectively, to see them for what they really are, and you’ll know what to do to escape the cycle.
When there is no desire, all things are at peace. – Lao Tzu
I’m making this up as I go. – Indiana Jones

Peace.
JiP

How to use ISO 14971 to improve a Risky Business

This is under revision… please don’t forward this version. For a current version, please see my iteration on Linkedin.
Early in 2018 I underwent surgery surrounded by medical devices that were made by companies for which I had consulted. As the staff connected to a device that would keep me breathing during surgery, I thought about my experiences helping companies become more innovative while reducing risk to patients. I wrote this article while recovering. To keep it fun I use 1980’s pop-culture to illustrate the most important points.
Background
Reducing medical device risk is a law in the United States and a standard internationally. The regulations define risk as the severity of harm and how likely it is to happen.
Risk = Severity X Probability
This is more than just a definition, it’s a systematic method of reducing risk that provides repeatable, inspectable methods known to reduce harm to patients and create new products. Unfortunately, this method is underutilized or misunderstood, which harms people and adds costs to companies. For example, 44% of medical device recalls could have been prevented by design-controls that included risk-reduction, and up to 250,000 people die each year from accidental deaths in the American healthcare system. But, when used properly, risk management creates safer products, opens new markets, and makes quality control more efficient.
Regulatory requirements
Medical device manufacturing is regulated in the United States by 21 CFR 820, and internationally by ISO 13485. Both require risk analysis, but neither describes how to do it, so we use methods from the International Standards Organization, ISO, which describes Risk Management in ISO 14971:2007. Additionally, selling medical devices in the European Union requires a supplemental standard, EN 2012 : ISO 14971, which requires, among other things, that risk be reduced “As Far As Possible” (AFAP), which is a stronger statement than ISO’s, “As Low As Reasonably Practicable” (ALARP), and implies that cost can not be an obstacle to reducing risk to people, property, or the environment. Including property and the environment in risk is unique to ISO; the Food and Drug Administration limits risk to patients and users.
EN 2012 : ISO 14971 satisfies risk requirements for all countries, and using it allows an abbreviated regulatory process in the United States. An FDA 510(k) submission can refer to EN 2012 rather than explain internal processes that may be questioned by the FDA.
Medical device companies must pass country-specific audits before they can sell products in that country. An exception is the Medical Device Single Audit Program, MDSAP, which is currently accepted by five countries, including the United States. The image below, from Australia’s MDSAP policy, illustrates that risk management should be fundamental to all areas of a company’s quality-control system, especially purchasing from suppliers, and that risk management begins with a company’s management team.
Hazardous situations
A key aspect of ISO 14971 is identifying potential hazardous situations that could lead to harm. Hazardous situations are often unforeseen, especially by a small group of people who are likely biased by their experiences; identifying them therefore requires diverse team input and constant re-evaluation. A classic example is the 1986 Space Shuttle Challenger explosion, which stemmed from a small O-ring allowing gas to leak in a rare but catastrophic series of events that led to a hazardous situation: a postponed launch, a cold launch day, and fuel leaking around an O-ring that was not rated for such a cold temperature. Some people knew of the risk, but, in 1986, systems weren’t in place to ensure risk was analyzed for all hazardous situations.

Risk analysis methods
After identifying potential hazardous situations and harms, risk analysis is conducted to quantify the severity and probability of each harm. Risk analysis must be documented in a systematic way so that your work can continue through a product’s life-cycle and so that assumptions can be continuously monitored and updated. The two most common methods for medical device risk analysis are:
Failure Modes and Effects Analysis (FMEA), which can include a dFMEA for design, a pFMEA for manufacturing processes, a system-level FMEA, a supplier FMEA, etc.
Fault Tree Analysis (FTA)
Other risk-analysis methods are less common to medical devices, but all should lead to similar results. Most use a table, or matrix, to illustrate Risk = Severity X Probability for different scenarios.

Probability is initially assumed based on similar products or scientific literature, and should be continuously updated with data from real-world use. For the matrix example shown, “catastrophic” and “high” risks would be unacceptable, and “moderate” risks would need to be reduced As Low as Reasonably Practicable or As Far As Possible. In the case of the space shuttle, an unlikely probability of a sequence of events leading to a hazardous situation would be balanced by the severity of failure.
To apply a risk analysis matrix for medical devices, each harm must be unambiguous. Harm is defined by ISO 14971, section 2.1, as “physical injury or damage to the health of people, or damage to property or the environment,” and must be unambiguous so that a “severity” number can be applied, monitored, and continuously re-evaluated.
Companies are required to maintain their risk analysis in a risk management file so that auditing organizations can see evidence of continuous improvement by constantly re-evaluating risk, which includes re-evaluating potential hazardous situations and harm that could result from those situations.
Risk Control
Both ISO 14971 and the EN 2012 supplement describe systematic methods of risk management. For example, they standardize how risk is solved by providing three priorities:
Improve the design to be risk-tolerant
Add safeguards to reduce exposure to risk
Labels or instructions to educate or warn of risk
Most of us don’t read or follow instructions, so ISO doesn’t consider written warnings to be effective risk control. This partially explains the European Union’s supplement that cost can not be an obstacle to reducing risk, i.e. companies can not apply a warning label to justify not improving their product’s design. This concept is summarized by an image used for training companies, provided by Oriel STAT-A-MATRIX, a training and consulting organization:

Other forms of risk control can be included in manufacturing processes, inspections before shipping products, etc., but it’s important to emphasize that ISO standards clearly state that prioritization should be placed on design and safeguards, whichever is the current “state of the art.” State of the art means that if a solution is known, it should be implemented; if not, extensive justification should be documented for audits. And, per the European Union definition of reducing risk “As Far As Possible,” cost can not be justification for not implementing state of the art risk control.
Post-market surveillance
Risk analysis uses assumptions that must be constantly re-evaluated using real-world data. Your company’s post-market surveillance processes must be linked to your risk-management processes, ensuring real-world data is used to adjust assumptions in a closed-loop system of continuous improvement.
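The matrix from “Risk analysis methods” and the closed loop from “Post-market surveillance”, as an added Python example that is not taken from ISO 14971 or written by the article’s author. The severity scale, probability limits, score bands, the “low” band and every sample figure are constructed assumptions; a record with zero events is bounded with the statistical rule of three (3/n).

```python
"""Risk = Severity x Probability, re-evaluated with post-market data (added example)."""
from bisect import bisect_right
from dataclasses import dataclass

# ASSUMPTION: ISO 14971 does not fix these scales; each company defines its own.
RATE_LIMITS = [1e-6, 1e-5, 1e-4, 1e-3]  # harms per use that separate probability ranks 1..5
BANDS = [(20, "catastrophic"), (12, "high"), (6, "moderate"), (0, "low")]
DECISION = {
    "catastrophic": "unacceptable",
    "high": "unacceptable",
    "moderate": "reduce (ALARP / AFAP)",
    "low": "acceptable",  # assumption: this band is not named in the article
}


@dataclass
class RiskItem:
    harm: str             # one unambiguous harm, so a single severity number applies
    severity: int         # 1 (negligible) .. 5 (death)
    assumed_rate: float   # initial probability per use, from similar products or literature
    uses: int = 0         # post-market: recorded uses
    events: int = 0       # post-market: uses in which the harm occurred


def probability_rank(rate):
    """Map a per-use rate onto ranks 1..5 using RATE_LIMITS."""
    return bisect_right(RATE_LIMITS, rate) + 1


def current_rate(item):
    """Prefer real-world data over the initial assumption when data exist."""
    if item.uses == 0:
        return item.assumed_rate
    if item.events == 0:
        # Rule of three: approximate 95% upper bound on the rate after
        # zero events in n uses. Zero observed events is not zero risk.
        return 3 / item.uses
    return item.events / item.uses


def assess(item, use_field_data=True):
    """Return (score, band, decision) for one line of the risk management file."""
    rate = current_rate(item) if use_field_data else item.assumed_rate
    score = item.severity * probability_rank(rate)
    band = next(name for floor, name in BANDS if score >= floor)
    return score, band, DECISION[band]


def changed_items(risk_file):
    """Harms whose band moved once field data replaced the initial assumption."""
    moved = []
    for item in risk_file:
        before = assess(item, use_field_data=False)[1]
        after = assess(item)[1]
        if before != after:
            moved.append((item.harm, before, after))
    return moved


# Constructed sample risk file; the numbers are illustrative only.
RISK_FILE = [
    RiskItem("needle stick to caregiver", 4, 5e-6, uses=40_000, events=12),
    RiskItem("shock delivered to patient who did not need it", 5, 2e-5,
             uses=2_000_000, events=0),
    RiskItem("skin irritation from adhesive", 2, 5e-4),  # no field data yet
]

if __name__ == "__main__":
    for entry in RISK_FILE:
        print(entry.harm, assess(entry, use_field_data=False), "->", assess(entry))
    print(changed_items(RISK_FILE))
```

The first item moves from “moderate” to “high” because the field rate exceeds the assumption, and the second moves the other way only as far as the zero-event bound allows.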
Definitions
The following definitions can help you search risk management regulations:
HARM – injury to people or property
HAZARD – something that can cause harm
HAZARDOUS SITUATION – a situation in which a hazard could cause harm
HAZARD ANALYSIS – a process for identifying hazards and hazardous situations
RISK – the severity of harm and the likelihood it will happen
RISK ANALYSIS – a process for estimating risks from hazard analysis
RISK CONTROL – actions taken to reduce risk for a product
RISK MANAGEMENT – a company’s official, systematic process for reducing risk
RISK MANAGEMENT PLAN – a plan before risk activities, required by law and standards
RISK MANAGEMENT FILE – a document tracing the location of all risk documents
RISK MANAGEMENT REPORT – a report summarizing all risk management activities for a product, and how it will be continuously improved.
Safer Products
Needle sticks:

Hospital caregivers were often exposed to used needles, increasing their risk of a skin puncture and exposure to diseases such as HIV and Hepatitis C. The first company to innovate a way to reduce this risk quickly dominated the market, and other companies scrambled to create their own designs. Now, patients all over the world benefit from multiple forms of risk reduction, ranging from different needle designs to user-friendly disposal containers.

New Markets
Automatic Electronic Defibrillators (AED’s):

In the past, a patient with a heart attack had to wait for trained paramedics to arrive with a cardiac defibrillator. Paramedics were trained to ensure a patient had a heart attack, as opposed to an illness with similar effects, because using a defibrillator on someone without a heart attack could harm them. Companies innovated defibrillators that reduced this risk by detecting a patient’s condition before allowing defibrillation, which allowed public defibrillators all over the world. This expanded market size, and improved public safety.
Improved Quality Control
Manufacturing processes:

The Sulzer orthopedic company recalled one of their hip implants because a manufacturing change introduced risks into their product. Their quality system did not have modern risk management methods, resulting in thousands of patients with failed hips, secondary surgeries, and permanent damage to their livelihood. A billion dollars went towards lawsuits, putting the world’s 4th largest implant manufacturer out of business. Modern risk management methods ensure that changes are reviewed by a risk management team, reducing errors before they become harmful and costly problems.
Summary
Risk = Severity X Probability

Risk management is required by: FDA, ISO

Risk management standards are: ISO

Common risk-analysis methods are:

requires a company’s quality system to be a risk-driven process.

Risky Business
I’m having fun with 80’s pop culture while sharing my belief in ; there’s no new information here.

Risky Business was a 1983 film that springboarded Tom Cruise into fame after he danced in his underwear, just like how my career began. (Just kidding.) In the film, a teenage Tom took risks, resulting in harm to his father’s Porsche sports car and their home. Like most movies in the 80’s, their problems were quickly solved with money and quirky but reliable friends.
Healthcare is Risky Business. In the real world of medical devices, risk affects people’s lives and well-being, and can rarely be fixed with money. If you if they would rather have insurance money or be able to walk normally the rest of their lives, they would have preferred a less-risky hip replacement. Any heart-attack patient saved by a public defibrillator would be grateful for risk-reduction, and hospital workers all over the world are safer each day thanks to reduced risk of needle-sticks.
Our work can be more fulfilling knowing it makes the world a safer, healthier place. We can do our work more effectively by understanding Risk Management regulations that focus on patient safety.
Take a break from saving lives to watch Tom Cruise dance in his underwear, a risk that paid off.

How to pass a quality-system audit using Brown M&M’s

6 minute read.
In the 1980’s, the rock-band Van Halen caused $85,000 damage to their dressing room because they found brown M&M’s in their bowl of “munchies.”
Van Halen’s story can help medical-device companies pass an FDA or ISO Quality-System audit. This article shows you how, but the conclusion may not be what you think.
The 80’s

Van Halen, circa 1985
In the 1980’s, Van Halen was one of the most successful bands in history. According to Wikipedia,
[Van Halen’s] lead single, “Jump”, became an international hit and their only single to reach number one on the Billboard Hot 100. The following singles, “Panama” and “I’ll Wait”, both hit number 13 on the U.S. charts. The album went on to sell over 12 million copies in the U.S. alone.
Van Halen toured nationally; concert venues prepared weeks in advance. Their contract required providing “munchies,” including a bowl of M&M’s with the brown ones removed. In 1982, the band destroyed their dressing room after finding brown M&M’s.

35 years later, I use lessons from Van Halen, and brown M&M’s, to help medical-device companies comply with FDA and ISO requirements.
Jump In
Why would Van Halen’s contract require having brown M&M’s removed? That answer will help explain how to pass quality-system audits. My answer is after this video of “Jump.” Feel free to sing along while you think about possible reasons one of the world’s most successful bands would add a clause in their contract about brown M&M’s.

“Jump!” by Van Halen, 1984

The answer is that Van Halen used brown M&M’s to gauge attention to detail in their contracts. They toured globally, performing several times a week, and were one of the first rock bands using 3rd-party contractors to prepare concert venues according to their specifications. Stages had to withstand the weight of their show, and electrical circuits had to handle requirements for amplifiers, stage effects, and VERY LOUD SPEAKERS. Van Halen used the contract clause about brown M&M’s to quickly gauge if complex safety requirements would be met.

Van Halen stage show in the 80’s
Here’s what the lead singer of Van Halen, David Lee Roth, said about brown M&M’s:
Van Halen was the first band to take huge productions into tertiary, third-level markets. We’d pull up with nine eighteen-wheeler trucks, full of gear, where the standard was three trucks, max. And there were many, many technical errors — whether it was the girders couldn’t support the weight, or the flooring would sink in, or the doors weren’t big enough to move the gear through.
The contract rider read like a version of the Chinese Yellow Pages because there was so much equipment, and so many human beings to make it function. So just as a little test, in the technical aspect of the rider, it would say “Article 148: There will be fifteen amperage voltage sockets at twenty-foot spaces, evenly, providing nineteen amperes …” This kind of thing. And article number 126, in the middle of nowhere, was: “There will be no brown M&M’s in the backstage area, upon pain of forfeiture of the show, with full compensation.”
So, when I would walk backstage, if I saw a brown M&M in that bowl … well, line-check the entire production. Guaranteed you’re going to arrive at a technical error. They didn’t read the contract. Guaranteed you’d run into a problem. Sometimes it would threaten to just destroy the whole show. Something like, literally, life-threatening.
You can read an NPR article about David Lee Roth’s views on brown M&M’s, or listen to Dave explain it himself in

Phrasing
Look at Van Halen’s phrasing in their contract:

They clearly indicated NO BROWN ONES, and asked for twelve (12) Reese’s peanut butter cups. The other phrasing, such as “assorted” dips, or the open-ended “nuts,” allows freedom for these choices. This is similar to how ISO defines its phrasing in ISO 13485:2016 section 0.2:
“shall” indicates a requirement
“should” indicates a suggestion
“may” indicates a permission
“can” indicates a possibility or capability
You can use these phrases to prioritize improvements to your Quality System, or to be more efficient when evaluating your suppliers.
FDA audits
I’ll paraphrase David Lee Roth, imagining him as your guide to the FDA:

Medical Device regulations are to protect public safety. Some requirements seem simple. Other requirements are more complex, and have direct impact on patients.
So, if I walk into an audit and I see simple requirements aren’t met… well, line-check their entire process. They didn’t understand the requirements. Guaranteed you’d run into a problem. Sometimes it would threaten to just destroy the entire process. Something like, literally, life-threatening.
Brown M&M’s for FDA and ISO
The FDA maintains a database of warning letters it has sent to companies. The same findings are commonly found among thousands of companies and can be used as Brown M&M’s. Here are examples of some of the most common warning letters:

Expired calibration of manufacturing equipment
Companies must keep calibration records of equipment used to manufacture medical devices. This is clearly stated in FDA 21 CFR 820.72 and ISO 13485:2016 clause 7.6, so an expired calibration probably means that more complex requirements weren’t followed.

Products or parts of products on employees’ desks without a label identifying the parts as “not for human use”
Companies must identify and control products that are non-conforming so that they are not accidentally delivered to patients. This is clearly stated in FDA 21 CFR 820.90 and ISO 13485:2016 clause 8.3.2, so uncontrolled products probably mean that more complex requirements weren’t followed.

A Design History File with any of the following:
* Design-changes without test data or rationale
* Design-reviews without an independent reviewer
* Long time-periods without updates
FDA 21 CFR 820.30 (j) requires companies to maintain a Design History File for each product, ensuring that decisions follow a plan, changes to plans are team-decisions based on data, and that design reviews have an independent person to reduce bias. Failing any one of these, or going for long time-periods without updates, are all brown M&M’s.
How to Pass any Audit

Brown M&M’s are not the problem, they are a symptom. Use the concept of Brown M&M’s to evaluate the effectiveness of your quality system, then make gradual improvements to your quality system, training, and culture before audits are scheduled. Use these steps:

Make improving your quality system a core responsibility of senior management. Ensure your company’s Quality System complies with FDA Quality Requirements and ISO 13485 Standards.
Continuously improve your quality system by making it a closed-loop process.

Create a culture where everyone understands their role in patient safety; be authentic, transparent, and positive.
Perform internal audits, use independent auditors, or hire consultants.
Use the concept of brown M&M’s to help you audit your suppliers and subcontractors. If you find Brown M&M’s for a critical supplier, that’s an indication that they may not follow more complex processes, therefore are a risk to your supply-chain and, ultimately, to your customers.

Resources
OFFICIAL DOCUMENTS
The FDA Quality System Requirements (QSR) for medical devices, 21 CFR 820
The International Standards Organization (ISO) quality system standard, ISO 13485:2016

MDSAP audit model

Summary

Brown M&M’s are quick ways to gauge compliance with other, more complex requirements

Common Brown M&M’s in FDA warning letters include:
expired calibration on manufacturing or test equipment
medical device parts outside of a manufacturing area that are not labeled “not for human use”
missing signatures or dates in a Design History File
Brown M&M’s can help you quickly gauge supplier quality control, which is critical to ISO 13485:2016 and MDSAP.
When using ISO 13485 to gauge your Quality System or audit a supplier, prioritize requirements with the word “shall,” followed by “should,” “may,” and “can.”
Please Share
If you feel people in the medical device industry would enjoy this article, or benefit from it, please share it.
Parting Thoughts
The 1980’s were fun, and I’m definitely a “child of the 80’s,” as my high-school homecoming photo shows:

Hopefully, I make wiser choices today than I did in the 80’s, especially with haircuts. I help companies make wise choices to become more effective, and I use blogs like this to illustrate concepts in FDA and ISO requirements.

Take this quiz to see if you’re ready for MDSAP

3 minute read, or a 12 minute quiz, if you’re ready.
By January 2019, the Canadian government will require all companies selling medical devices in Canada to be certified under the Medical Device Single Audit Program (MDSAP). There are only a few circumstances in which this deadline can be extended.
If you’re familiar with MDSAP, this article quizzes your knowledge of key concepts. If it’s new to you, read how to prepare for MDSAP.
Background
MDSAP allows medical device companies to sell products in multiple countries with one audit. To help you prepare, I created a guide to MDSAP and this quiz.
If you can answer all questions in this quiz, you should be able to discuss three questions with anyone, at any level, in your company:
Is MDSAP right for your company?
If so, are you ready for a MDSAP audit?
If you’re not ready, what steps can you take to prepare?
QUIZ
MDSAP overview
How many countries are participating in MDSAP? List them.
Is MDSAP mandatory for all participating countries?
Does MDSAP add regulatory requirements beyond existing ISO 13485 and country-specific requirements?
If your company doesn’t plan to sell products in one of the MDSAP countries, do you still have to comply with that country’s unique requirements to pass a MDSAP audit?
Canada
When will Canada require MDSAP for most companies?

Under what conditions will Canada accept alternative MDSAP routes or deadlines?

Which classes of medical devices apply to Canada’s MDSAP requirements? Check all that apply:

Class I
Class II
Class III
Class IV
Auditing Organizations and audit reports
What is an “Auditing Organization (AO)?”
List two fully-recognized AO’s.
If an AO finds a score of 5, how long do they have to report that score to regulatory authorities?
If your company receives a MDSAP score of 5, how long do you have to submit a corrective-action plan?
How many tasks with scores of 4 result in the same action as one score of 5?
If your company has no scores of 4 or 5, how long does an AO have to submit a report to participating countries?
Audit model
How many quality-system “processes” are identified by MDSAP? List them.

What is task 7 for the process “Production & Service Controls?”

Which ISO 13485 clause(s) are used for task 7?
If your company sells a product in Japan, list additional requirements for task 7, if any.

The image below is used by some regulatory agencies to summarize MDSAP processes and links. In your own words, explain the concepts this image is trying to convey.

Image thanks to Australia’s TGA
MDSAP grading
Use the MDSAP two-step grading system to answer the following questions.

Scoring matrix via Australia’s TGA
1. An AO discovers that a company has a procedure addressing ISO 13485:2016, clause 5.5, but did not follow it. This was the first finding, and it did not result in shipping a nonconforming product.
* What is the Step 1 grade?
* What is the Step 2 grade?
* What is the final grade?
* Would the AO report this grade to regulatory agencies within five days, or simply include it in their final audit report?

2. Repeat question #1, but as a second audit, with the previous finding documented and uncorrected.
* What is the Step 1 grade?
* What is the Step 2 grade?
* What is the final grade?
* Would an AO report this grade to regulatory agencies or simply include it in their final audit report?

3. Repeat questions #1 and #2, replacing clause 5.5 with clause 7.3.
4. Repeat question #3, this time as if a nonconforming product had shipped.

Are you ready?
Would MDSAP be useful for your company? Why or why not? (Hint: use the “readiness” questions in how to prepare for MDSAP)

Do you believe your company is ready to pass a MDSAP audit?
If your company isn’t ready, what are two things you could do to start getting ready?
List three consultants or consulting companies that provide MDSAP training or consulting.

Conclusion
MDSAP is straight-forward and transparent. To paraphrase The Buddha, there are no secrets “hidden in the closed fist of the teacher.” If you weren’t sure about portions of the quiz, see these key resources, which include links to consultants and trainers to help larger groups gain understanding of medical device quality systems and regulations.
Resources
OFFICIAL DOCUMENTS
Canada’s MDSAP updates
Search “MDSAP” in the
Good Luck!
Please share this blog if you think other people could benefit from it.

Medical Device Design Controls

5 minute read.
This article provides an overview of FDA design controls and lists resources to help understand and apply them.
BACKGROUND
Researchers in the 1980’s discovered that 44% of medical device recalls in the United States could have been prevented through design controls.
Almost half of medical device recalls were preventable before a product was manufactured.
The risk to patients and cost to American medical device companies was addressed by the United States Food and Drug Administration. The FDA worked with industry experts to understand best-practices for effective and efficient design, adding Design Controls to recommended guidelines. In 1997, these guidelines became the FDA Quality System Regulation (QSR), a law under the Code of Federal Regulations, Title 21, part 820 (21 CFR 820).
OVERVIEW
FDA laws apply to any manufacturer of medical devices or pharmaceuticals selling products in the United States. Design Controls are one subsystem of a required Quality System.

Design Controls are not required when researching new ideas. Design Controls begin, and must be documented, when a company commits to developing a product. The distinction between research and development should be defined in each company’s Quality System.
Design Controls have ten components listed in 21 CFR 820.30, paraphrased below:
General Requirements 21CFR820.30 (a)

Use design controls. It’s required for all manufacturers of Class II and Class III medical devices and a few Class I devices.
Design & Development Planning 21CFR820.30 (b)

Create and follow a development plan.
List who’s responsible for all aspects of development and how teams interface.
Update plans when necessary using a team-driven process.
Design Input 21CFR820.30 (c)

Inputs are what needs to be accomplished by a design, including regulatory requirements and business needs.
Inputs are not “designs,” inputs are what should be accomplished by a design to ensure user needs are met.
Inputs are agreed upon, in writing, by people listed in your plan.
Design Output 21CFR820.30 (d)

Outputs are design features that satisfy inputs.

Outputs are typically in the form of drawings, software, procedures, labels, and inspection criteria of features critical to satisfying Inputs.
Outputs are reviewed and agreed upon, in writing, by people listed in your plan.

Design Review 21CFR820.30 (e)

Reviews ensure plans are followed and updated using a team-driven process.
Reviews shall have at least one person attending who does not have responsibility for the stage of your plan being reviewed.
Reviews are approved, in writing, by people listed in your plan.
Design Verification 21CFR820.30 (f)

Verification compares outputs to Input requirements.

Verification must be measurable. For example, for an Input of “weighs less than 2.0 kilograms” the output could be verified by measuring weight on a scale.

Verification is reviewed and approved, in writing, by people listed in your plan.

Design Validation 21CFR820.30 (g)

Validation ensures Inputs are met for output that can not be measured. For example, measuring a mass-produced chemical wouldn’t be practical; output can be tested using samples, validating consistency through statistics.
Validation also ensures user needs are met from the user’s perspective. For example, if an Input is that a package “must be opened within 30 seconds,” the final design couldn’t be measured directly; it must rely on real-world people in a controlled test.

Validation must use production-units in actual or simulated conditions.
Validation is reviewed and approved, in writing, by people listed in your plan.

Design Transfer 21CFR820.30 (h)

Ensure that you can transfer a design to manufacturing without losing control of outputs that were verified and validated.
Transfer is reviewed and agreed upon, in writing, by people listed in your plan.
Design Changes 21CFR820.30 (i)

Changes to inputs, outputs, and verification or validation methods must be controlled to ensure there aren’t unforeseen consequences, including for other products that may share design components.
Changes are reviewed and agreed upon, in writing, by people listed in your plan.
Design History File 21CFR820.30 (j)

A Design History File (DHF) is evidence that a product was developed according to a Plan, including references to the locations of all plans, inputs, outputs, verification, validation, and transfer procedures.
I emphasize that a DHF is also a history of “why” changes are made so that future teams learn from current teams. This has been critical in addressing device recalls and designing improvements.
Design Controls assume that teams document risk-assessments throughout development to minimize risk in designs and manufacturing processes.
Historically, a waterfall-diagram has been used to illustrate Design Controls.

Most companies don’t follow a waterfall-method for development. Design activities occur simultaneously, often across different teams that may reside in multiple states or countries. Modern companies also strive for concurrent-design between teams, such as development and manufacturing.
Design Controls may be simplified to documenting a process of creating and following a plan, focusing on user needs and regulatory requirements to create inputs, facilitating communication between teams using change procedures & reviews, ensuring outputs satisfy Inputs through verification and validation prior to transfer, and documenting your process in a Design History File that includes assessments of risks and mitigations in both design and manufacturing.
Design Controls extend into manufacturing and throughout the life of a product. Feedback from manufacturing and post-market surveillance becomes input for design changes.
RESOURCES & NEXT STEPS
The FDA is a transparent organization. To paraphrase The Buddha, there isn’t a secret “hidden in the closed fist of the teacher.” The FDA tells you exactly what they require and tries to help you accomplish it. The resources below are focused on medical devices and Design Controls.
FDA OFFICIAL INFORMATION
FDA Quality System (QS) Regulation / Medical Device Good Manufacturing Practices
21 CFR 820, printed version
21 CFR 820, electronic version (e-CFR)
FDA “Device Advice”

FDA Division of Industry & Consumer Education (DICE)

Includes phone numbers for conversations with real people
Go ahead, roll the “dice” (I couldn’t resist)
FREE TRAINING
FDA Design Control Guidance for Medical Device Manufacturers
FDA guidance on Design Controls (.pdf version)
FDA presentation on Design Controls

FDA online training and continuing education
almost overwhelming with the amount of information ranging from foods to drugs to devices – search for keywords
SUMMARY
Design controls are laws to protect patient safety and facilitate efficient companies.
Design Controls are a part of the FDA Quality System Regulations.
Design Controls can be summarized as: Focus on solving user needs, follow a plan, ensure communication via design reviews, verify and validate that designs meet user needs, oversee successful transfer to manufacturing, and document all designs and changes in a Design History File.
FDA design controls are one part of selling medical devices in the United States. To sell in other countries requires additional requirements, including a comprehensive quality control system that meets FDA Quality System Regulations and the International Standards Organization standards in ISO 13485, plus each country’s specific requirements including the new

.

Good luck!

MDSAP: The Medical Device Single Audit Program

6 minute read.
The Medical Device Single Audit Program (MDSAP) allows medical device companies to sell products in multiple countries with one audit. This article summarizes the MDSAP and helps your company prepare for it.
If you’re confident in your knowledge of MDSAP, consider taking a quiz to see if you’re prepared for MDSAP.
After you understand MDSAP, if you’d like to have fun learning how to improve your Quality System, consider reading “Van Halen, brown M&M’s, & the quality system audits”
BACKGROUND
Medical devices are regulated by governments in order to protect patient safety. For example, when the United States discovered that 44% of medical device recalls could be attributed to design flaws, the FDA began enforcing design controls.
Companies must comply with the regulatory requirements of each country in which they sell medical devices. Participating countries will accept MDSAP in lieu of individual audits. These countries, and their regulatory agencies, are:
MDSAP is a standardized way of auditing, ensuring repeatable audits regardless of the auditor. It doesn’t add any new regulations; it standardizes the audit process to emphasize risk-driven processes, which was already required by ISO 13485.
Currently, MDSAP is voluntary. Beginning in January 2019, Canada will require MDSAP. There are only a few circumstances in which this deadline can be extended.
Before continuing, it’s important to emphasize that MDSAP was driven by industry input, and is considered both practical and beneficial by the International Medical Device Regulators Forum, which archives the respected work of the Global Harmonization Task Force.
Most participants believe that MDSAP audits represent an improvement over previous audits. More importantly, MDSAP can increase patient safety while improving company efficiency.
Does MDSAP add requirements to existing quality systems? Why or why not?
MDSAP VS. PREVIOUS AUDITS
Previously, each country required an audit.
MDSAP allows one audit to be used for all participating countries. A company only needs to comply with countries in which they intend to sell products.
Previously, auditors were encouraged to review a company’s quality system as a process but were allowed to audit components independently.
MDSAP audits are conducted as a “process,” ensuring each part of a quality system links to other parts for a seamless flow of information. This must be a closed-loop process; the outputs of each process become the inputs of another process, with information cycling through a review by senior management to ensure continuous improvement of the entire system.
The most common links are Risk Management and Purchasing procedures; all decisions must be based on reducing Risk to a patient, and documented to provide evidence for auditors and metrics for management review.
Image thanks to Australia’s TGA
Previously, noncompliances were graded as “minor” or “major.”
MDSAP noncompliances are graded from 1 to 5 based on the potential impact to a patient, frequency of occurrences, and whether or not products were shipped with the noncompliance.
What is a “closed-loop process,” and how does it apply to a quality system for continuous improvement?
How do you make, and document, risk-driven decisions about suppliers?
Consider checking your understanding in these fun, but informative, articles:
PROCEDURE
MDSAP auditors grade companies using a list of approximately 92 “tasks,” provided in seven chapters of the MDSAP audit model. The tasks capture all clauses of ISO 13485:2016, plus country-specific requirements.
Audits are conducted through Auditing Organizations (AO) that are approved by Regulatory Authorities (RA) of participating countries. I list some AO’s at the end of this article.
An AO will conduct an initial audit, perform surveillance audits, then re-certify a company every three years. An initial audit begins with a review of documents before an on-site visit; subsequent audits are document reviews unless there’s a reason to conduct a special audit.
What are MDSAP “tasks?”
GRADING
Noncompliance for each MDSAP task is graded from 1 to 5, with 5 being the most adverse. Grading has two steps.
STEP 1: start with a score based on two factors:
Potential impact to a patient, either indirect or direct, which corresponds with clauses in ISO 13485
Clauses 4.1 through 6.3 are indirect, = 1 point
Clauses 6.4 through 8.5.3 are direct, = 3 points
Frequency of occurrence, increasing a score +1 if the noncompliance was reported in any two previous MDSAP audits. (A “repeat” is defined between different audits, not within the same audit.)

Scoring matrix via Australia’s TGA
STEP 2: apply an escalation score, if applicable.
+1 if a process isn’t documented (vs. being inaccurate or incomplete)
+1 if the company shipped a non-conforming product
The final MDSAP score for each task is the combination of Step 1 and Step 2 scores, but with a maximum score of “5.” Audit results will include the following information:
Step 1 score
Final score
The ISO clause, or country-specific addition, out of compliance
Examples of company documents out of compliance
Audit reporting formats, plus a standard grading system, allow regulatory agencies to know exactly what happened during the audit. This also allows companies a clear, unambiguous path to correct non-compliances.
Auditing Organizations report a score of “5” or three scores of “4” to Regulatory Authorities within five business days. Otherwise, AO’s have 90 days to submit their report to all participating countries.
Look at Step 1 scoring. If you were preparing for an audit, which ISO 13485 clauses would you focus on, initially, if you did not have a lot of time? In other words, which clauses are “bang for your buck?”
STEPS TO PREPARE
Determine if MDSAP matches your company’s business needs

Do you sell, or plan to sell, in participating countries?
Canada will require MDSAP in January 2019; how does this affect your business?
Does your company still use ISO 13485:2003? If so, this may be a good time to transition to the 2016 version and incorporate MDSAP.
Determine your MDSAP readiness

Understand MDSAP audit “tasks” and “grading.”

Follow the MDSAP audit model tasks; begin by looking for obvious grades of “5” or “4” by focusing on ISO 13485:2016 clauses 6.4 – 8.5.3, which have “direct” impact and higher grade penalties.

Complete an assessment of all tasks, ensuring your procedures for risk management and purchasing are linked between parts of your quality system.

Consider whether consultants could help you train your company or assist in preparing for MDSAP
Schedule an audit with an Auditing Organization soon; there are only a few AO’s, so their schedules may be busy.

MORE TO MDSAP
An overview of the MDSAP won’t answer every question. Examples include how companies respond to noncompliances, how internal audits are utilized, etc.
But there are no surprises with the MDSAP. To paraphrase The Buddha, there are no secrets “hidden in the closed fist of a regulatory agency.” All documents used by Auditing Organizations are available, for free, online.
If you have the MDSAP audit model, are you fully prepared for what an auditor will ask? Why or why not?
RESOURCES
OFFICIAL DOCUMENTS
CONSULTING OR TRAINING
AUDITING ORGANIZATIONS (AO’s)
SUMMARY
Five countries are participating: USA, Japan, Australia, Brazil, Canada
Canada will require MDSAP by January 2019

Uses existing requirements. Differences from previous audits include:

One audit recognized by participating countries rather than individual audits
Requires links between parts of a quality system, emphasizing risk and purchasing procedures, rather than focusing on specific parts
Noncompliances are graded 1-5 rather than “major” or “minor”
Test your understanding by taking this MDSAP quiz.