innolitics · yujanshrestha · Dec 31, 2020 · Dec 31, 2020 · Dec 31, 2020 · Jan 13, 2021
diff --git a/rdm/checklists/13485_2016.txt b/rdm/checklists/13485_2016.txt
@@ -0,0 +1,81 @@
+# Audit checklist for ISO 13485:2016
+#
+# This checklist is not a substitute for reading, understanding, and implementing the associated standard.
+# The descriptive phrase following each keyword reference is intended only as a helpful mnemonic for locating
+# and recalling the referenced section of the standard.
+
+13485:4.1.1 Organization shall document user roles
+13485:4.1.2 Organization shall have a process for coming up with new processes
+13485:4.1.3 For each quality process, organization shall measure the effectiveness of processes
+13485:4.1.4 Organization shall keep up to date with changes to applicable standards
+13485:4.1.5 Organization shall ensure outsourced processes are conformant to this standard
+13485:4.1.6 Organization shall have a software tools validation process
+13485:4.2.1 Organization shall have a document management system
+13485:4.2.2 Organization shall maintain a quality manual that includes the scope of the QMS, procedures, and interaction between the procedures
+13485:4.2.3 Organization shall maintain separate file for different medical devices. I take this to mean the separation between a product specific QMS vs organization QMS. For example, this would be the DHF for each medical device. Regulatory deliverables usually go here.
+13485:4.2.4 Organization shall have a document control system capable of capturing reviews / approval, versioning, accessible by those who need it, legible, ability to deprecate old documents and prevent their use, and prevent loss or deterioration of documents.
+13485:4.2.5.a Organization shall document records of conformity to this standard.
+13485:4.2.5.b Organization shall document controls needed for storage, security, integrity, retrieval, retention time, and disposition of records
+13485:4.2.5.c Organization shall protect PHI contained within records (if applicable)
+13485:4.2.5.d Organization shall retain records for at least two years or for the lifetime of the medical device
+13485:5.1 Top management shall conduct reviews of the quality policy, ensure enough resources are available to execute the quality policy, and instill a culture of quality throughout the organization
+13485:5.2 Top management shall ensure customer and regulatory requirements are met for all products
+13485:5.3 Top management shall review and maintain the quality policy
+13485:5.4.1 Top management shall ensure quality objectives are met
+13485:5.4.2 Synonymous to 5.4.1
+13485:5.5.1 Top management shall document responsibilities of all personell
+13485:5.5.2 Top management shall increase awareness and foster an environment of constant improvement for the quality management system
+13485:5.5.3 Top management shall ensure appropriate communication channels are established throughout the organization.
+13485:5.6.1 Organization shall document procedures for review of quality management system at documented and planned intervals.  Records of review shall be maintained
+13485:5.6.2 Input to management review shall be documented. Input shall at least contain: employee feedback, complaint handling, customer or patient reports, process monitoring, product monitoring, CAPAs, follow ups from previous management reviews, changes that could affect QMS, new or revised regulatory requirements, changes to this ISO standard
+13485:5.6.3 Management review results shall be recorded
+13485:6.1 Organization shall determine what resources are necessary to implement the quality manual and meet customer / regulatory requirements
+13485:6.2 Organization shall ensure personell are qualified to do what they are tasked to do. This means documenting personell qualifications, provide trainings, evaluate action effectiveness. The amount of oversight here depends on the risk level involved.
+13485:6.3 Organization shall document work environment and infrastructure necessary to create conforming product.
+13485:6.4.1 Organization shall document any work environment requirements necessary to create conforming product. This probably does not apply to a SAMD.
+13485:6.4.2 organization shall have a process to control contamination. This does not apply to a SAMD.
+13485:7.1 Organization shall have a product planning process. Organization shall have a risk management and product design and development plan.
+13485:7.2.1 Organization shall have process for requirements capture for both premarket and postmarket activities.
+13485:7.2.2 The organization shall review product requirements prior to launch of a new product version.
+13485:7.2.3 Organization shall document channels used for customer communication: product info, feedback / complaints, advisory notices
+13485:7.3.1 Organization shall have a design and development plan
+13485:7.3.2 Organization shall have a design and development plan. This will point to 62304
+13485:7.3.3 Organization shall maintain records of requirement review
+13485:7.3.4 Organization shall verify design and development outputs for: meeting requirements, field maintainability, purchasability, meet acceptance criteria, RHA
+13485:7.3.5 Organization shall identify checkpoints for systematic reviews of design and development. Specifically, the aforementioned reviews shall evaluate the effectiveness of design and development process is able to meet requirements.
+13485:7.3.6 Organization shall document verification plan
+13485:7.3.7 Organization shall document validation plan
+13485:7.3.8 Organization shall have a documented design transfer plan to manufacturing. For a SAMD, this is usually a deployment/ops procedure.
+13485:7.3.9 Organization shall document procedures to control design and development process changes. Remember to account for products already in design and development. This is similar to releasing a forced update to users.
+13485:7.3.10 Organization shall maintain a DHF for all medical devices
+13485:7.4.1 Organization shall establish criteria for evaluation and selection of suppliers based on: supplier capability, supplier performance, level of risk to the quality of the medical device. Organization shall, from time to time, re-evaluate suppliers.
+13485:7.4.2 Organization shall document clear purchase order specify what services are to be rendered, acceptance criteria, supplier personnel qualification.
+13485:7.4.3 Organization shall establish and execute inspection activities to ensure purchased product meets requirements. Depending on the level of risk to device safety, organization shall implement more stringent supplier evaluation before and during purchased product development.
+13485:7.5.1 Organization shall ensure the production of product results in product conforming to specification. SAMD parallel to this could be techniques like locking dependencies, hashes to ensure the validated product is what is being pushed out into production. SAMD differs from physical product in that "produced" software are identical, so typically less process control is necessary. For example, it may be necessary to sample a hardware from the assembly line to QA but this does not make sense for software since we can guarantee they are all binary equivalent.
+13485:7.5.2 Organization shall document clininess and contamination control procedures. This does not apply to SAMD.
+13485:7.5.3 Organization shall document installation procedure and verification of installation procedure. This is especially important for end user installed product.
+13485:7.5.4 Organization shall document servicing procedures, manuals, reference measurements, etc. Organization shall analyze these records to determine if the inforamtion should be a complaint and react appropriately for process improvement.
+13485:7.5.5 Organization shall maintain sterilization records. Not applicable for SAMD.
+13485:7.5.6 Organization shall validate process used for production or service where the resulting output cannot be or is not validated by subsequent monitoring or measurement. In SAMD terms, this does NOT include a compiler because its output is validated by device verification and validation. Organization shall document procedure for process validation of computer software used in production and service. The computer software validation approach shall be proportionate to the risk level of the application.
+13485:7.5.7 Organization shall document procedures for sterilization. Does not apply to SAMD.
+13485:7.5.8 Organization shall document procedures for product identification. For SAMD this is related to version numbering and git hash. The bit about returned product does not really apply to a SAMD, but a hashing strategy may be used.
+13485:7.5.9.1 Organization shall document procedures to maintain traceability in accordance to regulatory bodies.
+13485:7.5.9.2 Requirements for implantable medical devices does not apply.
+13485:7.5.10 Organization shall have a process to protect customer provided property. This does not apply to a SAMD.
+13485:7.5.11 Organization shall have process for product preservation, storage, handling, and distribution. The main application for a SAMD is cryptographic based integrity and authenticity checks.
+13485:7.6 Organization shall have process for monitoring and measuring equipment necessary to provide evidence of conforming product. This is stuff like calibrating a volt meter, oscilloscope, temperature sensor, etc. This does not apply to a SAMD.
+13485:8.1 Organization shall implement process for process improvement for processes needed to: demonstration of product conformity, ensure conformation to QMS, maintain effectiveness of QMS.
+13485:8.2.1 Organization shall have gather and monitor feedback on whether customer requirements are met. Feedback shall be taken from production and post-production activities.
+13485:8.2.2 Organization shall document timely complaint handling procedure. Procedure shall contain at least: receiving and recording complaints, evalutation if the feedback is a complaint (or feature request), complaint investigation, reporting regulatory bodies if necessary,  handling of complaint related product (the installation having issue), determining if a CAPA is necessary.
+13485:8.2.3 Organization shall document procedures for reporting to appropriate regulatory bodies.
+13485:8.2.4 Organization shall conduct periodic internal audits.
+13485:8.2.5 Organization shall monitor and measure the effectiveness of the QMS.
+13485:8.2.6 Organization shall monitor and measure the conformity of product.
+13485:8.3.1 Organization shall ensure non-conforming product does not make it to customers. This does not apply to SAMD in its intended form. However, we can make the case that 62304 compliance features including code review, validation, verification fulfill this requirement
+13485:8.3.2 Organization shall detect nonconforming product before delivery. SAMD conforms to this by 62304 compliance.
+13485:8.3.4 Organization shall document refurbishing / rework procedures. This does not apply to a SAMD.
+13485:8.4 Organization shall document procedure to collect and analyse adequecy and effectiveness of the QMS. This procedure should at minimum contain inputs from feedback (both customer and internal), conformity to requirements, opportunities for improvement, suppliers, audits, service reports. Service reports are support cases.
+13485:8.5.1 Organization shall have process for identification and implementation of QMS improvements.
+13485:8.5.2 Organization shall attempt to eliminate the cause of nonconformities to prevent recurrence. This is called a corrective action (reactive). Corrective action urgency shall scale with the effect of the nonconformity encountered.
+13485:8.5.3 Organization shall attempt to prevent occurence of nonconformity in the future. This is called a preventitive action (proactive).
+
diff --git a/rdm/checklists/21CFR820.txt b/rdm/checklists/21CFR820.txt
@@ -0,0 +1,66 @@
+# Audit checklist for 21CFR820
+#
+# This checklist is not a substitute for reading, understanding, and implementing the associated standard.
+# The descriptive phrase following each keyword reference is intended only as a helpful mnemonic for locating
+# and recalling the referenced section of the standard.
+
+21.CFR.820.20.a Management with executive responsibility shall ensure that the quality policy is understood, implemented, and maintained at all levels of the organization.
+21.CFR.820.20.b  Each manufacturer shall establish and maintain an adequate organizational structure to ensure that devices are designed and produced in accordance with the requirements of this part.
+21.CFR.820.20.b.1 Responsibility and authority. Each manufacturer shall establish the appropriate responsibility, authority, and interrelation of all personnel who manage, perform, and assess work affecting quality, and provide the independence and authority necessary to perform these tasks.
+21.CFR.820.20.b.2 Resources. Each manufacturer shall provide adequate resources, including the assignment of trained personnel, for management, performance of work, and assessment activities, including internal quality audits, to meet the requirements of this part.
+21.CFR.820.20.b.3 Management representative. Management shall appoint quality systems subject matter expert.
+21.CFR.820.20.c Management review. Management with executive responsibility shall review the suitability and effectiveness of the quality system at defined intervals and with sufficient frequency according to established procedures to ensure that the quality system satisfies the requirements of this part and the manufacturer's established quality policy and objectives. The dates and results of quality system reviews shall be documented.
+21.CFR.820.20.d Quality planning. Each manufacturer shall establish a quality plan which defines the quality practices, resources, and activities relevant to devices that are designed and manufactured. The manufacturer shall establish how the requirements for quality will be met.
+21.CFR.820.20.e Quality system procedures. Each manufacturer shall establish quality system procedures and instructions. An outline of the structure of the documentation used in the quality system shall be established where appropriate.
+21.CFR.820.22  Third Party quality audit procedure.
+21.CFR.820.25.a General. Each manufacturer shall have sufficient personnel with the necessary education, background, training, and experience to assure that all activities required by this part are correctly performed.
+21.CFR.820.25.b Each manufacturer shall establish procedures for identifying training needs and ensure that all personnel are trained to adequately perform their assigned responsibilities. Training shall be documented.
+21.CFR.820.25.b.1 As part of their training, personnel shall be made aware of device defects which may occur from the improper performance of their specific jobs.
+21.CFR.820.25.b.2 Personnel who perform verification and validation activities shall be made aware of defects and errors that may be encountered as part of their job functions.
+21.CFR.820.30.a shall establish and maintain procedures to control the design of the device in order to ensure that specified design requirements are met.
+21.CFR.820.30.b Design and development planning.
+21.CFR.820.30.c Design input.
+21.CFR.820.30.d Design output.
+21.CFR.820.30.e Design review.
+21.CFR.820.30.f Design verification.
+21.CFR.820.30.g Design validation.
+21.CFR.820.30.h Design transfer.
+21.CFR.820.30.i Design changes.
+21.CFR.820.30.j Design history file.
+21.CFR.820.40.a Document approval and distribution
+21.CFR.820.40.b Document changes
+21.CFR.820.50.a Evaluation of suppliers, contractors, and consultants
+21.CFR.820.60 Identification
+21.CFR.820.65 Traceability
+21.CFR.820.70 Production and process controls.
+21.CFR.820.70.a General.
+21.CFR.820.70.b Production and process changes.
+21.CFR.820.70.c Environmental control.
+21.CFR.820.70.d Personnel.
+21.CFR.820.70.e Contamination control.
+21.CFR.820.70.f Buildings.
+21.CFR.820.70.g Equipment maintenance, inspection, and adjustment.
+21.CFR.820.70.h Manufacturing material.
+21.CFR.820.70.h.i Automated process. Tools validation.
+21.CFR.820.72 Inspection, measuring, and test equipment.
+21.CFR.820.75 Process validation.
+21.CFR.820.80 Receiving, in-process, and finished device acceptance.
+21.CFR.820.86 Acceptance status.
+21.CFR.820.90 Nonconforming product.
+21.CFR.820.100 Corrective and preventive action.
+21.CFR.820.120 Device labeling.
+21.CFR.820.130 Device packaging.
+21.CFR.820.140 Handling.
+21.CFR.820.150 Storage.
+21.CFR.820.160 Distribution.
+21.CFR.820.170 Installation.
+21.CFR.820.180 General requirements.
+21.CFR.820.181 Device master record.
+21.CFR.820.184 Device history record.
+21.CFR.820.186 Quality system record.
+21.CFR.820.198 Complaint files.
+21.CFR.820.200 Servicing.
+21.CFR.820.250 Statistical techniques.
+
+
+
diff --git a/rdm/init_files/organization_qms/SOPs/capa.md b/rdm/init_files/organization_qms/SOPs/capa.md
@@ -0,0 +1,77 @@
+---
+revision: 1
+title: CAPA SOP
+---
+# Approvals
+
+All approvers shall add a signed commit with their name and roles appended to the table in this section.
+
+| Name | Role                | Date |
+| ---- | ------------------- | ---- |
+|      | Quality Systems SME |      |
+
+# Training Record
+
+| Name | Role | Date |
+| ---- | ---- | ---- |
+|      |      |      |
+
+# Purpose
+
+This SOP shall describe the process for creating, executing, and concluding a corrective action / preventative action (CAPA).[[21.CFR.820.100]]
+
+# Change History
+
+The change history section shall contain a brief summary of changes made in this revision.
+
+| Change Description | Date |
+| ------------------ | ---- |
+| Initial version    |      |
+
+# Required Roles to Execute
+
+The following user roles are required to execute this SOP:
+
+- Quality Systems SME
+- All roles necessary to execute the CAPA 
+
+# Required Roles to Review
+
+The following user roles are required for initial approval, periodic review, and change approval of this SOP:
+
+- Quality Systems SME
+
+# Required Inputs and Dependencies
+
+The following inputs are required for the execution of this SOP:
+
+- The event(s) that lead to initiating this CAPA
+
+# Outputs
+
+The SOP shall produce the following outputs:
+
+- A CAPA record
+- Potentially one or more changed, removed, or new SOPs
+
+# Risk Level
+
+High: Error in SOP or SOP execution is likely to result in patient harm.
+
+# Periodic Review
+
+Author shall insert the review periodicity depending on the risk level.
+
+High: Review every six months.
+
+# Record Template
+
+Refer to `templates/capa_record.md`
+
+# Work Instruction
+
+1. Ensure you are on the `master` branch of the QMS git repository it is up to date.
+1. Create a new branch called `capa/name_of_capa`
+1. Create a copy of the CAPA record template to `records`
+1. Fill out the CAPA record as requested in the record template.
+1. Close the CAPA by merging the branch into `master`. Merging into master signifies the CAPA has been resolved and is ready to be executed.