For Medical Device
Overview of ISO 13485 - Medical Device Quality Management System Requirements
by Betty Lane, CQMg, CQA
Many people in the medical device industry do not know much more about quality systems than that they are required. This article provides an overview of medical device quality systems and then describes generally the requirements of the ISO 13485 international standard for medical devices quality management systems (QMS). Medical devices can be simple or complex, but all of these can benefit from being designed and manufactured under ISO 13485:2003 which is the most widely used medical device QMS standard. It is required in Europe, Canada and many other countries for most devices. In the US the FDA Quality System Regulation (QS Reg.), also known as the cGMP, is required. Although the QS Reg. is structured very differently than ISO 13485, they have no conflicting requirements.
ISO 13485 is a regulatory standard whose focus is meeting customer requirements, including regulatory requirements, and maintaining the effectiveness of the QMS.
ISO 13485 is a regulatory standard whose focus is meeting customer requirements, including regulatory requirements, and maintaining the effectiveness of the QMS. This differs from ISO 9001:2000 which focuses on customer satisfaction and continual improvement. Whereas both customer satisfaction and continual improvement are as important to medical device manufacturers as to any other business today, these things are hard to measure and tend to be somewhat subjective. So when it came time to adapt ISO 9001:2000 to the medical device industry, these potentially subjective requirements were changed to meeting customer requirements and maintaining the effectiveness of the QMS, which are more easily measureable. The other major difference from ISO 9001, which is also consistent with the fact that this is a regulatory standard, is that there are more requirements for documented procedures.
This article is related to the webinar:
ISO 13485:2016 Part 1: Getting Ready for Changes.
To get the full details, please view your free webinar.
In ISO 13485, meeting requirements includes meeting regulatory requirements. So for devices that will be used in the US, to be compliant with ISO 13485, manufacturers must also meet the QS Reg. As a regulation the QS Reg. is often more specific than ISO 13485, particularly in the areas of complaint handling, labeling control, an
d documentation. ISO 13485 is structured the same way as ISO 9001:2000, and is in fact about 90 % the same as this general standard for quality management systems. The reason for the differences between ISO 13485, ISO 9001 and the FDA QS reg., can be understood by looking at the differences in their objectives as given in Figure 1.
A good QMS, if integrated into the goals and management of a company, provides a way to reduce variation. Reducing variation can provide financial benefits for the company, such as reduced scrap and general process efficiencies. So in addition to being a regulatory requirement, a well-functioning QMS makes good sense from a business and financial perspective.
ISO 13485 follows the process approach introduced in ISO 9001:2000. The process approach treats the QMS as a set of interrelated processes covering not only the manufacture of a product or provision of a service, but also management processes and support processes. A "process" is something that transforms a collection of inputs into outputs. Inputs consist of everything needed to accomplish this transformation. For manufacturing a device these this might included such things as raw materials, manufacturing supplies, work benches, cleaning materials, tools, and equipment, the building, people, written instructions, assembly drawings, comparison samples, and workmanship standards. The output of the process, that is the transformation of these inputs, produces the finished part, records about what was done by who, and information about how the transformation was accomplished, such as time to complete or production yield. Unwanted outputs might include scrap parts and wasted material. For non-manufacturing processes, for example Document Control, inputs might include Document Control procedure, change request, people, equipment (copy machine, computer, scanner), document control center, and the outputs would included controlled documents, controlled copies, and process statistics. As you can see from even just these two examples, the output of one process, i.e. Document control, is the input to other processes, such as manufacturing.
Figure 2 gives a diagram of how the ISO 13485 standard is organized. Sections 1 to 3 are introductory sections that describe the purpose and use of the standard, followed by sections 4-8 that contain requirements that must be fulfilled in order to be compliant with the standard.
ISO 13485 Section 4 gives the general requirements. These include identifying specific processes and how they interact, and responsibility for processes that are outsourced. A quality manual, quality policy and objectives and the requirements for control of documents and records and for outlining the company's document structure are given in Section 4. Document control includes review and approval of documents before use, control of changes, and making sure that current versions of controlled documents are available where needed for use. Requirements for control of records include maintaining their integrity and establishing procedures for how long documents and records are maintained.
The management of a company must take an active part in the establishment and maintenance of an ISO 13485 QMS. Section 5 requires management involvement at the level of the person who makes policy and financial decisions. This is usually either the CEO or the chief of operations. Establishing the quality policy and objectives, support and oversight of the QMS and provision of resources are the direct responsibility of upper management. In addition, top management appoints a Management Representative, usually the most senior quality manager, who has the day-to-day responsibility for the functioning of the QMS. Upper management's commitment must also include quality planning, and making sure that the quality policy is understood at every level of the organization.
There are specific requirements for the periodic management review of the QMS. This specifies the minimum of what must be covered in these reviews, as well as the output requirements. This is one of the most important processes for a QMS, and also adds value to the company by providing a structured framework managing for quality and productivity.
Section 6 contains requirements for provision of resources. Management must assure adequate facilities including, space, tools, and equipment, including computer systems. The building environment must fit the devices being made, including where necessary, such environments as clean rooms. Buildings, tools and equipment must be maintained in order to produce devices meeting all their requirements. The QMS must have as process to insure that all required maintenance activities are preformed.
Human resources are essential to quality medical devices. Therefore the provision of and adequate number of people that are competent, capable, and aware of their job responsibilities is key. It is not sufficient to train personnel and keep good training records, although that is important. Management must first define job requirements, often in the quality manual and positions descriptions. The QMS must then document that employees meet these requirements, or have had training to fill in any gaps. Ongoing employee awareness of QMS requirements, particularly related to documents and recordkeeping is the responsibility of management. Employees must also have awareness of their job responsibilities, including their responsibilities for product quality. They must know the consequences to the product or to the people using the product, if they fail to do their job properly.
The portion of the standard that most effects what people in the company do on a day-to-day basis is section 7, with the unusual name of "Product Realization." This covers much more than manufacturing. It does in fact cover everything that is required to realize a product, from customer requirements to creating (designing and manufacturing), installing and supporting a medical device.
Planning is an essential part of a functioning QMS, and in planning for product realization the company is required to establish processes for all phases of product realization, from how they obtain customer requirements, design products, purchase supplies and materials, make, install and service a device. There is risk associated with everything that we do, but in making medical devices these can include the risk to a person's life. Therefore ISO 13485 requires that "The organization shall establish documented requirements for risk management throughout product realization." Risk management includes the following:
- Risk Assessment - Identifying risks
- Risk Analysis - looking at severity and probability of all hazardous situations
- Risk Reduction - reduction, mitigation (labeling), elimination of risk as much as possible or practical
Risk management applies to processes, including all QMS processes. However, most importantly it applies to device design, manufacturing and support processes. This is such an important process that ISO 13485 requires that risk management be done according ISO 14971, the international standard for medical device risk management.
Planning for product realization begins with establishing processes for handling customer requirements, and how to communicate with the customer throughout the lifecycle of the device. Requirements may be as simple as processing orders from the company's catalog, to as complex as requirements to design a complex device from a general concept. Communication includes back and forth communication with the customer on requirements changes, and way of collecting customer feedback on all aspects of the device and the manufacturer's business processes.
If a company does product or process design, they must follow the requirements for design controls given in ISO 13485. When governments and regulatory agencies looked at reported adverse events of medical devices, they found that as often as not the problems were caused by poor design. So having a controlled design process that includes risk management, verification, validation and controlled transfer of a design to manufacturing can reduce the potential for adverse effects. A product development process following the design control requirements begins with establishing design requirements, and goes through validation and transfer to manufacturing, as outlined in Figure 3.
Once there is a device design with established manufacturing processes, it is important to make sure that the materials going into and used in making the device are correct. ISO 13485 purchasing requirements cover purchasing from qualified suppliers, according to pre-established specifications, and assuring that purchased product meets those specifications.
Manufacturing or production processes must be controlled to assure that the manufactured device meets all of its specifications. This includes not only controlling the production processes, but control of how material and devices are identified, stored and used. Documented processes must cover receiving, warehouse, production, testing, shipping, installation and servicing. Some of these processes cannot or cannot economically be fully tested to assure that all product specifications are met. Processes that cannot or will not be fully verified must be validated to assure that they always meet specifications, and once validated must be controlled and performed by trained personnel.
One of the ways to insure that a product meets its specifications involves the use of monitoring and measuring equipment. This equipment must be controlled to assure that it gives accurate results. A calibration and preventive maintenance program is essential to this control.
The last section of ISO 13485 is the one that provides the feedback and other information that allows management to maintain the effectiveness of the QMS and includes:
- Feedback including Customer Complaints and handling adverse events
- Internal audit
- Monitoring and measurement of processes
- Monitoring and measurement of product including nonconforming product
- Analysis of data
- Corrective and preventive action
A corrective action is one that fixes the root cause of a problem that has happened. This is often confused with fixing a problem that exists. Just fixing a problem is not sufficient. A root cause analysis that can be as simple as asking "WHY" five times, is not only essential to a corrective action system, but to the effectiveness of the entire QMS. Preventive action, on the other hand, is a system that if used successfully will provide one of the largest financial benefits of the QMS. Preventive actions are taken to prevent nonconformities by fixing things that might go wrong.
ISO/TR 14969:2004 is a guidance document for application of ISO 13485: 2003. Additional guidance on the implementation of a medical device QMS is available free from the Global Harmonization Taskforce and the FDA guidance documents and compliance manual.
- ISO 13485:2003, Medical Devices - Quality Management Systems - Requirements for regulatory purposes, 2003 editions
- ISO 14971:2007, Medical devices - Application of risk management to medical devices,
- ISO 9001:2008, Quality management systems â€“ Requirements
- 21 CFR 820, Medical Devices; Current Good Manufacturing Practice (CGMP) Final Rule; Quality System Regulation, Department of Health and Human Services, Food and Drug Administration, October 7, 1996
Betty Lane of Be Quality Associates, LLC has more than 20 years' experience in Medical Device quality assurance and regulatory affairs. She has established or updated quality systems for numerous small- and medium-sized medical device and diagnostic companies. Her accomplishments enabled these companies to manage their business in compliance with FDA and ISO 13485 requirements, thus enabling worldwide sale of their products. Her background in digital systems engineering enabled her to facilitate design controls and software validation when they became FDA and industry requirements.
- Established ISO 13485 and FDA Quality Systems Regulation complaint quality systems for multiple medical device and diagnostic companies. Obtained ISO 9001 certification for Instrumentation Laboratories in Lexington, MA, among others.
- Taught courses at Northeastern University, Boston MA, in Regulatory Affairs and cGMP
- Taught AAMI Quality Systems Regulation and Design Control courses, which provide comprehensive training for both industry and FDA personnel.
- Member of the Advisory Board of DQS, Inc., a worldwide RAB accredited ISO 9000/QS9000/AS9000 registrar for over 20 SIC categories
- Featured in Journeys of Women in Science and Engineering, No Universal Constants, by Susan A. Ambrose, et. al., Temple University Press, 1997.
Betty Lane is the founder and President of Be Quality Associates, LLC, a consulting company helping medical device companies implement and improve their quality systems for both business improvement and regulatory compliance. Other services included training, auditing, supplier management and medical device quality system software validation.
She has been active in local sections of the American Society for Quality including serving on the committee for Boscon, the Boston Section's annual quality conference. Her publications include articles on long-term cardiac monitoring and "A Successful University-based Eight-week Regulatory Affairs Course."
Betty is a member of the American Society for Quality, Regulatory Affairs Professional Society, Association for the Advancement of Medical Instrumentation, the Society of Women Engineers and the Institute of Electrical and Electronic Engineers. She may be reached at 603-742-4963 or at http://www.linkedin.com/in/bequality.