Jon Speer


Implementing ISO 13485

Six common mistakes and how to avoid them

Published: Tuesday, September 10, 2019 - 11:03

Medical device manufacturers must implement and maintain a quality management system to ensure they are producing safe and effective medical devices. Created and maintained by the International Organization for Standardization (ISO), standard 13485 outlines the guidelines for medical device quality management systems. ISO 13485:2016 has been adopted by regulatory agencies around the world as a universally harmonized standard.

However, the International Organization for Standardization itself is not a governing regulatory agency; unlike government agencies, ISO does not publish reports to the public of violations during audit findings. This fact makes it nearly impossible for device makers in this market to research and learn from others’ mistakes.

With more than 20 years of experience working in the medical device industry, I’ve seen my fair share of mistakes made during ISO 13485 implementation, with six mistakes in particular that commonly trip up device makers. You can learn from others’ missteps and avoid making them yourself:

1. Treating processes as checkboxes

One of the most common mistakes I see companies make is treating ISO 13485 activities as simply “checkboxes” or must-do items for compliance. Oftentimes, contract manufacturers will achieve their ISO 13485 certification as a competitive advantage to secure business, instead of doing it because they believe in the benefits of the standard.

Implementing ISO 13485 should involve a holistic approach with an emphasis on quality from the onset. The implementation process should promote a culture of quality across the entire organization that extends beyond the initial execution of the standard’s processes.

Companies that adopt practices from ISO 13485 with a quality-first mindset should find the work a value-add exercise rather than a matter of checking regulatory guidelines off a to-do list.

2. Internal auditing

A company that was about to lose its ISO 13485 certification recently reached out to us. Unfortunately, this company had broken rule No. 1 and implemented ISO 13485 as a “just get it done, checkbox activity.”

The company had undergone an audit a few months prior to gain its ISO 13485:2016 certification, learning after the audit that there were two major findings, one of which had to do with internal audits, or the lack thereof. It turns out the company hadn’t been conducting them at all. Beyond this being a huge mistake in the eyes of an auditor, failing to conduct internal audits meant the company was unaware of issues that existed with its products, leading to the second finding: The company had not been making the necessary improvements to its device based on the customer feedback it received.

I recommend performing internal audits on an annual basis at a minimum. Look at your deliverables, processes, and document management, and ensure that the responsible team members are in fact managing their assigned tasks accordingly. Internal audits are a valuable opportunity for companies to make improvements and changes to their medical devices.

3. ‘Death by CAPA’

Whether it’s through ineffective investigations or poorly defined processes, many companies have ineffective CAPA processes, which lead to additional mistakes. It is critical to have a firm understanding of the differences between “corrective action” and “preventive action,” according to ISO 13485.
• Corrective actions eliminate the cause of nonconformities in order to prevent a recurrence.
• Preventive actions eliminate the causes of potential nonconformities in order to prevent their occurrence.

“Death by CAPA” can occur when processes are so poor that a company is too overwhelmed to eliminate and prevent causes, or conversely, becomes overburdened treating everything as a CAPA event.

I have learned over time that ISO auditors are more likely to drill deep into a company’s CAPA processes to gain a better understanding of how root causes were identified. ISO auditors like to get into the weeds and see that companies are utilizing their tools and procedures to maximum effect.

Don’t skip over building out an effective CAPA procedure within your quality system; based on my experience, it is one of the first things auditors look at and consider in their findings.

4. Customer feedback

Companies often struggle with properly handling customer feedback, especially when they have customers in multiple markets. This process can get increasingly challenging when attempting to do so proactively, as recommended in ISO 13485:2016.

Where companies tend to struggle most with customer feedback is acknowledging that a complaint is in fact a type of feedback. Although complaints are reactive in nature, both ISO 13485 and customers expect a proactive approach to be taken by companies.

On the other side of the coin, feedback doesn’t have to be negative. It might come in the form of a letter of commendation, or suggestions for improvements in future products. The bottom line is, companies are expected to have quality systems and processes in place to proactively gather the feedback in order for it to be properly handled.

5. Management reviews

Management reviews are required under ISO 13485, as well as in FDA 21 CFR Part 820. Management reviews are meant to ensure procedures are being properly executed and followed. Unfortunately, due to the amount of time and paperwork involved with this process, companies often slip up during implementation.

Quite often, management teams see reviews as a checkbox activity that is only attended to late in the year. The extra panic this creates within an organization only serves to compound the work that needs to be done.

Clause 5.6.2 of ISO 13485 offers a list of inputs that medical device companies should consider during management reviews:
• Results of audits
• Customer feedback
• Process performance
• Product conformance
• Status of corrective and preventive actions
• Follow-up to previous reviews
• Changes that could impact quality systems
• Improvements
• New regulatory requirements

Companies using an ineffective quality management system with poor document management will struggle with conducting effective management reviews of these nine inputs. Ineffective systems make it challenging to keep information up to date, and records can be easily lost and difficult to trace as a result. This leads management teams to conduct unsatisfactory reviews that reinforce a poor quality-focused culture within the organization.

When performed properly, management reviews are an opportunity for executive teams to understand how well their quality management system is functioning, understand their company culture, and be proactive within their business. This gives managers the opportunity to take proactive, corrective, or preventive actions necessary to identify potential issues and nip them in the bud.

6. Risk-based processes

The idea of using risk-based processes is something that is highly emphasized in the 2016 version of ISO 13485. The standard encourages companies to consider whether they assessed risk after completing a process or task. This, too, is often seen as a check-the-box activity.

Because there are varying levels of risk, it is important that companies document all risk assessments in their risk management files, where they can be managed and scored. This is a process that cannot be done in haste.

When it comes to managing risk with your suppliers, there isn’t a one-size-fits-all approach. The risk-based processes you put into place should be directly proportional to how critical the supplier’s role is to your medical device. This safeguard will yield benefits to the overall safety and efficacy of your device.

One way to assess the level of risk in suppliers is to look at how their component interacts with patients. Anything that comes into contact with patients should be given a much higher risk score, compared to, say, a supplier for labeling.

A risk-based approach is also critical to implement in your complaint-handling process. Without one, your processes can become cumbersome, leading to a “death by CAPA” scenario as I mentioned above.

Final thoughts

Many of the mistakes associated with implementing ISO 13485 are common across the industry and can be avoided fairly easily. By ditching the checkbox mentality and last-minute scrambles, companies can leverage their quality management systems as powerful tools to develop safe and effective medical devices. This, in essence, is the overall intended purpose of the international standard.

By establishing a quality-first culture, medical device companies can achieve and maintain compliance as a natural byproduct of their efforts, while also reaping the added benefits of valuable insights gained from an effective quality management system.


About The Author

Jon Speer

Jon Speer is the founder and vice president of quality assurance and regulatory affairs at Greenlight Guru, a software company that produces the only medical device quality management software solution. Device makers in more than 50 countries use Greenlight Guru to get safer products to market faster. Speer has served more than 20 years in the medical device industry and helped dozens of devices get to market. As a thought leader and speaker, he regularly contributes to numerous industry publications. He is also the host of Global Medical Device Podcast.