On July 15, 2006, all medical device manufacturers registered to ISO 13485 were required to transition from ISO 13485:1996, based on the ISO 9001:1994 quality management system (QMS) model, to ISO 13485:2003, based on the ISO 9001:2000 process model for a QMS. The vast majority of medical device manufacturers completed the transition on time and proved to their respective registrars that their quality management systems are in compliance with ISO 13485:2003. Is compliance, however, good enough? Are manufacturers getting sufficient value and benefit from their ISO 13485:2003-compliant systems? Are quality assurance systems that are minimally compliant more likely to become noncompliant? A robust, well- planned and effectively implemented quality assurance system takes time and money, and is essential for maintaining full compliance and avoiding the even larger costs and pain of being found noncompliant.
Medical device manufacturers that have taken the time to study and train on ISO 9001:2000 seem to be further ahead and have better understanding in implementing the most effective systems to meet ISO 13485:2003 than those who haven't.
Having a compliant ISO 13485:2003 system, however, doesn't necessarily mean that the manufacturer has an effective and efficient system. Unlike ISO 9001:2000, ISO 13485:2003 doesn't have requirements for continuous improvement or customer satisfaction. This is because ISO 13485 is focused on maintaining regulatory compliance, not business improvement. Successful manufacturers must fully and effectively address continuous improvement and customer satisfaction. If they don't, their competition will.
The transition to ISO 13485:2003 is noteworthy in terms of requirements to meet regulations because nothing much has changed. TC 210 (the standards-writing committee) was very effective in ensuring that nothing of substance was added and nothing was lost in terms of regulatory requirements. There has been a big change in the philosophy of quality assurance, however, particularly with the introduction of the process model, and the need to really understand the interface and interaction of processes. Many medical device manufacturers have either underestimated or misunderstood the effect of this shift and are struggling with the change from clause-by-clause thinking to a true process orientation. Although they may have achieved compliance and received their upgraded certificate, they are still a long way from best practices.
It is highly recommended that medical device manufacturers obtain and refer to ISO/TR 14969, the guidance document on the intended use and implementation of ISO 13485 for regulatory compliance of medical device quality management systems. There is a great deal of wisdom in this document.
The focus of this article is to identify seven areas of opportunity for more effective and efficient systems in the medical device manufacturing industry from a lead auditor's perspective.
The requirements must be read in light of where the company is in respect to the process model, not in light of the clause number.
Many manufacturers miss Normative Reference 2, which says that ISO 9000:2000 is indispensable for the application of ISO 13485:2003. This is certainly true in at least two key areas: terms and definitions, and the graph showing the model of a process-based QMS. The graph of the process model appears in ISO 9001:2000 and not in ISO 13485:2003, which has led to some very interesting results. There is a strong tendency toward a clause-based system rather than a process-based system because of the regulated nature of medical devices. This type of thinking leads to several misconceptions, duplication of efforts and inefficiencies in implementing the QMS.
Consider, for example, customer communications. If we are thinking "clause-based," here are sample requirements that could be considered relevant to customer communication.
• Subclause 5.2, "Customer focus." "Top management shall ensure that customer requirements are determined and met." (See subclauses 7.2.1 and 8.2.1.)
• Subclause 5.6.2, "Management review." "The input to management review shall include information on… customer feedback."
• Subclause 6.2, "Human resources." "The organization shall ensure that its personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of the quality objectives."
• Subclause 7.2.1, "Determination of re-quirements related to the product." "The organization shall determine… requirements specified by the customer." (Recall that this was referenced in subclause 5.2.)
• Subclause 7.2.3, "Customer communication." "The organization shall determine and implement effective arrangements for communication to customers in relation to… customer feedback, including customer complaints." (See subclause 8.2.1.)
• Subclause 8.2.1, "Feedback." "As one of the meas-urements of the performance of the quality management system, the organization shall monitor information relating to whether the organization has met customer requirements." (Recall that this was referenced in subclause 5.2.)
Compare and contrast sub- clauses 5.6.2, 7.2.3 and 8.2.1 for a moment. If read as a clause-based system, it appears that the same concept is being discussed in slightly different ways--e.g., "feedback" is mentioned in management review, customer communication and a section on the standard related to feedback. Did the writers of 13485:2003 multiply words just to create confusion? If the standard is read and implemented as a clause-based system, there will be confusion, and those who assess the system will be able to confute decisions. These requirements must be interpreted based on the process model shown in ISO 9001:2000.
When we read the requirement in subclause 7.2.3, we need to consider the input to the subclause, the output and the process. The input on the process model is human resources, so this requirement is describing the assignment and training for the process owner. The output is measurement, analysis and improvement. The process is clearly stated. The expectation is that when feedback is received from customers, there is a system to monitor it and provide the appropriate output.
Let's follow the process model for this issue. First, management states that the company will conform to ISO 13485:2003, the requirements of which are found in clause 4. Then management responsibility kicks in, which is clause 5. The standard requires a review of information on feedback and the existence of a quality policy and objectives. Following the process model, we come to resource management, so the company needs to assign responsible individuals and ensure that they know that the expectation is to measure and have a process for capturing complaints. That leads to product realization, as found in clause 7, where manufacturers need to understand customer requirements and effectively capture every concern raised by customers. Then we come to the output of product realization, which is the information related to the processes, and to measurement, analysis and improvement. There must be a system to monitor complaints, integrate the complaints data and evaluate if changes are needed. The requirements for measurement, analysis and improvement are found in clause 8. Finally, we come to output, which feeds back to management responsibility. Relevant information on the complaint is fed back to management review to ensure that the policy and objectives are being met.
This should point out the importance of reading the requirements in light of where the requirement is in the process model, and thinking of inputs to each requirement, the process and the outputs of the requirement as significantly more important than the number of the clause.
A good way to understand the process is to discuss the difference between the requirements of subclauses 8.2.1 and 8.5.1 of the ISO 13485:2003 standard. If these requirements are read from a clause-based mindset, they will often be confusing. If read from a process-based mindset (i.e., the inputs and outputs that the writers were considering when the standard was written), the requirements will begin to make sense.
Further guidance on the process approach can be found at www.iso.ch/iso/en/iso9000-14000/explore/transition/9001_2000approach.html.
It's interesting to look at the first requirement in ISO 13485:2003, which reads, in part, "The organization shall… identify the processes." Many organizations don't really grapple with this as a first step, and it leads to many problems down the road. Once the processes have been identified, sequence and interactions, operation and control, resources, monitoring and correction become supporting activities. If the organization doesn't have a clear foundation for identifying the processes, everyone may not be on the same page. The standard doesn't specifically denote "minor" or "major" processes, and the process listing will be related to the size of the organization. Many organizations classify processes into the categories of management, product realization and measurement. Other organizations may break these down into core processes and support processes. A suggestion is to have top management start with a clean sheet of paper and write down the top four to six processes for the organization, and use that as a discussion point. It could also be worked out in a team environment. This is a key area to consider for clarity and improvement of the system, because the output of process documentation leads to a clear quality policy statement, and this can lead to better and more relevant objectives.
Further guidance on identifying processes that can be useful to ISO 13485:2003 can be found at www.iso.ch/iso/en/iso9000-14000/explore/transition/faqs.html.
Subclause 4.2.2 requires that the organization establish and maintain a quality manual that includes the scope of the QMS. The word "scope" appears twice in the standard; first in clause 1 in reference to the breadth and extent of the ISO 13485:2003 standard, and then in subclause 4.2.2 in the context of the application of the quality system to a company's products and services. Here, "scope" refers to the coverage, span or range of the medical devices for which the company takes responsibility. This can be documented in many ways; the quality manual could refer to the certificates of registration--which have been worked out with the certification body--or it could refer to the products that the company manufactures. Many companies struggle with this, perhaps because the requirement is written in a lengthy manner. It's a simple concept, really: Describe what the company does. In the new standard, the scope of the QMS, the quality policy and objectives, and the processes are required to be consistent and complete.
Many organizations miss a key point when structuring their internal audit programs. Subclause 8.2.2 says, "The organization shall conduct internal audits… to the planned arrangements (7.1), to the requirements of this international standard and to the QMS requirements established by the organization." The company must be clear on its responsibility with respect to regulatory requirements. If the company has established Quality System Requirements, the Medical Devices Directive (for the European Union), the Canadian Medical Device Regulations or the Japanese Pharmaceutical Affairs Law as relevant regulatory requirements, there is an expectation that the regulations have been established by the organization, and that there is objective evidence that internal auditors will be trained to audit against the regulations. The regulatory authorities have made it clear to the certification bodies that this is the expectation, so it is best to provide training to ensure competence in auditing against the regulations. The nature of the training and how much is needed is not defined. Please bear in mind that competence, as noted in subclause 6.2.2, is the ability to do the required job, and the organization needs to provide sufficient training and a means of testing training effectiveness. On-site training, lead auditor training and Webinars are examples of ways to satisfy this requirement.
ISO 13485:2003's scope, as stated in subclause 1.1, concerns "requirements for a quality management system… to provide medical devices… that consistently meet customer and regulatory requirements applicable to medical devices…." The scope of ISO 9001:2000, as stated in subclause 1.1, regards "requirements for a quality management system… to provide product… that meets customer and applicable regulatory requirements." The difference is not regulatory requirements but the specific focus of ISO 13485 for medical device manufacturers. Also, if you read the scopes carefully, you will notice that the primary objective of ISO 9001:2000 is enhanced customer satisfaction, whereas the primary objective of ISO 13485:2003 is to "facilitate harmonized medical device regulatory requirements," which means a safe and useful medical device. That is why, for example, risk management is a requirement throughout product realization with ISO 13485:2003, whereas ISO 9001:2000 is silent on the matter of risk management.
The issue of regulatory requirements bears more discussion, as ISO 13485:2003 actually says "regulatory requirements applicable," which infers that for some organizations, regulatory requirements might be not applicable. The reference to ISO 13485 and ISO 13488 in guidance document ISO/TR 14969, subclause 0.1, shows clearly that the intent is requirements that encompass national and/or regional regulations to control and monitor medical devices. Examples of companies that might have limited regulatory requirements could include contract manufacturers, sterilizers and molding shops, none of which provide a finished medical device in their own name. European, U.S. and Canadian regulatory authorities pretty much agree on this concept.
Japan is somewhat different, and that is why the JPAL system--although participating in Global Harmonization Task Force activities--requires some level of assessment beyond ISO 13485:2003 as part of its regulatory requirements and interpretation of the supply chain.
Let's consider where key regulatory requirements are listed in ISO 13485:2003:
• Subclause 4.2.1f. "The QMS documentation shall include… any other documents specified by national or regional regulations."
• Subclause 5.1a. "Top management shall… communicate to the organization… regulatory requirements."
• Subclause 5.6.2. "The input to management review shall include… new or revised regulatory requirements."
• Subclause 6.2.2 (Note). "Regulations might require… documented procedures for identifying training needs."
• Subclause 7.2.1. "The organization shall determine… regulatory requirements related to the product."
• Subclause 7.3.2. "Inputs relating to product requirements… shall include… regulatory requirements."
• Subclause 8.1. "Regulations might require documented pro-cedures… for statistical techniques."
• Subclause 8.2.1. "If… regulations require… experience from the post-production phase, the review… shall form part of the feedback system."
• Subclause 8.3. "… product is accepted by concession only if regulatory requirements are met."
• Subclause 8.5.1. "If… regulations require notification of adverse events… documented procedures to… notify… regulatory authorities."
It's crucial for the manufacturer that sells the finished device to address the requirements where the applicable regulations (depending on country of sale) impinge on its devices. The suppliers of services, contract manufacturers or molders, all of which supply unfinished devices, still need to address each of the requirements and be very clear on where and how any specific regulatory requirements impinge on their part of the process. When reading the requirements, be very certain to use process-based thinking and look at the definitions in section 3 of ISO 13485:2003, under the supply chain section, to decide where your company fits into this picture.
Much more could be said about this, but it is essential, as a company establishes its QMS, to identify processes and determine the documented quality manual and related procedures. The system must be clear on where the company's responsibility starts and stops with respect to regulatory requirements.
ISO 9001:2000 makes provision for "permissible exclusions" that are limited to activities in product realization (clause 7). ISO 13485:2003 makes provision for "permissible exclusions," but these are limited to design controls if appropriately justified and documented. The reason for this is that the regulations permit this exclusion in certain circumstances, typically in the case of the lowest-risk devices. Japan, the European Union, Canada and the United States all employ a similar concept, based on the device risk and class. The regulations do not tell a company what types of products are applicable, or what is applicable to the medical device manufacturer's business. So the writers of ISO 13485:2003, in subclause 1.2, "Application," say, "If any requirement(s) in clause 7… are not applicable…." Further, in subclause 4.2.2a, the standard says that the "quality manual… includes… details of and justification for any… nonapplication." Many companies have not gone completely through product realization to make this distinction clear. The documentation must show whether the company is responsible for regulatory requirements (subclause 7.2.1), cleanliness of product (184.108.40.206.1), installation (220.127.116.11.2), serv-icing (18.104.22.168.3), sterile medical devices (22.214.171.124), particular requirements for implantables (126.96.36.199.2) and customer property (7.5.4). These are examples of potential areas of nonapplication that many companies miss. Remember, the scope of the QMS must be clear, and that concept includes addressing design controls (unless there is a permissible exclusion) and all areas of nonapplication. The writers of the standard wanted the QMS to be complete to clearly describe what the company does and does not do.
ISO/TR 14969:2004, "Guidance on the application of ISO 13485 and ISO 13488," is an excellent guidance document for medical device manufacturers. The word "risk" appears at least 51 times and makes it clear that the writers of the standard are concerned with device safety when risk is considered and managed. The document also provides a superb background for how to structure organizational thinking where risks might occur "throughout product realization," which is a requirement in subclause 7.1 and a concept with which many manufacturers struggle. Consider, for example, a contract manufacturer who makes a product to specification, does not do design control and has adequately justified it as a permissible exclusion. The company still must clearly and carefully consider all product realization, e.g., customer-related processes, planning, purchasing, inspection, supplier controls, production controls, software controls and calibration controls, to mention a few. The consideration must include risk management. This is one of the biggest areas for specific growth in the medical device industry. There is also some excellent guidance in ISO/TR 14969 on interpreting "lifetime of medical device" records control, environmental controls and label controls.
Tom Kahrmann is the senior medical device manager for BSI Management Systems on the Medical Devices Directive and EN 60601 for electro-medical qualifications. He authored BSI's course for CE marking for MDD. Kahrmann has expertise in global quality management systems, yield improvement and manufacturing cost control for high-volume operations. He is a registered lead auditor for electronics, active and implantable medical devices, TL 9000 and IRCA, as well as an ANAB lead auditor.