ISO 13485: 2016: A Complete Guide to Quality Management in the Medical Device Industry, Second


ISO 13485:2016
Quality Management in the Medical Device Industry
Second Edition
Itay Abuhav
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2018 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed on acid-free paper
International Standard Book Number-13: 978-1-138-03917-9 (Hardback)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com
and the CRC Press Web site at http://www.crcpress.com
Contents
3. Terms and definitions
4. Quality management system
    4.1 General requirements
    4.2 Documentation requirements
        4.2.1 General
        4.2.2 Quality manual
        4.2.3 Medical device file
        4.2.4 Control of documents
        4.2.5 Control of records
5. Management responsibility
    5.1 Management commitment
    5.2 Customer focus
    5.3 Quality policy
    5.4 Planning
        5.4.1 Quality objectives
        5.4.2 Quality management system planning
    5.6 Management review
        5.6.1 General
        5.6.2 Review inputs
        5.6.3 Review outputs
6. Resource management
    6.1 Provision of resources
    6.2 Human resources
    6.3 Infrastructure
    6.4 Work environment and contamination control
        6.4.1 Work environment
        6.4.2 Contamination control
7. Product realization
    7.1 Planning of product realization
    7.2 Suitable planning for the organization’s operations: A practical quality plan
        7.2.1 Determination of requirements related to product
        7.2.2 Review of requirements related to the product
        7.2.3 Communication
    7.3 Design and development
        7.3.1 General
        7.3.2 Design and development planning
        7.3.3 Design and development inputs
        7.3.4 Design and development outputs
        7.3.5 Design and development review
        7.3.6 Design and development verification
        7.3.7 Design and development validation
        7.3.8 Design and development transfer
        7.3.9 Control of design and development changes
        7.3.10 Design and development files
    7.4 Purchasing
        7.4.1 Purchasing process
        7.4.2 Purchasing information
        7.4.3 Verification of purchased product
    7.5 Production and service provision
        7.5.1 Control of production and service provision
        7.5.2 Cleanliness of product
        7.5.3 Installation activities
        7.5.4 Servicing activities
        7.5.5 Particular requirements for sterile medical devices
        7.5.6 Validation of processes for production and service provision
        7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier systems
        7.5.8 Identification
        7.5.9 Traceability
        7.5.10 Customer property
        7.5.11 Preservation of product
    7.6 Control of monitoring and measuring equipment
8. Measurement, analysis, and improvement
    8.1 General
    8.2 Goal of monitoring, measurement, analysis for improvement
        8.2.1 Planning and implementing processes for monitoring, measurement, analysis, and improvement
        8.2.2 Feedback
        8.2.3 Complaint handling
        8.2.4 Reporting to regulatory authorities
        8.2.5 Internal audit
        8.2.6 Monitoring and measurement of processes
        8.2.7 Monitoring and measurement of product
    8.3 Control of nonconforming product
        8.3.1 General
        8.3.2 Actions in response to nonconforming products detected before delivery
        8.3.3 Actions in response to nonconforming products detected after delivery
        8.3.4 Rework
    8.4 Analysis of data
    8.5 Improvement
        8.5.1 General
        8.5.2 Corrective action
        8.5.3 Preventive action
Index
The quality management world of the medical device industry has gone through a significant change represented by the publication of the new revision of the ISO 13485 Standard, the 2016 revision. This revision brings new challenges to organizations as well as changes to old challenges. This book is a complete guide to implementing all of the requirements of the standard. In order to present the reader with a practical and useful guide, I have provided a definition of my quality policy and objectives.
My quality policy
Presenting and reviewing the ISO 13485:2016 standard requirements through analysis, interpretation, and demonstration, with explanations, insightful examples, and events from various industries and sectors.
My quality objectives
• Commitment to the highest level of consulting regarding the ISO 13485:2016 standard.
• Reviewing all the topics and issues related to the realization of a product or service with reference to various types of processes and products.
• Providing support in the implementation of an effective quality management system.
• Facilitating the documentation of processes.
• Providing a reference to the new challenges presented in the ISO 13485:2016 standard.
However, a policy and related objectives are ineffective without also having in place designed and structured tactics and methods to achieve them:
• This guide is designed and structured to mirror the standard’s table of contents in order to simplify navigation and use.
• Each clause and subclause of the standard is discussed and analyzed through quality and regulatory perspectives, such as the implications for an organization—its processes, risk management, resources, infrastructures, work environment, control and effectiveness, and documents and records.
• The ISO 13485:2016 standard acts like a complicated web of prerequisites with relations between them. A full and comprehensive reference to the interrelations between the different clauses and subclauses has been included.
• Putting words into actions—the book will assist in translating the requirements and objectives into feasible activities and tasks. It visualizes situations with everyday events from the different sectors, branches, and products or services.
List of exclusions
I decided to exclude Chapter 0 of the standard from this book since it mainly provides explanations regarding ISO 13485:2016 that are already covered elsewhere in this book. I also reduced Chapter 3 to the minimum because the terms and definitions are already thoroughly discussed in the standard.
My biggest wish is that you, as a reader, will refer to this guide as a consulting session, read and explore it, draw information and knowledge that suits you and your organization, and introduce this information to your quality management system and processes.
Acknowledgments
I wish to thank all the people—consultants, co-workers, auditors, mentors, bosses, and friends—who introduced me to the quality world, and who have aided, supported, taught, lectured, consulted, and provided valuable knowledge and information during the undertaking of this book and also in my professional career. You have helped give an edge to this book. The list of names is too extensive to include here, but you know who you are.
I wish to thank my dear family for their warm support throughout the years.
I also wish to thank my wife Angela, daughter No’omi and son Gabriel for understanding, pushing, believing, and supporting me throughout this project.
Thank you.
Itay Abuhav is a highly experienced medical device quality control expert and consultant based in Geneva, Switzerland. He has over 25 years of experience in dealing directly with a number of large medical device enterprises in their quality control manufacturing processes of state-of-the-art medical devices. He has also been awarded 15 patents in medical devices and related technologies.
1. Scope
Clause 1 of the ISO 13485 Standard is used to present the purposes and concepts of the standard and define the scope of application of the standard to your quality management system. The following aspects are covered in this clause:
• The goals and purposes of the standard
• The types of organizations to which the standard applies
• The approach and reference to customer requirements
• Which types of products may be controlled by this standard
• The responsibility of the organization when using partners like suppliers in the realization of the medical device (MD)
• The approach and reference to regulatory or statutory requirements
• Applicability of design and development controls
• Possibilities for exclusions of the standard requirements
Before we start to understand the requirements of clause 1—Scope, let us review them first:
• This International Standard specifies requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer, safety, and applicable regulatory requirements.
• The ISO 13485 Standard is an international standard for the establishment, design, and implementation of a quality management system (QMS) for organizations that are involved in one or more stages of the life-cycle of the MD, including design and development, production, storage and distribution, installation, or servicing of a medical device and design and development or provision of associated activities (e.g., technical support).
• The ISO 13485 Standard can also be implemented by suppliers or external parties that provide services, processes, materials, or components for the medical device.
• The requirements of this standard apply and may be implemented in any organization regardless of its size or the type of its products or services, except where explicitly stated.
• The requirements of this Standard apply to the associated services as supplied by the organization and are related to the MD.
• Where requirements of this standard, which are applicable to the product or service, are performed externally, it is under the responsibility of the organization to prove conformity to these requirements by monitoring, maintaining, and controlling these processes.
• Applicable regulatory requirements that permit the exclusion of design and development controls may be used as a justification for their exclusion from the quality management system.
• When applicable regulatory requirements allow, or suggest other controls for design and development, the organization may plan and include them in the design and development.
• When exclusions to design and development requirements are made, it is the responsibility of the organization to prove conformity to the ISO 13485 Standard requirements.
• When requirements from clauses 6, 7, or 8 of this standard are not applicable to the QMS of the organization due to its nature, activities, or operations of MD type or nature, it may exclude this requirement from its QMS.
• Any exclusion will be provided with a sufficient documented justification. The exclusion and justification shall be documented in the quality manual according to the requirement of clause 4.2.2—Quality manual.
The principles of the ISO 13485 Standard
Clause 1—Scope presents us with the principles and concepts of the standard. The ISO 13485 Standard aims to enable the organization to provide an adequate MD to the end users by fulfilling its requirements, initiating risk management activities, and meeting applicable international and national regulations. This is expressed through four principles:
• The goal of the standard is to initiate a QMS that acts to consistently meet customer requirements and safety requirements, as well as applicable regulatory requirements.
• The requirements of this standard initiate an effective integration between a QMS of an organization and applicable regulatory requirements.
• The requirements suggested in the ISO 13485 Standard facilitate an improvement of processes included in the QMS and assurance of conformity to customer or regulatory requirements.
• The standard covers all the related phases and their derived activities of the life-cycle of the MD. The requirements suggested in the ISO 13485 Standard are applicable to all sorts of organizations regardless of their size or type, the type of their customers, and the type of products or services that they provide.
Stages of life-cycle of the medical device
Organizations that choose to implement the ISO 13485 Standard requirements may participate in one or more of the stages of the MD. Basically, these stages derive the activities that the organization must perform and the QMS must control, including design and development, production, storage and distribution, installation, or servicing of a medical device and design and development or provision of associated activities (e.g., technical support). All these stages represent different processes, activities, and operations that are needed for the realization of the MD. The requirements of the standard cover all these related activities. Please refer to Chapter 4.1.1.8 for detailed information and an explanation about the different life-cycle stages of the MD and how the organization knows in which life-cycle stage it is involved.
The ability to provide appropriate medical devices
What are the actual requirements of clause 1? When an organization decides to implement the ISO 13485 Standard, it is required, through the use and application of the methods and quality instruments presented in this standard, to prove its ability to
• Identify customer requirements
• Identify regional regulatory requirements
• Initiate a risk management approach and system
• Implement any activities or controls required by those regulatory requirements
• Establish a QMS according to the requirements of the ISO 13485 Standard
• Provide safe MDs that meet the applicable regulatory, safety, and standard requirements
In other words, the purpose of the standard presented in clause 1 must be reflected through the quality management system of your organization. How? Through applying the quality management tools and instruments that are suggested in the standard, like setting and defining quality policy and objectives, applying the process approach, planning processes, establishing a system to control risks, and meeting any other standard requirement presented in the standard.
A quality management system is a combination of various activities and processes—marketing, design and development, production, technical activities, storage, and distribution—operated by various functions and roles that demand certain conditions and qualifications. Determining what is to be included under the QMS will define which organizational aspects will be designed, managed, and controlled under the quality requirements: products, processes, activities, sites, information and data, tools and equipment, and human resources. The determination of what and how from the standard requirements must be translated, put into operational activities, and implemented in the organization will frame the scope of your quality management system and define which of the standard requirements are applicable to your organization. A description of the scope and a detailed list of the standard requirements related to the QMS will be included in the quality manual, where it is required to include a list of the operations, processes, and products that are included. The objective is to describe all the quality operations and processes that are applicable to the organization: planning of product realization, customer-related processes, purchasing, and so on.
Size and type of the organization
Another statement of clause 1 defines the appointment and adequacy of the ISO 13485 Standard requirements to organizations that provide medical devices. The statement indicates that the size and type of an organization do not affect the application of the standard except where explicitly stated. In other words, when you are defining the application of the standard requirements to your processes, activities, and products, the size and type of the organization are not factors that will determine whether a requirement is needed, except where explicitly stated.
Integrating regulatory requirements in the QMS
One of the main objectives of the ISO 13485 Standard is to integrate applicable regulatory requirements or other international standards, or internal standards with quality management system requirements. To integrate means to identify the applicable regulatory requirements and their operational, legal, administrative, and any other demands and to implement them into the QMS activities. The objective is to systematically identify all the regulatory requirements and understand (as well as implement) how they affect or implicate the QMS elements: processes, activities, human resources, documentations, records, and risk management. These may have special demands regarding the extent, structural activities, and documentation of the QMS.
Exclusions and justifications
The ISO 13485:2016 Standard is intended to be a standard for medical device manufacturers and other organizations that participate in the life-cycle of the MD that are expected to demonstrate their ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements. It is recognized, however, that not all the requirements of this standard will necessarily be relevant to all organizations. Thus, the ISO 13485 Standard permits, under certain circumstances and limitations, the exclusion of certain standard requirements: the omission of quality or realization activities that are normally required from the QMS. Exclusion means that certain standard requirements (one or more) are not applicable to the organization due to the activities and processes undertaken by the organization or the nature of the medical device for which the quality management system is applied, and the organization decided not to implement these requirements in its QMS. The implication of the exclusion is that certain quality activities specified in the standard will not be developed in the QMS and will not be implemented. The exclusions will be referred to and justified in the quality manual.
Exclusions are very important because they set the degree of effort and amount of resources that you will have to invest in implementing and maintaining the QMS. The application of the ISO 13485 Standard refers to how the QMS defines what users are allowed to do and how, instructs them, and provides them with quality tools to accomplish processes, operations, activities, and tasks. The determination of the application will frame the scope of your quality management system and define which of the standard requirements are applicable to your organization and which you may exclude. The organization is allowed to exclude only requirements that appear in clauses 6, 7, or 8 of the ISO 13485 Standard. All other clauses are obligatory for meeting the ISO 13485 Standard requirements and will be implemented. In other words, the organization must consider whether all the requirements of the standard are relevant to its activities, based on the nature of the organization itself, the type and class of the MD, the realization activities and safety requirements (that are derived), and the statutory and regulatory requirements.
The justification for the exclusions must prove beyond any doubt that the exclusions do not affect the ability or responsibility to consistently provide a product that meets customer, safety, and applicable regulatory requirements. Furthermore, the exclusions must be consistent with the scope of the QMS, as mentioned in the quality manual. For example, you may not exclude clause 7.5.10—Customer property and claim management of customer property in the scope. Considering the justifications, the organization shall evaluate the implications of the exclusions and how the exclusions will prevent it from meeting applicable safety and regulatory requirements. The documentation and approval of the exclusions will be documented in the quality manual. Each standard requirement that was left out will be justified or referred to another documented justification. The justification shall confirm that the exclusion does not affect the quality of the activities, processes, and products.
It is very tempting to exclude, but the experience, the reality, and, above all, the external audit show that exclusions are often mistakenly applied. For example:
• The company manufactures, markets, and delivers a medical device. The design and the development are done by an external company. The company may not exclude the design and the development requirements (7.3), since it holds the responsibility for the medical device, its functionality, performance, safety, and intended use.
• The company manufactures components for a medical device as a subcontractor. The design and the development are done by an external company. The company may exclude the design and the development requirements (7.3), since it holds no responsibility for the medical device, its functionality, performance, safety, and intended use.
• The company manufactures the medical device, but the purchasing is done by the parent company. The company may not exclude the purchase requirements (7.4), since it handles information regarding the purchase: type, product, supplier, schedules, and quantities.
• The company designs and develops a medical device according to the customer specifications. The company may not exclude the customer’s property requirements (7.5.10), since it manages the customers’ documents, diagrams, and technical specifications.
It can be very confusing, and each case shall be evaluated on its own merits. I advise you to consult the auditor regarding the exclusions. The exclusion and justification shall be documented in the quality manual according to the requirement of clause 4.2.2—Quality manual.
Exclusion of design and development controls
The organization is required to implement design controls through a design and development process, and the design controls are normally executed while the design and development proceed. The organization may exclude the requirements for the design and development controls presented in Chapter 7.3 when other regulation allows the exclusion of these requirements. Nevertheless, this regulation must submit alternative design and development controls. There is no doubt that designing and developing the medical device must be controlled. However, it may be that the manufacturer designs and develops its medical devices in a region with certain regulatory systems and controls of the processes that have already been implemented. There is no logic in maintaining two sets of controls. Thus, the ISO 13485 Standard allows the organization to implement other regulatory controls and to exclude the design and development controls specified in clause 7.3. For example, if the organization is developing the medical device while implementing the requirements of the FDA QSR 21 CFR 820.30: Design Controls, it may exclude the controls of clause 7.3. The exclusion must be documented and justified. But it is still the responsibility of the organization to provide sufficient evidence of the ability of the QMS to meet the ISO 13485 Standard requirements (including clause 7.3) despite the exclusion of the design and development controls.
Outsourced processes
The application of the standard requirements includes processes related to the organization and the realization of medical devices that are performed outside the organization. Such processes are applicable to the quality management system and must be identified, documented (if and where appropriate), controlled, and verified. This does not relate to purchased goods, materials, or components, but to the provision of core processes needed for the realization of the product supplied by suppliers or contractors: design and development, production, assembly, sterilization, cleaning, accreditation, storage, and transportation:
• These processes will be identified and included in the quality manual and in the description of the interrelations between other processes of the quality system.
• These processes will be implemented and the necessary realization requirements shall be defined and allocated: production means, human resources, verification, and validations, in order to verify that they meet the ISO 13485 Standard requirements. It is allowed to let the supplier of those processes allocate the resources. The organization then will be informed, take part in the planning of those processes, and approve the allocation of the resources.
• These processes will be appropriately controlled, and the manufacturer shall acquire the minimal knowledge and technical abilities to control these processes and will receive from the supplier sufficient information regarding the processes and their results.
2. Normative references
The meaning and purpose of normative references is the indication that the terminology and nomenclature specified in this standard are not open for debate or an interpretive discussion. A normative reference refers to a document that includes terms, fundamental concepts, principles, and vocabulary that are essential for the application of the ISO 13485 Standard. The ISO 13485 Standard requirements are as follows:
• When dated normative references are used, only the edition cited applies (the ISO 9000:2015 Standard).
• When undated normative references are used, the latest edition of this referenced document (including any amendments) applies.
• The document ISO 9000:2015, Quality management systems—Fundamentals and vocabulary is to be normatively referred to while establishing a quality management system according to the ISO 13485 Standard requirements.
A normative reference lists other ISO or IEC documents or standards that are necessary for the application of the standard, in other words, the documentation that may assist you in how to comply with the requirements stated in the ISO 13485 Standard. The objective of a normative reference is to relate to a standard that is applicable to the implementation of the ISO 13485 Standard and to relate to directives, definitions, or understanding of the ISO 13485 Standard.
The ISO 13485 Standard refers us to a specific document, ISO 9000:2015: Quality management systems—Fundamentals and vocabulary. In case questions or misunderstanding regarding the definitions or requirements of the ISO 13485 Standard arise during the implementation and application of the standard requirements, you can turn to this document. For example, when you are discussing and planning activities related to customer focus and you are not sure what the definition of customer focus is, you may turn to the ISO 9000 Standard and learn how the ISO 13485 Standard interprets the issue of customer focus.
3. Terms and definitions
Clause 3—Terms and definitions is necessary in order to clarify terms and definitions mentioned in the ISO 13485 Standard. In order to clear matters and disputes, the standard presents its interpretations and explanations regarding terms and definitions presented throughout the standard. These are an inseparable and integral part of the standard. The explanations provided are very descriptive and clear; therefore, there is no need to repeat them. Please refer to clause 3 of the ISO 13485 Standard—Terms and definitions for the exact definitions.
4.1 General requirements
4.1.1
Clause 4.1.1 presents the general requirements and main principles of a quality management system; these are the foundations of the QMS. First, let me review the basic requirements.
• The organization shall establish and maintain, document, and implement a documented quality management system within the organization with conformity to the requirements of the ISO 13485 Standard and applicable regulatory requirements.
• The organization is required to maintain the effectiveness of the quality management system in accordance with the requirements of the ISO 13485 Standard and applicable regulatory requirements.
• Any requirement, process, activity, arrangement, or procedure required by the ISO 13485 Standard and applicable regulatory requirements shall be identified, included, planned, implemented, and controlled in the QMS.
• The organization shall document the role or several roles undertaken by the organization in relation to the applicable regulatory requirements.
• Note—Roles undertaken by the organization can include manufacturer, authorized representative, importer, or distributor.
Terms and definitions
Before we start to unveil the requirements of clause 4.1.1 and their implementation, it is important to know some terms and definitions:
• Process—A set of interrelated or interacting activities that convert inputs into outputs and accomplish a specific organizational goal. These activities require allocation of resources such as people and materials.
• Role of the organization—The role of the organization determines which quality and regulatory activities and controls the organization must plan and implement in its QMS. The role of the organization is determined according to the phase of the life-cycle of the medical device in which the organization is taking part and the activities that the organization is executing in the supply, provision, maintenance, after-sales obligations, and relations with the user or patient of the MD. The organization must provide a documentation of its role.
• Scope of a process—Scope of the process defines precisely where a process starts and ends, what its related inputs and outputs are, and which activities are included and excluded.
• Supplier of a process—The deliverer of inputs to a process (data, information, goods, or services). The supplier may be an external supplier that delivers, for instance, goods or material, or an internal supplier—an organizational unit that delivers inputs to a process.
• Customer of a process—The receiver of the outputs of a process (data, information, goods, or services). The customer defines what outputs are expected according to its needs. Customers may be external customers, end customers, or internal customers.
• Inputs—Specified requirements needed to be put into a process in order to start the process. The input will be processed by a process or activity.
• Output—Specified expected or intended result of a process.
• Risk—Combination of the probability of the occurrence of not fulfilling process specifications or customer requirements.
• Monitoring of processes—A continuous, sequential, and periodic examination of processes and their outputs.
• Measurement of processes—Determining a physical measurement of processes and their outputs based on data.
• Process owner—An organizational function responsible for a process or subprocesses.
Establishing a QMS according to clear principles
The ISO 13485 Standard declares in clause 4.1.1 quite clearly with which principles the QMS shall be established:
• Establishment of a QMS according to the ISO 13485:2016 Standard
• Identification and integration of relevant regulatory requirements in the QMS
• Definition of processes and their interactions needed for the operation of this QMS
• Identification of the resources needed for the QMS or required by regulatory requirements
• Ensuring achievement of planned results
• Continually maintaining the effectiveness of the QMS through improvement
The important message here is that in order to deliver a conforming MD or associated service and to meet customer and regulatory requirements as well as other needs and expectations of other relevant interested parties in an effective way, a QMS must be established and maintained—a QMS
• That is based on the quality principles suggested in the ISO 13485 Standard.
• That is defined, planned, implemented, and controlled.
• That is regulatory requirement focused—the QMS should use methods to identify, understand, and implement regulatory requirements in any region in which the organization is active, and shall develop processes to meet these requirements.
• That is planned in accordance with the role of the organization in the life-cycle of the MD.
• Whose activities and processes address the needs and expectations of interested parties.
• In which a risk-based approach is implemented.
• Whose resources are identified, planned, allocated, and controlled.
• Whose processes and activities are managed and whose interrelations are clear.
• That is constantly analyzed and controlled—analysis of data and information is implemented and decisions are based on facts.
• That supports improvement and effectiveness through collection of evidence and its analysis.
• That is fueled by the top management leadership—through leadership, the purpose and strategic direction of the organization are established. Leadership shall create the environment for establishing the appropriate quality policy, in which employees can become fully involved and quality objectives can be achieved.
• That persons in the organization are aware of.
• That uses data of after-sale activities to improve and update its processes and products and the safety of the products.
Identifying applicable regulatory requirements
The identification of applicable regulatory requirements is a critical phase in developing the QMS because the regulatory requirements will shape your QMS and its elements and operations. It is also necessary for the next stage of documenting the roles of the organization. Applicable regulatory requirements also depend upon the risk class of the device and on the regulatory system of the country. It is important to find the overlap points between the regulatory requirements and the standard requirements because they influence each other. Regulations for quality systems dictate
• The methods, facilities, and controls used by the manufacturer in the design, manufacture, packaging, labeling, storage, installation, servicing, and postmarket handling of medical devices.
• The requirements that a vendor must follow when registering and marketing an MD in a region and applying methods for after-sale activities.
The objectives of the regulatory requirements that are relevant to the ISO 13485 Standard requirements are:
• Ensuring that certain activities regarding the realization of the MD are being taken
• Developing the interrelation between the organization and the regulatory bodies
• Developing basic acceptance criteria:
  • Requirements on safety and performance
  • Requirements for quality systems
  • Requirements for packaging and labeling
  • Administrative requirements like registration
• Controlling import of MDs into the region
• Controlling local production
• Developing the basis for postmarket surveillance
• Ensuring user education and training
• Reviewing and approving policies and related standards
• Managing a national alert system
The types of the regulatory requirements may differ from one another, meaning they might have other legal statuses that will determine the degree of the commitment expected by the organization. Types of regulatory requirements may be:
• Regulations
• Directives
• Decisions
• Recommendations
• Opinions
• Standards
Maintaining effectiveness of the QMS
The organization is required to maintain the effectiveness of the QMS in accordance with the requirements of the ISO 13485 Standard and applicable regulatory requirements. What does effectiveness in regard to the QMS mean, exactly? Effectiveness is the extent to which planned activities are realized and planned results are achieved; something is planned, and the extent of the results is tested against the expected objectives. This is performed in order to achieve systematic improvement. The requirement is for maintaining processes and documented systems that will allow the organization to constantly assess whether its quality management system is effective and when it is necessary to replan its further steps. This will be accomplished through the use of several quality tools suggested by the ISO 13485 Standard that are designed for the maintenance of the effectiveness of the QMS, for example, quality objectives. Obtaining these objectives will achieve improvement of the quality management system. The objectives may include schedules, defined timeframes for responses, results of processes, reductions of returned goods, and so on. The objectives are to be measurable in order to be compared to criteria.
The effectiveness of a QMS depends much on the ability of an organization to achieve planned results—the expectations of the interested parties. Therefore, the identification of needs and expectations of the relevant interested parties—customer and safety requirements and those of regulatory bodies—puts the organization in a position to develop and plan an effective QMS. Maintaining the effectiveness of the QMS is achieved through implementing specific measures and activities for the improvement of the processes of the QMS (achievement of objectives and maintenance of effectiveness). The next step in maintenance of effectiveness is the ability to recognize where these expectations are not answered and react accordingly.
The requirement of clause 4.1.1 regarding the maintenance of the effectiveness of the QMS is here conceptual rather than practical. In other words, you are expected to bring the idea of maintenance of the effectiveness of the QMS into the concept of your QMS, develop those organizational tools and systems for identifying cases where the effectiveness of the QMS is not maintained, and apply certain quality tools to maintain this effectiveness, for example, mentioning it in the quality policy and initiating activities that will maintain the effectiveness:
• Make a commitment to define and develop appropriate quality objectives.
• Plan the implementation, maintenance, and control of certain indicators of performance and effectiveness of processes or process outputs (products or services).
• Plan and implement the monitoring and measurements of those indicators.
• Initiate improvements of the performance of the QMS.
• Allocate resources and initiate actions to reduce nonconformities.
• Allocate resources and initiate corrective and preventive actions.
Relation between processes, the ISO 13485 Standard requirements, and the applicable regulatory requirements
It is important that the defined processes refer to the relevant ISO 13485 Standard requirements and applicable regulatory requirements. What do I mean by that? The ISO 13485 Standard presents us with many quality management requirements, such as management review, management of resources, and many quality requirements for the operation of the QMS. The applicable regulatory requirements compel you to implement certain activities and processes. For example, when you design the process of offering or selling products to the customer, you must take into account the specification in clause 7.2—Customer-related processes, such as
• Determine requirements specified by the customer.
• Determine applicable regulatory requirements related to the product.
• Ensure that product requirements are defined and documented.
While defining and designing the processes included in the QMS, one must include such operational quality requirements.
In practice, I would develop a matrix that demonstrates the applicable QMS element like process, form, and so on for each ISO 13485 Standard requirement. The matrix may look like this:
[Matrix: each ISO 13485 Standard Req. listed against the applicable QMS elements, with an X marking each applicable element]
This matrix shall be a controlled document and shall be submitted to the controls suggested in clause 4.2.4.
Documentation of the QMS
The ISO 13485 Standard requires documentation of the processes, operations, and activities that make up the QMS. I promote it as part of standardization in organizations; the documentation creates a system for designing, analyzing, and implementing processes. The extent and level of detail of the documentation shall be determined by the organization according to its needs, but bear in mind that you will have to justify it. If you decide to maintain low-detail documentation, you must show during an audit how this documentation is sufficient. Documentation is divided into two levels:
• The organization shall define how processes, operations, and activities shall be documented. Here, the standard refers to process diagrams, procedures and standard procedures, work instructions, and so on.
• The organization shall define which process outputs must serve as evidence and be maintained in the form of records of processes, operations, and activities.
The methods and basics of defining and maintaining documentation needed for the operation of the QMS and management of records as evidence are discussed thoroughly in Section 4.2—Documentation requirements.
Employing the process approach
The ISO 13485:2016 Standard is based on the process approach in order to enable the organization to effectively plan its processes and their interactions (see clause 0.3 of the standard: Process approach). How effective? The effectiveness of an organization depends much on its ability to perform several interconnected activities simultaneously in order to achieve the intended results—meeting customer, safety, and regulatory requirements. These relations should be planned, managed, prioritized, and controlled. The ISO 13485 Standard requires adopting a system of processes within the organization. This system of processes requires the identification, application, and implementation of processes in the organization, the definition of their sequences and interrelations, and the application of their controls. The goal here is to develop and plan processes and methods for the realization of products or services.
The specific requirements regarding the process approach and its implementation in the QMS are presented in clauses 4.1.2 and 4.1.3. I will discuss the specific requirements and suggest methods to achieve these in Sections 4.1.2 and 4.1.3. But for clause 4.1.1, I would include in the quality policy a statement that the processes of the QMS are developed according to a planned system based on the process approach.
Phases in the life-cycle of the medical device
The organization is required to document the role undertaken by it regarding the realization and supply of the MD. But before we start to discuss the role of the organization, we must review the different life-cycle phases of the MD because the role of the organization will be derived from the phases in which the organization is active. Understanding the different phases of the life-cycle of the MD is the basic stage in developing an effective QMS in the medical device industry.
Basically, there are seven major phases in the lifespan of a medical device from conception and development to disposal. I illustrate them in Diagram 4.1.
• Each phase of the life-cycle proposes another regulatory framework. By regulatory framework, I mean necessary regulations, relevant rules, laws, and regulatory bodies that influence and must be considered when planning the QMS—that is to say, planning the operations and activities of the QMS.
• Each phase of the life-cycle considers and refers to other aspects of the intended use and performance of a medical device and bears other ISO 13485 Standard, safety, and regulatory requirements. In other words, the life-cycle stage in which the organization is active influences the quality management expectations and requirements demanded from the organization. The quality management expectations and requirements from the manufacturer are different from those of the vendor.
• Another important aspect of the life-cycle of the MD is its safety; each of its phases may have other safety requirements and may demand other safety measures. This is derived from the fact that each phase bears other activities related to the MD.
The life-cycle also dictates the different necessary roles and functions in the organization, and these roles and functions must be identified. Normally, but not necessarily, the manufacturer of the MD manages the first three phases of the medical device’s life-cycle:
• Conception and development
• Manufacturing
• Packaging and labeling
Conception and development → Manufacture → Packaging and labeling → Advertising → Sale → Use → Disposal
Diagram 4.1 Major phases in the lifespan of a medical device.
The next phases of the life-cycle, advertising and sale, are usually executed by importers, distributors, retailers, and manufacturers who sell the MD. In addition, the users and regulatory authorities take part in the life-cycle. The regulatory bodies have the responsibility of ensuring that the medical devices sold in their country or region are safe and effective. As you can see, all interested parties must work together. The relation between the four is illustrated in Diagram 4.2.
An interface and interaction between the different roles in the life-cycle of the MD, the participants and involved parties, is required to be established and maintained, for example, communication channels, a reporting system, and so on. Such interaction ensures:
• Compliance with regulatory requirements
• Maintaining safety measures
• Compliance with reporting requirements
• Enables the management of nonconformities
• Facilitates fulfillment of the ISO 13485 Standard requirements, like
  • Feedback activities
  • Purchasing activities
  • Traceability
For example, the vendor shall demand from the manufacturer or importer the proper training as a condition for cooperation in selling the MD. Another example is developing and arranging communication channels between the vendor and manufacturer for exchanging data regarding feedback and complaints. The complaints, for example, must be submitted to regulatory requirements, which means the operations of managing a complaint must be planned according to the regulatory requirements. Plus, controlling and improving MD safety and performance is considered a multiphased process and requires cooperation among all roles participating in the life-cycle of the MD.
[Diagram labels: Manufacturer; Regulatory bodies; Shared responsibility in manufacturing, communicating, and delivering the medical device and training the user or patient]
Diagram 4.2 The relation between the interested parties during a medical device’s life-cycle.
The life-cycle is usually divided into three main stages, premarket, placing on the market, and postmarket, that determine which requirements may be relevant for the organization and thus its processes, activities, and operations that will be planned and integrated into the QMS (see Diagram 4.3). If we refer back to the diagram that illustrates the typical life-cycle of the MD, the phases will be divided like this:
In the premarket stage, it is ensured that the MD:
• Is developed according to customer, safety, and regulatory requirements
• Has been tested or clinically tried
• Performs as expected
• Is safe for use
• Complies with regulatory requirements
• Is labeled and packed in a correct and accurate way
In the placing-on-market stage, it is ensured that:
• The vendor is registered.
• The MD is registered as required in each region where it is marketed.
• The performance and intended use of the MD are communicated correctly to the public.
• After-sales obligations like user support, complaint handling, or maintenance of user records are being pursued by the manufacturer or the vendor.
In the postmarket stage (vigilance and surveillance), it is ensured that:
• The use of the MD is being closely studied for relevant events that occur, like feedback from users, adverse events, or other new developments or changes in the area of the MD that require reaction.
• Systems for reporting and alerts are developed.
• The MD is adequately disposed of.
• The safety and performance of the MD that is in use are ensured and improved.
[Diagram: the stages Premarket, Placing on market, and Postmarket shown over the phases Conception and development, Manufacture, Packaging and labeling, Advertising, Sale, Use, and Disposal]
Diagram 4.3 The three main stages of the life-cycle of the medical device.
So? In which life-cycle phase does your organization take part? It is important to understand when proceeding to the next requirement—documenting the role of the organization.
Understanding the undertaken role(s) of the organization
The organization is required to document the role undertaken by it regarding the realization and supply of the MD. The role of the organization determines the obligations of the organization toward the realization of the MD and the expectations of interested parties relevant to the MD, and indicates certain operations of the QMS as well as attributing risks and their controls to the realization processes of the MD.
Several regulatory bodies maintain several regulatory frames: applicable requirements to be adopted by organizations with a variety of roles in the supply chain for medical devices. Through the identification and definition of the roles of the organization in the relevant regulatory frame (e.g., a region), it can relate more effectively to relevant regulatory requirements and identify the applicable requirements of all aspects, characteristics, performance, intended use, safety, and compliance with regulatory requirements, then also incorporate these applicable regulatory requirements into its quality management system. Therefore, the organization must understand exactly what its role is regarding the different life-cycle phases of the MD. Basically, the role of the organization in the context of the ISO 13485 Standard may be manufacturer, distributor, or importer. The role of the organization is determined:
• By the regulatory authorities in which the organization is active.
• According to the phase of the life-cycle of the MD in which the organization is taking part.
• By the activities that the organization is executing in the supply, provision, maintenance, after-sales obligations, and relations with the user or patient of the MD.
Why is it so important to understand which role the organization takes?
• Regulatory requirements propose critical phases in the life-cycle of the MD. Those phases require different controls and activities.
• Defining the role of the organization can identify which regulatory requirements are applicable to it and which controls or activities they require. For each role in the lifetime of the MD, another regulatory requirement may be introduced.
• The applicable regulatory requirements are also derived from the class of the product.
• The role of the organization sets the degree of the organization’s responsibility regarding the safety of the MD.
• The roles of the organization dictate which permissions or licenses the organization must obtain.
• The role of the organization determines which accreditations or certifications are required for the realization and distribution of the MD.
• Identifying the role of the organization may serve as a basis for the definition of the scope of the QMS.
• The different roles dictate which data regarding the use and distribution of the MD the organization must collect and in which situations.
• The different roles specify how the organization must report different events regarding the MD.
• The regulatory requirements may demand specific methods, facilities, and controls to be implemented by the role of the manufacturer in the activities or operations of design, manufacture, packaging, labeling, storage, installation, servicing, and postmarket handling of the MD.
• Regulatory requirements may dictate the inspections of regulatory bodies for each role of the organization.
• The role of the organization defines the interrelations with other roles in the life-cycle of the MD and with the relevant authorities or regulatory bodies.
• The role of the organization defines which processes, operations, and activities regarding performance, safety, and regulatory compliance the organization must apply in its QMS. The role of the organization may define which ISO 13485 Standard requirements are applicable—if the organization is not acting as a vendor, it might not need to implement requirements like 7.5.3 Installation activities or 7.5.4 Servicing activities.
• The role of the organization defines the relation and responsibility of the organization to the user of the MD, for example, the execution of user training. A manufacturer is responsible for designing and developing an MD according to the needs and specifications of the customer and according to regulatory requirements, but the vendor is responsible for the second part of relations with the user—the proper use of the MD.
Which roles might we encounter?
The ISO 13485 Standard provides us with the specific terms and definitions for the different roles in clause 3:
• Authorized representative
• Distributor
• Importer
• Manufacturer
The note of clause 4.1.1 specifies that a role of the organization may be manufacturer, authorized representative, importer, or distributor. In other words, the ISO 13485 Standard requirements apply to those mentioned roles and not the role of the user. Please review clause 3 of the standard for these definitions. But I would like to add some details of my own in the next sections.
The manufacturer of the medical device
The manufacturer is a legal entity with the intention of making the medical device available for use under its name. The manufacturer is responsible for realizing the MD from the design and the development to the delivery of the MD through answering various requirements such as customer, safety, and regulatory. The manufacturer is responsible for preparing the MD for use. This role can include design and development, testing, realizing (manufacturing), labeling, packaging, and so on. The manufacturer may
• Only design the MD and let it be initially manufactured by a third party
• Design and initially manufacture the MD
Next, let us review the distinctions of the manufacturer of the MD:
• The manufacturer has the responsibility for the characteristics, intended use, and performance safety of the MD as well as compliance with regulatory requirements.
• When an MD or one of its components or accessories is subject to regulatory requirements, these requirements may describe and specify who is considered the manufacturer. Normally, the entity that is responsible for the manufacturing of that accessory is considered to be a manufacturer.
• Manufacturing the MD includes the next activities and operations: specification development, purchasing materials, components, services and ordered processes, production, fabrication, assembly, processing, packaging, repackaging, labeling, relabeling, sterilization, installation, or rework of a medical device.
• When one accessory or component of the MD is subjected to a regulatory frame and requirements, the entity that is designing and making this accessory available for integration in the MD under its name is considered a manufacturer.
• Putting a collection of devices, and possibly other products, together for a medical purpose is also included under manufacturing of the MD.
• When changing the intended use of the MD or modifying its design and making it available for use under another name without acting on behalf of the original manufacturer, this entity is considered the manufacturer of the modified medical device as well.
Authorized representative
An authorized representative is considered a natural or legal person established within a country or jurisdiction who has received a written mandate from the manufacturer to act on its behalf for specified tasks with regard to the latter’s obligations under that country or jurisdiction’s legislation, for example:
• Registering an MD
• Certifying vendors
• Managing adverse events
The importer of the medical device
The importer of an MD is a natural or legal entity that is the first to take part in the supply chain of the MD in the region in which it is active in another country or jurisdiction.
• The importer of the MD shall identify its relevant regulatory requirements under which the importer must develop its QMS. These regulatory requirements normally have a precise definition of who and under which circumstances a legal entity is considered to be an importer.
• The importer is responsible for maintaining the relationships and interrelations with the regulatory bodies in the region where it is active. Such registration allows the government to be informed of which importers are importing and selling which devices.
• The importer will manage the import of the MD according to the regulatory requirements of the region where it is distributing the MD, for example, maintaining export certificates that testify to the characteristics of medical devices being imported.
• An importer may have other responsibilities and obligations regarding the MD characteristics, intended use, performance, safety, and regulatory compliance than the manufacturer.
• The importer is responsible for reporting incidents, adverse events, or recalls related to the MD.
• The importer shall participate in feedback activities for receiving information regarding the transport and delivery of the MD.
• The importer is responsible for maintaining relationships and interrelations with the vendor of the MD.
• The importer is responsible for ensuring that the MD is correctly labeled regarding the import activities of the MD.
• The importer is responsible for maintaining the records of distribution of the MD.
The distributor or vendor of the medical device
The distributor or vendor is any natural or legal person in the supply chain who, on his or her own behalf, communicates, advertises, and delivers (or makes available) the medical device to the end user and therefore is responsible for all activities that manage contact with the customer and end user. The vendor coordinates between the manufacturer of the product and the user; he or she has the critical role of selling the MD, ensuring that the sold product complies with regulatory requirements, and putting it into actual use. The term vendor includes importers, distributors, retailers, and manufacturers who sell medical equipment. In the case of the vendor, the objective of regulatory requirements is to minimize the risk of exposing the public to low-quality or ineffective devices.
• The vendor will sell the MD according to the regulatory requirements of the region where he or she is distributing the MD.
• The vendor of the MD shall identify its relevant regulatory requirements under which he or she must develop its QMS. These regulatory requirements normally have a precise definition of who and under which circumstances a legal entity is considered to be a distributor or a vendor.
• The vendor is responsible for maintaining the registration, relationships, and interrelations with the regulatory bodies in the region where he or she is active. Such registration allows the government to be informed of which vendors are selling what devices.
• A manufacturer may serve as a vendor as well.
• The vendor is responsible for the registration of the MD in the region where he or she is active.
• A vendor may have other responsibilities and obligations regarding the MD characteristics, intended use, performance, safety, and regulatory compliance than the manufacturer.
• The vendor may be also the one that provides after-sales services like training or maintenance activities for the MD.
• The vendor shall participate in feedback activities for receiving information and applications from users and customers, for example, processing complaints from customers regarding the MD.
• The vendor must also provide training and qualifications for the proper use of the device and must be familiar with the indications, contraindications, and operating procedures mentioned by the manufacturer.
• The vendor is responsible for publishing and communicating correct and genuine information and claims about the MD.
• The vendor is responsible for ensuring that the MD is correctly labeled in the region where he or she is active.
• The vendor is responsible for reporting incidents and adverse events or managing recalls related to the MD.
• When an authorized representative or distributor only adds its own address and contact details to the medical device or the packaging without covering or changing the existing labeling, it is considered a vendor.
• The vendor is responsible for maintaining the relationships and interrelations with the customers and end users of the MD.
• The vendor is responsible for maintaining the records of distribution of the MD.
The vendor has a great responsibility toward the user of the MD. For example, the MD may be a home-use medical device used by a layperson who may need special instructions for the proper use and maintenance of the device. Then it is under the responsibility of the vendor to provide that person with the appropriate training that is adapted to his or her needs—translated when required, less technical and more user friendly, and so on.
Documenting the undertaken role(s) of the organization
After understanding which role is undertaken by the organization, you are required to provide documentation of the role. This documentation is the basis for establishing a QMS that will ensure intended use, performance, and safety of medical devices. As mentioned above, all interested parties, the manufacturer, the vendor, the user, and the regulatory bodies, must have an interface so they can work together. This is why it is important for the organization to document its role in the life-cycle of the medical device. I suggest here a way to document it: plan a matrix to demonstrate the relation between the role of the organization and the referred-to activities of the QMS. Such a matrix is an effective tool for ensuring that each regulatory requirement covered in the QMS is met.
1. Identify and document all the regulatory requirements that are applicable to the organization. It is important to relate to each jurisdiction or region in which the organization is active. You may maintain a different matrix for each jurisdiction or region.
2. For each documented regulatory requirement, identify which role the organization is required to undertake according to the regulatory requirements.
3. For each documented regulatory requirement, identify with name, number, or certain capital which processes, procedures, activities, and operations relevant to the realization of the MD are included under the applicable regulatory requirements.
4. Refer those identified processes, activities, and operations to the relevant activities and processes of your QMS.
5. Maintain this documentation as a controlled document as part of your QMS, which is subject to the controls of clause 4.2.4—Control of documents.
The matrix will look like this:
Matrix for FDA Part 820
Defined role: Manufacturer

| Number | Type | Description | |
|---|---|---|---|
| PO-7.4.A | Procedure | Purchasing process | Sec. 50 Purchasing controls |
| FO-7.4 C | Quality record | List of approved suppliers | Sec. 50 Purchasing controls (3) |
4.1.2
The ISO 13485 Standard moves forward in dictating how the QMS should look and presents the basic principles (the ISO 13485 Standard requirements for clause 4.1.2):
• The organization shall determine the processes needed for the quality management system.
• The organization shall determine the application of these processes throughout the organization.
• While determining the processes needed for the quality management system, the organization and their application shall take into account the roles undertaken by the organization.
• The organization shall apply a risk-based approach to the control of the appropriate processes needed for the quality management system.
• The organization shall determine the sequence and interaction of the planned processes.
Applying the process approach
The process or system approach refers to the act of implementing a method or rules that analyze, identify, manage, and measure the processes of the organization. These processes are necessary for the operation of the QMS and the realization of the product. The fundamental goal is to create standardization of processes in the organization and to ensure that persons or different organizational units in the organization work in a unified way. The objectives of the process approach are as follows:
• Creating awareness and understanding in the organization regarding responsibility for managing activities
• Implementing a method for the identification and planning of activities needed for the operation of the QMS
• Implementing a method for the identification of relevant regulatory requirements
• Defining the sequences between processes
• Implementing safety and regulatory measures in the processes
• Promoting a smooth and transparent flow of operations in the workflow
• Identifying and ensuring the interactions between processes, that is, activities in the organization
• Ensuring accurate delivery of inputs to processes
• Monitoring and controlling activities of the QMS
• Ensuring delivery of the right process outputs
• Ensuring achievement of intended results or process objectives
• Enhancing satisfaction of process customers
• Creating basis and environment for addressing risks and preventing errors
• Creating basis and environment for the planning, implementation, and analysis of improvements
The application of processes of the QMS throughout the organization refers to the implementation and practice of the planned processes. Let us see how it will be practiced.
Determining the processes in the organization
Which processes are to be included in the QMS? Applying the process approach requires identification and determination of all processes needed to realize the product or service. In other words, you are required to determine all key stages and substages (processes or subprocesses if you may) necessary for the delivery and realization of the MD or associated services (ASS). Identifying and determining the processes included in the QMS is the first practical step in applying the process approach. While implementing the QMS, you will need to
• Understand the requirements of this standard and any applicable regulatory requirements
• Identify processes, activity arrangements, and resources necessary for answering these requirements
• Determine the scope of the QMS
Now, we must declare which operations are required in order to fulfill the scope (realize the MD). The level of detail and complexity of the processes depends solely on your organization and the nature of its MD. But the rule of thumb indicates that only processes and activities that affect the product, its intended use, and quality must be included.
There are many ways to identify and determine which processes are included under the QMS. For the ISO 13485 Standard, it is important to have a clear definition of these processes because these are the activities that will be planned, monitored, analyzed, and controlled. It is important that the list of processes you come up with answer these questions:
• Do these processes reflect your ability to deliver your MD according to customer, safety, and regulatory requirements?
• Are all processes, key stages, subprocesses, operations, or activities critical for the realization of the MD identified?
• Are all areas of the realization of the MD covered?
• Are there any activities that are required in order to meet regulatory or safety requirements that are not covered?
• Is the scope of each process clear?
The end result of this determination of the processes and activities included in the QMS may be displayed with a list that specifies all processes, or a diagram (or set of diagrams) that illustrates the processes and the interactions between them. Again, the book is too short to suggest a certain method. You must identify the method most suitable to your organization and its processes.
Considering the role of the organization
As mentioned in Section 4.1.1, the role of the organization has a great influence on which parts of the regulatory requirements are applicable to the organization and define the regulatory activities and actions that the organization must perform. In relation to the processes of the QMS, the organization must identify which activities and operations are required by applicable regulatory requirements and include them in the list of the processes of the QMS.
Determining the sequence of processes
Determining the sequence of processes means determining the sequence of different activities of different elements involved in the process and constructing the workflow in the organization. The goal is to make sure that the processes achieve quality objectives, deliver planned results, and ensure conformity of products or services. In practice, you define how your processes flow in your workflow (Figure 4.1).
The sequence should allow an overview of your workflow and reflect the way you are realizing the MD and operating in your organization. A correct sequence of processes will allow the information to flow effectively in the workflow, deliver the inputs to the processes as required, and provide the right outputs. Normally, these processes have subprocesses. Some processes or activities may be in sequence and some may work in parallel. But the end result should be a process map that indicates or describes the workflow in the organization.
You must determine the sequence of activities within a process—what has to be done, in what order, when, by whom, and which resources are required. Furthermore, you have to identify whether a regulatory requirement is applicable to that sequence and may demand including more activities or processes. One way to describe the sequence of activities in a process is through a documented procedure—documented information that includes
• Reference to a process
• Goal or objective of the process
• Reference to relevant documents
• Target group—to whom this document is designated
• Description of activities
• The expected outputs
• The required records

[Figure 4.1 Example for sequence of processes of the organization. Surviving diagram label: "Design of a product".]
Types of such documentation:
• Management-oriented process—This method is designated to support the management of different areas of responsibility and enables core processes needed to achieve strategic objectives, such as defining quality policy and objectives, strategic planning, and management review.
• Process diagram/flowchart—A graphic demonstration of the separated steps of a process in sequential order indicating the entities involved in the process, required inputs, and expected outputs.
• Documented procedure—A structured, documented, and formatted set of activities needed to achieve an objective.
• Work instruction—A list of documented actions that specifies what an employee is required to perform and what the expected inputs and outputs are. This type of documentation is usually used to define specific activities.
• Standard operating procedure—A detailed written instruction to achieve the objective of the performance of a specific activity.
Another tool that reflects and demonstrates the sequence of processes is an enterprise resource planning (ERP) system, where processes are managed according to a defined workflow: management of products and bills of materials, customer offers, customer orders, planning/scheduling (material requirements planning [MRP]), retrieving recommended purchase propositions, retrieving recommended production propositions, purchasing, outsourcing, manufacturing, delivering, invoicing, and managing after-sales activities. Such systems dictate the sequence of activities for the user. In some cases, documentation of such systems may serve as process diagrams or work instructions. If you decide to use this type of documentation, make sure to document the gaps and loopholes—those activities and operations of the realization that are not covered in this documentation.
Interaction between processes
Processes in the QMS must interact with each other. A process, by definition, is a set of interrelated or interacting activities that transform inputs into outputs. Interaction between processes refers to the delivery of inputs to processes, the acceptance of outputs from processes, and the transferring of these outputs as inputs to the next process. The interaction defines how inputs, outputs, or resources are transferred between processes and activities. Processes of a system exchange many types of information, data, material, goods, or services through activities. In order to make the system effective, the interactions between the processes in the system must be planned and known to the operators of the system. This interaction is influenced by many factors. I prepared here a table of the factors and their influence on the interaction between processes.
| Factor | Influence on the interaction between processes |
|---|---|
| Supplier of inputs | The supplier initiates the interrelation by delivering inputs to the process. |
| The required inputs | The required inputs specify what is expected from the supplier. Here, it is important to know how the inputs are handed or delivered to the process. This definition of inputs can be documented. |
| Methods or activities required to operate the process | Here is the reference to the methods and techniques used to operate the process. It includes the required tools, facilities, or infrastructures for the operation of the process and the documentation that is needed to support the operation of the process. |
| Resources that are needed to operate the process | Role or organizational units that operate the process must be clear—the unit that processes inputs into outputs. It need not necessarily be human; it could, for example, be software. The knowledge and competence needed for the operation of the process must also be defined. |
| Customer of outputs | It must be understood who the customer of the process is and how the outputs will be delivered. |
| The outputs the process generates | The expectation of the process must be defined, as well as the verifications, validations, and criteria that are required for the process. The required records are evidence that a process delivered its intended results. |
| Effectiveness of the interactions | Regarding the inputs, the organization must consider how it can verify or validate that the correct inputs were delivered to the process. Regarding the activities, the organization must consider which methods and tools it must maintain to control the performance of those processes. Regarding the outputs, the organization must consider how it can verify or validate that the correct outputs were delivered from the process. |
If you define and plan all of these, you will be in a position to effectively plan the interactions between the processes. In practice, the method that you use for documentation must clearly describe how the interactions take place.
Defining inputs to the processes
After defining the processes and their activities included in the QMS and their interactions, you must define which inputs are needed for each activity. Applying the process approach, you should prove that each identified process has identified inputs and that the supplier of the process knows exactly what it should deliver. Inputs of a process are defined as specified requirements needed for the operation of a process. Inputs are the fuel that drives the process: personnel, resources, materials, data or information, technology, or knowledge. Inputs may be tangible (raw material for a production process) or intangible (information or data, e.g., results of a customer satisfaction feedback survey). In order to effectively analyze and identify the inputs, one must first know which activities a process includes. Let me review the important aspects of inputs related to the ISO 13485 Standard. Inputs must be:
• Defined—For each process, the inputs are defined.
• Deliverable—There is an effective way to deliver the inputs to the process.
• Measurable—Inputs of a process must be measurable in order to verify their availability.
• Planned—It will be clear when, during the workflow, inputs must be delivered.
• Known—The supplier and operator of the process must know which inputs they must deliver (supplier) and receive (operator) for the process.
• Assigned—Responsibilities and authorities for the inputs are assigned.
• Located—The persons who operate the process must know which inputs are required for their operations and where they may find them or how they should request them.
• Verifiable—The persons who are responsible for the inputs have the means, knowledge, and criteria to verify or validate that the inputs are as expected.
When regulatory requirements demand certain inputs to certain activities or processes, they will be identified and planned. A good example is the management of distribution records of the MD; after the release of the MD, data like the serial number or the batch number will serve as inputs for a set of processes for maintaining such distribution records.
Defining outputs to the processes
An output is a deliverable result of an operational process aimed to address the expectations of the customer of the process. An output may be tangible (finished products) or intangible (services provided to a customer or information, such as the results of a calculation). Applying the process approach, you must ensure that the expectations of the customer for each identified process are identified and understood by the people who operate the process. In practice, regardless of the methods you are using to analyze your processes, make sure that the outputs for each process are as follows:
• Identified—The intended outputs of a process are identified and clear.
• Measurable—The outputs of a process must be measurable in order to verify their conformity.
• Assigned—Responsibilities and authorities for the outputs are assigned.
• Known—The persons who operate the process should know which output is expected from them.
• Verifiable—The persons who are responsible for the outputs have the means, knowledge, and criteria to verify or validate that outputs are as expected.
When regulatory requirements demand certain outputs to certain activities or processes, they will be identified and planned. For example, when certain processes must be reported to the regulatory authorities (like results of sterilization activities), that means that the outputs of those activities shall be planned in the right format.
Responsibilities and authorities for processes
While defining the requirements related to the QMS for each process, it is required to determine the authorities and responsibilities for specific duties and obligations for performing the process activities for ensuring the implementation, maintenance, and improvement of each process and its interactions. I recommend the assignment of an organizational role, functional units, or authority to a process. This organizational role will relate to the organizational structure. By assigning a responsible person to a process, we create a relation between the organizational structure and the workflow. The objectives of this person are as follows:
• To decide and na