ISO 13485:2016: A Complete Guide to Quality Management in the Medical Device Industry, Second
ISO 13485:2016: Quality Management in the Medical Device Industry
Second Edition
Itay Abuhav
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2018 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed on acid-free paper
International Standard Book Number-13: 978-1-138-03917-9
(Hardback)
This book contains information obtained from authentic and highly
regarded sources. Reasonable efforts have been made to publish
reliable data and information, but the author and publisher cannot
assume responsibility for the validity of all materials or the
consequences of their use. The authors and publishers have
attempted to trace the copyright holders of all material reproduced
in this publication and apologize to copyright holders if
permission to publish in this form has not been obtained. If any
copyright material has not been acknowledged please write and let
us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book
may be reprinted, reproduced, transmitted, or utilized in any
form by any electronic, mechanical, or other means, now known or
hereafter invented, including photocopying, microfilming, and
recording, or in any information storage or retrieval system,
without written permission from the publishers.
For permission to photocopy or use material electronically from
this work, please access www.copyright.com
(http://www.copyright.com/) or contact the Copyright Clearance
Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923,
978-750-8400. CCC is a not-for-profit organization that provides
licenses and registration for a variety of users. For organizations
that have been granted a photocopy license by the CCC, a separate
system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or
registered trademarks, and are used only for identification and
explanation without intent to infringe.
Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com
and the CRC Press Web site at http://www.crcpress.com
Contents
3. Terms and definitions
4. Quality management system
  4.1 General requirements
  4.2 Documentation requirements
    4.2.1 General
    4.2.2 Quality manual
    4.2.3 Medical device file
    4.2.4 Control of documents
    4.2.5 Control of records
5. Management responsibility
  5.1 Management commitment
  5.2 Customer focus
  5.3 Quality policy
  5.4 Planning
    5.4.1 Quality objectives
    5.4.2 Quality management system planning
  5.6 Management review
    5.6.1 General
    5.6.2 Review inputs
    5.6.3 Review outputs
6. Resource management
  6.1 Provision of resources
  6.2 Human resources
  6.3 Infrastructure
  6.4 Work environment and contamination control
    6.4.1 Work environment
    6.4.2 Contamination control
7. Product realization
  7.1 Planning of product realization
  7.2 Suitable planning for the organization’s operations: A practical quality plan
    7.2.1 Determination of requirements related to product
    7.2.2 Review of requirements related to the product
    7.2.3 Communication
  7.3 Design and development
    7.3.1 General
    7.3.2 Design and development planning
    7.3.3 Design and development inputs
    7.3.4 Design and development outputs
    7.3.5 Design and development review
    7.3.6 Design and development verification
    7.3.7 Design and development validation
    7.3.8 Design and development transfer
    7.3.9 Control of design and development changes
    7.3.10 Design and development files
  7.4 Purchasing
    7.4.1 Purchasing process
    7.4.2 Purchasing information
    7.4.3 Verification of purchased product
  7.5 Production and service provision
    7.5.1 Control of production and service provision
    7.5.2 Cleanliness of product
    7.5.3 Installation activities
    7.5.4 Servicing activities
    7.5.5 Particular requirements for sterile medical devices
    7.5.6 Validation of processes for production and service provision
    7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier systems
    7.5.8 Identification
    7.5.9 Traceability
    7.5.10 Customer property
    7.5.11 Preservation of product
  7.6 Control of monitoring and measuring equipment
8. Measurement, analysis, and improvement
  8.1 General
  8.2 Goal of monitoring, measurement, analysis for improvement
    8.2.1 Planning and implementing processes for monitoring, measurement, analysis, and improvement
    8.2.2 Feedback
    8.2.3 Complaint handling
    8.2.4 Reporting to regulatory authorities
    8.2.5 Internal audit
    8.2.6 Monitoring and measurement of processes
    8.2.7 Monitoring and measurement of product
  8.3 Control of nonconforming product
    8.3.1 General
    8.3.2 Actions in response to nonconforming products detected before delivery
    8.3.3 Actions in response to nonconforming products detected after delivery
    8.3.4 Rework
  8.4 Analysis of data
  8.5 Improvement
    8.5.1 General
    8.5.2 Corrective action
    8.5.3 Preventive action
Index
The quality management world of the medical device industry has
gone through a significant change represented by the publication of
the new revision of the ISO 13485 Standard, the 2016 revision. This
revision brings new challenges to organizations as well as changes
to old challenges. This book is a complete guide to implementing
all of the requirements of the standard. In order to present the
reader with a practical and useful guide, I have provided a
definition of my quality policy and objectives.
My quality policy
Presenting and reviewing the ISO 13485:2016
standard requirements through analysis, interpretation, and
demonstration, with explanations, insightful examples, and events
from various industries and sectors.
My quality objectives
• Commitment to the highest level of consulting regarding the ISO
13485:2016 standard.
• Reviewing all the topics and issues related to the realization of a
product or service with reference to various types of processes and
products.
• Providing support in the implementation of an effective quality
management system.
• Facilitating the documentation of processes.
• Providing a reference to the new challenges presented in the ISO
13485:2016 standard.
However, a policy and related objectives are ineffective without
also having in place designed and structured tactics and methods to
achieve them:
• This guide is designed and structured to mirror the standard’s
table of contents in order to simplify navigation and use.
• Each clause and subclause of the standard is discussed and
analyzed through quality and regulatory perspectives, such as the
implications for an organization—its processes, risk management,
resources, infrastructures, work environment, control and
effectiveness, and documents and records.
• The ISO 13485:2016 standard acts like a complicated web of
prerequisites with relations between them. A full and comprehensive
reference to the interrelations between the different clauses and
subclauses has been included.
• Putting words into actions—the book will assist in translating
the requirements and objectives into feasible activities and tasks.
It visualizes situations with everyday events from the different
sectors, branches, and products or services.
List of exclusions
I decided to exclude Chapter 0 of the standard
from this book since it mainly provides explanations regarding ISO
13485:2016 that are already covered elsewhere in this book. I also
reduced Chapter 3 to the minimum because the terms and definitions
are already thoroughly discussed in the standard.
My biggest wish is that you, as a reader, will refer to this guide
as a consulting session, read and explore it, draw information and
knowledge that suits you and your organization, and introduce this
information to your quality management system and processes.
Acknowledgments
I wish to thank all the people—consultants, co-workers, auditors,
mentors, bosses, and friends—who introduced me to the quality
world, and who have aided, supported, taught, lectured, consulted,
and provided valuable knowledge and information during the
undertaking of this book and also in my professional career. You
have helped give an edge to this book. The list of names is too
extensive to include here, but you know who you are.
I wish to thank my dear family for their warm support throughout
the years.
I also wish to thank my wife Angela, daughter No’omi and son
Gabriel for understanding, pushing, believing, and supporting me
throughout this project.
Thank you.
Itay Abuhav is a highly experienced medical device quality control
expert and consultant based in Geneva, Switzerland. He has over 25
years of experience in dealing directly with a number of large
medical device enterprises in their quality control manufacturing
processes of state-of-the-art medical devices. He has also been
awarded 15 patents in medical devices and related
technologies.
1. Scope
Clause 1 of the ISO 13485 Standard is used to present the purposes
and concepts of the standard and define the scope of application of
the standard to your quality management system. The following
aspects are covered in this clause:
• The goals and purposes of the standard
• The types of organizations to which the standard applies
• The approach and reference to customer requirements
• Which types of products may be controlled by this standard
• The responsibility of the organization when using partners like
suppliers in the realization of the medical device (MD)
• The approach and reference to regulatory or statutory requirements
• Applicability of design and development controls
• Possibilities for exclusions of the standard requirements
Before we start to understand the requirements of clause 1—Scope,
let us review them first:
• This International Standard specifies requirements for a quality
management system where an organization needs to demonstrate its
ability to provide medical devices and related services that
consistently meet customer, safety, and applicable regulatory
requirements.
• The ISO 13485 Standard is an international standard for the
establishment, design, and implementation of a quality management
system (QMS) for organizations that are involved in one or more
stages of the life-cycle of the MD, including design and
development, production, storage and distribution, installation, or
servicing of a medical device and design and development or
provision of associated activities (e.g., technical support).
• The ISO 13485 Standard can also be implemented by suppliers or
external parties that provide services, processes, materials, or
components for the medical device.
• The requirements of this standard apply and may be implemented in
any organization regardless of its size or the type of its products
or services, except where explicitly stated.
• The requirements of this Standard apply to the associated
services as supplied by the organization and are related to the
MD.
• Where requirements of this standard, which are applicable to the
product or service, are performed externally, it is under the
responsibility of the organization to prove conformity to these
requirements by monitoring, maintaining, and controlling these
processes.
• Applicable regulatory requirements that permit the exclusion of
design and development controls may be used as a justification for
their exclusion from the quality management system.
• When applicable regulatory requirements allow, or suggest other
controls for design and development, the organization may plan and
include them in the design and development.
• When exclusions to design and development requirements are made,
it is the responsibility of the organization to prove conformity to
the ISO 13485 Standard requirements.
• When requirements from clauses 6, 7, or 8 of this standard are
not applicable to the QMS of the organization due to its nature,
activities, or operations of MD type or nature, it may exclude this
requirement from its QMS.
• Any exclusion will be provided with a sufficient documented
justification. The exclusion and justification shall be documented
in the quality manual according to the requirement of clause 4.2.2—
Quality manual.
The principles of the ISO 13485 Standard
Clause 1—Scope presents us
with the principles and concepts of the standard. The ISO 13485
Standard aims to enable the organization to provide an adequate MD
to the end users by fulfilling its requirements, initiating risk
management activities, and meeting applicable international and
national regulations. This is expressed through four
principles:
• The goal of the standard is to initiate a QMS that acts to
consistently meet customer requirements and safety requirements, as
well as applicable regulatory requirements.
• The requirements of this standard initiate an effective
integration between a QMS of an organization and applicable
regulatory requirements.
• The requirements suggested in the ISO 13485 Standard facilitate
an improvement of processes included in the QMS and assurance of
conformity to customer or regulatory requirements.
• The standard covers all the related phases and their derived
activities of the life-cycle of the MD. The requirements suggested
in the ISO
13485 Standard are applicable to all sorts of organizations
regardless of their size or type, the type of their customers, and
the type of products or services that they provide.
Stages of life-cycle of the medical device
Organizations that choose to implement the ISO 13485 Standard
requirements may participate in one or more of the stages of the MD.
Basically, these stages determine the activities that the organization
must perform and the QMS must control, including design and development,
production, storage and distribution, installation, or servicing of
a medical device and design and development or provision of
associated activities (e.g., technical support). All these stages
represent different processes, activities, and operations that are
needed for the realization of the MD. The requirements of the
standard cover all these related activities. Please refer to
Chapter 4.1.1.8 for detailed information and an explanation about
the different life-cycle stages of the MD and how the organization
knows in which life-cycle stage it is involved.
The ability to provide appropriate medical devices
What are the actual requirements of clause 1? When an organization
decides to implement the ISO 13485 Standard, it is required, through
the use and application of the methods and quality instruments
presented in this standard, to prove its ability to
• Identify customer requirements
• Identify regional regulatory requirements
• Initiate a risk management approach and system
• Implement any activities or controls required by those regulatory
requirements
• Establish a QMS according to the requirements of the ISO 13485
Standard
• Provide safe MDs that meet the applicable regulatory, safety, and
standard requirements
In other words, the purpose of the standard presented in clause 1
must be reflected through the quality management system of your
organization. How? Through applying the quality management tools
and instruments that are suggested in the standard, like setting
and defining quality policy and objectives, applying the process
approach, planning processes, establishing a system to control
risks, and meeting any other standard requirement presented in the
standard.
A quality management system is a combination of various activities
and processes—marketing, design and development, production,
technical activities, storage, and distribution—operated by various
functions and roles that demand certain conditions and
qualifications. Determining what is to be included under the QMS
will define which organizational aspects will be designed, managed,
and controlled under the quality requirements: products, processes,
activities, sites, information and data, tools and equipment, and
human resources. Determining which of the standard requirements
must be translated into operational activities and implemented in
the organization, and how, will frame the
scope of your quality management system and define which of the
standard requirements are applicable to your organization. A
description of the scope and a detailed list of the standard
requirements related to the QMS will be included in the quality
manual, where it is required to include a list of the operations,
processes, and products that are included. The objective is to
describe all the quality operations and processes that are
applicable to the organization: planning of product realization,
customer-related processes, purchasing, and so on.
Size and type of the organization
Another statement of clause 1 addresses the applicability and
adequacy of the ISO 13485 Standard
requirements to organizations that provide medical devices. The
statement indicates that the size and type of an organization do
not affect the application of the standard except where explicitly
stated. In other words, when you are defining the application of
the standard requirements to your processes, activities, and
products, the size and type of the organization are not factors
that will determine whether a requirement is needed, except where
explicitly stated.
Integrating regulatory requirements in the QMS
One of the main
objectives of the ISO 13485 Standard is to integrate applicable
regulatory requirements or other international standards, or
internal standards with quality management system requirements. To
integrate means to identify the applicable regulatory requirements
and their operational, legal, administrative, and any other demands
and to implement them into the QMS activities. The objective is to
systematically identify all the regulatory requirements and
understand (as well as implement) how they affect or have
implications for the QMS elements: processes, activities, human
resources, documentation, records, and risk
management. These may have special demands regarding the extent,
structural activities, and documentation of the QMS.
Exclusions and justifications
The ISO 13485:2016 Standard is
intended to be a standard for medical device manufacturers and
other organizations that participate in the life-cycle of the MD
that are expected to demonstrate their ability to provide medical
devices and related services that consistently meet customer and
applicable regulatory requirements. It is recognized, however, that
not all the requirements of this standard will necessarily be
relevant to all organizations. Thus, the ISO 13485 Standard
permits, under certain circumstances and limitations, the exclusion
of certain standard requirements: the omission of quality or
realization activities that are normally required from the QMS.
Exclusion means that certain standard requirements (one or more)
are not applicable to the organization due to the activities and
processes undertaken by the organization or the nature of the
medical device for which the quality management system is applied,
and the organization decided not to implement these requirements in
its QMS. The implication of the exclusion is that certain quality
activities specified in the standard will not be developed in the
QMS and will not be implemented. The exclusions will be referred to
and justified in the quality manual.
Exclusions are very important because they set the degree of effort
and amount of resources that you will have to invest in
implementing and maintaining the QMS. The application of the ISO
13485 Standard refers to how the QMS defines what users are allowed
to do and how, instructs them, and provides them with quality tools
to accomplish processes, operations, activities, and tasks. The
determination of the application will frame the scope of your
quality management system and define which of the standard
requirements are applicable to your organization and which you may
exclude. The organization is allowed to exclude only requirements
that appear in clauses 6, 7, or 8 of the ISO 13485 Standard. All
other clauses are obligatory for meeting the ISO 13485 Standard
requirements and will be implemented. In other words, the
organization must consider whether all the requirements of the
standard are relevant to its activities, based on the nature of the
organization itself, the type and class of the MD, the realization
activities and safety requirements (that are derived), and the
statutory and regulatory requirements.
The justification for the exclusions must prove beyond any doubt
that the exclusions do not affect the ability or responsibility to
consistently provide a product that meets customer, safety, and
applicable regulatory requirements. Furthermore, the exclusions
must be consistent with the
scope of the QMS, as mentioned in the quality manual. For example,
you may not exclude clause 7.5.10—Customer property and claim
management of customer property in the scope. Considering the
justifications, the organization shall evaluate the implications of
the exclusions and how the exclusions will prevent it from meeting
applicable safety and regulatory requirements. The documentation
and approval of the exclusions will be documented in the quality
manual. Each standard requirement that was left out will be
justified or referred to another documented justification. The
justification shall confirm that the exclusion does not affect the
quality of the activities, processes, and products.
It is very tempting to exclude, but the experience, the reality,
and, above all, the external audit show that exclusions are often
mistakenly applied. For example:
• The company manufactures, markets, and delivers a medical device.
The design and the development are done by an external
company. The company may not exclude the design and the
development requirements (7.3), since it holds the responsibility
for the medical device, its functionality, performance, safety, and
intended use.
• The company manufactures components for a medical device as a
subcontractor. The design and the development are done by an
external company. The company may exclude the design and the
development requirements (7.3), since it holds no responsibility
for the medical device, its functionality, performance, safety, and
intended use.
• The company manufactures the medical device, but the purchasing
is done by the parent company. The company may not exclude the
purchase requirements (7.4), since it handles information regarding
the purchase: type, product, supplier, schedules, and
quantities.
• The company designs and develops a medical device according to
the customer specifications. The company may not exclude the
customer’s property requirements (7.5.10), since it manages the
customers’ documents, diagrams, and technical specifications.
It can be very confusing, and each case shall be evaluated on its
own merits. I advise you to consult the auditor regarding the
exclusions. The exclusion and justification shall be documented in
the quality manual according to the requirement of clause
4.2.2—Quality manual.
Exclusion of design and development controls
The organization is
required to implement design controls through a design and
development process, and the design controls are normally executed
while the design and development proceed. The organization
may exclude the requirements for the design and development
controls presented in Chapter 7.3 when other regulation allows the
exclusion of these requirements. Nevertheless, this regulation must
submit alternative design and development controls. There is no
doubt that designing and developing the medical device must be
controlled. However, it may be that the manufacturer designs and
develops its medical devices in a region with certain regulatory
systems and controls of the processes that have already been
implemented. There is no logic in maintaining two sets of controls.
Thus, the ISO 13485 Standard allows the organization to implement
other regulatory controls and to exclude the design and development
controls specified in clause 7.3. For example, if the organization
is developing the medical device while implementing the
requirements of the FDA QSR 21 CFR 820.30: Design Controls, it may
exclude the controls of clause 7.3. The exclusion must be
documented and justified. But it is still the responsibility of the
organization to provide sufficient evidence of the ability of the
QMS to meet the ISO 13485 Standard requirements (including clause
7.3) despite the exclusion of the design and development
controls.
Outsourced processes
The application of the standard requirements
includes processes related to the organization and the realization
of medical devices that are performed outside the organization.
Such processes are applicable to the quality management system and
must be identified, documented (if and where appropriate),
controlled, and verified. This does not relate to purchased goods,
materials, or components, but to the provision of core processes
needed for the realization of the product supplied by suppliers or
contractors: design and development, production, assembly,
sterilization, cleaning, accreditation, storage, and
transportation:
• These processes will be identified and included in the quality
manual and in the description of the interrelations between other
processes of the quality system.
• These processes will be implemented and the necessary realization
requirements shall be defined and allocated: production means,
human resources, verification, and validations, in order to verify
that they meet the ISO 13485 Standard requirements. It is allowed
to let the supplier of those processes allocate the resources. The
organization then will be informed, take part in the planning of
those processes, and approve the allocation of the resources.
• These processes will be appropriately controlled, and the
manufacturer shall acquire the minimal knowledge and technical
abilities to control these processes and will receive from the
supplier sufficient information regarding the processes and their
results.
2. Normative references
The purpose of normative references is to indicate
that the terminology and nomenclature specified in this standard
are not open for debate or an interpretive discussion. A normative
reference refers to a document that includes terms, fundamental
concepts, principles, and vocabulary that are essential for the
application of the ISO 13485 Standard. The ISO 13485 Standard
requirements are as follows:
• When dated normative references are used, only the edition cited
applies (the ISO 9000:2015 Standard).
• When undated normative references are used, the latest edition of
this referenced document (including any amendments) applies.
• The document ISO 9000:2015, Quality management systems—
Fundamentals and vocabulary is to be normatively referred to while
establishing a quality management system according to the ISO 13485
Standard requirements.
A normative reference lists other ISO or IEC documents or standards
that are necessary for the application of the standard, in other
words, the documentation that may assist you in how to comply with
the requirements stated in the ISO 13485 Standard. The objective of
a normative reference is to relate to a standard that is applicable
to the implementation of the ISO 13485 Standard and to relate to
directives, definitions, or understanding of the ISO 13485
Standard.
The ISO 13485 Standard refers us to a specific document, ISO
9000:2015: Quality management systems—Fundamentals and vocabulary.
In case questions or misunderstanding regarding the definitions or
requirements of the ISO 13485 Standard arise during the
implementation and application of the standard requirements, you
can turn to this document. For example, when you are discussing and
planning activities related to customer focus and you are not sure
what the definition of customer focus is, you may turn to the ISO
9000 Standard and learn how the ISO 13485 Standard interprets the
issue of customer focus.
3. Terms and definitions
Clause 3—Terms and definitions is necessary in order to clarify
terms and definitions mentioned in the ISO 13485 Standard. In order
to clear matters and disputes, the standard presents its
interpretations and explanations regarding terms and definitions
presented throughout the standard. These are an inseparable and
integral part of the standard. The explanations provided are very
descriptive and clear; therefore, there is no need to repeat them.
Please refer to clause 3 of the ISO 13485 Standard—Terms and
definitions for the exact definitions.
4.1 General requirements
4.1.1
Clause 4.1.1 presents the general requirements and main principles
of a quality management system. These are the foundations of the
QMS. First, let me review the basic requirements.
• The organization shall establish and maintain, document, and
implement a documented quality management system within the
organization with conformity to the requirements of the ISO 13485
Standard and applicable regulatory requirements.
• The organization is required to maintain the effectiveness of the
quality management system in accordance with the requirements of
the ISO 13485 Standard and applicable regulatory
requirements.
• Any requirement, processes, activity, arrangement, or procedure
required by the ISO 13485 Standard and applicable regulatory
requirements shall be identified, included, planned, implemented,
and controlled in the QMS.
• The organization shall document the role or several roles
undertaken by the organization in relation to the applicable
regulatory requirements.
• Note—Roles undertaken by the organization can include
manufacturer, authorized representative, importer, or
distributor.
Terms and definitions
Before we start to unveil the requirements of
clause 4.1.1 and their implementation, it is important to know some
terms and definitions:
• Process—A set of interrelated or interacting activities that
convert inputs into outputs and accomplish a specific
organizational goal. These activities require allocation of
resources such as people and materials.
• Role of the organization—The role of the organization determines
which quality and regulatory activities and controls the
organization must plan and implement in its QMS. The role of
the
organization is determined according to the phase of the life-cycle
of the medical device in which the organization is taking part and
the activities that the organization is executing in the supply,
provision, maintenance, after-sales obligations, and relations with
the user or patient of the MD. The organization must provide a
documentation of its role.
• Scope of a process—Scope of the process defines precisely where a
process starts and ends, what its related inputs and outputs are,
and which activities are included and excluded.
• Supplier of a process—The deliverer of inputs to a process (data,
information, goods, or services). The supplier may be an external
supplier that delivers, for instance, goods or material, or an
internal supplier—an organizational unit that delivers inputs to a
process.
• Customer of a process—The receiver of the outputs of a process
(data, information, goods, or services). The customer defines what
outputs are expected according to its needs. Customers may be
external customers, end customers, or internal customers.
• Inputs—Specified requirements needed to be put into a process in
order to start the process. The input will be processed by a
process or activity.
• Output—Specified expected or intended result of a process.
• Risk—Combination of the probability of the occurrence of not
fulfilling process specifications or customer requirements.
• Monitoring of processes—A continuous, sequential, and periodic
examination of processes and their outputs.
• Measurement of processes—Determining a physical measurement of
processes and their outputs based on data.
• Process owner—An organizational function responsible for a process
or subprocesses.
Establishing a QMS according to clear principles
The ISO 13485 Standard declares in clause 4.1.1 quite clearly with
which principles the QMS shall be established:
• Establishment of a QMS according to the ISO 13485:2016 Standard
• Identification and integration of relevant regulatory requirements
in the QMS
• Definition of processes and their interactions needed for the
operation of this QMS
• Identification of the resources needed for the QMS or required by
regulatory requirements
• Ensuring achievement of planned results
• Continually maintaining the effectiveness of the QMS through
improvement
The important message here is that in order to deliver a conforming
MD or associated service and to meet customer and regulatory
requirements as well as other needs and expectations of other
relevant interested parties in an effective way, a QMS must be
established and maintained—a QMS
• That is based on the quality principles suggested in the ISO
13485 Standard.
• That is defined, planned, implemented, and controlled.
• That is regulatory requirement focused—the QMS should use
methods to identify, understand, and implement regulatory
requirements in any region in which the organization is active, and
shall develop processes to meet these requirements.
• That is planned in accordance with the role of the organization
in the life-cycle of the MD.
• Whose activities and processes address the needs and expectations
of interested parties.
• In which a risk-based approach is implemented.
• Whose resources are identified, planned, allocated, and controlled.
• Whose processes and activities are managed and whose interrelations
are clear.
• That is constantly analyzed and controlled—analysis of data and
information is implemented and decisions are based on facts.
• That supports improvement and effectiveness through collection of
evidence and its analysis.
• That is fueled by the top management leadership—through
leadership, the purpose and strategic direction of the organization
are established. Leadership shall create the environment for
establishing the appropriate quality policy, in which employees can
become fully involved and quality objectives can be achieved.
• That persons in the organization are aware of.
• That uses data of after-sale activities to improve and update its
processes and products and the safety of the products.
Identifying applicable regulatory requirements
The identification
of applicable regulatory requirements is a critical phase in
developing the QMS because the regulatory requirements will shape
your QMS and its elements and operations. It is also necessary for
the next stage of documenting the roles of the organization.
Applicable regulatory requirements also depend upon the risk class
of the device and on the regulatory system of the country. It is
important to find the overlap points
between the regulatory requirements and the standard requirements
because they influence each other. Regulations for quality systems
dictate
• The methods, facilities, and controls used by the manufacturer in
the design, manufacture, packaging, labeling, storage,
installation, servicing, and postmarket handling of medical
devices.
• The requirements that a vendor must follow when registering and
marketing an MD in a region and applying methods for after-sale
activities.
The objectives of the regulatory requirements that are relevant to
the ISO 13485 Standard requirements are:
• Ensuring that certain activities regarding the realization of the
MD are being taken
• Developing the interrelation between the organization and the
regulatory bodies
• Developing basic acceptance criteria:
  • Requirements on safety and performance
  • Requirements for quality systems
  • Requirements for packaging and labeling
  • Administrative requirements like registration
• Controlling import of MDs into the region
• Controlling local production
• Developing the basis for postmarket surveillance
• Ensuring user education and training
• Reviewing and approving policies and related standards
• Managing a national alert system
The types of the regulatory requirements may differ from one
another, meaning they might have other legal statuses that will
determine the degree of the commitment expected by the
organization. Types of regulatory requirements may be:
• Regulations
• Directives
• Decisions
• Recommendations
• Opinions
• Standards
Maintaining effectiveness of the QMS
The organization is required to maintain the effectiveness of the
QMS in accordance with the requirements of the ISO 13485 Standard
and applicable regulatory requirements. What does effectiveness in
regard to the QMS mean, exactly? Effectiveness is the extent to
which planned activities are realized and planned results are
achieved; something is planned, and the extent of the results is
tested against the expected objectives. This is performed in order
to achieve
systematic improvement. The requirement is for maintaining
processes and documented systems that will allow the organization
to constantly assess whether its quality management system is
effective and when it is necessary to replan its further steps.
This will be accomplished through the use of several quality tools
suggested by the ISO 13485 Standard that are designed for the
maintenance of the effectiveness of the QMS, for example, quality
objectives. Obtaining these objectives will achieve improvement of
the quality management system. The objectives may include
schedules, defined timeframes for responses, results of processes,
reductions of returned goods, and so on. The objectives are to be
measurable in order to be compared to criteria.
The effectiveness of a QMS depends much on the ability of an
organization to achieve planned results—the expectations of the
interested parties. Therefore, the identification of needs and
expectations of the relevant interested parties—customer and safety
requirements and those of regulatory bodies—puts the organization
in a position to develop and plan an effective QMS. Maintaining the
effectiveness of the QMS is achieved through implementing specific
measures and activities for the improvement of the processes of the
QMS (achievement of objectives and maintenance of effectiveness).
The next step in maintenance of effectiveness is the ability to
recognize where these expectations are not answered and react
accordingly.
The requirement of clause 4.1.1 regarding the maintenance of the
effectiveness of the QMS is here conceptual rather than practical.
In other words, you are expected to bring the idea of maintenance
of the effectiveness of the QMS into the concept of your QMS,
develop those organizational tools and systems for identifying
cases where the effectiveness of the QMS is not maintained, and
apply certain quality tools to maintain this effectiveness, for
example, mentioning it in the quality policy and initiating
activities that will maintain the effectiveness:
• Make a commitment to define and develop appropriate quality
objectives.
• Plan the implementation, maintenance, and control of certain
indicators of performance and effectiveness of processes or process
outputs (products or services).
• Plan and implement the monitoring and measurements of those
indicators.
• Initiate improvements of the performance of the QMS.
• Allocate resources and initiate actions to reduce nonconformities.
• Allocate resources and initiate corrective and preventive
actions.
Relation between processes, the ISO 13485 Standard requirements,
and the applicable regulatory requirements
It is important that the defined processes refer to the relevant
ISO 13485 Standard requirements and applicable regulatory
requirements. What do I mean by that? The ISO 13485 Standard
presents us with many quality management requirements, such as
management review, management of resources, and many quality
requirements for the operation of the QMS. The applicable
regulatory requirements compel you to implement certain activities
and processes. For example, when you design the process of offering
or selling products to the customer, you must take into account the
specification in clause 7.2—Customer-related processes, such as
• Determine requirements specified by the customer.
• Determine applicable regulatory requirements related to the
product.
• Ensure that product requirements are defined and documented.
While defining and designing the processes included in the QMS, one
must include such operational quality requirements.
In practice, I would develop a matrix that demonstrates the
applicable QMS element like process, form, and so on for each ISO
13485 Standard requirement. The matrix may look like this:
[Matrix: one row per ISO 13485 Standard Req.; an X marks the
applicable QMS element.]
This matrix shall be a controlled document and shall be submitted
to the controls suggested in clause 4.2.4.
Documentation of the QMS
The ISO 13485 Standard requires
documentation of the processes, operations, and activities that
make up the QMS. I promote it as part of standardization in
organizations; the documentation creates a system for designing,
analyzing, and implementing processes. The extent and level of
detail of the documentation shall be determined by the organization
according to its needs, but bear in mind that you will have to
justify it. If you decide to maintain low-detail documentation,
you must show during an audit how this documentation is
sufficient. Documentation is divided into two levels:
• The organization shall define how processes, operations, and
activities shall be documented. Here, the standard refers to
process diagrams, procedures and standard procedures, work
instructions, and so on.
• The organization shall define which process outputs must serve as
evidence and be maintained in the form of records of processes,
operations, and activities.
The methods and basics of defining and maintaining documentation
needed for the operation of the QMS and management of records as
evidence are discussed thoroughly in Section 4.2—Documentation
requirements.
Employing the process approach
The ISO 13485:2016 Standard is based
on the process approach in order to enable the organization to
effectively plan its processes and their interactions (see clause
0.3 of the standard: Process approach). How effective? The
effectiveness of an organization depends much on its ability to
perform several interconnected activities simultaneously in order
to achieve the intended results—meeting customer, safety, and
regulatory requirements. These relations should be planned,
managed, prioritized, and controlled. The ISO 13485 Standard
requires adopting a system of processes within the organization.
This system of processes requires the identification, application,
and implementation of processes in the organization, the definition
of their sequences and interrelations, and the application of their
controls. The goal here is to develop and plan processes and
methods for the realization of products or services.
The specific requirements regarding the process approach and its
implementation in the QMS are presented in clauses 4.1.2 and 4.1.3.
I will discuss the specific requirements and suggest methods to
achieve these in Sections 4.1.2 and 4.1.3. But for clause 4.1.1, I
would include in the quality policy a statement that the processes
of the QMS are developed according to a planned system based on the
process approach.
Phases in the life-cycle of the medical device
The organization is
required to document the role undertaken by it regarding the
realization and supply of the MD. But before we start to discuss
the role of the organization, we must review the different
life-cycle phases of the MD because the role of the organization
will be derived from the phases in which the organization is
active. Understanding the different phases of the life-cycle of the
MD is the basic stage in developing an effective QMS in the medical
device industry.
Basically, there are seven major phases in the lifespan of a
medical device from conception and development to disposal. I
illustrate them in Diagram 4.1.
• Each phase of the life-cycle proposes another regulatory
framework. By regulatory framework, I mean necessary regulations,
relevant rules, laws, and regulatory bodies that influence and must
be considered when planning the QMS—that is to say, planning the
operations and activities of the QMS.
• Each phase of the life-cycle considers and refers to other aspects
of the intended use and performance of a medical device and bears
other ISO 13485 Standard, safety, and regulatory requirements. In
other words, the life-cycle stage in which the organization is
active influences the quality management expectations and
requirements demanded from the organization. The quality management
expectations and requirements from the manufacturer are different
from those of the vendor.
• Another important aspect of the life-cycle of the MD is its
safety; each of its phases may have other safety requirements and
may demand other safety measures. This is derived from the fact
that each phase bears other activities related to the MD.
The life-cycle also dictates the different necessary roles and
functions in the organization, and these roles and functions must
be identified. Normally, but not necessarily, the manufacturer of
the MD manages the first three phases of the medical
device’s life-cycle:
• Conception and development
• Manufacturing
• Packaging and labeling
[Diagram 4.1: Conception and development, Manufacture, Packaging
and labeling, Advertising, Sale, Use, Disposal]
Diagram 4.1 Major phases in the lifespan of a medical device.
The next phases of the life-cycle, advertising and sale, are
usually executed by importers, distributors, retailers, and
manufacturers who sell the MD. In addition, the users and
regulatory authorities take part in the life-cycle. The regulatory
bodies have the responsibility of ensuring that the medical devices
sold in their country or region are safe and effective. As you can
see, all interested parties must work together. The relation
between the four is illustrated in Diagram 4.2.
An interface and interaction between the different roles in the
life-cycle of the MD, the participants and involved parties, is
required to be established and maintained, for example,
communication channels, a reporting system, and so on. Such
interaction ensures:
• Compliance with regulatory requirements
• Maintaining safety measures
• Compliance with reporting requirements
• Enables the management of nonconformities
• Facilitates fulfillment of the ISO 13485 Standard requirements,
like
  • Feedback activities
  • Purchasing activities
  • Traceability
For example, the vendor shall demand from the manufacturer or
importer the proper training as a condition for cooperation in
selling the MD. Another example is developing and arranging
communication channels between the vendor and manufacturer for
exchanging data regarding feedback and complaints. The complaints,
for example, are subject to regulatory requirements, which means
the operations of managing a complaint must be planned according to
the regulatory requirements. Plus, controlling and improving MD
safety and performance is considered a multiphased process and
requires cooperation among all roles participating in the
life-cycle of the MD.
[Diagram 4.2: Manufacturer; Regulatory bodies; shared
responsibility in manufacturing, communicating, and delivering the
medical device and training the user or patient]
Diagram 4.2 The relation between the interested parties during a
medical device’s life-cycle.
The life-cycle is usually divided into three main stages,
premarket, placing on the market, and postmarket, that determine
which requirements may be relevant for the organization and thus
its processes, activities, and operations that will be planned and
integrated into the QMS (see Diagram 4.3).
If we refer back to the diagram that illustrates the
typical life-cycle of the MD, the phases will be divided like
this:
In the premarket stage, it is ensured that the MD:
• Is developed according to customer, safety, and regulatory
requirements
• Has been tested or clinically tried
• Performs as expected
• Is safe for use
• Complies with regulatory requirements
• Is labeled and packed in a correct and accurate way
In the placing-on-market stage, it is ensured that:
• The vendor is registered.
• The MD is registered as required in each region where it is
marketed.
• The performance and intended use of the MD are communicated
correctly to the public.
• After-sales obligations like user support, complaint handling, or
maintenance of user records are being pursued by the manufacturer
or the vendor.
In the postmarket stage (vigilance and surveillance), it is ensured
that:
• The use of the MD is being closely studied for relevant events
that occur, like feedback from users, adverse events, or other new
developments or changes in the area of the MD that require
reaction.
• Systems for reporting and alerts are developed.
• The MD is adequately disposed of.
• The safety and performance of the MD that is in use are ensured and
improved.
[Diagram 4.3: the stages Premarket, Placing on market, and
Postmarket shown against the phases Conception and development,
Manufacture, Packaging and labeling, Advertising, Sale, Use,
Disposal]
Diagram 4.3 The three main stages of the life-cycle of the medical
device.
So? In which life-cycle phase does your organization take part? It
is important to understand when proceeding to the next requirement—
documenting the role of the organization.
Understanding the undertaken role(s) of the organization
The
organization is required to document the role undertaken by it
regarding the realization and supply of the MD. The role of the
organization determines the obligations of the organization toward
the realization of the MD and the expectations of interested
parties relevant to the MD, and indicates certain operations of the
QMS as well as attributing risks and their controls to the
realization processes of the MD.
Several regulatory bodies maintain several regulatory frames:
applicable requirements to be adopted by organizations with a
variety of roles in the supply chain for medical devices. Through
the identification and definition of the roles of the organization
in the relevant regulatory frame (e.g., a region), it can relate
more effectively to relevant regulatory requirements and identify
the applicable requirements of all aspects, characteristics,
performance, intended use, safety, and compliance with regulatory
requirements, then also incorporate these applicable regulatory
requirements into its quality management system. Therefore, the
organization must understand exactly what its role is regarding the
different life-cycle phases of the MD. Basically, the role of the
organization in the context of the ISO 13485 Standard may be
manufacturer, distributor, or importer. The role of the
organization is determined:
• By the regulatory authorities in which the organization is
active.
• According to the phase of the life-cycle of the MD in which the
organization is taking part.
• According to the activities that the organization is executing in
the supply, provision, maintenance, after-sales obligations, and
relations with the user or patient of the MD.
Why is it so important to understand which role the organization
takes?
• Regulatory requirements propose critical phases in the life-cycle
of the MD. Those phases require different controls and
activities.
• Defining the role of the organization can identify which
regulatory requirements are applicable to it and which controls or
activities they
require. For each role in the lifetime of the MD, another
regulatory requirement may be introduced.
• The applicable regulatory requirements are also derived from the
class of the product.
• The role of the organization sets the degree of the
organization’s responsibility regarding the safety of the MD.
• The roles of the organization dictate which permissions or
licenses the organization must obtain.
• The role of the organization determines which accreditations or
certifications are required for the realization and distribution of
the MD.
• Identifying the role of the organization may serve as a basis for
the definition of the scope of the QMS.
• The different roles dictate which data regarding the use and
distribution of the MD the organization must collect and in which
situations.
• The different roles specify how the organization must report
different events regarding the MD.
• The regulatory requirements may demand specific methods,
facilities, and controls to be implemented by the role of the
manufacturer in the activities or operations of design,
manufacture, packaging, labeling, storage, installation, servicing,
and postmarket handling of the MD.
• Regulatory requirements may dictate the inspections of regulatory
bodies for each role of the organization.
• The role of the organization defines the interrelations with
other roles in the life-cycle of the MD and with the relevant
authorities or regulatory bodies.
• The role of the organization defines which processes, operations,
and activities regarding performance, safety, and regulatory
compliance the organization must apply in its QMS. The role of the
organization may define which ISO 13485 Standard requirements are
applicable—if the organization is not acting as a vendor, it might
not need to implement requirements like 7.5.3 Installation
activities or 7.5.4 Servicing activities.
• The role of the organization defines the relation and
responsibility of the organization to the user of the MD, for
example, the execution of user training. A manufacturer is
responsible for designing and developing an MD according to the
needs and specifications of the customer and according to
regulatory requirements, but the vendor is responsible for the
second part of relations with the user—the proper use of the
MD.
Which roles might we encounter? The ISO 13485 Standard provides us
with the specific terms and definitions for the different roles in
clause 3:
• Authorized representative
• Distributor
• Importer
• Manufacturer
The note of clause 4.1.1 specifies that a role of the organization
may be manufacturer, authorized representative, importer, or
distributor. In other words, the ISO 13485 Standard requirements
apply to those mentioned roles and not the role of the user. Please
review clause 3 of the standard for these definitions. But I would
like to add some details of my own in the next sections.
The manufacturer of the medical device
The manufacturer is a legal
entity with the intention of making the medical device available
for use under its name. The manufacturer is responsible for
realizing the MD from the design and the development to the
delivery of the MD through answering various requirements such as
customer, safety, and regulatory. The manufacturer is responsible
for preparing the MD for use. This role can include design and
development, testing, realizing (manufacturing), labeling,
packaging, and so on. The manufacturer may
• Only design the MD and let it be initially manufactured by a
third party
• Design and initially manufacture the MD
Next, let us review the distinctions of the manufacturer of the
MD:
• The manufacturer has the responsibility for the characteristics,
intended use, and performance safety of the MD as well as
compliance with regulatory requirements.
• When an MD or one of its components or accessories is subject to
regulatory requirements, these requirements may describe and
specify who is considered the manufacturer. Normally, the entity
that is responsible for the manufacturing of that accessory is
considered to be a manufacturer.
• Manufacturing the MD includes the following activities and operations:
specification development, purchasing materials, components,
services and ordered processes, production, fabrication, assembly,
processing, packaging, repackaging, labeling, relabeling,
sterilization, installation, or rework of a medical device.
• When one accessory or component of the MD is subjected to a
regulatory frame and requirements, the entity that is designing and
making this accessory available for integration in the MD under its
name is considered a manufacturer.
• Putting a collection of devices, and possibly other products,
together for a medical purpose is also included under manufacturing
of the MD.
• When changing the intended use of the MD or modifying its design
and making it available for use under another name without acting
on behalf of the original manufacturer, this entity is considered
the manufacturer of the modified medical device as well.
Authorized representative
An authorized representative is
considered a natural or legal person established within a country
or jurisdiction who has received a written mandate from the
manufacturer to act on its behalf for specified tasks with regard
to the latter’s obligations under that country or jurisdiction’s
legislation, for example:
• Registering an MD
• Certifying vendors
• Managing adverse events
The importer of the medical device
The importer of an MD is a
natural or legal entity that is the first to take part in the
supply chain of the MD in the region in which it is active in
another country or jurisdiction.
• The importer of the MD shall identify its relevant regulatory
requirements under which the importer must develop its QMS. These
regulatory requirements normally have a precise definition of who
and under which circumstances a legal entity is considered to be an
importer.
• The importer is responsible for maintaining the relationships and
interrelations with the regulatory bodies in the region where it is
active. Such registration allows the government to be informed of
which importers are importing and selling which devices.
• The importer will manage the import of the MD according to the
regulatory requirements of the region where it is distributing the
MD, for example, maintaining export certificates that testify to
the characteristics of medical devices being imported.
• An importer may have other responsibilities and obligations
regarding the MD characteristics, intended use, performance,
safety, and regulatory compliance than the manufacturer.
• The importer is responsible for reporting incidents, adverse
events, or recalls related to the MD.
• The importer shall participate in feedback activities for
receiving information regarding the transport and delivery of the
MD.
• The importer is responsible for maintaining relationships and
interrelations with the vendor of the MD.
• The importer is responsible for ensuring that the MD is correctly
labeled regarding the import activities of the MD.
• The importer is responsible for maintaining the records of
distribution of the MD.
The distributor or vendor of the medical device
The distributor or
vendor is any natural or legal person in the supply chain who, on
his or her own behalf, communicates, advertises, and delivers (or
makes available) the medical device to the end user and therefore
is responsible for all activities that manage contact with the
customer and end user. The vendor coordinates between the
manufacturer of product and the user; he or she has the critical
role of selling the MD, ensuring that the sold product complies
with regulatory requirements, and putting it into actual use. The
term vendor includes importers, distributors, retailers, and
manufacturers who sell medical equipment. In the case of the
vendor, the objective of regulatory requirements is to minimize the
risk of exposing the public to low-quality or ineffective
devices.
• The vendor will sell the MD according to the regulatory
requirements of the region where he or she is distributing the
MD.
• The vendor of the MD shall identify its relevant regulatory
requirements under which he or she must develop its QMS. These
regulatory requirements normally have a precise definition of who
and under which circumstances a legal entity is considered to be a
distributor or a vendor.
• The vendor is responsible for maintaining the registration,
relationships, and interrelations with the regulatory bodies in the
region where he or she is active. Such registration allows the
government to be informed of which vendors are selling what
devices.
• A manufacturer may serve as a vendor as well.
• The vendor is responsible for the registration of the MD in the
region where he or she is active.
• A vendor may have other responsibilities and obligations regarding
the MD characteristics, intended use, performance, safety, and
regulatory compliance than the manufacturer.
• The vendor may be also the one that provides after-sales services
like training or maintenance activities for the MD.
• The vendor shall participate in feedback activities for receiving
information and applications from users and customers, for example,
processing complaints from customers regarding the MD.
• The vendor must also provide training and qualifications for the
proper use of the device and must be familiar with the indications,
contraindications, and operating procedures mentioned by the
manufacturer.
• The vendor is responsible for publishing and communicating
correct and genuine information and claims about the MD.
• The vendor is responsible for ensuring that the MD is correctly
labeled in the region where he or she is active.
• The vendor is responsible for reporting incidents and adverse
events or managing recalls related to the MD.
• When an authorized representative or distributor only adds its
own address and contact details to the medical device or the
packaging without covering or changing the existing labeling, it is
considered a vendor.
• The vendor is responsible for maintaining the relationships and
interrelations with the customers and end users of the MD.
• The vendor is responsible for maintaining the records of
distribution of the MD.
The vendor has a great responsibility toward the user of the MD.
For example, the MD may be a home-use medical device used by a
layperson who may need special instructions for the proper use and
maintenance of the device. Then it is under the responsibility of
the vendor to provide that person with the appropriate training
that is adapted to his or her needs—translated when required, less
technical and more user friendly, and so on.
Documenting the undertaken role(s) of the organization
After understanding which role is undertaken by the organization, you are
required to provide documentation of the role. This documentation
is the basis for establishing a QMS that will ensure intended use,
performance, and safety of medical devices. As mentioned above, all
interested parties, the manufacturer, the vendor, the user, and the
regulatory bodies, must have an interface so they can work
together. This is why it is important for the organization to
document its role in the life-cycle of the medical device. I
suggest here a way to document it: plan a matrix to demonstrate the
relation between the role of the organization and the referred-to
activities of the QMS. Such a matrix is an effective tool for
ensuring that each regulatory requirement covered in the QMS is
met.
1. Identify and document all the regulatory requirements that are
applicable to the organization. It is important to relate to each
jurisdiction or region in which the organization is active. You may
maintain a different matrix for each jurisdiction or region.
2. For each documented regulatory requirement, identify which role
the organization is required to undertake according to the
regulatory requirements.
3. For each documented regulatory requirement, identify with name,
number, or certain capital which processes, procedures, activities,
and operations relevant to the realization of the MD are included
under the applicable regulatory requirements.
4. Refer those identified processes, activities, and operations to
the relevant activities and processes of your QMS.
5. Maintain this documentation as a controlled document as part of
your QMS, which is submitted to the controls of clause
4.2.4—Control of documents.
The matrix will look like this:
Matrix for FDA Part 820
Defined role: Manufacturer
Number | Type | Description |
PO-7.4.A | Procedure | Purchasing process | Sec. 50 Purchasing controls
FO-7.4 C | Quality record | List of approved suppliers | Sec. 50 Purchasing controls (3)
4.1.2
The ISO 13485 Standard moves forward in dictating how the QMS
should look and presents the basic principles (the ISO 13485
Standard requirements for clause 4.1.2):
• The organization shall determine the processes needed for the
quality management system.
• The organization shall determine the application of these
processes throughout the organization.
• While determining the processes needed for the quality management
system and their application, the organization shall take into
account the roles undertaken by the organization.
• The organization shall apply a risk-based approach to the control
of the appropriate processes needed for the quality management
system.
• The organization shall determine the sequence and interaction of
the planned processes.
Applying the process approach
The process or system approach refers
to the act of implementing a method or rules that analyze,
identify, manage, and measure the processes of the organization.
These processes are necessary for the operation of the QMS and the
realization of the product. The fundamental goal is to create
standardization of processes in the organization and to ensure that
persons or different organizational units in the organization work
in a unified way. The objectives of the process approach are as
follows:
• Creating awareness and understanding in the organization
regarding responsibility for managing activities
• Implementing a method for the identification and planning of
activities needed for the operation of the QMS
• Implementing a method for the identification of relevant
regulatory requirements
• Defining the sequences between processes
• Implementing safety and regulatory measures in the processes
• Promoting a smooth and transparent flow of operations in the
workflow
• Identifying and ensuring the interactions between processes, that
is, activities in the organization
• Ensuring accurate delivery of inputs to processes
• Monitoring and controlling activities of the QMS
• Ensuring delivery of the right process outputs
• Ensuring achievement of intended results or process objectives
• Enhancing satisfaction of process customers
• Creating basis and environment for addressing risks and preventing
errors
• Creating basis and environment for the planning, implementation,
and analysis of improvements
The application of processes of the QMS throughout the organization
refers to the implementation and practice of the planned processes.
Let us see how it will be practiced.
Determining the processes in the organization
Which processes are
to be included in the QMS? Applying the process approach requires
identification and determination of all processes needed to realize
the product or service. In other words, you are required to
determine all key stages and substages (processes or subprocesses
if you may) necessary for the delivery and realization of the MD or
associated services (ASS). Identifying and determining the
processes included in the QMS is the first practical step in
applying the process approach. While implementing the QMS, you will
need to
• Understand the requirements of this standard and any applicable
regulatory requirements
• Identify processes, activity arrangements, and resources
necessary for answering these requirements
• Determine the scope of the QMS
Now, we must declare which operations are required in order to
fulfill the scope (realize the MD). The level of detail and
complexity of the processes depends solely on your organization and
the nature of its MD. But the rule of thumb indicates that only
processes and activities that affect the product, its intended use,
and quality must be included.
There are many ways to identify and determine which processes are
included under the QMS. For the ISO 13485 Standard, it is important
to have a clear definition of these processes because these are the
activities that will be planned, monitored, analyzed, and
controlled. It is important that the list of processes you come up
with answer these questions:
• Do these processes reflect your ability to deliver your MD
according to customer, safety, and regulatory requirements?
• Are all processes, key stages, subprocesses, operations, or
activities critical for the realization of the MD identified?
• Are all areas of the realization of the MD covered?
• Are there any activities that are required in order to meet
regulatory or safety requirements that are not covered?
• Is the scope of each process clear?
The end result of this determination of the processes and
activities included in the QMS may be displayed with a list that
specifies all processes, or a diagram (or set of diagrams) that
illustrates the processes and the interactions between them. Again,
the book is too short to suggest a certain method. You must
identify the method most suitable to your organization and its
processes.
Considering the role of the organization
As mentioned in Section
4.1.1, the role of the organization has a great influence on which
parts of the regulatory requirements are applicable to the
organization and define the regulatory activities and actions that
the organization must perform. In relation to the processes of the
QMS, the organization must identify which activities and operations
are required by applicable regulatory requirements and include them
in the list of the processes of the QMS.
Determining the sequence of processes
Determining the sequence of
processes means determining the sequence of different activities of
different elements involved in the process and constructing the
workflow in the organization. The goal is to make sure that the
processes achieve quality objectives, deliver planned results, and
ensure conformity of products or services. In practice, you define
how your processes flow in your workflow (Figure 4.1).
The sequence should allow an overview of your workflow and reflect
the way you are realizing the MD and operating in your
organization. A correct sequence of processes will allow the
information to flow effectively in the workflow, deliver the inputs
to the processes as required, and provide the right outputs.
Normally, these processes have subprocesses. Some processes or
activities may be in sequence and some may work in parallel. But
the end result should be a process map that indicates or describes
the workflow in the organization.
You must determine the sequence of activities within a process—what
has to be done, in what order, when, by whom, and which
resources are required. Furthermore, you have to identify whether a
regulatory requirement is applicable to that sequence and may
demand including more activities or processes. One way to describe
the sequence of activities in a process is through a documented
procedure—documented information that includes
• Reference to a process
• Goal or objective of the process
• Reference to relevant documents
• Target group—to whom this document is designated
• Description of activities
• The expected outputs
• The required records
[Figure 4.1 Example for sequence of processes of the organization. Surviving label: Design of a product.]
Types of such documentation:
• Management-oriented process—This method is designated to support
the management of different areas of responsibility and enables
core processes needed to achieve strategic objectives, such as
defining quality policy and objectives, strategic planning, and
management review.
• Process diagram/flowchart—A graphic demonstration of the
separated steps of a process in sequential order indicating the
entities involved in the process, required inputs, and expected
outputs.
• Documented procedure—A structured, documented, and formatted set
of activities needed to achieve an objective.
• Work instruction—A list of documented actions that specifies what
an employee is required to perform and what the expected inputs and
outputs are. This type of documentation is usually used to define
specific activities.
• Standard operating procedure—A detailed written instruction to
achieve the objective of the performance of a specific
activity.
Another tool that reflects and demonstrates the sequence of processes
is an enterprise resource planning (ERP) system, where processes
are managed according to a defined workflow: management of products
and bills of materials, customer offers, customer orders,
planning/scheduling (material requirements planning [MRP]),
retrieving recommended purchase propositions, retrieving
recommended production propositions, purchasing, outsourcing,
manufacturing, delivering, invoicing, and managing after-sales
activities. Such systems dictate the sequence of activities for the
user. In some cases, documentation of such systems may serve as
process diagrams or work instructions. If you decide to use this
type of documentation, make sure to document the gaps and
loopholes—those activities and operations of the realization that
are not covered in this documentation.
Interaction between processes
Processes in the QMS must interact
with each other. A process, by definition, is a set of interrelated
or interacting activities that transform inputs into outputs.
Interaction between processes refers to the delivery of inputs
to
processes, the acceptance of outputs from processes, and the
transferring of these outputs as inputs to the next process. The
interaction defines how inputs, outputs, or resources are
transferred between processes and activities. Processes of a system
exchange many types of information, data, material, goods, or
services through activities. In order to make the system effective,
the interactions between the processes in the system must be
planned and known to the operators of the system. This interaction
is influenced by many factors. I prepared here a table of the
factors and their influence on the interaction between
processes.
Factor | Influence on the interaction between processes
Supplier of inputs | The supplier initiates the interrelation by delivering inputs to the process.
The required inputs | The required inputs specify what is expected from the supplier. Here, it is important to know the inputs are handed or delivered to the process. This definition of inputs can be documented.
Methods or activities required to operate the process | Here is the reference to the methods and techniques used to operate the process. It includes the required tools, facilities, or infrastructures for the operation of the process and the documentation that is needed to support the operation of the process.
Resources that are needed to operate the process | Role or organizational units that operate the process must be clear—the unit that processes inputs into outputs. It need not necessarily be human; it could, for example, be software. The knowledge and competence needed for the operation of the process must also be defined.
Customer of outputs | It must be understood who the customer of the process is and how the outputs will be delivered.
The outputs the process generates | The expectation of the process must be defined, as well as the verifications, validations, and criteria that are required for the process. The required records are evidence that a process delivered its intended results.
Effectiveness of the interactions | Regarding the inputs, the organization must consider how it can verify or validate that the correct inputs were delivered to the process. Regarding the activities, the organization must consider which methods and tools it must maintain to control the performance of those processes. Regarding the outputs, the organization must consider how it can verify or validate that the correct outputs were delivered from the process.
If you define and plan all of these, you will be in a position to
effectively plan the interactions between the processes. In
practice, the method that you are using for documentation must
clearly describe how the interactions are taking place.
Defining inputs to the processes
After defining the processes and
their activities included in the QMS and their interactions, you
must define which inputs are needed for each activity. Applying the
process approach, you should prove that each identified process has
identified inputs and that the supplier of the process knows
exactly what it should deliver. Inputs of a process are defined as
specified requirements needed for the operation of a process.
Inputs are the fuel that drives the process: personnel, resources,
materials, data or information, technology, or knowledge. Inputs
may be tangible (raw material for a production process) or
intangible (information or data, e.g., results of a customer
satisfaction feedback survey). In order to effectively analyze and
identify the inputs, one must first know which activities a process
includes. Let me review the important aspects of inputs related to
the ISO 13485 Standard. Inputs must be:
• Defined—For each process, the inputs are defined.
• Deliverable—There is an effective way to deliver the inputs to
the process.
• Measurable—Inputs of a process must be measurable in order to
verify their availability.
• Planned—It will be clear when, during the workflow, inputs must
be delivered.
• Known—The supplier and operator of the process must know which
inputs they must deliver (supplier) and receive (operator) for the
process.
• Assigned—Responsibilities and authorities for the inputs are
assigned.
• Located—The persons who operate the process must know which
inputs are required for their operations and where they may find
them or how they should request them.
• Verifiable—The persons who are responsible for the inputs have
the means, criteria, and knowledge to verify or validate that the
inputs are as expected.
When regulatory requirements demand certain inputs to certain
activities or processes, they will be identified and planned. A
good example is the management of distribution records of the MD;
after the release of the MD, data like the serial number or the
batch number will serve as inputs for a set of processes for
maintaining such distribution records.
Defining outputs to the processes
An output is a deliverable result
of an operational process aimed to address the expectations of the
customer of the process. An output may be tangible (finished
products) or intangible (services provided to a customer or
information, such as the results of a calculation). Applying the
process approach, you must ensure that the expectations of the
customer for each identified process are identified and understood
by the people who operate the process. In practice, regardless of
the methods you are using to analyze your processes, make sure that
the outputs for each process are as follows:
• Identified—The intended outputs of a process are identified and
clear.
• Measurable—The outputs of a process must be measurable in order
to verify their conformity.
• Assigned—Responsibilities and authorities for the outputs are
assigned.
• Known—The persons who operate the process should know which
output is expected from them.
• Verifiable—The persons who are responsible for the outputs have
the means, knowledge, and criteria to verify or validate that
outputs are as expected.
When regulatory requirements demand certain outputs to certain
activities or processes, they will be identified and planned. For
example, when certain processes must be reported to the regulatory
authorities (like results of sterilization activities), that means
that the outputs of those activities shall be planned in the right
format.
Responsibilities and authorities for processes
While defining the
requirements related to the QMS for each process, it is required to
determine the authorities and responsibilities for specific duties
and obligations for performing the process activities for ensuring
the implementation, maintenance, and improvement of each process
and its interactions. I recommend the assignment of an
organizational role, functional units, or authority to a process.
This organizational role will relate to the organizational
structure. By assigning a responsible person to a process, we
create a relation between the organizational structure and the
workflow. The objectives of this person are as follows:
• To decide and na