Working as a medical device consultant and third-party auditor for over 20 years, I have compiled the top 5 areas where companies, primarily small businesses and start-ups, misinterpret and make errors ISO 13485:2016 implementation. Some are easily fixed, while others are time-consuming and costly.
As an auditor who has worked mainly with small businesses and start-ups, I focus on conducting thorough audits to identify areas that need improvement so organizations can minimize cost and effort. Nevertheless, some of the solutions presented may not apply to your organization.
1. Misunderstanding of the requirement to validate QMS Software: ISO 13485:2016 Clause 4.1.6
The number one question I receive from companies implementing ISO 13485:2016 is the QMS software validation.
Some companies misinterpret the requirements and hire consultants to validate their software to pharmaceutical standards, which is expensive, time-consuming, and unnecessary.
ISO 13485:2016 clause 4.1.6 states: “The specific approach and activities associated with software validation and revalidation shall be proportionate with risk associated with the use of software.”
This means that you can tailor your validation based on risk. A simple approach is to list the software used in the QMS, determine the risks, and then define the validation steps required based on the risk result.
2. Complaint Handling: ISO 13485:2016 Clause 8.2.2
Another common misunderstanding is in complaint handling. Customers do not record all complaints that they receive.
The definition for complaints in ISO 13485:2016 states: “written, electronic, or oral communication that alleges deficiencies in a medical device’s identity, quality, durability, reliability, usability, or safety or performance of a medical device that has been released from the organization’s control or related to a service that affects the performance of such medical devices.”
For instance, the company receives a call from a customer with an issue with their medical device. The customer’s issue is resolved in 5 minutes over the phone. Should this call be recorded as a complaint? Based on the definition of the complaint, it must be recorded. The word “alleges” in the complaint’s definition means that the complaint does not need to be valid. It must be recorded.
Companies also struggle with the recording and investigation of complaints. The complaint form should:
- Include confirmation of the problem with the device to determine if it is valid or potentially reportable.
- Investigate whether the device failure was due to not meeting specifications for the device, labeling, or packaging.
- Determine if there were similar complaints issued.
- Include a review of trends, product batches, and inspection/testing records; if the failed product is available, perform testing or inspection of the defective or failed devices.
- Determine the complaint cause, if known.
3. Change Controls: ISO 13485:2016 Clause 4.1.4
Medical device auditors frequently cite the change control process as a nonconformity.
Companies do not realize that the requirement includes changes to processes, which include changes to documentation. It is required to determine the impact of these changes on the quality management system and medical devices.
It is crucial to establish a change control system. Users of QMS systems usually have modules that prompt them to include these requirements. Companies that are doing change control manually may forget to include these requirements.
The steps to implement a change control system are:
- Create a change control form and a detailed work instruction or procedure that explains what changes require documentation.
- Train personnel on how to complete the change control form with the work instructions or procedure.
- Assign someone the responsibility for the change control system.
- Hold periodic reviews (monthly) to ensure that all changes are recorded.
4. Determining and Measuring the Processes of the QMS
Many start-ups have difficulty determining the process of the QMS. Some small companies have up to 10 different QMS processes. Some also represent the processes per the sections listed in ISO 13485:2016 (Quality Management System, Management Responsibility, Resource Management, Product Realization, Measurement, Analysis, and Improvement). Although there is no issue with doing this, the processes should reflect the organization’s activities. The following are typical processes used by companies that design and manufacture hardware:
- Sales/Contract Review
The advantage of this arrangement is that it better reflects the company’s activities, and employees better understand how they fit into these processes.
Additionally, there is a requirement to measure the processes of the quality system to determine if they are effective. Unfortunately, companies usually select key performance indicators (KPIs) that are not measurable or attainable. The KPIs must include a target and be easy to measure. During my experience, there were cases where companies selected KPIs that took many hours to determine the results. Thus, it is better to set KPIs that are easy to measure and whose results are readily available.
5. Not Capturing All Outsourced Processes: ISO 13485:2016 Clause 4.1.5
In clause 4.1.5, there is a requirement to monitor and control outsourced processes that affect product conformity with the requirements.
Outsourcing includes any requirements in ISO 13485:2016 that are performed outside of the organization, and new companies sometimes misunderstand the requirements for outsourcing completely.
Outsourcing activities can include design, production, calibration, preventive maintenance, servicing, regulatory representatives, internal audit, etc. The company needs to determine the risks related to outsourcing and implement controls proportionate to the risks.
As an example, for companies providing manufacturing services (critical suppliers), the controls could include ensuring that the contract manufacturer has ISO 13485 and is being audited annually.
The last sentence of this clause requires that quality agreements be established with the supplier. It is common for companies to request their legal department to conclude these agreements, but I do not consider it necessary. A simple, 1-2 page agreement listing the responsibilities of both parties is sufficient.
The information presented in this article is general. It is best to contact a qualified consultant to determine the best solution for the company.
Danny Kroo is the President of Docusys Corporation, a Quality Management and Regulatory Affairs consulting company established in 1994 for medical devices, aerospace, transport, services, and commercial industries. Mr. Kroo is a member affiliate of Biomedical Engineering at McGill University and has created a course on Medical Device Regulatory Affairs and Quality Management. Additionally, he is a certified MSECB Auditor, assessing quality systems and providing regulatory services for ISO 13485.