07 Jun A Quick Guide to ISO 13485 Quality Management System
Interview with Educo Life Sciences expert Anne Jury
We interviewed Educo Life Sciences trainer Anne Jury to discuss the ISO 13485 Quality Management System (QMS) for Medical Devices & IVDs. We discuss the basics of the standard and why it is different from ISO 9001. We also discuss the different challenges faced by a start-up company with no QMS compared with an established company with fully operational QMS.
You can watch or read the interview below.
What is it?
ISO 13485 is a quality system standard. It is an international standard that provides a framework for the development and manufacture of medical devices.
For those starting from scratch – how do you do implement it?
I probably should have said that it is a standard providing a framework within which you can implement something called the quality management system and as the name would imply, it is intended to give a system of processes that will allow you to create and develop medical devices and manufacture them in a consistent manner. The idea behind most standards is that we get the consistency of output from something or a consistent approach to something.
So if you are a start-up company, you must first sit down and think about what you are there to do. What is your raison d’etre, so to speak, and when I have implemented quality management systems with start-up companies, the very first thing you need to do is document management, because you cannot even write a product specification or a manufacturing procedure until you determine how you are going to manage the documentation. Because one of the biggest potholes or pitfalls of quality systems is using the wrong document, using last week’s instead of this week and then you get into difficulties. So it is really important to have a document control process and so that is the first one to write and then everything after that is produced in a consistent manner. Everyone understands it has a format and a look to it that people understand and know how to use. Then from there, whether you are developing products or even straightforward manufacturing them, you need to control the materials. Well, two things. The resources of the company and the materials that you will use in your product. So, there is a whole section on resource management called product realisation, and that is a bit of a confusing title, but meaning from concept to retirement, it covers the whole product lifecycle. So those two areas, once you have done your document control, do your control of materials, so that includes purchasing and how you interface with suppliers and then your product realisation, which is how you do what you are doing.
What is the difference between 9001 and 13485?
Therefore, ISO 9001 is a similar parallel standard for all industries. It is not specific to one industry, and the nature of the development of standards means that once they are written they have a period of validity and are then revised if needed. ISO 9001 was revised in 2015, at least its current published version was 2015 and ISO13485 was 2016, and the two committees do not work together, so 13485 is specific to medical devices and at that point they diverged slightly. So, ISO 9001, in my opinion, is a slightly more forward thinking flexible standard intended for use by all sorts of industries and medical devices 13485 was very much a standard for quality systems to meet regulatory requirements. So the difference is 9001 can be applied to anything, anywhere, any company.
But perhaps the basis for those who are working in non-regulated industries and 13485 is specifically for medical devices, which have their regulations in many territories, so it is not specific to Europe or the UK or anywhere in particular. So the content differences come down to things like there is greater attention to product identification and traceability, there is more attention to documenting things which under 9001 perhaps you don’t need to document quite as much because there isn’t that need to demonstrate to a regulator.
I would say in a nutshell that is the sort of difference.
What about those with an established 13485 system – What challenges/problems should they be aware of?
As I said, ISO 13485 was published in 2016 and there was an amendment published or an addendum in 2021. But all that does is it does not change the content of the standard, it merely adds some pages that show how it meets the intentions of the regulations. Regulations never specify a standard. The regulation says you should have a quality management system and it should cover X, Y, and Z, but they do not actually make reference to the standards.
ISO 13485 is the standard of choice to demonstrate compliance with that requirement, at least in European regulations. That is one of the things that we need to think about more recently, so for companies who have been using it for a long time, they need to maybe have a look at that addendum from 2021 and make sure they have mapped across ISO13485 with the exact wording of the regulations. The trouble is the new European regulations, not so new now, but the MDR and the IVDR, they make bullet point requirements of what a quality system has to do and be, and there are a few things in there which are not covered by 13485. So that is the first thing. For well-established quality systems, you must ensure that you have written a quality system that meets 13485, but also addresses some of those gaps.
So, for example, the regulations require that you have a clinical evaluation process. There is nothing specifically in 13485 that says that. So that is an additional procedure that is now expected for those regs. And apart from those things, I find having been using this standard and its forebears for many years now, one of the things that is cropping up often is the management of organisational knowledge, which is not a term used in the standard. The standard talks about managing resources, but it’s clear that in the development to manufacture of medical devices, one of the key attributes the company has is competence of its staff, and whereas I think not even that many years ago it was accepted that, you recruit people and then you bring them in and you train them on the quality system, but you rely on the knowledge they brought with them or which their profession makes them competent in without thinking or documenting too much more about that. Now, I’m seeing a lot more focus and attention, particularly from the conformity assessment bodies on that very subject, and so whereas the standard just requires that you have a system to control the use of external documents, so regulations, standards, guidelines, all that wealth of information that’s out there about safety of medical devices, now it’s becoming more necessary to document how you do that, when you do that, who does that, how often do they review it and revise and assess the impact and so on and so forth. So, I would say that more recent trend is needing a procedure to control or manage the gathering and use of regulatory intelligence. So that’s something that’s not mentioned specifically in the regulations, it’s not highlighted, especially in 13485, but it follows on from the thinking and the intentions behind it.
Can you please provide some top tips for managing regulatory knowledge.
The whole intention of the standard is to provide this framework, this platform in the shape of a quality management system. Once you are in the habit of defining procedures that identify who does what, when, how often is it reviewed, who needs to approve, that is a habit that people get into and the standard provides a kind of minimum level. It doesn’t say you should only do these things, it’s a way of showing the minimum level of control that is expected to be applied in the development and manufacture of medical devices. My tip would be just to keep using that format, so anything that crops up that is specific to your industry, your type of device, specific to your type of company. Just use that format over and over and use it to ask those questions, who are responsible for what? How do they do it? Do they need additional resources? How often do you assess that and review it and so on? And a big component that I have not mentioned is that it is the first chapter of clauses, which is simply called quality management. It is about understanding what you are as a company and adapting, reacting to external pressures and having processes in place that will not only capture that information, that in itself is a trick that you need to get good at. But then acting on it, what is the impact of a change, whether it is a new regulation, whether it is a new type of technology, whether you decide that suddenly you need a digital system to help you manage the quality system, that is another new trend, is people moving across to digital platforms for running their quality systems on. These are very useful and helpful in increasing consistency. That was a long-winded way of giving a tip of keep doing what you’re doing and know what you’re doing.
Watch the interview below:
Anne teaches on the following courses:
Fundamentals of the EU Medical Device Regulation (MDR)
Understanding Medical Device Regulations: A Beginners’ Guide
PRRC Training (Person Responsible for Regulatory Compliance)
To view all our medical device and IVD courses follow the link below.
View our medical device & IVD training courses