ISO 13485 and FDA QSR: A Step-by-Step Guide to Complying with Medical Device QMS Requirements
This is more valuable than gold to your medical device company. It’s like knowing all the questions on the test and being provided an answer key.
For ISO, you should review audit guidance documents available via International Medical Device Regulators Forum (IMDRF).
Let me direct you to “Guidelines for Regulatory Auditing of Quality Management Systems of Medical Device Manufacturers – Part 2: Regulatory Auditing Strategy”.
And here is one more freebie for you: I’ve developed a QMS audit checklist that combines requirements from FDA 21 CFR part 820 and ISO 13485. It’s free--all you have to do is click below.
Use all these guides, guidances, checklists, etc. as tools to help you with your QMS efforts. They should all help you identify gaps and issues in your QMS and can be used to structure your internal auditing program.
I share more about internal auditing and how to use the QSIT and IMDRF guides later in this guide. For now, understand that the way FDA inspectors and ISO auditors use a system approach when reviewing a QMS.
Major QMS sub-systems as defined by FDA QSIT
Of course having all this information is useless if you don’t actually take action to establish and implement a QMS.
In this piece, I’ll guide you through the steps of building your QMS. Keep in mind that the order in which I suggest implementing your QMS is a just that--a suggestion. You will need all the parts and pieces at some point in time in the genesis of your QMS. And the order may vary slightly depending on your product and company.
Know this. Pleading ignorance of ISO 13485 and FDA QSR is unacceptable. Pretending QMS regulations and requirements somehow are not applicable to your company is a mistake.
Realize and accept you need a QMS. Here are 5 reasons why:
QMS Aligns with Regulations
QMS is a Framework
QMS Defines Expectations & Deliverables
Design Controls + Risk Management
Evolution of QMS
Regardless if your company has an established QMS or if you are just beginning this journey, I encourage you to spend the next 20 minutes reviewing this guide. And if nothing else, be sure to take advantage of the QMS audit checklist I have developed for you.
QMS Philosophy
There are a few cornerstones you should understand about my QMS philosophy. Let me share these with you now.
Bootstrap your QMS
Keep your QMS simple
Right-size your QMS
Bootstrap your QMS
Think about a medical device startup. It starts with an idea. Chances are some funding is likely required. And bootstrapping capital is often a tactic to get to that next milestone. Keep adding value as you go. Build your product and company as you progress from one milestone to the next.
Think of your QMS in a similar fashion. Bootstrap your QMS and build it as you go. And the QMS you construct should be commensurate with the product / company milestones.
For example, if you are in early stage product development, establishing QMS elements applicable for production and post-production may not be the best use of your time. Instead, focus QMS efforts on the processes applicable for the milestones you are tackling.
Keep your QMS simple
Make sure to keep your QMS as simple as possible. The QMS must align with FDA and ISO regulations and requirements. Reviewing 21 CFR part 820 and ISO 13485 will take less than 30 minutes.
If you simply regurgitate the QMS requirements, this will add little to no value to your company. Expect to spend between 4 - 8 hours per QMS procedure. And when doing so, keep three things in mind.
Does this meet the regulations?
Is this as simple as possible?
How does this impact the business?
Yes, I realize conventional wisdom suggests implementing a QMS may be somewhat disruptive to the business and may be viewed as not adding value.
I assure you that starting your QMS early and always keeping it as simple as possible will add a significant amount of value to your company. In the present case, having a QMS will help ensure that your company is generating expectation documentation and objective evidence. Also consider the future impact. Consider the positive impacts on your valuation. Consider what will happen during a FDA inspection or ISO audit.
Right-size your QMS
Make sure your QMS is built to suit your company size. Your QMS needs to be the right size to align with your company.
I learned about right-sizing a QMS the hard way about 10 years ago when I first started consulting. I was brought in to help a startup finish their QMS. The process was well underway when I joined. My job was to finish implementing the QMS.
The first thing I did was review the QMS efforts to date. I read through each procedure, comparing to FDA and ISO. All good.
Then I compared the established procedures against the actual company practices. Not good.
The procedures, as written, while compliant with the regulations, were overly burdensome for the startup. Too complicated to follow and not built in a way that aligned with the company.
I knew from this point on that a QMS must always be kept as simple as possible and evolve to meet the company size, personnel, and maturity.
Evolution of a QMS
Let me share with you a roadmap for constructing your QMS. I will break down what to do and when to do it based on the stage of your product lifecycle.
Product Development
Transfer to Manufacturing
Go to Market
Post-Market
QMS needs during Product Development
By now, you should know my view on bootstrapping a QMS. This should start while in the early stages of product development.
Basically, at the point when you have funds and are pursuing design and development of a medical device, you need to establish the first phase of your QMS. This first phase should include:
Design Controls
Risk Management
Document Control & Records Management
Supplier Management
Design Controls
Design Controls are defined in FDA 21 CFR 820.30 and in section 7.3 of ISO 13485. Design Controls are a systematic framework for capturing key aspects of medical device product development to prove your product meets user needs and is safe and effective.
Risk Management
Risk Management is defined per ISO 14971. There are references to risk management in FDA 820.30 and ISO 13485. And regulatory bodies around the world are expecting you to establish risk management processes that align with ISO 14971. Risk management is a systematic application of management policies, procedures, and practices to the tasks of analyzing, evaluating, controlling, and monitoring risks related to your products.
Document Control & Records Management
Document Control & Records Management is laced throughout all FDA 820 and ISO 13485. Consider this: If it is not documented, then it didn’t happen. Establishing when documents and records are required and who needs to review and approve is vital. While in product development, required documentation relates primarily to design controls and risk management. But as your company evolves, document control and records management will be critical to your overall success. Establishing a sound methodology early, which can scale as your product gets to market is necessary. Every step along the way will result in documents and records that will serve as the supporting evidence to prove you did what was expected.
Supplier Management
Chances are you rely heavily on suppliers for vital goods and services relating to your medical device. Supplier Management is about ensuring you are properly qualifying, evaluating, and monitoring your suppliers. Think of your suppliers as an extension of your company. And it’s not good enough to assume that since the supplier is FDA registered and/or ISO certified, that this is all you have to do. You need to conduct due diligence to demonstrate that your suppliers are able to meet your needs and requirements. You need records to demonstrate that you have implemented supplier controls commensurate with the criticality of the goods and services provided.
QMS needs during Transfer to Manufacturing
Your objective is to navigate through product development and ultimately into the market. In order to achieve this, at some point you will begin transitioning from development into manufacturing.
In a design controls sense, this generally starts to happen when you are entering Design Verification and Design Validation. Transferring to manufacturing is the time when prototypes and pilot production begins. This is the time when your product is about to be put through formal testing and analysis. If you are conducting simulated use studies, animal studies, and/or clinical investigations, then your product should be transitioning to manufacturing prior to these events.
When entering this phase, your QMS efforts also need to evolve to address these growing needs. You need to establish QMS procedures for:
Training
Purchasing
Device Master Record
Production & Process Controls
Labeling & Packaging
Receiving, Incoming, In-Process, Final Inspection
Identification & Traceability / Device History Record
Change Management
Nonconforming Material
CAPA
Management Responsibility
Training
Training is a key process as your QMs evolves. You need to make sure all your resources are properly trained. The training procedure should identify training requirements for your personnel. Managing training can definitely be tricky. You have to make sure that training is sufficient in order to demonstrate resources are proficient with skills required to perform daily functions.
Purchasing
Purchasing procedures shall describe minimum criteria required to buy goods and materials. Purchasing should go hand in hand with supplier management. Specifically, good and services should be purchased from approved suppliers.
Device Master Record
Device Master Record (DMR) includes all the drawings, specifications, manufacturing instructions, etc. required to manufacture your medical device. Think of the DMR as the recipe required for the medical device.
This recipe first gets established during product development. The design outputs you define during design controls are the preliminary DMR.
Production & Process Controls
Production & Process Controls is related to your DMR. You need to establish necessary controls regarding your manufacturing processes. The purpose is to ensure reproducibility and repeatability.
Process validation may be necessary for any processes where you do not or cannot verify the outcome 100%.
Labeling & Packaging
Labeling and packaging for your medical device must be defined. These are also part of your DMR. Depending on your product, labeling specifications and packaging specifications may be very important. This is especially the case for sterilized products.
Receiving, Incoming, In-Process, Final Inspection
At all steps from receiving goods through all steps of the manufacturing process, there are steps where inspections should be established. You need to establish inspection criteria in order to confirm that your specifications and acceptance criteria are met.
Identification & Traceability / Device History Record
When you manufacture products, you need to establish identification and traceability. Identification relates to the materials and components required for the device, often captured in a bill of materials (BOM). Depending on the type of device will dictate the level of traceability required for your product. Identification and traceability pertains to your ability to know where products are, and in the case of a recall, your ability to retrieve product.
The results of your identification and traceability are captured in a Device History Record (DHR).
Change Management
Changes to documents, records, goods, and materials are going to happen. In part, document control should describe how to manage revisions to approved documents and records. Beyond this, change management should be formally established for changes to your product.
Nonconforming Material
Nonconforming material relates to any goods, materials, and products that fail to meet established specifications. Nonconforming relates to inspections. If an inspection fails, this should be captured as nonconforming material.
CAPA
From time to time, you are likely to identify issues that require a formal investigation in order to fix. These investigations should be captured as a CAPA, or Corrective and Preventive Action.
Management Responsibility
A key part of establishing your QMS is to ensure management has oversight and awareness. At least once per year, your company needs to conduct a management review to review all aspects of your quality system. You also need to name a management representative. This person serves as the face of the company during FDA inspections and ISO audits.
QMS needs to Go to Market
Prior to going to market, you need to establish and implement the last parts of your QMS.
Process Validation
Software Validation
Calibration
Preventive Maintenance
Handling, Storage, Distribution, & Installation
Servicing
Complaint Handling
Adverse Event Reporting / MDR
Corrections & Removals
Customer Feedback
Analysis of Data
Quality Manual
Process Validation
Process validation is required for any processes where you are not able to verify the results 100%. It is also required in cases where you can verify 100% yet choose not to for business reasons.
Software Validation
Software validation is required for any software used in your company for managing aspects of your business impacting quality. This can include QMS software, manufacturing inspection software, etc.
Calibration
Calibration relates to any gauges and equipment used to take measurements of product during manufacturing processes. The gauges shall be certified to recognized standards and updated periodically to ensure gauges continue to measure accurately and precisely.
Preventive Maintenance
Preventive maintenance applies to routine actions required to keep gauges and equipment operating as expected.
Handling, Storage, Distribution, & Installation
Your product may need to have specifications defined regarding product handling, storage, and distribution. This can include temperature and humidity requirements.
Your product may also require installation at point of use. If so, this needs to be defined.
Servicing
Servicing relates to any activities required to keep your product functioning and operational. This generally applies to reusable products and not usually for single-use devices.
All servicing activities shall be document and records included with the original product DHR.
Complaint Handling
Any time a customer provides any written, electronic, or oral communication that alleges deficiencies related to the identity, quality, durability, reliability, safety, effectiveness, or performance of a device after it is released for distribution fits the official FDA definition of a complaint. You need to establish complaint handling procedures, including how you will investigate and address complaints.
Adverse Event Reporting / MDR
In the event that a complaint results in, or has the potential to result in serious injury, this is a complaint. More than that, this fits the criteria of an adverse event and may need to be reported to FDA (and other regulatory bodies). For FDA, the mechanism for reporting is known as a Medical Device Report or MDR. Your procedures need to address adverse event reporting.
Corrections & Removals
Although you never plan to have a field correction or removal (otherwise known as “recall”), you have to establish procedures to deal with this possible scenario.
Customer Feedback
A complaint is a type of customer feedback. Complaints are generally reactive: you learn about the issue after it has occurred. ISO expects that you establish customer feedback processes where you solicit feedback on the use of your products in a proactive fashion.
Analysis of Data
All of your QMS processes result in documentation and records. Ideally, you also establish key performance indicators (KPIs) and metrics to monitor your QMS performance. Analysis of data is one means to measure your QMS performance.
Note that any data you analyze shall be done so with proven statistical techniques.
Quality Manual
A quality manual is an overview of your QMS. A quality manual briefly describes your company quality policy and brief descriptions of all the required quality system elements.
QMS needs Post Market
Once you are in the market and you have established your QMS, you need to define your internal auditing processes. You set the schedule and frequency for internal audits. It is important to make sure that personnel conducting internal audits have been appropriately trained to conduct audits. Often times, internal audits are outsourced.
Internal auditing is a very important function. This is a way to monitor whether your company is following established procedures. Internal audits should be used as means for continuous improvements.
I mentioned FDA QSIT and IMDRF guidances earlier in this guide. Both FDA and ISO use a system approach when conducting inspections and audits of your QMS.
When establishing your internal audit program, I recommend structuring this in a way that mimics a system approach, as well as conducting individual process audits too.
To aid you in a system approach, I am providing you a free QMS audit checklist that includes both FDA 21 CFR part 820 and ISO 13485.
Written By Jon Speer @greenlight.guru
标签:   ISO13485 audit QSR820 audit