Protect Your ISO 13485:2016 Quality Management System – Mistakes to Avoid
Medical Device Manufacturers need to be aware of different regulatory and quality requirements listed around the World. Launching a medical device is not just about the marks and certifications, it's also about quality control from manufacturing to sale and then Post-Market Surveillance (PMS) after product launch.
When we talk about Quality Control and compliance, many manufacturers utilise ISO 13485:2016 as a Quality Compliance standard. Not only because it is more prescriptive and requires a more thoroughly documented QMS but also because ISO 13485:2016 is mentioned in the harmonised European Standards (hENs)'s list and therefore, it can be interpreted that with ISO 13485:2016 – the mandatory requirement for a QMS listed under EU MDR is met. An ISO 13485:2016 certified company need not worry about QMS requirements.
Over the years, RAQA advisers at our parent company, Global Regulatory Services, as well as our very own RAQA adviser at Med-Di-Dia have come across many 'Common ISO Audit Mistakes.' What follows is an overview of some of these ‘mistakes’ and what can go wrong during an Audit and can push your organisation miles off course from achieving ISO 13485:2016 certification.
- Checkboxes – a QMS is NOT A Checkbox activity!
As mentioned previously, ISO 13485:2016 supports entry into the European market. Many companies consider compliance with ISO 13485:2016 as a ‘necessary evil’ and not a step towards safety and quality control. Since ISO 13485:2016 is viewed as a burden, several companies just want to 'Get Done' with the entire process. Companies need to stop looking at this entire process as a check list or to-do list. ISO 13485:2016 is a comprehensive process.
Looked at from another perspective, implementing ISO 13485:2106 should involve a holistic approach with quality at the core. The implementation process and processes after that should promote a culture of quality across the entire organisation, always considering the level of value it brings to the Company and opportunities for improvement. If you take this approach, implementing ISO 13485:2016 becomes a value-add exercise rather than a checkbox activity.
- Audit Planning
Compliance with ISO 13485:2016 is an ongoing activity. Companies need to plan their audits appropriately. There are 3 ways to conduct internal and external audits. Internal audits should be conducted in a planned manner to achieve the intended outcomes. A successful internal audit process requires the coordinated efforts of managers, supervisors, and everybody else on board. Many audit areas need to be addressed, so if your personnel aren’t working cohesively as a team, it is easy for the auditors to miss critical aspects which support a robust and compliant QMS.
Good planning helps establish a clear roadmap that's easy to understand and follow by those involved to address non-conformities. Having a realistic action plan helps Management bring everyone on board and ensure the selected approach is well coordinated.
- CAPA (Corrective Action and Preventive Action)
Many companies have ineffective CAPA processes. Whether that is poorly defined processes or ineffective investigations, these are the main contributing factors that lead to mistakes made by companies when implementing ISO guidelines around CAPA. For these reasons, it's critical to have a sound understanding of the subtle differences, according to the standard, between "corrective action" and "preventive action."
Corrective Action: eliminate the cause of nonconformities in order to prevent recurrence.
Preventive Action: eliminate the causes of potential nonconformities in order to prevent their occurrence.
"Death by CAPA" can occur when processes are so poor that it is difficult for the Company to follow through with eliminating and preventing the cause(s). Alternatively, everything is treated as a CAPA and then the Company becomes overburdened.
- Quality Oversight – ‘Money Spinner’
ISO 13485:2016 in itself is a time and money-consuming process. The latest audit costs are reaching a lifetime high. Our Advisers have seen that many companies do not plan their strategies effectively. In order to strengthen your regulatory and quality compliance activities, you must keep a check on certifications, technical files and quality processes. Some companies are asking that their technical files are reviewed and approved by one Notified Body whilst working with a different Notified Body to obtain ISO 13485:2016 certification. Here it is important that companies:
- A. Engage the same Notified Body to review their Technical File and also to audit their QMS for ISO 13485:2016 certification.
- B. Before approaching any Notified Bodies for an audit, all documents are in place and the QMS has been operational for a period of at least 3 months.
- C. Liaise with the Notified Body about their availability and capacity to take on new clients.
If the Notified Body doesn't have the capacity to review your technical files, then companies can approach another Notified Body.
In our case, the client was already going through an ISO 13485:2016 Audit by Notified Body A, who confirmed that they didn’t have the capacity to review the technical files. Since Notified Body A cannot review the technical files, the Company can contact a different Notified Body [Notified Body B] to undertake a Technical File Review. But … there is a catch!
If a Company has an ISO 13485:2016 certificate from one Notified Body [i.e. Notified Body A] but Notified Body A doesn’t have the capacity to review the Company's technical file(s), then the Company can approach another Notified Body [Notified Body B].
Notified Body B, however, will not accept the ISO 13485:2016 certificate from the first Notified Body [i.e. Notified Body A]. This is because hidden away in the EU Medical Device Regulation is the phrase ‘quality oversight’. Notified Bodies are interpreting this phrase ‘quality oversight’ as meaning that they must re-audit the QMS of the company because the ISO 13485:2016 certificate was awarded by a different Notified Body. This re-audit of an already certified QMS (by Notified Body A) then ensures that Notified Body B meets their obligations under the EU Medical Device Regulation by having ‘quality oversight’.
If a company is ‘caught’ in this scenario they will pay for Notified Body A to audit their QMS and provide them with an ISO 13485:2016 certificate and then pay Notified Body B to audit their already certified QMS so that Notified Body B can also review their Technical Files because Notified Body B now has ‘quality oversight’. In this scenario, companies are facing a doubling of costs.
This is a good example of whyl MedTech companies must develop a robust regulatory strategy to ensure that costs are kept to a minimum and that they are able to do things “right first time”.. A “blind bull run” will only result in wasting time, resources and money.
Protect your resources by contacting our RAQA Advisers for complete regulatory support! Book a FREE 30 Minute One-2-One call with one of our RAQA Advisers by sending an email to: mdd@mddltd.com or on our Calendly page – BOOK NOW
- Risk Based Processes
The 2016 version of the ISO 13485 standard strongly emphasises the idea of using risk-based processes. The standard reminds companies to consider whether they assess risk after completing a process or task. Unfortunately, many companies make mistakes when they treat this reminder as a checkbox activity. It's crucial to accurately document all risk assessments and link them back to your Risk Management File. There are different levels of risk, and it's essential to manage and score them appropriately. This is not something you simply ‘check off’.
When managing risk with your suppliers, there isn't a “one size fits all” approach. The risk-based processes you put in place should be directly proportional to how critical their part is to ensure your device's overall safety and efficacy. So one way to assess that level of risk is to look at how the supplier's component interacts with patients, for example. Anything that comes into contact with patients should be given a much higher risk score than a supplier for labelling.
A complaint about a device causing harm to a patient should receive a much higher risk score than a complaint about the device's packaging. Without a risk-based approach to complaint handling, your processes can become cumbersome, resulting in a "death by CAPA."
Risk management ties into your QMS so if you want to make sure you’re doing it right and right first time, please seek specialist advice. A vague process or one which no one follows could push you miles off course in obtaining ISO 13485:2016 certification!
Book a FREE 30 Minute One-2-One call with one of our RAQA Advisers by sending an email to: mdd@mddltd.com or on our Calendly page – BOOK NOW
We are here to be your regulatory risk partners for #MedicalDevices #Diagnostics and #DigitalHealth
