Implementing a medical device quality management system, or QMS, is a regulatory requirement for medical device manufacturers. In the medical device industry, there is a strong focus on the regulatory requirements and creating conforming procedures. But a QMS should also make the organisation efficient and result in products that have high quality.
As such, implementing and maintaining a QMS requires skills beyond regulatory requirements. The art of implementing and maintaining a medical device QMS is rarely described and few training courses are available.
This illustrated guide was written by Peter Sebelius, who has implemented numerous quality management systems throughout his career and is a member of the Joint Working Group which authored the latest version of ISO 13485.
This guide will:
- Provide a useful overview of considerations when implementing and maintaining a QMS,
- Address common pitfalls and how to avoid them, and
- Explain what a Quality Management System (QMS) is.
What is a medical device Quality Management System (QMS)?
A Quality Management System, or QMS, is a comprehensive framework, or set of documented procedures, that guides people in an organisation to consistently deliver products that meet customer and regulatory requirements.
According to the ISO 9000:2015 standard, a Quality management system is defined as:
Quality management system
a system to direct and control an organisation in terms of quality.
Having a QMS that meets the requirements of applicable norms and standards is required for medical device manufacturers and is a regulatory requirement. Thus, manufacturers cannot legally place their medical devices on the market without it.
Some people may frown upon implementing a QMS, thinking it is burdensome and creates significant overhead for the organisation. However, a QMS is not much different from a playbook or onboarding documentation organisations in non-regulated industries would implement to achieve organisational efficiency.
The documented procedures of the QMS should act as comprehensive guides, ensuring seamless onboarding of new hires, streamlined workflows, and adherence to quality standards. And when properly implemented, it is an investment that should pay itself back with improved organisational efficiency and reduced failure costs, both internal as well as external. Not to mention improved customer and employee satisfaction.
The bitterness of poor quality remains long after the sweetness of low price is forgotten. – Benjamin Franklin
Why start-ups must implement a quality management system
For a medical device manufacturer, implementing a QMS based on the ISO 13485 standard will cover a lot of what is required, but it is not sufficient in itself.
The norms and standards that the medical device quality management system must meet depend on the type of medical device and which market the device is to be placed on:
- For the EU market
  - 2017/745 – The Medical Device Regulation (MDR), or
  - 2017/746 – The In-Vitro Diagnostic Medical Device Regulation (IVDR), and
  - ISO 13485 – Quality management systems – Requirements for regulatory purposes
- For the US market
  - 21 CFR 820 – The Quality System Regulation
There may be other norms that have to be implemented in the QMS, for example:
- 2016/679 – General Data Protection Regulation (GDPR)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
There are also voluntary standards that may be considered, for example:
- ISO 14001 – Environmental management systems – Requirements with guidance for use
- ISO 27001 – Information security, cybersecurity and privacy protection – Information security management systems – Requirements
All the norms and standards above can be integrated into one quality management system.
The structure of a medical device QMS
Even though there are some variations in terms of the requirements, most QMS will include the following elements:
What is an ISO 13485 quality manual?
The quality manual is the top of the QMS and the starting point for anyone who is attempting to access the QMS to understand, use or audit it.
Think of the quality manual as the document you would give someone who wants to understand how you work with quality.
And as it is the starting point, it makes perfect sense, and is also required, to include the documented procedures in the quality manual or to reference the SOPs that contain them.
Below is an example outline of an ISO 13485 + MDR quality manual:
1. Purpose
2. Scope
3. Contents
4. Introduction
4.1. Regulatory framework and purpose of the QMS
4.2. Scope of the QMS
4.3. Exclusions and non-applicability
5. Quality management system
5.1. Quality policy
5.2. General
5.3. Main processes
5.4. Supporting processes
5.5. Quality management system structure
5.6. Technical documentation
5.7. Control of documents and records
6. Management responsibility
6.1. Management commitment
6.2. Quality policy and objectives
6.3. Responsibility, authority, and communication
6.4. Management review
7. Resource management
7.1. Human resources
7.2. Infrastructure
7.3. Maintenance
7.4. Work environment and contamination control
7.5. Design and development
7.6. Manufacturing of products
8. Feedback, measurement, analysis, and improvement
8.1. Feedback
8.2. Complaints and reportable events
8.3. Internal and external audits
8.4. Unannounced audits
8.5. Corrective actions and preventive actions
8.6. Improvement
9. Change history
10. Annual quality plan
What is an ISO 13485 standard operating procedure or SOP?
The standard operating procedures (SOP) are written instructions that describe how a process should be carried out.
SOPs may differ in their level of detail; a product lifecycle SOP may describe the process of the initiation of a product development project all the way to removing the product from market. Such a document would naturally be written on a fairly high level. Other SOPs may be very granular and detailed, for example defining exactly how to process a customer complaint.
The ISO 13485 will require an organisation to have about 31 documented procedures. The ISO 9000 standard defines procedure as:
Procedure
specified way to carry out an activity or process
Note 1 to entry: Procedures can be documented or not.
Does this mean that the organisation must have 31 SOPs? The answer is no.
The SOPs are paper or electronic documents containing the documented procedures. This means that one document, SOP or even the quality manual, could contain one, two, half or just about any number of documented procedures.
Forms and templates for ISO 13485
An absolute majority of medical device manufacturers will have both forms and templates in their QMS but they are not explicitly required.
In fact, neither forms nor templates are mentioned in ISO 13485. But it is strongly recommended to implement forms and templates in your QMS to assist creating records and data collection.
Records
Records are at the lowest level of the QMS. It could be argued that they are not part of the medical device quality management system, but rather the output of operating the quality management system.
Records would be the documents that are created and show the results of something, for example, the meeting minutes from a design review meeting. This would be a record that shows that the design review took place and the relevant information relating to that design review.
Records are often created using either forms or templates.
Paper-based QMS or eQMS?
In this article, three different platforms or media for the QMS will be discussed:
1. Paper based QMS
The traditional QMS is created using paper-based documents. This is true for both the SOPs and the records that are created.
2. eQMS
There is an increasing number of platform providers where the QMS can be hosted on a digital platform. Often, this means that the QMS is found on a cloud-based server.
3. Hybrid QMS
Lastly, there are hybrid QMS. This means that some parts of the QMS reside in an eQMS, whereas other parts or records are created using paper documents. For example, the procedures may be digital, but the batch release form is paper-based and signed using a pen in production when a batch release is performed.
The ten-thousand-dollar question is, which system is best? The answer is that it depends. The different solutions offer different pros and cons, and these depend on the context of the organisation.
If a new QMS is implemented from scratch for a small organisation, a paper based QMS will be cheap and fast because the number of documented procedures and records created is limited.
Start-ups will typically be very focused on product development, and the technical documentation may be limited to one product only. This can quite easily be managed by using paper documents or even scanning the original paper documents to make them available in a shared file storage space.
In this situation, it is hard to justify the investment of an eQMS that can easily cost from 1000 EUR or USD per month for a small start-up. However, if the organisation is spread out with people working from different locations, the burden of sending paper documents back and forth can be very costly and inefficient, and therefore, justify the use of an eQMS already at an early stage.
The more products, documents, and personnel the organisation gets, the more challenging it will be to implement and maintain the paper based QMS successfully, and in comparison, the eQMS solution will start showing its advantages by streamlining the review and approval of documents and ensuring that documents do not need to be physically chased around when pending approval and signing.
QMS stakeholders
Understanding who your stakeholders are is an important aspect of business life in general. It is also very important when implementing or changing a QMS.
In any situation when a QMS is to be changed, stakeholders should be identified and considered. This does not mean that a complete stakeholder register should be established, but the persons working on the change shall, at least, have a mental awareness of who the most important stakeholders are.
In ISO 9000:2015, stakeholder, or “interested party”, is defined as:
Interested party
Stakeholder
person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity.
The Medical Device HQ project management course uses a stakeholder overview similar to the one below. In this version of the stakeholder overview, the stakeholders that should typically be considered for changes to a QMS have been highlighted with yellow.
Please note that the overview is not a comprehensive list of stakeholders to consider, but only a general guide.
One should remember that notified body auditors, or the FDA, are stakeholders of any change made to the QMS. Although some changes to an existing QMS require notification to notified bodies, it does not mean that every change must be actively communicated to a notified body. It merely means that one should consider notified bodies as a stakeholder when implementing the change.
Another important stakeholder group is the personnel. And in this instance, it is the personnel that would have to be trained on the procedures and perform the tasks that are described in the procedures.
Writing the QMS for the auditor or the personnel?
There will always be conflicts between the interests of different stakeholders. The conflict described in this section is based on the following observations:
- A QMS that is easy to audit is often more challenging to work according to, and
- a QMS that is easy to work according to is often more challenging to audit.
For some processes, the above statements are not true, but for many, they are. The reason is that the auditors and personnel performing work use the QMS for two completely different purposes. But they are working with the same documents.
Auditors compare the procedures with audit criteria to determine the extent to which the organisation conforms to the requirements.
Personnel either read the procedures to be trained on how to perform work, or they use the procedures for instructions while carrying out the work.
The above purposes are completely different and this is where the conflict of interest lies.
The example below explains the conflict.
The ISO 13485 standard requires organisations to document procedures to determine, collect and analyse appropriate data to demonstrate, among other things, the effectiveness of the QMS. To do this, data collection will have to take place in many of the organisation’s processes that are covered by multiple procedures.
From an auditor’s point-of-view, the easiest solution would be to write one data analysis procedure describing how and where the data collection should be carried out.
For the personnel engaged in the many processes that include data analysis, it is best if the tasks relating to data analysis appear as integral parts of the procedures according to which the work is carried out.
This is one clear example of where the auditors’ interests are in conflict with the personnel’s interests.
With some diligent considerations, the recommendation is to write the QMS to achieve good quality, including safe and effective medical devices, thus focusing primarily on the needs of the personnel. However, sometimes compromises have to be made.
Who should write the SOPs?
It is a common misunderstanding that anyone who understands the regulatory requirements can successfully write SOPs. It is indeed important to understand the regulatory requirements, but it is not sufficient in itself because one must also understand how to perform the work that the SOP describes.
Let’s take risk management as an example. ISO 13485 points to the ISO 14971 standard on the application of risk management, but even if you understand the requirements of both ISO 13485 and ISO 14971, it does not make you an expert in risk management. Thus, you will not be able to describe how to perform risk management in a meaningful way without knowing how it is supposed to be done.
And it doesn’t end there, because even if you know the regulatory requirements and how to carry out the work, writing a procedure is in itself a knowledge area that must be mastered. This covers aspects such as what language to use, writing the procedure so that it does not expose you to unnecessary risk of nonconformities, and making the procedure understandable to the target audience. All three knowledge areas above must be covered to create high-quality SOPs.
This leads us to the question of who should be writing the SOPs. In start-ups, it is not uncommon that knowledge is missing in the areas of regulatory requirements and how to write a procedure. Training courses on how to write procedures for the medical device industry are rare, and without such training, one might have to rely on expensive external regulatory consultants.
Sometimes, even the knowledge of how to do the work is missing, for example, in usability engineering or risk management. In those instances, the knowledge must be brought in by training the existing staff, hiring staff with knowledge, or temporarily hiring external consultants with the needed knowledge.
If all three knowledge areas are fulfilled only by external consultants, there is a significant risk that the implementation will fail. It would be the equivalent of hiring a professional chef to come to your home to cook for you. After serving an amazing five-course dinner, the chef would leave you with the recipe and trust you to repeat the cooking the next day. This is very likely to result in failure.
Therefore, at least some knowledge must be internalised by training or hiring staff with the required knowledge.
Furthermore, the less engaged the staff is in creating procedures, the less committed they will be to conforming to the procedures, and the “not invented here”.
Not Invented Here, or NIH for short, is a term used to describe a cultural attitude or mindset within an organisation where individuals or groups reject ideas, products, or solutions that originate externally, preferring to rely on internal developments or creations. It can manifest as a reluctance to adopt external innovations, technologies, or best practices simply because they were not internally generated. NIH can also negatively impact the implementation of procedures.
How can templates help streamline the implementation of a quality management system?
The contents of a QMS can be created in many different ways. This section applies to situations when a new QMS is implemented. The information may also, in part, be applicable to situations where an organisation already has a QMS but is expanding the scope of the QMS by implementing new requirements or adding new processes to the existing QMS.
Two main considerations are what to start from when writing a procedure, and who will write it.
Regarding starting points, the two extremes are to:
- Write everything from scratch, or
- use a set of templates.
Assuming an organisation is working on developing and manufacturing a medical device, it is very rarely worthwhile to write a QMS from scratch. It saves a lot of time having templates to start from. Generally speaking, writing everything from scratch is not recommended because:
1. Time is spent on writing generic wording and definitions instead of properly documenting how the work should be performed.
2. The risk of forgetting important aspects increases without a template as a starting point, and this in turn increases the risk of nonconformities and failed audits.
What are the risks when using templates to create a quality management system?
In the previous section, the issues with completely outsourcing the authoring of SOPs to external consultants were discussed. It is not recommended to have only external consultants involved in writing procedures.
The recommended approach is to use templates as appropriate. Some content or procedures may have to be written from scratch, which is acceptable when there are no templates available.
If the quality management system is implemented based on a set of templates, it is important to ensure that the templates cover the appropriate regulations. For example, a set of QMS templates created based on ISO 13485 will not meet the MDR, IVDR or QSR requirements. Some procedures will be missing or different and must be added to such a set of templates.
Implementing QMS templates without tailoring them to the situation is not recommended. As templates have been created with the intent of them working for a wide range of companies, they are unlikely to provide the necessary support of how to work if used “out-of-the-box”.
ChatGPT can be used to generate procedures as an alternative to ready-made templates. The output of ChatGPT cannot be trusted to the same degree as a template made by an expert, but as a framework or inspiration, the outputs from ChatGPT can provide a lot of value to someone experienced in writing procedures according to regulatory requirements.
It is very unlikely that templates will work well for a large organisation that already has products on the market that are not classified as medical devices and must now implement a QMS that meets, for example, ISO 13485 requirements.
In most cases, it would be more appropriate to document how the organisation works and identify any gaps and address them by updating the existing QMS or adding new custom procedures written from scratch.
The risk-based approach
When considering risk in the medical device industry, the most common reference is to risk, as defined in ISO 14971, which is about product safety risk management. ISO 14971 defines risk as:
Risk
the combination of the probability of occurrence of harm and the severity of that harm.
And when you read the definition of harm, you’ll find that it includes property, the environment, and people. Remember that the term ‘people’ is not only restricted to patients, but includes bystanders, users, and just about any human being.
ISO 13485 does not only refer to risk management as it’s defined in ISO 14971. Let’s examine that closer.
Section 0.2 of the ISO 13485 standard states that when the term ‘risk’ is used, it pertains to safety or performance requirements of the medical device, which is well in line with what we do when doing product safety risk management according to ISO 14971.
The last part of this clause makes it a bit more complicated, because it includes meeting applicable regulatory requirements in the scope of the word ‘risk’.
When you define the processes of your organisation and establish the procedures, you have to consider clause 4.1.2 of ISO 13485. It requires you to apply a risk-based approach to the control of the appropriate processes needed for the quality management system.
So, in this context, you need to consider both risk as it relates to harm to people, as it is defined in ISO 14971, but also the risk of regulatory nonconformities as it is mentioned in 0.2.
Leading change
For simplicity, hereinafter “change of the QMS” means the implementation of a new documented procedure or a completely new QMS, as well as a change to existing documented procedures.
When implementing a new QMS, or even just a change of an existing QMS, each change can be plotted on a continuum between two extremes.
1. The ways of working don’t change at all, the change or new QMS only documents the already existing procedures.
2. The new or changed procedures describe a completely new way of working, thus the ways of working must change completely.
All changes will exist on or between the two extremes.
The more the change introduces new ways of working, the more important it is to lead the change. Without leading the change, the change may never become more than an updated documented procedure.
From a quality management perspective, if the working methods do not match the documented procedures, the procedures are neither effective nor established, and both are required. This will result in nonconformities when the organisation is subject to audits.
The term ‘lead the change’ has been borrowed from the hallmark article Leading change by John F. Kotter in the Harvard Business Review. The article describes ten principles that should be employed when working with organisational change. The three most valuable principles of the ten in the context of QMS changes are listed below.
1. Establish a sense of urgency
Create a compelling reason for change. Leaders must communicate a sense of urgency to motivate individuals to actively participate in change.
Quality means doing it right when no one is looking. – Henry Ford
Unfortunately, experience shows two situations where it is easier to change things than at any other time in a medical device company. These are:
- Before an audit, and
- after an audit when nonconformities have been received.
You will likely find that changing procedures is easier at this point than at any other time. Use this to your advantage.
2. Communicate the vision
Effective communication is vital to ensure that everyone understands the vision and strategy.
Consistent messaging helps build understanding and commitment among employees. This may be less important in conjunction with a minor change, but for a larger change, it is crucial. Spend the time necessary to communicate the vision.
3. Deal with resistance
Leaders must anticipate and address resistance to change. Open communication, training, and involvement can help mitigate resistance and foster a more positive reception to the changes and avoid “not invented here”.
Training medical device personnel
It is absolutely instrumental to provide training to personnel on the QMS and how to perform the work.
ISO 13485 requires the organisation to determine the necessary competence for personnel performing work affecting product quality and to provide training or take other actions to achieve or maintain the necessary competence.
In addition, it is required to evaluate the effectiveness of training actions taken, meaning confirming that the training achieved the planned results.
The most common training method in the medical device industry and why it doesn’t work
Despite the many and clear requirements on training in ISO 13485, the most common method of training in the medical device industry is referred to as “read and understood”. It could even be questioned whether “read and understood” should even be considered “training”.
“Read and understood” typically means that personnel receive the procedures of the company when they are hired or updates as procedures are changed. They should then read and sign off that the procedure has been read, understood, and that they will work according to the procedure.
Not only are procedures one-way communication with limited or no possibility to ask an instructor questions, but the procedures were not intended as training material. There is an infamous term called “death-by-PowerPoint”. There ought to be an analogous term called “death by reading and understanding procedures”. I have come across examples where new hires have been tasked with reading between 50–100 procedures when they start their new job, and they have left before completing the reading.
But not only that, “understood” means that the person doing the self-studies is the one confirming that he or she has understood the content.
The Dunning-Kruger curve is a psychological phenomenon that describes the relationship between one’s actual skill or knowledge level and their perceived competence. It suggests that individuals with a low task ability may overestimate their ability, while those with a high ability may underestimate their own competence.
The curve typically illustrates a U-shaped pattern, with a peak representing the point where people are most likely to overestimate their abilities.
If one combines the Dunning-Kruger curve with the fact that people themselves are confirming their understanding of the procedures they read, there is a high likelihood of having personnel that sign that they understood the procedure but lack knowledge or skills and are not aware of their deficiencies.
In the context of training, personnel who simply sign off on “read and understood” without truly comprehending the material may be in a state of unconscious incompetence. They may falsely believe they understand the content but lack the awareness of their gaps in knowledge.
Should “read and understood” never be used?
There are cases when “read and understood” can be used. For example, it can be combined with other types of training, or used when the change is minor and personnel are therefore expected to understand the change from reading the procedure alone.
What training should be used?
To achieve the intent and meet the requirements of the standard and achieve good quality, the recommendation is to develop purpose-built training materials and apply proper methods to train personnel based on the needs and objectives of the training.
The effectiveness of the training should be evaluated. This can be done by practical examinations or multiple-choice question quizzes with pass/fail scores.
The company’s internal training may also be supplemented by training from external providers specialising in delivering medical device industry-specific training courses.
In MedicalDeviceHQ training courses, training effectiveness is evaluated by having a pre-course assessment quiz with random questions before partaking in the training and then taking a final exam at the end, again, with randomly selected questions. This way, the effect of the training can be measured.