The quality management system (QMS) is a central component of a medical device manufacturer. With the European regulations on medical devices (MDR) and in vitro diagnostics (IVDR) coming into force, the importance of quality management has increased even further. Even manufacturers of medical devices in risk class I are now required to have a QMS. Many other regulatory requirements are directly linked to quality management.
What characterizes a quality management?
The aim of quality management is to achieve defined quality objectives in a reproducible manner. To this end, an organization systematizes all workflows, defines processes based on them and documents them. Consequently, the QMS comprises all work processes of an organization including their documentation.
A QMS is not static. The goal is to achieve continuous improvements in quality and to meet the requirements of all stakeholders. Therefore, the organization must continuously monitor the processes and implement improvement measures. This is where the Plan > Do > Check > Act (PDCA) cycle plays an important role.
The QMS considers 3 types of processes:
- Management processes
- core processes and
- Support processes
The core processes comprise the value-adding workflows, i.e. this is where the organization plans, develops, produces and markets its products or services. The support processes are no less important and relate, for example, to material procurement or corrective and improvement measures. The management processes include activities that are usually the responsibility of the organization's management.
ISO 9001 is the internationally recognized standard for cross-industry quality management systems. It focuses on customer satisfaction as well as continuous improvement of the QMS.
For QMS for medical devices, the ISO 13485 standard is applied, which also focuses on the safety of medical devices. ISO 13485 is aimed at companies involved in one or more phases of the life cycle of medical devices, "including development, production, storage and distribution, installation or maintenance of a medical device, and development or provision of related activities (e.g. technical support)".
Requirements of the MDR for a quality management system
In Article 10 (9), "General Obligations of Manufacturers," the MDR states that manufacturers must "establish, document, implement, maintain, continually update, and continuously improve" a QMS. The QMS must include at least the following aspects:
- Compliance with regulatory requirements
- Compliance with conformity assessment procedures
- Management of changes to the product
- Compliance with essential safety and performance requirements
- Management accountability
- Resource management
- Risk management
- Clinical evaluation and follow-up
- Product realization
- Product traceability
- post-market surveillance system
- Communication with all stakeholders
- Vigilance
- Corrective and preventive action management
- Product improvement
The QMS includes all elements of a manufacturer's organization related to product quality.
The ISO 13485 standard
ISO 13485 describes the following essential aspects and follows the PDCA cycle in its structure.
Plan
Chapters 4, 5 and 6 of ISO 13485 define the general requirements for the QMS and describe the responsibility of performance as well as quality-related aspects of resource management (>Plan).
The management of an organization defines, monitors and takes responsibility for the quality policy and objectives, provides the necessary resources and defines roles and (partial) responsibilities. This includes the appointment of a management representative. The representative ensures that all processes required for the QMS are documented. In addition, the representative reports on effectiveness and potential for improvement to the management and promotes the application of the QMS in the organization.
There is a quality policy documented in writing, from which measurable quality objectives are derived, and tracking of which is the basis for corrective action. The management of an organization continuously evaluates the achievement and appropriateness of quality objectives as part of the management review.
The management of an organization ensures that the employees involved are or will be appropriately qualified and can prove this. If the QMS is certified by a Notified Body, it monitors the QMS through audits. Therefore, the organization regularly undertakes internal audits of its QMS to satisfy itself of its suitability in practical operation.
Do
Chapter 7 of ISO 13485 specifies the requirements for the realization of production and service provision (>Do).
At the beginning of a medical device is its development. The organization must plan the development and link it at an early stage with the regulatory requirements with regard to intended purpose or intended use. The development results are continuously evaluated, the procedure is modified if necessary, documented and transferred to production.
The organization must ensure that each product is manufactured according to the requirements defined in the QMS. The associated processes for production and service delivery must usually be validated. In general, the manufacturer must address and control all aspects that may affect the quality of the products as part of the QMS. This also includes transport and storage as well as delivery or installation on site. If suppliers are involved, the organization must also plan and verify procurement of materials, components or trades.
Check
Chapters 8.1 to 8.4 of ISO 13485 define the requirements for measurement and analysis aimed at checking the activities defined in the QMS (>Check).
The organization shall establish an appropriate feedback system for product conformity, record complaints and monitor a product on the market. The feedback system must meet the MDR requirements for post-market surveillance and also have a process to report serious incidents to the competent authorities during vigilance.
Overall, it is the organization's responsibility to ensure that all available and relevant data on the use of a product on the market are collected and evaluated. These are both the basis for continuous product improvement for the benefit of customers and for continuous improvement of the safety and performance of a product for the benefit of patients and legislators.
Furthermore, the manufacturer must also ensure the conformity of the QMS and maintain its effectiveness. Activities such as internal audits and process measurements play an essential role here.
Act
Chapter 8.5 of ISO 13485 defines the requirements for the improvement of products and the QMS (>Act).
The organization completes the PDCA cycle by drawing conclusions from the data on product use in the marketplace and initiating improvement actions. These actions are called Corrective Actions and Preventive Actions (CAPA). In order to arrive at suitable or appropriate CAPAs, it is a good idea to get to the bottom of the product or application defects by means of a detailed Root Cause Analysis (RCA). The organization continuously adapts its QMS to the new findings.
Practical implementation of a QMS
The practical implementation of a QMS according to ISO 13485 varies greatly from case to case. For the start of a QMS project in the company, it is recommended, for example, to use the VDE Quality-Map
Step 1: Identify stakeholders
- Who are the customers?
- Which regulators (e.g., legislators, standards organizations) are important for the product's market access?
- What government agencies does the organization deal with?
- Who are the distributors?
- Is there an authorized representative / importer?
- Who is the owner of the organization?
- Are there any suppliers?
- Are the identified stakeholders internal or external?
Step 2: Define products
- The goal is to satisfy the customer with a safe and efficient product
- What is offered to the customer as a product (or service)?
- For which indication and for which target group are the products intended?
Step 3: Identify regulations
- Which laws must be followed? (Attention: This concerns all relevant laws for the respective product, e.g. also the EU General Data Protection Regulation (GDPR)).
- Are there relevant guidance documents from the respective legislator or other stakeholders that are important for interpreting the legal requirements?
- Which standards may be important to achieve compliance with the legal requirements? In order, harmonized European standard, European standard, and international standard.
Step 4: Identify processes
- The ISO 13485 standard for the quality management of medical devices requires the documentation of certain processes
- Which processes required by ISO 13485 are not applicable to our product and why?
- Which processes are required by the relevant laws (MDR, DSGVO, etc.)?
- Which other processes can usefully supplement the quality management system?
- Who is responsible for which process?
The result is an individual process landscape of an organization with regard to all activities required throughout the life cycle of one or more medical devices. At the heart of the documentation is the quality management manual, which describes the entirety of the QMS. Procedural instructions (or process descriptions) document the actual process execution, i.e. the workflows in the organization. There are also other applicable documents, such as templates for plans and reports, information documents or work instructions.
On the basis of applicable documents, records are created that serve as proof that activities have been carried out in accordance with the QMS specifications. Both documents and records must be controlled, i.e. there is a defined release workflow in the company and the traceability and uniqueness is clearly regulated. As an international standard, ISO 13485 requires a medical device file with all generated records to demonstrate compliance with regulatory requirements (in the EU with the MDR). In the EU, the medical device file is essentially congruent with the technical documentation of a medical device.
Furthermore, from a practical point of view, the question arises as to how a QMS should be implemented technically. The spectrum ranges from paper-based file folders to special web-based cloud solutions and license-based on-premises software. Here, too, the individual situation of an organization is decisive for the selection of the best solution.
ISO 13485 is considered the internationally relevant standard for quality management systems of medical device manufacturers. However, the application of ISO 13485 is not legally binding. In addition, the legal requirements of the MDR for QMS are not congruent with those of ISO 13485. For this reason, the current European edition EN ISO 13485:2021-12 has been supplemented with Z-annexes, which establish the connection between the sections of the standard and the requirements of the MDR (and the IVDR) in detail. In our technical article "Quality management system for medical devices: What do I really need?" we go into detail about the practical implementation of a QMS according to MDR and EN ISO 13485:2021-12 using the example of software as a medical device.
Summary
The European regulations on medical devices (MDR) or in vitro diagnostics (IVDR) increase the requirements for the quality management system of medical device manufacturers and suppliers. In addition to the aspects already discussed, there is even an additional requirement: the newly introduced Responsible Person according to Article 15 MDR is explicitly also responsible for checking the conformity of the products to the quality management system.
Despite the complex regulatory requirements, the focus of a QMS should not be its rigid processing. The focus is on patient welfare and product-related quality objectives. Compliance then results from this. This conclusion cannot be drawn the other way around.
Despite all legal or normative requirements, the introduction of a QMS is an individual process and requires a tailor-made solution for the respective requirements of a company. We are happy to support you in implementing a process landscape that is as lean but effective and compliant as possible.
