Challenges and pitfalls in the implementation of ISO 13485

ISO 13485 is the standard that specifies the requirements for a quality management system for the design, production and provision of medical devices. Regulators in most markets expect or require conformity with it, so for a medical device manufacturer it is effectively mandatory.

The standard details these requirements in five chapters (clauses 4 to 8), preceded by the introductory chapters familiar from other quality management standards.

Although most of the requirements are well described, some are considerably harder to implement, and it is exactly these for which non-conformities keep piling up in audits.

In this blog post we will discuss the most challenging requirements of ISO 13485 and provide solutions to avoid common pitfalls associated with these requirements.

ISO 13485 is not identical to ISO 9001

Some companies already have an ISO 9001 certified quality management system in place when they decide to expand their product portfolio to include medical devices. At first glance, ISO 9001 and ISO 13485 seem to state the same requirements. Management teams therefore often allocate too few resources to their quality managers for implementing the ISO 13485 requirements in the existing quality management system.

The correspondence table in Annex B of ISO 13485 reinforces the impression that both standards define the same content. Anyone who has tried to build a QMS from this table knows that it cannot be implemented that way. The ISO/TC 210/WG 1 standardization group acknowledged this, stating in a 40-page publication that around one third of the requirements of the two standards are not comparable.

Scrutinizing both standards, you quickly notice that their goals differ. In addition to the obvious differences, such as the requirements for sterile medical devices, there are less obvious ones that result in increased implementation effort. Both standards require a risk-based approach when implementing the processes. ISO 13485 thereby focuses on health risks to patients, users and third parties, while ISO 9001 focuses on business risks and the long-term supply of customers with high-quality products.

The differences between these two standards are a topic in our ISO 13485 training course.

‘The stairs must be swept from above’

Some management teams have misinterpreted a quote from economics professor Hermann Simon, assuming that they can delegate the tedious tasks of writing a quality manual, quality policy, and quality objectives to their employees.

ISO 13485 makes top management responsible for the quality manual, the quality policy and the quality objectives. In practice these documents are very often written by the quality manager; at best management reviews them, at worst management ignores them entirely.

When management falls silent on questions about the quality manual and the quality manager has to step in, any auditor will realize that management has not fulfilled its obligations. The quality policy and the quality objectives in particular tell employees what the company's strategy is and where the journey should go. Since not all employees are aware of the company's long-term strategy, it is up to management to derive meaningful quality objectives from it and to set up the quality policy.

Search for the unknown

ISO 13485 requires manufacturers to identify and implement the applicable regulatory requirements. This activity is an input to the management review and is therefore the responsibility of management.

However, it can be difficult to search for something if you’re not even aware of its existence.

A good starting point is the list of harmonized standards. If the requirements of the harmonized standards are implemented, conformity with the Medical Device Regulation (MDR) or the In Vitro Diagnostic Medical Devices Regulation (IVDR) can be presumed for the aspects those standards cover. Unfortunately, the EU is taking its time with the harmonization of standards, so very few standards are currently harmonized. To identify relevant non-harmonized standards, manufacturers may search the publications of recognized standardization bodies. Since many standards would have to be purchased, manufacturers should consider hiring experienced consultants to narrow the selection down to the standards actually necessary for their product.

Not all regulatory requirements are captured by standards. In addition to regulations, directives and standards, national legislation and the state of the art must also be considered. Auditors refer to many state-of-the-art requirements found in so-called guidance documents. Such guidance is published, for example, by the IMDRF, the MDCG (and the older MEDDEV series), the NBOG and the FDA, and provides further information on the standards and on best practices.

Software tool validation

ISO 13485 requires a documented procedure for the validation of process software, but it does not say how that validation should be performed. As a result, many manufacturers do not know how to prove the suitability of their process software. Having used the software for years without issue is not evidence that auditors accept. They expect manufacturers to follow ISO/TR 80002-2:2017 Medical device software — Part 2: Validation of software for medical device quality systems.

This technical report describes how to validate process software efficiently. It also defines what process software is: software used in the quality management system, software used in production and service provision, and software used for monitoring and measurement.

Another guide to software validation comes from across the Atlantic: the GAMP 5 guide published by ISPE also describes the validation of process software. Both ISO/TR 80002-2 and GAMP 5 apply a risk-based approach, so the validation scope can be adjusted to the level of risk associated with the process software.
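What a risk-based validation of a process tool looks like in practice is easier to see in code than in prose. The following harness is an added example, not code from the original post or from ISO/TR 80002-2 or GAMP 5: the tool under validation (`lot_acceptance`, a constructed stand-in for a lot-release calculation), the three risk tiers and the test-case kinds they require, and the layout of the validation record are all assumptions for illustration. The harness executes predefined test cases against the tool, checks that the evidence covers what the tool's risk tier demands, ties the record to a fingerprint of the exact code that was tested, and refuses to report "validated" if any case fails or coverage is missing.

```python
"""Risk-based validation harness for a QMS process tool (added example).

Everything below is illustrative: the tool, the risk tiers and the record
format are assumptions, not requirements taken from ISO/TR 80002-2 or GAMP 5.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable


# --- tool under validation (constructed stand-in) -----------------------
def lot_acceptance(sample_size: int, defects: int, aql_percent: float) -> bool:
    """Return True if the observed defect rate is within the acceptable quality level."""
    if sample_size <= 0:
        raise ValueError("sample_size must be positive")
    if defects < 0 or defects > sample_size:
        raise ValueError("defects out of range")
    # Multiply first so exact boundary cases (e.g. 1 of 100 at 1 %) stay exact.
    return (defects * 100.0) / sample_size <= aql_percent


# --- validation harness ---------------------------------------------------
@dataclass
class TestCase:
    name: str
    args: tuple
    expected: object          # expected return value, or an exception class
    kind: str = "functional"  # functional | boundary | error


# Assumed risk tiers: the higher the risk, the more kinds of evidence required.
REQUIRED_KINDS = {
    "low": {"functional"},
    "medium": {"functional", "boundary"},
    "high": {"functional", "boundary", "error"},
}


def tool_fingerprint(tool: Callable) -> str:
    """SHA-256 of the compiled code object, so the record identifies exactly
    what was tested. For a real tool, hash the installed binary or package."""
    return hashlib.sha256(tool.__code__.co_code).hexdigest()


def run_case(tool: Callable, case: TestCase) -> bool:
    """Execute one case; an expected exception counts as a pass only if raised."""
    try:
        result = tool(*case.args)
    except Exception as exc:  # the tool failed: pass only if that was expected
        return isinstance(case.expected, type) and isinstance(exc, case.expected)
    if isinstance(case.expected, type):
        return False  # an exception was expected but the tool returned normally
    return result == case.expected


def validate(tool: Callable, risk: str, cases: list) -> dict:
    """Run all cases and build a validation record for the given risk tier."""
    required = REQUIRED_KINDS[risk]
    results = [{"name": c.name, "kind": c.kind, "passed": run_case(tool, c)} for c in cases]
    missing = sorted(required - {c.kind for c in cases})
    all_passed = all(r["passed"] for r in results)
    return {
        "tool": tool.__name__,
        "fingerprint": tool_fingerprint(tool),
        "risk": risk,
        "executed": datetime.now(timezone.utc).isoformat(),
        "results": results,
        "missing_coverage": missing,
        "status": "validated" if all_passed and not missing else "not validated",
    }


# Constructed test cases for the stand-in tool.
CASES = [
    TestCase("nominal accept", (200, 1, 1.0), True),
    TestCase("nominal reject", (200, 5, 1.0), False),
    TestCase("exactly at AQL", (100, 1, 1.0), True, "boundary"),
    TestCase("zero sample size", (0, 0, 1.0), ValueError, "error"),
    TestCase("defects exceed sample", (10, 11, 1.0), ValueError, "error"),
]

if __name__ == "__main__":
    print(json.dumps(validate(lot_acceptance, "high", CASES), indent=2))
```

The point of the `missing_coverage` check is that the scope is derived from the risk tier, not from whatever tests happen to exist: a high-risk tool with only functional cases is reported as not validated even though every executed case passed. The fingerprint should be re-checked whenever the tool is updated, since a record for one version proves nothing about the next.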

If you want to learn more about software tool validation, you can participate in one of our ISO 13485 training courses. If you need consultation about software tool validation, do not hesitate to contact us under

Internal audits

During an audit I participated in, an MDD auditor once said that he had found a non-conformity against requirement 8.2.4 Internal audit at every manufacturer he had audited.

This sobering statement highlights the significance of internal audits, not only to break an auditor's "lucky streak" but because internal audits are a powerful tool for the continued delivery of high-quality medical devices. To plan, carry out and evaluate an effective internal audit, manufacturers should follow ISO 19011. That standard not only describes a meaningful internal audit process but also provides valuable guidance on the competence of internal auditors. Many audit programmes are just tables with the dates of the audits, and audit plans often contain nothing more than a time schedule for when an individual department or process is to be audited. ISO 19011 goes well beyond such tables; for example, it requires the opportunities and risks for the audit programme and for every individual internal audit to be assessed.

By Verena Wieser, Medical Device Consultant

To avoid the pitfalls mentioned above and learn more about the quality management system standard ISO 13485, visit our website with a wide range of training and consulting services or contact us under



We look forward to hearing from you.
