What is ISO 13485:2003?

Transcription

1 What is ISO 13485:2003? A step by step guide to ISO 13485:2003 QUALITY MANAGEMENT SYSTEMS

2 Contents *ISO 13485:2003 QUALITY SYSTEMS AND PLAN-DO-CHECK-ACT... 1 *SECTION 4.0 QUALITY MANAGEMENT SYSTEM... 6 *SECTION 5.0 MANAGEMENT RESPONSIBILITY... 8 *SECTION 6.0 RESOURCE MANAGEMENT... 9 *SECTION 7.0 PRODUCT REALIZATION *SECTION 8.0 MEASUREMENT, ANALYSIS AND IMPROVEMENT *WHERE CAN I FIND OUT MORE? WHO CAN HELP ME? *This symbol may only be displayed by those organizations that register with BSI. Users of this guide are reminded that copyright subsists. No part of this publication may be reproduced in any form without prior permission in writing from BSI, *2004. All rights reserved.

3 ISO 13485:2003 Quality Systems and Plan-Do-Check-Act An Introduction to ISO 13485:2003 Quality Management Systems This booklet has been produced as an introduction to ISO 13485:2003, a standard developed to specify quality management system requirements for regulatory purposes for medical device manufacturers. ISO 13485:2003 provides a framework to enable companies to meet their customer and regulatory requirements. The primary objective of this International Standard is to provide a harmonized model for quality management system requirements that satisfy international medical device regulations. This is in contrast to ISO 9001:2000 where the primary focus is a satisfied customer and business improvement. Medical device manufacturers need to ensure that all medical device products are safe, fit for their intended purpose and that their products and their design and manufacturing quality management systems meet Regulatory requirements. Organizations whose quality management system conforms to ISO 13485:2003 cannot claim conformity to ISO 9001:2000 unless their quality management systems also conforms to all the requirements of ISO 9001:2000, including the additional requirements for customer satisfaction and continuous improvement. The benefits of an ISO 13485:2003 compliant quality management system to the thousands of companies worldwide include: 1. Recognition by regulators around the world of ISO 13485:2003 as a good basis for addressing medical device design and manufacturing regulatory requirements 2. Controlled consistency of manufactured products 3. Managed productivity and efficiency, controlling costs 4. Competitive advantage and increased marketing and sales opportunities. 5. Improved customer perception of the organization s image, culture and performance. 6. Improved communications, morale and job satisfaction staff understand what is expected of them and each other. 1

4 ISO Quality Systems Two Medical Device Regulatory Affairs Managers are meeting for dinner and get onto the topic of ISO Q. We hear you are registered to something called ISO 13485? A. Yes, we are, and what a difference it makes to our organization. Q. Really? We don t fully understand what ISO is. A. It s an international standard for quality management systems for medical device manufacturers to address regulatory requirements and is becoming recognized worldwide. Q. What s a quality management system A. The ISO quality management system is a common sense, documented business management system for medical device manufacturers of all company sizes. If you think of a business as a set of processes, it identifies the key process areas that need to be addressed to ensure quality is managed effectively and consistently. Q. What is a process? A. A process is an activity, supported by resources and management, for enabling the transformation of inputs into outputs. The outputs from one process often form the input to the next. Q. So what does ISO have to do with processes? A. ISO 13485:2003, based on the ISO 9001:2000 process model, suggests that the application and management of a system of processes is an effective way to ensure good quality management. The standard strongly infers that clients should consider using ISO 9000:2000 to ensure understanding of the Process Model, definitions and other items of concern, too. Q. So what are some of the primary differences between ISO 9001:2000 and ISO 13485:2003? A. A large difference is the focus on Continual Improvement and Customer Satisfaction in ISO 9001:2000 but not in ISO

5 In ISO 9001:2000, the process approach is utilized and includes continual improvement and customer satisfaction in the model. To adopt this process approach, ISO 13485:2003 adopts the Plan-Do-Check-Act (PDCA) methodology that can be applied to all processes and can briefly be described as follows: Plan: Do: Check: Act: establish the objectives and processes necessary to deliver results in accordance with customer requirements and the organization policies. implement the processes. monitor and measure processes and products against policies, objectives and requirements for the product and report the results. take actions to improve process performance. OK, so both ISO 13485:2003 and ISO 9001:2000 quality management system models are based around the management of individual processes, which when put together as a whole, help you to effectively manage your entire business. The continual improvement is the next step for ISO 9001:2000 but is a little different for ISO 13485:2003. The flow model of processes in ISO 13485, looks like this: 3

6 Q. Why is there a difference between ISO 9001:2000 s continual improvement model and ISO s general improvement model? A. The reason is to make ISO consistent with the objective of addressing the current regulatory thinking and to facilitate the harmonization of new medical device regulations around the world. Continual improvement of the quality management system is a business improvement initiative but not necessarily relevant to regulatory compliance. Q. So why are Continual Improvement and Customer Satisfaction de-emphasized in ISO 13485:2003? A. Both are de-emphasized because when a product is created for medical purposes, it is understood to be developed with the latest technology available and to meet customer requirements, which are primarily patient protection and regulator orientated, since lives are involved. Instead of driving towards continuing to improve the effectiveness of the quality management system, ISO 13485:2003 requires the organization to maintain the effectiveness of the quality management system. 4

7 Section 4.0 Quality Management Systems Q. That s interesting. So where would we start? A. Well, now I have introduced you to the basics, you would start by looking at Clause 4.0 as this really sets the scene for the rest of the ISO standard. It emphasizes the need to document, implement and maintain a quality management system and maintain its effectiveness. Section 4.0 has a strong relationship with the other 4 clauses. It covers documentation requirements, including the need to create a quality manual and documented procedures required by the standard. Section 4.0 also requires documented statements of quality policy and objectives. Please bear in mind one very important difference between ISO 9001:2000 and ISO 13485:2003 in the area of documented procedures. Where the standard says documented procedures, the organization must have a procedure that is written, controlled and effectively implemented. ISO 9001:2000 only requires 5 documented procedures. Be sure to go through ISO 13485:2003 and find everywhere it says documented procedure and ensure there are no gaps in your quality management system. For example, ISO 9001:2000 requires a process for purchasing; ISO 13485:2003 requires a documented procedure. Q. Is that all we need? A. Not exactly, it also requires us to control documents we create and to control records that demonstrate we have followed our system. Q. Is there a lot of documentation involved in the Quality System and manual? A. I know it does sound that way, and it is a commonly held misconception. Many companies are getting very smart in how they present their quality system and manual. A quality system could be anything from a creative one page to a very large document. Organizations need to look at what is best for their business. 5

8 They should avoid creating overly burdensome documentation as this is not the intent of the standard. Many companies are using process mapping software and business mapping to clearly identify what documentation is critical in the application of their quality management system. Many others are placing their quality system on intranets or referencing material on the internet. Key to an effective quality management system is to keep things simple to reflect what actually happens and not what you would like to happen. Document and Data Control Q. OK. So who needs what information? A. Procedures and other information are only given to those who really need them, and we keep a record of what we have issued to whom. Q. What happens if things change? A. Easy, we update the information and inform the relevant people as part of the formal system. We then ensure obsolete documents are archived and kept for the required record retention times after which they can be archived or destroyed. Control of Quality Records Q. What information do we need to keep? A. We need to retain information which demonstrates that activities carried out within the quality system were to our satisfaction. For example, records of staff training, reviewed contracts and inspected products, as well as evidence of legal and regulatory compliance. 6

9 Q. OK. What comes next? A. Well naturally, any good quality management system starts at the top, so senior management should be involved. This is an important component to ensuring that the quality management system works efficiently. Section 5.0 Management Responsibility Q. What do you mean by senior management? A. In the context of ISO 13485, senior management are the people responsible for setting quality policy for a given location or activity. They could be the CEO, a site manager or a corporate quality director. ISO has a strong emphasis on top management involvement. Q. Are there things they will already be doing? A. I d think most organizations will be doing some of them, such as communicating the need to maintain the effectiveness of the quality management system, meet customer, regulatory and statutory requirements, as well as, having a clearly identified organizational structure. Q. What does organizational structure have to do with quality A. It s to ensure all staff are aware of lines of responsibility and understand what impact their decisions have on the organization. Q. So what might we not be doing? A. Most of this element involves formalizing the quality management system and giving it legitimacy. One example is through management review meetings (documented records must be maintained), where the management representatives responsible for implementing the quality system reports back to top management on performance. There is also a requirement for a statement of commitment to quality from top management, through the quality policy. 7

10 6.0 Resource Management Q. OK, so we have management commitment and the infrastructure to help maintain quality. What else is needed? A. Well, the day-to-day management of quality and effectiveness relies on using the appropriate resources for each task. These include the people conducting activities, the tools they have and supporting services. Q. So is staff training part of the quality system? A. Most certainly, as is the working environment in which they operate, meaning the workplace and whether it is well lit, ventilated and ergonomically correct. The management review mentioned earlier may result in the need to change the environment or improve staff training. Environment and staff training have effects on product quality, meaning focus in this area, helps not only the quality system, but also the company. Q. Do we need to demonstrate that our staff are competent for their roles? A. Yes. This can be done by showing they have had the appropriate classroom or on the job training, or that they have sufficient years of experience to be considered competent. By reviewing before and after training it is easy to demonstrate whether or not a person is more effective as a result. Q. Does that include what they do, or is it just the tools? A. It s just the tools. What they do is covered in Product Realization in Clause 7.0. Don t forget it includes the equipment and environment in which they work. 8

11 7.0 Product Realization Q. Does Product Realization mean the products and services we provide? A. Yes. Once you understand what the customer requires, you need processes in place to ensure these requirements are met, and their effectiveness is measured. In this standard, because of the importance of medical device safety and the significance of changes, risk management is strongly emphasized and required throughout product realization. Another International standard, ISO 14971, provides guidance on risk management requirements. Q. OK, then what s next? A. First, you must decide whether you are responsible for design of devices, under some regulatory requirements, for higher risk devices. Even though you are not conducting design internally, you may still be responsible for ensuring that the design process is controlled. If design is your responsibility, then design process must be defined and controlled, records maintained and risks managed. The standard is very concerned that all devices are designed and developed to be safe and fit for their intended purpose, so there are strong requirements for design verification and validation. Q. That makes sense. Then I suppose you have to plan the production process? A. Yes, planning, scheduling resources, and purchasing are all part of this process. You have to ensure service that where appropriate processes are validated, that there are work instructions (so people know what they are doing), traceability of products is controlled, and that preservation, monitoring and measurement procedures are all in place. You also take responsibility for defining and controlling outsourced processes and services that may be provided by other locations or subcontractor / suppliers that effect your products. 9

12 Q. So how do I know what a customer requires? A. Well, you need to establish customer requirements from the outset. You also need to understand their unstated requirements, such as what the product is going to be used for. At the same time, you must also meet statutory and regulatory requirements of the markets where you intend to place products. Q. So is that how we ensure that the customer gets what they want and we maintain our quality? A. Yes, but it doesn t end there, as customer feedback is part of our quality management system, both negative and positive. 10

13 8.0 Measurement, Analysis and Improvement Q. What does this section involve? A. Well, Section 8.0 is the key to a successful business. It involves measurement and analysis to identify areas of improvement. Q. What does our organization need to measure and analyze? A. Feedback is a good place to start, internal audits are another. There are many possibilities here, including monitoring and measuring of our processes and product. Q. What happens if our processes result in a nonconforming product or service? A. If that happens, your organization needs to ensure that any resulting product is prevented from unintended use. A documented procedure needs to ensure that action is taken to eliminate the defective, nonconforming product, and that the product is dealt with in an appropriate manner. Of course, meeting regulatory incident reporting requirements are also important when dealing with nonconforming medical device products. Q. You mentioned analysis of data. What data should our organization measure? A. The requirements are that you measure feedback at a minimum, conformity to product requirements, characteristics and trends of processes and products as well as suppliers. Q. What about improvement? A. The standard references the use of the quality policy, objectives, audit results, analysis of data, corrective and preventive actions and management review to maintain the effectiveness of the quality management system. 11

14 Q. Corrective and Preventive actions what does this involve? A. The aim of the standard is the prevention of nonconformity. This can be done in two ways - through corrective or preventive actions. Corrective actions are put into place once something has been identified as having gone wrong. Corrective actions should not be confused with corrections. Corrections are related to correcting the immediate problem. Corrective actions deal with the prevention of recurrence. When things go wrong, we do root cause analysis to understand the underlying reasons for a problem. Preventive actions are more proactive and are put in place once something has been identified as having the possibility of going wrong. Of course, it is necessary to keep records of any correction, corrective or preventive actions taken. Q. It really does sound useful. What are some overall advantages again? A. Well that gave you a flavor of what is involved in developing a quality management system to the requirements of ISO 13485:2003, and I m sure you will agree it makes a lot of sense. Our experience shows that a well-implemented system has helped us: meet regulatory and customer requirements increase effectiveness of processes improve staff morale reduce waste focus on risk management improve awareness of improvement opportunities know how to respond when things go wrong 12

15 Q. At the beginning I said I heard you were registered to ISO 13485, what does being registered mean? A. Well, being registered means that a 3rd party such as BSI visits and assesses the way your system and processes work within the company. If everything is running in accordance with the requirements of the standard, they issue a certificate registering us to ISO This gives independent verification to our customers and other stakeholders that we are a quality company. For further information, please contact BSI Management Systems: USA Tel: Fax: Canada Tel: Fax: inquiry@bsiamericas.com 13

16 YOUR QUESTIONS ANSWERED I S O : BSI Management Systems Sunset Hills Road Suite 200 Reston, VA USA Tel Fax BSI Management Systems Canada Inc. Quality Management Systems 17 Four Seasons Place Suite 102 Toronto ON M9B 6E6 Canada Tel Fax inquiry@bsiamericas.com shape the future BSI Group: Standards Information Training Inspection Testing Assessment Certification BSIUSA47/MS/0409/E