The Quality Management System is a key element in the medical device industry. In certain countries, it’s required to register not only the medical device but also a company’s QMS, which is a different process than ISO certification by a Notified Body. Without a QMS, it’s impossible to market your device in the key markets, e.g. the EU or the US, even if your product is ready to launch. That’s why a QMS should be the first thing for medical device manufacturers to start from in their go-to-market strategy.
In this article, prepared in cooperation with Sara Juszczyk (Quality and Regulatory Affairs Manager), Sandra Jakiel (Quality Engineer), and Pawel Jurijkow (Senior Quality Engineer), we’re discussing the requirements for a QMS included in the ISO 13485, MDR and FDA’s regulations in detail.
What is a Quality Management System?
The Quality Management System (QMS) can be defined as a set of documented processes, policies, procedures, instructions and relations between them, determining the framework of the system, together with evidence from the activities carried out to confirm the implementation of these requirements.
The QMS covers all parts and elements of the manufacturer’s organisation – not only documents and procedures but also legal requirements, people and their competencies, communication and infrastructure required to manufacture the product.
Moreover, an important element of the QMS is the use of a risk-based approach to control processes. To minimise risks and prevent device-related incidents, manufacturers should establish a risk management policy as well as a system for reporting incidents and describing external corrective actions regarding safety.
For each process included in the Quality Management System, the organisation shall define the criteria and methods to:
- ensure that the operation and control of these processes are effective;
- ensure the availability of necessary resources and information;
- implement the actions necessary to achieve the planned results;
- monitor, measure and analyse these processes;
- and establish and maintain the records needed to demonstrate compliance with the standards and applicable regulatory requirements.
What are the requirements regarding the QMS in the EU?
EU requirements for the QMS are described in Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices (MDR). Nevertheless, the easiest way to meet the requirements is by following ISO 13485:2016 – Medical devices – Quality management systems – Requirements for regulatory purposes (Chapters 4-8). ISO 13485 defines the processes and procedures that medical device manufacturers must implement and maintain. The standard is harmonised for the MDR.
According to ISO 13485:2016, the organisation must demonstrate its ability to provide medical devices and related services that meet customer requirements and applicable regulations. Such services may be related to one or more stages of a medical product’s lifecycle, including the design and development, manufacturing, storage and distribution, installation or servicing of a medical device, or providing related activities (e.g. technical support).
The ISO 13485:2016 standard can also be used by external parties that provide services related to the Quality Management System. Moreover, distributors and importers must also ensure they have a Quality Management System in place.
The ISO 13485:2016 contains requirements regarding the following elements:
- Quality manual
- Quality policy
- Quality objectives
- Technical Documentation of the medical device (Medical device file)
- Control of documents
- Control of records
- Internal communication
- Management review
- Management’s responsibilities and the appointment of a QMS Representative
- Infrastructure and work environment management
- Human resources and competencies management
- Computerised system validation
In chapter 7 (Product realisation), you can find the following elements:
- Defining product requirements
- Design and development
- Purchasing and supplier management
- Production control
- Identification and traceability
- Control of monitoring and measuring equipment
- Validation of production processes
Chapter 8 of ISO 13485:2016 covers measurements, analysis and improvement. It also includes monitoring feedback and complaints, reporting adverse events to supervisory authorities, conducting QMS internal audits, monitoring processes and products, controlling non-conforming products, and implementing corrective and preventive actions.
A vital element of a QMS is a Risk Management process based on ISO 14971 standard. It states that a procedure describing this aspect and an internal policy regarding risk management, defining the criteria and levels of risk acceptability, should be established as part of the risk management process. Risk management shall be applied for manufacturer products to determine the product risk profile and shall be updated if necessary.
The MDR 2017/745 regulation mentioned above defines requirements for QMS in Art. 10 General Obligations of Producers and Annex IX (Chapter I). The Post-Market Surveillance system is an essential process under the EU MDR. It’s important to add here that the requirements for the PMS system are described in more detail in the Regulation rather than in ISO 13485.
Each documented process must be then applied in practice, and the evidence confirming its implementation must be maintained, for example, in the form of plans, reports, registers, control cards or other forms of paper or electronic records.
For countries outside of the EU, local regulations apply.
What are the requirements regarding the Quality Management System in the USA?
In the USA, the requirements for the Quality Management System are covered in the regulation 21 CFR Part 820 – Quality System Regulation:
“Each manufacturer shall establish and maintain a quality system that is appropriate for the specific medical device(s) designed or manufactured, and that meets the requirements of this part”. Those requirements include: management responsibility, quality audits, requirements for personnel and many others described in subsections A-0, including:
- Design Controls
- Document Controls
- Purchasing Controls
- Identification and Traceability
- Production and Process Controls
- Inspection, measuring, and test equipment
- Process validation
- Acceptance Activities
- Non-conforming Product
- Corrective and Preventive Action
- Labelling and Packaging Control
- Handling, Storage, Distribution, and Installation,
- Device master record
- Statistical Techniques
Do you have to establish a separate QMS to enter multiple different markets?
The MDR and FDA’s regulations state that the Quality Management System is obligatory for medical device manufacturers. Does it mean that if you plan to sell your medical device in the European Union and the United States, you must have two separate Quality Management Systems for each market? No, it’s possible to establish one QMS that meets the requirements of both markets. Our team has experience in this field, and we can help you with that.
Another way to enter multiple markets is through MDSAP (The Medical Device Single Audit Program) audit, established by regulatory authorities from Canada, Brazil, Australia, Japan and the USA. The goal of the MDSAP program was to create a single regulatory audit of a medical device manufacturer conducted by an MDSAP-recognised auditor, which would meet the requirements of multiple regulatory jurisdictions.
Any manufacturer whose product falls under the scope of at least one participating regulatory authority may participate in the audit and can choose which country’s regulatory requirements they want to get audited against. There’s a possibility to add another country’s regulatory requirements to the certification in the future.
The MDSAP audit is quite an expensive option, though. However, it has two important benefits. Firstly, it minimises the chance of an unexpected FDA inspection. Secondly, there are significantly fewer audits throughout the year.
Does QMS have to be certified?
Compliance with ISO 13485 requires that a medical device manufacturer successfully undergoes a series of audits before entering the market with their product. If they don’t have a certificate of compliance with ISO 13485, they will not be able to objectively prove that their product was manufactured in accordance with these procedures. This is the downside of not having an ISO 13485-certified QMS.
The MDR requires that all medical device manufacturers have an established and maintained Quality Management System in place to ensure that their series-produced devices continue to comply with legal requirements and that the user experience is taken into account in the manufacturing process. The Quality Management System should be proportionate to the product’s risk class and type.
In the EU, the manufacturer can build their Quality Management System from scratch, but it will lack the credibility that ISO 13485 gives, and the process will be much longer.
According to FDA’s regulations, a QMS doesn’t have to be certified but can be subject to inspections. There’s no requirement to undergo an audit before or at the time the medical device enters the market. The manufacturer is only required to submit a statement confirming that all FDA requirements, also regarding the QMS, have been met. However, the FDA inspector can conduct an unexpected audit at any time.
What are the ISO 13485 exclusions?
ISO 13485 states that:
“If any requirement in Clauses 6, 7 or 8 of this International Standard is not applicable due to the activities undertaken by the organisation or the nature of the medical device for which the quality management system is applied, the organisation does not need to include such a requirement in its quality management system. For any clause that is not applicable, the organisation records the justification as described in 4.2.2.”
For example, if sterile products are not in a company’s scope, sections on sterilisation process validation, sterile barrier systems or other special requirements for sterile products can be excluded.
Please note that any exclusions must be recorded in the certification process and agreed upon with the notified body.
Exclusions vs medical device risk class
The exclusions in the QMS not always correspond to the medical device risk class. For instance, one company may manufacture class I medical devices (under the MDR) and be subject to no exclusions. In contrast, another company may develop class II medical devices and be qualified for specific exclusions. An example of such a scenario is a company developing software for cancer diagnosis – a product of a higher class but not sterile, so exclusions are possible
What are the benefits of a QMS for a company?
The QMS is a must-have not only due to regulatory requirements. Implementing ISO 13485 brings many benefits to an organisation, including:
- providing products and services, which meet customer expectations and regulatory requirements
- continuous improvement of the processes, products and services
- effective risk management
- ensuring traceability
- enhanced credibility for potential customers
Moreover, the QMS provides a framework to facilitate and ensure the identification and implementation of customer and regulatory requirements. It also contains guidelines on post-market activities.
An effective QMS should enable producing a safe product according to the specification and minimising defects and costs in the production process as well as risks to patients and users of the medical device. In the case of non-conforming products or adverse events, the QMS defines the framework for efficient patient protection.
Get expert assistance in preparing a Quality Management System in accordance with ISO 13485
We have extensive experience in establishing Quality Management Systems tailored to a client’s needs and the specifics of their organisation and compliant with ISO 13485 requirements. Contact us for more information via the form below or visit our offering page.