Medical Device QMS Compliance and Misconceptions 

ISO 13485:2016 has now been mandatory for nearly 5 years. Due to advancements in technology and changes in political environments and the regulatory landscape, it’s not surprising that some working groups are looking into potential updates to the standard.

Even now, 8 years after publication, many manufacturers and other organisations that are certified to ISO 13485:2016 make the same common errors.

Issues can result in product disapproval, delayed release, and increased cost to the business due to additional audits or recalls. Here are some Medical Device Compliance misconceptions and common mistakes that can be avoided.

While ISO 13485:2016 is recognised as a harmonised standard and does provide the majority of the QMS requirements for compliance with MDR/IVDR, it doesn’t cover everything. There are several gaps, particularly around PMS and vigilance, that are not covered in ISO 13485.

The standard includes a comprehensive breakdown of the gaps between the standard and regulation. These are the Annex Z tables and are extremely useful for identifying the gaps in your system.

ISO 13485:2016 reference: Annex Z

No. Notified bodies will expect that any relevant MDCG guidance is reviewed and implemented in a reasonable timeframe. The timeframe depends on the extent of the impact and the auditor.

MDCG Guidance

Everything comes down to what you can show the auditor on the day. You can give the best justification and explanation ever, but if there is no evidence then in an auditor’s eyes it didn’t happen.

All decisions within a QMS should be recorded. This could be part of a larger record e.g. change control or CAPA but it must be there.

ISO 13485:2016 reference: 4.2.5

Partially correct. It is unlikely that an auditor would ask to see your validation of Microsoft Word. However, other office programs allow you to add custom macros or even just equations.

For example, let’s look at Microsoft Excel. As a database for entering data, that’s fine. However, if you use Excel as a workbook to help automatically calculate weights for a formulation, that could have an impact on product performance and safety.

This means that the workbook should be validated and protected from change. As more and more companies are using eQMS systems, one of the simplest ways of digitalising a QMS is to use SharePoint. Again, this can be customised and, depending on what functions are added, may need to be validated.

ISO 13485:2016 reference: 4.1.5

A quality policy should be a top-level document that identifies the main goals of the company and what is important to the organisation.

The quality objectives should be set as measurable targets which are tangibly linked to the quality policy to allow the organisation to meet the goals set out in the policy.

For example, if patient safety is mentioned in the quality policy there should also be a relevant quality objective that helps the organisation to meet this goal. Your objective may be “No vigilance issues or recalls this year” but adverse events often aren’t predictable and if a recall is required due to information you didn’t have when determining your objectives, then this one would not be met.

A better objective would be to “complete all PMS activities on time as scheduled” or “First response to all vigilance reports within X working days”.

ISO 13485:2016 reference: 5.4.1

Management review frequency is determined by the organisation and can often be variable.

For an SME an annual review may be the best option, but a complex organisation may schedule several in a year, each covering different topics. ISO 13485 does not state that the management review must take the form of a meeting. In some cases a meeting is not practical, and management may take time to review the data presented (inputs) and draw recorded conclusions (outputs). ISO 13485 also does not state that the entire management review must be done as one review; it can be split up into multiple sessions.

ISO 13485:2016 reference: 5.6

Training is a staple of a QMS. Whether it be training on the QMS documents or specific training for manufacturing activities, it’s something all organisations have to consider.

Many organisations however do not assess the effectiveness of training that is delivered. This is especially important where the training is part of a corrective action.

ISO 13485:2016 reference: 6.2

Companies who operate clean room areas as part of their processes often have specific gowning and material access procedures that must be followed for proper operation.

Many companies also have contractors working on their premises such as outsourced cleaning. People working temporarily on site must also be trained in proper procedures to minimise the potential for contamination of a cleanroom.

ISO 13485:2016 reference: 6.4

Many medical device companies sell their product globally. Many regulatory teams have expertise in the UK and EU where MDSAP affiliates the regulations but other markets are often overlooked.

Companies often rely on distributors/sponsors to confirm whether a design change will impact market access in a particular country.

Although this is a sensible approach to take, these responsibilities are often not fully controlled. In these cases a quality agreement should be put in place, detailing responsibilities. The competency/ability of the distributor to assess regulatory impact should also be reviewed as per supplier management procedures.

ISO 13485:2016 reference: 7.3.9

Supplier management is a tightrope situation at the best of times, but it’s often not helped by impossible controls stated in procedures.

As an SME it is very unlikely that a multinational organisation is going to allow for annual audits. Understandably multinationals cannot accept every request for an audit due to servicing many different organisations.

So when a supplier management procedure states all suppliers must be audited annually how do we reconcile this? What is more suitable is a process that allows the organisation to determine the level of supplier evaluation and give justification for the controls that have been decided on.

ISO 13485:2016 reference: 7.4

In a lot of organisations, distributors are solely considered as aids to sell the device. However, they are actually service providers, representing the product on local markets and receiving feedback that is valuable in the PMS processes.

Distribution agreements often focus on numbers and don’t include provisions for providing this feedback and informing manufacturers of complaints and potential vigilance issues promptly.

ISO 13485:2016 reference: 7.4

It’s not always understood what the definition of customer property is. Customer property is anything owned by a customer. This includes product returns where a repair or replacement is to be made.

Until the fault is remedied the customer is still owed their property back or equivalent product/compensation. This is where companies often misinterpret customer property requirements in the standard and do not consider their returns to be customer property.

Another area that is often overlooked is digital property or Intellectual Property (IP). Where an organisation deals with digital property e.g. materials for printing, logos etc. there must be relevant controls in place to manage this. Similarly IP must also be well controlled. This can be particularly difficult for contract manufacturers and is often a grey line between IP that is owned by the customer or knowledge gained as an organisation that can be applied to other products/manufacturing processes.

ISO 13485:2016 reference: 7.5.10

Feedback should be more than just complaints. Complaints are very useful for determining how the device is performing in the field; however, other avenues for feedback should be considered.

Feedback from manufacturing, installation activities, training and suppliers should also be considered. This information can feed into vigilance if needed. It can also be used to improve manufacturing processes or be a lead for future developments.

ISO 13485:2016 reference: 8.2.1

This isn’t going to happen. There will always be one or two complaints that need further investigation or are waiting for information from a third party that doesn’t work to the same schedule.

Complaints should be responded to as quickly as possible but investigated properly and dealt with as appropriate to the issue.

ISO 13485:2016 reference: 8.2.2

Why not? That is the question most auditors would ask at this point. It may be true that the complaint or information is not reportable but the decision should be recorded.

ISO 13485:2016 reference: 8.2.2

This is a common non-conformity. Internal audits should consider ISO 13485 and any applicable regulatory requirements; however, it isn’t enough to write it in the procedure or in the scope of the audit. There must be evidence that the internal auditors have checked the compliance of the audited area against these documents.

ISO 13485:2016 reference: 8.2.4

The effectiveness check of a CAPA should always review whether the actions taken have had the intended effect and have now mitigated the issue that was determined to be the root cause.

Checking that the “fix” is implemented is not enough as it could be the case that it hasn’t resolved the issue and therefore needs re-investigating.

ISO 13485:2016 reference: 8.5.2

Needless CAPAs can clog a perfectly good QMS. If a mistake is a one-off human error then it is unlikely a CAPA is needed.

It is always good practice to document these issues to identify long-running trends but they often don’t need the full 8D treatment. A system with at least two categorisations can help alleviate this:

  • Low-grade non-conformances that are recorded and corrected quickly
  • Full-scale CAPAs that require investigation and root cause analysis

Non-conformances can always be upgraded to a CAPA.

ISO 13485:2016 reference: 8.5.2

Our UK team of Medical Devices / IVD experts are here to support and guide you through the complex and ever-changing regulatory landscape. With many years of experience in the industry and with notified/UK-approved bodies we offer comprehensive regulatory services to suit your business.


Thomas Wood
Regulatory Manager (Medical Devices)