4 Quality management system (QMS) T 22 .gif)
4.1 General requirements
Purpose of the QMS, requirements of ISO 13485, control of outsourced processes, software validation
Requirements 1 to 26 (see also the quiz)
In the simplified diagram of figure 4-1 we can see the purpose of an ISO 13485 quality management systemset of processes allowing the achievement of the quality objectives (see also ISO 9000, 3.5.4):
Figure 4-1. Purpose of an ISO 13485 QMS
The requirementsexplicit or implicit need or expectation (see also ISO 9000, 3.6.4) of the ISO 13485 standard in clauses 4 to 8 are shown in figures 4-2:
Figure 4-2. The requirements of the ISO 13485: 2016 standard
Requirementsexplicit or implicit need or expectation (see also ISO 9000, 3.6.4) related to productsany outcome of a process or activity (see also ISO 9000, 3.7.6) are specified by the customeranyone who receives a product (see also ISO 9000, 3.2.4) , by the company or a regulation.
The requirementsexplicit or implicit need or expectation (see also ISO 9000, 3.6.4) of ISO 13485 apply exclusively to the quality management systemset of processes allowing the achievement of the quality objectives (see also ISO 9000, 3.5.4) and its processesactivities that transform inputs into outputs (see also ISO 9000, 3.4.1):
- customer requirements and applicable regulatory requirements are identified and taken into account
- the quality management system (QMS) is established, documented, implemented and maintained
- the quality policy, objectives, resources and work environment are determined
- the roles of the manufacturer, importer, distributor and authorized representative are documented
.gif)
- processes required by the QMS:
- are identified, measured, monitored
- records are retained for compliance with requirements:
- of the ISO 13485 standard
- applicable regulatory requirements
- their objectives are established and analyzed
- their necessary resources are provided
- their sequence and the interactions are determined
- their operational criteria are established
- their information essential for monitoring is ensured
- their owners are named
- the level of risk of the processes is identified in relation to:
- impact on safety and performance of medical devices
- regulatory compliance
- actions to achieve planned results and maintain process efficiency are established and implemented
- staff are involved
In annex 05 are shown the new requirements of the 2016 version of the standard with examples of actions to be undertaken. 
Processactivities that transform inputs into outputs (see also ISO 9000, 3.4.1) changes (cf. sub-clause 7.3.9) are:
- evaluated against their impact on:
- the QMS
- medical devices
- controlled in accordance with the requirements:
- of the ISO 13485 standard
- applicable regulatory requirements
An outsourced processactivities that transform inputs into outputs (see also ISO 9000, 3.4.1) is always controlled and does not relieve the organizationa structure that satisfies a need (see also ISO 9000, 3.2.1) of its responsibilitiescapacity to make a decision alone towards customersanyone who receives a product (see also ISO 9000, 3.2.4) (cf. sub-clause 7.4). Outsourced processesactivities that transform inputs into outputs (see also ISO 9000, 3.4.1) are identified and their level of risklikelihood of occurrence of a threat or an opportunity (see also ISO Guide 73, 1.1) is proportionate to the ability of the external party to meet the requirementsexplicit or implicit need or expectation (see also ISO 9000, 3.6.4) (see annex 07). An element of outsourced processactivities that transform inputs into outputs (see also ISO 9000, 3.4.1) control is the signed supplierentity that provides a product (see also ISO 9000, 3.2.5) qualityaptitude to fulfill requirements (see also ISO 9000, 3.6.2) agreement.
The proceduredocument describing the to carry out a process (see also ISO 9000, 3.4.5 and documented information) 
software validationconfirmation that the application of a process, product, service or material allows expected results to be achieved (see also ISO 9000, 3.8.13) includes:
- validation of software applications prior to initial use
- revalidation after software or application change
- a proportionate approach of risk associated with its use
- retaining records
Used software is validated and a list is retained.
The ISO guide “The integrated use of management system standards” of 2018, contains relevant recommendations on the integration of management systems.
.jpeg)
Pitfalls to avoid:
- going overboard on quality:
.jpg)
- a useless operation is performed without adding value and without the customer asking for it - it is a waste, cf. quality tools D 12
- having all procedures written by the quality manager:
- quality is everybody's business, cf. paragraph 6.2 - "the staff is conscious of the relevance and importance of each to the contribution to quality objectives", which is even more true for department heads and process pilots
- forgetting to take into account the specificities related to the corporate culture:
- innovation, luxury, secrecy, authoritarian management (Apple)
- strong culture related to ecology, action and struggle, while cultivating secrecy (Greenpeace)
- fun and quirky corporate culture (Michel & Augustin)
- liberated company, the man is good, love your customer, shared dream (Favi)
- the process map has enough arrows to show who the customer (internal or external) is
- reveal the added value of the process during the process review
- the list of processes is updated
- the analysis of processes performance is an example of continual improvement and evidence of the effectiveness of the QMS
- the role of the organization is documented in accordance with applicable regulatory requirements
- revisions of process changes are evaluated
- quality contracts are established for critical outsourced processes
- validation records of software applications are coded and retained
- some process outputs are not set correctly (customers not considered)
- process efficiency criteria not established
- the process list is not updated
- the role of the organization is not documented
- the process owners are not formalized
- outsourced processes are not determined
- some real activities are not identified in any process
- control of outsourced services is not described
- sequences and interactions of certain processes are not determined
- criteria and methods for ensuring effective processes are not determined
- monitoring the effectiveness of certain processes is not established
- the impact of process changes is not evaluated
- software applications are not validated
4.2 Documentation
Documentation pyramid, procedures and records of a medical device QMS
Requirements 27 to 62
The right document, at the right place, at the right moment
The documentation of the QMSQuality Management System (cf. figure 4-3) includes:
- the quality manual (QM)
- the quality policy
- the quality objectives
- the process sheets
- the procedures
- the documents needed to control processes
- the documents of external origin (from suppliers, customers, standards)
- the documents required by applicable regulatory requirements
- required records
Figure 4-3. Documentation pyramid
The quality manualdocument specifying the general measures taken by an organization to obtain conforming products or services (see also ISO 9000, 3.8.8) (cf. annex 08) describes the:
- scope of the QMS
- types of medical devices manufactured
- procedures (cf. annex 09) or a reference to them
- sequence and interactions between processes (process mapping, cf. § 3.3 and annex 03)
- justification of the exclusions from elements of clauses 6, 7 and 8 (cf. § 1.2)
The quality manualdocument specifying the general measures taken by an organization to obtain conforming products or services (see also ISO 9000, 3.8.8) is like traffic laws: it is mainly a guide, a tool, but it does not teach you to drive.
The medical deviceproduct or service to be used for purposes of diagnosis, prevention, monitoring, treatment, alleviation of disease or injury file includes the technical documentation developed and maintained for each model or type of MD and each servicing activity. This documentation includes:
- product description, intended use, labeling, instructions for use
- bill of materials:
- assemblies, sub-assemblies
- components
- materials
- labels, instructions for use, advisory notices
- accessories
- packaging
- classification of applicable regulatory requirements
- manufacturing, packaging, storage, handling and distribution process (including sterilization methods, inspections, testing and validation)
- flow diagrams, blueprints, drawings, assembly diagrams and working instructions
- measurement and monitoring procedures
- risk analysis
- installation requirements, if appropriate
- servicing activities, if appropriate
- results of verifications, validations, trials, tests, clinical data and declaration of conformity
Documentsany support allowing the treatment of information (see also ISO 9000, 3.8.5) requiring approval of changes by customersanyone who receives a product (see also ISO 9000, 3.2.4) or authorities are identified.
A chart summarizing customeranyone who receives a product (see also ISO 9000, 3.2.4) requirementsexplicit or implicit need or expectation (see also ISO 9000, 3.6.4), applicable regulatory requirementsexplicit or implicit need or expectation (see also ISO 9000, 3.6.4) and processesactivities that transform inputs into outputs (see also ISO 9000, 3.4.1) is a great help in verifying QMSQuality Management System conformityfulfillment of a specified requirement (see also ISO 9000, 3.6.11).
Each internal documentany support allowing the treatment of information (see also ISO 9000, 3.8.5) is verified and approved. Any documented proceduredocument describing the to carry out a process (see also ISO 9000, 3.4.5 and documented information), requirementexplicit or implicit need or expectation (see also ISO 9000, 3.6.4) or activity is implemented and maintained. Outdated (obsolete) documentsany support allowing the treatment of information (see also ISO 9000, 3.8.5) are identified, retained and their use prohibited in the workshop.
The next-to-last version of a documentany support allowing the treatment of information (see also ISO 9000, 3.8.5) may become a recorddocument providing objective evidence of achieved results (see also ISO 9000, 3.8.10 and documented information).
The technical report ISO/TR 10013 (2006): "Guidelines for quality management system documentation" provides recommendations relative to the documentation of a QMSQuality Management System.
Answers to all 416 requirementsexplicit or implicit need or expectation (see also ISO 9000, 3.6.4) (in the text « shall ») of clauses 4 to 8 of the ISO 13485 standard are included in the documentation. ISO 9001 “only” requires 305.
Document: any support allowing the treatment of information
Record: document providing objective evidence of achieved results
Quality manual: document specifying the general measures taken by an organization to obtain conforming products or services
Procedure: document describing the actions to carry out a process
The proceduresdocument describing the to carry out a process (see also ISO 9000, 3.4.5 and documented information) of ISO 13485 (cf. annex 09) are:
- Validation of software (sub-clauses 4.1.6, 7.5.6 and 7.6)
- Document control (sub-clause 4.2.4). The procedure ensures:
- verification (review of content and form)
- approval (and then issue authorization)
- updating (verification and approval again)
- identification of the relevant version in force at the place of use
- readability
- availability
- identification and distribution of documents of external origin
- prevention of the use of outdated (obsolete) documents and their specific identification
- prevention of loss or deterioration of documents
- retention of medical devices outdated documents
- Record control. The procedure ensures:
- identification
- storage
- security
- integrity
- retrieval
- availability
- retention time
- retrieval
- disposal
- readability
- issue
- change identification
- a justification for every requirement which cannot be applied
- Management review (sub-clause 5.6)
- Work environment control (sub-clause 6.4.1)
- Design and development (sub-clause 7.3)
- Transfer (sub-clause 7.3.8)
- Control of changes (sub-clause 7.3.9)
- Purchasing (sub-clause 7.4)
- Post-market surveillance (sub-clause 8.2)
- Regulatory watch (sub-clause 8.2)
- Control of production (sub-clauses 7.5.1 and 8.2.6)
- Servicing activities (sub-clause 7.5.4)
- Process validation (sub-clauses 7.5.6 and 7.5.7)
- Identification and traceability (sub-clauses 7.5.8 and 7.5.9)
- Preservation of product (sub-clause 7.5.11)
- Monitoring and measuring equipment (sub-clause 7.6)
- Feedback (sub-clause 8.2.1)
- Complaint handling (sub-clause 8.2.2)
- Post-market surveillance (sub-clause 8.2.2)
- Reporting to regulatory authorities (sub-clause 8.2.3)
- Internal audit (sub-clause 8.2.4)
- Control of nonconforming product (sub-clause 8.3.1)
- Advisory notices (sub-clause 8.3.3)
- Rework (sub-clause 8.3.4)
- Analysis of data (sub-clause 8.4)
- Corrective action (sub-clause 8.5.2)
- Preventive action (sub-clause 8.5.3)
You can group several proceduresdocument describing the to carry out a process (see also ISO 9000, 3.4.5 and documented information) into one. The documentation can be in any form and any type of medium. It contributes, among other things, to providing objective evidencedemonstrably true factual data (see also ISO 9000, 3.8.3) and evaluating the effectivenesscapacity to perform planned activities with minimum effort (see also ISO 9000, 3.7.11) and performancemeasurable and expected results of the management system (see also ISO 9000, 3.7.8) of the QMSQuality Management System.
Objective evidence: demonstrably true factual data
Rework: action on a product to make it conform
A proceduredocument describing the to carry out a process (see also ISO 9000, 3.4.5 and documented information) may or may not be documented (see ISO 9000: 2015, sub-clause 3.4.5 – Note 1: “Procedures can be documented or not”). Our preference is for the documented (written) solution, short, simple and relevant. Especially in cases where the absence of a proceduredocument describing the to carry out a process (see also ISO 9000, 3.4.5 and documented information) can lead to deviations from the policy, the quality objectivesquality-related, measurable goal that must be achieved (see also ISO 9000, 3.7.2), the safety or the performancemeasurable and expected results of the management system (see also ISO 9000, 3.7.8) of the medical deviceproduct or service to be used for purposes of diagnosis, prevention, monitoring, treatment, alleviation of disease or injury.
Changes made are carried out by the author of the documentany support allowing the treatment of information (see also ISO 9000, 3.8.5) and reviewed and approved by a person with relevant information to make decisions.
Methods of protecting recordsdocument providing objective evidence of achieved results (see also ISO 9000, 3.8.10 and documented information) containing confidential health information are implemented in accordance with applicable regulatory requirementsexplicit or implicit need or expectation (see also ISO 9000, 3.6.4).
A review of the documentation is carried out periodically by the quality managerleader of the journey towards excellence.
The retention period of at least one copy of the documentsany support allowing the treatment of information (see also ISO 9000, 3.8.5) is determined (proceduresdocument describing the to carry out a process (see also ISO 9000, 3.4.5 and documented information) and recordsdocument providing objective evidence of achieved results (see also ISO 9000, 3.8.10 and documented information)). This period complies with applicable regulatory requirementsexplicit or implicit need or expectation (see also ISO 9000, 3.6.4) and shall not be less than the lifetime of the medical deviceproduct or service to be used for purposes of diagnosis, prevention, monitoring, treatment, alleviation of disease or injury and no less than two years from the release of the MD.
At a third party audit, the auditor asked to see the version history of three procedures and some instructions.
The procedures all had more than three versions and the instructions (in our case, audit reports) had on average two or three versions (actions and one or two follow-ups).
The auditor was comforted because he was afraid he would come across “inactive” documents.
The QMSQuality Management System documentation is related to the size and type of the organizationa structure that satisfies a need (see also ISO 9000, 3.2.1) , the complexity of processesactivities that transform inputs into outputs (see also ISO 9000, 3.4.1) and the competence of staff. This documentation is accessible to the personnel concerned and they are informed during evolutions of the documentation. Only the documentsany support allowing the treatment of information (see also ISO 9000, 3.8.5) that are strictly necessary are required to obtain simplified documentation. Example of documentsany support allowing the treatment of information (see also ISO 9000, 3.8.5) commonly used include:
- quality manual
- company organization chart
- procedures
- quality plans
- specifications
- work or test instructions
- templates
- records
- documents of external origin
- list of approved suppliers
- test and inspection plans
Specification: final description of system or product requirements in order to develop or validate it
Theprocessactivities that transform inputs into outputs (see also ISO 9000, 3.4.1) "manage documentation" ensures the review, release, changes and implementation of the customeranyone who receives a product (see also ISO 9000, 3.2.4) 's technical specifications. .jpg)
Spoken words fly away, written ones stay. Latin proverb
Retained recordsdocument providing objective evidence of achieved results (see also ISO 9000, 3.8.10 and documented information) required by ISO 13485 and regulation 2017/745 to prove conformityfulfillment of a specified requirement (see also ISO 9000, 3.6.11) and effectivenesscapacity to perform planned activities with minimum effort (see also ISO 9000, 3.7.11) of the QMSQuality Management System (sub-clauses):
- role of the organization (4.1.1)
- benefit/risk ratio (4.1)
- process control (4.1.3 e and 4.2.1 d)
- software application validation (4.1.6)
- general documentation of the QMS (4.2.1)
- regulatory requirements (4.2.1 e)
- medical device file (4.2.3)
- control of records (4.2.4)
- responsibilities, authorities and independence (5.5.1)
- management review (5.6.1 and 5.6.3)
- staff competence (6.2.e)
- maintenance of infrastructure (6.3)
- work environment (6.4.1)
- contamination control (6.4.2)
- risk management (7.1)
- planning of the production (7.1)
- process and product conformity (7.1 d)
- review of requirements related to product (7.2.2)
- communication with customer (7.2.3)
- design and development inputs (7.3.3)
- design and development outputs (7.3.4)
- design and development review (7.3.5)
- design and development verification (7.3.6)
- design and development validation (7.3.7)
- design and development transfer to manufacturing (7.3.8)
- design and development changes (7.3.9)
- design and development files (7.3.10)
- control of suppliers (7.4.1)
- purchasing information (7.4.2)
- verification of purchased product (7.4.3)
- verification and approval of medical devices before release (7.5.1)
- product cleanliness (7.5.2)
- installation and verification of medical devices (7.5.3)
- servicing activities carried out (7.5.4)
- batch sterilization process parameters (7.5.5)
- process validation (7.5.6)
- sterilization process validation (7.5.7)
- unique identification (7.5.8)
- traceability (7.5.9.1)
- package addressee (7.5.9.2)
- customer property problem (7.5.10)
- product preservation (7.5.11)
- calibration and verification of measuring equipment (7.6)
- results of validation of monitoring and measurement software (7.6)
- feedback (8.2.1)
- legislation review (8.2)
- inventory of legal requirements (8.2)
- complaint handling (8.2.2)
- post-market surveillance plan (8.2)
- post-market surveillance report (8.2)
- reporting to regulatory authorities (8.2.3)
- internal audits (8.2.4)
- product monitoring and measurement (8.2.6)
- nonconformities (8.3.1)
- acceptance by concession (8.3.2)
- rework performed (8.3.4)
- analysis of data (8.4)
- corrective actions taken (8.5.2)
- preventive actions taken (8.5.3)
Each recorddocument providing objective evidence of achieved results (see also ISO 9000, 3.8.10 and documented information) is unique and usually cannot be changed, except for error correction. Any recorddocument providing objective evidence of achieved results (see also ISO 9000, 3.8.10 and documented information) provides evidence of a task, operation, activity, processactivities that transform inputs into outputs (see also ISO 9000, 3.4.1) or requirementexplicit or implicit need or expectation (see also ISO 9000, 3.6.4). Recordsdocument providing objective evidence of achieved results (see also ISO 9000, 3.8.10 and documented information) are the essential database for analyzing processactivities that transform inputs into outputs (see also ISO 9000, 3.4.1) efficiencyfinancial relationship between achieved results and resources used (see also ISO 9000, 3.7.10) and contributing to the maintenance of the QMSQuality Management System. Examples of other recordsdocument providing objective evidence of achieved results (see also ISO 9000, 3.8.10 and documented information) often used:
- advisory notices
- process capability study
- costs of obtaining quality
- change request
- concession request
- customer complaint
- delivery form
- nonconformity sheet
- conformity certificate
The recorddocument providing objective evidence of achieved results (see also ISO 9000, 3.8.10 and documented information) retention period is determined and is usually included in the master documentany support allowing the treatment of information (see also ISO 9000, 3.8.5) list. This period is at least two years, complies with applicable regulatory requirementsexplicit or implicit need or expectation (see also ISO 9000, 3.6.4) and cannot be less than the life of the medical deviceproduct or service to be used for purposes of diagnosis, prevention, monitoring, treatment, alleviation of disease or injury.
- the quality manual is short and simplified (easy to read by all staff). It contains the scope and justification of the exclusions
- document management clearly shows the author and approver of the initial document and subsequent versions
- properly managing changes to documents (a line in the middle of the old text, red) can quickly show the history and the identity of the person who has approved the change
- a list of the dates of implementation of the changes in production is available in the workshop
- the file of each type of medical device is complete
- the methods for distributing documents are described in the procedure "Document control"
- the hierarchy of documents is logical and clear (manual, processes, procedures, records)
- a review of all documentation of the QMS is conducted twice a year, it is very well organized and the actions are completed on schedule
- the master list of documents also includes the retention period
- documents of external origin (standards, regulations, documents of customers, suppliers and machines) are coded as internal documents and the location is notified in a specific list
- the quality manual is not updated
- in the quality manual exclusions are neither detailed nor justified
- in the quality manual are not justified not applicable processes
- some procedures are not updated
- the need of some documents is not evaluated
- many real activities are not identified in any document
- some documents are not codified
- files of some medical devices are not complete
- documents are not in the place where they are needed
- instructions are outdated (version before the last one)
- no arrangement to ensure the security of the records
- changes to records are difficult to identify
- changes are not approved by those with authority
- documents are not approved prior to release
- during the project launch meeting the list of participants is not recorded
- the protection of documents on the network is not defined
- documents of external origin (customer, supplier) are not controlled (codified)
- the shelf-life and the elimination of rerecords are not established
.jpg)
Minute of relaxation. Game: Documentation
The rest of the T 22v16 ISO 13485 readiness version 2016 training is accessible on this page.
See also the training T 42v16 Internal audit ISO 13485 and the training package ISO 13485.