ISO 13485: Medical Devices and Risk Management
January 5, 2010
Surgically implanting a device, such as a pacemaker, has saved the lives of countless individuals battling with a compromised heart. Infusion pumps that automatically deliver consistent doses of drugs and eliminate the need for daily injections or pills is another example of how medical devices can drastically improve quality of life and treatment for patients. However, these same devices can pose a threat to human health unless there is a quality management system in place to ensure proper safety and quality procedures are being followed throughout their production. The medical devices industry generated more than $230 billion in 2007, and that number is expected to grow to more than $285 billion by the end of 2012, according to the U.S. Department of Commerce’s International Trade Administration. The increasing need for quality medical devices is matched by the need for quality management systems to ensure quality, standardize manufacturing and ensure that these devices are safe for their intended use. The standard known as ISO 13485: 2003-Medical devices-quality management systems-Requirements for regulatory purposes, has become the global standard for those involved in the manufacture of medical devices.
In today’s global marketplace, many organizations are utilizing ISO 13485: 2003 as a platform to build their business management systems. Registration to ISO 13485: 2003 is key to securing and maintaining global business, becoming more cost-effective and improving efficiency and internal communication.
ISO 13485: 2003 is based on eight quality management principles: customer focus, leadership, involvement of people, process approach, system approach to management, continual improvement, fact-based decision-making and mutually beneficial supplier relationships. When fully adopted, these principles have been proven to enhance organizational performance.
It is important to provide a context around which this standard was created, discuss major themes, and provide an explanation to why this standard is so effective in helping companies maintain quality assurance and manage risk.
Relating to ISO 9001: 2000The International Organization for Standardization (ISO) began drafting the first version of a non-industry-specific quality system standard known as ISO 9001 in the mid 1980s. This standard broke from the traditional quality control model and even surpassed the scope of the FDA’s Good Manufacturing Practices (GMPs). However, international consensus asserted that a more comprehensive standard was necessary. When finally approved, ISO 9001: 1994 became the leading standard for quality systems worldwide.
Soon after, industry specific standards based on ISO 9001: 1994 were drafted, including ISO 13485: 1996. However, when ISO 9001 was revised in 2000, the International Organization for Standardization began to draft a new standard to replace ISO 13485: 1996 that would align with the revised ISO 9001: 2000 standard.
The primary goal of drafting ISO 13485: 2003 was to harmonize medical device regulatory requirements for quality management systems. Therefore, particular requirements for medical devices were incorporated and some requirements of ISO 9001 that were deemed not appropriate as regulatory requirements were excluded. In 2003, the new ISO 13485 standard was approved as a stand-alone standard, and although it is based on ISO 9001: 2000, it acknowledged that some of the goals of ISO 9001, such as continuous improvement and customer satisfaction, are not appropriate to the closely regulated medical device industry.
As the overall framework of the ISO 13485: 2003 standard follows that of the ISO 9001: 2000, clauses such as Documentation Requirements (cl. 4.2), Management Responsibility (cl. 5), Resource Management (cl. 6), Product Realization (cl. 7), and Measurement, Analysis and Improvement (cl. 8) are outlined similarly. ISO 13485 uses this framework and then enhances it with specific medical terms and definitions (for example, advisory notice, labeling, etc.) as well as medical industry-specific requirements, as defined by the responsible Technical Committee (ISO/TS 210). An ISO 13485: 2003 quality management system can be evolved from or integrated into another management system but careful consideration must remain of these medical-specific requirements.
ISO 13485: 2003 OverviewISO 13485: 2003 is an international standard that specifies requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and regulatory requirements applicable to medical devices and related services. ISO 13485 is applicable to organizations that manufacture private label medical devices, in vitro diagnostic medical devices and medical components.
The introduction of the revised ISO 13485 standard in 2003 marked the shift from procedure-based to process-based quality management systems. Process-based standards can be viewed as a continuum of activities, inputs and outputs that become the inputs of the next activity, whereas a procedure-based system considers the quality system in parts or separate functions, such as design control, production and process control.
This is a central approach to quality assurance because it shifts the importance from the role of the quality inspection at the end of production, and evenly distributes the responsibility of quality control throughout every aspect of production, building quality assurance procedures into the process itself.
A prevalent theme throughout the ISO 13485: 2003 standard, and one that should occur throughout the initial development to product realization and eventual delivery of a product, is how well the organization assesses and manages risk. A guidance document within the ISO 13485: 2003 standard that is specifically referenced for risk assessment is ISO 14971: 2007-Medical devices – Application of risk management to medical devices.
Within this document, the organization is given detailed supporting tools to manage risk, which are largely accepted throughout the medical community. While this guidance document is not a requirement, it is strongly recommended that organizations consider its applicability or relevance before developing any of their own risk assessment tools.
Identification and traceability also is an important theme, in terms of product lots or batches, which carry with them supporting identification markings and records throughout the process. The ability to finely tune-in to a specific product lot or batch and all of its corresponding supporting records is a significant value to any medical device company, as well as the basis for many common audit trails.
Lastly, cleanliness or sterile conditions of the work environment is another main theme within the ISO 13485: 2003 standard. While ISO 9001: 2000 certainly elevated the importance of these types of requirements as it pertains to productivity, as well as an organized overall quality management system, ISO 13485: 2003 takes these requirements to the next level as many companies rely on these types of conditions as a matter of doing business altogether and also continually scrutinize their impact on the quality of the product.
Risk ManagementAs discussed earlier, the introduction of ISO 13485: 2003 also incorporates risk management into the process, specifying a process for a manufacturer to identify the hazards associated with medical devices, including in vitro diagnostic medical devices, to estimate and evaluate the associated risks, to control these risks and to monitor the effectiveness of the controls.
Risk management is a crucial part to effective quality assurance systems because justification for quality system decisions should be documented based on risk. Risk often is evaluated from two perspectives: safety risk and business risk. Safety risks are analyzed based on the class of medical product and the intrinsic risk that it poses. For this component, safety risk can be described as likeliness of resulting in serious injury or death or as causing harm.
Risk management, according to the aforementioned ISO 14971: 2007, is defined in two parts: the probability of occurrence of harm and the consequences of that harm, or how severe it might be. In this case, a medical device company has to consider this definition and then expand on a given product’s risk by using tools such as the risk analysis, risk evaluation, risk control and production and post-production information throughout the initial development to product realization and eventual delivery of the product.
During the risk analysis, an organization needs to consider how the product is intended to be used, what possible hazards evolve from those uses and then place an estimation on the degree to which risk is possible. Following this analysis, the organization then should conduct its risk evaluation.
During the risk evaluation the organization should be deciding which hazards will require actions through risk reductions using defined risk guidelines. After hazards that require risk reduction are defined, the organization should move on to risk control or putting measures in place to reduce the risk to an overall acceptable level.
Lastly, after these steps have been taken, the organization needs to complete the entire risk assessment cycle by considering whether production and post-production information requires adjustment to reflect any previously unrecognized risks or previously unacceptable risks. In either case, when these adjustments are made, the process should start over. As risk is inherent, the goal of this process is to closely manage risk, not necessarily eliminate it altogether.
Risk management applies to all medical device companies and, in the end, protects both the manufacturing companies and consumers. Companies are provided with a proven tool for driving the inherent risk of their products down while consumers can be reassured that any hazards to them with the medical devices they may come into contact with are being managed through a systematic approach to making the products safer for use. This is a central theme of ISO 13485: 2003 and one of the driving motivations for its continued growth within the standards community. Q