Dr Dennis Green
The right of Dr Dennis Green to be identified as author of this work has been asserted in accordance with the
Copyright, Designs and Patents Act 1988.
Copyright subsists in all BSI publications. Except as permitted under the Copyright, Design and Patents Act 1988,
no extract may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic,
photocopying, recording or otherwise – without prior written permission from BSI. If permission is granted, the terms
may include royalty payments or a licensing agreement. Details and advice can be obtained from the Copyright Manager,
BSI, 389 Chiswick High Road, London W4 4AL, UK.
Great care has been taken to ensure accuracy in the compilation and preparation of this publication. However, since it is
intended as a guide and not a definitive statement, the author and BSI cannot in any circumstances accept responsibility for
the results of any action taken on the basis of the information contained in this publication nor for any errors and omissions.
This does not affect your statutory rights.
The idea of writing a book on the latest version of the medical devices quality management
systems standard, ISO 13485:2000, arose shortly after I began to study the standard. At one
stage in my career I had been involved with the use of a wide range of such devices after I
had been appointed Assistant Regional Physicist in the Department of Clinical Physics and
Bio-Engineering of the Greater Glasgow Health Board. It became the biggest department of its
kind, certainly in the United Kingdom, if not in the world, with over 200 staff, which included
about 80 physicists, other scientists and many technicians. Later in my career, by invitation,
I became a director and board member of a company manufacturing medical devices, which
gave me further insight into this industry.
On examination of ISO 13485 it immediately became apparent that the standard is very closely
linked to ISO 9001, both in format and content. The emphasis of this book is on
the requirements of ISO 13485, but each corresponding clause of ISO 9001 is also considered.
Thus, any differences between the two standards are readily and easily identified.
The first edition of the medical devices standard, ISO 13485, was published in 1996.
Its title was:
Quality systems – Medical devices – Particular requirements for the application of ISO 9001
The second edition of ISO 13485 published in 2003 has a revised title:
Medical devices – Quality management systems – Requirements for regulatory purposes
The ISO 9001 quality management systems standard was published in December 2000.
It was the culmination of several years’ work by the international Technical Committee 176,
of the International Organization for Standardization (ISO), which had met at regular intervals
following the publication of the last revision of the standard in 1994. The revision of standards
is a routine procedure and committees responsible for revisions always consider any feedback
from users of an existing standard. In the case of ISO 9001:2000, the standard that replaced
three of the 1994 standards (9001, 9002 and 9003), this was reflected in committee drafts
(CD1, CD2 and CD3) and these draft international standards were widely circulated for
comments. There was also a final draft international standard, which had limited circulation.
The end result was not a perfect revised standard, but many people appear to agree that
ISO 9001:2000 is an improvement on its precursors.
There is one important difference between ISO 13485 and ISO 9001. The prime requirement
of ISO 13485 is to ensure that medical devices and related services are provided to consistently
satisfy customer requirements as well as any applicable regulatory requirements. The customer
Medical Devices: ISO 13485 and ISO 9001
in the case of medical devices is in most cases not the end user or recipient of the medical
device, but an intermediary, namely, a doctor, scientist or technologist, technician or a nurse.
The prime customer might also be a general medical practitioner. Aside from regulatory
requirements being met, another important objective of ISO 13485 is the promotion of
international harmonization of medical products.
Satisfying the requirements of customers (intermediate users and/or end users) and regulatory
requirements applies just as much to ISO 9001, but the promotion of harmonization of
products and services is not within its scope. It does, however, require top management to
strive to enhance customer satisfaction through the effective application and continual
improvement of its quality management system. It is important to realize that the continual
improvement in the quality management system does not mean continual improvement in a
product, although some improvements might occur as a result of improvements in the quality
management system. This is not a requirement of ISO 13485 and a manufacturer of medical
devices, or an organization that services medical devices, does not have to strive to enhance
customer satisfaction through the effective application and continual improvement of the
quality management system (see Chapter 4).
Chapter 1 gives the historical background to quality and quality assurance and the basis of
quality management systems. There is a difference between quality and quality assurance.
Many people use the term quality without really understanding what it means. The term
quality assurance is a little better understood, especially amongst manufacturers.
Chapter 2 shows how quality assurance standards were pursued after the First World War up
to and including the 1994 series of standards, although the emphasis of the later standards
did change a little. For instance, the concept of management principles was introduced in 1994
and in ISO 9001:2000, ‘management’ was included in its title.
Chapter 3 gives general background information on ISO 13485, Medical Devices and
ISO 9001:2000. Both standards place great emphasis on processes and two process
diagrams, or flow sheets, are included in this book as examples.
Chapters 4, 5, 6, 7 and 8 are the requirement clauses. These must be addressed for
compliance with the two standards.
Clause 6, on resource management, refers for the first time in any of the quality management
system standards to competence (clause 6.2.2). Its introduction by the international committee
that drafted the quality management standards is commendable. Perhaps the increasingly wide
adoption of the latest quality management system standards will result in organizations
investing in training to improve staff competence. This should lead to increased organizational
competence in all sectors.
Clause 7, in both standards, is an exceptional one in that parts of it need not be addressed,
provided any exclusion can be justified and the exclusion is explained in the quality manual.
Clause 7.3, design and development, is one example of possible exclusion. Because there is
evidently some confusion over possible exclusion of this important clause, Chapter 9 is
devoted to this matter.
Chapter 10 provides typical guideline audit questions, which are relevant to both process
auditing and compliance auditing against the standards. There is much common ground
between the two standards, but to help the reader, where there are differences the
requirements for ISO 13485 are printed in italics, whereas the corresponding ISO 9001
requirements are printed in bold.
Preface
In some cases a question is printed only once when there are only a few extra words to be
added to comply with the additional requirements of ISO 13485. These additional words in
a question are also printed in italics.
Appendix 1 includes the mandatory procedures for ISO 9001. It is recommended that any
other procedures, mandatory or otherwise, follow the same format.
• who manufacture and/or service medical devices and who wish to seek accredited
certification only to ISO 13485; and
• who manufacture and service medical devices, but also other products, so that both
the standards can be applicable.
It is hoped that this book will benefit many different kinds of managers. First and foremost I
hope that it will be of interest to (what the standards refer to as) top management. These are
people who direct and control organizations. In accordance with ISO 9001:2000, an external
auditor from a certification body is now expected to determine whether there is a commitment
by top management to its quality management system. A committed top manager is more
likely to create a new culture in which corporate competence and individual competence are
in the forefront of the minds of all workers.
The book should also be of interest to professionals and those who aspire to become
professionals. This includes auditors of all kinds: internal auditors, second-party and third-party
auditors.
The views expressed in this book are those of the author. The author is confident that if the
guidelines included in this book are followed in interpreting the five requirement clauses of
ISO 13485 and ISO 9001 any organization is likely to achieve certification at the first attempt
for either or both standards.
It would be impossible to thank personally all those who have made the writing of this book
possible. Much of the book is based on my experience as an auditor, mainly auditing against
the quality management standards on behalf of certification bodies. I should like to express my
thanks to these certification bodies, which have provided me with many opportunities for
third-party auditing. I should also like to thank the people in many organizations whom I have
subjected to the rigours of third-party auditing. All these people whom I have met at different
levels within such organizations have, without exception, received me kindly into their
organizations to enable me to carry out my duties. Without such acceptance, auditing would
have become an unwelcome task and one that I would have abandoned a long time ago.
Table of Contents
Preface
Chapter 1: Brief historical background to quality assurance
Home production
Factory production
Mass production and quality inspectors
Association of Inspectors
Disadvantages of using quality inspectors
Quality control
Meeting requirements of a contract
Quality
Quality assurance
Chapter 2: Quality standards
The birth of the modern technological age
Military standards
The first non-military standard (1979)
ISO 9001, 9002 and 9003 (1987)
The ISO 9000:1994 series of quality assurance standards
Eight management principles
BSI Benchmark on the eight management principles
Latest revision of the 1994 series of quality standards
Numbers of ISO 9001 certificates worldwide
Chapter 3: ISO 13485 Medical Devices and ISO 9001
Core terms and definitions
ISO 13485 and ISO 9001
ISO 13485
ISO 9001
Format of ISO 13485 and ISO 9001
Process models
Continual improvement in the effectiveness of the quality management system (ISO 9001 only)
Chapter 4: Quality management systems (clause 4)
General requirements
Documentation requirements
Chapter 5: Management responsibility (clause 5)
Management commitment
Customer focus
Quality policy
Planning
Responsibility, authority and communication
Management review
Chapter 6: Resource management (clause 6)
Provision of resources
Human resources
Infrastructure
Work environment
Chapter 7: Product realization (clause 7)
Planning of product realization
Customer-related processes
Design and development
Purchasing
Production and service provision
Control of monitoring and measuring devices
Chapter 8: Measurement, analysis and improvement (clause 8)
General
Monitoring and measurement
Control of nonconforming product
Analysis of data
Improvement
Quality Policy
Chapter 1:
Brief historical background to quality assurance
Home production
In the past, when making an object, a skilled craftsman would examine the object carefully at
each stage of its construction. When it was completed, the craftsman would check it in detail
to ensure that it was acceptable according to the craftsman’s standards. A second item of the
same type would probably not be exactly the same, but would have been produced to the
same high standards.
Factory production
When standard items began to be produced in factories, a worker was appointed to oversee
the work of others. This ensured, as far as was possible, that similar items were identical in
all respects.
Association of Inspectors
In 1919, an Association of Inspectors was formed at the Woolwich Arsenal in London and
this association was the predecessor of the Institute of Quality Assurance, IQA, which was
established on 20 June 1972. This institute is now recognized as the professional body for
quality practitioners, with the vision, ‘We lead in quality’.
Quality control
These difficulties in mass production led to a new concept of quality control, in which faults
were detected at every stage of production, rather than only at the end of a production line.
A quality controlled process is one in which monitoring and measurements are made
at appropriate points during major and supplementary processes. The monitoring and
measurements can be made manually, although now they are often done automatically,
either continuously or continually. Any measurements made are compared with the required
measurements at that particular point, and data are then fed back. This procedure allows
corrections to be made earlier in the process, so that the required output specification is
obtained. Thus, quality control can be defined as all the monitoring and measurements that
are made to control major and supplementary processes so that the product or service meets
the specified requirements.
Quality
It is important to differentiate between quality and quality assurance. Quality is used in many
situations. There are at least 15 definitions of ‘quality’ in print. The following definition of
quality is preferred here.
‘Quality: excellence as perceived by a customer or a stakeholder’ [1].
Quality assurance
Quality assurance can be defined as a pledge to a customer that the quality (as seen,
demonstrated, defined, or agreed and accepted) will be maintained for a particular product
or a particular service.
Chapter 2:
Quality standards
Military standards
In 1959, the first military national standard, MIL-Q-9858-A, was issued by the American
Department of Defense. Later, some of the European NATO countries started to re-arm
and NATO equipment had to be built to the same agreed design specifications. There was a
need to ensure that all equipment made to the same design specification really was the same,
i.e. was quality assured, whether it was made in one factory, or in ten factories, and whether
it was made in the UK or elsewhere. Thus, NATO prepared design and manufacturing
specifications for military equipment. These were first published in 1968 and were known
as Allied Quality Assurance Publications, or AQAPs.
In 1973, the British Ministry of Defence changed the AQAP documents, when it was
considered necessary, to place greater emphasis on design. This was done with the support
of the industry. The changed AQAP documents were published as Defence Standards in the
05 series: 05 21, 05 24 and 05 29.
In November 1972, the British Standards Institution published BS 4891, A guide to quality
assurance. In 1974, they published BS 5179, A guide to the operation and evaluation of quality
assurance systems.
By 1979, the British Ministry of Defence (MOD) had selected 3,000 companies, which it
believed would be able to provide quality assured products under future defence contracts
and reduced its number of inspectors from 16,500 to 3,000.
At about this time, the British Standards Institution proposed to the International Organization
for Standardization (ISO) based in Geneva, Switzerland, that a technical committee should be
set up to harmonize the existing quality systems standards in various countries and in various
industries. A Technical Committee, TC 176, was designated this task. (Incidentally, the
International Organization for Standardization is not represented by the acronym IOS, but by
ISO, which is derived from the Greek word ‘isos’ meaning ‘equal’.)
All three ISO standards are compatible. ISO 9002 and ISO 9003 are in fact subsets of ISO
9001. None was better than the other two; they were merely applicable in different situations.
General
The 1994 standards refer to eight management principles that are considered to be essential for
the successful management of any organization.
The concepts embodied in these principles form the foundation of a quality management
system based on the ISO 9000:1994 series of standards.
There are many kinds of leadership. ISO 9001:2000 encourages empowerment of employees
through openness of management and trust, as exemplified by a quality policy, quality
objectives, internal auditing, management reviews, and other measures. Such leadership does
not support a ‘no blame culture’, but instead promotes a ‘responsibility culture’ at all levels
within an organization.
All organizations have at least one major process, which is why any organization exists
(see Chapter 5 and Figure 5.1). ISO 9001:2000 focuses on processes. Top management is
responsible for ensuring that processes are properly managed from beginning to end by:
In any successful operation of a major process, there is a need to recognize the importance
of supplementary processes and how they interact with a major process. Third-level processes
also make a contribution. It is this recognition, identification, understanding and control of
such a system of interrelated processes for a given objective that improves the effectiveness
and efficiency of an organization.
More specifically in connection with ISO 9001:2000, there is a requirement for continual
improvement in the effectiveness of the quality management system. It is a requirement that
is repeated many times in the different clauses of ISO 9001:2000.
The ISO 9001:2000 standard requires data to be collected and analysed. Such objective data
provides evidence of what has happened. The collation and analysis of the data will enable
rational decisions to be made based on facts.
independently examined by BSI to determine whether what has been claimed actually happens
at lower levels within the organization. The organizations receive award certificates (bronze,
silver, gold or platinum) depending on their final score. BSI claims that what is more important,
however, is that the report identifies opportunities for improvement and progression.
ISO 9001:2000 does not mention the eight management principles, but the companion
ISO 9004:2000, published simultaneously with ISO 9001:2000, does. It provides guidance
on the interpretation of the new ISO 9001:2000.
Organizations that were certified against the 1994 version were given three years, until
15 December 2003, to conform to the requirements of the revised standard. Otherwise,
their certification lapsed.
The survey shows that by the end of 2003, over half a million ISO 9000 certificates
(old and new versions) had been awarded in over 100 countries [2].
Chapter 3:
ISO 13485 Medical Devices and ISO 9001
NOTE The requirement for sterility of a medical device might be subject to national or regional regulations or standards.
medical device that relies for its functioning on a source of electrical energy or any
other source of power other than that directly generated by the human body or gravity
advisory notice
• the return of the medical device to the organization that supplied it;
• the destruction of a medical device.
As will be explained later, many of the requirements of ISO 13485 are applicable to ISO 9001
(see Chapters 4, 5, 6, 7 and 8). Where there are differences between the standards, these
will be noted. In addition, if ISO 13485 has additional requirements to those required by
ISO 9001, these will be addressed under the relevant clauses.
ISO 13485
ISO 13485 is applicable to organizations manufacturing medical devices or providing related
services.
The requirements of a quality management system based on ISO 13485 can be used as
a foundation for the design and development, production, installation and servicing of
medical devices. The quality management system based on ISO 13485 must satisfy specific
requirements:
This International Standard specifies requirements for a quality management system
where an organization needs to demonstrate its ability to provide medical devices
and related services that consistently meet customer requirements and regulatory
requirements applicable to medical devices and related services.
ISO 13485 is focused on reflecting the current regulations and thereby encourages the
harmonization, i.e. worldwide agreement on medical device regulations.
Note that the terms, ‘if appropriate’ and ‘where appropriate’ mean that the requirement
is deemed to be ‘appropriate’ unless the organization can justify otherwise. Some of the
requirements of this standard apply only to named groups of medical devices.
Any requirements in Clause 7 that cannot be applied to medical devices and related services
can be excluded from the quality management system. Clause 7.3 can be justifiably excluded
from the quality management system if regulatory requirements allow such exclusions,
although the same regulation might impose alternative regulations that must be addressed in
the quality management system.
ISO 9001
ISO 9001 is applicable to all organizations that manufacture products or provide services
of any kind.
A quality management system based on ISO 9001 must satisfy specific requirements:
• it needs to demonstrate its ability to provide a product, or deliver a service that
consistently satisfies customer requirements and any applicable regulatory
requirements for such products and services;
• it must aim to enhance customer satisfaction through the effective application and
continual improvement of the quality management system.
Many clauses in the two standards are identical, though with some additions and omissions.
Some requirements are less prescriptive and are written in broader terms. In all cases of exact
correlation the basic intent is the same. There are, however, some additional requirement
clauses to be addressed and these are highlighted when they occur.
Process models
The new emphasis in ISO 9001 is on processes because of the wish to align the revised
standard with the environmental management systems standard, ISO 14001. Alignment is
a useful step for organizations that might wish to integrate their quality management system,
their environmental management system, and any other systems such as health and safety
into one comprehensive system. However, integration of these systems will not be achieved
in the near future.
Since ISO 13485 is based on ISO 9001, it also places great emphasis on processes.
A process is simply a number of serial and/or parallel activities that are carefully planned and
executed to achieve the desired objectives. All organizations have at least one process, which
is why any organization exists.
Any process is initiated through some form of input, and the activities that follow will result
in some form of output. In its simplest form, a process consists of an input, one activity and
an output that arises from the activity being applied to the input (Figure 3.1). In practice,
many processes consist of a series of consecutive activities resulting in the required output
(Figure 3.2). Such a series of processes (Figures 3.3 and 3.4) can be referred to as a major
process or a core process. Figures 3.3 and 3.4 are preliminary flow diagrams that will be
modified and improved.
Often a number of supplementary processes (sometimes called secondary processes, or
lower-level processes) have to take place so that a major process can proceed to a satisfactory
conclusion. For example, supplementary processes have to be established in order to purchase
the required materials that have to be ‘fed-into’ the major process at appropriate stages.
Many organizations have more than one major process. One manufacturer might have
a number of different product lines, whereas another organization might provide several
different services, hence several major processes.
One of the lower-level processes that impacts directly on a major process will be
measurements that are taken at certain defined times as the major process proceeds.
Management will have decided at the planning stage which measurements have to be taken,
and when. It will also have decided which instruments need to be calibrated. If calibration is
deemed necessary, the calibration of measuring devices will be undertaken as planned.
It is also important to emphasize that for each first-level process and the associated second-
level processes that impact directly on the first-level process, there may be other background
activities occurring for one or more of the lower-level processes. There is another clear
distinction between second-level processes and third-level processes that concerns timing.
Second-level processes are essential and must be carried out as planned, at given times, so
that a major process can proceed, as planned, to its completion. Third-level processes will
have been deemed desirable by management, but a failure to execute such a process at a
specific time will not impact directly on a major process. For example, the failure to recalibrate
a device as scheduled after one year does not mean that the device has suddenly gone
‘out-of-calibration’ and can no longer be used to make measurements.
Another third-level process might concern cleanliness and tidiness in the production area or
in an office. Any failures in this connection are less likely to have any immediate impact on
the major process; and the timing of cleaning up and tidying up is not likely to have any
immediate impact on a major process. (In extreme circumstances, however, an auditor might
comment that the work environment is not being managed properly and that product or
service requirements are being placed in jeopardy - see page 47.)
The preparation of flow diagrams such as those in Figures 3.3 and 3.4 can help organizations
to rationalize their major processes with the minimum amount of textual documentation.
Lower-level processes can also be shown by means of flow diagrams; notes, procedures,
work instructions, forms, and other material can then be added as is deemed necessary to
ensure effective and efficient operation of the major processes. Software is now available that
enables such process diagrams to be drawn easily.
[Flow diagram: from ‘Enquiry received’ via ‘Invitation to manufacture’ or ‘Invitation to submit tender’, through design, specification and tender decisions, to ‘Manufacturing commences’.]
[Flow diagram: sterilization department process, with full traceability of instruments at every stage: collection of instruments, washing of instruments, packaging, sterilization, return journeys, fast steam sterilization, return of instruments, sterilizer records.]
The organization must clearly identify its major processes (first-level processes), the sequence
and interaction of any such processes and any associated lower-level processes to ensure that
they will result in products or services, or both, that achieve planned results. In the case of
ISO 13485, this means safe and effective medical products or related services and in the
case of ISO 9001, products or services that are safe and satisfy the needs and expectations
of customers.
Top management must ensure that adequate resources are made available and that relevant
information and documentation is always available at appropriate stages during any of the
processes. Above all, management has to ensure that the sequence of activities proceeds in
ways that achieve the planned results in the most efficient manner. At the planning stage the
satisfactory operation and control of first-level processes and any associated lower-level
processes will have been determined beforehand by the identification of the test criteria
to be used at specific stages in the processes. At these stages appropriate monitoring and
measurements will be made. Any data that are collected will be collated and analysed.
Such monitoring and measurements might result in corrective actions being taken. All these
activities also provide opportunities to ensure that any resulting medical devices and related
services are safe and effective and/or that products and services, in general, satisfy the
requirements of customers. In the case of ISO 9001, there is an overriding requirement to
promote continual improvement in the effectiveness of the quality management system.
Outsourcing is the use of resources outside an organization to carry out tasks on its behalf.
If an organization does subcontract (outsource) any processes that could affect product or
service conformity with requirements, then the organization must maintain close control over
such contracts. Any such outsourced products or services must be clearly identified and the
means by which they are tightly controlled must be evident from the quality management
system documentation of the organization.
An organization should consider outsourcing an activity:
Records are also required to be kept and maintained as explained below (see procedure
PC 102, Control of Quality Records).
Quality management systems (clause 4)
The framework documentation is the core documentation required to establish and maintain
the quality management system. All documents (with the exception of the quality manual)
can be numbered from, for example, 101 upwards, so that new quality management system
documents can be readily identified and distinguished from pre-QMS documents. This does
not mean that documents with numbers below 100 are no longer relevant. These existing
documents should continue to be used until the new quality management system has been
established. Consideration can then be given to withdrawing any documents that have been
superseded by the new quality management system documents or, if changes have to be made
to existing documents, they can perhaps be recoded and numbered in accordance with the
new quality management system.
The quality management system documentation will include:
1. a quality management system manual;
2. quality management system process diagrams;
3. thirteen mandatory quality management system procedures.
ISO 13485 also requires the following mandatory procedures:
• validation of the application of computer software (and changes to such software
and/or its application) (see clause 7.5.2.1);
• validation of sterilization processes (see clause 7.5.2.2);
• identification of returned medical devices (see clause 7.5.3.1);
• preservation of product (with limited shelf-life or requiring special storage)
(see clause 7.5.5);
• monitoring and measuring devices (see clause 7.6);
• feedback on quality problems and corrective and preventive action processes
(see clause 8.2.1);
• monitoring and measurement of product (see clause 8.2.4.1).
In connection with ISO 9001, these are:
• control of documents (see clause 4.2.3);
• control of quality records (see clause 4.2.4);
• internal audit (see clause 8.2.2);
• control of nonconforming product (see clause 8.3);
• corrective action, including customer complaints (see clause 8.5.2);
• preventive action (see clause 8.5.3).
Some organizations might prefer to combine several procedures into a single
document, e.g. corrective and preventive action.
4. quality management system policies;
5. quality management system forms;
6. quality management system external documents;
7. quality management system external forms.
Medical Devices: ISO 13485 and ISO 9001
A quality policy statement is also required and quality objectives must be set for all levels
within the organization. When ISO 13485 specifies that a requirement, procedure,
activity or special arrangement be ‘documented’, it must in addition be implemented and
maintained. (This is implicit in ISO 9001.)
In addition, ISO 13485 requires that for each type or model of medical device, the
organization must establish and maintain a file either containing or identifying documents
that define product specifications and are in accordance with current regulations and quality
management system requirements. These documents must define the complete manufacturing
process and, if applicable, installation and servicing.
With both standards, an organization is completely free to introduce any other documentation it
deems desirable to ensure the effective planning, operation and control of all its first-level and
lower-level processes. Such controls may be in the form of additional procedures, work
instructions, forms, external documents and external forms. Records are also required as
explained on page 27.
Working documents
There is another important part of any quality management system, namely working
documents. Working documents are all the essential documents that are necessary to ensure
that orders, contracts, and other day-to-day activities are dealt with in ways that satisfy the
needs and expectations of customers. All such documents need to be under proper control.
These are the working documents that an organization considers necessary for the planning,
operation and control of all its processes. These are likely to be referred to in the organization’s
major and lower-level process diagrams, such as procedures, work instructions, forms, external
documents and external forms (see Figure 4.1).
In connection with ISO 13485, external documents must include any national or regional
medical device regulations associated with the manufacture of safe and effective medical
devices or provision of related services.
Organizations will not necessarily have all the above categories of documentation. For instance,
some organizations may decide that work instructions are not necessary; others will find that
they do not have external documents (other than the standard itself); and many will not have
any external forms. On the other hand, management may decide that some other additional
form of documentation is required in order to achieve the planned results.
The extent of the quality management system documentation can be decided by the
organization itself, depending on the:
• type of activities;
• size of the organization;
• competency of personnel.
Large complex organizations with many employees will probably find it necessary to have a
lot of documentation, whereas a very small organization will require much less documentation.
In addition, an organization that consists of mainly highly qualified professional people will
probably require less documentation than one with few professional people.
The organization can decide for itself whether the documentation is to be in hard copy
throughout, or available electronically on a computer network.
All documents should be given a reference letter, a number and an issue number to identify
them uniquely. The reference letters listed below are merely suggestions:
QM Quality manual;
PD Process diagrams;
PL Policies;
PC Procedures;
WI Work instructions;
FM Forms;
ED External documents;
The identification letters and the associated number, e.g. PD 101, should be followed by
an issue number, 1 or 2, etc. Forms do not have revision numbers, only issue numbers.
External documents and external forms are listed in a logical manner by the quality manager.
An organization chart is required. These frequently change and can best be controlled as a
policy document (see Figure 5.1).
With both standards, organizations have to justify, rather than simply state, any exclusion from
Clause 7. Moreover, the replacement of ‘Design’ by ‘Design and Development’ in the revised
standard will probably make such justifications for exclusions even more difficult in some cases
(see Chapter 9).
Examples of justifiable exclusions
Some examples of justifiable exclusions include:
(a) design and development (clause 7.3) - Chapter 9 is devoted to the possible exclusion
of this clause;
(b) validation of processes for production and service provision (clause 7.5.2).
Note that in some cases, however, validation is not possible. In these and similar cases, proving
what has been achieved in a particular case results in the output being damaged or completely
ruined. Examples are:
• paint spraying – if paint spraying a car, checking that the required layers of paint
have actually been applied will ‘break’ the surface of the paints;
• welding – destructive testing of a welded joint is not very helpful and it is not
generally economical or practical to X-ray each weld for imperfections.
In all such cases, sometimes referred to as special processes, validation of the processes is
necessary and clause 7.5.2 cannot be justifiably excluded. To achieve validation of such
processes, strict measures have to be in place such as specially trained practitioners, special
equipment and devices, and processes/procedures, which have to be rigidly followed to ensure
that the planned results are in fact achieved.
If an organization does not receive any property for incorporation into the organization’s
products, or for activities relating to the organization’s products or services (this includes
intellectual property), then Clause 7.5.4 can be justifiably excluded.
An organization that does not use any monitoring and measuring devices or computer software
to provide evidence of conformity of product or service to customer requirements can
justifiably exclude the whole of this clause.
Examples of such permissible exclusions are:
• recruitment agencies;
• training organizations; and
• legal companies;
since monitoring and measuring devices are not used.
Procedures
A procedure is merely the prescribed way in which an activity is carried out. For example,
a procedure on the ‘control of documentation’ will detail how this has to be achieved.
Procedures can be in any form and format. Procedures tend to be strictly confidential to an
organization, whereas the quality manual is not.
Only 13 procedures are mandatory in the case of ISO 13485 and ISO 9001, but management
will almost certainly decide that many other procedures are required in order to satisfactorily
control its process and lower-level processes. All procedures can be included in the quality
manual, but it is common practice to keep procedures separate. Appropriate cross-references
must be made to procedures in the text of the manual and it is also good practice to list all the
procedures in an appendix.
documents and forms are in use, even though changes to the documentation will inevitably
be necessary from time to time. The quality manager is usually made responsible for control
of all the documents that are part of the organization’s quality management system.
1. review and approve documents for adequacy prior to use. (The ‘review’ part of this
requirement is implicit in ISO 9001 requirement.)
2. ensure that documents are reviewed from time to time, changed if necessary, and
reapproved prior to being reissued;
3. ensure that the latest changes on current documents are identified and that the
current revision status of documents is evident.
4. ensure that relevant versions of applicable documents are always available at points
of use;
5. ensure that documents remain legible and readily identifiable;
6. ensure that documents of external origin (such as documents and forms) are
identified and their distribution controlled;
7. prevent the unintended use of obsolete documents, and if any are retained for
knowledge preservation purposes or any other reason, they must be clearly marked as
being ‘obsolete’ or ‘superseded’ or by any method that clearly identifies their status.
ISO 13485 requires even tighter controls than ISO 9001 when it states that:
[With reference to list item (2)]: The organization shall ensure that changes to
documents are reviewed and approved either by the original approving
function or another designated function which has access to pertinent
background information upon which to base its decisions.
[Importantly in connection with list item (7)]: The organization shall define
the period for which at least one copy of obsolete controlled documents
shall be retained. This period shall ensure that documents to which medical
devices have been manufactured and tested are available for at least the
lifetime of the medical device as defined by the organization, but not less
than the retention period of any resulting record, or as specified by relevant
regulatory requirements.
As explained earlier, there are three very important policy documents that need to be carefully
controlled since they are likely to change from time to time. One is the organization chart
(QMS PC 101/1). Another policy document is the quality policy statement (see clause 5.3),
QMS PC 102/1. Yet another very important policy document is one that lists the organization’s
quality objectives, QMS PC 103/1 (see clause 5.4.1). Quality objectives will be systematically
reviewed at regular intervals and each time this is done, the new list of quality objectives can
be given the next issue number.
Any other method of effectively controlling these documents would, of course, be acceptable.
One individual, such as the quality manager, does not usually control all working documents,
as is generally the case for framework documents. However, they do need to be controlled
adequately since they will provide useful evidence, i.e. records on the effectiveness of the
quality management system. The quality manager needs to be satisfied that such documents
are properly controlled.
Control of the computerized documents and computer data
An increasing number of organizations now have at least part of their quality management
system documentation on computer. All will have some data on computer. The procedure on
‘control of documents’ must explain how computerized documents and data are controlled
and safeguarded.
Minimum retention times must be stated for the different kinds of records as well as explicit
arrangements for disposition of records after retention times have been exceeded.
In the case of ISO 13485 the retention time of records for medical devices is more explicit:
The organization must retain the records for a period of time at least equivalent to the lifetime
of the medical device as defined by the organization, but not less than two years from the date
of product release by the organization or as specified by the relevant regulatory requirements.
In the planning stages of the product realization process and the planning of final products or
services, decisions should be made to determine which records must be kept in order to
achieve the planned results. It might be possible to reduce the number of records that were
originally planned once confidence has been established in a certain product or in the
provision of a specified service. Nevertheless, some records will always be required to provide
evidence that the product realization processes and the resulting product or service meet the
specified requirements [see 7.1(d) of both standards].
3. records are required to provide evidence that the realization processes and the
resulting product/service meet requirements (see clause 7.1);
4. review of customer requirements and actions taken for the product or service
(see clause 7.2.2);
11. validation of ‘special processes’ to achieve planned results (see clause 7.5.2);
12. identification (where appropriate) and traceability (where it is a requirement) of
product or service (see clause 7.5.3);
13. lost, damaged or unsuitable customer property (see clause 7.5.4);
17. nonconformities, corrective actions and preventive actions (see clauses 8.3, 8.5.2
and 8.5.3);
18. customer complaints, corrective and preventive actions (see clauses 8.5.2 and 8.5.3).
Not all the above listing is relevant in given circumstances. The requirements are generally
in line with what many good organizations are already doing in their own interests.
Other records
Any organization, but especially those involved with medical devices and related activities,
might decide that it is in its own interests to keep many more records than is specifically
required by either ISO 13485 or ISO 9001. These could be readily identified from the required
records listed above by numbering them from, say, 101 upwards.
[Figure: structure of the quality management system documentation. Quality manual: scope of quality management system; justifiable exclusions; Clauses 4, 5, 6, 7 and 8; reference to procedures; appendices. First document group: process diagrams; policies (including quality policy, quality objectives, organization chart); procedures; forms; etc. Second document group: procedures; work instructions; forms; external documents; external forms; etc. Also shown: external forms; external documents; outsourcing documentation; records.]
Chapter 5:
Management responsibility (clause 5)
• ensure that measurable quality objectives are set, measured and reviewed from time
to time (see clause 5.4);
much more important for medical devices is that the quality management system is such that
the organization can consistently produce safe and effective products.
Customer requirements are determined from the stated needs and expectations of customers,
compounded by any statutory and regulatory requirements, whether specified or not and
perhaps unknown to a customer, as well as the organization’s existing knowledge and previous
experience with identical or similar products or services. The requirements specified by the
customer will include requirements for delivery and post-delivery activities. Reputable
organizations have always done this.
The quality policy must be appropriate, i.e. relevant to the purpose of the organization. It
should contain commitments that are realistic and attainable.
The policy statement must include a commitment not only to complying with the requirements
of ISO 13485, but there must also be a commitment to maintain the effectiveness of the
quality management system. (As mentioned in 5.1, the emphasis of ISO 9001 is to continually
improve the effectiveness of the quality management system.)
The quality policy statement must state that a framework exists for reviewing all measurable
quality objectives in a systematic manner.
Top management has the responsibility for ensuring that all employees (including new
employees) fully understand the quality policy statement.
Top management must review the quality policy statement in a systematic way for its
continuing suitability.
It is good practice to have the quality policy on the standard agenda of management review
meetings as a reminder that it is to be reviewed at least once each year, for example, at the
first meeting in the year, or when the need arises because of changes within the organization.
The quality policy statement is part of the quality management system documentation [see clause
4.2.1(a) and the example quality policy statement on page 41].
There is no requirement for the quality policy statement to be included in the quality manual.
However, it is good practice for the quality policy statement to be made into a ‘stand-alone’
document and displayed at strategic points within the organization. It should be written on the
organization’s headed paper, be signed by one or more members of top management and
dated, thus signifying its importance and providing evidence to all employees and other
interested parties that top management is committed to the organization’s quality management
system.
The standard does not require a quality policy statement to be issued to all employees, but it
often is, and managers are encouraged to discuss its implications with the people for whom
they are responsible.
• at the planning stages across the whole spectrum of an organization’s activities, this
includes setting quality objectives that are relevant for satisfying the requirements for
the manufacture of a product or the provision of a service;
• after implementation of the quality management system or, if this has already been
implemented, after the introduction of any new processes. Feedback from these
activities might identify the need for changes to be made to quality objectives or the
introduction of additional quality objectives.
Different organizations pursuing different activities will choose different targets to focus on
depending on what is most important to the organization.
First group of quality objectives: immediately following implementation of a quality
management system
In the first group of quality objectives the following are given as examples:
• all staff will act in a professional and courteous manner at all times; (Since all quality
objectives must be measurable, this would require a carefully worded questionnaire
to be sent to all customers, or at least to a representative sample. After completion of
the questionnaires, they must be carefully analysed to provide evidence of
professionalism and evidence of courtesy as perceived by the customers.)
• a senior manager will review all staff annually;
• during the first production runs of a new product, at least 90% will successfully pass
the final inspection tests;
This group of quality objectives can only emerge following the collection and analysis of data
after implementation of the (integrated) quality management system.
Measurable quality objectives might, for instance, relate to maintaining or improving performance
in any or all of the areas referred to below. The list is not intended to be exhaustive.
Nonconformities can arise in every organization from a number of causes: management failure,
organizational failure, technical failure, and human failure. Any experienced quality
professional knows that identifying nonconformities and dealing with them effectively will
result in improved performance.
A blame-free culture is no longer acceptable. There must be no cover-ups at any level within the
organization. What is needed is first-class management, which can deal with nonconformities in
an appropriate manner. One-off nonconformities by individuals must, of course, be dealt with in
a sympathetic but effective manner.
The first task is to ensure that any nonconformity, once recognized, is documented in a
systematic manner. All nonconformities should be documented using a suitable form. This form
should clearly identify the nonconformity and in the case of failure by an individual, the person
must be clearly identified, whatever their standing within the organization. In a hospital, for
example, if a nurse fails to carry out defined tasks, the name of the nurse must be clearly
stated on the nonconformity form. The name of the person responsible for the corrective
action taken must be stated and, if possible, the date by which the corrective action is to
become effective. Any proposed preventive action taken or planned must likewise be
recorded. Verification that such actions have been carried out satisfactorily must be validated
by the management representative or someone on their behalf.
Top management will ensure that the number and nature of all such nonconformities are
discussed at planned management review meetings. Consideration will then be given to setting
new quality objectives in connection with the identified nonconformities as a means of
providing objective evidence that continual improvements in the effectiveness of the quality
management system are being sought.
The aforementioned sequence of events is really no different from what happens at present
within a good organization that has already achieved accredited certification.
Reduction in number of customer complaints
The detection of nonconformities inside an organization during all the processes should keep
the number of customer complaints to a low level. A ‘no complaints’ objective is unrealistic:
some complaints will always occur as a result of occasional human failure. More seriously,
complaints might arise if the actual product or service provided does not satisfy customer
needs and expectations for other reasons.
All customer complaints, however trivial and whether justified or not, should be recorded on a
suitable form, usually referred to as a customer complaints form. This should clearly identify
the nature of the complaint, who is complaining and when the complaint was received. The
necessary corrective actions must be taken and fully documented and, when deemed
necessary, any preventive actions should be identified to prevent similar occurrences in the
future. Once again, all actions taken need to be validated by the management representative
or another responsible person.
Top management should discuss the number and nature of customer complaints at planned
management review meetings. Consideration should always be given to setting a lower
maximum number of complaints in the ensuing year.
Improvements in warranty
Whatever warranty is currently on offer, there may be opportunities to improve it in some way.
Apart from any rights established in common law and statutory rights, organizations have
warranties, which fall into several categories:
Full warranty, which usually includes parts and labour, postage, etc., covered for specified
periods of time. A quality objective might be to be able to extend the lifetime of the present
full warranty in, for example, a year’s time.
A partial warranty usually excludes labour costs. The feedback from customers in connection
with the warranty will provide useful information on the quality of a product or service and on
customer satisfaction. A quality objective might be to improve this partial warranty.
First, data need to be collected on the delivery times for a product and/or for delivery of a
service to a customer. If delivery times are not what were expected or agreed, investigations
should be conducted with the objective of ensuring that in future such shortcomings will not
occur. Thus, a quality objective could be to ensure that all promised delivery times are adhered
to. If there is objective evidence that products are delivered on time, or a service is provided as
scheduled, then a quality objective might be to shorten the delivery times from a specified
date in the future.
Finally, are the arrangements for delivery of a product to a customer satisfactory, e.g. in terms
of damage? If there is any evidence from any source that this is not the case, data need to be
collected and analysed, with the purpose of setting targets for improvement in the safe delivery
of products and/or services. Any such target could become a quality objective.
Improvements in customer satisfaction
Many good organizations have been monitoring customer satisfaction for some time and this is
now a requirement of ISO 9001 (see clause 8.2.1). However, if customer satisfaction is to
become a quality objective, means must be found to measure customer satisfaction. This is
much more difficult and, presumably, this is the reason why measurement of customer
satisfaction, which was included in the earlier drafts of the new standard, was finally changed
to monitoring of customer satisfaction.
Top management must ensure that the integrity of the quality management system is
maintained when changes to it are planned and implemented.
ISO 13485 adds a further sensible requirement, namely that top management must also
establish the interrelation of all personnel who manage, perform and verify work affecting
quality, and must ensure the independence and authority necessary to perform these tasks.
One simple and effective method of doing this is for an organization chart to be issued. This, as
explained earlier, can be another policy document, the issue number of which can be increased
by one each time a change takes place. There is no need for names of staff to be included in
the organization chart but, within the framework of the specified organization, the
responsibilities and authorities of senior staff must be made known throughout the organization.
In the case of the manufacture of medical devices, national or regional regulations might require
the nomination of specific persons as being responsible for activities related to monitoring
experience from the post-production stage, including adverse events (see clauses 8.2.1 and 8.5.1).
A management representative might have other responsibilities as well, such as liaison with
external parties on the quality management system.
In practice, a management representative plays a key role in the quality management system of
an organization. Typical responsibilities in addition to (1), (2) and (3) above are:
4. (in consultation with others) arranging the internal audit programme, the internal
quality audits, and any consequential corrective and preventive actions;
6. dealing with customer and stakeholder complaints, corrective and preventive actions;
10. collection and analysis of data for presentation to the management review meetings;
Top management can choose whatever methods are considered to be most effective in
establishing first-class communications with its staff on the effectiveness of the quality
management system. These might include:
• general meetings held on a regular basis with all staff, i.e. departmental meetings;
• meetings which focus on ‘feedback’ from staff through individual presentations,
written submissions or representations;
• meetings on the suggestion scheme awards, ‘merit recognition’ meetings;
Top management should encourage any aspect of the organization’s quality management
system to be discussed by whatever methods seem appropriate in different circumstances.
Top management must review the organization’s quality management system, at planned
intervals, to ensure its continuing suitability, adequacy and effectiveness. The review must
include assessing opportunities for improvement and the need for changes to the quality
management system, including the quality policy and quality objectives.
There is no requirement regarding the frequency of management reviews. The organization can
decide for itself the planned interval between such reviews. However, it is evident that reviews
that are held only annually cannot be of any real value to an organization and certainly cannot
enable top management to be in control of its quality management system. Moreover, by holding
such infrequent reviews, top management is depriving itself of a most valuable management tool.
Extraordinary management reviews may be called at any time by top management, but the
standard agenda need not be used on such occasions. The management representative will play
a leading role in the preparations for the management reviews and in the ensuing discussions.
Management reviews must be recorded. The customary method is by means of minutes that
include the findings of the reviews, the actions to be taken and the names of persons
responsible for carrying through such actions by specified dates. Records of all management
reviews become part of QMS records (see clause 4.2.4).
The standard identifies items for inclusion in the agenda of management reviews (see clause
5.6.2) and through the output clause (see clause 5.6.3) requires decisions and corresponding
actions to be identified. Many organizations hold management review meetings based on a
comprehensive agenda, and proper minutes of the meetings are prepared in which decisions
are recorded with accompanying actions and dates for completion.
(h) new or revised regulatory requirements (in connection with medical devices and
related services).
(It seems that (h) could be added to ISO 9001 with reference to all new or revised regulatory
requirements in general.)
The more logical sequence for a review meeting input is: (e), (a), (c), (d), (b), (g), (f) and (h) as
shown below:
(e) follow-up actions from previous management reviews;
7. Product conformity
8. Nonconformities
• Training needs
• Evaluation of training
• Skills testing
16. New or revised regulatory requirements or any other factors that could affect the
quality management system.
[Organization chart: Chief Executive; Managing Director; Financial Director; Management Representative; Shift Managers; Day Managers; Production Line Staff]
Quality Policy
Company A is a privately owned company that employs about 1,000 people in a modern
factory. Many of its employees are highly qualified and work on the fringes of modern
science and technology. They are supported by a highly competent workforce. The
company produces a range of sophisticated medical equipment all of which complies with
regulatory requirements. It also provides a range of mass produced items of medical
devices, which are provided for more general care of patients in hospitals.
A short time ago top management decided to improve its image in the marketplace by
seeking accredited certification to two quality management systems standards, ISO 13485
and ISO 9001. External auditors from a certification body recently came to the factory and
at the conclusion of the visit we were advised that the company’s operations did in fact
satisfy the requirements of these standards. Top management is proud of these successes,
which would not have been achieved but for the hard work done by all employees.
All staff are fully aware of the prime importance of ensuring that our medical devices and
related services consistently continue to satisfy customer requirements as well as any
applicable regulatory requirements, as required by ISO 13485.
Since the company has also been certificated against ISO 9001 standard, subject to the
overriding requirements of ISO 13485 referred to above, the company will also strive to
continually improve the effectiveness of its quality management system and thereby
through increased efficiency, etc. enhance customer satisfaction.
The company has measurable quality objectives in place, overall quality objectives and
objectives for each department. These are reviewed on a regular basis in a systematic
manner at management review meetings.
(Page 1 of 1)
Quality Objectives
Company A sets measurable quality objectives that are reviewed at six monthly intervals.
Some objectives will be set for top/higher management while others will be set at lower levels.
The objectives are agreed with the staff directly responsible for achieving the objectives.
All objectives are made known to all staff shortly after the objectives have been set.
The first round of objectives has recently been set by top management and is stated on
the accompanying sheet, Page 2 of 2.
The objectives will be reviewed at a management review meeting. The individuals directly
concerned may be asked to attend the relevant part of the meeting.
Objectives are not intended to be punitive. They are intended to improve the effectiveness
of working. Sometimes objectives will not be met for reasons outside the control of an
individual. In such cases management will take appropriate measures in the hope that the
adverse events will be prevented from happening again.
Top management will be pleased to hear directly from any member of staff who would like
to suggest an objective for themselves or for their department. All suggestions will be
considered in confidence and top management will respond directly to all suggestions.
Date: Signed:
Chief Executive, Company A
(Page 1 of 2)
Quality Objectives
1. Ensure that all staff act in a professional and courteous manner at all times.
2. Ensure that Senior Managers review the performance of their staff annually in
accordance with a set procedure.
3. During the first production runs of a new product, at least 90% will successfully pass
the final inspection.
4. During routine servicing of equipment, a checklist will be used, and no aspect of
servicing will be ‘missed’, as confirmed by an independent inspector.
5. Initially record the number of nonconformities raised, in different categories, over a six
month period, with a view to seeking improvements in the future.
6. Initially record the number of customer complaints received over a six month period.
Other objectives will be introduced as and when considered appropriate in the light of
experience.
Date: Signed:
Chief Executive, Company A
(Page 2 of 2)
Chapter 6:
Resource management (clause 6)
When medical devices are being manufactured or when related services are being provided,
the prime consideration must be in the interest of safety, to ensure that the quality
management system is effective in achieving the specified objectives.
In ISO 9001, there is a need to provide resources to continually improve the effectiveness of the
quality management system. This is a desirable aim for all organizations and there should be no
difficulties in this respect provided that the prime objectives are given the necessary consideration.
(b) to meet regulatory and customer requirements.
Once again the prime requirement in (b) must be met. The ISO 9001 requirement to enhance
customer satisfaction by meeting customer requirements must take second place to the first
requirement, but the two are not incompatible.
Once a suitable person has been chosen, training can be given in a particular task or activity.
Any training must be evaluated to determine whether the actions taken have been effective in
making an employee competent in the clearly defined tasks. Evaluation of training is a new
requirement in ISO 9001.
All employees, whatever their status in the organization, must be made aware of the relevance
and importance of the work that they are doing in contributing towards achieving the quality
objectives of the organization (see clause 5.4.1). Many good employers already do this during
the induction process for new employees when the quality management system of the
organization is explained and discussed.
Appropriate records must be maintained on all staff in terms of education, qualifications,
training, experience and competency skills, as well as the evaluation records of any training
courses undertaken. Such records are maintained as QMS records (see clause 4.2.4).
If medical devices are being manufactured, national or regional regulations might require the
organization to establish documented procedures for identifying training needs.
(c) the necessary supporting services such as cleaners and communications services.
Both (d) and (e) could be introduced to ISO 9001 with advantage.
• safety of individuals;
• ergonomics of working;
Management must clearly take into consideration any unusual requirements that are necessary
to achieve the planned results. For example, clean rooms may be required for certain
manufacturing processes. In other cases, sterile conditions are necessary. Whatever is the case,
management must make certain that appropriate controls are in place to ensure that the
planned work environment is maintained.
The following requirements must apply when medical devices or related services are being
considered.
(a) The organization must establish documented requirements for health, cleanliness and
clothing of personnel, if contact between such personnel and the product or work
environment could adversely affect the quality of the product (see clause 7.5.1.2.1).
(b) If work environment conditions can have an adverse effect on product quality, the
organization must establish documented requirements for the work environment
conditions and documented procedures or work instructions to monitor and control
these work environment conditions (see clause 7.5.1.2.1).
(c) The organization must ensure that all personnel who are required to work temporarily
under special environmental conditions within the work environment are
appropriately trained or supervised by a trained person [see clause 6.2.2 (b)].
(d) If appropriate, special arrangements must be established and documented for the
control of contaminated or potentially contaminated product in order to prevent
contamination of other product, the work environment or personnel
(see clause 7.5.3.1).
None of these requirements would be incompatible with the general requirements in clause
6.4 of ISO 9001.
Chapter 7:
Product realization (clause 7)
A quality plan must identify every activity that is necessary in order to meet the requirements
for a product or a service. A quality plan must state whether any design and development work
is necessary and, if this is the case, how this will be carried out and by whom. This will
culminate in a design proposal that will also need to be verified and identify the individual(s)
involved (see clause 7.3). All processes that are an integral part of the quality management
system of an organization need to be identified (see clause 4.1). Appropriate documentation
(such as flow charts, procedures, work instructions, forms, external documents, engineering
drawings and specifications) must be provided, as is considered necessary to control all the
processes. A quality plan must include measurable quality objectives that are set at relevant
functions and levels within the organization (see clause 5.4.1). Human and physical resources
(including any specific skills or facilities, e.g. software design or clean rooms) specific to the
product, or service, must be identified. Questions have to be answered as to how the product
or service will be validated within the limitations of any practicalities. What monitoring,
inspection and test activities specific to the product or service will be carried out? Which
monitoring and measuring devices need to be calibrated and their calibrations linked to
international standards? What criteria have been established for acceptance of the product, or
service, by the customer? If an organization decides to outsource any process that can have a
bearing on the quality of a product, or a service, the organization must ensure control over
such processes. Examples of outsourcing are delivery, installation, and routine servicing of a
product. All are often carried out by a third party on behalf of a manufacturer. Decisions are
required on the records that will be kept. Such records (QMS records – see clause 4.2.4) will
provide objective evidence that all major and lower-level processes operated as planned.
Other records will give confidence that the product, or service, satisfies the customer
requirements.
If planned changes to the quality management system are implemented, the integrity of the
quality management system must be maintained [see clause 5.4.2 (b)].
Any quality plan should be structured so that everyone is made aware of the continual need to
improve the effectiveness of the quality management system; and suggestions for such
improvements should always be welcomed through recognized channels by top management.
If medical devices are being manufactured an organization must establish documented
requirements for risk management throughout product realization. Risk management is the key
to determining the nature and amount of activity in many parts of a quality management
system in which medical devices are being manufactured.
Records arising from risk management must be maintained (see clause 4.2). See ISO 14971 for
guidance related to risk management.
The requirement to document in ISO 13485 is an improvement on the ISO 9001 wording.
The requirements of any contract or order that is different from earlier agreed requirements
must be resolved to the mutual satisfaction of the customer and the organization. The
organization must be satisfied that it is able to meet any newly agreed defined requirements.
The records of the results of any review and any actions arising from the review must be
maintained (see clause 4.2.4).
In the case of verbal orders, a customer’s requirements should be explicitly agreed before
acceptance of an order. This can be achieved by reading back a customer’s requirements on
the telephone to the customer. Written evidence of what was read back is recommended,
with the signature of the person taking the order and the name of the person placing the order,
together with any other relevant information. A much better arrangement is that all the
relevant information concerning a verbal order is sent back to the customer by fax or letter
confirming the acceptance of the order. Some organizations refuse to accept verbal orders.
When product requirements are changed, all relevant documentation must be amended and
relevant personnel must be advised accordingly.
In some situations, such as straightforward sales involving perhaps hundreds or thousands of
products, formal reviews for each order are clearly impractical. In such cases, the reviews can
cover product information by reference to sales literature such as catalogues, to ensure that all
the relevant information is made known to a purchaser, so that there can be no intention of
misleading potential buyers.
In the case of large and complex contracts, mutually acceptable arrangements for
communications between the two parties are usually agreed and rigorously implemented in the
interest of both parties. Sometimes, in the case of very large organizations, e.g. a nuclear
power station, only one-to-one named contacts are permitted for all communications on large
and complex contracts.
Note that ‘development’ has been included. Many organizations do not carry out design work,
but some will almost certainly carry out development work on an existing design. Sometimes
development work takes place during the preparation of a new design, especially when the
design uses ideas and concepts that have not yet been put into practice. Thus, care needs to
be exercised in excluding this clause from the scope of the quality management system (see
Chapter 9).
In the case of any proposed new design and development work, the organization is required to
establish a design and development plan. Planning must identify:
(c) the responsibilities and authorities for design and development work.
Note that design transfer activities (b) during the design and development process ensure that
design and development outputs are verified as suitable for manufacturing before final
production specifications are agreed.
The interfaces between different groups of people involved in the design and development
work must be managed properly to ensure effective communication between different groups.
As each stage in the design and development progresses, staff responsible for other stages of
the design and development must be routinely informed of changes. Throughout all the design
and development stages, there must be ongoing clarification of where responsibilities begin
and end.
The design and development planning output must be documented and updated as
appropriate as the design and development evolves (see clause 4.2.3). ISO 9001 does not
specify this, but it is implied and the author believes that it would be a good idea to introduce
it at the next revision stage.
Requirements must be complete, unambiguous and not in conflict with each other.
The agreed design input specification may prove to be unsatisfactory when the details of the
design are being considered. If there is a need to deviate from the agreed design input
specification discussions must take place with all interested parties (customer, regulatory
authority, etc.) and formal approval sought and obtained for a revised design input specification.
(d) specify the characteristics of the product or service that are essential to ensure that the
product is inherently safe, when used properly (or it is safe in the manner intended,
when the service is delivered).
The outputs from the design and development teams must be documented in a manner that
enables verification against the design and development input requirements.
Design and development output documents must be approved prior to release. Records of
design and development outputs must be maintained (see clause 4.2.4). (ISO 9001 does not
specify this requirement, but it is implicit.)
Note that such output records can include specifications, manufacturing procedures,
engineering drawings, and engineering or research log books. (ISO 9001 does not specify what
records must be kept.)
(b) identify any discrepancies and problems and propose any necessary actions.
The reviews must include representatives of the functions concerned with the design and
development stage or stages being reviewed, as well as other specialist personnel (see clauses
5.5.1 and 6.2.1).
(In ISO 9001 there is no specific reference to other specialist personnel, but any organization
would ensure that the review would include specialist personnel, if considered appropriate.)
In complex designs, e.g. a nuclear power station, there will be many design reviews held on a
regular basis, whereas with a simple project only one final design review may be considered to
be necessary.
The findings of reviews and any subsequent follow-up actions must be recorded and
maintained (see clause 4.2.4).
Verification must be conducted in accordance with planned arrangements to ensure that the
design and development outputs have indeed met the design and development input
requirements.
Common sense should prevail over the degree of verification that is to be undertaken. If the
design is a major one for a project involving a considerable amount of money and, perhaps,
with considerable risks in terms of health and safety, etc. then verification of the design must
be carried out by appropriate staff that have not been involved with the design hitherto. In
some cases, the verification of the design for a major project should be sought by submitting
the design to an external body. When verification has been successful it gives confidence to all
interested parties that the design and development requirements have been met. If no such
verification has taken place and if the design and development has not met the input
requirements then a project might be in jeopardy.
Recently there have been a few cases in which the effective application of this clause might
have prevented failures and unnecessary further expenditure.
In the case of a relatively trivial design and development of a product or provision of a service,
in which health and safety are not involved, simple checks by a colleague may be all that is
required. In such cases there may be only one final design verification.
Records must be maintained of all such design and development verifications and follow-up
actions (see clause 4.2.4).
It is very important to emphasize that all the previous clauses of 7.3 have to be addressed
before a product is manufactured or a service is provided. Up to this stage, there is no actual
product and no service has been provided.
Design and development validation of medical devices must be performed in accordance with
planned arrangements (see clause 7.3.1) to ensure that resulting product is capable of meeting
the requirements for the specified application or intended use. Validation, if possible, must be
completed prior to delivery or implementation of the medical device. If a medical device can
be validated only after assembly and installation at the point of use, delivery is not considered
to be complete until the product has been formally transferred to the customer.
As part of design and development validation for medical devices, the organization must
perform clinical evaluations and/or evaluation of performance of the medical device, as
required by national or regional regulations. Provision of the medical device for purposes of
clinical evaluations and/or evaluation of performance is not considered to be delivery.
The requirements for validation of product in ISO 9001 are similar but are not as explicit. The
product or service must be tested in use in the specified circumstances and if multiple uses or
applications are intended, then each use or application must be checked against previously
agreed criteria and conditions.
Product validation can also be in the form of prototype testing or commissioning trials under
controlled conditions.
Design validation does not have to be carried out by the design organization. It is sometimes
impossible for a manufacturer to validate a final product so a validation has to be carried out
before a production run. For instance, a printed circuit board (PCB) manufacturer will in some
cases receive a circuit diagram from a purchaser, turn it into a prototype circuit following the
stages referred to above, and then send it to the purchaser for validation prior to the
production run. It may be impossible for the manufacturer to validate the design
independently, because the PCB is usually part of a greater design and the manufacturer does
not have the equipment, knowledge and experience. In such cases, validation by the
purchaser is perfectly acceptable.
Service validation can be testing of the service under controlled conditions. For instance, in the
case of the design of an Ambulance Service, it is not normally possible for the designers to
validate the design themselves. Only the Ambulance Service itself acting under controlled
conditions can do this.
The results of all validations of medical devices and subsequent follow-up actions must be
recorded and held as QMS records (see clause 4.2.4).
It is recognized that it may become necessary to make changes to a design during any of the
design and development stages referred to above. Either the organization or the customer can
propose changes, provided in the case of ISO 13485 that regulations continue to be satisfied.
However, all suggestions for a change must be identified clearly, fully documented and
controlled. Any proposed changes must be authorized by previously agreed named persons
representing the customer and the organization. The proposed changes must include
evaluation of the effect of the changes on constituent parts as well as the effects on products or
services that have already been delivered. Arrangements must also be made for reverification
and revalidation, as is considered appropriate, and agreed by all interested parties before
changes to the design are approved.
The results of the review of changes and subsequent follow-up actions, including details of any
reverifications and revalidations, must be documented and held as QMS records (see clause
4.2.4).
Organizations may choose the ways in which suppliers and subcontractors are evaluated, but
the criteria for evaluation and selection and, if necessary, re-evaluation must be defined. The
results of evaluations and selections and any subsequent follow-up actions must be recorded
and held as records (see clause 4.2.4).
After evaluation and selection many organizations generate an approved list of suppliers and
subcontractors. Some also have a temporary list. The temporary list includes suppliers and
subcontractors that are being used that will probably be transferred to the approved list in due
course. Transfer can take place after a satisfactory track record has been established, or after a
Some organizations also have a non-approved list, which includes suppliers and subcontractors
that have not met the required standards of the organization. The non-approved list reminds
all employees that orders must not be placed with suppliers and subcontractors on this list. The
performance of chosen suppliers should be reviewed on a regular basis and the lists should be
updated as necessary. Evidence of updating should be available.
Sometimes an organization may have to use a specific supplier or subcontractor, named by its
customer, as one of the conditions of placing an order or awarding a contract. Clearly, in such
cases the customer must accept some responsibility if the supplier or subcontractor defaults on
requirements that have a bearing on the final quality of the product, or the quality of the
service being provided.
Suppliers and subcontractors that provide products and/or services that are unlikely to have
any bearing on the quality of the product and/or service provided by the organization need not
be subjected to the same scrutiny.
Some organizations find that as a result of implementing these requirements, an opportunity is
provided to decrease the number of suppliers and subcontractors with consequential savings in
administration.
Most organizations clearly describe on their purchase orders (and associated documents, if any)
what is required and have designated levels of authority to review and approve such orders.
This is not a very onerous requirement. In simple cases it is implicit that the person signing the
order has, as a minimum, looked over the order and given an approval of adequacy, as would
be the case for standard off-the-shelf items, which are unlikely to pose problems. However, in the
case of complex orders for a manufactured product or a sophisticated service, the organization
might have to impose some sort of checklist, each section of which would have to be signed
off by named signatories, before a final signature is added by, e.g. a purchasing manager, or, in
the case of very big orders, by a director of the organization. Each organization must decide for
itself what is appropriate for its own circumstances within the remit of the standard.
Where traceability is required (see clause 7.5.3.2), the organization must maintain relevant
purchasing information, i.e. documents (see clause 4.2.3) and records (see clause 4.2.4).
There are no explicit requirements of this sort in ISO 9001, but they can be adopted if
traceability is required.
Any such verification by a customer must not be used by the organization as evidence that the
supplier has an effective quality management system in place for effective control of the quality
of its products or services. It could be that by devious means the supplier or subcontractor has
provided excellent quality of product or proved excellent provision of service for the visiting
customer, but the lack of proper quality control may have been hidden from the customer.
Thus, the onus remains with the organization to satisfy itself that effective quality controls are
in place.
Such verification does not in any way absolve the organization of its responsibilities to the
customer to make a satisfactory product, or provide a satisfactory service in accordance with
the specification referred to in the order placed by the customer. Moreover, it does not stop
the customer from rejecting the product supplied or stating that the service provided is not
satisfactory.
ISO 13485 additionally requires that QMS records of the verification must be maintained (see
clause 4.2.4). ISO 9001 imposes no such requirement. In practice, such records of verification
are imperative and in the interest of the organization.
(a) the availability of information that describes the characteristics of the product;
(b) the availability of documented procedures, documented requirements, work
instructions, reference materials and reference measurement procedures as necessary;
ISO 9001 requires only the availability of work instructions, as necessary; but the
application of (b) is acceptable.
(c) the use of suitable equipment;
The release, delivery and any post-delivery activities must be conducted only in
accordance with previously agreed procedures.
All the above activities should have been planned in accordance with clause 7.1 before
manufacture of a product or provision of a service begins. The controls should have ensured
that planned provisions have been adhered to in all respects.
Servicing and maintenance arrangements may be included as part of the original quality plan,
or they may be agreed between the two parties at a later stage. The organization must establish
and maintain a record for each batch of medical devices to provide traceability to the extent
specified in clause 7.5.3 and identify the amount manufactured and approved for distribution.
The batch record must be verified and approved. A batch can be a single medical device.
The last paragraph applies to medical devices but could be applied equally well under
ISO 9001 for other products, if only to provide useful information to top management.
Control of production and service provision – Specific requirements (clause 7.5.1.2)
The organization must establish documented requirements for cleanliness of product if:
(a) product is cleaned by the organization prior to sterilization and/or its use; or
(c) product is supplied to be used non-sterile and its cleanliness is of significance in use; or
The whole of clause 7.5.1.2.1 can be applied to other products under ISO 9001 if considered
applicable.
Installation activities (clause 7.5.1.2.2)
Records of installation and verification performed by the organization or its authorized agent
must be maintained (see clause 4.2.4).
The whole of clause 7.5.1.2.2 can be applied to other products under ISO 9001, if considered
applicable.
Servicing activities (clause 7.5.1.2.3)
If servicing is a specified requirement, the organization must establish documented procedures,
work instructions and reference materials, and reference measurement procedures, as
necessary, for performing servicing activities and verifying that they meet the specified
requirements.
Records of servicing activities carried out by the organization must be maintained (see clause 4.2.4).
Note that servicing can include, for example, repair and maintenance.
The whole of clause 7.5.1.2.3 can be applied to other products under ISO 9001, if considered
applicable.
The organization must maintain records of the process parameters for the sterilization process
that was used for each sterilization batch (see clause 4.2.4). Sterilization records must be
traceable to each production batch of medical devices (see clause 7.5.1.1).
The whole of clause 7.5.1.3 can be applied to other products under ISO 9001, if considered
applicable.
If an organization is able to demonstrate that all of its product or service output can be
validated by subsequent measurements or monitoring to prove that the planned output results
have been achieved, clause 7.5.2 can be justifiably excluded.
The organization must validate any production and service processes when subsequent
measuring or monitoring cannot readily or economically verify the resulting output. Such
processes must be continually monitored and controlled by specially trained staff. This includes
any processes where deficiencies become apparent only after the product is in use or the
service has been delivered.
Examples in which process validation is imperative follow. In all such cases, proving what has
been achieved in a particular case will result in the output being damaged or completely
ruined.
• Paint spraying (of vehicles) – the process of checking that the required layers of paint
have actually been applied will ‘break’ the surface of the paints.
• Sterilization of products – opening a particular sterilized package to check whether
sterilization has actually been achieved results in a package which has to be sterilized
again before it can be used as intended.
Instead, strict measures are usually in place such as specially trained practitioners, special
equipment and devices, and processes/procedures that have to be rigidly followed to ensure
that the planned results are in fact achieved. Validation shall demonstrate the ability of
processes referred to above to achieve planned results.
The organization shall establish arrangements for these processes, which must include, as
applicable:
(a) the qualification of the processes, i.e. defined criteria for review and approval of
the processes;
(b) approval of equipment and qualification of personnel;
The organization must establish documented procedures for the validation of the application of
computer software (and changes to such software and/or its application) for production and
service provision that affect the ability of the product to conform to specified requirements.
Such software applications must be validated prior to initial use.
The last two additional paragraphs of clause 7.5.2.1 can be applied to other products under
ISO 9001.
There is no such clause in ISO 9001, but what is specified under ISO 13485 is standard
practice with sterilization of non-medical devices.
The organization must identify the product by suitable means throughout product realization,
and must establish documented procedures for such product identification.
The organization must establish documented procedures to ensure that medical devices
returned to the organization are identified and distinguished from conforming product [see
clause 6.4(d)].
There is no corresponding requirement in ISO 9001 for a documented procedure, but such an
inclusion in ISO 9001 would be an advantage. Likewise, the requirement for documented
procedure(s) in ISO 9001 for identification of returned products, other than medical devices,
can only be to the advantage of the organization.
The organization must establish documented procedures for traceability. Such procedures must
define the extent of product traceability and the records required (see clauses 4.2.4, 8.3 and
8.5). Where traceability is a requirement, the organization must control and record the unique
identification of the product (see clause 4.2.4).
In the case of ISO 9001, if traceability is explicitly required, the organization must control and
record the unique identification of individual items, or batches of items, as appropriate. Whilst
traceability is paramount in some cases, it can also be useful in much less onerous
circumstances. For example, in the case of a cleaning service, an organization often considers it
useful to be able to identify what particular cleaners did on certain dates and, thereby, be able
to provide full traceability on the service provided.
An organization can similarly decide how traceability is to be achieved. It is advisable to
maintain records of all traceability data used (see clause 4.2.4). If traceability is a requirement,
the QMS records become mandatory.
Certificates of conformance
Product realization (clause 7)
special requirements of the importing country, then the manufacturer will issue a certificate of
conformance. The certificate will give the part number, the serial or batch number, and a
reference number that enables the certificate to be linked to the approving aviation authority.
The certificate will be signed by an approved inspector and dated. A copy of the certificate will
be provided to the end-user but it does not exonerate them from their responsibilities in any
way; it merely provides full traceability back to the manufacturer in the event of any untoward
developments.
Similarly, certificates of conformance can be issued for second-hand parts in a ‘new’ condition,
which have been removed from a serviceable unit that has not previously been subjected to
excess wear or conditions of service.
A stockist will often accept responsibility that the product supplied conforms to a specification
and will issue a certificate of conformance accordingly to the customer. In the event that
doubts are raised about the product, the stockist will refer any queries back to its supplier.
Test certificates
In order to promote confidence in a manufacturer’s products, a manufacturer may issue a test
certificate with a product. One such test certificate reads:
The product described above and supplied against the defined order has been tested
in accordance with [the manufacturer’s] procedures and is verified as being
compliant with the requirements of the relevant [instrument] specification.
Details of the device are included on the test certificate along with the relevant test
measurements. Such test certificates should not be confused with calibration certificates, which
enable any measurements made to be traced back to a national standard.
Certificates of conformance are sometimes supported by test certificates. For instance, a test
certificate in the aircraft industry will include appropriate codes that give the chemical analyses
of the material of the ingots from which batches of product have been made. The codes might
also be engraved or embossed on the final end product. The test certificates often give the
mechanical properties of the material used, such as tensile strength, yield, results of impact
tests and hardness. The test certificate will refer to relevant national and international
standards. An authorized representative will sign it on behalf of the manufacturer.
There is no requirement in ISO 9001 for a documented procedure but such an inclusion in
ISO 9001 would be an advantage.
Particular requirements for active implantable medical devices and implantable medical
devices (clause 7.5.3.2.2)
In defining the records required for traceability, the organization must include records of all
components, material and work environmental conditions, if these could cause the medical
device not to satisfy its specified requirements.
The organization must require that its agents or distributors maintain records of the distribution
of medical devices to allow traceability and make them available for inspection. Records of the
name and address of the shipping package consignee must be maintained (see clause 4.2.4).
This clause is explicitly applicable to medical devices, but the more general requirements
regarding traceability are equally applicable under ISO 9001 to other high risk products, such
as aircraft parts, where full traceability is required.
The organization must identify the product status with respect to monitoring and measurement
requirements.
The identification of product status must be maintained throughout production, storage,
installation and servicing of the product to ensure that only product that has passed the
required inspections and tests (or released under an authorized concession) is dispatched, used
or installed.
This would also appear to be an excellent requirement in connection with ISO 9001 activities.
Customer property can be a part (or parts) that a customer wants the organization to
incorporate into one of its products or wants the organization to use in one of its services. It
can also be material provided by a customer for activities related to the work that the
organization is doing for the customer. This includes intellectual property such as software
provided by a customer.
The organization must ensure that due care is exercised with customer property and material
at all times whilst it is under its care or use. When they are being incorporated into the
product or services of the organization, the organization must ensure that this property or
material is identified, verified, protected and safeguarded. Likewise, when material is being
used by the organization for related activities, the same care must be taken of the customer’s
property.
Any confidential information provided by a customer must be respected. An organization is
expected to communicate immediately with a customer in the event of problems concerning
customer’s property.
Customer property for incorporation into a product or in the provision of a service
Once the erasers are delivered to the organization, the onus is on the organization for
controlling, identifying, verifying, storing and safeguarding the customer’s property. Questions
may be asked such as:
• Are the erasers what they are supposed to be?
• Are the arrangements for storage satisfactory and are the erasers being looked
after properly?
• Is the temperature of the store in which they are being kept too high?
There are many other occasions when customer property is not incorporated into the
organization’s product, but is provided by the customer for a related activity.
In the case of a taxi or hire car, the baggage of the customer that is to be transported with the
passengers is customer property in connection with the transportation service being provided.
Another example is a garage that receives customer property, a car, so that the garage can
undertake a routine service.
Products sent to an organization for sterilizing are another example of customer property in
relation to the sterilization service being provided by the organization.
Customer property for incorporation into product and for related activities
Sometimes it might be argued that customer property can be provided for incorporation into
the organization’s products and for a related activity. For instance, with a film processing
organization, one might argue that undeveloped film is supplied for incorporation into the
organization’s products because the information stored in the film appears in the colour prints.
One might also argue that the film is provided for related activities, i.e. the provision of colour
prints. Whatever argument prevails, the undeveloped film is customer property.
In the case of ISO 9001, intellectual property might be confidential health information, if the
standard is being applied to hospitals, nursing homes, residential care homes and other
organizations.
Lost/damaged/unsuitable customer property
Any customer property that is lost, damaged or otherwise found to be unsuitable for use must
be recorded and reported to the customer. This includes intellectual property, e.g. information
provided in confidence.
During the manufacture of a product, an organization must preserve its conformity and any
constituent parts at each stage throughout the major process and during all subsequent stages
such as handling, packaging, storage, preservation and delivery to the intended destination.
Identification
Once a product or service has been suitably identified, the identification must be preserved
until it has been delivered to the intended destination.
The methods used for identifying product, labels, any writing made directly on packages, etc.
must be suitable for their intended purpose. For example, labels must remain affixed to the
packages and any written identification must be done with indelible and waterproof pens.
Handling
The onus is on the organization to devise methods of handling that protect the product from
damage or deterioration.
Packaging
The organization must have controls in place that ensure that any packing or packaging is
adequate to prevent any damage that would result in the product being unacceptable to a
customer.
After final inspection and test, all packaging must be of a suitable nature to provide protection
against damage whilst within the confines of the organization.
Storage
Storage areas need to be systematically allocated and organized to prevent damage or
deterioration of product whilst it is awaiting use or dispatch. Stock that is likely to deteriorate
with time should be clearly marked so that it can easily be reviewed at appropriate intervals.
Product should only be received, or dispatched, when the specified documentation is
available. Any goods received without proper documentation should be rejected immediately,
i.e. not admitted to stock, or placed in a quarantine area pending further investigation by
management.
Preservation
An organization must ensure that all its products remain undamaged up to the time of their
delivery to customers. This is particularly important in the case of more vulnerable products
that can be damaged easily if the packaging is inadequate or if the storage area is unsuitable.
Consideration needs to be given to controlling environmental conditions such as temperature,
humidity, lighting, and static electricity. In the case of the presence, or possible presence, of
static electricity, these conditions may require special packaging and storage for certain
products to prevent electrostatic damage to them.
All stock must be appropriately segregated until it is used or dispatched. Similarly, incoming
stock must be carefully segregated and preserved until it is required for use.
Delivery
Adequate packaging must be provided against accidental damage during handling whilst the
product is in transit to a customer. Special attention must be paid to any contractual conditions
in this respect.
Outsourcing the delivery through independent delivery companies does not absolve the
organization from its responsibilities regarding safe delivery of products to its customers.
There is little doubt about what is meant by measurement. Measurement is associated with the
determination of a number, length, area, volume, time, speed, velocity, acceleration or weight.
The units of measurements are usually, but not always, based on the metric system of
measurements. In some cases the accuracy of any measurements with a given measuring
device may be unimportant. For instance, when a plasterer is preparing a quotation for
plastering a wall, one of the factors to be taken into consideration is the area of the wall, which
he will probably determine from measurements made using a steel rule. An error in
measurements of a few centimetres is unimportant. In fact experienced plasterers will often not
even bother to take measurements with a steel rule. The plasterer’s eye will determine at a
glance all the information that is required to prepare their estimate of costs.
At the other extreme, organizations and sometimes customers decide that accurate
measurements are necessary. Sometimes accurate measurements are also required to satisfy
regulations, standards, and other requirements. For instance, when a window frame
manufacturer is adding a surface coating to lengths of aluminium, a minimum thickness of
coating is required, namely 50 microns (0.050 mm). Thus, any measuring device used must be
accurate within specified limits. Whenever a thickness of less than 50 microns is found, the
coated aluminium is reworked or scrapped. In order to be confident that the measuring device
is sufficiently accurate, it is necessary to have the measuring device calibrated. This can be
done externally or verified within the organization.
Monitoring
If measuring devices are being used to monitor something, the monitoring might take place
continuously. Such measuring devices immediately identify any untoward changes occurring at
the chosen monitoring points or stages of a major process so that appropriate action can be
taken, such as stopping the process. If the changes or trends are taking place very slowly they
give early warning of problems but do not necessarily mean that a process must be stopped
immediately. For instance, if the diameters of extruded plastic rods are gradually increasing, as
indicated by a monitoring device, the rate at which the diameter is increasing will provide
valuable evidence about when the permitted tolerance on the diameter is likely to be
exceeded, before which time action must be taken or the process stopped.
An important aspect of monitoring equipment is that the measuring device being used will
have been selected on the basis of the manufacturer’s specification as being suitable, within
the accuracy of measurement specified by the manufacturer, for monitoring the parameter in
question. Somebody will nevertheless have to make a decision on whether the selected
measuring device needs to be calibrated or merely be maintained at regular intervals.
Maintenance does not necessarily include recalibration although a manufacturer carrying out
such maintenance would, as a minimum, claim that the device is functioning within their
Monitoring does not always involve measuring devices and need not be undertaken
continuously. For instance, ISO 13485 and ISO 9001 require an organization to monitor
customer satisfaction. This can be done without measuring devices (see page 74).
However, when it is decided that measuring devices need to be calibrated so as to ensure that
measurements are as accurate as required, then the devices must either be calibrated
externally or internally. The organization must establish documented procedures to ensure that
monitoring and measurement can be carried out in a manner that is consistent with the
monitoring and measurement requirements.
ISO 9001 does not require documented procedures in connection with clause 7.6, control of
monitoring and measuring devices. However, the establishment and implementation of such
procedures would appear to be in the organization’s interest.
This means that measuring devices must:
Once it has been decided to undertake calibration of devices it should be noted that different
devices can be calibrated at different intervals. Some devices are not used very often and are
more stable as a result. Devices that are used regularly and devices that are highly sensitive will
need to be calibrated at more frequent intervals. The same applies to any device where the
accuracy of the results is of very special significance. For instance, a tyre depth gauge that is
used frequently and usually kept in a technician’s tool box is more likely to need calibrating at
shorter intervals than a digital vernier that is kept in a carefully designed box and is used only a
few times each year.
Devices must be calibrated and adjusted periodically or prior to use, against devices traceable
to international or national standards. Where no such standards exist, the basis used for
calibration must be recorded.
External calibration
If a decision is made in favour of external calibration, the calibration can be carried out by an
Accredited Calibration Laboratory, which has been accredited by the United Kingdom
Accreditation Service (UKAS) or some other similar national accreditation body or by a non-accredited
calibration body. ISO 9001:2000 does not require that a UKAS (or equivalent)
calibration laboratory is used. Both standards do, however, require that calibration can be
traced to international or national measurement standards.
An external calibration laboratory will state, after calibration of a device, the accuracy (within
specified limits) of any measurements made with the device. The accuracy of the calibrated
equipment must be greater than is needed to achieve the required accuracy of measurement.
• What are the acceptable limits for the calibration results for a particular instrument or
device that is to be calibrated internally?
• Is the known accuracy of the calibrated reference standard sufficiently greater than
the theoretical accuracy of the instrument or device being calibrated internally?
• Is the calibrated reference standard otherwise appropriate for the internal calibrations?
• Is the uncertainty for the calibrated reference standard low enough to ensure that the
uncertainty of calibration of the instrument or device being calibrated will be
acceptable in the circumstances in which it will be used?
• What documentation is required to ensure that all internal calibrations are carried out
in a professional and scientifically acceptable manner?
It is common practice to establish and maintain calibration registers that hold all relevant
information for proper control of such equipment. These include unique identification number
of equipment, usual location of equipment, date of calibration and date of recalibration, and
When a piece of equipment is calibrated externally, a calibration log should be established and
maintained for each piece of equipment, which gives the relevant details regarding the
calibration that has been carried out on that equipment. This should include:
• type of equipment;
• normal location of equipment;
• manufacturer of equipment;
• unique identification number of equipment;
• frequency of calibrations;
Some customers may insist that calibration data are made available to them in order to give
assurance that the monitoring and measuring equipment and any test software are all
functioning adequately for the processes that have to be carried out.
Identification of devices
All calibrated equipment (whether externally calibrated or internally calibrated) should be
uniquely identified by whatever means are practical.
It is common practice for each piece of calibrated equipment to have a label affixed which
states:
• the unique identification number or code for the equipment;
When deemed desirable, metal labels are used because these can be wiped clean, without
removing the information recorded on them.
A label that includes the date of recalibration enables the user to check that the equipment has
not passed that recalibration date without recalibration having taken place.
Some monitoring and measuring devices need not be calibrated and are used for indication
only. When a lot of monitoring and measuring devices are being used, some organizations find
that it is good practice to emphasize that such devices are used for indication only. For
instance, a meter that measures the amount of oil that is poured into a car engine from a
centralized supply need not be calibrated, because all car mechanics are trained to check the
level of the oil that has entered the engine by means of the dipstick. The dipstick is the
definitive measure that there is sufficient oil in the engine. Thus, the oil flow meter is used only
as an indication of the amount of oil put into the engine. The flow meter can be labelled, ‘Not
calibrated: for indication only’.
Chartered surveyors use moisture meters to indicate whether there might be a damp problem
in a wall. Since a chartered surveyor would not say categorically that there is a problem, there
is no need for the moisture meter to be calibrated. The chartered surveyor would merely
recommend that the problem be referred to other experts.
Out-of-calibration equipment
The organization is required to make a judgement on the effect of any possible errors in
measurements, in actions taken, on the quality of the product or the quality of service
provided. The decisions should be documented and appropriate action must be taken.
The results of all calibrations and verifications must be recorded and maintained (see clause
4.2.4).
New equipment
There is a popular misconception that it can be assumed that a new piece of equipment is
within specification. If a manufacturer provides a valid certificate of calibration then this must
be true. Similarly, a carefully scrutinized test certificate from a manufacturer would increase
confidence in a new product. However, if there are any doubts and a specified accuracy is
crucial to the success of the organization, it might be prudent to check carefully with the
manufacturer.
Results
The results of all calibrations and verifications must be recorded and maintained (see clause
4.2.4).
Chapter 8:
Measurement, analysis and improvement (clause 8)
All data from the monitoring and measurements are collated and analysed. The monitoring and
measurements made during the processes enable appropriate changes to be made, as and
when necessary, to ensure that each step in a process is able to achieve its intended purpose,
and to make planned checks on the evolving product during such processes to ensure that the
final product conforms to the requirements.
In planning any monitoring and measuring activities, due consideration must always be given
to deciding how the data collected shall be used, including the possible use of statistical
techniques.
In the case of ISO 13485, national or regional regulations might also require documented
procedures for implementation and control of the application of statistical techniques.
With ISO 9001 the organization is expected to determine a customer’s perception of whether
the customer’s requirements have been met. This is subjective information and is referred to as
customer satisfaction.
If national or regional regulations require the organization to gain experience from the post-production
phase, the review of this experience must form part of the feedback system (see
clause 8.5.1).
Customer satisfaction
A documented procedure for obtaining information on customer satisfaction would appear to
have advantages in the case of ISO 9001, as is the case for feedback with ISO 13485.
Customer satisfaction data can be obtained from direct contact with customers or from their
secondary sources.
Direct contact with customers
There are a number of ways that customer satisfaction data can be obtained directly from
customers. Some examples follow.
Organizations that do not deal directly with their customers often feel the need to
know what customers think about their products or services and about the way their
intermediaries have dealt with them. The classic case is that of car manufacturers that
sell their new cars through franchised garages. Car manufacturers often ask, through
their franchises, for all customers to complete a customer satisfaction questionnaire.
The manufacturer may offer no incentive to the customer for its completion, other
than the general desire to ensure that all customers are dealt with courteously and
efficiently, but the garage is sometimes under pressure to get the customers to
complete the questionnaires, because failure to do so can cause the bonus paid by
the manufacturer to the garage to be reduced.
Any attempts at analysis also highlight the importance of asking the right questions
and often, after receipt of the first batch of completed questionnaires, changes need to
be made to the questionnaires to improve the feedback from customers.
Small organizations should keep their questionnaires very simple with only a few
carefully thought out questions. Larger organizations can use questionnaires that have
more questions. The answers can be entered into a computer and analysed to obtain
indicators of customer satisfaction.
One way to select customers for such telephone calls is to telephone customers who
have not responded to customer satisfaction questionnaires. Another way is to
telephone a given percentage of customers who have used the organization in some
way or other during the previous week or month.
Customers who have failed to make a complaint, or those who have failed to return a
questionnaire, will sometimes reveal on the telephone that they have not been fully
satisfied with the product or service provided by the organization.
week a given percentage of customers who have used the organization in some way
or other during the previous week. Such information should, of course, be logged
properly for examination by the management of the organization.
individuals who do not do what they promise to do so that a repeat call is necessary.
If a customer’s perception of an organization is adversely influenced by such
experiences, they are more likely to go elsewhere with their enquiry. Customers and
potential customers should therefore be asked at every opportunity whether they are
satisfied with the administrative arrangements. Their factual comments must be
recorded for future analysis and included in customer satisfaction reports.
Secondary sources of information from customers
Customer satisfaction data can also be obtained from the secondary sources of customers, such
as the following.
Two well established secondary indicators of consumer satisfaction are Which? reports
published by the independent Consumers’ Association, and media investigations, such
as the BBC ‘Watchdog’ programmes.
The Consumers’ Association usually examines mass-produced products, such as cars
and washing machines, and publicizes widespread impartial investigations using
customer feedback, which results in the listing of ‘best buys’ and criticisms of products
and services.
The ‘Watchdog’ programmes, on the other hand, usually focus on products and
services provided by national organizations, or sometimes international organizations,
which have resulted in intense customer dissatisfaction by one or more customers.
All such reports and programmes give an indication of customer satisfaction with
products or services of particular organizations. Some may be relevant to other
organizations attempting to monitor customer satisfaction, if only to suggest questions
that might be included in their own questionnaire.
A carefully planned audit programme, if executed properly, ought to give confidence to top
management that the:
Thus, internal auditing ought to be a first-class management tool and any findings might
provide opportunities for improvements to be made. Internal audits have to be carried out at
planned intervals.
When auditing against ISO 9001:1994, internal auditors had to determine the effectiveness of
the quality system and verify whether quality activities and related results complied with
planned arrangements (i.e. the organization’s procedures and work instructions). ISO 9000:1994
did not require the internal auditors to measure the organization’s compliance with the actual
requirements of the standard. This has now been introduced when auditing against
ISO 9001:2000.
Personnel other than those who actually perform the activity being audited must conduct the
audits. Thus, auditors must not audit their own work. This is a welcome change, particularly for
small organizations, since finding an independent auditor within a small organization is not
always possible.
It has been common practice for all internal auditing to be conducted only as compliance
audits against the organization’s procedures and work instructions. The new focus is on
processes. Thus, an auditor could take one of an organization’s major processes and work
through it meticulously, step by step, until a final product is reached or a service is completed
to the satisfaction of a customer, or customers. In working through a major process, pauses in
the steps forward will be inevitable and frequent, during which time supplementary processes
will have to be checked. These, in turn, will result in examination of compliance with one or
more of the organization’s procedures, work instructions and forms. Some compliance auditing
will still continue to be necessary.
The new focus on processes will mean that internal audits are likely to take much more time
and skill than would be the case if an auditor were merely checking for compliance with one
or more isolated procedures. Auditing should become much more interesting and more
meaningful because of its direct link with the reasons why an organization exists. Moreover, in
discussions with auditees, it should provide opportunities for considering ways in which
changes might be made to the major processes, and to the associated supplementary
processes, so that the major processes can be improved.
An audit program, or audit schedule, must be prepared that covers all the areas to be audited.
As explained in the previous paragraphs the focus should be on the organization’s major
processes. Once these have been clearly identified all the other audits can be planned
accordingly in logical sequence. The schedule must identify the frequency of such audits based
on the status and importance of various activities. The schedule of internal audits should be
flexible and changes will be inevitable as the results of earlier audits become available.
A properly designed nonconformity form is recommended for use during internal audits. This
will include, as a minimum:
• the individual responsible for undertaking the corrective action and when.
The form should include space for preventive action to be recorded, if this is deemed
necessary (see clause 8.5.3). Another section requires verification of the corrective action (and,
perhaps, preventive action) by the management representative or some such designated
person.
The findings of internal audits are a key item on the agenda of management review meetings,
which includes the effectiveness of any corrective (and preventive) actions.
All processes must be monitored and measured, as and when deemed necessary, in such a
way that the output of a major process will satisfy customer requirements.
All monitoring and measurements must confirm the continuing ability of each process to
achieve the specified requirements. In the event that requirements are not being met, a
nonconformity form is completed. The same information needs to be recorded as for internal
audits (see clauses 8.5.2 and 8.5.3).
Any lower-level processes also need to be monitored in the same way.
Product release and service delivery must not take place until all planned arrangements have
been satisfactorily completed (see clause 7.1).
With ISO 9001, product can be released in certain circumstances if planned arrangements
have not been completed satisfactorily. In such cases, permission to release product can only
be given by a relevant authority and, where applicable, by the customer. Records must indicate
the person(s) authorizing release of product.
Particular requirement for active implantable medical devices and implantable medical
devices (clause 8.2.4.2)
The organization must record the identity of any personnel who are carrying out any
inspection or testing (see clause 4.2.4).
This requirement is not mandatory with ISO 9001, but its adoption could only be in
everybody’s interests.
nonconformities have already been addressed in clause 8.2.2 and process nonconformities
have been addressed in clause 8.2.3.)
Manufacturers
All nonconformities in product must be properly recorded and the nature of the nonconformity
clearly explained. If the nonconformity has been caused by an individual then this should be
highlighted on the report as this will help identify training needs that might be applicable to
that individual and maybe their whole department. In some cases, the cause of nonconformity
is not the result of an individual’s action or inaction, but may have been introduced earlier in
the design stage. Any nonconforming product should be clearly identified and the nature of the
nonconformity should be recorded on a prescribed form. In addition, the nonconforming
product must be carefully controlled to prevent unintended use or delivery.
Nonconforming product must be dealt with in one or more of the following ways:
With ISO 9001 there is no restriction, but concessions can be granted only by a
relevant authority and, where applicable, by the customer.
(c) by taking action to preclude its original intended use or application.
Whenever a product needs to be reworked, the organization must have a documented work
instruction for any rework process that has undergone the same authorization and approval
steps as the original work instruction. Prior to authorization and approval of a new work
instruction, a determination of any adverse effect of the rework on the product must be made
and documented (see clauses 4.2.4 and 7.5.1).
ISO 9001 does not require authorization and approval of a new work instruction nor does it
require a determination of any adverse effect of the rework of the product. This should be
carried out and documented. These steps would appear to be admirable and could easily be
adopted for non-medical products for organizations seeking registration to ISO 9001 as well as
to ISO 13485.
Records of the identity of the person authorizing the concession must be maintained (see
clause 4.2.4).
Whatever is the case, a record must be kept of the corrective action taken. The quality
manager must be kept fully informed. Only when the quality manager, or some such
nominated person, is satisfied that the nonconformity has been dealt with satisfactorily will
they sign off the nonconformity form, which is retained as a QMS record (see clause 4.2.4).
If the organization becomes aware of nonconformity in a product after it has been delivered to
a customer, and even after a customer has started to use the product, it must take appropriate
action regarding the consequences, or potential consequences, of the nonconformity.
Exactly the same procedure should be followed in the case of outsourced processes
immediately after the nonconformity has been found.
Service organizations
Similar arguments apply to service organizations. If, during the delivery of a service, the
organization becomes aware of a nonconformity in the delivery of a service or through
comments made by a customer receiving the service, the nonconformity must be fully
documented as for a manufactured product and consideration be given to placing the service
‘on-hold’ until the problems have been amicably resolved with the customer.
Recording of nonconformities
In all cases in which product or service nonconformities arise every effort should be made to
identify and record on appropriate nonconformity forms the causes of nonconformities (see
clauses 8.5.2 and 8.5.3).
Top management must review all such factual information on nonconformities. The regular
management review meetings are intended to be the focus of such discussions. Unplanned
management review meetings can, of course, be called at any time.
Top management should be in a position to manage nonconformities if:
(c) appropriate corrective (and, perhaps, preventive actions) are taken; and
(d) all relevant information [such as (a), (b) and (c)] is fully documented.
Data will include that generated as a result of monitoring and measurement and from any
other relevant sources.
The analysis of data will provide information in relation to:
Customer satisfaction is subjective evidence, but any analyses, if done properly, will give an
indication of customer satisfaction with the product or services provided by an
organization;
(c) the characteristics and trends in processes, and products and services, including
opportunities for preventive action;
The organization must establish documented procedures for the issue and implementation of
advisory notices. These procedures must be capable of being implemented at any time.
Records of all customer complaint investigations must be maintained (see clause 4.2.4). If
investigation determines that the activities outside the organization contributed to the customer
complaint, relevant information must be exchanged between the organizations involved. If any
customer complaint is not followed by corrective and/or preventive action, the reason must be
authorized (see clause 5.5.1) and recorded (see clause 4.2.4).
If national or regional regulations require notification of adverse events that meet specified
reporting criteria, the organization must establish documentary procedures to notify the
relevant authorities.
None of these requirements should present any difficulties for an organization seeking
certification to ISO 13485 and ISO 9001.
The requirement for continual improvement in the effectiveness of the quality management
system does not automatically mean a continual improvement in products or services. It does
mean that an organization should always be striving to make changes that will result in
improving processes in the interests of efficiency, economy, etc. In fact these are all the things
that a good company should be doing in any case, irrespective of ISO 9001. Some areas of
process improvement could include:
• management;
• organization;
• new resources (more competent people and better physical resources);
Some of these changes might result in improvements in existing products, but the focus is on
the processes and any improvements in a product from such changes could be coincidental.
Nonconformities
Corrective action is essentially a backwards looking phenomenon starting, at the latest, from the
time that a decision is made that corrective action is necessary in order to put right that which
is going wrong or that which has gone wrong and, whenever possible, to eliminate the cause of
nonconformity in order to prevent a reoccurrence. The implementation of the corrective action
may not always be possible immediately, but it will take place as soon as possible or as
appropriate in the immediate future. Eliminating the cause of nonconformity in order to
prevent a reoccurrence of nonconformity can also be regarded as a preventive action (see
clause 8.5.3).
When a car driver notices that a red warning light for the car battery on the dashboard lights
up intermittently, it is an indication that something is wrong. The most likely reason for a
flashing red light is that the battery is being charged only intermittently and the cause, at its
simplest, might be a slipping drive-belt. The driver, or other person, can take corrective action
immediately, or within a relatively short time, by taking the slack out of the drive-belt and
thereby return the battery charging to normal, when the red light will go out.
If a car driver ignores a constant red warning light it will mean, if ignored for long enough, that
the battery will become discharged. If an emergency breakdown service is called, the
mechanic might detect one of several reasons as the cause of the problem such as:
The mechanic may be able to take corrective action to put right immediately what has gone
wrong; on the other hand, if another part is required that he does not carry and if it is out of
normal working hours, then the corrective action may not be able to take place until some
time in the near future when spare parts establishments are open.
Another example of corrective action being required after something has gone wrong might be
as follows. A car has been taken to a garage for a specific purpose such as a routine service.
Most owners check their coachwork when collecting their cars before leaving the garage. If any
damage has been done to the car whilst in the garage, e.g. if a wing of the car has been
scratched, this can be pointed out immediately. In such circumstances, the garage has to
accept responsibility and it will take corrective action to put right that which had gone wrong,
by re-spraying the wing. Incidentally, if the owner had returned to the garage a month later to
have another job done and on collecting the car discovered that another part of the car has
been badly scarred, the previous corrective action to put right that which had gone wrong
would have done nothing to prevent it from happening again in the future. The first incident
might have resulted in a request or warning to all staff to be more careful in the future, but the
warning would, hopefully, have removed the cause of such nonconformities.
The sole purpose of taking corrective action in the above cases was to eliminate the cause of
the nonconformity. In the case of the re-spray of a wing, the re-spraying returns the car to its
status quo. Likewise, tightening a loose driving-belt, replacing a driving-belt or replacing an
alternator are all corrective actions that are taken to put right that which was going wrong, or
has gone wrong and, whenever possible, to eliminate the cause of nonconformity in order to
prevent a reoccurrence.
A corrective action procedure (see PC 105) is required to define requirements for:
(e) recording the results of the investigation and the action taken (see clause 4.2.4).
Likewise, ISO 9001 does not require any subsequent actions to be recorded but again
this could easily be included in the procedure.
(f) reviewing the corrective action taken and its effectiveness.
Similarly, ISO 9001 could easily review the effectiveness of corrective actions in
the procedure.
The corrective action taken should also be reviewed to decide whether it has been effective in
dealing with the nonconformity.
Nonconformity forms are systematically filed and presented at regular management review
meetings. One person, usually the management representative, should provide a summary of
events for the period between management review meetings.
Corrective actions must always be appropriate to the impact of the problems encountered and
the likelihood of them happening again. For example, a large amount of money should not be
spent following a single nonconformity or a single complaint when either is considered to be a
‘one-off’ event with a very low probability of recurrence.
Customer complaints
There seems to be some doubt about what is meant by a customer complaint. A good
guideline is that if anyone in an organization feels that it is necessary to apologize to a
customer, because the customer appears to be aggrieved by what has happened, or by what
has not happened, then a complaint has been received. It may appear to be an unjustifiable
complaint, but the customer evidently thinks otherwise so the complaint should be
acknowledged and investigated without undue delay.
Good organizations respond promptly to any customer complaints. A customer complaints
form, similar to the nonconformity form, should be used to deal with the complaint. Every
complaint should be recorded on the prescribed form. The form identifies the customer who is
complaining, the date and time of receipt of the complaint, the recipient of the complaint, and
the nature of the complaint. The form includes space to state the corrective action taken, i.e.
action taken to put right that which has already gone wrong, or is going wrong. The person
who accepts responsibility for the corrective action should sign that part of the form. The form
should include space for preventive action, i.e. action that the organization may decide it has
to take in order to prevent occurrence of a similar complaint in the future (see clause 8.5.3).
The prescribed form should only be signed off by an authorized individual within the
organization, usually the management representative, when they are satisfied that the
complaint has been dealt with satisfactorily. Finally, the effectiveness of the actions taken
should be reviewed to ascertain that they have been effective.
The achievement of customer satisfaction is paramount. Even when investigations might show
that a complaint is considered to be unjustified, many organizations often give the customer
the benefit of any doubts and, sometimes, even when it is thought that the customer might be
partly to blame for what has gone wrong or even has lied about events, such doubts will result
in corrective action being taken as a measure of goodwill.
Customer complaint forms are systematically filed and presented at regular management
review meetings. One person, usually the management representative, provides a summary of
events since the last management review meeting.
Management should view customer complaints in a positive manner. They should not be used
to ostracize people. Complaints, when properly recorded, are an important management tool.
Most customers usually accept with good grace most mistakes, provided corrective action is
taken promptly. More importantly, from the organization’s point of view, customer goodwill is
thereby usually retained.
An example in the former category is when preventive action is taken following a series of
incidents that have resulted in a number of corrective actions being taken, for essentially the
same reasons. If the paintwork of cars is being scratched regularly whilst they are being
serviced in a workshop, the garage will probably take action that hopefully will reduce the
likelihood of such incidents in the future. This would be preventive action.
An example in the second category of preventive action is when a car manufacturer decides
that a particular part that it has made will, or might, fail sometime in the future with disastrous
consequences. The manufacturer advises garages accordingly and the replacement of the said
part, or parts, is a preventive action by garages.
A preventive action procedure (see PC 106) is required for:
(a) determination of potential nonconformities and their causes;
(b) evaluation of the need for action to prevent occurrence of nonconformities and,
following a corrective action, to prevent a recurrence of a nonconformity or customer
complaint;
(c) determining and implementing action needed;
(d) records of the results of any investigations and of the action taken (see clause 4.2.4):
ISO 9001 does not require records of the results of any investigations but this
requirement could easily be included in the procedure.
As with corrective actions, any preventive actions taken must be appropriate to the impact of
the potential problems and the likelihood of a problem recurring. Thus, it may be decided that
no preventive action is to be taken. For instance, the single failure in many thousands of cases
may not warrant the very high expense associated with the perceived preventive action
necessary to prevent a similar occurrence in the future. Likewise, a risk may exist in theory and
will not justify the expense to reduce the probability of that risk occurring.
Chapter 9:
Justification for exclusion of design and development
Introduction
This chapter should be read in conjunction with clause 7.3, Design and development in
Chapter 7.
Some exclusions from clause 7 are easy to justify and these have been referred to in Chapter 4.
However, exclusion of design and development is not always easy.
In both ISO 9001 and ISO 13485 clause 7 has seven subclauses. These are:
For people who have no experience of design and development work, it is important to realize
that up to and including clause 7.3.5, no product has been made. In the case of more
nebulous products such as the ‘product’ of a hospital, and similarly for a residential home for
elderly people, no action should take place before clauses 7.3.1 and 7.3.5 have been
addressed if design and development is to be included.
Ideally, clause 7.3.6 should also be addressed before manufacture or action commences. If these
points are clear then the remainder of this chapter will be understood more easily.
Manufacturing organizations
Clause 7.3 is unlikely to cause any problems for many manufacturers. For instance, if a
company merely manufactures a product to a third-party specification, be it the customer’s
own specification or some other specification acceptable to the customer, then the
manufacturer can justifiably claim that clause 7.3 can be excluded as far as product made to
that specification is concerned.
However, what is the position if a company that has justifiably excluded clause 7.3 on the basis
of the former paragraph and then decides after manufacturing some of the product that it can
improve the product, either by improving the processes or improving the end product itself?
Alternatively, a customer, in the light of experience using the first batch of the product, might
suggest to the manufacturer that the product would be even more acceptable if certain
changes could be made to the design before the next batch is produced. If a company does
decide to make changes to the original specification in the light of this new knowledge or
experience, the company is in fact undertaking development work to improve the original
design. The range of possible development work might extend from being a relatively trivial
change in the specification to a much bigger change in the specification. Would the earlier
justified exclusion of clause 7.3 now become unjustifiable? Moreover, if a trivial change means
that clause 7.3 can be excluded, at what point does a trivial change become non-trivial to the
extent that clause 7.3 can no longer be excluded?
Incidentally, it has been assumed in the previous paragraph that the manufacturer has not been
presented with a new updated specification for the next production batch. If this were the
case, the manufacturer would not be involved with development work (and perhaps only with
the re-tooling), so that the original justified exclusion would still apply as far as the product in
question is concerned.
Service organizations
Consider next a service industry, which does not manufacture products, but provides services.
A field marketing company is one such case. A typical field marketing company will have many
clients and its core business is providing appropriate field marketing personnel, on a short-term
or long-term basis for their clients over a wide range of marketing opportunities. The selected
field marketing personnel might operate as sales teams, undertake merchandising, provide
road shows, give demonstrations, undertake auditing in the marketplace, carry out mystery
shopping and other activities.
In practice, the following occurs. The company’s client presents its needs and expectations.
These are carefully examined. The field marketing company prepares a detailed cost proposal,
which if successful is checked and rechecked before the operational stage. Whatever the
proposed operational activities, they are based on previous experience over a number of years,
so that the company has a more or less standard approach for implementing the activities such
as those listed above. There may be some fine-tuning of a proposed activity in order to satisfy
the slightly different needs of clients. Fine-tuning will, in any case, take place from time to time
based on the company’s earlier experience with similar activities, with the same client or other
clients.
Are the proposals for such service activities to be considered as design work and is the fine-
tuning development work? Such a company must consider such activities carefully before
deciding what stance to take.
Sometimes readers might have difficulty in deciding whether design and development can be
justifiably excluded from their quality management system. Two examples are provided below.
A study of these examples might help readers to come to the right decision on whether in their
own case the design and development clause (7.3) can be justifiably excluded.
Example – Hospitals
ISO 9001 provides an opportunity for introducing quality into hospitals.
The major processes in any hospital are diagnosis and treatment. It is these processes that
are intended to maintain and, if possible, improve the quality of the life of a patient. ‘To
maintain or improve the quality of life of a patient’ can be regarded as the product of a
hospital. All the other activities that take place within a hospital associated with patient
care and support can be regarded as services.
When a patient is admitted to a hospital, after being taken through standard admission
procedures, the patient is made as comfortable as possible, as quickly as possible. Shortly
thereafter, an assessment is made by a professional person, such as a consultant in
medicine, a consultant psychiatrist or a nurse therapist to determine how to achieve the
best possible quality of life for the patient. Once a decision is made, it is usual to record
the findings in a few simple explicit sentences summarizing the general state of the patient
and making clear what action is to be taken, and when, for the benefit of the patient.
Can design and development, clause 7.3 in ISO 9001, be justifiably excluded from the
quality management system documentation for a hospital? In order to decide this, each
subclause of 7.3 is examined below against the major process of diagnosis and treatment
in a hospital.
Outpatients
As soon as possible after admission, the patient is examined and a case history is built up
in the patient’s case notes. If the patient has been to the same hospital before, the
patient’s case notes will be made available, in which case, the case notes will be brought
up to date. Minor processes may be called upon to aid the diagnosis: these might include
an X-ray examination, an ultrasonic examination, an electrocardiography examination, as
well as analyses of blood and urine samples. The case notes for the patient will contain the
results of each such investigation, as well as the results of any previous investigations.
These and any other minor diagnostic processes will enable the consultant in charge of the
patient to diagnose the problem. The diagnosis will be recorded in the patient’s case
notes. The consultant will then decide, in most cases without referral to anyone else, what
needs to be done to maintain and improve the patient’s quality of life.
In all the cases mentioned above (accident and emergency patients, outpatients, day
patients and inpatients) decisions are usually made by one professional who is ultimately
responsible for the quality of life of the patient while in their care.
Since clause 7.3.3(a) cannot be addressed with certainty, the subsequent clauses, 7.3.4,
7.3.5, 7.3.6 and 7.3.7 become irrelevant. This is likewise the case with clause 7.3.1, the
‘planning’ clause.
Since only the input clause can be addressed with certainty, the whole of clause 7.3 can
be justifiably excluded from the requirements of ISO 9001.
The prime purpose of a legal organization is to ensure that the needs of its clients are
addressed and, if the employer can be shown to have been negligent, to obtain
compensation in return for the negligence that might have caused mental and physical
damage to the client.
On first reporting to the legal company, the client is taken through more or less standard
questioning by a professional person, with specific expertise in litigation cases concerning
health and safety issues, to ascertain the facts in connection with the alleged incident.
(a) If physical damage has been caused to the client by the negligence, the
‘functional and performance requirements’ are to ensure that the individual’s
health is restored to what it was before the incident. This can only be determined
following a clinical examination of the client. If the client is mentally disturbed as
a result of the incident, psychiatric examination may be necessary.
(b) It is axiomatic that a professional person responsible for the interests of a client
will abide by statutory and regulatory requirements.
Thus, the input requirement is to restore the individual back to the state he was in prior to
the incident. A secondary requirement might be to obtain financial compensation for the
inconvenience caused by the incident. (If the client is neither physically nor mentally
damaged, financial compensation may be the only design and development input.)
It would appear that clause 7.3.2 cannot be justifiably excluded.
A lawyer’s brief may be a few pages, but it can also be extensive, running into many
pages. The brief will state the way forward in the light of the known facts. The
expected outcomes are likely to be recorded, but there is no certainty that an
expected outcome will be achieved. Thus, in the legal profession outputs are recorded,
but there is no question of comparing design and development inputs (the brief) with
design and development outputs (the outcome) before legal action is taken.
Clause 7.3.3(a) cannot be addressed and can be justifiably excluded.
The lawyer will provide whatever information is required in order to support their case
and thereby achieve a satisfactory output in accordance with the input information
provided by the client. But as explained above, the output is uncertain, so that
whatever information is provided, the unknown output cannot enable verification
against the design and development input.
Clause 7.3.3(b) can be justifiably excluded.
• 7.3.3(c) Product acceptance criteria
The designed output is drawn up by a professional and does not have to be approved
by anyone. The client will be advised what the sought-after designed output is.
The acceptance criteria cannot be stated rigidly. At best a desirable outcome in favour
of the client can be stated. Law is not an exact science and others will decide the final
results. Clause 7.3.3(c) cannot be addressed because rigid acceptance criteria cannot
be stated by the client or given by the lawyer.
As a result, clause 7.3.3(c) can be justifiably excluded.
• 7.3.3(d) Characteristics of the product that are essential for its safe and proper use.
This clause requires that the service to be provided by the professional be done
properly. (Safety is irrelevant in this case.) This is axiomatic, or should be, by reason of
the professional’s training. To attempt to prove that the service to be provided will be
done properly is impracticable. Both requirements are inherent in the activities of the
professional by virtue of their knowledge, training, experience and competence.
Clause 7.3.3(d) is impractical and can be justifiably excluded.
The purpose of a design and development review is to ensure that the design and
development output does indeed match the design and development input. However,
as explained in 7.3.3(a), legal outputs cannot be defined beforehand so that any reviews,
however long and thorough, can never result with certainty in the designed output for
the client.
As a professional, the lawyer will have provided a brief in the first instance that will merely
state a desired output.
Clause 7.3.4 can thus be justifiably excluded.
The professional decides what action to take. They might seek the second opinion of
another professional but there is no obligation to do so. The professional is well aware that
he cannot be certain that the output will match the input.
Validation is an after-event, i.e. something that takes place after a product has been
manufactured or after a service has been provided. Its purpose is to ensure that a
customer is satisfied, i.e. that their needs and expectations have been addressed. If they
have not, the validation will expose any shortcomings so that they can be addressed to the
satisfaction of the customer or client.
Since the outcome has never been stated explicitly or with any definite certainty,
validation would appear to be impossible.
Clause 7.3.6 can, therefore, be justifiably excluded.
Control of design and development changes (clause 7.3.7)
This clause exists to ensure that if there are changes proposed by the customer, client, or
the lawyer dealing with the case, they are fully documented and agreed by both parties.
In a legal case, the professional is in complete control and can change the brief as deemed
necessary without reference to anyone else and in particular without reference to those
opposing the case against their client.
Clause 7.3.7 can, therefore, be justifiably excluded.
Legal companies also conduct noncontentious work, e.g. trademarks, and terms and
conditions of trading.
In this type of work, outputs can be made to match inputs precisely and therefore all the
Other cases
Readers may well be faced with cases in which they feel that design and development can be
excluded. In such cases they should study clause 7.3 and the examples given in this chapter
and apply similar arguments to their own situations.
Chapter 10:
Guideline audit questions
Introduction
The prime purpose of this book is to focus on ISO 13485, the medical devices standard.
However, since ISO 13485 is based on ISO 9001, as explained in the preface, an attempt has
been made to correlate the two standards when compiling audit questions.
If preparations are being made for certification to both standards simultaneously, it is important
to establish the different requirements for the two standards. There is much common ground
between the two standards but to help the reader distinguish the key differences in the
requirements of both standards, ISO 13485 requirements are printed in italics whereas the
corresponding ISO 9001 requirements are printed in bold. The regular text indicates provisions
that are applicable to both. In some cases a question is printed only once when there are only
a few extra words to be added to comply with the additional requirements of ISO 13485.
These additional words are also printed in italics.
In view of this new focus on processes, the new emphasis in auditing is on process auditing.
Process auditing means that the auditor is checking the sequential and interrelated steps
against planned activities, from the beginning of a major process until the final validated
product is achieved, delivered and, perhaps, installed or, in the case of a service, until the final
validated service is completed. This kind of auditing is called process auditing, rather than
compliance auditing, and it might prove to be more attractive to some employees because
they can relate more easily to the purpose of such audits.
In spite of the new emphasis on process auditing, there will still be a need for some
compliance auditing. Compliance auditing will be necessary when checking on the stand-alone
processes, such as calibration of measuring devices, when checking that the relevant
requirements of the standard have been addressed and when checking on the ‘output’ of a
major process.
The output of a major process is checked to ensure that the product or the service, or both,
meet the planned outputs. Sampling the outputs and comparing them with the required inputs
can do this. Good auditors will also check by various methods, such as checking on final test
records and customer complaints, to determine whether planned outputs are being met.
It is clearly impossible to produce an all-embracing list of audit questions for a universal major
process. However, it is possible to compile a comprehensive list of typical audit questions that
address the requirements of ISO 13485 and ISO 9001. Thus, the reader, when process
auditing, can then pick and choose the relevant questions when he or she is following a
specific audit trail through a major process, pausing, as necessary, when interacting processes
intervene, until the intended output is achieved. Compliance auditing is much easier and likely
to be less time consuming; the specific questions should also be of help to those conducting
such audits.
These guideline audit questions can be used for internal auditing, second-party auditing and
for third-party auditing.
Some accredited certification bodies carry out their audits in two stages. In the first stage,
lasting perhaps one or two days, the object is to determine whether the organization has
prepared its quality management system in accordance with the requirements of ISO 13485
and ISO 9001 as they apply to the proposed scope of certification. In stage 2, an auditor is
seeking objective evidence that the planned processes, objectives, etc. as defined by the
documentation during the stage 1 audit (or pre-audit stage) are in fact being followed. Any
minor nonconformities raised during the stage 1 audit will have to be cleared during the stage
2 audit. The division between stage 1 and stage 2 audits is often inevitably blurred during the
actual auditing processes.
Surveillance audits are usually conducted at six-monthly intervals or annually depending on the
size, complexity and overall performance of the organization. Successive surveillance visits
check that the quality management system that was approved at the stage 2 audit is still in
place and is continuing to be effective. In the case of ISO 13485, the audit needs to verify that
current regulations, and possibly any new regulations, are being addressed and in the case of
ISO 9001, whether attempts are being made continually to improve the effectiveness of the
quality management system.
During a ‘closing meeting’ an auditor from a certification body should have stressed that they
have not been able to examine everything, however skilful they might be. In other words, they
have sampled what is going on within the organization. Surveillance visits also provide an
opportunity to widen the scope of the previous sampling. New nonconformities might be
found that did not come to light during previous visits. These are treated in the same way as
any earlier nonconformities.
Can I have a copy of all such documentation for examination as and when appropriate?
(It is accepted that some parts might be in different departments and can be examined later.)
What do you understand as the purpose of the quality management system based on ISO
13485? Do you state this in your documentation?
(It is to maintain the effectiveness of the quality management system in accordance with the
requirements of the standard so as to consistently produce safe and effective products or to
deliver safe and effective services.)
How does the organization implement actions to achieve planned results and:
• maintain the effectiveness of the quality management system in accordance with
ISO 13485 requirements?
Can I please see the documentation on which the quality management system is based?
Is it partly or wholly on the intranet?
Can I please see a list of your quality objectives (see clause 5.4.1)?
Can you confirm at this stage that you have the following mandatory procedures?
Have you established records that provide objective evidence of conformity to requirements
and the effective operation of your quality management system? I will ask to see those records
shortly as and when deemed appropriate (see clause 4.2.4).
Does the quality manual outline the structure of the organization’s quality management system?
Does the quality manual include the scope of the quality management system?
Please may I see it?
Please will you go through the arguments for such exclusions now?
Have any parts of clause 7 been excluded because of the terms, ‘if appropriate’ and ‘where
appropriate’ in the text of the standard (see clause 1.2)?
(An exclusion cannot be accepted if a requirement is considered to be ‘appropriate’ when its
inclusion is necessary in order:
Does the quality manual make reference to procedures at appropriate points in the text?
Please show me examples.
Does the quality manual include procedures or are they filed separately?
If procedures are filed separately from the quality manual is there a comprehensive list in the
quality manual?
Does the quality manual include a description of the interaction between all the processes?
Please show me how you have achieved this.
What arrangements are in place for reviewing, updating as necessary, and reapproving such
documents prior to their being reissued?
Please show me an example.
Are changes to documents approved either by the original method of approval or by another
designated person, or persons, who have access to pertinent background information on which
to give approval to the changes?
How does the management representative, or another named person, ensure that relevant
versions of applicable documents are always available at points of use or application?
Show me an example.
How does the organization ensure that all documents remain legible?
How does the organization ensure that all documents are readily retrievable?
How are documents of external origin (e.g. standards, codes of practice, forms) controlled to
ensure that only the latest issues of such documents can be used?
Is there a master list of external documents?
Who is responsible for updating this list?
Is there a controlled distribution of external documents?
What happens to superseded documents?
What precautions are taken to prevent unintended use of obsolete documents?
Are they returned to the management representative, or another person, on receipt of an
updated document, or when a document is no longer applicable?
Is one copy, clearly marked ‘superseded’, filed separately, and retained for knowledge
preservation purposes?
Does the organization define the period for which at least one copy of obsolete controlled
documents must be kept?
How is this period chosen?
(This period is defined by the organization as being at least equal to the lifetime of the medical
devices. This lifetime must not be less than the retention time of any resulting record (see
clause 4.2.4) or as specified by relevant regulatory requirements.)
Is the quality policy statement a controlled document?
How is the quality policy statement document controlled?
Is it, for instance, a quality management system internal document (QMS ID) with a unique
number and issue number?
Is the statement of quality objectives a controlled document?
How do you control the document on quality objectives?
Can I now examine in more detail your documented procedure for control of records?
These questions are addressed to a member of top management (e.g. the chief executive or
managing director).
I have already spent some time seeking objective evidence about your quality management
system based on ISO 13485 and ISO 9001. I am impressed (or unimpressed) by what I have
found so far. Everyone has been most courteous and helpful so far (or, say, courteous but
reluctantly helpful, or whatever is appropriate). Would you kindly let them know what I feel?
The revised standard makes it clear that top management has to be actively involved in the
organization’s quality management system. All requirements in clause 5 begin, ‘Top
management shall - ’.
I have asked to spend a little time with you, because I hope you will be able to convince me of
your commitment to the development and implementation of your quality management system,
and to the continual improvement and effectiveness of the development and implementation
of it.
With these points in mind, I would like to ask you a few questions.
How do you communicate to your employees the importance of meeting customer
requirements as well as statutory and regulatory requirements?
In the case of ISO 13485 statutory requirements are limited only to the safety and performance
of the medical devices.
I see you have a quality policy. Are you confident that all employees understand it and try hard
to adhere to it?
I also see that you have established quality objectives. How does top management promote the
importance of these objectives?
Do you find that management review meetings are really worth the time they take up?
At the end of the interview an auditor must make a judgement as to whether top management
is committed to the development, implementation and continual improvement in the
effectiveness of the quality management system.
The final judgement will be influenced to some extent by any objective evidence obtained
earlier. This explains the importance of not interviewing top management at the beginning of
an audit. These are the possible outcomes:
Subjective evidence good
If the subjective evidence collected from top management is good and the objective evidence
collected earlier was good, the commitment of top management to the quality management
system would appear to be satisfactory.
If the subjective evidence is good, but the objective evidence collected earlier was poor, then
top management has evidently failed to develop and implement its quality management system
satisfactorily.
In the case of ISO 13485, how does top management ensure that customer requirements are
determined and met (see clauses 7.2.1 and 8.2.1)?
Is this a primary consideration?
In the case of ISO 9001, how does top management ensure that customer requirements
are met with the aim of enhancing customer satisfaction (see clauses 7.2.1 and 8.2.1)?
Is this a secondary consideration?
How does the organization convert the needs and expectations of customers into the
requirements of customers so that through the product realization processes customer
satisfaction is achieved (see clause 7.2.1)?
Can you please show me one example of how you went about this?
How do you determine whether you have achieved customer satisfaction in the case of a
particular product or a given service (see clause 8.2.1)?
Please show me examples.
Is it appropriate and positive in every respect (for ISO 13485 and ISO 9001)?
In the case of ISO 13485, does it include a commitment to comply with requirements and
maintain the effectiveness of the quality management system?
If it does, what do you understand by this statement?
How do you go about ensuring that this happens?
In the case of ISO 9001, does it include a commitment to comply with requirements and
continually improve the effectiveness of the quality management system?
I note the commitment of top management to comply with the requirements of ISO 9001.
Can you give me one or more examples in which the requirements of the standard have
forced your organization to change the ways in which it operates?
Does it state that a framework is in place for reviewing quality objectives?
Please explain and show me examples of how this is done.
How do you ensure that people at all levels in your organization know about the quality policy
and understand what it means?
How do you ensure that the quality policy is reviewed for its continuing suitability?
Have quality objectives been set at relevant functions and levels within the organization?
Please can I see the quality objectives that are in place so as to meet the requirements of
manufactured product or to satisfy the requirements of the service provision?
Are all of the quality objectives compatible with the quality policy statement?
When planning the quality management system, were the general requirements of the quality
management system addressed (see clause 4.1), as well as the quality objectives (see clause 5.4.1)?
When changes to the quality management system are planned and implemented who is
responsible for ensuring that the integrity of the quality management system is maintained?
Can you please show me an example of such a change?
How do you ensure that responsibilities and authorities are defined and communicated within
the organization?
Is there an organization chart? Please may I see it?
If the organization chart is not in general circulation, how are employees expected to know
who is responsible for what and the responsibilities accorded to different people?
If there are no names, or very few names, on the organization chart, although individuals are
bound to know to whom they report, are the reporting lines clear to others in the organization?
Are the responsibilities and authorities of individuals clearly specified in some other ways?
Please show me examples.
Has top management established the interrelation of all personnel who manage, perform and
verify work affecting quality of the product?
How has top management ensured the independence and authority necessary for such people
to perform the above mentioned tasks?
Please show me examples.
Is the organization bound by national or regional regulations to nominate specific people as
being responsible for activities related to monitoring experience from the post-production
stage onwards and thereafter to report adverse events (see clauses 8.2.1 and 8.5.1)?
Does everyone know about the responsibilities and authority of the management representative
for establishing, implementing and maintaining the quality management system?
To whom does the management representative report on the performance of the quality
management system (see clause 8.5)?
Please show me examples of such reporting.
To whom does the management representative report on the need for any changes to be made
for improvements in the quality management system (see clause 8.5)?
Can you show me such examples?
How does the management representative ensure the promotion of awareness of regulatory and
customer requirements throughout your organization?
Can you please show me examples of such promotional activities?
Is your management representative responsible for liaison with external parties, e.g.
certification bodies, on matters relating to your quality management system?
If not, who is responsible for such activities and what arrangements exist to ensure that the
management representative is kept fully informed of such developments?
How do you ensure that appropriate communication processes are established within your
organization?
How do you ensure that communication takes place within your organization regarding the
effectiveness of the quality management system?
What arrangements are in place for top management to review the quality management
system?
Have the reviews of the quality management system shown that it continues to be suitable,
adequate and effective for the organization?
Have such reviews resulted in opportunities for changes to be made that have resulted in
continual improvement in the effectiveness of the quality management system?
Please show me one example of such continual improvement.
The reviews provide opportunities for changes to be made to the quality policy. Have any such
changes been made?
Have the reviews resulted in the need for changes to quality objectives?
Can you show me an example of such a change?
(e) nonconformities?
• quality management system: corrective and preventive actions
• processes: corrective and preventive actions
(g) any changes, whatever their origin or nature, which could have a bearing on the quality
management system?
(h) recommendations for improvement in the effectiveness of the quality management system?
Can you give me examples of decisions and actions decided at management review meetings
that have resulted in:
(a) improvements needed to maintain the effectiveness of the quality management system?
How do you ensure that employees whose duties and responsibilities can have a bearing on the
quality of the products or services of the organization are competent on the basis of their
relevant education, training, qualifications, experience and skills?
Can you give me a few examples?
Are competency needs defined for those employees whose work has a bearing on the quality
of the organization’s products and/or services?
Please show me several examples.
How does the organization arrange training, where necessary, or other actions, to achieve the
defined competencies?
Can you show me evidence of this?
How is in-house training (and any external training) evaluated?
Please can I see examples?
How do you ensure that all employees are made aware of the relevance and importance of their
activities and how each one contributes to the achievement of quality objectives?
How do you ensure that any new employees are suitably briefed on this matter?
Please show me examples.
How do you maintain appropriate records of all staff on education, training, qualifications,
experience and skills (see clause 4.2.4)?
Please may I choose, at random, some training records for examination?
Also, specifically, may I see the training record(s) of your internal auditor(s)?
How do you ensure that all records are kept up to date?
How long do you keep personnel records?
Where are the minimum retention times defined (see clause 4.2.4)?
Who has the authority to dispose of them (see clause 4.2.4)?
Are the required maintenance activities documented for equipment when lack of proper
maintenance could affect product quality?
Is the frequency of such maintenance specified in such documents?
How does management determine and manage the human and physical factors of the work
environment that are necessary to achieve conformity of product or conformity of services?
Has the organization documented requirements for health, cleanliness and clothing of
personnel if contact between such personnel and the product or work environment could
adversely affect the quality of the product (see clause 7.5.1.2.1)?
Can the work environment have an adverse effect on product quality?
If so, has the organization established documented requirements for the work environment
conditions and documented procedures, or work instructions, to monitor and control these
work environmental conditions (see clause 7.5.1.2.1)?
If people have to work temporarily under special environmental conditions within the work
environment, are they properly trained or supervised by a trained person [see clause 6.2.2(b)]?
Are special arrangements in place and documented for controlling contaminated or potentially
contaminated product so as to prevent contamination of other product, the work environment
or personnel (see clause 7.5.3.1)?
• safety of individuals?
• ergonomics of working?
• appropriate lighting levels?
• appropriate temperature and humidity controls?
• acceptable noise levels?
• acceptable levels of cleanliness and hygiene?
• minimum pollution levels?
• appropriate protective equipment?
Which of the above are covered by legislation, regulations or codes of practice?
If the organization requires special facilities, e.g. clean rooms or sterile areas, how are
such special requirements addressed?
Do you have quality plans for each specific product, service, project or contract?
Can I please examine several such quality plans?
If design and development work is required, have the following been determined:
• Do the plans make clear how the products, or services, will be validated; when, by
whom and where?
• Is it clear how planning output will be updated as design and development projects
progress towards completion?
Have the criteria and methods been determined to ensure that processes proceed to their
planned outputs in an effective manner?
Who ensures that suitable resources are provided to achieve the planned output?
Does the plan identify where suitable documentation has to be available for the processes to
proceed to their planned outputs in an effective manner?
Does the plan show what monitoring and measurements have to be made, and where and
when?
Does the plan address delivery of a product to a customer or completion of a service for a
customer?
Does the plan explain in adequate detail what post-delivery services will be in place?
Does the plan identify the records that will be taken and maintained as the planned product or
service proceeds to completion (see clause 4.2.4)?
In the case of ISO 13485 has the organization established documented requirements for risk
management throughout product realization?
Records arising from risk management must be maintained (see clause 4.2.4).
(ISO 14971 gives guidance related to risk management.)
Please explain how customer needs and expectations are turned into customer requirements. Is
this through:
Can you please show me examples of these additions in which the organization has added to a
customer’s needs and expectations, with the approval of the customer?
Who is responsible for reviewing product and/or service requirements before the organization
makes a commitment to supply a product and/or provide a service (e.g. submission of a tender,
acceptance of contracts/orders or acceptance of changes to contracts or orders)?
Is there evidence that the reviews include consideration of required delivery dates, as defined
by the contracts or orders?
Following each review process has the outcome been that product and/or service requirements
are clearly defined?
In the case of ISO 13485, product requirements must be defined and documented.
In those cases in which documentation has not been received from a customer, has the
customer always been made to confirm (by letter, fax or email) their needs and expectations
and consequential requirements before acceptance of any order or contract? Can I please
see examples?
Who is responsible for ensuring that any contract or order requirements differing from those
previously expressed are resolved to the mutual satisfaction of the customer and the
organization?
Can you please show me examples in which such differences have been resolved?
When product requirements are changed, is all relevant documentation amended and relevant
personnel advised accordingly?
Please show me examples.
Are the reviews and the follow-up discussions and actions recorded (see clause 4.2.4)?
• on product information?
• on customer feedback?
• on customer complaints?
• on enquiries regarding contracts or order handling, amendments to contracts, etc?
In the case of large and/or complex contracts has management agreed with the customer
mutually acceptable arrangements for all communications between the two parties? If this is
the case, please show me examples.
If advisory notices have to be sent, who is responsible for them (see clause 8.5.1)? Could I
please see an example?
In the case of ISO 13485 there must be a mandatory procedure on design and development.
Please may I see it?
Please show me how the people responsible for different design and development activities
have been identified and the limitations placed on their authority.
Please show me how the organizational and technical interfaces between the different groups,
which input to a design and development, are identified.
Please show me how effective documented communications systems have been put in place for
all the people who have to be kept informed about design and development.
Is it proposed to hold design and development reviews, as appropriate, at different stages of the
design and development?
Do the plans indicate when verification of the design and development output will take place,
and by whom?
Do the plans make clear how products, or services, will be validated? When will this happen,
by whom and where?
Do ‘design and transfer activities’ during the design and development process ensure that the
design and development outputs (see clause 7.3.3) are verified as being suitable for
manufacturing before they become production specifications?
Is planning output documented and updated as design and development projects progress
towards completion (see clause 4.2.3)?
The design and development input is based on customer requirements, or perceived customer
needs and expectations. Who in particular is responsible for defining and documenting
customer requirements?
Please show me an example of design and development input. Do the requirements include:
Please can you show me the documentation for a finally agreed design and development output
specification for manufacture of a product or provision of a service?
Can you show how the documentation for the proposed design and development output
enables verification against the design and development input?
Was the design and development output document approved by the designated authority before
being released?
Will you please explain how the design and development output document satisfies the design
and development input requirements?
Does the design and development output document provide appropriate information for
departments, such as purchasing and for other people who are responsible for the operation
and control of the processes, to produce the required product or provide the required service?
What product or service acceptance criteria are included in the proposed design and
development output document?
Does the design and development document identify any characteristics that are crucial to safe
and proper functioning of the product or the provision of a service?
Are records of the design and development outputs maintained (see clause 4.2.4)?
(These might be specifications, manufacturing procedures, engineering drawings, engineering
or research logbooks.)
The design and development plan for the project under consideration (see clause 7.3.1)
specifies when design and development reviews shall be undertaken. What actually happened
in this particular case?
Did the reviews evaluate the ability of the results of design and development to satisfy
requirements?
Did the reviews identify any problems and propose necessary actions?
Can you provide evidence that in the review processes all the interested parties in the design
and development, including representatives of functions concerned with the design and
development of the stage(s) being reviewed, were represented, as well as other specialist
personnel (see clauses 5.5.1 and 6.2.1)?
Can you provide evidence that in the review processes all the interested parties in the
design and development, including representatives of functions concerned with the design
and development of the stage(s) being reviewed, were represented?
Please show me evidence of design and development verification that has been conducted to
ensure that the design and development output satisfies the design and development input
requirements.
In the case of very complex and probably very expensive projects how would your
organization conduct verification of the design and development output work?
(Provision of the medical device for the purpose of clinical evaluations and/or evaluation of
performance is not considered to be delivery.)
Have any of the agreed changes been made after delivery of some of the product or delivery of
a service?
Please show me examples.
Did it prove necessary, or was it considered advisable, to recall product or repeat a service, in
such circumstances?
Can you provide me with an example in which this was done?
Are records of the results of all reviews of changes and any necessary actions systematically
kept and maintained?
Please show me these records.
In the case of ISO 13485, does the organization have a documented procedure to ensure that
purchased product conforms to specified purchase requirements?
In the case of ISO 9001, does the organization ensure that purchased product conforms to
specified purchase requirements?
What kinds of controls are exercised by the organization over suppliers and subcontractors?
Can I please see any records of re-evaluations that have become necessary because of poor
performance?
Has your organization ever been required, as a condition of a contract or placing of an order, to
use a specific supplier or subcontractor, named by the customer?
If so, have any such suppliers or subcontractors defaulted in their requirements and had a
bearing on the final quality of the product, or the quality of the service being provided?
Can you please show me evidence of such occurrences?
Has the introduction of purchasing controls resulted in a reduction in the number of suppliers
and subcontractors, with consequential savings in administration, etc?
Do purchasing documents state what acceptance criteria for inspections at the supplier’s
establishment are to be used and the method of product release to the organization?
Please show me an example.
I need evidence that the organization plans and carries out production and service provision
under controlled conditions. Let us consider one or two products (or services).
(a) the number of medical devices manufactured in each batch (a batch can be a single
medical device);
Has the organization decided that it should have documented requirements for cleanliness of
product? If so, please may I see it?
(a) how product is to be cleaned by the organization prior to sterilization and/or its use?
(In such cases, the requirements in clauses 6.4(a) and 6.4(b) do not apply prior to the
cleaning process.)
(b) how product, if supplied non-sterile, is to be cleaned prior to sterilization and/or use?
(In such cases, the requirements in clauses 6.4(a) and 6.4(b) do not apply prior to the
cleaning process.)
(c) if product is intended to be supplied and used non-sterile, whether cleanliness is of
importance before use;
(d) if any process agents are to be removed from the product during manufacture?
Has the organization documented the requirements for acceptance criteria for installing and
verifying the installation of the medical device?
Can I see the documentation for performing servicing activities and how such work must be
verified so as to meet the specified requirements, such as:
(a) procedures?
(b) work instructions?
Can I see the records of the process parameters for the sterilization process used for each
sterilization batch?
How do I trace such sterilization records to each production batch of medical devices (see
clause 7.5.1.1)?
Does the organization have any processes for production and service provision where the
resulting output cannot be directly validated?
Does the organization have any processes for which only indirect validation of such processes
is possible? Please show me examples.
Have criteria been defined for review and approval of any such processes?
Are specific methods and procedures being used that have been approved by recognized
bodies?
Could I please see the organization’s records in this connection (see clause 4.2.4)?
Whenever planned results are evidently not being achieved, does revalidation take place
following appropriate changes to equipment, materials or staff?
Can I see the procedure for the validation of the application of computer software (including
changes to such software and/or its application) for production and service provision that
affect the ability of the product to conform to specified requirements?
Have such software applications been validated prior to initial use?
May I see the validation records please?
Can I please see your procedure for the validation of sterilization processes?
Are sterilization processes validated prior to use? Please show me evidence of this.
Can I see your records on each sterilization process (see clause 4.2.4)?
Has the organization established documented procedures to ensure that medical devices
returned to the organization are identified and distinguished from conforming product [see
clause 6.4(d)]?
Has the organization decided to provide full traceability on any, or all, of the organization’s
products or services?
If so, please show me how this is done.
Please show me the documentation.
If a customer requires full traceability, what documentation is provided by the organization for
identification of individual items, or batches of items, as appropriate?
Particular requirements for active implantable medical devices and implantable medical
devices (clause 7.5.3.2.2)
If any of these could cause the medical device not to satisfy its specific requirements:
Does the organization ensure that its agents or distributors maintain records of the distribution
of medical devices to allow traceability?
Are such records available for inspection by the manufacturer of the medical products?
Does the organization keep and maintain records of the name and address of the shipping
package consignee (see clause 4.2.4)?
How does the organization identify product status with respect to any monitoring and
measurement requirements?
Does the organization receive any product from customers that the customer wants the
organization to incorporate into the product that is being made for it by the organization, or for
activities related to what the organization is doing for the customer?
When customer product is being incorporated into the organization’s product, how is it
identified, verified, protected and safeguarded?
When customer product is being used by the organization for ‘related activities’, is the same
care exercised as for product that is being incorporated into the organization’s products?
Does the organization recognize any intellectual property as belonging to a customer? How is
that safeguarded?
Does the organization have any documentation to help to ensure that all property belonging to
a customer is properly controlled?
Please show me.
What happens when customer property is lost, damaged or otherwise found to be unsuitable
for use?
Do you have any special arrangements in place to protect the intellectual property of
customers?
Can you show me an example of any of the safeguards?
Please may I see your procedures or work instructions for preserving conformity of product
during internal processing and delivery to the intended destination?
How does management ensure the conformity of product during internal processing and
delivery to the intended destination? Please demonstrate this by means of a few
examples.
How does the organization ensure that sensitive product, which might be damaged by any
adverse method of packaging and storage, is preserved whilst under its control so that product
remains undamaged from any such potential threats up to the time of its delivery to a customer?
If damage by static electricity is a possibility, are special packaging and storage used to
prevent electrostatic damage to the product?
Is all stock appropriately segregated until the time has arrived for its use or dispatch?
Is all incoming stock carefully segregated and preserved until it is required for use?
Protection
After final inspection and test, how does the organization provide protection against damage
whilst within the confines of the organization?
Packaging
What controls does the organization have in place to ensure that any packing or packaging is
adequate to prevent damage that would result in the product being unacceptable to a customer?
Please show me examples.
What methods are used for identifying packaged product? Show me examples.
Once a product has been suitably identified, how is the identification preserved until it is
delivered to the intended destination?
Identification
Handling
What does the organization do to ensure that the ways in which product is handled do not
result in damage to or deterioration of product?
Please show me examples.
Storage
Do you have dedicated storage areas suitably organized so as to prevent damage or
deterioration of product whilst it is awaiting use or dispatch?
If so, can you identify these please?
What criteria, if any, are used to decide whether product should be received or dispatched?
If the criteria are not met, what happens to any such product?
How do you deal with products (incoming or outgoing) that are likely to deteriorate with time?
Delivery
How does the organization make provision against accidental damage during handling whilst
the product is in transit to a customer?
Have you any cases in which special attention must be paid to any contractual conditions in
this respect?
How does management decide what monitoring and measurements, which can have a bearing
on the quality of the product being manufactured/assembled or on the service that is being
provided, need to be made and how accurate they need to be before choosing suitable
equipment?
Please may I see your documented procedure that ensures that monitoring and measurement
are carried out in a manner that is consistent with the monitoring and measurement
requirements?
Has the organization established processes to ensure that monitoring and measurement
are carried out in a manner that is consistent with the monitoring and measurement
requirements?
Has management decided whether any of the chosen measuring and monitoring devices need
to be calibrated? If so, please identify them.
Which devices are to be calibrated externally and which are to be calibrated internally?
How are devices safeguarded from irresponsible adjustments that would invalidate the
calibration?
How are devices protected from damage and deterioration during handling, maintenance and
storage?
If a device is found to be out of calibration at recalibration, how does management address the
‘out-of-calibration’ state of the device and assess the possible consequences of the recent
measurements having been incorrect?
If corrective action needs to be taken, who would be responsible for such action?
Is this documented?
How is software, which is used for measuring and monitoring of specified requirements,
validated prior to use?
Does the organization allow customers and stakeholders to have access to calibration data?
External calibration
What are the acceptable limits for the calibration results for a particular instrument or device
that is to be calibrated internally?
Is the known accuracy of the calibrated reference standard sufficiently greater (e.g. 10 times
greater) than the theoretical accuracy of the instrument or device being calibrated internally?
Is the uncertainty for the calibrated reference standard low enough to ensure that the
uncertainty of calibration of the instrument or device being calibrated will be acceptable in the
circumstances in which it will be used?
Who decides how often the instrument or device will need to be calibrated?
What documentation is used to ensure that all internal calibrations are carried out in a
professional and scientifically acceptable manner?
Has all calibrated equipment (externally calibrated and internally calibrated) been uniquely
identified?
How is this done?
• analysis processes (with explanations of the methods used) (see clause 8.4);
(Are there any national or regional regulations that require documented procedures for
implementation and control of the application of statistical techniques? If this is the case,
please can I see your procedures?)
• the improvement processes (see clause 8.5);
in order to:
• maintain the effectiveness of the quality management system (see clauses 8.4 and 8.5.1);
Do you feel confident that you have addressed these issues in general?
These specific requirements and associated requirements are addressed below.
What methods are used to monitor information relating to whether the organization has met
customer requirements (see clause 7.2.1)?
Can I please see the latest findings?
Are they more satisfactory than earlier findings?
Has the organization established a procedure for a feedback system [see clause 7.2.3(c)] to
provide early warning of quality problems and for input into the corrective and preventive
action processes (see clauses 8.5.2 and 8.5.3)?
Do national or regional regulations require the organization to gain experience from the
post-production phase? If so, can I see the review of this experience? Is it part of the
feedback system (see clause 8.5.1)?
What methods are used to monitor information relating to whether the organization has met
customer requirements (see clause 7.2.1)?
Are the responsibilities and requirements for planning and conducting audits clearly stated?
Has consideration been given to the status and importance of the activities and areas to be
audited, as well as the results of previous audits?
How does management ensure that timely corrective action is taken on nonconformities and
any observations found during the audit?
Please show me a few examples.
How are all processes monitored (and/or measured, as and when deemed necessary), so that
the outputs will satisfy customer needs and expectations?
Give me an example of monitoring and measurements undertaken during one major process
and the associated interacting supplementary processes.
If monitoring shows that a requirement is not being met, how is this dealt with?
Can you please show me examples of any such nonconformities found?
What monitoring and measurement of the product and/or provision of a service, or both, take
place at appropriate stages to ensure that the requirements are being met (see clause 7.1)?
What evidence of conformity with accepted criteria is documented, and what evidence
authorizing the release of product, and/or provision of a service, is recorded (see clause
4.2.4)?
How do you ensure that product and/or service delivery does not take place until all
requirements have been satisfied (unless otherwise approved by a relevant authority and,
where applicable, by the customer)?
Please show me a few normal cases of such approvals.
Please show me examples of any exceptional cases.
Products and/or services must be monitored (and perhaps measured) to verify that product and
service requirements have been met.
What monitoring and measurement of the product and/or provision of a service, or both, take
place at appropriate stages to ensure that the requirements are being met (see clause 7.1)?
What evidence of conformity with accepted criteria is documented, and what evidence
authorizing the release of product, and/or provision of a service, is recorded (see clause 4.2.4)?
How do you ensure that product and/or service delivery does not take place until all
requirements have been satisfied (see clause 7.1)? Please show me a few normal cases of such
approvals. Please show me examples of the exceptional cases.
How do you ensure that product and/or service delivery does not take place until all
requirements have been satisfied (unless otherwise approved by a relevant authority and,
where applicable, by the customer)?
Please show me a few normal cases of such approvals.
Please show me examples of any exceptional cases.
Do your records show the identity of personnel performing any inspection or testing?
Please may I examine your procedure for dealing with nonconforming products or
nonconforming services?
Does the procedure identify responsibilities and authorities for dealing with nonconformities?
How is a nonconforming product (or a nonconforming service) identified?
How are nonconforming products controlled to prevent unintended use or delivery?
How do you ensure that corrected nonconforming product, and/or service, is subject to
reverification after correction to demonstrate conformity?
What arrangements are in place to ensure that if a nonconformity is discovered, after delivery
or use, appropriate action is taken regarding the consequences of the nonconformity to users of
the product or the results of an inadequate service?
Are records kept and maintained on (see clause 4.2.4):
• the nature of any nonconformities?
May I see your procedures to determine, collect and analyse appropriate data to demonstrate
the suitability and effectiveness of the quality management system and to evaluate whether
improvement of the effectiveness of the quality management system can be made?
Does this include data generated as a result of monitoring and measurement and from other
relevant sources?
Has the organization determined, collected and analysed appropriate data to:
• demonstrate the suitability and effectiveness of the quality management system
(see Figure 5.1)?
• evaluate how continual improvements can be made in the effectiveness of the
quality management system (see clause 8.5.1)?
Does this include data generated as a result of monitoring and measurement and from
other relevant sources?
How does the organization identify and implement any changes necessary to ensure and
maintain the continued suitability and effectiveness of the quality management system?
In what ways do the following bring about improvements in the effectiveness of the quality
management system?
• audit results?
• analysis of data?
• corrective and preventive actions?
Nonconformities
Please may I see your procedure on corrective actions?
Does it include corrective actions to be taken in response to customer complaints?
Who is responsible for recording the results of the corrective actions taken (see clause 4.2.4)?
Please show me examples.
Who reviews the corrective actions taken?
Please show me evidence of such reviews.
How many customer complaints have there been over a given period?
Is a log kept?
Please show me.
Does it address the need for action to eliminate the causes of potential nonconformities in
order to prevent their occurrence?
Does it state that preventive actions must be appropriate to the effects of the potential
problems?
(d) recording the results of any investigations and of any preventive actions taken
(see clause 4.2.4)?
(e) recording the results of preventive actions taken (see clause 4.2.4)?
(f) reviewing any preventive actions taken and their effectiveness?
Appendix 1:
Quality management system mandatory procedures
This appendix includes the mandatory procedures for ISO 9001. It is recommended that any
other procedures, mandatory or otherwise, follow the same format. The mandatory procedures
are as follows.
PC 101 Control of Documents
PC 102 Control of Records
Control of Documents
Controlled Copy
Copy no:
Registered holder:
Position:
Management representative
Date: Supersedes:
PC 101 Issue 1
1. Purpose
The purpose of this procedure is to show how documents are controlled within the quality
management system.
The rigid controls that are imposed on such documents are there for a specific purpose,
namely, to ensure that only approved documents, and the latest current issue and the latest
revision of documents are in use in all locations throughout the organization.
2. Scope
This procedure applies to all the documents within the quality management system. The
framework documentation includes:
The management representative is responsible for giving final approval to all documents that
are part of the organization’s quality management system.
It is inevitable that some documents will have to be changed from time to time. These must be
reapproved by the management representative prior to being reissued to interested parties.
Changes to external documents and external forms cannot be made by the organization, but
the management representative has the responsibility of ensuring that they are properly
controlled.
5.2 Reference letters and numbers, and issue and revision numbers
PD process diagram
PC procedure
PT protocol
WI work instruction
PL policies
FM form
EFM external form
ED external document
The appendices to the quality manual provide useful information and stand-alone documents
as an important part of the quality manual.
External forms and external documents need to be considered as part of the quality
management system documentation since they might have some bearing on the quality of the
services provided by the hospital. Hence they need to be properly controlled.
Each document is given a unique reference number, e.g. 001, which follows the reference
letters. In some cases blocks of numbers, e.g. 101 to 150 are allocated to certain departments
or certain activities.
5.2.2 Issue and revision numbers
The issue number of a document is indicated by an appendage, 1, 2, 3, etc. An original page
does not have a revision status, but if a single page is altered in any way it is given a revision
appendage, e.g. Rev. 1, which indicates the first revision status of a page. Further revisions of
the same page become Rev. 2, Rev. 3, etc.
When a number of pages have undergone revision, the document can be reissued without
revision numbers, but with the grading of Issue 2, Issue 3, etc. The management representative
decides when this will be done.
External forms and external documents are listed in a logical manner by the management
representative.
When, for instance, a procedure is reissued following a number of changes, the superseded
documents must be returned to the management representative. Single pages that have been
superseded must be destroyed by the recipient of the new pages. Such measures should
prevent the continuing use of superseded documents. If the management representative
decides to keep superseded documents for ‘knowledge preservation purposes’ or for any other
reasons, they are clearly identified as such by being stamped ‘superseded’.
It is the responsibility of the head of a unit or department to ensure that relevant versions of
applicable documents are always available at points of use. Such documents must remain
legible and be readily identifiable.
The appendices to the quality manual will change from time to time; these will be issued to
recipients in a controlled manner.
Documents of external origin are listed by the management representative. They are
distributed, and updated when necessary, in the same manner as any other documents. This
ensures that only the latest version of any external document, or external form, is being used.
The management representative uses form FM 103 to keep a record of where documents have
been sent.
5.4 Changes to documents
All staff are encouraged to make suggestions on how to improve the documents on which the
hospital’s quality management system is based. Any such changes should first be discussed with
immediate colleagues who might be affected by the proposed changes.
Requests for any changes should be made on a change request form, FM 104. This is submitted
to the management representative who after due consultation with interested parties, and
perhaps after discussion in a management review meeting, may issue an amendment to the
documentation in accordance with the steps outlined below.
Changes in a document are identified by a vertical line placed in the left hand margin,
alongside the changed line(s) or paragraph(s). When a page is changed in this way the revision
number is increased as explained above. When a further change is made on the same page
only the latest change is indicated by a vertical line.
When a number of changes have been made to a document the management representative
may decide to reprint and redistribute the document with a new issue number (with no
revision number).
Form FM 105 is also issued to staff along with any changes to the documents. Such forms
summarize the changes made to a particular document, including the latest changes. They are
intended to be retained as an appendix to the document in question, so that anyone can see
at a glance what changes have been made. As appendices, they are placed at the back of the
relevant part of the documentation.
External documents and external forms are listed in a logical manner by the quality manager.
Many documents and records (see PC 102) are stored on computer. The same rules apply to
electronic storage as apply to storage of hard copy documents and records, but additional
safeguards are required in the way of back-up storage, prevention of unauthorized access to
data, as well as prevention of corruption of data, etc.
The management representative has to be satisfied that adequate controls are in place for
these purposes.
5.8 Bureaucratic documentation
The quality management system documentation must not be bureaucratic. If any member of
staff believes that a document serves little or no useful purpose, such thoughts should be aired
with colleagues with a view to getting the bureaucratic document amended or removed from
the quality management system via the management representative.
To:
Listed below, and attached hereto, are controlled documents for your retention. Please
ensure that the documents are accessible to your colleagues so that there can be no
misunderstanding as to how the organization functions.
If you are receiving a document which supersedes an existing one, please ensure that
you return the superseded document at the same time.
Date:
Management representative:
FM 101 Issue 1.
Acceptance of Documentation
Date:
Recipient:
FM 102 Issue 1.
Reference:
Proposed change:
Comments by reviewer(s):
Signature(s) of reviewer(s):
Date:
Approved/rejected
by management representative: Date:
FM 104 Issue 1.
Control of Records
Controlled Copy
Copy no:
Registered holder:
Position:
Management representative
Date: Supersedes:
PC 102 Issue 1
1. Purpose
The purpose of this procedure is to ensure that records are established and maintained so
as to prove that the quality management system is in place; that it is working effectively in
accordance with the organization’s quality policy; and in pursuance of the organization’s policy
of maintaining and, whenever possible, improving the quality of life of all the residents.
2. Scope
This procedure applies to all the documents specified in ISO 13485 and ISO 9001 as well as
many working document records chosen by the organization. The management representative
might wish to add other records in the light of experience.
3. Responsibilities
The management representative is responsible for ensuring that records are collected, suitably
filed and stored, etc. Responsibility for records in the first instance lies with managers who
create and use the records. All staff are expected to contribute directly, or indirectly, towards
the establishment and maintenance of records during their everyday activities.
4. Associated documents
These are too diverse to list individually, since records arise from many quality management
system documents and from day-to-day operations.
5. Details of procedure
5.1 Quality records
Records arise from the many activities that occur in the organization. They provide objective
evidence as to what has happened.
ISO 13485 and ISO 9001 require, as a minimum, certain listed records to be kept and
maintained. They provide objective evidence as to what has occurred. These are records on
the following:
(a) management review meetings (see clause 5.6.1);
(b) education, training, skills and experience (see clause 6.2.2);
(c) evidence that realization processes and the resulting products meet planned arrangements
(see clause 7.1);
(d) results from the evaluation of suppliers and the necessary actions arising from the
evaluations, if applicable (see clause 7.4.1);
(e) validation of processes where the resulting output cannot be verified by subsequent
monitoring or measurement (see clause 7.5.2);
(f) results of any calibrations on equipment, if applicable (see clause 7.6);
(g) validity of any previous measurements when measuring equipment is found to be,
or suspected of being, out of calibration (see clause 7.6);
(h) results of internal audits and actions arising thereafter (see clause 8.2.2);
(p) contracts;
(q) maintenance carried out within the organization that might have a bearing on the
quality of products and the services provided;
(u) any other records that management deem should be kept for regulatory and statutory
reasons and/or for continuing quality care of residents.
5.2 Collection, care and collation of records
Everyone associated with the creation of records must ensure that they are readily identified;
are legible and remain legible; are stored appropriately; are protected from damage; and can
be easily retrieved.
The management representative is responsible for the collection and collation of records arising
directly from the quality management system documents. They also have to be satisfied that
staff are collecting and collating their records in a satisfactory manner.
Storage will initially take place in designated areas following discussion with appropriate staff.
Longer-term storage will also be decided in consultation with the management representative.
Once each year the management representative has to confirm in writing to the management
review committee that all the defined records are in place, properly filed, preserved, etc.
Many records are stored on computer. The same rules apply to electronic storage as apply to
storage of hard copy records, but additional safeguards are required in the way of back-up
storage, prevention of unauthorized access to data, prevention of corruption of data, etc. (see
procedure PC 101).
5.3 Filing of quality records
All records will be archived from time to time by the management representative in a manner
that will allow easy traceability and retrieval when required. Records are kept and maintained
in a sound condition for a minimum period of years, decided by the organization, except in
those cases in which records are required by law to be maintained for specific periods of time.
Internal Audit
Controlled Copy
Copy no:
Registered holder:
Position:
Management representative
Date: Supersedes:
PC 103 Issue 1
1. Purpose
The purpose of this procedure is to explain how internal audits are conducted on all aspects of
the organization’s quality management system with a view to establishing that the:
quality management system complies with the requirements of ISO 13485 and ISO 9001;
quality management system is being effectively implemented and maintained;
The internal audits must be conducted at planned intervals and are intended to highlight any
problems or difficulties and afford opportunities to make approved changes.
2. Scope
This procedure applies to all the internal auditing activities that are undertaken by or on behalf
of the organization.
3. Responsibilities
Forms:
Internal Audit Schedule, FM 121;
Register of Internal Audits, FM 122;
5. Details of procedure
5.1 General
Internal auditing is one of the most important aspects of the organization’s quality management
system. It must be viewed in a positive manner, because internal quality auditing affords an
opportunity to all parties involved to consider ways of improving how the organization
functions.
5.2 Auditors
All auditing will be conducted by auditors who have received appropriate training. No auditor
is allowed to audit their own work, but auditors can audit work for which they are responsible.
Thus, a manager of a division, say, can audit the work of the people working for them, but the
manager cannot audit the actual work that they do. This could be done by, say, another
manager in the organization.
The management representative ensures that there is a comprehensive schedule for internal
auditing at planned intervals, which embraces all aspects of work carried out in the
organization. Some areas of work that are key to the organization’s activities may undergo
internal auditing at frequent intervals. In addition, when an audit identifies problems,
re-auditing will be arranged in the near future on an agreed date.
The overall schedule for internal audits throughout the organization is available for all
members of staff to examine.
During the implementation of the quality management system, internal quality audits can be
carried out as soon as an activity is considered to be ready for an audit. Proper records of
findings are made of all audits, including the preliminary ones.
An internal audit schedule can be prepared on form FM 121. This schedule will show the dates
on which internal audits will be conducted in different areas of the organization.
The form will identify processes and/or activities to be audited and the corresponding
relevant areas of the two standards.
Audits can be delayed or postponed in exceptional circumstances, but only with the approval
of the chief executive or managing director and the management representative. Additional
audits will be arranged by the management representative in consultation with others when a
previous audit has proved to be unsatisfactory.
5.4 Internal audit register
Prior to any audit, the management representative will allocate a number to an audit and
record the actual date of it on the Register of Internal Audits, FM 122. All subsequent
documents associated with the particular audit will include the audit number and date.
The management representative is responsible for maintaining the register at all times so that
the status of internal audits can be readily determined at any time.
5.5 Audit questions
Prior to any audit, an auditor will prepare a number of possible questions (Internal Audit
Questionnaire, FM 123) in connection with the area being audited. These will form the basis
of the audit, but other questions may be asked in the light of what is subsequently revealed to
an auditor.
It has been made clear to all members of staff that any member of staff may be asked
questions by an auditor in order for them to determine whether the quality management
system documentation (a process, procedure, or work instruction, etc.) is being implemented
satisfactorily and whether it is effective.
At the end of the audit this form is sent to the management representative after corrective and
preventive actions have been addressed.
Medical Devices: ISO 13485 and ISO 9001
The Nonconformity or Observation Form will need other entries. Someone, for instance,
will have to state on the forms what action is to be taken. On occasions this may have to be
completed after an audit; the person responsible for such action has to be named and their
signature obtained. Observations might not result in the need for action to be taken. The date
by which any changes are to be implemented also has to be given (see procedure PC 105).
It is the responsibility of the management representative to add their signature to the form
once verification of the corrective action, and possibly preventive action, has been confirmed.
5.10 Summary of internal audit
The auditor will complete a summary – an Internal Audit Report (FM 125) – after each audit
where the main findings (nonconformities and observations) are recorded along with an overall
summary of the audit.
At the end of the audit all the forms are sent to the management representative.
The internal audit reports are considered at each management review meeting. They are used
as the basis for any discussions on the successful implementation of the organization’s quality
management system.
The management review committee has the authority to introduce changes via the
management representative with a view to continual improvement of the effectiveness of the
quality management system.
Nonconformity and Observation Forms (FM 124) will all be filed consecutively eventually, but
as an interim measure all outstanding nonconformity and observation forms will be filed
together in two groups. As each outstanding corrective action (and possibly preventive action)
is signed off by the management representative the form will be transferred to its appropriate
sequential position in the ‘closed-off’ section of the file, together with other sheets associated
with the relevant audit.
Internal Audit Schedule, 2006
Planned month Jan Feb Mar Apr May June July Aug Sept Oct Nov Dec
Actual month
Planned date
Actual date
ISO 13485 / ISO 9001 clause no. | Process/activity | Reference process diagrams and/or name of the relevant clause
Internal Audit Questionnaire
Audit no: Process/activity/reference documents:
Auditor: Signature:
Departmental representative: Signature:
Signature of management
representative: Date:
Quality management system mandatory procedures
Nonconformity:
Observations:
Overall summary:
Controlled Copy
Copy no:
Registered holder:
Position:
Management representative
Date: Supersedes:
PC 104 Issue 1
1. Purpose
The purpose of this procedure is to ensure that all nonconformities are properly documented
and followed through by corrective action(s) and possibly preventive action(s).
2. Scope
It is the responsibility of the management representative to ensure that all nonconformities are
dealt with in the manner prescribed in this procedure.
4. Associated documents
Forms:
Register of Internal Audits Form, FM 122 (see PC 103, Internal Audit)
Nonconformity or Observation Form, FM 124 (see PC 103, Internal Audit).
5. Details of procedure
5.1 Nonconformities
All nonconformities found in the organization must be properly recorded. The nature of the
nonconformity and the name of the person who caused the nonconformity, if this is known,
are clearly recorded on the Nonconformity or Observation Form, FM 124 or Nonconformity
form, FM 132. In some cases, of course, the cause of nonconformity may not be the result of
any individual’s action, or inaction.
A complaint from a customer might have arisen because of a nonconformity (See PC 105).
In such cases forms FM 141 and FM 142 should be used.
The effects of the corrective action taken for the benefit of a customer must be subject to
discussion with the customer to ensure that the action taken has been effective.
All other nonconformities, whatever their source, are addressed in the same manner, except
that some might not require an immediate response in the way of corrective actions.
It is important to ensure that there is not a repetition of a nonconformity. The third part of the
appropriate nonconformity forms or complaint forms will be completed, if possible, perhaps
after discussion with the other interested parties, to prevent a recurrence of the nonconformity
in the future (see PC 106).
In those cases in which a single human failing has caused the nonconformity ‘N/A’
(not applicable) can be written in this section.
The management representative is responsible for maintaining the appropriate register of all
nonconformities.
5.6 Filing of nonconformities
A file will be maintained for nonconformities. The file will be divided into two parts: the first
part will contain ‘active’ nonconformities, and the second will contain those that are ‘closed’.
5.7 Management review meetings
The meeting will consider what action to take about those reported at the last meeting that still
have to be signed off or closed.
If nonconformities are identified; if the reasons for the nonconformities are identified; if
appropriate corrective and perhaps preventive actions are taken; and if all such information is
fully documented, then the chief executive should be in a position to manage the organization
better than would otherwise be the case.
All the documentation associated with nonconformities will form part of the organization’s
quality records.
Records on nonconformities will be maintained for a minimum period of time as specified by
the chief executive or a nominated person.
Register of Nonconformities
Nonconformity Form
No:
Customer:
Telephone no:
Reference no: Internal ref. no:
Nature of nonconformity:
Person responsible
for corrective action(s):
Date: Signature:
Person responsible
for preventive action(s): Signature:
Signature of management
representative : Date:
FM 132 Issue 1.
Corrective Action
(Arising from Nonconformities and Customers’ Complaints)
Controlled Copy
Copy no:
Registered holder:
Position:
Management representative
Date: Supersedes:
PC 105 Issue 1
1. Purpose
The purpose of this procedure is to ensure that corrective action is taken to eliminate the cause of
any nonconformity in order to correct that which is going wrong or that which has gone wrong.
This procedure also applies when corrective action is taken in response to any nonconformities,
however discovered, and when complaints are received from residents or their representatives.
Corrective actions must always be appropriate to the impact of the problems encountered and
the likelihood of their happening again. For example, a vast amount of money should not be
spent after a single nonconformity or a single complaint when either is considered to be a
‘one-off’ event with a very low probability of happening again.
On the other hand if it is thought that the same, or similar, nonconformity or the same, or
similar, resident complaint might happen again sometime in the future, additional action,
preventive action, might be taken to ensure that it does not occur again. Sometimes, such
preventive action might become part of the corrective action, if the action taken is greater than
the essential corrective action necessary to put right that which was going wrong or had gone
wrong. In general it is better to think of corrective actions and preventive action as being quite
distinct and separate.
This procedure applies to all nonconformities whether they are identified by a member of staff
in the organization or by a third party. It also applies to complaints whether they are received
verbally or by letter or telephone.
3. Responsibilities
It is the responsibility of the management representative to ensure that all corrective actions are
dealt with in an expeditious manner and that appropriate documentation is raised.
4. Associated documents
Forms:
Nonconformity or Observation Form, FM 124 (see PC 103)
5. Details of procedure
5.1 Corrective action in response to nonconformities
Corrective action is essentially a backwards looking phenomenon starting, at the latest, from
the time a decision is made that corrective action is necessary in order to put right that which
is going wrong or that which has gone wrong. The implementation of the corrective action may
not always be possible immediately, but it will take place as soon as possible or as appropriate
in the immediate future.
The person who accepts responsibility for the corrective action must sign the form.
All the forms referred to above include space for ‘preventive action’ (see procedures PC 103,
PC 104 and this procedure).
Finally, the prescribed form should only be signed off by a responsible person within the
organization, usually the management representative, when they are certain that the
nonconformity has been satisfactorily dealt with from every point of view and the actions taken
have been completed in every respect.
The corrective action taken should also subsequently be reviewed to decide whether it has
been effective in dealing with the nonconformity.
5.2 Complaints by customers (PD 104)
There should be no doubt as to what is meant by a customer complaint. If anyone in the
organization feels that it is necessary to say ‘Sorry!’ to a customer, because they appear to be
aggrieved by what has happened, or, maybe, by what has not happened, then a complaint has
been received. It may appear to be an unjustifiable complaint, but if the customer evidently
thinks otherwise it would be wise to tread cautiously and to promise to investigate the
complaint without undue delay.
The form includes space for ‘preventive action’ (see procedure PC 106).
The management representative will sign the last section of the form once the complaint
process has been completed.
The management representative is responsible for maintaining the Register of Complaints Form
141, as is the case for the Register of Nonconformities and, similarly, all Complaint Forms
(FM 141 and 142) are systematically filed like Nonconformity forms (see procedures PC 103
and 104).
The management representative will present at each management review meeting details of all
nonconformities and customer complaints, and the organization’s responses.
Such meetings will consider what action to take about those nonconformities that were
reported at the last meeting which still have to be signed off.
All complaints should have been addressed promptly. Management should look upon customer
complaints in a positive manner. They are not to be used to ostracize people, although when
incompetence has become evident, appropriate action needs to be taken by the chief
executive.
Most customers usually accept most mistakes with good grace, provided corrective action is
taken promptly. From the organization’s point of view, customer goodwill is thereby usually
retained; adverse publicity is avoided and litigation is less likely.
Register of Complaints
Complaint Form
No:
Organization:
Nature of complaint:
Signature: Date :
Person responsible
for corrective action(s):
Date: Signature :
Person responsible
for preventive action(s): Signature:
Signature of management
representative: Date:
FM 142 Issue 1.
Preventive Action
(Arising from Nonconformities and
Customers’ Complaints and Risk Management)
Controlled Copy
Copy no:
Registered holder:
Position:
Management representative
Date: Supersedes:
PC 106 Issue 1
1. Purpose
(ii) to reduce the likelihood of an earlier, or a similar kind of resident complaint recurring in
the future;
(iii) to prevent an untoward event from occurring for the first time, as determined by Risk
Assessments (RAs) or Failure Mode and Effect Analyses (FMEAs), etc;
(iv) to prevent an untoward event from occurring for the first time because of a very high
consequence rating for a specific possible fault or mistake;
(v) to prevent an untoward event from occurring for the first time because of new
knowledge, new technology, new evidence, etc.
Preventive action must always be appropriate to the impact of the problem encountered and
the likelihood of its happening again. In the second group of possibilities, (iii) to (v), in which
an event has not yet occurred, any preventive action taken must likewise be commensurate
with the perceived likelihood of the untoward incident taking place, but also with the
seriousness of the consequences that might occur.
2. Scope
This procedure applies to all kinds of preventive actions taken by the organization.
3. Responsibilities
It is the responsibility of the management representative to ensure that all preventive actions
are dealt with in an expeditious manner and that appropriate documentation is raised.
4. Associated documents
Procedures
PC 103 Internal Audit
PC 104 Control of Nonconforming Product
5. Details of procedure
5.1 Preventive actions
Preventive action is essentially a forwards looking phenomenon starting, at the earliest, from
the time a decision is made that corrective action is necessary to put right that which is going
wrong or has gone wrong. Action, preventive action, might then be taken to prevent a
recurrence of a nonconformity or a resident complaint.
Preventive action is also taken to prevent an untoward event from occurring for the first time.
Such preventive action might be considered necessary in the light of risk assessments and the
seriousness of the consequences identified in such risk assessments, as well as any new
evidence, new knowledge, new technology, etc. that have led the organization to believe that
an untoward event might happen in the future.
The implementation of the preventive action may not always be possible immediately, but it
should take place as soon as possible or practical.
In the case of preventive actions arising from nonconformities and customer complaints, the
prescribed forms (FM 124, FM 132 and FM 142) should only be signed off by a responsible
person within the organization, usually the management representative, when they are satisfied
that any proposed preventive actions have been implemented. The preventive actions must
also be reviewed to verify that the action taken has been effective in dealing with the
nonconformity or customer complaint.
Resident safety in organizations is of paramount importance. Yet there are risks to be faced by
many residents in organizations. For instance, there are risks from cross-infections associated
simply with being in, or visiting, an organization. Such risks are nothing compared with the
risks incurred by all of us when outside organizations from, for example, road accidents and so
on. Nevertheless, the chief executive in an organization will have documentation in place to
minimize the risks involved in a number of areas. These will include the health and safety
policy and the fire safety policy.
Such documentation includes standard procedures and actions that should prevent any
untoward events or, at worst, minimize the effects of untoward events involving customers and
the organization’s own staff.
The management representative is responsible for ensuring that all such documentation is kept
up to date in accordance with the latest statutory and legal requirements.
The management representative is responsible for ensuring that all employees are regularly
briefed on the prevention of untoward events and on the documents that are in place for
dealing with such events. The chief executive will ensure that records are kept on all staff who
attend briefings on possible untoward events.
5.3.2 Risk Assessments (RAs): Risk Analysis Numbers
When contemplating future untoward events, it is helpful to make an estimate of the likelihood
of an untoward event happening and the resulting consequences should it happen.
Simple risk analysis is a method of combining both the likelihood and consequences of an
untoward event. The Risk Analysis Number is based on two estimated numbers.
Risk Analysis Number = (qualitative measure of probability of an untoward event occurring)
× (qualitative measure of the consequences of its occurrence)
A qualitative measure of the probability of an untoward event occurring can be rated between
1 and 10 as follows:
1. Impossible.
2. Rare. Event will occur only in exceptional circumstances.
4. Unlikely. The event could occur sometime.
8. Single death.
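Consequence (rating) | RA number at probability rating 1 | 2 | 4 | 6 | 8 | 10
Negligible (1) | 1 | 2 | 4 | 6 | 8 | 10
Minor (2) | 2 | 4 | 8 | 12 | 16 | 20
Serious (4) | 4 | 8 | 16 | 24 | 32 | 40
Major (6) | 6 | 12 | 24 | 36 | 48 | 60
Death (8) | 8 | 16 | 32 | 48 | 64 | 80
Deaths (10) | 10 | 20 | 40 | 60 | 80 | 100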
The two numbers chosen are multiplied together to give a Risk Analysis (RA) number. The
levels of Risk Matrix can be established using all possible combinations of numbers. Each
number provides an estimate of the probability of an untoward event happening. The higher
the number, the more serious the failure mode. The chart clearly indicates that an untoward
event has virtually ‘no risk’ at one extreme and ‘high risk’ at the other, as shown by the bold
numbers 60, 64, 80 and 100.
In cases of calculated high risk for an event happening, then preventive action, or actions, are
taken to reduce the probability of an untoward event occurring. The high risk numbers should
help an organization to get its priorities right in deciding what preventive actions (not
corrective actions) should be addressed.
5.3.3 High consequence rating
Although the calculated RA numbers are extremely useful, preventive action, or actions, are
also taken for any possible causes of failure that have been given a high consequence rating,
such as 8 and 10.
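The RA calculation of 5.3.2 and the high consequence rule of 5.3.3, as an added example that is not part of the book: it rebuilds the matrix from the ratings and shows an event with a low RA number that still calls for preventive action. The threshold of 60 is an assumption taken from the lowest of the bold numbers, and the register entries are constructed.

```python
"""Risk Analysis (RA) numbers and preventive-action triage (added illustration)."""

# Ratings as they appear in the risk matrix above.
CONSEQUENCE = {"Negligible": 1, "Minor": 2, "Serious": 4,
               "Major": 6, "Death": 8, "Deaths": 10}
PROBABILITY_RATINGS = (1, 2, 4, 6, 8, 10)

HIGH_RISK_RA = 60       # assumption: lowest of the bold numbers 60, 64, 80, 100
HIGH_CONSEQUENCE = 8    # section 5.3.3 names consequence ratings 8 and 10


def ra_number(probability, consequence):
    """Multiply the two ratings; reject values that are not on the scales."""
    if probability not in PROBABILITY_RATINGS:
        raise ValueError(f"probability rating {probability} is not on the scale")
    if consequence not in CONSEQUENCE.values():
        raise ValueError(f"consequence rating {consequence} is not on the scale")
    return probability * consequence


def build_matrix():
    """Rebuild the matrix: one row of RA numbers per consequence level."""
    return {name: [ra_number(p, c) for p in PROBABILITY_RATINGS]
            for name, c in CONSEQUENCE.items()}


def reasons_for_action(probability, consequence):
    """Return why an entry needs preventive action (empty list if it does not)."""
    reasons = []
    if ra_number(probability, consequence) >= HIGH_RISK_RA:
        reasons.append("high RA number")
    if consequence >= HIGH_CONSEQUENCE:
        reasons.append("high consequence rating")
    return reasons


def prioritise(register):
    """Keep entries that need preventive action, highest RA number first."""
    flagged = []
    for event, probability, consequence in register:
        reasons = reasons_for_action(probability, consequence)
        if reasons:
            flagged.append((event, ra_number(probability, consequence), reasons))
    return sorted(flagged, key=lambda row: row[1], reverse=True)


# Constructed sample register: (untoward event, probability, consequence).
SAMPLE_REGISTER = [
    ("Event A", 6, 2),    # RA 12: neither trigger applies
    ("Event B", 2, 10),   # RA 20: low RA number, but consequence rating 10
    ("Event C", 8, 8),    # RA 64: both triggers apply
    ("Event D", 10, 1),   # RA 10: highest probability, negligible consequence
]

if __name__ == "__main__":
    for event, ra, reasons in prioritise(SAMPLE_REGISTER):
        print(f"{event}: RA {ra} ({', '.join(reasons)})")
```

Event B is the case 5.3.3 exists for: ranking on the RA number alone would place it below every bold cell of the matrix.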
5.4 Records
All changes arising from preventive actions will be recorded and maintained for future
reference.