
The Quality And Regulatory Landscape In The Medical Device Industry

Guest article by Quality Specialist, Daniel Little

This time we are talking to our quality specialist, Daniel Little, who will be discussing the importance of internal and external quality and regulatory systems across the medical device industry.

The article discusses the regulatory requirements and quality management systems in the medical device industry, focusing on the European Union (EU), the United States, and other international standards. It emphasizes the importance of complying with ISO 13485 and Quality System Regulation (QSR) in the EU and the U.S., respectively, while noting that certification to ISO 13485 may not cover all new regulations.

This article also highlights the significance of risk assessment and usability engineering in ensuring device safety. Additionally, it underscores the importance of internal quality management processes, top management involvement, and effective communication. Externally, understanding customer needs, usability testing, and supplier management are key factors. Finally, maintaining a good reputation and seeking recommendations from industry peers play a crucial role in the medical device business.

Medical devices are defined in the EU Medical Device Regulations as (among other things) any instrument, apparatus, appliance, software, implant, reagent or material intended by the manufacturer to be used for diagnosis, monitoring or treatment of human injury, disability or disease, which does not achieve its principal intended action by pharmacological, immunological or metabolic means, in or on the human body.

Companies in the medical device industry are required to have a quality management system to ensure the devices they produce are safe and effective. This applies to manufacturers of medical devices and medical device components as well as designers and developers of medical devices. In many countries (such as the UK, the EU, Canada and Australia) they are expected to be certified to ISO 13485 Medical devices — Quality management systems — Requirements for regulatory purposes. Certification to ISO 13485 provides assurances, through external confirmation, that the company’s quality management system meets regulatory requirements. In the USA companies in the medical device industry are required to meet the requirements of the Quality System Regulation (21 CFR Part 820). The requirements of QSR and ISO 13485 are similar and are expected to become even more closely aligned when the FDA’s proposed Quality Management System Regulations come into effect. Final confirmation of this proposal is expected in December 2023 and these new regulations will come into effect no earlier than December 2024. However, certification to ISO 13485 doesn’t mean companies will already be complying with the new QMSR regulations, as some requirements are expected to go further than the ISO requirements. Even in Europe or the UK, being certified to ISO 13485 isn't confirmation that you are meeting all of the relevant regulatory requirements. Companies placing a medical device on the European market are required to comply with the new Medical Device Regulations and devices must comply with the General Safety and Performance Requirements in Annex 1. Some harmonised standards are available which, if complied with, convey compliance with certain requirements; these include ISO 13485 as well as ISO 14971 and EN 62366.
Most devices will now also require approval by a notified body (class II and higher devices, as well as some class I devices) before a CE mark can be applied to the device and the device can be sold. In Great Britain, companies must comply with the Medical Device Regulations (2002), which reference the old EU Medical Device Directive (in Northern Ireland the EU MDR applies). However, these are expected to be replaced with a new regulatory framework from July 2025, although this is expected to broadly align with the EU MDR. In the US there are various routes to market, based on risk class, similar to the EU risk classes. The route for the lowest risk devices is device listing, which requires no review, like applying a CE mark without notified body involvement in the EU. The most common route to market is 510(k)/pre-market notification; this requires manufacturers to demonstrate the device is safe, effective, and substantially equivalent to a predicate device (similar to a clinical evaluation in the EU). This confers clearance to sell from the FDA, not approval. The highest risk devices require pre-market approval, which requires clinical trials and can be slow and expensive.

As well as quality system requirements, including requirements for documenting design inputs and outputs (7.4 in ISO 13485, 820.30 of QSR), medical device companies must consider (and document) the risk associated with their device, including usability engineering (or human factors in the USA). Usability engineering focuses on risks associated with the user interface to ensure the device is safe to use with respect to the parts of the device the user interacts with. Risk management and usability are inherently related to the definition of the intended use of the device, as well as user requirements and design inputs. This all might sound like a lot but together these requirements all contribute to the development and manufacture of a safe and effective device.

The Importance Of Internal And External Quality

To state the obvious, a Quality Management System is a system of management, focussed on Quality. But I’d like to look at these 3 words more closely. So what do I mean by Quality? To me Quality all boils down to trying to stop (or reduce) errors, including properly correcting errors, which in turn stops future errors (i.e. corrective actions). A lot of the classic quality management processes are either aimed at stopping errors (e.g. Document Control), identifying errors (e.g. Internal Audits), or correcting errors so they don’t happen again (e.g. Corrective Actions). No errors equals good quality (unless you’ve correctly built a badly designed product, but then errors took place in the design stage).

The next two words are often overlooked but are very important. Management is the way of organising a business, and for a quality management system to be effective the Top Management of an organisation needs to be on board. This is obvious if you read ISO 13485 (or other quality management standards) as a large proportion of the standard is devoted to requirements for management. The word management is used 229 times in ISO 13485:2016 (more than the word quality); the responsibility for quality ultimately falls on top management. Essentially these quality management standards can be seen as a way of ensuring company management do the right thing with respect to quality, when they are under other pressures, such as financial or time pressure. Examples of this include ensuring there is appropriate communication through the organisation, providing the necessary resources to ensure quality, and ensuring employees have the necessary competency to perform their roles. This means that the quality management system isn’t just the concern of a niche department working on their own, but is an integral part of the organisation of the company.

Finally, the word System means multiple interacting processes; the output of one process is often the input to another process. It is important that processes interact with each other so that they all work well. For example, outputs of the Internal Audit process can be inputs to the Nonconformance, CAPA or Change Order processes; there is no point doing internal audits if the findings don’t go anywhere, and there's no point having nonconformance and change order processes if they aren’t used to address audit findings. The nonconformance process can have inputs from many other processes and the outputs of the nonconformance process should feed back into risk management and design control processes.

Through reducing errors and improving quality, a quality management system can have other side-benefits, the main one being improved efficiency. Fewer errors or defects mean reduced waste and reduced re-work. Standardised procedures with clear instructions mean staff don’t have to figure things out themselves over and over again, meaning less repeated effort. This also makes onboarding quicker: when new starters are able to easily find the information they need and can get trained up quickly, they will start to make a valuable contribution sooner. High quality outputs also improve customer satisfaction, which improves customer retention (which also comes with efficiencies), and reduce the cost and work associated with complaints and returns. Which brings us nicely on to the external side of quality management.

Quality management is not just an internal exercise. The interaction of all the different quality processes starts and ends externally to the company. Depending on the nature of the business, everything should start with customer requirements, or the intended use and user needs of the device. Without fully understanding these external inputs it is very unlikely you will produce the correct outputs and deliver the correct product or service. More importantly, it is unlikely you will produce a safe and effective product without understanding how it will be used and the risks associated with this use.

I said everything starts with understanding these external needs; however, this is actually a continual process. Formative usability testing is the practice of getting user feedback on the product during development; this is critical to development of a device as it provides invaluable information on how actual users will interact with the device. Since medical devices will be used by specific groups of people, possibly with specific needs or characteristics, which could include elderly patients, children, or neurosurgeons, it is usually not possible to get the same kind of feedback from co-workers. This often provides unique insights that will inform your risk management work, including identifying new hazards or foreseeable sequences of events. So even though it may feel unnatural to spend time and money showing people your device before it is finished, it is actually a hugely important part of the design process.

Another way in which the tentacles of your quality management system reach outside of the business is supplier management. This is super important to reduce risk and maintain consistency in the business, not just for reducing the amount you spend on components. Supplier management starts with courting new suppliers and gathering information about them (usually using a survey), to decide whether they are a company you want to work with. If they have a certified quality management system this goes a long way, but it is not the only consideration; other practicalities including lead time, capacity and how they manage their own suppliers should be considered. Supplier management doesn’t end with adding them to your Approved Supplier List. Just because they seemed to have a good QMS when you evaluated them doesn’t mean they will a year or two later. That is why suppliers require constant monitoring (like toddlers), but the effort you need to put into monitoring depends on the risk associated with the supplier. An easy way to monitor suppliers is to log any issues you have with them; for higher risk suppliers you will need to audit them to really see how well their QMS is working. Finally, if you are selling a device in the EU, under the MDR, competent authorities can inspect your suppliers without notice, so it is important that they are aware of this.

The Most Important Things To Look Out For When Conducting Business In The Medical Device Field

Like most modern industries, the medical device field has complex supply chains, involving outsourcing, consultancies, test houses, manufacturers of components, and distributors of final products. When conducting business in this complex ecosystem it is important that the people you do business with are meeting the high quality standards required in this industry. Certification or accreditation of their quality management system to relevant internationally recognised standards (by a respected certification body) is a good start to give you peace of mind. This is also usually quite easy to find. More intangible but at least as important are 1) ensuring that company management actually takes quality seriously (see above), 2) the quality management is well organised and functioning, 3) everyone in the organisation is familiar with the workings of the quality management system and appreciates the value of it. To get a good sense of whether a company meets these 3 points requires having meetings with them or auditing them yourself.

Another thing to look out for is a company’s understanding of the regulatory requirements of the medical device field. Not everyone can be an expert on the complex web of global regulations in this field and companies often use regulatory consultants, but senior management should at least have some awareness and understanding of what regulations impact the business they are in, and possibly the routes to market in relevant regions. Otherwise, how can they make the correct decisions for their business, or interact with their regulatory consultants? Again, this is something you need to ascertain through meetings.

Finally, a good reputation (or a poor reputation) goes a long way, which is another reason why maintaining good quality is so important. Getting feedback or recommendations from other people who have worked with a certain company can be invaluable when a lot of the points mentioned here are intangible and difficult to ascertain. On the other hand, evidence of large blips in quality or periods of significant staff turnover in an organisation can be big red flags.

