Companies must establish and maintain a quality management system in order to ensure they are producing safe and effective medical devices. ISO 13485 specifies those requirements that companies are expected to follow. This standard in particular has been adopted by regulatory agencies across the world and implemented by manufacturers and suppliers the same.
If you've ever tried to avoid mistakes when implementing ISO 13485:2016 by learning from what other companies did wrong, you know there isn't a lot of readily available data in the public domain. ISO is very different from other regulatory agencies in that regard, such as FDA that publishes annual reports of violations made by companies.
From my own 20+ years of experience though, I can report on the top six mistakes that I consistently run into with companies implement ISO 13485. Here's that list, so you can learn to avoid them at your own company:
#1. Treating processes as “checkbox” activities
One of the biggest mistakes I see is treating ISO 13485 certification as a checkbox activity. Companies do it because they have to - they want to enter markets like Canada or Europe, so it’s a nonnegotiable item on their list to check off.
Sometimes contract manufacturers go for ISO 13485 certification because they feel that they have to in order to be hired by companies in a competitive market. What this means is that the lens through which companies enter the ISO 13485 process is often jaded from the start.
ISO 13485 becomes one more barrier those companies have to get over, and when this happens, you miss the potential benefits of the activities it involves. Essentially, 13485 is about viewing your business as a series of interrelated processes and functions. Implementation should never be about checking a box because this is too narrow of a view.
Looked at from another perspective, implementing ISO 13485 should involve a holistic approach with quality at the core. The implementation process, and processes thereafter should promote a culture of quality across the entire organization, always taking into consideration the level of value it brings to the company and opportunities for improvement. If you take this approach, implementation of ISO 13485 becomes a value-add exercise, rather than a checkbox activity.
#2. internal auditing
We recently had a company reach out that was about to lose its ISO certification. The company had implemented the guidelines to their QMS much as I described in the previous section, as a “just get it done, checkbox activity."
The company had an audit a couple of months back to gain ISO 13485:2016 certification and ended up with two major findings. One of those had to do with internal audits - the company hadn’t been conducting them! This is obviously a huge mistake compliance-wise, but consider how costly of a mistake it was from a business standpoint. If you don’t conduct internal audits, you’re missing out on the opportunity to stay at the pulse of what’s really happening and make improvements as you go.
Internal audits should be scheduled on a frequent basis. How frequent is up to you, but I suggest annually at a minimum. Instead of looking at internal auditing as some kind of policing activity, look at the many things you can gain from it. Look at your deliverables and processes, make sure whomever is responsible is in fact satisfying their role and make sure key documentation is being kept and updated. Look for the opportunities to make improvements.
#3. “Death by CAPA”
Many companies have ineffective CAPA processes. Whether that is poorly defined processes or ineffective investigations, these are the main contributing factors that lead to mistakes made by companies when implementing ISO guidelines around CAPA. For these reasons, it's critical to have a sound understanding of the subtle differences, according to the standard, between "corrective action" and "preventive action"
Corrective Action: eliminate the cause of nonconformities in order to prevent recurrence.
Preventive Action: eliminate the causes of potential nonconformities in order to prevent their occurrence.
“Death by CAPA” can occur when processes are so poor that it is difficult for the company to follow through with eliminating and preventing the cause(s). elements required in CAPA. Alternatively, it happens when everything is treated as a CAPA and the company becomes overburdened.
One thing I have observed is that ISO auditors tend to be more likely to do a deep dive into your CAPA processes, including close questioning on how you got to a root cause. I’m not saying an FDA inspector won’t look at this, but ISO auditors seem to go more into the weeds. They’re interested in the tools you use and their effectiveness.
The bottom line is that you need efficient CAPA processes that help you to prevent recurrence of the same issues. This is something an ISO auditor will look at.
#4. Customer feedback
I see a lot of companies struggle with properly handling customer feedback, especially when they have to manage customers in multiple markets. ISO 13485:2016 takes a broader view than the FDA as it highlights a need to get customer feedback proactively.
This is where companies tend to struggle - a complaint is a type of feedback. It’s reactive in nature, usually because your device didn’t meet the customer’s expectations in some way. The expectation in ISO 13485:2016 for customer feedback has been updated in the 2016 version and expects a proactive approach. In essence, you should be eliciting feedback before it comes to you.
Feedback doesn’t have to be negative. It might come in the form of a letter of commendation, or suggestions for improvements for future products. The bottom line is that you are expected to have the systems and processes in place to proactively gather and then properly handle that feedback.
#5. Management reviews
Management reviews are an expected process to follow in ISO 13485 (and FDA's Part 820, too), in order to ensure QMS procedures are being followed according to the company's quality policy. Companies are required to conduct planned management reviews, and the preparation time can be extremely time consuming. If the company does not have an effective document management system in place, this is a common area where companies slip up during implementation.
And because of the demanding process around management reviews require, it's not uncommon for companies to treat it as a checkbox activity. I’ve seen many companies get to the final months of year and then suddenly panic because they have to do a management review to check a requirement box.
Section 5.6.2 of the ISO 13485 standard offers a list of inputs that medical device companies should consider during management reviews:
Results of audits
Status of corrective and preventive actions
Follow-up to previous reviews
Changes that could impact quality systems
New regulatory requirements
Companies using an ineffective QMS with poor document management will struggle with conducting effective management reviews, as up-to-date information can be easily lost and difficult to trace. As a result, executive management will be unable to properly fulfill their integral role in establishing quality culture. Here is a visual aid to show that relationship between management and quality culture:
When done properly, management reviews are an opportunity for the executive team to understand how well their QMS is functioning, to understand the overall culture and to be proactive within the business. This gives you the opportunity to take corrective proactive or preventive actions so that you don’t end up with systemic issues (and more CAPAs!)
#6. Risk-based processes
The idea of using risk-based processes is something that is highly emphasized in the 2016 version of the ISO standard. The standard reminds companies to consider whether they assessed risk after completing a process or task. Unfortunately, many companies make mistakes when they treat this reminder as a checkbox activity.
It’s important to document all risk assessments and tie them back to your Risk Management File where you can ensure it has been accurately captured. There are different levels of risk, and it’s important to manage them appropriately and score them accurately. This is not something you simply check off.
When it comes to managing risk with your suppliers, there isn't a one size fits all approach. The risk-based processes you put in place should be directly proportional to how critical their part is to ensuring overall safety and efficacy of your device. So one way to assess that level of risk is to look at how their component interacts with patients, for example. Anything that comes into contact with patients should be given a much higher risk score as compared to say, a supplier for labeling.
Using a risk-based process to handle complaints is also necessary. It helps you to prioritize your efforts. A complaint about a device causing harm to a patient should receive a much higher risk score than a complaint about the device packaging. Without a risk-based approach to complaint handling, your processes can become very cumbersome where you end up with a “death by CAPA” scenario as I mentioned above.
Greenlight Guru's medical device QMS software allows your to conduct risk-based processes in a fully traceable system that is compliant with ISO 13485 standards. When a project is complete and in production, keep your risk management file up-to-date and living throughout the entire lifecycle by electronically reviewing, signing, and approving documentation with a single source of truth. Avoid costly mistakes and mitigate risk with the protective guardrails of a purpose-built solution that's designed with your unique needs in mind.
Many companies seem to have common struggles with the implementation of ISO 13485, but often, when you look at those things more closely, there are many ways to avoid these mistakes altogether.
Requirements such as risk, internal audits, management reviews and CAPA should never be a last-minute scramble or an afterthought. If we can lose the checkbox mentality, we start to see some real value from embedding those requirements into the DNA of the business from early on. By taking a closer look at the requirements found in this international QMS standard, you'll begin to understand how to apply your own QMS processes according to these guidelines.
And lastly, I want to reiterate the importance of establishing or evaluating the quality culture within your company. When you can successfully accomplish that most, if not all, of these common issues with ISO 13485 will be avoided altogether.