Six Mistakes to Avoid When Implementing ISO 13485

According to a study from MedPAC, there are more than 5,000 medical device companies in the U.S. alone, and each one is required to ensure the production of safe and effective medical devices. To build systems focused on this end, the International Organization for Standardization (ISO) outlined standard 13485 to provide guidelines for medical device quality management systems. The latest version of this standard, ISO 13485:2016, has now been adopted by regulatory agencies on a global scale to build a comprehensive standard that medical device companies can follow.
 
While this harmonized standard is generally helpful, ISO itself is not a governing regulatory body, unlike traditional government agencies such as the FDA; the organization does not publish audit findings or reports of violations to the general public, making it nearly impossible for device manufacturers to learn from other’s mistakes.
 
During my more than 20 years of experience in the medical device industry, I’ve seen plenty of mistakes made when companies are implementing processes from ISO 13485. However, there are six that stand out as the most common:
 
1. The “Checkbox Effect”
It is common in today’s society to treat repeat activities like a to-do list; finish a job task, check the box and move on to the next task. Unfortunately, this checkbox mindset has become commonplace amongst device manufacturers when implementing ISO 13485 processes to achieve compliance. Many contract manufacturers obtain their certification solely to gain a competitive advantage that will help secure more business, rather than earning a certification for their practiced beliefs in the framework for improving quality assurance.
 
When manufacturers begin implementing ISO 13485, they should take a holistic approach that emphasizes quality from the onset. This plan of attack will help lay a foundation and company culture built on quality standards across the entire business and throughout all future operations and regulatory processes.
 
Companies that adopt a quality-first mindset when completing ISO 13485 practices will find it to be a significant value-add for their business as a whole, rather than a simple check-the-box activity.
 
2. Lack of Internal Auditing
Another process that leads to many mistakes for manufacturers, and just so happens to also be commonly treated as a checkbox activity, is internal auditing.
 
For example, a company recently reached out to us that was about to lose its ISO 13485 certification. This company had undergone an audit a few months prior to gaining its ISO 13485 certification, and the report uncovered two significant findings. First, this company had not been conducting any internal audits, which is a huge red flag for any auditor. Beyond that, their failure to complete internal audits meant that the company had limited insight into systemic issues with their products. This then led to the second adverse audit finding; no necessary improvements had been made to the device based on customer feedback.
 
Ask any expert; internal audits should at least be performed on an annual basis. This process allows organizations to dive into their document management, CAPA procedures and other key systems to ensure tasks and functions are operating effectively. Internal audits must be treated as a valuable opportunity to make improvements and updates to the product and processes.
 
3. Failure to Consider Risk-Based Processes
The 2016 version of ISO 13485 places a high emphasis on the idea of utilizing risk-based procedures. The standard pushes manufacturers to consider whether or not they thoroughly assessed risk after completing any processes or tasks. However, this often turns into a check-the-box activity, too.
 
With varying levels of risks in medical device development and quality assurance, manufacturers must document every aspect of a risk assessment and tie it back to its Risk Management File. From here, all files can be managed appropriately and assigned a proper score, which is something that cannot be checked off absentmindedly.
 
For example, when managing risk with suppliers, there is no “one size fits all” approach. Risk-based processes should be tied to how critical the supplier’s role is with the medical device.
 
You may be wondering how these manufacturers assess the level of risk for suppliers. One way is to carefully evaluate how their component interacts with patients. If the part will come into direct contact with the end-user, it should be assigned a much higher risk score compared to something like labeling.
 
This risk-based approach is also vital when implementing a complaint handling process. If such a process is not in place, operations can quickly fall victim to a “death by CAPA” scenario.
 
4. Neglected CAPA Processes
CAPA refers to the corrective and preventive actions taken by manufacturers to address problematic occurrences, such as systemic issues and quality events. It is critical that manufacturers establish a concrete understanding of these terms to ensure proper implementation. However, the unfortunate reality is that many organizations have poorly defined processes in place or misunderstand these terms, which can lead to additional mistakes and long-term problems. Here are the definitions according to ISO 13485:
 

• Corrective Action: eliminates the cause of nonconformities to prevent a recurrence.
• Preventive Action: eliminates the causes of potential nonconformities to prevent their occurrence.

 
Throughout my many years of hands-on experience, I have come to find that auditors are likely to get in the weeds of the business, namely a company’s CAPA procedures, to ensure full compliance of the methods and tools being used.
 
That said, don’t skip over the process of building effective CAPA procedures within your quality system.
 
5. No Review of Management
Management reviews are required under ISO 13485 and FDA 21 CFR Part 820. These reviews are intended to ensure that procedures are executed adequately and followed from the top down. However, the amount of paperwork involved has led many manufacturers to neglect or slip up while implementing this step.
 
Oftentimes, such reviews can be viewed as another check-the-box activity that is only necessary late in the year. But the extra panic this creates across the organization only compounds the work that needs to be done.
 
Section 5.6.2 of the ISO 13485 standard offers a list of inputs that medical device companies should consider during management reviews, which includes:
 

• Results of audits
• Customer feedback
• Process performance
• Product conformance
• Status of corrective and preventive actions
• Follow-up to previous reviews
• Changes that could impact quality systems
• Improvements
• New regulatory requirements

 
Any company with a quality management system that has poor document management will struggle to conduct meaningful management reviews with all nine of these inputs. This is especially true since ineffective methods make it challenging to keep information adequately updated and able to provide traceability of records.
 
On the other side of the coin, there is a significant opportunity for the executive team to not only take inventory of how well their QMS is functioning, but also find ways to improve company culture and other operations of the business. This process also gives managers the ability to take proactive, preventive actions to identify and correct potential issues early in the process.
 
6. Failure to Find Value in Customer Feedback
Many companies struggle to handle and find value in receiving and soliciting customer feedback. This quality process can also become increasingly more difficult when attempting to complete it proactively, which is recommended by ISO 13485:2016.
 
The area where companies tend to struggle the most is understanding that a complaint is a valuable form of feedback. Despite the situation, both ISO 13485 best practices and the end-users of these devices expect a proactive approach to be taken by companies with regards to managing feedback.
 
It’s important to note that feedback doesn’t have to be critical to be valuable. Feedback can come in many forms, including a letter of commendation, or suggestions for future product improvements. Either way, companies must have systems in place to proactively gather feedback, handle it properly, and ensure quality measures are taken along the way.
 
Conclusion
Many of the mistakes associated with the implementation of ISO 13485 processes are standard across the industry and can be avoided relatively easily. By ditching the checkbox mentality and last-minute scrambles, companies can leverage their quality management systems as powerful tools to develop safe and effective medical devices. This, in essence, is the overall intended purpose of the international standard.
 
While ISO 13485 implementation can be a significant undertaking, many of the mistakes made by companies can be easily avoided. If manufacturers leverage their QMS as a powerful solution for developing safe and effective medical devices, a quality-first culture can be formed. From here, compliance standards are more likely to be met and upheld, and the business will reap the added benefits of valuable insights gained from an effective quality management system.
 

---

Jon Speer is the founder and VP of QA/RA at Greenlight Guru, a medical device quality management MDQMS software. A medical device guru with over 20 years of industry experience, Speer knows the best medical device companies in the world use quality as an accelerator. That’s why he created Greenlight Guru to help companies move beyond baseline compliance to achieve “true quality.”