Annette Schaps, Schaps Consulting, and Chuck Cimalore, Arena Solutions 11.26.18
A quality management system (QMS) is a fundamental regulatory requirement for any medical device company that needs to sell or introduce medical devices to the market. The risks associated with not having a robust QMS include making a non-conforming product, leading to customer dissatisfaction (and complaints), and lost market opportunities. This article discusses factors that can impede the execution of a successful QMS in organizations of all sizes, and offers solutions to overcome these obstacles.
The Organizational Environment Influence
Depending upon a company’s size, adopting a successful QMS can pose different challenges. Small and large organizations can have quite different organizational environments. For example, in a very small (less than 10 people) organization, each individual may be involved in many differing tasks, whereas dedicated resources may be assigned in a larger organization. As a result, subsequent processes may be tailored to an individual’s abilities instead of a particular process. This could impede expansion of the organization’s capacity because more individuals with similar abilities would need to be found.
Smaller organizations may also be heavily dependent upon outside funding, whereas a larger organization may be more financially secure. Because of erratic resource loading due to shifts in funds, the execution of processes and procedures may vary. Since different people may execute processes differently, there can be diversity and inconsistencies in the process results over time, making it difficult to assess the true long-term performance or metrics of a process.
A company expecting to be acquired may have very generic procedures or processes in place that simply reiterate the requirements; for example, minimalistic procedures in anticipation of being replaced in the near future. Such processes or procedures do not provide enough detail for another person to take over and encourage an environment where the know-how is not documented, resulting in potential product design and manufacturing errors.
The Regulatory Environment Influence
Also hampering the effectiveness of the QMS is the need to comply with a continuous stream of new and revised regulations. The term “regulation” now appears in the new ISO 13485:2016 Quality Management Systems Regulation 72 times, as opposed to 13 in the prior version. The new Medical Device Regulation (MDR) [1] in Europe, which is replacing the Medical Device Directive [2], is nearly three times larger (from 60 pages to 175 pages). In the U.S., at least 20 guidance documents were released in the past year alone.
Additionally, products may have multiple regulatory requirements. A wireless footswitch used to activate an ophthalmic laser needs to comply with IEC 60601-1 [3] General Requirements for Basic Safety, IEC 60601-1-2 [4] Electromagnetic Requirements, Radio Equipment Directive [5], and Cybersecurity Requirements to start.
The regional jurisdictions and countries where products are manufactured, sold, distributed, and serviced (as applicable) and the device classification (risk-based) determine the number and extent of applicable regulatory requirements.

When a new regulatory requirement is introduced, the company is expected to evaluate the requirement’s impact on the QMS and develop a plan to respond to the applicable new regulatory requirement (ISO 13485:2016 [6] section 5.6.3 Management Review Output).
ISO Annex SL
Annex SL refers to a high-level structure format developed for quality management systems with the hope of improving alignment with other quality management systems. This approach has already been integrated into ISO 9001:2015 Quality Management System Requirements, ISO 14001 Environmental Management Systems, and ISO/IEC 27001:2013 Information Technology – Security techniques – Information security management system requirements (ISMS). The structure follows a fundamental plan-do-check-act (PDCA) cycle and incorporates risk-based thinking principles.
Annex SL expects companies to document the roles of the organization, determine the processes needed, taking into consideration the roles, and apply a risk-based approach to control the processes. This is to understand the organization and its context.
Understanding the Annex SL structure helps develop a QMS road map. This would assure QMS longevity, since it’s likely many more standards will adopt this structure. For example, typical roles for an organization are: design and development, manufacturing, and distribution, which most companies document in their quality manual.
Examples of main processes needed for the organization can include a new product design procedure, a manufacturing controls procedure, etc., which require documented procedures and product-specific records. Supporting processes may include Training, Document Change Control, etc., which could be set up as workflows.
Regulatory processes can include Medical Device Reporting (MDR) in the U.S. and Technical File Maintenance for CE marked Products in the EU, which require documented procedures. Risk-based approaches to control these processes can include:
- Classification of suppliers as high-, medium-, and low-risk.
- Classification of Corrective Actions as high-, medium-, and low-risk.
- Classification of Devices as high-, medium-, and low-risk.
A small organization and a very large organization may have the same types of products (and equivalent product catalog numbers) but need to comply with the same regulatory requirements. Examples where this may be the case can include a company that outsources production, design, regulatory affairs, etc., or a company that has a lower volume of products.
Addressing the Organizational and Regulatory Challenges
How can an effective QMS be created and sustained given these influences? By understanding the issues, organizations could develop/tailor strategies to assure ongoing compliance. This can be performed by utilizing an electronic database to demonstrate how each regulatory requirement has been fulfilled. Systems like Product Lifecycle Management (PLM) that provide visibility into the complete product record across an organization are proving to be key in helping organizations, particularly medical device firms, address their compliance challenges.
A holistic PLM system encompassing quality management can be structured to address all of an organization’s roles and processes, whether it is large or small. The main difference between a small organization and a large organization will be the number of people who access and utilize the PLM system.
A robust, holistic PLM-based QMS system is a necessary tool. A holistic PLM tracks, stores, and facilitates document retrieval, and includes mechanisms to help manage projects and document risk, as well as launch and track training. Moreover, the tool helps identify relationships between processes by linking quality information to the product record within a single database (e.g., associate product complaints to the records showing how the device was manufactured and records showing how often it was serviced), ensuring regulatory goals are achieved. This allows organizations large and small to automate quality processes, streamline quality data, and enhance visibility into quality information across the organization. PLM-based QMS supports the Annex SL structure and ensures companies have a QMS in place that can adhere to evolving regulations.
References
1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices (Medical Device Regulation or MDR)
2. Council Directive 93/42/EEC of 14 June 1993 (as amended) concerning medical devices
3. EN 60601-1:2006/A1:2013 (IEC 60601-1:2005/A1:2012) Medical electrical equipment – Part 1: General requirements for basic safety and essential performance
4. EN 60601-1-2:2015 (IEC 60601-1-2:2014) Medical electrical equipment – Part 1-2: General requirements for basic safety and essential performance – Collateral Standard: Electromagnetic disturbances – Requirements and tests
5. RED Directive; 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on radio equipment
6. EN ISO 13485:2016 (ISO 13485:2016) Medical devices – Quality management systems – Requirements for regulatory purposes
Annette Schaps is CEO of Schaps Consulting. She is a Bay area medical device quality and regulatory consultant with over 25 years of experience in small startups to large Fortune 500 organizations. She is also a subcontract Lead Auditor (MDSAP, EN ISO 13485:2016, and ISO 9001:2015) and Technical Expert (sterilization) for a Notified Body. She has a BS in chemical engineering and is a Certified Quality Engineer, Reliability Engineer, RAC, and ISO 27001 Information Security Lead Auditor.
Chuck Cimalore is vice president of strategy for Arena Solutions. Chuck is an expert in web-based PLM/QMS solutions, most recently serving as chief technology officer of Omnify Software (acquired by Arena Solutions in October 2018). With over 17 years of industry expertise, he has helped OEMs streamline development cycles, meet compliance initiatives, and accelerate product innovation.