Nathan Dowd, Co-Owner, med-sherpa Inc.05.02.22
Your company offers a cool technology, an innovative manufacturing method, or a device (or accessory) that you don’t sell directly to the end user. Do you still need to implement or maintain a quality management system (QMS)? The technical answer lies in the details of exactly what you’re doing, for whom you are doing it, and for what geography. There may be a proverbial thread you could place through the needle and forgo hosting a formal QMS. That being said, if you want to be legitimate and manufacture or sell within the medical device community, then yes, you need a QMS—and a certified one, to boot.
Let’s quickly review; at its core, what is the purpose of having a certified QMS? It ensures all downstream users of your device can rely on the thoroughness, repeatability, accuracy, and reliability of your work. Having your QMS certified by an independent (or notified) body simply adds an unbiased layer of assurance your system meets industry standards of adequacy.
Let’s explore some common anti-QMS rationalizations and why they don’t stand up.
“We only make components for a medical device, not a device in itself.” This is a very common argument. Your immediate customer may even convince themselves that since you are a component manufacturer, a QMS isn’t required. Often, this outcome is left balancing on the technicality of vocabulary, and it misses the fundamental point. The QMS ensures the component is made the same every time, meets all regulatory and technical attributes, and ancillary processes used to repeatedly ensure as much are trustworthy. Your customers would have to substitute their own processes because of your lack of a QMS, forcing them to absorb risk. This will eventually manifest as a burden in deploying and maintaining compensating controls to comply with their QMS and inevitably, grief will outweigh the benefit of using your company.
“My customer’s PO doesn’t specify having a QMS and they take care of all that paperwork.” Depending on your role in the value chain of the design and development of medical devices, the waters get a little murkier in terms of quality assurance, which is why this reason is commonly heard. The world’s leading regulatory standards and regulations apply to all parties contributing to the placing of devices in the market. This is especially true in the United States and European Union. Ignorance of the law is never a defense, even if your customer is unaware or chooses not to enforce said laws upon the other parties in the value chain. In the case of a device failing to be safe or effective, any regulatory body would round up all involved parties in the value chain and hold them accountable to the laws. To come full circle, the business case necessary to rationalize making the device in the first place will almost certainly lead to sales in a territory that has laws requiring medical device manufacturers and others along the value chain to have a valid, certified QMS in place.
“We have a QMS, but it’s not ISO 13485. Does that count?” This is a fun one to debate. The argument for this type of response being rational is rooted in the fact some companies will try to defer the issue to someone else in the value chain (usually an organization higher up in the value chain). This is done to compensate for the gaps between your QMS and those of parties required to be certified to ISO 13485. Keep in mind, if you or your customers want to sell in Europe, for example, ISO 13485 is a must. The good news is if you have a certified QMS (for example, to ISO 9001), much of the content necessary in the certification to ISO 13485 will already exist. As regulations around the world become more stringent surrounding how manufacturers can and should consistently produce safe and effective products, it’ll become increasingly difficult to find an independent party to certify you for medical device production in the absence of strict compliance with the industry standards. Put simply, maintaining a QMS compliant with ISO 13485 is a must for sustaining repeat production in the medical space.
“We’ve been making these parts forever and no one has ever told us we needed a QMS.” In the space of medical device (or their accessories), the necessity to implement and maintain a QMS is sometimes self-determined. Before placing a product on the market, you must be aware of what the product does, where it is going, and if there is an intended use controlled by law. You would be best served by utilizing a trained regulatory affairs professional to assess and develop a regulatory plan for your devices and clearly identify the resulting regulations required to sell in the geographies you sell in. The registration process to place a medical device or accessory into the market usually triggers oversight by geography-specific regulatory bodies. Ignorance of the necessity for a QMS (or other laws for that matter) is unlikely to be a defendable position if there is ever a circumstance where it was determined by a competent authority that a QMS is, in fact, necessary. For examples of this, take a look at all the companies failing to establish and maintain a QMS in the FDA’s ORA Inspection Observations database and see how your situation compares.
“Our products are not marketed for any specific intended medical purpose. It’s up to our customers and users to determine the appropriate quality requirements.” If ever there was a grey area on the argument for the necessity of a medical device caliber QMS, this one might be it. We often hear this from contract manufacturers and manufacturers of components that eventually are used to produce or enhance a medical device. Where your products are incorporated and who uses them is information you should already possess. If or when you become aware products you make are being used in applications associated with medical devices, you cross a threshold that requires some action on your part.
The first step should be to contact the customers using the product and determine how it is being used in the medical device, as well as the possible risks that could result from a failure of your product. If the condition exists that a failure of your product could lead to any decrease in safety (including patient or user injury or death), your product or component is now part of a bigger picture and your company now has some regulatory obligations. Without a QMS of your own to capture the risks associated with your product, including the methods you implement to mitigate them, you may want to consider methods of discontinuing their use to limit your liability in the future. In this hypothetical situation, your customers should already have a medical device QMS and an associated set of controls on where and how they source elements of their finished medical device. If they have not flowed specific requirements for quality to you—including the need for a valid QMS—they have likely violated one of their own processes, and potentially, the law.
So while it’s true it‘s up to your customers (the owners of the device design) to determine applicability of a QMS, you also need to take action if there is an unreasonable risk of an adverse event from the failure of your product. Again, as was mentioned with a previous statement, there is a case where the absence of a medical device QMS can be acceptable, but it requires compensating controls to be in place to ensure the safe and effective performance of the device where your product resides. It is best to seek professional input to determine a path forward with a strong recommendation to institute quality agreements for medical-purpose consumers.
“A medical device QMS will be really expensive to implement. There is no way my company can afford it.” When comparing the state of having a QMS to not having one, yes, there will be a cost of implementation and recurring (usually indirect) costs for keeping it effective. If you’ve already got an ISO 9001 system, upgrading it to comply with ISO 13485 will be less painful than having nothing at all. If you are serious about producing components or accessories for medical devices or finished medical devices, there is no other way to look at the expense of the QMS other than a minimum cost of entry to the market. Your competition will certainly have to abide by the same rules, so there is no competitive advantage to avoiding it. Remember, at its roots the QMS is intended to prevent variation, ensure consistency, and minimize defects for all things that pass through it. All of the attributes of a QMS, when practiced earnestly, will drive down costs and minimize activities to compensate for not having one. Warning letters, repeat audits, and sanctions are expensive, so avoid them the best you can. Bite the bullet and get a stable, ISO 13485 certified QMS in place.
Nathan Dowd is a co-owner of med-sherpa Inc., a N.H.-based regulatory and quality service provider featuring RaaS. The company aids with challenges in addressing audit observations, maintaining and implementing a QMS, and developing a regulatory plan to expand a product footprint. For more information, visit www.med-sherpa.com, or contact info@med-sherpa.com or 888-304-2972.
Let’s quickly review; at its core, what is the purpose of having a certified QMS? It ensures all downstream users of your device can rely on the thoroughness, repeatability, accuracy, and reliability of your work. Having your QMS certified by an independent (or notified) body simply adds an unbiased layer of assurance your system meets industry standards of adequacy.
Let’s explore some common anti-QMS rationalizations and why they don’t stand up.
“We only make components for a medical device, not a device in itself.” This is a very common argument. Your immediate customer may even convince themselves that since you are a component manufacturer, a QMS isn’t required. Often, this outcome is left balancing on the technicality of vocabulary, and it misses the fundamental point. The QMS ensures the component is made the same every time, meets all regulatory and technical attributes, and ancillary processes used to repeatedly ensure as much are trustworthy. Your customers would have to substitute their own processes because of your lack of a QMS, forcing them to absorb risk. This will eventually manifest as a burden in deploying and maintaining compensating controls to comply with their QMS and inevitably, grief will outweigh the benefit of using your company.
“My customer’s PO doesn’t specify having a QMS and they take care of all that paperwork.” Depending on your role in the value chain of the design and development of medical devices, the waters get a little murkier in terms of quality assurance, which is why this reason is commonly heard. The world’s leading regulatory standards and regulations apply to all parties contributing to the placing of devices in the market. This is especially true in the United States and European Union. Ignorance of the law is never a defense, even if your customer is unaware or chooses not to enforce said laws upon the other parties in the value chain. In the case of a device failing to be safe or effective, any regulatory body would round up all involved parties in the value chain and hold them accountable to the laws. To come full circle, the business case necessary to rationalize making the device in the first place will almost certainly lead to sales in a territory that has laws requiring medical device manufacturers and others along the value chain to have a valid, certified QMS in place.
“We have a QMS, but it’s not ISO 13485. Does that count?” This is a fun one to debate. The argument for this type of response being rational is rooted in the fact some companies will try to defer the issue to someone else in the value chain (usually an organization higher up in the value chain). This is done to compensate for the gaps between your QMS and those of parties required to be certified to ISO 13485. Keep in mind, if you or your customers want to sell in Europe, for example, ISO 13485 is a must. The good news is if you have a certified QMS (for example, to ISO 9001), much of the content necessary in the certification to ISO 13485 will already exist. As regulations around the world become more stringent surrounding how manufacturers can and should consistently produce safe and effective products, it’ll become increasingly difficult to find an independent party to certify you for medical device production in the absence of strict compliance with the industry standards. Put simply, maintaining a QMS compliant with ISO 13485 is a must for sustaining repeat production in the medical space.
“We’ve been making these parts forever and no one has ever told us we needed a QMS.” In the space of medical device (or their accessories), the necessity to implement and maintain a QMS is sometimes self-determined. Before placing a product on the market, you must be aware of what the product does, where it is going, and if there is an intended use controlled by law. You would be best served by utilizing a trained regulatory affairs professional to assess and develop a regulatory plan for your devices and clearly identify the resulting regulations required to sell in the geographies you sell in. The registration process to place a medical device or accessory into the market usually triggers oversight by geography-specific regulatory bodies. Ignorance of the necessity for a QMS (or other laws for that matter) is unlikely to be a defendable position if there is ever a circumstance where it was determined by a competent authority that a QMS is, in fact, necessary. For examples of this, take a look at all the companies failing to establish and maintain a QMS in the FDA’s ORA Inspection Observations database and see how your situation compares.
“Our products are not marketed for any specific intended medical purpose. It’s up to our customers and users to determine the appropriate quality requirements.” If ever there was a grey area on the argument for the necessity of a medical device caliber QMS, this one might be it. We often hear this from contract manufacturers and manufacturers of components that eventually are used to produce or enhance a medical device. Where your products are incorporated and who uses them is information you should already possess. If or when you become aware products you make are being used in applications associated with medical devices, you cross a threshold that requires some action on your part.
The first step should be to contact the customers using the product and determine how it is being used in the medical device, as well as the possible risks that could result from a failure of your product. If the condition exists that a failure of your product could lead to any decrease in safety (including patient or user injury or death), your product or component is now part of a bigger picture and your company now has some regulatory obligations. Without a QMS of your own to capture the risks associated with your product, including the methods you implement to mitigate them, you may want to consider methods of discontinuing their use to limit your liability in the future. In this hypothetical situation, your customers should already have a medical device QMS and an associated set of controls on where and how they source elements of their finished medical device. If they have not flowed specific requirements for quality to you—including the need for a valid QMS—they have likely violated one of their own processes, and potentially, the law.
So while it’s true it‘s up to your customers (the owners of the device design) to determine applicability of a QMS, you also need to take action if there is an unreasonable risk of an adverse event from the failure of your product. Again, as was mentioned with a previous statement, there is a case where the absence of a medical device QMS can be acceptable, but it requires compensating controls to be in place to ensure the safe and effective performance of the device where your product resides. It is best to seek professional input to determine a path forward with a strong recommendation to institute quality agreements for medical-purpose consumers.
“A medical device QMS will be really expensive to implement. There is no way my company can afford it.” When comparing the state of having a QMS to not having one, yes, there will be a cost of implementation and recurring (usually indirect) costs for keeping it effective. If you’ve already got an ISO 9001 system, upgrading it to comply with ISO 13485 will be less painful than having nothing at all. If you are serious about producing components or accessories for medical devices or finished medical devices, there is no other way to look at the expense of the QMS other than a minimum cost of entry to the market. Your competition will certainly have to abide by the same rules, so there is no competitive advantage to avoiding it. Remember, at its roots the QMS is intended to prevent variation, ensure consistency, and minimize defects for all things that pass through it. All of the attributes of a QMS, when practiced earnestly, will drive down costs and minimize activities to compensate for not having one. Warning letters, repeat audits, and sanctions are expensive, so avoid them the best you can. Bite the bullet and get a stable, ISO 13485 certified QMS in place.
Nathan Dowd is a co-owner of med-sherpa Inc., a N.H.-based regulatory and quality service provider featuring RaaS. The company aids with challenges in addressing audit observations, maintaining and implementing a QMS, and developing a regulatory plan to expand a product footprint. For more information, visit www.med-sherpa.com, or contact info@med-sherpa.com or 888-304-2972.