Guest Column | April 9, 2015

ISO 9001:2015 — What Medical Device Manufacturers Need To Know

By Marcelo Trevino, President, Global Regulatory Affairs and Quality Systems, TregMedical Compliance Services

Quality Systems & Regulatory Compliance Best Practices

ISO 9000 is the core of all international quality management systems standards. Established in 1987, the family of standards is designed to help organizations ensure they meet both customer needs and regulatory requirements.

For the better part of a decade, that included medical device manufacturers. Before ISO 13485 — the international quality standard for medical devices that was first published in 1996 — medical device companies used ISO 9000.

Although medical device makers now follow ISO 13485, the impact of ISO 9000 impact can still be felt in the industry, albeit somewhat indirectly. When ISO 13485 was initially written, it was based on ISO 9000 and adopted many elements from it, so it is a direct descendant of the original quality management standard.  Plus, ISO 13485 is generally harmonized with ISO 9000, so as ISO 9000 has evolved every few years to meet industry needs, so too has ISO 13485.

Consequently, when the latest revisions to ISO 9000 are published — likely during the fall of this year — medical device companies should definitely take notice, since corresponding changes to ISO 13485 are sure to follow. ISO 9001:2015 will represent the most significant change since 2000, when the standard moved from a checklist approach for inspecting the final product, to a process management approach that took into account all the critical areas of an organization and its interactions.

While the scope of ISO 9000 will not change significantly with the introduction of ISO 9001:2015, the structure will. The technical committee has put great effort into making the standard more user friendly, regardless of whether you are a manufacturer or a service provider. In addition, the proliferation of international regulatory requirements demanded certain revisions.

At the very least, ISO 9001:2015 will give medical device companies a preview of some forthcoming revisions to ISO 13485 and a head start on implementing the necessary changes to ensure compliance. (Companies that are subject to ISO 9000 will have a three-year runway to comply with the new version after its official release date, as has occurred with previous revisions.) This article will review some of the critical changes in the current draft international standard (DIS) that we can reasonably expect to see in ISO 9001:2015, what these changes will mean to medical device manufacturers, and what they can do to start preparing.

Organizational Context
One of the biggest changes to the DIS is the addition of a new Section 4, called “Context of the organization.” Essentially, this section asks organizations to consider — from a risk-management perspective — all the different internal and external factors that are critical to fulfill the needs of the customer. Those factors could include anything that might affect the organization’s ability to achieve its intended results, whether it’s infrastructure, people, regulations, or even raw materials.

For example, if the organization is relying on just one supplier and the material is scarce, could it eventually reach a point where the organization can no longer obtain it? Will that affect its ability to fulfill the product?

What if the company has been relying for several years on engineers who are ready to retire? What happens if they all retire next week?

Or, what if new regulations emerge that require a very unique test or maybe new sterilization standards that require additional work, additional equipment, and additional technical knowledge that the organization doesn’t have? How will it react to that change?

These are the factors that companies need to think about with the ISO 9001:2015 standard. Companies need to be able to explain how these elements are captured in its quality system, and then what kind of projects or assessment it will conduct to demonstrate it will be able to meet those objectives.

This new section is significant, because it contains activities that companies weren’t required to do in the past. Organizations would usually come up with a list of objectives, set up a plan, and review them periodically — and that was pretty much it. Now, companies will be required to go in-depth and justify what else is happening. Management will have to analyze all of the factors from a risk perspective and how they will mitigate potential problems, so that they can continue to meet customer expectations while ensuring the quality system is effectively implemented and maintained.

Managing Objectives
Another major change comes in Section 6.2, “Objectives and plans to achieve them.”

The current version of the standard requires organizations to define objectives and conduct reviews to check in on their status relative to the objectives. As long as a company can show that it are reviewing objectives, there was really nothing else within the standard triggering further action.

The DIS, on the other hand, is more prescriptive about what needs to be done with those objectives. Organizations will no longer be able to just say, “We have this objective, and this is where we are.” They will now  need to indicate what steps will be taken, what resources are required, who will be responsible for those objectives, and what will happen when an action cannot be completed (e.g., if a a goal is not met ). This has been the primary intent of the current version, but the DIS makes requirements more prescriptive.

Something must continually be happening to move the organization toward that goal. The organization can’t just say, “Well, we’re not meeting the objective,” and then several quarters pass and they are still not meeting it.  Results will need to be evaluated relative to goals, and organizations will need to show that information is being used to take action within the quality system to achieve them.

Let’s say an organization wants its yield to be 99 percent, but it typically achieves only 80 percent. Under ISO 9001:2015, that organization will need to indicate what it intends to do to meet the plan — buy new equipment, train more people, etc. to bridge that gap. Then it will have to demonstrate that those actions are having the desired effect of helping attain the stated goal. It will have to be able to show that it is doing enough to achieve that 99 percent.

So, the DIS adds more context about what is expected — not just defining the objectives, but defining who will be assigned to them, what actions will be taken to reach them, how progress will be monitored, and how results will be evaluated.

Life Science Training Institute

ISO 13485 revisions are also coming soon. Are you prepared?
Register for Marcelo Trevino’s upcoming online seminar:

Analyzing and Understanding ISO 13485 Proposed Changes

July 22, 2015 | 1:00-2:30PM EDT

Risk Management
The term “preventive action” has completely been removed from the DIS of ISO 9001:2015. In its place is “risk management,” a concept that is addressed in detail in Section 6.1, “Actions to address risks and opportunities.”

In the past, industry struggled with what constitutes a preventive action versus a corrective action. In many cases, companies would consider the steps taken to avert recurrence of a known issue as “preventive action,” even though that is considered corrective action. Technically speaking, preventive action involves identifying projects and activities to help the organization be more productive and avoid potential problems before they happen in the first place.

To sidestep this confusion, the technical committee eliminated the distinction completely, and instead inserted the concept of risk management to force organizations to think in a truly preventive mindset. As I mentioned in the discussion of organizational context, organizations have to examine all of the internal and external factors that impact it, and determine which could have major consequences — i.e., prevent it from delivering the products and/or services it provides.

Perhaps everything is fine now, but what will happen in the next five years? Will the company have enough people? Is new legislation coming that will require it to do things differently than it does now?  That’s the preventive concept, incorporated into that risk management. It’s not trying to force a corrective action into a preventative category, just to be compliant. It’s analyzing the significant factors ahead of time.

Leadership And Commitment
Another important legacy concept that disappeared from the DIS is that of the Management Representative.

Previous versions of ISO 9001 required an organization to appoint a single individual, known as the management representative, who acted like the point of contact for quality objectives. The management representative was responsible for ensuring that quality objectives were clearly understood and that the quality policy was disseminated across the organization. They were relied upon to orchestrate everything related to the quality system.

Section 5.1 of the DIS, called “Leadership and commitment,” instead spreads out that responsibility across the entire leadership team within an organization, rather than relying on one individual to drive the quality system. Collectively, corporate leadership will be required to understand and support quality, to promote awareness of the process approach to the quality system throughout the company, and to enable continual improvement activities.

Leadership will be expected to make sure that sufficient resources are allocated to comply with the quality system. For instance, does the organization have the necessary monitoring systems to evaluate whether it is meeting its goals or not? If it is not meeting its goals, does it have the necessary resources or competent personnel to enact change?

So, the new standard will provide more context on the expectations for leadership, removing the burden from one individual and distributing it among the members of the organization that make critical decisions.

Takeaways For Medical Device Manufacturers
As indicated earlier, the International Standards Organization (ISO) is also in the process of finalizing ISO 13485. However, the DIS of that standard does not follow the new format we see in ISO 9001:2015. Although much of the terminology and concepts in ISO 9001 remain the same — other than the items we discussed in the preceding sections — the structure has been overhauled in the DIS. There are now 10 sections instead of the previous eight, several clauses have been renamed, and other clauses have been moved around.

One of the main things medical device manufacturers can start working on now is aligning their documentation systems with the new ISO 9001 clause formatting. Eventually, ISO 13485 will have to align with ISO 9001. It might not occur with the first release of ISO 13485, but it will happen.

Also, it wouldn’t hurt for medical device companies to start incorporating the important concepts from ISO 9001:2015 — looking at internal and external factors, managing objectives, incorporating risk management, and taking a new approach to quality system leadership — into their quality system today. (Obviously, if the company makes products other than medical devices, it probably should start harmonizing now.)

The amount of time required to align documentation and incorporate the concepts will depend on the size of the organization, the complexity of its processes, and the complexity of its quality system. Some companies may be able to accomplish the modifications pretty quickly, if they have flexibility built into their systems. But for large companies with very complicated processes, it will take much longer.

Perhaps the most difficult hurdle any organization will face is the culture change. The concepts in ISO 9001:2015 require much higher levels of commitment and understanding from senior management, and everyone must embrace the risk management way of thinking. That’s a big shift, from the previous standard.

And it’s also a great reason to start incorporating ISO 9001:2015 ideas into the organization right away. Manufacturers will have three years to establish compliance, but for some companies, it may take every day of that time frame to align with the new standard.