Karandeep Singh Badwal, Director of QRA Medical and an internal auditor for ISO 13485, outlines some of the common mistakes found in the quality management systems for medical devices.
A quality management system (QMS) is integral to the correct functioning of a medical device company, not to mention being a requirement for regulatory approval in many jurisdictions. In my years as a quality and regulatory consultant, however, I have come across mistakes that companies regularly make, which they are perhaps unaware of, or that often go unnoticed until spotted by an external auditor.
Before I go on to discuss these mistakes, I will provide a brief summary of what a QMS is and the relevant standards and regulations for such systems for medical devices.
Standards for medical devices
A QMS is basically a structured system of procedures and processes covering all aspects of design, manufacturing, supply, risk management, management responsibility, customer-related processes, and corrective and preventive actions (CAPAs). Its purpose is to have an optimal end product and, more importantly, minimise risk for end users.
Under the EU’s Medical Devices Regulation (MDR), you are required to have a quality management system as per Article 10(9). The current international standard for a quality management system is ISO 13485:2016 Medical devices – Quality management systems – Requirements for regulatory purposes, while the regulation within the USA is FDA 21 CFR 820, which is very similar to the international standard.
The first common mistake I come across is companies not validating all software within the scope of their QMS. Although software validation is conducted by most companies I audit, they don’t always fully understand the scope within which software is deemed part of a QMS – hence the need for validation. Examples include complaints portals, which may simply be a ‘contact us’ page on a website that sends a notification – via email or, perhaps, a software system – to the company. This system needs to be validated to ensure feedback or complaints are being received and responded to accordingly, as per the company’s internal complaints procedure. It is surprising how often I come across systems that have faults within them, meaning complaints or feedback are not received.
Another issue I find is supplier evaluation. Medical device companies always make sure they validate physical suppliers, but they often fail to evaluate service suppliers, such as file-sharing systems, project management tools (if in the scope of the QMS) and, especially, external consultants.
One of the first questions I ask a company when I am brought in as an external auditor is, ‘Have they conducted a supplier evaluation on me?’ Why? Because they need to ensure I have the relevant qualifications and experience to be able to conduct an audit to their requirements. If they have not, they are not compliant and this can be flagged up as a non-conformity during an external audit.
Extremely complicated procedures that only quality staff understand are another issue I come across. Procedures should be written by those who are to conduct the processes and then amended by a quality staff member to ensure they are compliant. If a procedure is so complex that it is not understood by process operators, they will not be able to follow it correctly, eventually leading to non-conformities. The complexity of a procedure should be matched to the competency of those who will be using it. If procedures are not understood by company staff then, in most cases, quality is to blame, not the staff.
Internal audits are required to be impartial, meaning that auditors should not audit their own work (a common mistake companies make). But what does this mean? In short, the quality team cannot audit any work in which it is involved; likewise, any other department. So how do we get around this?
Human resources, or any other non-quality-related department, may audit quality and vice versa. Internal auditors must be appropriately trained, ideally with some form of internal auditor qualification(s) and relevant experience. Alternatively, some companies use external consultants to conduct internal audits on their behalf. As mentioned above, however, you must ensure a supplier evaluation is conducted on them, that they are trained on your auditing procedures, and that your procedure mentions somewhere that you may use external consultants in lieu of internal staff for such audits.
A lesser-known mistake that I see is almost always exclusive to Software as a Medical Device companies. They state that customer property is not applicable within the scope of their QMS, their justification being that they are not handling physical product. However, intellectual property and patient data, which may be stored on their internal systems, can be deemed to be customer property.
As medical devices are becoming more and more complex, so too is the risk that can be associated with their use. This article has summarised some of the common mistakes I see a lot of medical device companies making within their QMS, but, in most cases, they are relatively easy to fix. Always ensure you optimise your QMS, because this helps to ensure devices remain safe and keeps the potential for harm or injury to a minimum.