Blog

Archive for ISO 9001:2008

How to reconcile the conflict between ISO 13485 and ISO 9001

This blog explains how to reconcile the conflict between ISO 13485 and ISO 9001, and discusses whether you should maintain dual certification.

how to reconcile diverging standards How to reconcile the conflict between ISO 13485 and ISO 9001

The previous version of ISO 13485 was released in 2003. That standard was written following the same format and structure of the overall quality system standard at the time (i.e., ISO 9001:2000). In 2008, there was an update to the ISO 9001 standard, but the changes were minor, only clarified a few points, and the periodic review of ISO 13485 in 2008 determined there was not a need to update 13485 at that time. Unfortunately, the proposed structure of the ISO 9001 standard was radically different, and this forces companies with dual certification to reconcile the conflict between ISO 13485 and ISO 9001.

On December 1-5, 2014, the working group for the revision of ISO 13485 (i.e., TC 210 WG1), met at AAMI’s Standards week to review the comments and prepare a first Draft International Standard (DIS). We should have some updates on the progress of the DIS later in December, but hopefully, the news will not be a delay of publication until 2016. The following is a summary of the status before last that meeting.

Updated ISO 13485 and ISO 9001 Standards Being Released

In 2015, there will be a new international version of ISO 9001 released. This new version will have dramatic changes to the standard–including the addition of a new section on risk management and adoption of the new High-Level Structure (HLS) changing from 9 sections to 11. The ISO 13485 standard is also anticipated to have a new international version released in 2015, but the ISO 13485 standard will maintain the current HLS with nine sections. Timing of the ISO 9001:2015 release and the ISO 13485:2015 release will likely be around the same time (Correction: the ISO 13485:2016 standard was released in February 2016). Both standards are expected to have a three-year transition period for implementation. The combination of the three-year transition and lessened requirements in the new version of ISO 9001 for a structured quality manual should allow most manufacturers to wait until the ISO 13485 release before they begin drafting a quality plan for compliance with the new standards. Some of my clients have already indicated that they may drop their ISO 9001 certification when it expires, instead of changing their quality system to comply with the ISO 9001:2015 requirements. However, my clients will not have the ability to allow their ISO 13485 certification to lapse. Will Health Canada be updating GD210 and continue to require ISO 13485 certification for medical device licensing? What should companies do?

Update on the reconciliation of ISO 13485:2016 and ISO 9001:2015 on May 29, 2020:

  • GD210 was never updated, and instead, it was replaced the MDSAP
  • ISO 13485:2016 certification, under the MDSAP program, is required for Canadian Medical Device Licensing
  • Many device companies have dropped the ISO 9001 certification.

Recommendations

From the experience of preparing for the ISO 13485:2016 and ISO 9001:2015 releases, I learned that obtaining draft versions of the standards before publication is invaluable. I was able to use the drafts to help prepare quality plans for the transition. Second, companies need to train their management teams and auditors on the differences between the current and the new standards to enable a gap analysis to be completed. Any manager that is responsible for a procedure required by the current version of a standard should receive training specific to the changes to understand how they will meet the requirements for documented information. Most companies will need to improve their risk management competency (which was updated again in December 2019). I recommend that companies begin drafting their quality plans and enter discussions with their certification body for quality system changes as early as possible. I also recommend that medical device companies maintain a quality manual structure that follows the ISO 13485:2016 standard rather than the ISO 9001:2015 standard. Following ISO 13485:2016 will help everyone locate information faster.

There is also specific text in the introduction of ISO 9001:2015 that states it is not the intent of the standard to imply the need to align your quality management system to the clause structure of the standard. Companies that maintain ISO 9001 certification should consider including cross-references between the two standards in their quality manual.

Historical Note

There are also European National (EN) versions of each standard (e.g., EN ISO 13485:2012). The EN versions are harmonized with the EU directives, but the content of the body or normative sections of the standards are identical. Historically, the differences were explained in Annex ZA, and that was the last Annex in the EN version of the standard. In 2009 the harmonization annex for ISO 14971 (i.e., the medical device risk management standard) was split into three parts to match up with the three directives for medical devices (i.e., the MDD, AIMD, and IVDD). The new annexes (i.e., ZA, ZB, and ZC) were moved to the front of the EN version of the standard. The changes to ISO 14971 consisted of a correction and the change to Annex ZA. In 2012, there were new harmonization annexes created for ISO 13485 to follow the same format that was used for the EN ISO 14971 annexes. It is expected that these “zed” annexes will be released with a new EN version of the standard shortly after the international standard is published.

Posted in: ISO 13485:2016, ISO 9001:2008, ISO Certification

Leave a Comment (2) →

Management Representative Requirement: ISO 9001:2008

The author reviews the Management Representative section 5.5.2 of ISO 9001:2008 requirement and provides eight (8)  proposed actions to take for companies who receive a finding against this section.

The idea for this posting was from a thread I found on Elsmar Cove: http://elsmar.com/Forums/showthread.php?t=45658

One person posted a question about the requirement for the Management Representative (MR) to be a member of the organization’s management (see section 5.5.2 of ISO 9001:2008). Companies that are seeking initial certification sometimes struggle with this requirement. Some struggle because they do not have anyone in-house that is sufficiently trained to be the MR. Other companies struggle because they are very small and outsource their QA functions to a consultant. The following blog is targeted at helping these companies.

Auditing

I audit companies to the ISO 13485 (medical Quality Management System (QMS) & 9001 (QMS) Standards. The intent of both Standards was always to have the MR be part of management, but some companies did not interpret the Standards in this way. With the 2008 revision of 9001, the possibility of misinterpreting the meaning is much less likely. Companies that receive findings during the Stage 1 or Stage 2 audit for this requirement usually fall into one of two categories. Category #1: our company is small, and the only person that knows enough about ISO requirements is not a member of management. Category #2: our company is small, and we outsource QA functions.

The good news is that any manager can be assigned the responsibility of being MR. One of my clients assigned this responsibility to the VP of Sales. Another company appointed this responsibility to the Director of R&D. Both of these individuals had to put in the time to learn about their quality management systems, but both have embraced the challenge, and I have learned much from them. They have a different perspective and bring a lot of value to the MR role. The bad news is: whomever you assign has to learn enough to be competent in the position.

The definition of “Management” is typically a stumbling block. Most people think of managers requiring that they have other people reporting to them. This is not absolute. The MR should report directly to a top manager, such as the President or CEO, to prevent conflicts of interest. As a manager, they should not require a great deal of direct supervision, and the President or CEO should not be overly burdened by adding one person to their list of direct reports. Some auditors like to see a “deputy MR” identified. My advice is to have the CEO or President sufficiently trained that they can be the “back-up” when the MR is on vacation.

Every manager should know enough about their subordinate’s job duties that they can “fill in. MR’s should be involved in senior staff meetings too, but not necessarily at the same frequency as every other senior staff manager. Typically, operations and sales have the most frequent meetings with the CEO–often weekly. Finance generally is monthly. HR and the MR might be bi-monthly or quarterly. Communication of the status of quality objectives should be regular reports to all senior staff, but you don’t have to have a Management Review to communicate the status. If the company is small enough to have only one QA person, there probably isn’t a need for more than one or two management review meetings per year.

Management Representative Finding: 8 Proposed Actions to Take

If your company has a finding against clause 5.5.2, I recommend the following actions:

1. Assign a person that is already a member of your senior staff as MR.

2. Document the responsibility in the person’s job description.

3. Document the responsibility in the org chart.

4. Assign the person’s direct supervisor (typically the CEO or President) as a “deputy MR.”

5. Find an excellent webinar on ISO training for the new MR and their boss (ideally one with a quiz and a certificate).

6. Have the new MR develop a 45-minute presentation for the senior staff on the topic of Management Responsibilities. This training should cover all of section 5 in the Standard.

7. Give the senior staff a 15-minute multiple-choice quiz to evaluate the effectiveness of the training.

8. Have the new MR discuss the delegation of various management review inputs (see section 5.6.2) with their boss. Quality should be a shared responsibility, and Management Reviews will be more effective if everyone participates.

Posted in: ISO 9001:2008, ISO Certification

Leave a Comment (0) →