ISO 13485 - Medical Device Quality Management System Standard

H

HFowler

We are a manufacturer of electrical cable assemblies and wiring harnesses for industrial use. My General Manager wants me to get us registered to ISO 13485 as quickly as possible. Another facility is currently producing components for a medical device customer and we would be part of the risk mitigation for that facility. I am curious as to whether component manufacturers or sub-tier suppliers need to be ISO 13485 registered. We don't produce medical devices. I asked the other facility (in another country) if it is a customer requirement that they be registered and was told that it is. I just want to be sure that someone didn't just see "market and margin" and and say, "let's go for medical device certification". Do medical device companies typically require their suppliers to be ISO 13485 registered?
 
G

gramaley

"Required" What does that mean?

If one company "requires" that your company be certified to ISO 13485, you only have to meet that requirement if you choose to do business with them. They are not required to have their supply chain meet ISO 13485, in most cases, unless you are providing them with something that would be considered a medical device in its own right.

A wire harness manufacturer is not making medical devices. In my view, I would much rather know that a supplier of wire harnesses is applying IPC 620, not merely ISO 13485. My risk controls for my medical devices are better managed by targeting specific quality and reliability areas in my component suppliers. Unfortunately a lot of regulatory people don't know very much about IPC standards for workmanship, and they jump to the conclusion that ISO 13485 is a cure for their needs.

Regulators actually know that ISO 13485 is only a means toward managing risks and quality. It really doesn't provide any meaningful guidance on how to properly crimp wires, solder, or inspect electronic assemblies. Most of the companies we work with are operating in Aerospace electronics and have ISO 9001 certs that are properly accredited. They also follow rigorous quality standards that are appropriate for electronics, specifically.

The point I am trying to make is, there is a very clear need for medical device manufacturers to take more seriously, the quality requirements for their products, and stop relying on ISO 13485 as the sole justification for approving suppliers. It is wreckless.

ISO 13485 is very nice, and it certainly does have a lot of tools you can use to think about managing risks, especially when it gets into more serious aspects of risk management under ISO 14971,which is the core "heart and soul" standard that is integrated with of ISO 13485. This is what sets ISO 13485 apart from ISO 9001. However, what you would end up within your ISO 14971 Risk Management System activities is a list of references that simply point back to your workmanship standards.

ISO 13485 demands you have some risk management system. The risk controls (output from the risk management activities) will simply flow out to your product realization activities and more than likely use workmanship standards, like IPC 610, or something you have created that works well enough to "reduce risk" to an acceptable level.

So, unless you are making something that is considered a medical device, you don't need ISO 13485. Maybe your customers want this badly, and may not back down. That may not be in their best interest or yours, it is a business decision, not a regulatory decision. Regulators do not require ISO 13485 from part suppliers, where the parts supplied are not considered medical devices.

You can always just say "No, we aren't doing that". The FDA will not be beating down your door, because they don't require it.
 
Ronen E

Ronen E

Problem Solver
Moderator
:applause:

A very insightful and important post!

Unfortunately, it seems that the next ISO 13485 revision will effectively move in the direction of application of the standard to component (of medical devices) manufacturers; actually, to everyone involved in "medical devices life-cycle". :(

Ronen.
 
G

gramaley

There is no question that ISO 13485 can be adopted by anyone. And from a business standpoint, it give such a great perception of control, it is very helpful to medical device manufacturers to carry these from their supply chain.

I neglected to mention that in many countries, most medical devices enter the healthcare system via a huge number of distributors, not manufacturers. So in Asia especially, ISO 13485 is becoming increasingly important as a regulatory instrument to regulate distributor GMP. There is new Guidance coming out of the Asian Harmonization Working Party that reflects this in their "Good Distribution Practice" requirements, which is basically modeled after ISO 13485 sections.

So imagine, Singapore has 120 registered manufacturers, and 800+ distributors (I confirmed this with HSA Singapore). So the regulators need to have a "GMP/QSR" types system to help track down where the devices come from, and how they are being managed before entry into the healthcare system. ISO 13485 has some very significant prospects for use here, but I fear that it is not able to really do what people may need most.

If you audit a distributor in Singapore, and find they are importing from 50 different manufacturers from all over the world, how can you know the conditions under which those devices were manufactured, inspected or designed?

Regulatory submissions, such as ASEAN submission used by Singapore HSA help answer some of those questions about the manufacturer's device, which the distributor usually helps register with HSA, but what is really happening at the factories?, how could they know? If you never visit the manufacturer's plant, and inspect the QMS, I think a lot of risk is being taken by these regulators for some of the higher risk devices especially. This is why an affordable, credible, localized infrastructure for certifying to ISO 13485 is the best solution. It is why the IAF created the accreditation system that is now underpinning ISO 13485 worldwide.

We stand now on the verge of being able to determine the credibility of certificates issued in each country, by local CABs, accredited by local ABs, to truly international norms of accreditation. This brings credibility up, but adjusts costs of certification down to local labor costs (not to mention inspection in the native tongue (do you know the Brazil equivalent for soldering workmanship standards)).

ISO is now developing the "CERTO" database, so you won't have to do all the deciphering of a certificates credibility as I presented in this attachment. This will have an initial go-live date of 2015, and I'm pressing for ISO 13485 certs to be part of this. Only IAF accredited certs will be allowed into the database. Client certification data will be uploaded from IAF accredited CABs. This will make it easier than trying to translate a foreign language on a foreign cert at a foreign website.
 
Ronen E

Ronen E

Problem Solver
Moderator
gramaley said:
There is no question that ISO 13485 can be adopted by anyone. And from a business standpoint, it give such a great perception of control, it is very helpful to medical device manufacturers to carry these from their supply chain.

I neglected to mention that in many countries, most medical devices enter the healthcare system via a huge number of distributors, not manufacturers. So in Asia especially, ISO 13485 is becoming increasingly important as a regulatory instrument to regulate distributor GMP. There is new Guidance coming out of the Asian Harmonization Working Party that reflects this in their "Good Distribution Practice" requirements, which is basically modeled after ISO 13485 sections.

So imagine, Singapore has 120 registered manufacturers, and 800+ distributors (I confirmed this with HSA Singapore). So the regulators need to have a "GMP/QSR" types system to help track down where the devices come from, and how they are being managed before entry into the healthcare system. ISO 13485 has some very significant prospects for use here, but I fear that it is not able to really do what people may need most.

If you audit a distributor in Singapore, and find they are importing from 50 different manufacturers from all over the world, how can you know the conditions under which those devices were manufactured, inspected or designed?

Regulatory submissions, such as ASEAN submission used by Singapore HSA help answer some of those questions about the manufacturer's device, which the distributor usually helps register with HSA, but what is really happening at the factories?, how could they know? If you never visit the manufacturer's plant, and inspect the QMS, I think a lot of risk is being taken by these regulators for some of the higher risk devices especially. This is why an affordable, credible, localized infrastructure for certifying to ISO 13485 is the best solution. It is why the IAF created the accreditation system that is now underpinning ISO 13485 worldwide.

We stand now on the verge of being able to determine the credibility of certificates issued in each country, by local CABs, accredited by local ABs, to truly international norms of accreditation. This brings credibility up, but adjusts costs of certification down to local labor costs (not to mention inspection in the native tongue (do you know the Brazil equivalent for soldering workmanship standards)).

ISO is now developing the "CERTO" database, so you won't have to do all the deciphering of a certificates credibility as I presented in this attachment. This will have an initial go-live date of 2015, and I'm pressing for ISO 13485 certs to be part of this. Only IAF accredited certs will be allowed into the database. Client certification data will be uploaded from IAF accredited CABs. This will make it easier than trying to translate a foreign language on a foreign cert at a foreign website.
Click to expand...

Hi Grant,

I feel that this thread is diverging a bit too much... What is the topic? :)

Coming back to my comment - distributors are different from component manufacturers, they require quite different QMSs. Generally I'm in for QMSs that are fit for purpose, including for medical devices distributors. This is not a new concept, and as I mentioned a year and a half ago in this thread, Singapore has given us a very good example with their GDPMD. Australia has a similar guideline (which is unfortunately still voluntary here, probably due to lobbying) - the AUSTRALIAN CODE OF GOOD WHOLESALING PRACTICE FOR THERAPEUTIC GOODS FOR HUMAN USE, which dates back to 1991(!) in it's first issue. I don't buy into the notion of "one size fits all" just because the sign on the from door say "<something> Medical Devices <something>". A high quality, dependable cable harness is a high quality, dependable cable harness, regardless of whether it is used in a MRI machine or a space shuttle.

Component manufacturers should adequately implement a QMS and relevant workmanship (or practices in general) standards, and where health and safety concerns are involved we have regulations and regulatory administrations to protect the public. As seen in the PIP crisis, bodies motivated by commercial considerations are not the best candidates for safeguarding public wellbeing. True, there has also been a major regulatory oversight breakdown, but IMO that's just because of enforcement slack, not because an inherent, conceptual flaw. It seem that steps are being taken now to eliminate that slack.

To highlight my main point, I think that a lot of organizations involved in "the life-cycle of a medical device" can do with an ISO 9001 QMS, provided that it is tailored for their situation and that they actually implement it effectively. Carrying an irrelevant ISO 13485 certificate is just feeding a chain of parasites, unnecessarily increasing the burden for the (component) manufacturer, and - most important - is adding small to zero value for the patient.

If you take out sections 6, 7 & 8 (as the new proposed ISO 13485 revision currently allows), what's left?... Is it any better fit-for-purpose than ISO 9001?

Cheers,
Ronen.
 
Last edited:
G

gramaley

Thanks Ronen, and I agree with all the same points. Although it does appear I could have moved off topic, I made a discovery while writing about the component supplier issues, reading my own thoughts. And I think you will agree with this.

At the level of detail of a soldering standard, a wire harness supplier, it is inherently important to have competent auditors that can talk to the people at the plant, and understand their workmanship standards, which in their own language or culture are best understood by native auditors. So in a roundabout way, this was exactly a big point in our promoting use of local auditors, that have met certain international norms for competency and credibility. And yes, IAF has a solid support system for ISO 9001 already serving globally, even for medical device manufacturing abroad. I believe India is only now moving from ISO 9001 to ISO 13485 for medical device QMS.

So I am simply saying that, it is important to know, that your suppliers quality is properly managed. I am also saying, that using local, competent CABs is critical, and so whether you are relying on an ISO 9001 cert or an ISO 13485 cert, make sure they are properly accredited under the IAF framework, to make sure they have a solid foundation under your supplier chain and can really know that those workmanship standards and other factors that support the upstream medical device safety and effectiveness are being taking into account, even where the foreign supplier's methods might not make sense to us "What is the equivalent to IPC standards" for Japan, China or Singapore? Local expertise is far more important than many would give credit for.
 
G

Gwhittaker22

Registered
Marc said:
Standard Title: ISO 13485:2003 - Medical devices - Quality management systems - Requirements for regulatory purposes

ISO 13485:2003 is a Quality Management System for medical devices, specifically for regulatory purposes. It is based on ISO 9001:2000 with some modifications. The standard includes a process model similar to that of ISO 9001:2000 but requires more documented procedures that consistently meet customer requirements and regulatory requirements applicable to medical devices and related services.

The ISO 13485:2003 standard is an update and compilation of the older ISO 13485:1996 & ISO 13488:1996 standards. This update was in response to the publication of ISO 9001:2000.

The ISO 13485:2003 standard does not reference the requirements of ISO 9001 but does provide medical device manufacturers with a standalone standard for quality management systems that need to demonstrate compliance to regulatory requirements.

Updates and additions/corrections welcomed by posting in this thread.
Click to expand...
Hello Marc:

Would you know if there are any GAP analysis between ISO 13485 & AS9100? I work for a DOD subcontractor but I need to understand how the FDA, CFR 21 overlap with AS9100. I will be dealing with contracts based in the FAR and FDA simultaneously...

George
 
Marc

Marc

Fully vaccinated are you?
Leader
I don't know off hand. One of the medical device people here may be able to help.
 
Ajit Basrur

Ajit Basrur

Leader
Admin
Gwhittaker22 said:
Hello Marc:

Would you know if there are any GAP analysis between ISO 13485 & AS9100? I work for a DOD subcontractor but I need to understand how the FDA, CFR 21 overlap with AS9100. I will be dealing with contracts based in the FAR and FDA simultaneously...

George
Click to expand...

While I do not the most appropriate answer to your question, I would like to direct you to one of the existing thread, Clear differences between ISO 13485 and AS 9100D requirements that mention the specific clauses per AS9100 that may not be found in ISO 13485.
 
G

Gwhittaker22

Registered
Hello Everyone:

The Texas Commercial Code is a pretty good reference for understanding the potential effect of the impact of omitting provisions in the QMS that address the biggest gap between ISO 13485, AS9100, and IATF 16949. It seems that the basic requirements of the UCC strongly suggest that it is prudent for any seller of goods or services , to include provisions in the QMS that address the following:

More is better when it comes to considering if the QMS provides benefit to the Strategic Plan of the organization, company, firm, etc. How would an auditor argue against exercising basic business common sense?

This language suggests that it is better to include customer satisfaction and continuous improvement provisions in the basic QMS. In many ways it makes common sense that one always sells things based on contract law, and that strongly suggests that it is in the best interest of any firm to make sure the customer is "Happy" with the goods or service, and that it is an expressed consideration of the firms operating policies. I work with medical devices and DOD products. One is highly regulated for good reason; It is highly likely that you could harm a person unintentionally with Medical Devices, and you could fail to harm someone in DOD matters.

Continuous improvement is pretty much the inverse of increasing Risk. The Quality department may be considered an extension of the legal department in contracts and commercial transactions. The daylight between compliance with the UCC law and the customer's contract requirements via your QMS is not very great!

George
 

Attachments

  • TEXAS COMMERCIAL CODE TEXT FOR ARTICLE 2 MATTERS-08JUN20.doc
    80.5 KB · Views: 99
You must log in or register to reply here.

Similar threads

QCBOB
New to ISO 13485, any suggestions?
Replies
6
Views
382
FRA 2 FDA
FRA 2 FDA
J
ISO 13485 - Control of Records (4.2.5) question
2
Replies
10
Views
789
Tidge
T
B
Electronic QMS Documentation
Replies
2
Views
232
bimeri
B
M
Design and Development Exclusion for Marker Band Components
Replies
1
Views
222
AndreaPBeagle
A
I
FDA Quality System Regulation Amendments
Replies
0
Views
273
indubioush
I
Top Bottom