4. Quality and Risk Management

Relevant QMS Standards for Medical Software

  • ISO 9001: Quality Management Systems

  • ISO/IEC/IEEE 90003: Software engineering - Guidelines for the application of ISO 9001:2015 to computer software

  • ISO 13485: Medical devices - Quality Management Systems

ISO 9001

ISO 9001 is an international standard that sets out the criteria for a quality management system (QMS). It's designed to help organizations ensure that their products and services consistently meet customer requirements and that they continuously improve quality. It covers various aspects of a QMS, including leadership commitment, customer focus, process improvement, risk management, and the importance of evidence-based decision-making. ISO 9001 certification demonstrates an organization's dedication to quality and its ability to meet customer expectations.

The structure of ISO 9001:2015 follows a framework known as the High-Level Structure (HLS), which is a common structure for all ISO management system standards. It consists of the following main sections:

  1. Scope: This section defines the scope of the standard, outlining what the standard covers and the intent behind its implementation.

  2. Normative References: Any external documents or standards referred to in the ISO 9001 standard.

  3. Terms and Definitions: Definitions of key terms used throughout the standard to ensure clarity and consistency in interpretation.

  4. Context of the Organization: Understanding the organization and its context, including the needs and expectations of interested parties (such as customers, suppliers, employees, etc.).

  5. Leadership: Emphasizes the role of top management in establishing the quality policy and objectives, demonstrating leadership and commitment to the QMS.

  6. Planning: This section focuses on actions to address risks and opportunities, as well as setting quality objectives and planning to achieve them.

  7. Support: Resources, competency, awareness, communication, and documented information necessary for the QMS are covered here.

  8. Operation: This includes planning and control of processes related to the organization's products and services.

  9. Performance Evaluation: Monitoring, measurement, analysis, and evaluation of the QMS to ensure it's effective and achieving intended results.

  10. Improvement: Continual improvement of the QMS through corrective actions, addressing nonconformities, and enhancing overall performance.

This structure follows the "Plan-Do-Check-Act" (PDCA) cycle, encouraging organizations to plan their processes, implement them, check for effectiveness, and continuously improve them.

ISO 13485

ISO 13485 is an international standard that specifies requirements for a quality management system (QMS) for medical devices and related services. Here are the main sections of ISO 13485:2016:

  1. Scope: Defines the scope of the standard and specifies that it is applicable to organizations involved in the life cycle of medical devices.

  2. Normative References: Lists any external documents or standards referenced in ISO 13485.

  3. Terms and Definitions: Provides definitions of key terms used throughout the standard for clarity and consistency.

  4. Quality Management System (QMS) Requirements:

    • General requirements for establishing and maintaining a QMS specific to medical devices.

    • Documentation requirements, including the creation and maintenance of documentation related to the QMS.

  5. Management Responsibility: Emphasizes the responsibility of top management in demonstrating commitment to the QMS, establishing quality policy and objectives, and ensuring the effectiveness of the QMS.

  6. Resource Management: Covers the allocation of resources, including personnel, infrastructure, and work environment, necessary for the QMS.

  7. Product Realization:

    • Planning and design and development requirements for medical devices.

    • Processes related to purchasing, production, and service provision.

  8. Measurement, Analysis, and Improvement:

    • Requirements for monitoring and measuring processes within the QMS.

    • Methods for ensuring compliance with regulatory requirements.

    • Processes for monitoring customer satisfaction and implementing corrective and preventive actions.

ISO 13485 emphasizes the importance of meeting regulatory requirements, maintaining effective processes throughout the product life cycle, and ensuring the safety and efficacy of medical devices. It's designed to help organizations in the medical device industry establish and maintain a comprehensive QMS to meet customer and regulatory requirements.

IMDRF QMS Guidance

The International Medical Device Regulators Forum (IMDRF) has developed guidance documents, including the "IMDRF Medical Device Single Audit Program (MDSAP)" for quality management systems (QMS) related to medical devices. The MDSAP follows a framework that includes several sections:

  1. Preface:

    • Introduction to the purpose and scope of the MDSAP document.

    • Explanation of its applicability and relevance to medical device quality management.

  2. Scope:

    • Defines the scope of the MDSAP and specifies the types of organizations and medical devices it covers.

  3. Normative References:

    • Lists any external documents, standards, or regulations referenced in the MDSAP.

  4. Terms and Definitions:

    • Provides definitions of key terms and concepts used throughout the MDSAP for clarity and consistency.

  5. Introduction to the MDSAP:

    • Overview of the structure and purpose of the MDSAP program.

    • Explanation of the goals and objectives of the MDSAP in harmonizing and aligning regulatory requirements for medical devices.

  6. MDSAP Requirements:

    • Detailed requirements and criteria for the MDSAP, which align with the regulatory requirements of participating regulatory authorities.

    • Specific emphasis on the key elements of a QMS for medical devices, such as management responsibility, resource management, product realization, measurement, analysis, and improvement.

  7. Auditing Requirements:

    • Guidelines and criteria for auditing organizations' QMS against the MDSAP requirements.

    • Explanation of audit processes, criteria for auditor competence, and audit report formats.

  8. Conformity Assessment:

    • Details the assessment process to determine whether an organization's QMS meets the MDSAP requirements.

    • Clarifies how regulatory authorities use MDSAP audit reports as part of their regulatory processes.

The IMDRF MDSAP aims to facilitate a more efficient and harmonized approach to auditing and assessing the QMS of medical device manufacturers across different regulatory jurisdictions. It helps streamline and standardize regulatory requirements, benefiting both regulatory authorities and medical device manufacturers by reducing duplication of efforts and ensuring compliance with global quality standards.

The International Medical Device Regulators Forum (IMDRF) provides guidance related to quality management systems (QMS) for medical devices. When addressing hazards within this context, the IMDRF QMS guidance typically identifies several categories or sources of hazards that medical device manufacturers should consider:

  1. Device Design and Construction Hazards:

    • Design flaws, incorrect specifications, or inadequate construction that might lead to malfunctions, failures, or safety hazards in the medical device.

  2. Use-Related Hazards:

    • Risks associated with the intended use of the device, including potential misuse, inadequate user instructions, or insufficient labeling that could lead to harm or misuse of the device.

  3. Biological Hazards:

    • Risks associated with the interaction between the device and the biological environment, such as infections, allergic reactions, or other adverse biological responses.

  4. Chemical Hazards:

    • Risks related to the presence of harmful chemicals or materials within the device, including leaching of substances, toxicity, or chemical reactions that could cause harm.

  5. Physical Hazards:

    • Risks associated with physical aspects of the device, such as sharp edges, mechanical failures, electrical hazards, or other physical properties that could cause injury.

  6. Software-Related Hazards:

    • Risks associated with software components in medical devices, including software malfunctions, errors, cybersecurity vulnerabilities, or inadequate software validation.

  7. Environmental Hazards:

    • Risks arising from the device's interaction with the external environment, including temperature variations, humidity, electromagnetic interference, or other environmental factors affecting device performance.

  8. Manufacturing and Quality Control Hazards:

    • Risks associated with manufacturing processes, such as defects, inconsistencies, or failures during production that could impact the safety or efficacy of the device.

Understanding and assessing these categories or sources of hazards is crucial for medical device manufacturers to develop robust risk management strategies and to ensure the safety and effectiveness of their products throughout the device life cycle.

Software as a Medical Device (SaMD): Application of Quality Management System

Risk Management

ISO 14971

ISO 14971 is an international standard that specifies requirements for risk management in medical devices. It's crucial for ensuring the safety and effectiveness of medical devices throughout their life cycle. Here are the main sections typically found in ISO 14971:

  1. Scope: Defines the purpose and application of the standard, specifying its relevance to the entire life cycle of medical devices.

  2. Normative References: Lists any external documents or standards referenced in ISO 14971.

  3. Terms and Definitions: Provides definitions of key terms used throughout the standard to ensure consistent interpretation.

  4. Risk Management Process:

    • Establishes a systematic process for managing risks associated with medical devices.

    • Includes risk analysis, evaluation, control, and monitoring throughout the device's life cycle.

  5. Risk Management Framework:

    • Outlines the framework and principles for implementing risk management in accordance with the standard.

    • Emphasizes the importance of risk management planning, risk analysis methods, and risk control measures.

  6. Risk Management Process:

    • Identifies the steps and activities involved in the risk management process, including risk assessment, risk evaluation, risk control, and risk communication.

  7. Risk Management File:

    • Addresses the documentation requirements for risk management activities, including the creation and maintenance of a risk management file.

  8. Production and Post-Production Information:

    • Covers requirements for monitoring and updating risk management information during production and post-production phases.

  9. Review of Risk Management:

    • Discusses the need for periodic review and assessment of the effectiveness of the risk management process.

ISO 14971 provides a structured approach to identifying, assessing, and controlling risks associated with medical devices. Its comprehensive framework helps manufacturers ensure that their devices meet necessary safety standards and regulatory requirements.

Risk Management Process

  • Risk Analysis

  • Risk Evaluation

  • Risk Control

  • Evaluation of Residual Risk
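The four steps listed above, worked through as an added example that is not part of the original page or of ISO 14971 itself: a small Python model of a risk management file in which each hazard goes through analysis, evaluation, control and residual-risk evaluation. The severity and probability scales, the acceptability thresholds and the sample hazards are all constructed assumptions; a real risk management plan fixes its own criteria.

```python
"""Added example (not from the original page): a minimal model of the ISO 14971
risk management loop: risk analysis -> risk evaluation -> risk control ->
evaluation of residual risk. Scales, thresholds and hazards are constructed
for illustration, not taken from the standard."""
from dataclasses import dataclass, field

SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}
PROBABILITY = {"improbable": 1, "remote": 2, "occasional": 3, "probable": 4, "frequent": 5}

# Assumed acceptability policy, the kind of criteria a risk management plan fixes up front.
def evaluate(severity: str, probability: str) -> str:
    """Risk evaluation: map a severity/probability estimate to an acceptability verdict."""
    index = SEVERITY[severity] * PROBABILITY[probability]
    if index >= 12:
        return "unacceptable"
    if index >= 6:
        return "reduce"          # tolerable only once reduced as far as possible
    return "acceptable"

@dataclass
class Hazard:
    """One row of the risk management file: the analysis plus any controls applied."""
    description: str
    category: str                # one of the hazard sources listed earlier, e.g. "software"
    severity: str                # pre-control estimate
    probability: str
    # Risk control: each entry is (measure, estimated severity after, estimated probability after)
    controls: list = field(default_factory=list)

    def residual(self) -> tuple:
        """Estimate after the last control; unchanged when no control has been applied."""
        return (self.severity, self.probability) if not self.controls else self.controls[-1][1:]

def risk_management_file(hazards: list) -> dict:
    """Evaluate residual risk per hazard and the overall residual risk of the device."""
    rows = {h.description: (evaluate(h.severity, h.probability), evaluate(*h.residual()))
            for h in hazards}
    # Overall residual risk: every individual residual risk must be acceptable; anything
    # still at "reduce" or "unacceptable" needs further control or a benefit-risk review.
    overall = "acceptable" if all(r[1] == "acceptable" for r in rows.values()) else "review"
    return {"hazards": rows, "overall": overall}

# Constructed sample hazards, drawn from the software and physical categories listed earlier.
SAMPLE = [
    Hazard("Remote configuration service accepts commands without authentication",
           "software", "catastrophic", "occasional",
           [("Require mutually authenticated TLS for the service", "catastrophic", "improbable")]),
    Hazard("Sensor drift yields an under-reported reading", "physical", "serious", "occasional",
           [("Periodic self-calibration check", "serious", "remote")]),
]
```

Running `risk_management_file(SAMPLE)` shows the first hazard moving from unacceptable to acceptable after its control, while the second stays in the "reduce" band, so the overall residual risk of the device is flagged for review rather than accepted.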

IMDRF Guidance on Risk Categorization
