An important starting point within the development project is the business case. Depending on the business activities, the scope of the quality management system (QMS) is determined (by the Quality Assurance Manager). Both the QMS and product development must have a risk-based control mechanism. With that, work processes for the QMS can be made.
What should you consider for the business case?
What will the (total) product development cost, what will the product's cost price be, and when and on which market can and do I want to launch the device? Who are my customers, and how many units and at what price am I going to sell? When the business case is (sufficiently) positive, the product can be further developed. The business case needs to be updated at the end of phases 1, 2 and 3. The main purpose of the business case is to rationalize whether the deployment of resources is justified.
Are there important factors to keep in mind for defining the scope of the QMS?
When the development process is fully outsourced, or when the production of the medical device is outsourced, the QMS does not have to comply with this process-wise, and standard elements of, for example, ISO13485:2016 can be declared inapplicable in the quality manual. This makes implementing and maintaining the quality management system more manageable, but an effective supplier management system must be in place (see ISO13485:2016, §7.4). If the activities are eventually brought in-house, the scope of the quality management system can be expanded in consultation with the Notified Body.
Please note: when the business is legally divided into entities, all subsidiaries must be brought within the scope of, and use, the same QMS. For example, dHealth Holding B.V. has the entities dHealth Medical B.V., dHealth Research B.V. and dHealth Manufacturing B.V. In this example, dHealth Medical B.V. is the legal manufacturer of the medical device, dHealth Research B.V. is the developer and dHealth Manufacturing B.V. takes care of the production of the medical device. This means that dHealth Research and dHealth Manufacturing become suppliers of dHealth Medical. As part of supplier management, dHealth Medical will have to make written agreements and assess/audit the QMS of its 'suppliers' on a regular basis (e.g., once a year).
How to start with a risk-based control mechanism?
A distinction can be made between business risks such as the risk of production disruptions and product risks that can affect the patient or user.
To assess product risks, it is advisable to use the methodology described in ISO14971:2019. Multiply the probability that the hazard will occur by the probability of damage upon occurrence and by the damage caused by the hazard upon occurrence; see the tables in the presentation for how this is calculated.
For the business risks, you can make an inventory of the operational risks. These are easily estimated by multiplying the probability estimate by the impact estimate (on a Likert scale). It is advisable to divide business risks into categories, so that you get an overall picture of the risk areas and more certainty of completeness. Examples of risk areas are the risk of management and reputational damage; financial damage such as liability, fraud, costs or profit loss; physical damage such as health, safety or productivity; and damage caused by non-compliance with laws and regulations. The multiplication shows the risk class. The number of risk-mitigating measures to be taken depends on the level of risk and the effectiveness of the mitigation.
What is good to keep in mind for the work processes?
A risk-based QMS (covering both product and business risks) has the advantage that not all work processes need to be described in detail; usually a flowchart is sufficient to describe the process. Policy documents or protocols are written out, but with no more textual description than necessary. High risk mitigation usually requires a protocol or procedure that describes the boundaries and actions that need to be taken within the company policy.
When an Enterprise Resource Planning (ERP) system is used that enforces order of action and completeness, it is not necessary to turn all work activities into process flows, for example the creation of a purchase order. An exception applies to processes in which several colleagues or departments are involved: when a purchase order needs approval or needs to be transferred to another department, it is necessary to describe that process.
Internal auditing is also made easier by risk assessment. Depending on the risk, processes are audited/revised annually, biennially, triennially, or quadrennially. Only the high-risk processes are reassessed annually.
The work processes should be categorized into management processes, resource processes, customer processes, product realization processes and improvement processes (chapters 4, 5, 6, 7 and 8 of the ISO13485:2016 standard). This will provide structure to your QMS. A QMS that complies with the requirements for medical device development and production will include a large number of work processes. Having a structure provides an overview of the available processes and demonstrates completeness.
For each work process, make a reference to the standard (9001 or 13485). Multiple standard paragraphs can apply to one process flow. Depending on the program used for process management, an analysis can then be made of the business processes that have been set up. This helps with the external audit, since the auditor of the Notified Body can specifically ask questions about certain standard elements.
If your QMS database allows you to create reports, then adding references to work processes will allow you to create a report that you can use to verify if all the required processes are there and will allow you to easily create an overview that you can use during audits.