Hello all and welcome to another week of MedTech Compliance Chronicles. After a couple weeks of setting the foundations of the QMS we are beginning to go into the more explicitly laid out requirements. We will begin as both the standard (ISO 13485:2016) and the regulation (21 CFR part 820) do, with management responsibility.
To be clear up front, when either the standard or regulation are talking about management responsibility, the mean management at a high enough level to actually have the power and authority to make the necessary decisions and/or changes in the company, its policies or its operations. ISO tends to refer to this level of management as ‘top management’ while part 820 refers to them as ‘management with executive responsibility.’ In either case, an important note is that these responsibilities cannot be delegated. Even if the actual work in carrying out the responsibility is delegated, the responsibility itself is not. The reasoning behind not being about to delegate such responsibility is to ensure that the quality of medical devices is actively on the minds of those who run companies that produce them and, when necessary, to ensure the correct individuals are held accountable should blatant disregard for the regulations occur.
From a practical standpoint, anyone who has ever worked for a medical device manufacturer can attest to the importance of having top management consider quality in their decision making. The efforts of many employees and of years of work can be greatly impacted by a single decision made at a high enough level. For this reason, combined with the importance of maintaining the integrity of the QMS at all times, specific requirements around management responsibility were developed. In general, (top) management must establish and maintain a policy and objectives related to quality, must plan all QMS activities, must assign proper responsibilities, resources and authorities necessary for the QMS to function adequately and must regularly review the QMS.
Quality Policy and Quality Objectives
From a sheer regulatory standpoint, top management is required to establish a quality policy and objectives related to quality. The policy must demonstrate top management’s “commitment to quality” and be effectively communicated and understood throughout the organization. The general theme between part 820 and ISO 13485:2016 continues with ISO also requiring the same things with some additional requirements that primarily just make the regulatory requirements clearer or easier to implement. ISO gives the additional requirements to the policy that it be applicable to the purpose of the organization, that it establish a framework for establishing and reviewing the quality objectives and that it be reviewed. For the quality objectives, ISO provides the additional requirement, that some might have considered implied, that the quality objectives be measurable.
Now that we have technical requirements listed out, let's talk about what a quality policy is intended for and what it ideally should help the organization do. The quality policy can often seem like a ‘check-in-the-box’ statement that organizations are legally required to have or they get in trouble. That opinion of a quality policy can, sadly, be true depending on your organization but you will ultimately not quite get what you should be getting out of your QMS. The quality policy is meant to drive quality objectives which are measurable indicators of the overall performance of your QMS. The quality policy is the high-level, overarching approach of the organization to quality and is meant to be applicable to the whole organization. It should establish a ‘quality first’ mindset in all employees.
Quality Objectives
Quality objectives are where we take the guiding principles of the quality policy and turn them into specific, measurable criteria for performance review. A general statement from a quality policy can turn into various quality objectives. For example, a commitment in the quality policy to customer satisfaction can turn into a quality objective to decrease return rates by X% over Y months. This can further be broken down into more specific objectives for different departments like giving manufacturing, assembly and shipping different goals all based on how that department can affect the rate of returns, all leading back to achieving the quality objective that was directly established from the quality policy.
The important thing to remember about quality objectives is that they must be tied to the quality policy and they should be tied to the organization's overall strategy and goals. Quality objectives are where you really get the chance to show the individual employee how the quality policy relates to their job and how they directly influence quality.
Authority, Responsibility & Resources
The next requirement of top management is that they assign the responsibilities and authorities and provide the resources necessary for the proper implementation and continued effectiveness of the QMS. These requirements, though fairly straightforward, are what ensures that quality management is actually carried out as it is documented. It is one thing to write a bunch of procedures and other documents that are legally required, it is another thing altogether to actually buy the proper machinery, keep the required environmental conditions, hire the appropriate employees and train them appropriately. Assigning responsibility, authority and resources is how top management actually follows through on their commitment to quality from the quality policy.
Authority and responsibility go hand in hand. From a QMS standpoint with the ultimate goal being the production of a safe and effective medical device, the primary focus with authority and responsibility is that 1) that all quality related activities have a clearly identified responsible person and 2) to ensure proper objectivity when verifying any work related to quality. To clarify on the second point, in the simplest terms this means that people do not check their own work. This usually manifests as a very clear distinction between inspectors and manufacturing personnel. This also, and more related to the authority side of things, means that the chain of command of an organization should be sufficiently segregated to allow for practical application of the QMS. For example, though it is technically possible for an inspector to report to a manufacturing supervisor, the responsibility of a manufacturing supervisor usually involves getting product out the door as fast and efficiently as possible. Such a relationship could cause the inspector not to report failures in fear of upsetting his boss because the failures will put a hold on product shipment. How you choose to set up your organization is ultimately up to you, you just need to be conscious about these kinds of interactions and ensure you do everything you can to mitigate them.
Additionally, you must make sure you provide all of the required resources necessary to carry out all of your QMS processes. ISO 13485:2016 lists a lot more resource specific requirements than part 820 and for that reason, next week will be a whole post on resource management.
Management Review
The final requirement of top management is that they regularly review the QMS. No matter how perfectly you think you have set something up, every process has a way of drifting over time. To ensure that your QMS continues to be effective over time it is crucial for those with policy and decision making authority to keep up-to-date with its status. Management review is how the FDA makes sure that medical device manufacturers are doing this.
Every management review will have a list of inputs and outputs. The ‘inputs’ to management review are basically all of the overarching QMS processes (production controls, monitoring and measurement, post-market surveillance, etc.). The ‘outputs’ of management review will be whatever specific input was being reviewed at the time as well as any decisions related to it. Management review must be conducted at regular intervals and it does not really get more specific than that. You should determine the point at which to review each process based on the risk that process poses to the safety and effectiveness of the finished device, keeping in mind that every process does not have to be reviewed at the same time. Many smaller companies do an annual management review of the entire QMS, while larger companies that have more to review might review more critical processes annually and others biennially or triennially.
Conclusion
The first step to implementing anything effectively is in making sure that those who have ultimate control over its implementation are actively involved in the process and continued monitoring of the system. The management requirements set out by the FDA are their way of making sure that quality is actually implemented as an integral part of the organization and not just handed off to someone down the chain or just forgotten about. Remember that top management is, at a minimum, responsible for establishing a quality policy and objectives, assigning the necessary authorities, responsibilities and resources to effectively operate the QMS and continually review the effectiveness of the QMS.
I hope that you have a deeper understanding of management responsibilities as required by the US FDA and ISO 13485:2016. Join us next week for a discussion on clause 6 of ISO 13485:2016, resource management!
Comments