0% found this document useful (0 votes)
3 views17 pages

Iso Module Two

Uploaded by

amruthavarshini
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
3 views17 pages

Iso Module Two

Uploaded by

amruthavarshini
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 17

Module II: Implementation & Performance Evaluation

8.3 Design and development of products and services

8.3.1 General The organization shall establish, implement and maintain a design and development
process that is appropriate to ensure the subsequent provision of products and services.

8.3.2 Design and development planning In determining the stages and controls for design and
development, the organization shall consider:

a) the nature, duration and complexity of the design and development activities;

b) the required process stages, including applicable design and development reviews;

c) the required design and development verification and validation activities;

d) the responsibilities and authorities involved in the design and development process;

e) the internal and external resource needs for the design and development of products and
services;

f) the need to control interfaces between persons involved in the design and development process;

g) the need for involvement of customers and users in the design and development process; h) the
requirements for subsequent provision of products and services;

i) the level of control expected for the design and development process by customers and other
relevant interested parties;

j) the documented information needed to demonstrate that design and development requirements
have been met.

8.3.3 Design and development inputs The organization shall determine the requirements essential
for the specific types of products and services to be designed and developed. The organization shall
consider:

a) functional and performance requirements;

b) information derived from previous similar design and development activities;

c) statutory and regulatory requirements;

d) standards or codes of practice that the organization has committed to implement;

e) potential consequences of failure due to the nature of the products and services.

Inputs shall be adequate for design and development purposes, complete and unambiguous.
Conflicting design and development inputs shall be resolved. The organization shall retain
documented information on design and development inputs

8.3.4 Design and development controls

The organization shall apply controls to the design and development process to ensure that:

a) the results to be achieved are defined;

b) reviews are conducted to evaluate the ability of the results of design and development to meet
requirements;
c) verification activities are conducted to ensure that the design and development outputs meet the
input requirements;

d) validation activities are conducted to ensure that the resulting products and services meet the
requirements for the specified application or intended use;

e) any necessary actions are taken on problems determined during the reviews, or verification and
validation activities;

f) documented information of these activities is retained.

8.3.5 Design and development outputs

The organization shall ensure that design and development outputs:

a) meet the input requirements;

b) are adequate for the subsequent processes for the provision of products and services;

c) include or reference monitoring and measuring requirements, as appropriate, and acceptance


criteria;

d) specify the characteristics of the products and services that are essential for their intended
purpose and their safe and proper provision.

The organization shall retain documented information on design and development outputs

8.3.6 Design and development changes

The organization shall identify, review and control changes made during, or subsequent to, the
design and development of products and services, to the extent necessary to ensure that there is no
adverse impact on conformity to requirements. The organization shall retain documented
information on:

a) design and development changes;

b) the results of reviews

c) the authorization of the changes;

d) the actions taken to prevent adverse impacts.

8.4 Control of externally provided processes, products and services

8.4.1 General

The organization shall ensure that externally provided processes, products and services conform to
requirements. The organization shall determine the controls to be applied to externally provided
processes, products and services when:

a) products and services from external providers are intended for incorporation into the
organization’s own products and services;

b) products and services are provided directly to the customer(s) by external providers on behalf of
the organization;

c) a process, or part of a process, is provided by an external provider as a result of a decision by the


organization.
The organization shall determine and apply criteria for the evaluation, selection, monitoring of
performance, and re-evaluation of external providers, based on their ability to provide processes or
products and services in accordance with requirements. The organization shall retain documented
information of these activities and any necessary actions arising from the evaluations

8.4.2 Type and extent of control

The organization shall ensure that externally provided processes, products and services do not
adversely affect the organization’s ability to consistently deliver conforming products and services to
its customers. The organization shall:

a) ensure that externally provided processes remain within the control of its quality management
system;

b) define both the controls that it intends to apply to an external provider and those it intends to
apply to the resulting output;

c) take into consideration:

1) the potential impact of the externally provided processes, products and services on the
organization’s ability to consistently meet customer and applicable statutory and regulatory
requirements;

2) the effectiveness of the controls applied by the external provider; d) determine the
verification, or other activities, necessary to ensure that the externally provided processes, products
and services meet requirements.

8.4.3 Information for external providers

The organization shall ensure the adequacy of requirements prior to their communication to the
external provider. The organization shall communicate to external providers its requirements for:

a) the processes, products and services to be provided.

b) the approval of:

1) products and services;

2) methods, processes and equipment;

3) the release of products and services;

c) competence, including any required qualification of persons;

d) the external providers’ interactions with the organization;

e) control and monitoring of the external providers’ performance to be applied by the


organization;

f) verification or validation activities that the organization, or its customer, intends to perform at
the external providers’ premises.

8.5 Production and service provision

8.5.1 Control of production and service provision


The organization shall implement production and service provision under controlled conditions.
Controlled conditions shall include, as applicable:

a) the availability of documented information that defines:

1) the characteristics of the products to be produced, the services to be provided, or the


activities to be performed;

2) the results to be achieved;

b) the availability and use of suitable monitoring and measuring resources;

c) the implementation of monitoring and measurement activities at appropriate stages to verify that
criteria for control of processes or outputs, and acceptance criteria for products and services, have
been met;

d) the use of suitable infrastructure and environment for the operation of processes;

e) the appointment of competent persons, including any required qualification;

f) the validation, and periodic revalidation, of the ability to achieve planned results of the processes
for production and service provision, where the resulting output cannot be verified by subsequent
monitoring or measurement;

g) the implementation of actions to prevent human error;

h) the implementation of release, delivery and post-delivery activities.

8.5.2 Identification and traceability

The organization shall use suitable means to identify outputs when it is necessary to ensure the
conformity of products and services. The organization shall identify the status of outputs with
respect to monitoring and measurement requirements throughout production and service provision.
The organization shall control the unique identification of the outputs when traceability is a
requirement, and shall retain the documented information necessary to enable traceability

8.5.3 Property belonging to customers or external providers

The organization shall exercise care with property belonging to customers or external providers while
it is under the organization’s control or being used by the organization. The organization shall
identify, verify, protect and safeguard customers’ or external providers’ property provided for use or
incorporation into the products and services. When the property of a customer or external provider
is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the
customer or external provider and retain documented information on what has occurred.

NOTE

A customer’s or external provider’s property can include materials, components, tools and
equipment, premises, intellectual property and personal data.

8.5.4 Preservation

The organization shall preserve the outputs during production and service provision, to the extent
necessary to ensure conformity to requirements.
NOTE Preservation can include identification, handling, contamination control, packaging, storage,
transmission or transportation, and protection.

8.5.5 Post-delivery activities

The organization shall meet requirements for post-delivery activities associated with the products
and services. In determining the extent of post-delivery activities that are required, the organization
shall consider:

a) statutory and regulatory requirements;

b) the potential undesired consequences associated with its products and services;

c) the nature, use and intended lifetime of its products and services;

d) customer requirements;

e) customer feedback.

NOTE Post-delivery activities can include actions under warranty provisions, contractual obligations
such as maintenance services, and supplementary services such as recycling or final disposal.

8.5.6 Control of changes

The organization shall review and control changes for production or service provision, to the extent
necessary to ensure continuing conformity with requirements. The organization shall retain
documented information describing the results of the review of changes, the person(s) authorizing
the change, and any necessary actions arising from the review

8.6 Release of products and services

The organization shall implement planned arrangements, at appropriate stages, to verify that the
product and service requirements have been met. The release of products and services to the
customer shall not proceed until the planned arrangements have been satisfactorily completed,
unless otherwise approved by a relevant authority and, as applicable, by the customer

The organization shall retain documented information on the release of products and services. The
documented information shall include:

a) evidence of conformity with the acceptance criteria;

b) traceability to the person(s) authorizing the release

8.7 Control of nonconforming outputs

8.7.1 The organization shall ensure that outputs that do not conform to their requirements are
identified and controlled to prevent their unintended use or delivery.

The organization shall take appropriate action based on the nature of the nonconformity and its
effect on the conformity of products and services. This shall also apply to nonconforming products
and services detected after delivery of products, during or after the provision of services. The
organization shall deal with nonconforming outputs in one or more of the following ways:

a) correction;

b) segregation, containment, return or suspension of provision of products and services;


c) informing the customer;

d) obtaining authorization for acceptance under concession. Conformity to the requirements shall
be verified when nonconforming outputs are corrected.

8.7.2 The organization shall retain documented information that:

a) describes the nonconformity;

b) describes the actions taken;

c) describes any concessions obtained;

d) identifies the authority deciding the action in respect of the nonconformity.

Clause 9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

9.1.1 General

The organization shall determine:

a) what needs to be monitored and measured;

b) the methods for monitoring, measurement, analysis and evaluation needed to ensure valid
results;

c) when the monitoring and measuring shall be performed;

d) when the results from monitoring and measurement shall be analysed and evaluated. The
organization shall evaluate the performance and the effectiveness of the quality management
system. The organization shall retain appropriate documented information as evidence of the results

9.1.2 Customer satisfaction

The organization shall monitor customers’ perceptions of the degree to which their needs and
expectations have been fulfilled. The organization shall determine the methods for obtaining,
monitoring and reviewing this information.

NOTE Examples of monitoring customer perceptions can include customer surveys, customer
feedback on delivered products and services, meetings with customers, market-share analysis,
compliments, warranty claims and dealer reports

9.1.3 Analysis and evaluation

The organization shall analyse and evaluate appropriate data and information arising from
monitoring and measurement. The results of analysis shall be used to evaluate:

a) conformity of products and services;

b) the degree of customer satisfaction;

c) the performance and effectiveness of the quality management system;

d) if planning has been implemented effectively;

e) the effectiveness of actions taken to address risks and opportunities;


f) the performance of external providers;

g) the need for improvements to the quality management system.

NOTE Methods to analyse data can include statistical techniques

9.2 Internal audit

9.2.1 The organization shall conduct internal audits at planned intervals to provide information on
whether the quality management system:

a) conforms to:

1) the organization’s own requirements for its quality management system;

2) the requirements of this International Standard;

b) is effectively implemented and maintained.

9.2.2 The organization shall:

a) plan, establish, implement and maintain an audit programme(s) including the frequency, methods,
responsibilities, planning requirements and reporting, which shall take into consideration the
importance of the processes concerned, changes affecting the organization, and the results of
previous audits;

b) define the audit criteria and scope for each audit;

c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;

d) ensure that the results of the audits are reported to relevant management;

e) take appropriate correction and corrective actions without undue delay

f) retain documented information as evidence of the implementation of the audit programme and
the audit results.

how to apply the major areas of ISO 19011, impartiality during audit
Audit results can provide input to the analysis aspect of business planning, and can contribute to the
identification of improvement needs and activities.
An audit can be conducted against a range of audit criteria, separately or in combination, including but
not limited to:

 — requirements defined in one or more management system standards;


 — policies and requirements specified by relevant interested parties;
 — statutory and regulatory requirements;
 — one or more management system processes defined by the organization or other parties;
 — management system plan(s) relating to the provision of specific outputs of a management
system (e.g. quality plan, project plan).

This document provides guidance for all sizes and types of organizations and audits of varying scopes
and scales, including those conducted by large audit teams, typically of larger organizations, and
those by single auditors, whether in large or small organizations. This guidance should be adapted as
appropriate to the scope, complexity and scale of the audit programme.
This document concentrates on internal audits (first party) and audits conducted by organizations on
their external providers and other external interested parties (second party). This document can also
be useful for external audits conducted for purposes other than third party management system
certification. ISO/IEC 17021-1 provides requirements for auditing management systems for third party
certification; this document can provide useful additional guidance (see Table 1).
Table 1 — Different types of audits

1st party audit 2nd party audit 3rd party audit


Internal audit External provider audit Certification and/or accreditation audit
Other external interested party audit Statutory, regulatory and similar audit
To simplify the readability of this document, the singular form of “management system” is preferred,
but the reader can adapt the implementation of the guidance to their own situation. This also applies
to the use of “individual” and “individuals”, “auditor” and “auditors”.
This document is intended to apply to a broad range of potential users, including auditors,
organizations implementing management systems and organizations needing to conduct
management system audits for contractual or regulatory reasons. Users of this document can,
however, apply this guidance in developing their own audit-related requirements.
The guidance in this document can also be used for the purpose of self-declaration and can be useful
to organizations involved in auditor training or personnel certification.
The guidance in this document is intended to be flexible. As indicated at various points in the text, the
use of this guidance can differ depending on the size and level of maturity of an organization’s
management system. The nature and complexity of the organization to be audited, as well as the
objectives and scope of the audits to be conducted, should also be considered.
This document adopts the combined audit approach when two or more management systems of
different disciplines are audited together. Where these systems are integrated into a single
management system, the principles and processes of auditing are the same as for a combined audit
(sometimes known as an integrated audit).
This document provides guidance on the management of an audit programme, on the planning and
conducting of management system audits, as well as on the competence and evaluation of an auditor
and an audit team.

Reporting of non conformities

10.2 Nonconformity and corrective action

10.2.1 When a nonconformity occurs, including any arising from complaints, the organization shall:
a) react to the nonconformity and, as applicable:

1) take action to control and correct it;

2) deal with the consequences;

b) evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does
not recur or occur elsewhere, by:

1) reviewing and analysing the nonconformity;

2) determining the causes of the nonconformity;

3) determining if similar nonconformities exist, or could potentially occur;

c) implement any action needed;

d) review the effectiveness of any corrective action taken;

e) update risks and opportunities determined during planning, if necessary;


f) make changes to the quality management system, if necessary. Corrective actions shall be
appropriate to the effects of the nonconformities encountered.

10.2.2 The organization shall retain documented information as evidence of:

a) the nature of the nonconformities and any subsequent actions taken;

b) the results of any corrective action.

9.3 Management review

9.3.1 General

Top management shall review the organization’s quality management system, at planned intervals,
to ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction
of the organization.

9.3.2 Management review inputs

The management review shall be planned and carried out taking into consideration:

a) the status of actions from previous management reviews;

b) changes in external and internal issues that are relevant to the quality management system;

c) information on the performance and effectiveness of the quality management system, including
trends in:

1) customer satisfaction and feedback from relevant interested parties;

2) the extent to which quality objectives have been met;

3) process performance and conformity of products and services;

4) nonconformities and corrective actions;

5) monitoring and measurement results;

6) audit results;

7) the performance of external providers;

d) the adequacy of resources;

e) the effectiveness of actions taken to address risks and opportunities (see 6.1);

f) opportunities for improvement.

9.3.3 Management review outputs

The outputs of the management review shall include decisions and actions related to:

a) opportunities for improvement;

b) any need for changes to the quality management system;

c) resource needs.

The organization shall retain documented information as evidence of the results of management
reviews.
Quality management system and terms and definitions

terms and definitions related to quality management systems (QMS) in ISO 13485, which is the
international standard for medical device quality management:

1. Quality Management System (QMS): A set of interrelated or interacting elements that an


organization uses to establish policies, objectives, and processes to achieve quality
management and meet regulatory requirements.
2. Medical Device: Any instrument, apparatus, appliance, software, material, or other article
used for medical purposes, including diagnosis, prevention, monitoring, treatment, or
alleviation of disease or injury.
3. Risk Management: The systematic application of management policies, procedures, and
practices to the activities of analyzing, evaluating, controlling, and monitoring risks to
achieve the desired outcome.
4. Corrective Action: Action taken to eliminate the cause(s) of a detected nonconformity or
other undesirable situation.
5. Preventive Action: Action taken to eliminate the cause(s) of a potential nonconformity or
other undesirable situation in order to prevent occurrence.
6. Validation: Confirmation through the provision of objective evidence that the requirements
for a specific intended use or application have been fulfilled.
7. Verification: Confirmation through the provision of objective evidence that specified
requirements have been fulfilled.
8. Nonconformity: Non-fulfillment of a requirement.
9. Customer Complaint: Expression of dissatisfaction or concern by a customer regarding a
medical device or its performance.
10. Audit: Systematic, independent, and documented process for obtaining objective evidence
and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.
11. Management Review: A formal evaluation by top management of the organization's QMS to
ensure its continuing suitability, adequacy, and effectiveness.
12. Document Control: A systematic approach to managing all documents within the QMS,
including creation, approval, distribution, and revision.
13. Training: Actions taken to acquire knowledge, skills, and competencies necessary for
employees to perform their assigned tasks effectively.
14. Supplier Control: Process of evaluating, selecting, and monitoring suppliers based on their
ability to meet specified requirements.
15. Traceability: The ability to identify and trace the history, distribution, location, and
application of a medical device, its constituent parts, and the materials used.

These terms and definitions provide a foundation for understanding the key concepts within ISO
13485 and quality management systems in the context of medical devices.

Identification of Processes Included in the Quality Management System

 Work environment
 Review of requirements related to the product
 Validation of processes
 Preservation of property
ISO 13485 ISO 9001
The organization shall establish and The organization shall establish and
maintain the quality management system maintain the quality management system
documented and implemented within the documented and implemented within the
organization with conformity to the organization with conformity to the
requirements of the ISO 13485 Standard requirements of the ISO 9001 Standard
The organization is required to maintain the The organization is required to act
effectiveness of the quality management continually to improve the effectiveness of
system the quality management system
While establishing the quality management While documenting its quality management
system the organization shall refer to the system, the organization shall refer to the
following issues: following issues:
The main processes of the quality The main processes of the quality
management system shall be identified and management system shall be identified and
documented according to the application of documented according to the application of
the standard (chapter 1.2). The identified the standard (chapter 1.2). The identified
processes must be implemented processes must be implemented
The relations, applications, and sequences The relations, applications, and sequences
between the processes will be defined and between the processes will be defined and
implemented implemented
Methods and criteria for effective Methods and criteria for effective
monitoring and control of the processes will monitoring and control of the processes will
be defined and applied be defined and applied
Any resources and information needed for Any resources and information needed to
supporting these processes shall be support these processes shall be adequate
adequate and available and available
The processes will be controlled, The processes will be controlled,
monitored, measured, and analyzed monitored, measured, and analyzed
according to prior specifications according to prior specifications
The organization will implement specific The organization will implement specific
measures for obtaining improvement: measures for obtaining improvement:
achievement of objectives and achievement of objectives and
maintenance of effectiveness maintenance of effectiveness
The processes will be planned, The processes will be planned,
implemented, and realized according to the implemented, and realized according to the
requirements of the ISO 13485 Standard requirements of the ISO 9001 Standard
Outsourced processes that have a direct Outsourced processes that have a direct
affect on the product’s quality shall be affect on the product’s quality shall be
included in the quality management system included in the quality management system
and shall be submitted to control and and shall be submitted to control and
monitoring as well as for continual monitoring as well as for continual
improvement improvement

Quality management system


DOCUMENTATION REQUIREMENTS

Clause 4.2.2 iso 13485

Subclause 4.2.1 is a general paragraph presenting the main documentation requirements of a quality
management system according to the ISO 13485 standard.

The purposes of the documentations are as follows:

• The achievement of quality objectives

• The prevention of nonconformities throughout the processes

• The achievement of unity and equality between all the organizational units

The quality manual is a document with a clear goal: to introduce and communicate the
intentions,scope, and structure of a quality management system in an organization.
Medical device file

Device Master Records (DMR)

The organization must maintain a specific file describing the documents for the medical device
specifications. Such a file is often referred to as a Technical File or Device Master Record (DMR).
This file will serve as a table of contents of specific documentations required for obtaining
materials, components, and specifications for manufacturing, and realization evaluation and
control of a specific medical device.

support them in a documentary manner:

• The quality objective of the medical device

• The requirements for procedures, specifications, and instructions

• The need for controls, verifications, and validations

• The requirements for records and evidence

The objective of such a file is to refer each of the organizational participants to one definite
location or file that contains master records and specifications relevant to the medical device.

4.2.3 Control of Documents

Documents must be controlled.

This is a key element of a quality management system. In order to achieve document control, a
method must be maintained. The main idea is to provide control over the documents under the
quality management system and to eliminate any confusions and mix ups of different documents
from different sources.
A Documented Method

The standard demands a method for controlling the documentation that serves the organization
for the purpose of effective planning, operations, performance, and control of process.

Definition of Document

The organization needs to distinguish between documents that will be controlled and documents
that will not be included under the QMS

. Allow me to define what a document is:

 Plans, requirements, or specifications for realization or activities

• Input for a process

• Communication of information

• Sharing of knowledge, information, or data

I suggest a table that will specify all the documents under the QMS. The fields of the table are:

• Identification number

• Description or name

• Relevant process/relevant department

• Responsible for review

• Responsible for approval

• Media

• Location

• Internal/external

• Other characteristics such as public or classified

Approval and Release of Documents

Each document used by the organization must be supervised, reviewed, and approved before
submission for use. The objective isto ensure that the document was appropriately designed, is
suitable for working, and will assist the organization in meeting the medical device objectives as
well as regulatory requirements.

Identification of Documents

Any document (internal or external) must be identified. Documents must have a name, catalogue
number, or other means of identification: an element that can identify it and submit it to the
control.

Securing Documents and Their Use

The method shall ensure that documents will remain safe and available for use.
Updated and Revised Documents (and Their Status)

The method must ensure that the latest version is always the version in use—and not an older
one. Therefore you must define a method for maintaining updated versions and elimination of
use of older versions.

Managing editions must include:

• Date of last update

• The reason/description for the update/comment

• The function that demanded the update

• The function that authorized the update

• Expiry date of the document

Changes as a Necessity

The standard demands that documents will be periodically reviewed and reapproved according
to need.

You need to identify these events and request initiation of a change, review the change and its
consequences, and reapprove the document. The method will determine:

• Identification of events or requests for change

• Identification of the relevant documents

• Identification of parties, roles, and authorities needed for the review and approval

• Method of review: what are the inputs, where and when will the review take place

• Approval and records

• Submission to the process of removing obsolete editions, and distributing and implanting the
new one

Document Removal

The method will ensure the use of updated documents throughout the organization, in work
stations, departments, or any other locations where the documents are stored. It will be
achieved with the removal of invalid documents and their replacement with the updated ones.
The input for the removal activity will be a change on a document. The method will include the
following steps:

• The document to be replaced will be identified. Whenever a change on a document is initiated,


it will result in a removal of the old edition.

• The second stage is the evaluation of the removal: where or which organizational units use the
document.

• The physical removal itself: from the work station or from a server.

• The introduction of the new edition to the relevant parties


Availability and Distribution of Documents

Each document will be available to the relevant role or function at the point of use. Defining the
availability and distribution of documents must include the following:

• User authorization: Who is authorized to use a document

• Location of the document: Where must a document be kept before and after use

• Form of availability. Paper, magnetic, system form, a product model

Archiving

Activities for archiving old documents and obsolete editions will be determined. It is necessary to
define what is to be done with old versions that are not updated, how one handles them, and
whether they are to be disposed of or archived. Invalid documents that are not disposed of are
to be indicated or marked.

Retention Time

For obsolete editions of a document, it is necessary to define the retention time according to the
following conditions:

• The retention time will be as short as the lifetime of the relevant medical device (the medical
device that the document relates to) as defined by the manufacturer.

• When regulatory requirements set retention time for obsolete documents, according to the
type of the relevant medical device, the retention time will be set accordingly.

• In any case, retention time of an obsolete edition of a document will not be less than the
lifetime of records that relate to this obsolete edition of a document.

Control of Records

Type of Records A record is evidence of performing a process or activity or an output of a


process. According to the standard, records will serve two main purposes: • Verification of
execution. Records are used to prove conformity to requirements or specifications. A procedure,
specification, or other documented requirement demands the execution of a process or activity.
With records it is possible to verify that it was done according to the specification: time,
sequence, responsibility, and activities. • Evaluation of effectiveness. With the records one can
review the effectiveness of an activity and appraise the results against criteria.

You might also like