ISO 9001 and ISO 13485: New Risk Management Requirements Present Challenges

The new ISO 9001:2015 standard and the anticipated reboot of ISO 13485 could create hurdles for medical device manufacturers.

January 27, 2016

Thomas C. Bowles

Recent months have seen extraordinary changes in the standardization landscape, particularly regarding the application of risk management. While risk-based decision making has always been implied in every version of the ISO 9001 standard, it is now explicit. And the new ISO 9001:2015 standard released last September does not make just a single mention of risk management as we find in Section 7 of ISO 13485; risk-based thinking is now pervasive throughout the entire standard, appearing in nine different sections.

[In an MD&M West session on ISO 13485 and ISO 9001, Bowles will help the attendees understand the changes to ISO 9001 and ISO 13485 and provide them the tools needed to help implement the new standards.]

While the additional requirement for risk management is the most striking change to the standard, there are other meaningful changes that the standards subcommittee has implemented in an effort to harmonize all of the top-level standards to follow the common Annex SL template. The overall goal is to provide a stable framework of requirements to satisfy our needs for the next 10 years. This revision is based on the introduction of seven major quality management principles, including the following:

  • Enhanced customer focus.

  • Focused leadership.

  • Engagement of people.

  • A system approach to management.

  • Improvement.

  • Risk-based decision-making.

  • Mutually beneficial supplier relationships.

Following these harmonizing guidelines requires us to apply new thinking and understanding to our quality management approach. Where the previous specification dealt primarily with products, we must now give equal attention to goods and services. The long-standing distinction between documents and records has been dissolved and reformed into “documented information”, recognizing the technological shift to electronic information systems. The new standard now emphasizes a process-based approach yielding outputs rather than products (which was a narrower interpretation) using a plan-do-check-act cycle to refine the processes. There is now a focus on leadership rather than management. Where management is mostly about processes and control, leadership on the other hand is more about behavior and the ability to motivate groups towards achieving a desired goal.

The new standard has been reorganized from eight sections into 10. However, the content remains generally the same; the two new sections come from within. The previous subsection 5.4—Planning has been promoted to a full Section 6 to give emphasis to the planning process, and Section 8—Measurement, Analysis and Improvement has been split into two sections: Section 9—Performance Evaluation and Section 10—Improvement, comprising nonconformance, corrective action, and continuous improvement. With that restructuring comes the emphasis on applying the plan-do-check-act cycle to all processes and the quality management system as a whole.

Another important concept introduced in this new standard is context of the organization. The intent of this new section is that the organization determine all of the internal and external influences and issues that are relevant to its purpose and define those that affect its ability to achieve the intended outcomes. This, for the first time, requires us to define the interested parties, those stakeholders that affect our decision making and processes, and to recognize the needs and expectations of our customers. This is a broader and more comprehensive approach than the traditional “voice of the customer.” As a part of this process, organizations must now define the scope of their quality management system. The standard even allows organizations to exclude parts of the standard from their scope where it is justified. Organizations have not had this flexibility.

The key question is: how will this new ISO 9001 standard integrate into our quality management system based on ISO 13485 in its coming incarnation? The planned revision to ISO 13485 was expected last year, prior to the issuance of ISO 9001, but has been delayed at least a year, well into 2016. In the meantime, the two standards have taken a divergent approach to management controls, product life cycles, and even risk management. The bad news is that the new revision to ISO 13485 is not expected to be aligned with the drive towards harmonization by following the Annex SL template. We do expect the new standard to focus on management responsibility, the supply chain and outsourcing, product lifecycle management, and the heightened emphasis on maintaining the infrastructure and, for the first time, real guidance on software validation. Unfortunately, those of us in organizations certified to both standards have lost our lockstep connection between the standards, which were nearly verbatim. There are additional headaches in store for those organizations that have combined ISO 9001 and ISO 13485 on a single certification certificate. The divergent specifications will probably require separate certification audits and a separation in our quality manual and our quality management system. Those of us also certified to AS9100 for aerospace quality systems face an even greater challenge since we have lost that lockstep to ISO 9001 as well.

This very fluid standardization situation is the environment that organizations certified to more than one standard find themselves in, trying to comply with standards that no longer track each other. Unification is one of the ultimate goals of the harmonization efforts.

Thomas C. Bowles is director of quality assurance at FUTEK Advanced Sensor Technology Inc. Reach him at [email protected]. You can also hear him discuss ISO 9001 and ISO 13485 at the MD&M West conference on February 11, 2016, at 1 p.m. 

