The 2015 revision of the ISO 9001 quality standard contains fundamental changes to the structure and contents of the standard and offers a preview of some revisions to ISO 13485 expected in the coming year.

Walt Murray

(click to enlarge)

ISO recently published quality management system (QMS) standard ISO 9001:2015. As a result, regulated companies with or that are seeking ISO 9001 certification now have three years to meet the QMS requirements in the 2015 edition of the standard.

The 2015 version follows a new, higher-level structure developed by ISO to ensure that management system standards are aligned with a set of common requirements. All ISO management system standards are now required to adopt the structure, with the purpose of making it easier for organizations to address the requirements of more than one ISO management system standard within a single, integrated system.

One of the key changes in the 2015 revision is an explicit requirement for risk-based thinking to support and improve the understanding and application of the process approach. In fact, risk is covered in nearly every section of ISO 9001:2015, and there are considerable changes to the application of risk.

Risk-based thinking makes preventive action part of strategic and operational planning, so reference to preventive action has been replaced with "actions to address risks and opportunities" in ISO 9001:2015. The standard now requires that organizations and top management identify--from a risk-management perspective--and address any internal and external factors that may affect their QMS's ability to deliver intended results to customer requirements.

ISO 9001:2015 Helps Forecast Forthcoming ISO 13485 Changes

The updated standard directly affects all kinds of manufacturing organizations, including medical device manufacturers. The changes also have implications for other standards, including ISO 13485, which outlines QMS requirements for medical devices.

For medical device manufacturers, the publication of ISO 9001:2015 offers something of a preview of forthcoming revisions to ISO 13485, as corresponding changes are expected to follow.

ISO 13485 is often harmonized with ISO 9001. Whereas ISO 9001 can be used by any company within any industry sector, ISO 13845 is tailored specifically to medical device companies. Currently, ISO is in the process of finalizing draft international standard (DIS) ISO 13485:201X, which is expected to shift to a similar orientation as 9001:2015. Medical device companies will then have three years to transition to the new ISO 13485.

As such, ISO 9001:2015 can help medical device manufacturers anticipate some changes that will eventually be reflected in the ISO 13485 standard. For instance, the final ISO 9001:2015 standard and the DIS of 13485 have increased representation of risk.

Like the final ISO 9001:2015, the DIS of ISO 13845 places significant emphasis on risk management and stating that a risk-based approach is needed when developing processes. Preventative maintenance is not enough. Anything the medical device company does that affects the QMS must be viewed from a risk perspective. It requires device manufacturers, as well as their subtier suppliers and contractors, to apply risk management and risk analysis from product development through product realization.

Like ISO 9001:2015, when processes are outsourced, the DIS of ISO 13485 wants organizations to look at controls from a risk perspective. If a supplier fails to meet specifications, how will that affect the organization's quality system?

Risk is further emphasized in a number of other areas of the DIS of ISO 13485, including human resources. If an employee is incompetent, what are the risks to quality?

For medical device manufacturers providing life-enhancing products, there are risks in all systems, processes, and functions. That is why in the medical device industry, where safety to the patient and consumer is paramount, risk management is a critical part of all processes.

With both ISO 9001:2015 and DIS ISO 13845 emphasizing a more risk-based view of the entire quality system, medical device manufacturers should be working now on incorporating the concepts of risk management and risk-based thinking to ensure that risk is considered from the beginning and throughout the quality system.

Walt Murray is director of quality and compliance consulting services at MasterControl. Reach him at [email protected]. To learn more, check out MasterControl's three-part webinar series on preparing for ISO 9001:2015 changes or hear Murray speak about process validation planning at the MD&M West Conference.

[image courtesy of MASTERCONTROL]