Page 1 of 6 Global Harmonization Task Force SG3 ISO/DIS 9001: 2000 and ISO/DIS 9000: 2000 And Revision of ISO 13485 and 13488 GENERAL COMMENTS The Global Harmonization Task Force Study Group Three (GHTF SG3) is providing these comments and suggestions to ISO TC 176 and ISO TC210 WG1 for consideration. As described in the Memorandum of Understanding between the GHTF and ISO TC210, the members of SG3 look forward to working closely with WG1 to develop a revised set of standards which meet the needs of the regulated medical device community. GHTF SG3 will also be making these comments and suggestions available to other organizations, such as national standards bodies, medical device regulatory agencies and the medical device community in an effort to communicate concerns regarding the ISO 9001 2000 revision and the need to revise ISO 13485 and 13488. ISO 9001: 2000 has been drafted by ISO TC 176 to accommodate a wide community of users. These users have desired an update of the previous version of ISO 9001 which was largely based on a need for a contract between a supplier and a customer and the need of the customer to be assured of the quality of the purchased product. The revisions in ISO 9001: 2000 are intended to extend this concept to facilitate a third party assessment and certification of quality systems to a wide range of organizations, including manufacturers, service organizations and others. ISO TC 176 has stated The ISO 9001: 2000 quality management systems requirements has been specifically developed to be applicable to any type of generic product (hardware, software, services and processed materials), to be applied by any size of organization and can be implemented by any sector of industry or commerce without the need for guidance. Also, the intent is to be compatible with the environmental management system standard (ISO 14001). Whereas the objective of TC 176 may be met by these revisions, many of the revisions make the use of ISO 9001: 2000 inappropriate for the regulated medical device industry. As a tool for an industry in which the quality system is regulated, a standard must be precise in its requirements, capable of being objectively audited and limited to those quality system requirements which assure safety and performance of products. The major concerns with the ISO 9001: 2000 DIS continue to be: The process model diagram (figure 1) adds no value to the description of the process approach: the text in the second paragraph of 0.2 Process approach is clear. Currently, the figure adds confusion leading some assessment organizations to add additional requirements beyond those in the standard. We suggest that the figure and the related text in 0.2 be eliminated.
Page 2 of 6 Permissible exclusions allow the reduction of certain requirements by particular organizations. The regulated medical device industry must have clearly identified requirements that cannot be reduced by individual organizations. The permissible exclusion provision is open to too many interpretations and does not consistently accomplish the tiering of the current ISO 9001, 9002 and 9003 structure. Whereas customer satisfaction is key for commercial success, it is not a quality system requirement in the medical device industry. The medical device quality system requirements are aimed primarily at providing safe medical devices that perform as intended. Customer satisfaction belongs to the psychological domain, which is very subjective. Current quality assurance standards are in the logical domain that can be objectively evaluated. Customer satisfaction may at times be in direct conflict with safety and performance concerns. Reuse of single use devices is an example of this situation. The concepts of continual improvement and quality improvement: (ISO/DIS 9000:2000 2.2.12 Quality improvement - part of quality management focused on increasing effectiveness and efficiency. Note: The term continual quality improvement is used when quality improvement is progressive and the organization actively seeks and pursues improvement opportunities. ) are pervasive throughout ISO/DIS 9001:2000 i.e., 5.4.1, 5.4.2, 8.5.1, and go beyond the baseline quality assurance requirements of 9001:1994. Regulators in the medical device industry, for public health purposes, must be concerned with product quality and improvement through corrective and preventive actions to ensure product safety and performance. Regulators are not and should not be regulating business performance, quality efficiency, or improvements of the management system outside of corrective and preventive actions. Several requirements in ISO 9001: 1994 contain more detail, (for example internal audit, control of nonconforming product, and the corrective action); much of this detail should be retained. ISO/DIS 9001: 2000 has been generalized, and this specificity has been deleted. As such, the standard is less prescriptive and instructive which will result in inconsistency in the application and assessment of the standard. Various sections of ISO/DIS 9001: 2000 DIS are poorly worded and constructed. Some structures are in conflict with ISO Directives in that requirements are included in notes and definitions. Some examples of these are noted in the detailed comments below. RECOMMENDATIONS TO ISO/TC 210 WG1 ISO/DIS 9001: 2000 is a complete revision of the 1994 version of ISO 9001. This will outdate the current ISO 13485 and 13488. GHTF SG3 recommends that:
Page 3 of 6 ISO/DIS 9001: 2000 combines ISO 9001, 9002, 9003: 1994 into a single standard. ISO TC210 WG1 should revise both ISO 13485 and 13488 to maintain the tiering of requirements that fit many existing medical device regulatory schemes. The level and nature of the requirements should remain essentially the same. ISO 13485 and 13488 should be revised to be as similar as possible to the format and terminology of ISO 9001: 2000. This will allow organizations to meet the requirements of both ISO 9001: 2000 and ISO 13485 or 13488 with one quality system. Specific comments as detailed below should be considered in the revised ISO 13485 and 13488. SPECIFIC COMMENTS Requirement The term requirement as used throughout ISO/DIS 9001: 2000 is not always qualified, and can be misleading in intent. The term requirement is a broad based concept which should be qualified in the revised ISO 13485 and 13488. This qualification may be quality system requirement, customer requirement, standard requirement, etc. Documentation Throughout ISO 9001 2000 DIS there are references to documentation and requirements for documentation and records. These requirements are often not clear. A distinction for documented procedures is identified in section 4.2 a) that is not continued through the rest of ISO 9001 2000 DIS. For example, the last sentence of section 5.3 of ISO 9001 2000 DIS uses the term controlled which may or may not be interpreted as documented. ISO 9001 1994, 13485 and 13488 are more precise regarding requirements for documentation and records. The revised ISO 13485 and 13488 should maintain the precision and consistency in requirements for documentation and records. Process Model The process model in 0.2 of ISO 9001 2000 DIS should not be included in the revised ISO 13485 and 13488. This model is theory and inappropriate for a requirements standard. It would be misleading to organizations and assessment bodies, which may interpret it as a justification to add additional requirements on a case-by-case basis to tailor the standard to a specific organization. Additional requirements for the medical device sector should be debated and applied in an open public forum to assure a level playing field of requirements and enforcement.
Page 4 of 6 Customer Satisfaction Customer satisfaction is included in 1.1(b), 5.2 and various other sections of ISO 9001 2000 DIS. Although customer satisfaction is essential for a successful commercial enterprise, it is inappropriate as a regulatory requirement. Aspects of customer satisfaction should not be included in the revised ISO 13485 and 13488. Section 8.2.1 of ISO 9001 2000 DIS specifically requires monitoring of customer satisfaction. This should be replaced with the concepts from the existing ISO 13485 and 13488, which supplements ISO 9001 1994 in section 4.14.1. These concepts require a documented feedback system to provide early warning of quality problems. Permissible Exclusions Section 1.2 of ISO 9001 2000 DIS allows for exclusion of quality system requirements. This is inappropriate for regulatory purposes. The revised ISO 13485 and 13488 should not include the provision for permissible exclusions, but should rather include the tiering of 13485 and 13488 as described above. Continual Improvement Section 4.1 of ISO 9001 2000 DIS requires continual improvement of the organization. This requirement is carried forward in many other sections of the DIS. Continual improvement may be a key element of success for some commercial enterprises, but it is inappropriate as a regulatory requirement. The revised ISO 13485 and 13488 should continue to include requirements for compliance with customer, safety, performance and regulatory requirements. However any reference to continual improvement should be not be included in the revised ISO 13485 and 13488. Quality Policy Section 5.3 d) of ISO 9001 2000 DIS requires that only appropriate levels of the organization should receive and understand the quality policy. ISO 9001 1994 requires all levels to understand the quality policy. ISO 13485 and 13488 should be revised to include all levels. Quality Planning Section 5.4 of ISO 9001 2000 DIS includes enhanced requirements for quality planning. The enhancements clarify what was previously a confusing requirement. The revised ISO 13485 and 13488 should include these enhancements. Reporting Relationships Section 5.5.2 of ISO 9001 2000 DIS does not include the requirement that the management representative and the quality function have the organizational freedom as described in 4.1.2.1 of ISO
Page 5 of 6 9001 1994. The revised ISO 13485 and 13488 should include the requirement for the same level of organizational freedom as ISO 9001 1994. Work Environment Section 6.4 of ISO 9001 2000 DIS includes requirements for the work environment. This section should be deleted from the revised ISO 13485 and 13488. Requirements such as employee cleanliness and health should be included in sections 6.2 and 6.3 of the revised ISO 13485 and 13488 as appropriate. Realization Section 7.0 of ISO 9001 2000 DIS is titled Product and/or service realization. The term realization is confusing in this context and may not be appropriately translated. The revised ISO 13485 and 13488 should use a more appropriate term. Design and/or Development Section 7.3 in ISO 9001 2000 DIS is captioned Design and/or development. This is confusing and misleading. The issue is particularly significant because medical device regulations make a distinction between activities that precede formally establishing design input requirements and subsequent activities. The section should be reverted back to Design control and design control concepts carried through the rest of section 7.3. The definition for design and development in ISO 9000 2000 DIS should not be adopted, but rather a more appropriate definition for design control should be added to the revised ISO 13485 and 13488. The flow of activities in Section 7.3 of ISO 9001 2000 DIS is poorly worded and confusing. The imprecise use of the term requirement and the use of various elements for design inputs and review should be clarified in the revised ISO 13485 and 13488. Distinctions between design control for new or custom products should be clarified from contract review and routine orders for existing products. In section 7.3.6 of ISO 9001 2000 DIS a requirement for development validation is inappropriate and should be deleted in the revised ISO 13485 and 13488. Process Validation Section 7.5.5 of ISO 9001 2000 DIS includes new requirements for process validation. The complex issue of output that cannot be verified is clarified in the DIS. The revised ISO 13485 and 13488 should include these new and clarified requirements. Software Validation The wording in ISO 9001 2000 DIS in section 7.6 regarding software validation is unclear and should be reworded in the revised ISO 13485 and 13488.
Page 6 of 6 Control of Nonconformity Section 8.3 of ISO 9001 2000 DIS allows only one disposition of nonconforming product: correction and re-verification. The three other possible dispositions from ISO 9001 1994, Section 4.14.1 should also be available in the revised ISO 13485 and 13488. Improvement Section 8.5 of ISO 9001 2000 DIS is titled Improvement. The revised ISO 13485 and 13488 section 8.5 should be titled Corrective and Preventive Action. Paragraph 8.5.1 of ISO 9001 2000 DIS should be deleted in the revised ISO 13485 and 13488.