It’s 1995 and I am excited to be in my first team meeting, leading the implementation of not only ISO 13485, but the new Quality System Regulation! I’ve read everything I can read about what a “Quality Management System” or QMS is, and why we need one. We have an ISO 9001 certificate, so it’s not completely foreign – but it’s apparently going to change how we manufacture. And my R&D colleagues are up in arms over the controls this will bring for them!
First things first – we need to educate everyone. I pull in the VCR and TV cart, and we pop in the beginning of the 4-hour series of videotapes called “New Quality System Regulation.” We learned together – deciding on how these new concepts would fit in our business. Our tolerance for not doing it by the book was low – we were an international company – a small subsidiary of a large company. And we were determined to shine. Thus began my auspicious career as a serial QMS implementation offender.
I have implemented many full QMS since and improved even more. I have harmonized, I have simplified, I have streamlined, and even beefed up. I have applied similar processes for IVD’s, Medical Devices, Pharmaceuticals, Biologics, and Human Cell and Tissue Products. Of course, with practice, most things become rote and quite easy. But I can tell you, it’s not as clear-cut with QMS implementation.
Many articles have been written espousing the ease of new electronic QMS (eQMS) system implementations – one-size-fits-all, standard regulatory expectations make for simplified workflows! Maybe theoretically, this is true. But every company, every product, every site, every nuance of regulatory structure, and every management team has a different threshold for how much risk they want to take in how they manage their business and their QMS. No eQMS is one size fits all…
In each case, there are essential questions to answer. Where is the company in its maturity? A start-up may take more risk – or less. If they are a privately held company, they may have no one to “answer to” if they receive a few observations during an audit. Or is it traded publicly – and the risk for a 483 or major nonconformance would be too much? What is the likelihood that they will be inspected by the FDA at all? A lower-risk device may not be high on an FDA priority list; on the contrary, a critical service, like sterilization or biocompatibility testing, may pop up on the list fairly often.
What is the “personality” of the organization? A highly detail-oriented CEO may need complete visibility into each site’s performance, while a more strategic or visionary CEO may just need to know nothing is burning down. Is the company an amalgam of several acquisitions? Or has it been grown together organically?
I have never completed an implementation or improvement of a QMS without completing a full risk assessment of the company, its processes, practices, and people.
I have never completed an implementation or improvement of a QMS without completing a full risk assessment of the company, its processes, practices, and people. And the risk assessment has never been a cut-and-paste activity. The assessment tool itself must be customized. Does high risk mean it will give me a warning letter or an internal nonconformance? Does the risk level need to include how the human resource is expended – high risk means we need more people to run the system or does high risk mean we need different skill sets/people to run the system?
Twenty-seven years later, in 2022, no pre-canned workflow can answer these questions. Every time a new implementation or improvement is started, I’m in the same spot as in 1995. Pulling the team together to learn about the regulations and how they apply to that place, at that time, with that product or service. And then it begins again.