How to effectively implement and manage Quality Management Systems - Pt 2

Regulatory
Written By Mike Pogose

In part 1, we outlined the key concepts of a quality management system (QMS), explored what a QMS is – and what it is not – discussed why a QMS is required by law and who needs it, and provided an overview of the structure of a QMS. Now, in part 2, we'll move on to the practical side of implementing and managing a QMS effectively. Now then, back to Kipling’s six honest men…

Who are the stakeholders involved in a QMS?

Since a QMS is essentially about how an organisation operates, everyone whose work affects product quality or production is involved. In other words, a QMS touches nearly all parts of the business. Here's a breakdown of key stakeholders:

  • The Chief Technical Officer (CTO) or Chief Product Officer (CPO) and their teams are responsible for design and development, which includes gathering customer requirements and potentially validating those requirements with customers.

  • The Chief Medical Officer (CMO) or Chief Scientific Officer (CSO) provides clinical subject matter expertise, covering areas like clinical or performance evaluations and postmarket surveillance.

  • The Chief Information Officer (CIO), if separate from the CTO, may oversee information security and data protection.

  • The Chief Operating Officer (COO) or Chief Financial Officer (CFO) is responsible for human resources, infrastructure, and the work environment.

  • Don’t forget marketing - yes, even your marketing department needs to understand what claims are being made, what evidence has been demonstrated and ensure marketing aligns with regulatory documentation.

Ultimately, the Chief Executive Officer (CEO) is accountable for ensuring the organisation has the necessary resources – money, people, infrastructure and tools – to operate the QMS effectively.

A note on certification

An ISO 13485 or 9001 QMS and an ISO 27001 ISMS can be certified, which gives assurance to customers of adequacy, conformity and effectiveness:

  • Adequacy means that the QMS adheres to the standards and regulations that are claimed for it

  • Conformity means that the company is actually following their own QMS, not just having it as an ornament to be shown to customers

  • Effectiveness means that the company is achieving its Key Performance Indicators (KPIs) or Objectives and Key Results (OKRs) for product and service quality i.e. fitness for purpose of the things it makes and does

A QMS can be certified to provide assurance that it is adequate, conforms to the standards, and is effective. This certification can come from different types of bodies:

  • A certification body (CB): These are usually used by suppliers to medical device manufacturers.

  • A UK Approved Body (AB) or EU Notified Body (NB): These are used to certify the QMS for higher-risk devices (Class IIa and above, or Class B and above IVDs under the EU IVDR).  As stated in both the EU MDR and IVDR “The manufacturer shall lodge an application for assessment of its quality management system with a notified body” i.e. any QMS certificate from a CB will ultimately need to be replaced by a certificate from an NB, so the manufacturer may as well start with an NB certificate and save the cost of a prior CB certification.  

In the US, the FDA doesn’t require QMS certification but does inspect companies to ensure their QMS is operational before devices are marketed.

In Canada and some other jurisdictions, an MDSAP (Medical Device Single Audit Programme) QMS certificate is required, again not a CB certificate.

Where are the activities covered by the QMS?

It's never too early to begin setting up a QMS, especially when you're planning a minimum viable product (MVP). However, it’s essential to allow enough time for the QMS to be fully established before you seek certification.

Generally, setting up a QMS and generating enough records for a successful audit takes at least six months. Conveniently, that’s about how long it takes to wait in the queue to be audited. During this time, you’ll need to:

  • Customise the QMS templates for your organisation.

  • Obtain approval from key stakeholders (CEO, CTO, CMO, etc.).

  • Begin using the QMS to generate records that demonstrate that the QMS is operational.

If your QMS includes 20 procedures, you could aim to design and establish one per week, which means a minimum of 20 weeks to complete the process. With bespoke templates and expert input, this process can be streamlined of course. Once the QMS is in place, you’ll need around three additional months to show that it’s being used effectively across all areas of the organisation. This involves:

  • Fully integrating all staff and contractors into the human resources procedure.

  • Incorporating critical suppliers into the supplier management process.

  • Validating all software tools used in the eQMS and eDMS.

  • Conducting management reviews – regular meetings where top management assesses the adequacy, conformity, and effectiveness of the QMS.

  • Implementing an internal audit programme to show that the company can effectively monitor its own QMS.

  • Creating Corrective and Preventive Action (CAPA) records to demonstrate that issues found through audits or product development are being addressed systematically.

In addition, when it comes time for certification, the auditing body (such as an AB or NB) will typically want to see evidence that at least one product has gone through the design control process. This involves planning, design input, design output, design verification, and design review. For SaMD and SiMD, this means completing the entire process from requirements analysis to detailed design and verification, even if design validation or transfer hasn’t been finalised yet.

For physical hardware, it may mean that a prototype or pilot batch has been produced according to the QMS.

The timeline for setting up and certifying a QMS is often overlaid on the company’s engineering schedule, which may take longer than actual QMS implementation.

How to store and retrieve ‘documented information’

In today's world, it's assumed that all documents and records will be stored digitally and in the cloud, rather than on paper. This allows remote access for staff, contractors, and external bodies such as certification bodies (CBs), Approved Bodies (ABs), and Notified Bodies (NBs), who may conduct audits partly on-premises and partly via videoconference.

There are many eQMS and eDMS solutions available, and part of your company’s regulatory strategy should involve deciding which platform to use. Key considerations include:

  • How much you’re willing to spend on setup and subscriptions?

  • The preferences and familiarity of your team – for example, whether software engineers are already comfortable using platforms like Atlassian Jira and Confluence, which are perfectly acceptable, if configured appropriately, as eQMS and eDMS solutions.

How Hardian Health can support you

At Hardian Health we can support you through establishing and maintaining your QMS, including developing the regulatory strategy that will define which QMS and IMS elements are mandatory or desirable; we can also support you through establishing and maintaining Medical Device Files (MDFs) documented under the procedures in the QMS.

Hardian Health is a clinical digital consultancy focused on leveraging technology into healthcare markets through clinical strategy, scientific validation, regulation, health economics and intellectual property.

Mike Pogose

By Mike Pogose, Director of Quality Assurance & Regulatory Affairs

Previous

UCL spin-out achieves FDA Breakthrough Designation with Hardian 
Next

Big challenges meet bright solutions at the Hardian Health Tech Summit