Which of the following is a structured and documented management system describing the policy responsibilities and implementation plan for ensuring quality?

Documentation requirements [4.2]

What is this requirement and what happens if one does not meet this requirement?

The quality management system is being implemented in order to help an organisation to constantly develop its quality. Thus, it is important when building a quality system that one conforms to the requirements and guidelines set in the standard, especially if one plans the auditing of the quality management system. The foundation of the plan is the strategic work being done in a library. The goals which are set must be based on the strategic goals of an organisation. It is important that one determines processes that are used in producing and delivering products, as well as how their success and efficiency is to be monitored.

On the other hand, the continuous maintenance of the QM systems is important. The needs of the customers, especially, can change dramatically over a very short period of time. This means that the QM system and its documentation must be updated at least annually and that one needs to nominate for every part of the system and its documentation an individual who will be responsible for this updating activity.

Sound planning usually results in a sound system when it is also implemented properly. When management provides adequate resources for the planning, it sends a signal that the planning is a worthwhile activity. On the other hand, if one does not maintain the QM system, it will become obsolete and outdated quite soon and this can even impede the efficiency of the people working within the library.

2.3 Standards and Guidelines for a QMS

Structure of a medical device quality management system

The components of a QMS (Fig. 3.1) can broadly be described as below.

Management Responsibility: This component of the QMS defines the supervisory activities (e.g., audit, metric review) that are needed to ensure that the QMS is compliant with quality objectives and policies and that the processes are being executed properly. For those reading the book who come from a traditional IT background, the easiest way to understand Management Responsibility is that this is analogous to the classical IT governance function, responsible for operational excellence, keeping the QMS compliant with all regulatory and customer expectations. To quote from 21 CFR Part 820, “Management with executive responsibility shall review the suitability and effectiveness of the quality system at defined intervals and with sufficient frequency according to established procedures to ensure that the quality system satisfies the requirements of this part and the manufacturer's established quality policy and objective.”

Resources: This component of the QMS is responsible for the “people” aspect of the classic “people–process–tools” troika. It ensures all the activities are properly resourced, personnel have proper technical background and are trained appropriately for their job functions, and that personnel are provided with the proper tools necessary to perform their responsibilities.

Design Control: This component of the QMS, as the name implies, is responsible for ensuring that all phases of the product design process are properly executed. Specifically, the Design Control component defines processes such that product plans are clearly articulated, design inputs (e.g., requirements) and outputs (e.g., software design, code) are clearly defined, and the entire system as well as subsystems (electrical, mechanical, and software) is verified and validated as per design input, with links being maintained throughout (e.g., linking every design input with design output, ensuring that all requirements have test cases, etc.). A critical aspect of Design Control is defining processes for risk management, to ensure that risks to patient safety and product efficacy are controlled, not just during product design (premarket) but also after the product is released (postmarket)

Process and Production Control: This component of the QMS serves to ensure that products are being manufactured according to the product design, that manufacturers and suppliers are being assessed for quality, and that the final shipped product meets regulatory and customer requirements as articulated in quality objectives and policies.

Product Surveillance: This component of the QMS defines processes for postmarket monitoring of signals such that the MDM is aware of operational issues with their product. Operational issues are captured through various means including complaint handling (the customer tells you what is wrong), proactive monitoring (performance logs and metrics are collected from the devices themselves), and vigilance (social media monitoring, proactively querying users, etc.). The operational issues are then analyzed to check if they are resulting from product defects. If defects are identified, the risk of the defect to patient safety and product efficacy is evaluated using the risk management process.

Corrective and Preventive Action (CAPA): This component of the QMS defines processes for improving product and process quality once an actual or potential product defect is identified. The first step in CAPA is identifying the defect and isolating the defective component(s). Once that is done, interim control measures need to be defined such that more defects are not introduced while the root cause for the defect is being identified. The next phase of a CAPA is root cause analysis, to investigate whether the root cause of the defect was in the process definitions within the QMS itself (a faulty process will produce a faulty product) or whether there were issues with process execution. Example process execution issues include failing to allocate proper resources for the activity or personnel were not provided proper training. Once the root cause is identified, other defective components may be discovered as stemming from the root cause. The defective items need to be fixed (correction) and the root cause in the QMS needs to be remediated through corrective/preventive actions such that further defective items are not produced. An effectiveness plan needs to be defined, such that the QMS is monitored, for a certain period of time, to ensure that the root cause has actually been remediated by the corrective/preventive actions taken, and that no more defective components are being produced as a result.

Change Management: This component of the QMS defines the process for managing change. The product design may have to undergo change based on the root cause of defects identified as part of the CAPA process, because of technological enhancements, or due to changing customer and regulatory requirements. Change Management ensures that the product and all related documentation (sometimes called the Design History File) are kept in sync. The QMS itself also might change. This could be because of the root cause of defects was traced to processes within the QMS. Even when there is nothing fundamentally wrong with the QMS, quality objectives and policies undergo changes, driven by new regulations and standards and customer expectations. The changes are usually effected through the definition of a Quality Plan. A Quality Plan contains the rationale for why an update to the QMS is required, the activities and process updates that are required to accomplish the QMS update, and finally, roles, responsibilities, and timelines for effecting the change.

One of the major misconceptions that used to abound in the medical device industry a few years ago was whether regulatory authorities like the FDA even had jurisdiction over the security of a device, given that their remit, as defined in the laws, limit them to safety and efficacy. This misconception had so taken root that the FDA itself had to issue additional clarification to address this under the section “Dispelling Myths” [27].

Myth: Cybersecurity for medical devices is optional.

Understanding the Facts: Medical device manufacturers must comply with federal regulations. Part of those regulations, called quality system regulations (QSRs), requires that medical device manufacturers address all risks, including cybersecurity risk. The pre- and post-market cybersecurity guidances provide recommendations for meeting QSRs.

Cybersecurity threats contribute to system risks, and hence, what the FDA is saying is that any QMS, that is compliant with FDA's quality objectives (which are the law), must address this aspect.

As to the EU jurisdiction, the mandate for cybersecurity is more directly written into law than in the US CFR. For the EU, medical device cybersecurity falls under EU-Regulation (EU) 2017/745 on medical devices (also known as MDR) and EU-Regulation (EU) 2017/746 on in vitro medical devices (also known as IVDR) [12]. The Medical Device Coordination Group has published a Document MDCG 2019-16 titled “Guidance on Cybersecurity for medical devices” that extracts out, in Sections 1.3 and 1.4 [13], the exact clauses from the EU-MDR and EU-IMDR regulations that mandate cybersecurity measures. Health Canada also makes explicit the consideration of cybersecurity features of products as part of device regulatory submissions in the following manner, where “these elements” in the extract below refer to the cybersecurity requirements articulated in the guidance document [5]:

During the evaluation of Class III and Class IV medical device license and license amendment applications, Health Canada will consider these elements in the assessment of the safety and effectiveness of the device. The elements listed above, and Health Canada's expectations with respect to each element, are outlined in the subsequent sections of this guidance document.

Now that it has been established that cybersecurity is a definitive regulatory requirement, common to multiple jurisdictions, cybersecurity should be considered to be one of the quality objectives of a medical QMS. This raises two critical questions:

What cybersecurity elements need to be incorporated within a medical QMS in order for it to be compliant with global regulatory quality objectives on cybersecurity?

How can an MDM integrate these cybersecurity elements into the QMS?

Let us look at these two questions in a bit of detail.

Public archives and government libraries

There are also examples of registered quality system management in public archives and government libraries. In Italy, the Biblioteca della Regione Piemonte and the Biblioteca dell’Assemblea Legislativa della Regione Emilia-Romagna in Bologna have certified quality systems. In Portugal, the Arquivo Municipal do Porto developed its quality system by using ISO 9001 (Real, 2006).

In Spain, some examples of quality systems within the public sector are the Alicante Provincial Council Archives (Martinez Micó, 2001), the National Archives of Catalonia (Cruellas and Petit, 2005) and the General Archive of the Universidad Complutense de Madrid in 2006 became the first university archive in Spain to obtain the quality management certificate according to the ISO 9001:2000 standard (Simón Martín et al., 2010).

In Brazil, ISO 9001 was adopted by the Biblioteca Ministro Victor Nunes Leal do Supremo Tribunal Federal (Walter, 2005). In Mexico, the Archivo General del Poder Ejecutivo del Estado de México (General Archive of the Executive Branch) was the first archive to be awarded the ISO 9001 certification (Alanís Boyzo and Valverde Mejía, 2003). In Singapore, the National Archives received the ISO 9001:2000 certification for its imaging and preservation services in 2003.

Criteria for identifying regulations, standards, and guidance that drive cybersecurity strategy

Which regulations, standards, and guidance should the MDM's QMS comply with? Who decides and based on what? Regulations and guidance issued by regulatory regimes in countries which the MDM does business in obviously have to be tracked through the QMS. But what about cybersecurity standards cited by regulators, such as NIST CCF [1] or NIST 800–53 [2] or the UL2900 series [3]? Does the MDM intend to comply with them too? One should remember that once a decision is taken to formally comply with a standard, one has to continuously monitor compliance else one runs the risk of being written up by an auditor. Unfortunately, decisions to comply with standards are sometimes taken without first considering the cost of maintaining compliance by personnel who are not authorized to approve the resultant financial load on the organization's resources. Besides standards cited by regulatory bodies, there are IT cybersecurity standards (e.g. ISO/IEC 27001 [4] for infrastructure, FedRAMP [5] for cloud deployments, and HITRUST [6] for data privacy) that MDMs need to comply with in order to satisfy customer requirements and corporate IT policies. Decisions should be made as to which of these standards are to be tracked through QMS compliance processes and which through IT governance processes that exist outside the QMS. Usually, regulations and regulatory guidance are tracked through the QMS because the QMS is what regulators audit, while general IT cybersecurity standards are tracked outside the QMS through the IT governance process.

6.3.5 Using a Client’s QMS

The Forensic Laboratory may occasionally be required to use and conform to a Client’s QMS and procedures as a condition of performing work for that Client.

The Forensic Laboratory’s QMS may not match the Client’s QMS, in a number of areas. In the event that a situation such as this arises, the Forensic Laboratory shall attempt to conform to as much as possible to their own QMS within the constraints imposed upon them by the Client’s QMS, as appropriate.

Ideally, at the proposal stage of work with a Client, the Forensic Laboratory Client Account Manager shall ascertain whether the Forensic Laboratory’s QMS is acceptable to the Client.

If the Client decides not to accept the Forensic Laboratory’s QMS and requires that the Forensic Laboratory conforms to its QMS, the Client Account Manager must document and agree to the differences between the Forensic Laboratory’s and the Client’s QMS and confirm to the Client the following items, in writing:

those aspects of the Forensic Laboratory QMS that will be followed;

those aspects of the Client QMS that will be followed;

areas where no provision is identified or agreed. This may be subject to later agreement and updated documentation.

The Forensic Laboratory will then proceed with the case using the identified “hybrid” QMS.

Top Management may also consider excluding the case from the Forensic Laboratory’s QMS.

What is this requirement and what happens if one does not meet this requirement?

ISO 9001 states the requirements necessary to establish a quality management system at organisations that need to demonstrate their ability to provide products that meet customer and applicable regulatory requirements and to enhance customer satisfaction.

The first aim of a quality system is to meet customer requirements and to enhance their satisfaction. For this reason, the scope of the standard embraces all activities in an organisation that serves to meet the satisfaction of customers. Does the library do any activity not useful for either internal or external customers? Then, why should it perform a task that does not add any value to library processes? Thus one can consider that few if any activities conducted in the library can be considered to be outside the scope of the quality management system.

There are two interesting notes in this clause. The first refers to the fact that although the term 'product' is widely used, ‘it applies to the product intended for, or required by, a customer or the product realization processes’, so, in that sense, a service is considered as a product. It is helpful because most of the library’s interactions with library users are considered a service and the standard establishes the quality requirements to produce these services.

The second note is a reminder that statutory and regulatory requirements may be expressed as legal requirements. One has to prepare a quality system which takes into consideration not only the users’ requirements but also the social and legal framework in which the library exists. For example, some library users would be very happy if a library simply ignored the existence of copyright laws, but the library cannot meet this demand.

The quality system helps to optimise internal processes and to improve the professionalism of the library’s teams, and thus one can assume that it will increase customers’ satisfaction. Why is it, then, that one sometimes hears customer – internal or external – complaints that after the implementation of the QMS, things have become more complicated? One can usually find the reason for this contradiction in a poorly focused application of the standard. One must keep in mind that the implementation of the standard and one’s own QMS must never increase bureaucracy or hinder the everyday work, but they are intended to help it.

ISO 9001 – Quality management systems

Readers may be familiar with the International Standard ISO 9001 – Quality management systems. A significant number of global organizations insist that their suppliers are certified to ISO 9001. When purchasing a centrifugal pump, for example, besides requiring that the supplier be certified to ISO 9001, an oil and gas organization will insist that the pump conforms to the standards API 610 – Centrifugal pumps for petroleum, petrochemical and natural gas industries or the identical ISO standard with the same title, ISO 13709. In this way by reference to the conformance clauses in the standard, the buyer can verify if the goods delivered meet the required standard and specification.

General [0.1]