ISO 13485: QMS Requirements of Medical Devices for Regulatory Purposes

by Dr. IJ Arora

ISO 13485:2016 is a standard that addresses quality management system requirements for those within the medical device industry. It is based on the systems-based approach found in ISO 9001:2015, but because it emphasizes requirements for regulatory purposes, it does not align with ISO’s harmonized structure (HS). In many ways, ISO 13485 does align with the HS, particularly in the structure and foundational principles of quality management.

The introduction of ISO 13485 explicitly states that the standard is aligned with ISO 9001, and this connection is important for understanding how the two standards relate to each other. I am a bit surprised as to why ISO 13485 isn’t fully harmonized with the HS as defined in Annex SL, which is the specific document within ISO standards that outlines the HS. I believe that if this standard were aligned to the HS, it would make implementation much less laborious for all involved.

The ISO 9001 foundation

The 2015 version of ISO 9001, which is presently under revision, provides a good basis for all standards. As mentioned, ISO 13485 has its roots in ISO 9001, which is why the key QMS principles (e.g., customer focus, leadership, process approach, continual improvement, and evidence-based decision making) central to ISO 9001 are also embedded in ISO 13485.

ISO 13485 includes several core concepts and clauses from ISO 9001. Clause 4 on quality management systems (e.g., structure, documentation requirements, and the scope of the QMS); cause 5 on management responsibility (e.g., top management involvement, resource allocation, and internal audits); and clause 8 relating to measurement, analysis, and improvement (e.g., monitoring, corrective actions, and continual improvement), are just some of these examples.

As I study, teach, consult, and audit using ISO 13485, I wonder why the standard Is not fully harmonized with similar standards as laid out in Annex SL. In consulting, I feel the pain of organizations that must meet regulatory requirements and so tend to overlook the process-based management system (PBMS) approach as the fundamental to the plan-do-check-act (PDCA) cycle. This regulatory focus is one reason why, although ISO 13485 shares many similarities with ISO 9001, it is not fully aligned with the HS. ISO 13485 places a strong emphasis on compliance with regulatory requirements specific to the medical device industry. The standard’s clauses addressing design and development, post-market surveillance, risk management, and traceability requirements are all far more extensive than those found in ISO 9001. Annex SL focuses more on general management practices and less on industry-specific regulatory controls. The detail and specificity required for medical device safety and compliance often necessitates a structure that goes beyond the framework of the HS.

Overcoming differences

Different scopes and audiences are also a consideration in that, while ISO 9001 is a general quality management standard applicable across industries, ISO 13485 is designed specifically for organizations that manufacture medical devices. These organizations must meet stringent regulatory requirements that go beyond what ISO 9001 addresses. Because of this, ISO 13485 requires more detailed processes related to product lifecycle management, post-market activities, risk management, and regulatory controls, which aren’t adequately covered under the more generalized HS. ISO 13485 includes a much stronger emphasis on managing the product’s entire lifecycle, from design and development to post-market activities (e.g., complaint handling and vigilance). Although ISO 9001 mentions product realization, ISO 13485 goes into much greater depth, including extensive requirements for design control and risk management. These elements reflect the higher level of scrutiny needed in the medical device industry, where safety and compliance are paramount.

With that said, I believe that these differences don’t prevent ISO 13485 from being organized according to the HS format. The standard would not only help medical device manufacturers’ management systems conform with specific regulatory requirements but also meet the obligations for continual improvement. After all, registered organizations in the aerospace and automobile industries already do just that via sector-specific management system standards that are harmonized with ISO 9001.

The structural differences in the clauses found in ISO 13485 and the standards adopting the HS are not too far apart. Although ISO 13485 is aligned with ISO 9001, it diverges when it comes to specifics that are unique to the medical device sector and regulatory requirements.

ISO 13485’s clause 7, “Product Realization” includes additional elements, such as design controls and regulatory compliance requirements, that are critical in the medical device industry. Post-market surveillance and complaint handling are central to ISO 13485, but the HS doesn’t go to the level of detail necessary for medical device manufacturers.

ISO 13485 emphasizes the need for continuous monitoring of device performance, even after they are on the market, ensuring any issues are identified and addressed in a timely manner. I believe ISO 9001’s subclause 9.1.2, “Customer Feedback,” can be updated to incorporate this requirement.

Risk management is a vital consideration. ISO 13485 integrates risk management into the standard in a way that is far more structured and pervasive than what is found in ISO 9001. ISO 13485 has a more detailed approach to identifying, assessing, and mitigating risks throughout the lifecycle of medical devices. However, these added requirements could be added to subclause 6.1.1 (““Actions to Address Risks and Opportunities”) or subclause 8.1.1 (“Operation Planning and Control”) found in the HS.

ISO 13485 includes specific requirements for design and development processes, which are critical in medical devices due to their complexity and potential risk to patient safety. The HS doesn’t provide this level of detail for other types of products or industries.

Identifying similarities

Notwithstanding the differences between ISO 13485 and the standards that align with the HS, there are also some key similarities. As with ISO 9001, ISO 13485 is built around seven quality management principles: customer focus, leadership, engagement of people, process approach, improvement, evidence-based decision making, and relationship management. Continual Improvement of the quality management system is part of both standards, emphasizing the need for a strong focus on monitoring, auditing, corrective actions, and reviews. Document control is another similarity. Both ISO 13485 and ISO 9001 stress the importance of clear and accurate documentation to ensure that quality management processes are defined, monitored, and maintained effectively.

In keeping itself separate from the HS, ISO 13485’s clause structure, despite being based on ISO 9001, serves to meet the unique needs of the medical device industry. The decision not to fully harmonize the standard with the structure seen in Annex SL likely stems from the need to ensure a tailored regulatory focus. ISO 13485 is aligned with a variety of regulatory frameworks across different countries and regions (e.g., FDA, EU MDR, TGA, etc.). These regulations require specific processes that go beyond the generic, high-level harmonized framework provided by Annex SL to facilitate combined/ integrated management systems. The structure of ISO 13485 allows for a more detailed, industry-specific approach to product safety, efficacy, risk management, and compliance. Product lifecycle control is an essential part of the medical device industry, and it has a complex lifecycle that includes design controls, manufacturing processes, and post-market activities that require more attention than the HS would provide.

Looking at a few additional clauses reveals that ISO 13485 follows a specific structure that allows it to emphasize the unique aspects of medical device quality management while maintaining consistency with other ISO standards.

For example, Clause 1, “Scope,” is relatively straightforward and outlines the scope of the standard, which is specific to organizations that design, manufacture, and maintain medical devices. The clause also highlights exclusions (for example, aspects not applicable to the organization), which is quite typical in a quality management standard.

Clause 2, “Normative References,” lists the documents referenced within ISO 13485, which is typical for any ISO management system standard. The important point here is that ISO 13485 requires compliance with relevant regulations and standards, particularly those in the medical device sector.

Clause 3, “Terms and Definitions,” is crucial because the terminology in the medical device industry can be very specifically. Definitions clarify terms that might have different meanings in other industries (e.g., what qualifies as a “medical device,” “design verification,” or “post-market surveillance”). This ensures uniformity and understanding across the industry.

Clause 4, “Quality Management System (QMS),” describes the basic requirements for establishing and maintaining a QMS, which is a fundamental aspect of ISO 13485. This clause outlines the need for a quality policy, the establishment of objectives, and the requirement to continually improve the QMS. These are common in all ISO standards but are tailored here to fit the needs of the medical device industry.

Clause 5, “Management Responsibility,” covers executive involvement as a key theme. In ISO 13485, it emphasizes top management’s responsibility for ensuring that quality objectives are met. This clause also requires that management provide resources for quality activities and review the performance of the QMS regularly, ensuring alignment with regulatory requirements and customer needs.

Clause 6, “Resource Management,” could have been aligned to clause 7, “Support,” found in the HS. This clause in ISO 13485 requires the organization to manage resources effectively, which includes personnel training and competence (a critical area in the medical device industry). This ensures that employees have the skills needed to produce safe and effective devices. It also covers infrastructure and the control of the work environment, ensuring that conditions are suitable for maintaining product quality.

Clause 7, “Product Realization,” diverges further from the HS. Product realization in the medical device sector involves the entire lifecycle of the device—from planning, design, development, and manufacturing to service and post-market activities. This clause is extensive and includes requirements for design controls, risk management, validation, and traceability, all of which are critical in the medical device industry. The detailed focus on design and development, verification and validation, and product monitoring ensures that all aspects of a medical device’s journey, from conception to post-market surveillance, are covered.

Clause 8, “Measurement, Analysis, and Improvement,” requires organizations to evaluate the effectiveness of their QMS through regular monitoring, measurement, and audits. It also focuses on corrective and preventive actions (CAPA) to improve quality. Preventive action in the HS has not been thrown out like the proverbial baby with the bath water. It has instead been replaced by requirement to appreciate risk. For medical devices, complaints and nonconformance reporting are key to ensuring ongoing safety and compliance. ISO 13485 could also have gone from preventive action to risk.

Post-market surveillance and vigilance is a requirement of the medical device standard. Unlike many other ISO standards, ISO 13485 places significant emphasis on post-market surveillance, which is the process of monitoring the performance of medical devices once they are in use. This is a major distinguishing factor from other ISO standards. Manufacturers are required to establish processes for post-market feedback, complaint handling, and field safety corrective actions (FSCA), which are essential for identifying and managing risks after the product is on the market.

In conclusion, I would opine and agree that although ISO 13485 is indeed based on ISO 9001, it diverges from the HS identified in Annex SL because the unique needs of the medical device industry—such as regulatory compliance, product lifecycle management, and patient safety—require a more detailed and specialized approach than the HS can provide. The clause structure of ISO 13485 reflects these specific requirements, making it a robust and industry-specific standard that ensures the safety and quality of medical devices while maintaining alignment with the foundational principles of quality management in ISO 9001.

This balance of maintaining core quality principles while addressing the needs of the medical device industry is why ISO 13485 has not fully adopted the HS but instead continues to incorporate elements of ISO 9001 alongside medical-device-specific regulatory needs. That it could still at the least attempt to align the primary clauses as risk to the HS would help all parties involved.

Note – The above article was recently featured in Exemplar Global’s publication called “The Auditor”. Click here to read it.

One-Off or Systemic: The Search for Root Causes

by Julius DeSilva

Accidents and failures, whether in maritime, aviation, healthcare, or nuclear settings, are often subjected to intense scrutiny to determine their root causes. However, the challenge lies in distinguishing whether an event is an anomaly or a symptom of a deeper systemic issue. This analysis is crucial as it directly influences the actions taken to prevent a recurrence or occurrence elsewhere. A management system approach, such as those outlined in ISO 45001 for occupational health and safety, ISO 9001 for quality management, or ISO 14001 for environmental management, provides a structured framework for systematically and proactively addressing risks when data exists.

Analysis of root causes: systemic failures

Root cause analysis is a fundamental investigative tool used to trace an incident to its origins. However, many organizations focus on immediate, apparent causes rather than examining systemic contributors and true root causes. Systemic failures result from weaknesses in policies, processes, or culture, and therefore, often recur in different forms over time.

The management system approach advocated by ISO standards and other industry-specific standards like the ISM code emphasize continual improvement and risk-based thinking. The intent of these standards is to reduce the probability of systemic failures by integrating safety, quality, efficiency, security, and environmental management into everyday operations.

Systemic failure example: Chernobyl

I recently read the book Midnight in Chernobyl, which outlined the 1986 Chernobyl nuclear disaster and the underlying systemic failures that contributed to this incident. Unlike isolated accidents, Chernobyl resulted from a combination of design flaws, operational errors, and a deficient safety culture. Key systemic issues included:

  • Design flaws. The RBMK reactor used in Chernobyl had an inherent positive void coefficient, meaning an increase in steam production could accelerate the reaction uncontrollably.
  • Operational failures. A safety test was conducted under unsafe conditions, including a reduced power level and disengaged emergency shutdown mechanisms.
  • Cultural and regulatory gaps. A lack of safety culture, insufficient training (and thus competency), and an authoritarian management style amounting to complacency discouraged questioning of unsafe practices.

These root causes culminated in an explosion that released massive amounts of radioactive material. European countries are so tightly packed that winds freely spread the outfall without borders. The systemic nature of the disaster was later addressed through international nuclear safety reforms, including the establishment of the International Atomic Energy Agency’s safety standards and stricter ISO frameworks such as ISO 19443, which outlines quality management system requirements for organizations working within the nuclear sector.

Other systemic failures

Deepwater Horizon oil spill (2010)

Another example of a systemic failure is the Deepwater Horizon oil spill. This incident was not merely the result of a single mistake but a consequence of systemic lapses in safety practices, regulatory oversight, and risk management. Contributing factors included:

  • Cultural deficiencies. The organization prioritized cost cutting over risk mitigation
  • Inadequate risk assessments. There was poor well-integrity testing and misinterpretation of pressure data.
  • Regulatory weaknesses. There was insufficient government oversight and a lack of stringent industrywide safety protocols.

This catastrophe led to significant regulatory changes, including the implementation of stricter safety and environmental policies within the oil and gas industry, aligned with ISO 45001 and ISO 14001.

The Boeing 737 MAX crashes (2018, 2019)

The Boeing 737 MAX crashes further illustrate systemic failure. Investigations revealed that flaws in the aircraft’s Maneuvering Characteristics Augmentation System (MCAS) were not adequately addressed due to:

  • Design and engineering oversights. Critical safety features were made optional rather than standard.
  • Regulatory gaps. The FAA relied excessively on Boeing’s self-certification.
  • Organizational pressures. The corporate culture emphasized speed-to-market delivery over comprehensive safety testing.

This resulted in significant regulatory reforms, including tighter oversight and compliance with international aviation safety standards.

Fixes vs. systemic longer-term improvement

Addressing failures can be approached through quick fixes or long-term systemic improvements. Each approach has its advantages and disadvantages:

Quick fixes

Pros:

  • Immediate resolution of pressing issues
  • Cost-effective in the short term
  • Prevents further damage or loss

Cons:

  • Does not address underlying systemic issues
  • Can lead to recurring problems if not supplemented with deeper analysis
  • Often reactive rather than proactive

Systemic longer-term improvements

Pros:

  • Addresses root causes, reducing the likelihood of recurrence
  • Enhances organizational resilience and safety culture
  • Aligns with ISO management systems, ensuring continuous improvement

Cons:

  • Requires significant time and resources
  • May face resistance from stakeholders due to cultural inertia
  • Implementation complexity can slow down immediate corrective actions

A balanced approach is often necessary—implementing short-term fixes to mitigate immediate risks while developing long-term systemic improvements to ensure sustainable safety and risk management practices.

What if we cannot foresee all risks?

Even with rigorous management systems and risk assessments, not all risks can be predicted. Organizations must be prepared to address unforeseen risks through:

  • Resilient systems. It is important to develop adaptable and robust safety management frameworks that can respond effectively to new threats.
  • Proactive learning. The organization can encourage a culture of continuous learning and scenario planning to anticipate emerging risks.
  • Redundancies and safeguards. Implementing fail-fail safe redundancies and contingency plans can mitigate the effects of unforeseen events.
  • Stakeholder collaboration. Engaging industry experts, regulators, and other stakeholders to share knowledge can help improve collective risk awareness.

Despite the lessons from Chernobyl, 25 years later the Fukushima disaster occurred. An earthquake of this magnitude was not foreseen as a risk even though in 1896 (as highlighted by an engineer on the project) an earthquake of magnitude 8.5 hit near the coast where the reactor was to be built. After Chernobyl, the 1970s-built reactor in Fukushima was not upgraded with the latest safety features due to high costs. Japan’s nuclear industry had a history of regulatory complacency and reluctance to accept international recommendations

ISO 31000, which addresses risk management, emphasizes the importance of resilience and adaptability in the face of unpredictable risks. By fostering a commitment to learning and preparedness across the organization, businesses can better navigate uncertainties while maintaining operational safety and efficiency.

The benefits of a management system approach

A management system approach, as defined by ISO standards, provides the following advantages:

  • Structured risk management. ISO 31000 ensures systematic identification, assessment, and mitigation of risks.
  • Continuous improvement. The Plan-Do-Check-Act (PDCA) cycle described in ISO 9001, ISO 45001, and ISO 14001 encourages learning from incidents to prevent recurrence.
  • Organizational culture change. Implementing ISO standards fosters a risk-oriented mindset, reducing the likelihood of systemic failures.

ISO management systems, when implemented and sustained, can act as a preventive tool to proactively manage risk.

Conclusion

Understanding whether an accident is an anomaly or a systemic failure is critical in determining the appropriate response. Sadly, at times industry must incur the cost of the nonconformity to learn the lesson. Organizational “can-do” attitudes lead to risk normalizations where dangerous conditions are seen as normal. Further, organizational and demographic cultures do not encourage challenging authority or questioning of decisions. Absence of accidents, incident reports, and near misses give a false sense of complacency that things are working well. This may lead to over-confidence in decision making, lapses in regulatory oversight, and deferring of resource allocation to other “priorities.”

Systemic failures indicate deeper vulnerabilities requiring long-term corrective actions. The application of ISO management systems offers a proactive and structured approach to accident prevention, ensuring that organizations move beyond reactive responses to fostering a culture of continuous improvement and risk management. By embracing these principles, industries can mitigate systemic risks, ensuring safer and more resilient operations.

Note – The above article was recently featured in Exemplar Global’s publication ‘The Auditor’. Click here to read.

The Baltimore Bridge Collapse : Another Case of a Failed Management System ISO 55001:2024

By – Dr. IJ Arora

Can good management systems make organizations immune to disasters? The Baltimore bridge or simply the Bay Bridge or more precisely the Francis Scott Key Bridge that collapsed in 2023 because of the allision with the container vessel MV Dali is a tragedy, perhaps caused by the failure of several management systems, the ship, the port, the state and whoever else was involved.   

The National Transportation Safety Board (NTSB) investigation is ongoing, and will no doubt look at the part played by the MV Dali, its crew and operator. However, my thought is the MV Dali or other ships plying the waters by simple statistical probability were considered as a risk by the authorities. I mean there is the water channel, ships sailing in and out, and a bridge, there was likely to be an allision someday. Perhaps not a matter of if but when! Thus should the bridge have been safer and better designed, based on known and appreciated risks? After all, not all accidents can be completely avoided. However, each tragedy has lessons learnt as responsive action. The lessons become the data that drive risk identification and trends and, thus making the system proactive.  I am sure  the NTSB is considering all this. In the meantime, without going into the ongoing investigation, are there some basics which are common indications of failures of the system. Be it the Titan submersible, or the Boeing management system,  as an SME in  process-based process-based management systems I see a common cause; the failure of the system to  deliver conforming products and services. 

In this short article I want to discuss this bridge collapse in the context of the management system, considering ISO 9001:2015 generically and ISO 55001:2024 Asset Management System requirements specifically. Could simply designing a good system based on the standard have enabled the organization to better assess the associated risks? Perhaps they were assessed and justified as a low probability of occurrence. If that were the case, the discussion would be on prioritization of risks. ISO 55001 was first published in 2014. It was developed as a standalone standard for asset management, building upon the principles of ISO 9001 (quality management) and other relevant standards. 

I am aware that as of September 2024, the investigation into the Baltimore bridge collapse is still ongoing.  Therefore, while the exact cause of the collapse remains under investigation, we can consider several factors that could have contributed to the incident. MV Dali, experienced a series of electrical blackouts before the allision.  The vessel SMS (safety management system based on the ISM Code) implementation could be a factor. Bridge stability, its age and condition are I am sure are being investigated as a potential contributing factor. Then there is always human element.  There may have been errors on the part of the ship’s crew or bridge operators. Was the system designed to support them in such a scenario? What factors may have caused operators at all levels to perhaps not follow requirements, to justify the risks. The NTSB’s investigation will highlight a detailed analysis of the ship’s navigation systems, the bridge’s structural integrity, and the actions of the individuals involved in the reasons for this tragedy. Their final report will provide a comprehensive understanding of the incident and may include recommendations to prevent similar occurrences in the future. 

However, even at this stage we can agree that bridges in general are national assets. They are valuable infrastructure that provides essential services to communities. While it is not publicly known whether the State of Maryland specifically implemented ISO 55001 for its bridges, the principles and practices outlined in this standard could have been beneficial in managing the risks associated with the Baltimore bridge. The implementation of this standard and or even if the generic standard ISO 9001 were implemented the authorities could have performed: 

  • Risk Assessments: ISO 55001 requires organizations to conduct regular risk assessments to identify potential threats and vulnerabilities. A thorough assessment of the bridge’s condition, age, and traffic load could have helped identify potential risks and inform maintenance and repair decisions, as also change in procedures, protection of navigation channels and so on. 
  • Life Cycle Management: The standard emphasizes the importance of managing assets throughout their entire lifecycle, from planning and acquisition to maintenance and disposal. By following ISO 55001, the state could have developed a comprehensive plan for the bridge’s maintenance, upgrades, and eventual replacement. 
  • Performance Measurements: ISO 55001 requires organizations to establish measurable Objectives or Key Performance Indicators (KPIs) to measure the effectiveness of their asset management activities. This could have helped the state monitor the bridge’s condition and identify any signs of deterioration. 
  • Continual Improvement: The standard promotes a culture of continual improvement, encouraging organizations to learn from past experiences and make necessary adjustments to their asset management practices. 

I agree, it is impossible to say definitively whether ISO 55001 would have prevented the Baltimore bridge collapse. However, the principles and practices outlined in the standard could have helped to reduce the risk of such incidents. By adopting a systematic and proactive approach to asset management, organizations can improve the reliability and safety of their infrastructure. A systematic study must go beyond what the MV Dali contributed to the Baltimore bridge collapse, it is also important to consider the broader context and the potential contributions of other factors: 

  • Bridge Design and Maintenance: The age and condition of the bridge are likely to be factors in the investigation. Older infrastructure may be more susceptible to damage or failure, especially if it has not been adequately maintained or upgraded. 
  • Vessel Traffic: The frequency and intensity of vessel traffic in the area can also influence the risk of collisions. The bridge is in a busy shipping channel; therefore, the likelihood of incidents was higher. 
  • Safety Measures: The presence or absence of safety measures, such as buoys, warning systems, or restricted areas, can also impact the risk of collisions/allisions. This needs to be studied and are factors the authorities would know. 
  • Human Element and Factors: Errors on the part of both the ship’s crew and bridge operators can contribute to accidents. Factors such as fatigue, inexperience, or inadequate training may play a role. What led to these?  Error proofing, mistake proofing and FMEA (Failure Mode Effect & Analysis) are tools that could be part of the effective management system. 

Let us therefore consider ISO 55001 and the relevant clauses of the standard which could apply to the collapse of the Baltimore Bridge. 

Clause 4: Context of the Organization 

  • Clause 4.1: Understanding the external context, such as the age of the bridge, traffic volume, and environmental factors, is crucial for risk assessment. 
  • Clause 4.2: Identifying the needs and expectations of relevant interested parties, including the public, commuters, and regulatory bodies, is essential for effective asset management. 

Clause 6: Planning 

  • Clause 6.2.1: The bridge’s asset management plan should have included clear objectives for its maintenance, repair, and replacement. 
  • Clause 6.2.2: Specific objectives related to safety, reliability, and cost-effectiveness should have been established. 
  • Clause 6.2.3: Detailed planning for maintenance, inspections, and upgrades would have been necessary to ensure the bridge’s structural integrity. 

Clause 7: Support 

  • Clause 7.1: Adequate resources, including funding, personnel, and expertise, should have been allocated for bridge maintenance and inspection. 
  • Clause 7.2: Ensuring that personnel involved in bridge management have the necessary competence and training is essential. 
  • Clause 7.3: Raising awareness among all relevant stakeholders about the importance of bridge maintenance and safety is crucial. 

Clause 8: Operation and Maintenance 

  • Clause 8.1: Regular inspections and monitoring of the bridge’s condition would have helped identify potential problems early on. 
  • Clause 8.2: A well-defined maintenance schedule, including preventive and corrective maintenance, would have been necessary to address issues before they escalated. 

Clause 9: Performance Evaluation 

  • Clause 9.1: Establishing key performance indicators (KPIs) to measure the bridge’s performance, such as safety records, traffic flow, and maintenance costs, would have provided valuable insights. 
  • Clause 9.2: Regular monitoring and evaluation of these KPIs would have helped identify areas for improvement. 

Clause 10: Improvement 

  • Clause 10.2: The bridge’s management should have implemented a system for monitoring and measurement, including data collection and analysis. 
  • Clause 10.3: Predictive maintenance techniques could have been used to identify potential failures before they occurred. 

My objective of writing this article is to awaken this basic thought in organizations that by applying the principles of a standard, be it generic ISO 9001 or an industry specific standard or as in this case the asset management system standard ISO 55001, the organization (State of Maryland) could have strengthened its asset management practices and potentially mitigated the risks associated with the Baltimore bridge collapse. 

The above article was recently published in the Exemplar Global publication – ‘The Auditor’.

Are Medical Audits Improving Systems Or Only Driving Fixes? 

Is there a potential downside to medical audits wherein the audits are focused on finding and fixing problems? A recent discussion with a medical professional piqued my interest in the value of Medical Audits given that QMII, a subject matter expert in auditing, has ventured into the medical auditing field. This led to a conversation with a few additional healthcare professionals to understand a little more about medical audits, their findings and how organizations address them. My additional reading outlined a lack of effective systemic corrective action. In this article, I discuss some aspects of the medical audit process and what organizations can do to improve the process of audits and of implement corrective action.  

There are various types of medical audits including clinical audits, billing/coding audits, financial audits, operational audits and compliance audits. While there are regulations, protocols and standards against which these audits are conducted, in many cases, industry-best practices are also used as audit criteria. This brings subjectivity into the audit as ‘best practices’ knowledge may vary from auditor to auditor based on their experience. Auditing to an auditor’s experience has a major drawback not just in the medical industry but in all industries. It takes the auditors away from requirements which then results in biased inputs to the leadership that may be inaccurate.  This also leaves the auditee (the organization being audited) on the receiving end of findings for which there are no certain requirements. That is, they may make changes to their system based on the finding of one auditor only to find that another auditor objects to the very actions they implemented based on the previous auditor. 

Medical Audits and Recommendations 

In medical audits, it is common practice for auditors to provide recommendations to address findings. These recommendations are based on experience and industry-best practices. In ISO audits this is not allowed. In most industries, including the healthcare industry, there is no obligation to act upon any of the recommendations of an auditor. However, if auditors are perceived to be in a position of authority, then there is an underlying implication that the audit recommendation must be implemented. This is for fear of the nonconformity occurring again only for someone to say, “the auditor told you what to do and no action was taken”. This then also implies, audits do not delve deeply enough to identify systemic weaknesses within the processes or the workflow. 

In speaking with the medical professionals within my professional circle of friends, it was surprising to hear that in many cases the personnel being asked to address the audit findings are unaware of any root cause analysis methodologies nor have they been given any formal training in the subject. Further, they are not clear about what a CAPA is but do know that they need to provide some action to close out the finding. In such cases, is it then fair to expect effective corrective action? Perhaps, the lack of effective corrective actions perpetuated the need for auditor recommendations! 

Without proper training, it is but natural for personnel responding to audit findings to default to the recommendations of the auditor and implement those actions prescribed by the auditor as the corrective action in and of itself. Sadly, in such cases the root cause of the issue goes unaddressed. Sometimes such cases may lie in inadequate resources, technology or even lack of guidance/policy from leaders. While the aim of the audits is to identify where the process may require additional controls, all for providing better healthcare for the patient, the outcome may only be a band-aid. 

What can be done to change this? 

While change may not come overnight, there are a few key steps that can be taken to improve the audit process overall right up until corrective action and meet the end goal of providing better healthcare.  

Auditor training – Auditors must be trained to remain objective through the audit process, to focus on the requirements (criteria) of their audit, to focus on factual evidence and objectively assess it (yes, no experience!). Further they must understand the implications of providing recommendations and thus not provide any recommendations. The auditors are but to focus on assessing the effectiveness of the corrective action plan submitted and verifying the effectiveness of actions taken.  

Root Cause Analysis Training – Healthcare organizations must invest in providing their personnel with training in the different root cause analysis methodologies and how to apply it to identify the root cause(s) of a problem.  

Reinforcing that Recommendations need not be accepted/addressed – Organizations must be professional to build the courage to stand up to auditors and not accept recommendations. Auditors do not know all facets of the process from the short sample of the organization they witness. If their “advice” in the recommendations is wrong/ineffective, who then pays the price? 

Auditor Selection – ISO 19011 provides guidance on the behaviors and skills that an auditor should exhibit, and these are applicable to an auditor selected to conduct any type of audit. Auditors must be evaluated periodically to ensure they are remaining objective through an audit and working to identify the effectiveness of controls and adequacy of resources in assessing if the overall objectives have been met. To learn more about how QMII can support your organization’s audit process, click here

Julius DeSilva, Senior Vice-President

Excellence in Auditing Presented by Dr. IJ Arora for Exemplar Global

“How Auditing Helps Prevent Tragedy,” presented by Dr. IJ Arora with Wendy Edwards (Project Director of Exemplar Global) at the Exemplar Global’s Excellence in Auditing Expo!

Click the link here to understand the critical role auditing plays in averting potential disasters. Whether you’re in risk management, quality assurance, or simply interested in safety and security, this discussion offers valuable perspectives and actionable takeaways.

Link to the Presentation

Responsibly Implementing Artificial Intelligence

Artificial Intelligence (AI) entered our lives stealthily and not before long has become an integral part of all we do. From choosing a playlist, to self-driving cars, to providing service desk support to name a few. Some people have openly embraced AI while others approach it more cautiously afraid of the domination and ‘rise of the machines. Along with the opportunities that AI presents, also come risks and therefore responsibility. ISO in December of 2023 published a management system standard, ISO/IEC 42001, that provides a framework for organizations looking to use a process-based approach to managing risks and opportunities associated with use of Artificial Intelligence.

What is AI system?

As defined by ISO/IEC 22989 and artificial intelligence system is and engineered system that generates outputs such as content, forecasts, recommendations, or decisions for a given set of human-defined objectives. Artificial intelligence can then further be broken down into various subcategories from weak AI to strong AI. There are also various associated terms that are used within the industry that wall within the realm of Artificial Intelligence systems. These include Autonomous AI system, Machine Learning, and Cognitive Computing to name a few.

An integrated standard approach

In structuring the standard ISO/IEC follows the harmonized 10 clause structure that is applicable to standards such as ISO 9001 and ISO 45001. This will make it easy for organizations seeking to integrate the requirements into their existing management system. Like other ISO management system standards, ISO/IEC 42001 is not prescriptive within the standard clauses. It does however, similar to ISO/IEC 27001 include an Annex of controls that must be considered and that must be justified when not applicable. Annex A has a total of 38 controls that are split among the 10 control objectives. As a risk-based standard it requires organizations to conduct an impact analysis, conduct a risk assessment and then implement controls to treat the risk to an acceptable level.

ISO/IEC 42001 control areas

The 10 control areas of Annex A intend to:

  • Provide management commitment and direction
  • Establish organizational accountability
  • Determine and provide resources
  • Assess the AI system impacts
  • Provide a framework for managing the AI system life cycle
  • Control data used within AI systems
  • Provide a framework for communication with interested parties
  • Ensure responsible use of AI systems
  • Mange relationships

ISO/IEC 42001 also makes reference to the NIST Risk Management Framework, developed to better manage risks to individuals, organizations, and society associated with artificial intelligence (AI).

Next Steps for Companies seeking to align to ISO/IEC 42001

If your organization is seeking to demonstrate a responsible use of AI systems and choosing to align with the ISO /IEC 42001 framework, the next steps would be to:

  1. Conduct as “As-Is” assessment – Identify what controls and resources are already in place within the existing management system.
  2. Conduct an Impact Assessment – Annex A controls provide a structure of how to achieve this and Annex B provides further guidance. This requirement supports the requirements of the EU AI Act. Inputs to the assessment will come from an understanding of the organizational context and the needs of the interested parties.
  3. Conduct a Risk Assessment – to identify potential risks and opportunities for users and society. The assessment should include the implication for deploying AI systems.
  4. Develop Risk Treatment Controls – Identify measures that the organization will implement to mitigate the risks to an acceptable level and then a plan to ensure the effectiveness of controls implemented.
  5. Implement and monitor the controls and system, with an aim to driving continual improvement and ensuring the responsible use of AI.

To learn more about how QMII can support your implementation of ISO/IEC 42001 reach out to QMII solutions team at info@qmii.com or call us at +1 (888) 357-9001.

-By Julius DeSilva, Senior Vice-President