ISO 9001 and Regulatory Compliance In the Medical Device Industry

Lack of attention to quality systems can result in hefty fines, indirect costs

by Joe Tsiakals

Hundreds of millions of dollars in fines and actions have recently been levied against two U.S. medical device manufacturers. The faults included the failure of top management to establish appropriate quality systems to help ensure that products were safe and operations could consistently meet applicable requirements and specifications.

These examples of ongoing enforcement actions by the U.S. Food and Drug Administration do not indicate new or surprising initiatives for those of us familiar with the FDA.

In one example involving Abbott Laboratories, defective product was not identified. Instead, Abbott's practices for corrective and preventive action (CAPA) and for process validation were called into question, and other quality system deficiencies were cited--to the tune of over $300 million in losses to the bottom line.

In a consent degree of permanent injunction the U.S. District Court for the Northern District of Illinois issued against Abbott on November 2, 1999, Abbott agreed to pay $100 million in fines while admitting no guilt.1

The decree provided the FDA invasive supervisory rights, with FDA expenses to be paid by Abbott, for a minimum of five years. The action also required Abbott to incur, conservatively estimated, an additional $200 million in costs associated with product recalls and corrective actions, excluding the long-term impact of lost sales and product withdrawals.

On December 15, 2000, the U.S. Attorney for the Northern District of California, the U.S. Department of Justice and the FDA announced that Lifescan, a California subsidiary of Johnson & Johnson (J&J), pleaded guilty in federal court to criminal charges and was ordered to pay criminal and civil fines totaling $60 million.2

The criminal charges stemmed from defects in a blood glucose monitoring device, the SureStep system, which the company knew about but failed to disclose to customers, patients and the FDA. Among the remedies agreed to, Lifescan will operate under the supervision of the U.S Probation Office for three years. During the criminal investigation, J&J recalled the SureStep system from the market at a cost of $40 million.

Recently, J&J also recalled about 850,000 units of a new generation of glucose monitors for erroneous displays. According to newspaper reports, Lifescan's senior management has been replaced and J&J may face a number of liability suits. The total cost to J&J may well be in excess of $200 million.

The importance of ISO 9000
The entire scope of ISO 9001:2000 covers the necessity for top management to set up and see that quality management systems are followed to ensure safe product and compliance with requirements and specifications. The standard reads:

This International Standard specifies requirements for a quality management system where an organization

a) needs to demonstrate its ability to consistently provide product that meets customer and applicable regulatory requirements, and

b) aims to enhance customer satisfaction through the effective application of the system, including processes for continual improvement of the system and the assurance of conformity to customer and applicable regulatory requirements.3

The FDA regulatory requirements for medical device quality systems are found in the Quality System Regulation, also known as the QSR.4 The QSR was the first revision of the FDA's medical devices original good manufacturing practice (GMP) regulation issued in December 1978.

The revision achieved the the primary purpose of incorporating many of the new quality system concepts of ISO 9001:1994 into the GMPs. Even though design control was the recognized major addition, new requirements in the QSR included those for management review and CAPA.

Japan's approach to regulating the design and manufacturing of medical devices is similar to that of the FDA. ISO 9000 requirements are embedded within their country's regulations.

Contrasting with this are the regulatory requirements for designers and manufacturers of medical devices for the European market. They must follow the medical device directive issued by the European Commission. It directly references the use of ISO 9001:1994 and ISO 9002:1994 as do the corresponding regulations for Canada and Australia. Most of the rest of the world uses either the FDA approach or the European approach.

The influence of the sector
All firms that design, manufacture, process, pack, label and ship medical devices are required to comply with governmental regulations based either directly or indirectly on the ISO 9000 series. It should not surprise anyone that the medical device sector, although small, is extremely interested in the development and the progression of refining requirements for ISO 9000.

It's also not surprising that this sector is the only one with its own International Organization for Standardization, known as ISO, technical committee on quality management, ISO/TC 210. This committee is focused primarily, but not exclusively, on the ISO 9000 series developed by another ISO technical committee, ISO/TC 176.

Nor is it surprising that ISO/TC 210 had a disproportionate level of influence in the development of ISO 9001:2000 by ISO/TC 176. ISO/TC members participating in ISO/TC 176 task groups developing the ISO 9000:2000 series included representatives from the United States, United Kingdom, Japan, Switzerland, the Netherlands, Denmark and Canada,

Officially, three liaison members represented ISO/TC 210, each working on one of the three writing teams for ISO 9001. Included among these three were the chairman of ISO/TC 210 and the convenor (working group chairman) of the ISO/TC 210 quality systems working group. In addition, a key member of the ISO/TC 176 subcommittee for definitions has been a member of ISO/TC 210. Four other long-term, influential members of ISO/TC 176 are from the medical device sector.

Aiding regulated industries
The needs of regulated industries were among the major considerations identified in the planning phase for the new revision, ISO 9001:2000. There are seven references to regulatory requirements in the new standard. Regulatory considerations are identified under the ISO 9001:2000 clauses for scope and management commitment and are included as requirements for the design and development inputs of products and processes.

The traditional approach used by companies for achieving regulatory compliance focuses on individual requirements and their corresponding procedures.

This often results in the establishment of extensive bureaucracies of paper and those managing the paper. Everything has to be described in documented procedures, and all work has to be recorded. This tends to be neither effective nor efficient in assuring that requirements are met. Simply focusing on requirements and compliance to these requirements results in an ever increasing array of more requirements and paper.

The trouble with complex document bureaucracies has been lack of clarity for top management as to the key issues affecting quality. What is the actual performance of the product? Of the process? How do we correct the problems we have now? How do we anticipate potential problems and take action to avoid them?

Process approach and continual improvement
Integrated throughout ISO 9001:2000 are quality system elements that lead to minimizing complexity and achieving an effective quality system. Two concepts intertwined throughout the standard are the process approach and continual improvement.

New is the fact that the standard is structured now around four main processes:

1. Management responsibility.
2. Resource management.
3.Product realization.
4. Measurement, analysis and improvement.

A process model and the process approach are described in the introduction. The approach emphasizes identification and management of numerous linked activities.

This approach highlights the importance of understanding and meeting requirements, considering processes in terms of added value, obtaining results of process performance and effectiveness, and continual improvement of processes based on objective measurement.

The solution to many of the problems faced by regulated industry involves addressing how organizations identify real and potential deficiencies to improve. Organizations are now required to "plan and manage the processes necessary for the continual improvement of the quality management system." Continual improvement is also mentioned under the standard's quality objectives and quality planning clauses.

The last clause of ISO 9001:2000, clause 8.6, is titled "continual improvement." There are specific requirements for corrective action for eliminating the causes of known nonconformities.

The requirements for preventive action require determining potential nonconformities and their causes and taking appropriate action to prevent their occurrence. Of great importance is the clause 8.6 lead sentence that describes a quality improvement loop.

The clause states that continual improvement will be facilitated through "use of the quality policy, objectives, audit results, analysis of data, corrective and preventive action, and management review."

These are seven important clauses of the standard that, when linked as an effective set of processes, provide the necessary visibility and involvement of top management for making sure requirements are met. Six of the clauses specifically feed into the management review.

Management review is the periodic gathering of an organization's top management to discuss the current state of quality and compliance and to determine appropriate action. With real and meaningful management reviews it is inconceivable that the regulatory actions mentioned at the beginning of this paper could occur. This last clause of the standard becomes the most important part for tying everything together.

Avoiding bureaucratic pitfalls
ISO 9001:2000 has been developed so organizations can avoid the pitfalls and inefficiencies associated with the traditional bureaucratic and piecemeal approach to meeting requirements. This new standard is offered as a key for achieving an overarching objective of the top management of the medical device industry: to obtain a highly effective quality system that meets all customer and regulatory requirements.


1. Consent Decree of Permanent Injunction, United States of America, Plaintiff v. Abbot Laboratories, a corporation, Nov. 2, 1999, Civil Action 99C 713.

2. Special Conditions of Probation, United States of America, Plaintiff v. Lifescan Inc., a corporation, Dec. 15, 2000, No. CR 00-20356-JF.

3. ANSI/ISO/ASQ Q9001-2000, Quality management system--requirements (Milwaukee: ASQ, Dec. 15, 2000).

4. Quality System Regulation (Title 21, Code of the Federal Register, Section 820), October 1996.

JOE TSIAKALS is senior director of corporate quality for Amgen Inc., Thousand Oaks, CA. He is a member of the ISO/TC 176 writing team for ISO 9001:2000 and served in the same role for the development of ISO 9001:1994. He is a founding member of ISO/TC 210 and has more than 25 years of experience in quality management and engineering in regulated industry. Along with Charles Cianfrani and Jack West, Tsiakals authored the book ISO 9001:2000 Explained, published by ASQ Quality Press.

Average Rating


Out of 0 Ratings
Rate this article

Add Comments

View comments
Comments FAQ

Featured advertisers