A quality policy is the highest-level document for a medical device company. It is the star on the top of the Christmas tree, and the guiding light for a medical device QMS. So how does a company make one?
If you are wondering how to make an excellent quality policy for your company, you’ve come to the right place. In this article, we will cover the ISO 13485 and FDA requirements for a quality policy, and provide examples of quality policies from various medical device companies.
Once you are done, you will be well on your way to knowing how to make the perfect quality policy to support your company and medical device QMS.
Table of Contents
What are the ISO 13485 (5.3) Quality Policy requirements?
A quality policy is considered the highest-level document in a QMS and is intended to guide the organization’s quality and regulatory objectives. It is created by a company’s top management team and is communicated throughout the organization.
Let’s look line by line at what ISO 13485 requires for a quality policy.
Top Management shall ensure that the quality policy:
From the first line, we can see that the Quality Policy is the responsibility of the top management team. Management commitment to quality is emphasized throughout ISO 13485 and is considered one of the defining features of making a successful medical device QMS.
It also makes sense in the context of the quality policy. A quality policy is supposed to highlight the vision and strategic direction of the company. ISO 13485 does not want a quality policy that is just thrown together by a quality team to meet requirements. The standard wants top management to really think through how they want quality to be implemented throughout the organization, and how they can dedicate the resources needed to make this happen.
a). is applicable to the purpose of the organization
This means that a quality policy cannot just be copied or generic. If a company provides services, it would not make sense to reference good quality products and vice-versa for a manufacturing company. For larger medical device companies, this can be broader, as there are many different purposes for the organization.
However, if a company only makes a certain type of medical device, the company can specifically reference that device to achieve this requirement. One example is seen below, where Alma Medical Imaging‘s quality policy references “Design, development, sale and Service of medical imaging software”. This includes all of the main activities of the company from both an organizational and regulatory perspective.
b) includes a commitment to comply with requirements and to maintain the effectiveness of the quality management system;
The next requirement from ISO 13485 is that the organization shows a commitment to comply with requirements and maintain the QMS. What types of requirements are relevant? All regulatory requirements such as EU MDR and FDA, customer requirements, and the requirements of ISO 13485 itself.
What does maintaining the effectiveness of the QMS look like? This means that the quality policy and QMS change as needed to meet regulatory, customer, or ISO 13485 updates. It could also mean updating the QMS based on changes to product or organizational goals.
To meet the criteria, many companies choose to plainly state in their quality policy they will meet all needed requirements. Every ISO 13485 quality policy we will look at in the example section includes some reference to meeting applicable laws and regulations. When you are making a quality policy for your medical device company, you can go down the same path and plainly reference what standards or regulations the company needs to meet.
Here’s a section from UroPharma‘s quality policy, that clearly states what requirements they need to meet:
c) provides a framework for establishing and reviewing quality objectives.
This requirement is all about the quality policy providing the strategic objectives and principles of the organization. As stated, the quality policy is considered the highest-level document in a medical device organization. The next level includes the quality objectives, which are supposed to either emerge from the quality policy, or aid in the success of the quality policy.
Here, an organization can really highlight what is unique about the organization or its goals. Quality objectives can even be directly inserted into the quality policy if they are considered of large enough importance.
For example, the policy could reference meeting the requirements of EU MDR, and one of the objectives could be passing an EU MDR audit. In this way, we can see that the quality policy and quality objectives are very much connected to the development of a medical device QMS.
d) is communicated and understood within the organization;
This ISO 13485 requirement includes two things; that the quality policy is communicated within the organization, and that it is understood within the organization.
In order for the organization to ensure the quality policy is understood, many companies choose to include training on the quality policy as part of their training process. This is a great way of consistently making sure all employees know the reasons behind the quality policy and its importance to the organization. It also goes a step further than just stating the policy.
As far as communicating the quality policy, many organizations choose to feature the quality policy in a variety of places outside of training. They will put up large signs, place the quality policy slogan on cups or placards, and reference the quality policy in lots of different company meetings. There are all great tactics in ensuring that the quality policy is constantly communicated.
It is extremely common for auditors to ask different employees “What is the quality policy?” during an audit. So, it is helpful to have the quality policy in as many visible places as possible. Employees are not required to memorize the policy line-by-line, but they should know where to find the policy when needed.
e) is reviewed for continuing suitability
Reviewing the quality policy for continuing suitability is needed for any major changes to regulatory guidelines or products. If the standard changes for a specific type of medical device that a company produces, it can be easy to see why the policy might need to change.
Reviewing the quality policy is also a requirement for management review. So, to meet this requirement all the organization needs to do is make sure they have a compliant management review procedure in place which discusses the need for changes to the policy. We’ve written a whole article on management review, so check that out here if you want to make a management review procedure that meets all ISO 13485 requirements.
What are the FDA Quality Policy Requirements?
Now that we know the ISO 13485 requirements, what are the FDA Quality Policy requirements? Luckily, the FDA requirements are extremely brief and are easily met as long as a company is meeting the ISO 13485 requirements.
Here is the quality policy section from 21 CFR Part 820.20(a):
Quality policy. Management with executive responsibility shall establish its policy and objectives for, and commitment to, quality. Management with executive responsibility shall ensure that the quality policy is understood, implemented, and maintained at all levels of the organization.
As you can see, all of these requirements have already been covered by ISO 13485. The quality policy needs to be established by top management, and ensure it is implemented, understood, and maintained.
Medical Device Quality Policy Examples
Now that we know what is required for an ISO 13485 and FDA-compliant quality policy, let’s review some examples of quality policies from a wide range of medical device companies.
The first example is from Stryker. Since the organization is so large, the policy is rather generic in order to include all of the different company activities. It also highlights their commitment to quality data, and how the data is reviewed by top management.
The next example is from Medtronic. While their policy is also generic for the same reasons, what we can see through every quality policy is a commitment to meet needed requirements and to the effectiveness of the QMS.
The next example we will look at is from a smaller company, OraSure Technologies. One unique thing about their quality policy is that it features the name and signature of the CEO, to really drive home management’s commitment.
The final example we will look at is from Polymed Medical Devices. This quality policy provides much more detail about what specific quality processes will apply to their products. More than the other policies, their policy would make me feel comfortable if they were supplying my company.
Wrapping Up
A quality policy is the first step in creating a great medical device quality management system. So it’s important to know how to create a policy that supports the organizational goals and meets all requirements. By following this article and seeing the examples, you are well on your way to creating an awesome quality policy.
If you have any questions or ideas, feel free to leave them in the comments below.
Finally, if you feel this article was useful, check out our ISO 13485 section to see similar articles and subscribe to our newsletter below.