Waqas Imam Although determining the context of the organization is not a requirement in ISO 13485, it is an explicit requirement in ISO 9001:2015. This standard specifies that an organization must identify both the internal and external factors that may have an effect on its strategic objectives, and those that could impact plans for the Quality Management System (QMS).
That said, context of the organization is mentioned in the ISO 13485 standard, which states: “The design and implementation of an organization’s quality management system is influenced by the . . . organizational environment, changes in that environment, and the influence that the organizational environment has on the conformity of the medical device.” But, it is just a statement concerning the context of the organization, and does not constitute any specific requirement.
Most companies that want to become certified according to ISO 13485 have already gained their ISO 9001 certifications, or at least have plans to implement ISO 9001:2015. This is usually because it is the most general Quality Management System standard, and it is demanded by many customers in various industries, including the medical device sector. This means that an integrated management system encompassing the requirements of both standards will require the determination of the context of the organization, as well as the identification of any necessary actions to be taken.
What does this entail?
Clause 4 of ISO 9001:2015, Context of the organization, requires a company to evaluate and understand itself, and the context in which it operates. This will include determining what conditions, both internal and external, could influence:
- the QMS
- the company’s culture, strategic objectives, and operational goals
- the complexity of its products
- the flow of processes and information
- the size of the organization
- the company’s markets, customers, etc.
This practice is also an excellent way to detect business risks and opportunities related to the organization’s context.
Where should you start?
There is no prescribed method or required set of steps listed in the standard for determining the organization’s context. However, there are some steps that are only logical, and some milestones that can keep you on track.
The first step is to figure out which of these new requirements are already covered in your current documentation. This can save you some time, because some of the requirements from ISO 13485:2003 that have to do with the Quality Manual have been carried over into this new clause (you can learn more about this by reading How to manage a Quality Manual as per ISO 13485:2016 requirements.)
If your company has implemented ISO 13485:2003 already, then you have probably defined the scope of the QMS in the Quality Manual, along with the sequence of processes and the interactions between them. If not, this can be done in text form, or through a flowchart (see How to create an ISO 9001 process flowchart (PDF)).
What kinds of internal and external factors should be included?
Clause 4 of ISO 9001:2015 is somewhat vague, and there is a risk of casting the net too widely when identifying the internal and external influences. To avoid this, you will need to focus just on those issues that play a role in customer satisfaction and your ability to deliver quality products and/or services.
So, when determining internal context, you will need to consider the environment in which your company operates, and anything that could affect the company’s ability to achieve its strategic objectives. A company’s internal context might include its leadership style, its approach to contractual relationships with customers, and the needs and expectations of interested parties. The elements you should take into consideration would be those related to the company culture, beliefs, values, and principles, in addition to the complexity of its business processes and the organizational structure.
When examining external context, you should consider factors related to the organization’s social, political, legal, ethical, environmental, economic, and technological environments. Some examples of elements of the external context include:
- Legal requirements and changes to the law
- Regulatory requirements applicable to medical devices
- Economic shifts in the company’s market
- Competition within the company’s market
- Potential incidents affecting corporate image/reputation, such as product recalls, lawsuits, etc.
- Suppliers’ ability to meet your company’s requirements
- Technological changes
Generally speaking, your CEO and other top management probably keep all of this in mind, but perhaps never actually recorded it all in one place. The best method for getting this done is through a brainstorming session. Synthesizing all of this information will be invaluable as you evaluate where you stand as an organization.
Who are interested parties, and why do they matter?
To put it simply, the identification of relevant interested parties requires your company to decide which people and organizations your company affects with its activities, and how you want to manage these relationships.
Interested parties can include customers and end users, partners and suppliers, legal and regulatory bodies, neighboring businesses, etc. They could also include people within your own organization, owners and shareholders of the company, and even the general public. In short, who are the people and organizations that affect your company, or are affected by what goes on inside your company? Identifying their needs and expectations, and then determining which of these you actually need to address, is critical to implementing an effective Quality Management System. Their opinions and feedback can be a huge help as you look for potential improvements in your organization.
Write it down
Once you have put together all of this information, it needs to be documented. The ISO 13485 standard makes this quite clear. You have two options for doing this:
- Create a new document, which the certification body will examine before the audit instead of a Quality Manual.
- Address these new requirements in your existing Quality Manual. This can be more efficient, because the Quality Manual already meets the old requirements, and you’ll only need to add a section related to context of the organization and interested parties. Another benefit is that employees, who are already familiar with the Quality Manual, won’t have to familiarize themselves with some new documentation structure.
Keep it up
Management review must be conducted at regular intervals to monitor the company’s internal and external context. Once you have an initial understanding of the internal context, management can perform external “PEST” (political, economic, social, technological) and SWOT (strengths, weaknesses, opportunities, threats) analyses and see real benefits from this new requirement, rather than simply fulfilling it on paper.
Context of the organization may seem like just another “document it and forget it” requirement, but that shouldn’t be the case. Understanding the context of your organization and learning the opinions of your interested parties are both important for identifying opportunities for improvement, so don’t just go through the motions.
Why not find out more about the changes in ISO 13485 with this Infographic: What’s new in the 2016 revision of ISO 13485.
