This article is aimed at people working with quality management systems since it will present how to create controlling documents that are essential for QMS.

It will focus on purpose and scope which may seem simple at a first glance. And sure enough, writing a purpose and scope that will work in an audit or inspection is not that difficult. But if you aim a bit higher than just passing an audit, drafting the purpose and scope properly and with excellence is very useful.

The introduction of an SOP

First and foremost, there is nothing in the MDR, the QSR, or the ISO 13485 that requires the manufacturer to have any specific contents in the introduction of an SOP (Standard operating procedure) or a controlling document.

From that point of view, one could say that writing almost anything could be right from the regulatory stance. But, then again, some things are more or less common to include, and if something is very often included, it is usually seen as the best practice.

There is a number of things that might be found in the introduction of an SOP. Typical sections in the introduction would be:

  • Purpose
  • Scope
  • Responsibilities
  • Knowledge requirements
  • Equipment
  • Access rights
  • Definitions
  • Acronyms
  • References
  • Audience or intended audience, and
  • Table of contents.

Sometimes, other variations of these terms can be found. For example, the scope could be referred to as the application, and definitions and acronyms are sometimes grouped together.

How to write a purpose

To illustrate how to write a really good purpose, let us use a risk management procedure as an example.

An example of an SOP could be the one that covers risk assessment. Risk assessment is a part of the larger risk management process. According to the ISO 14971, risk assessment comprises risk analysis and risk evaluation.

Risk management planning chart

Having said that, risk assessment is basically half of the overall risk management process. And this is important when determining the purpose of the procedure.

In this case, with risk assessment, one could address the first output of the risk assessment, which would be the identification, estimation and evaluation of risk. And then the overall purpose, which is to create safe medical devices could be added.

Purpose

The purpose of this procedure is to ensure that:

  • Risks are identified, estimated and evaluated
  • Released products are safe

When trying to define the purpose, the main idea should be what is going to come out of the process, and what is that result going to be like. That is the most tangible and important purpose.

But it makes sense to also supplement that purpose with the greater purpose, which is – what will come out of the main process that the procedure is part of.

Regulatory requirements in QMS

But what if a company is really skilled at performing risk management? Could the risk management procedure be skipped? The answer is no.

There is a regulatory requirement to have a documented risk management procedure. One of the purposes of these procedures, then, is to satisfy the regulatory requirement for a documented procedure. This has been added as a third purpose of the same procedure.

Purpose

The purpose of this procedure is to ensure that:

  • Risks are identified, estimated and evaluated
  • Released products are safe
  • Regulatory requirement on having a document procedure for risk management is met

Efficiency in QMS

There is another perspective that will lead to two more purposes for this particular procedure. It is relating to efficiency.

From a business perspective, it means that resources should not be wasted with lots of trial and error. And the procedure should facilitate the efficient and effective implementation of the risk management process, as opposed to what would be the case if everyone was doing it without guidance from the procedure.

Another perspective that supports the efficiency is that risk assessment should be carried out in a consistent way. The underlying assumption is that by doing things the same way over and over again, greater efficiency is achieved.

Purpose

The purpose of this procedure is to ensure that:

  • Risks are identified, estimated and evaluated
  • Released products are safe
  • Regulatory requirement on having a document procedure for risk management is met
  • Risk management work is efficient
  • Risk assessment is carried out in a consistent way

Keep in mind though, that even if there is a documented procedure, it does not always result in an efficient or even consistent process, because procedures could include wasteful steps, so even if the risk assessment is done in the same way over and over again, resources might still be wasted.

To sum it all up, the example procedure has five purposes.

The first one focuses on the actual output of this procedure and the steps in the process that documents.

The second one is the overall purpose of the main process where this procedure is a part.

The third one is bringing up the regulatory requirement, which in this case is a purpose in itself.

And the last two are addressing efficiency and business-oriented reasons for the procedure.

It seldom happens that someone gets a nonconformity due to a poor purpose in a procedure. Still, if the purpose is clear, it is much easier to create the rest of the procedure.

The most common pitfall with the purpose section is describing what the procedure covers and includes, instead of why it is there. What the procedure covers should be saved for the scope section, that is where it belongs.

The scope of an SOP or a controlling document

Speaking of the term scope, understanding it can be challenging. In project management, the project’s scope is what is included in the project and what is not, and that is a good way of understanding the scope for a procedure as well: what is included and what is not.

Adding another question to this makes it even easier: To what and where does the procedure apply?

As previously said, in the example of risk management, an appropriate start of the scope would be to address the process. In this case, it is the risk assessment process.

The second part is about what products or projects this procedure applies to.

If there is, again, a hypothetical company that makes both medical and non-medical devices, it needs to specify that a procedure applies to either one or the other or both types of devices.

If it is selling medical devices to the European Union, it might also have accessories to the medical devices in the product range. Accessories should be regulated in the same way as medical devices, but they are still accessories. And since they are regulated the same way as medical devices, risk management requirements also apply to accessories, so they are included and are within scope.

And the procedure should be applied for new product development, which may be quite apparent, but also when changes are made to existing medical devices and accessories.

Scope

The procedure covers Medtech Inc’s risk assessment process.

This procedure applies to:

  • Medical devices
  • Accessories to medical devices
  • New product development
  • Changes to existing medical devices and accessories

Optional additions to the SOP

There are two more things to mention, and they can be seen as optional. The first thing is to explain what is not within scope, just to be on the safe side.

This is done to prevent someone from becoming too creative with how this procedure could be applied. It may be wise to include these “exclusions”. It can be skipped if there is no fear of someone using the device outside of scope.

And the last thing to mention is that the word application might be the right word to use instead of, or together with the word scope. It makes sense because it would be answering the question of what and to whom the procedure applies.

Scope

The procedure covers Medtech Inc’s risk assessment process.

This procedure applies to:

  • Medical devices
  • Accessories to medical devices
  • New product development
  • Changes to existing medical devices and accessories

For clarification, risk management planning, risk control and risk management activities following thereafter are not covered by this procedure.

This procedure is applicable to any one engaged in:

  • Performing risk assessment
  • Reviewing or approving outputs from risk assessment

Would you like to know more about Quality Management?

If you want to know more about ISO 13485 and quality management for medical devices, take a look at our online Quality Management for Medical Devices and ISO13485 course. This comprehensive course is specifically tailored to make the requirements of the ISO 13485 as tangible and concrete as possible, so participants can confidently work in an organisation where ISO 13485 requirements apply. It introduces tools and methods on how to work successfully and efficiently within a quality management systems.

Our online courses are frequently taken by competent authorities, notified bodies and medical device manufacturers and distributors.

Peter Sebelius

Peter Sebelius - Author image

Peter Sebelius (PMP) is a highly esteemed trainer, consultant and entrepreneur in the medical device industry. He is a member of the Joint Working Group that is revising the ISO 13485 and ISO 14971 standards.

He has vast ‘hands on’ experience too, having developed, amongst other things, a mechanical chest compression and an ex vivo perfusion machine for lungs. He has received numerous awards including the Great Design Award and the title “This year’s specialist” by Veckans affärer.