GP-002 Quality planning
Procedure flowchart
Chapter 1: Quality Planning and Management Review
Management Review Inputs (ISO 13485:2016 clause 5.6.2)
Purpose
To define the methodology to manage all the activities related to the planning of our Quality Management System (QMS).
Scope
All the aspects of the QMS that can have a significant impact directly or indirectly on the process of quality planning and the QMS.
Definitions
- SWOT: SWOT analysis is a framework for identifying and analyzing an organization's strengths, weaknesses, opportunities and threats.
- CAME: CAME (Correct; Adapt to; Maintain; Explore) is the tool that will help us put into practice what was obtained in the SWOT analysis. We are going to correct weaknesses, face threats from the environment; we are going to maintain the strengths and finally we are going to explore the opportunities.
- Threats: External risks that we do not have direct control over.
Responsibilities
JD-001
To provide the company with the necessary resources to implement and improve the QMS, approve the T-002-002 Quality objectives, the T-002-004 Annual management review report and the T-002-007 Process validation cards. To perform and approve the SWOT and CAME analysis during the Management Review.
JD-004
To monitor the T-002-002 Quality objectives, the T-002-003 Quality indicators, the actions to address the risks, and to prepare the T-002-004 Annual management review report and the T-002-007 Process validation cards.
JD-003
To help the JD-001 and JD-004 on the activities related to the process planning. To attend to the annual management review meeting and review the T-002-004 Annual management review report.
JD-005
To help the JD-001 and JD-004 on the activities related to the process planning. To attend the annual management review meeting and review the T-002-004 Annual management review report.
Inputs
- Quality planning requirements
- Quality Policy
- QMS background and previous experience
- Customer and legislation requirements
Outputs
- Successful implantation of the QMS and continuous improvement.
T-002-002 Quality objectivesT-002-003 Quality indicatorsT-002-004 Annual management review reportT-002-005 Quality calendarT-002-007 Process validation cards
Development
This procedure is organized into two main chapters:
- Chapter 1 - Quality Planning: Covers quality objectives, quality indicators, and the annual Management Review process according to ISO 13485:2016 clause 5.6.
- Chapter 2 - Process validation and risk-based approach: Covers the validation of QMS processes and the simplified risk-based approach required by ISO 13485:2016 clause 4.1.2.b. Process risks are reviewed annually during the Management Review.
Chapter 1: Quality Planning
Human resources quality planning
We have planned an organizational structure of our personnel established in the Annex-3 Organization chart defined in our human resources tool, and the substitutes for each position are recorded in the Annex-4 Substitution table. When necessary, the implemented changes are recorded as defined in the Procedure GP-001 Documents and records control and GP-005 Human resources and training.
The experience, knowledge and responsibilities required for each position are defined in the T-005-001 Job description. When the corresponding job description is modified or created, it will be done in accordance with the Procedure GP-001 Documents and records control and GP-005 Human resources and training.
The activities related to the training actions and the methodology we have implanted to satisfy the needs to accomplish the personnel competence requirements are described in the procedure GP-005 Human resources and training.
Organizational philosophy
The Quality policy (Annex-1 Quality policy) defines the company philosophy regarding quality. It is reviewed and approved yearly, and communicated to our personnel. The quality policy lays the foundation on which the quality objectives are established, and recorded at the T-002-002 Quality objectives.
The quality policy is accessible to all the members of the company in electronic format within this QMS and also through our website.
Quality objectives
Every year, during the annual management review, the top management establish the new quality objectives for the year. Each quality objective is related to an associated individual planning and contains the following information:
- Objectives definitions
- Resources
- Deadlines and follow-up
- Responsible
- Quantification whenever possible
- Indicators follow-up
The objectives are approved by the JD-001. For each proposed objective, the previously planned follow-up is carried out with the periodicity defined in the T-002-002 Quality objectives.
New project quality planning
When a new project arises from the annual management review or during any other activity or requirement, it will be planned and registered as a new objective to ensure all the relevant aspects required during the planification are considered.
The specific tasks and activities that arise form the new planification, new objectives or open projects are managed with our different tools:
- Design and development activities are registered at the Atlassian suite of applications according to the
GP-012 Design, redesign and developmentprocedure. It includes a roadmap of the foreseen activities and estimated times of achievement. Each validated tool is documented in its correspondingR-002-007 Process validation card. - Trello boards for the different departments or areas (see corresponding
R-002-007 Process validation card).
In addition to the regular monitoring of objectives mentioned above, people involved in the different activities perform periodic meetings to share the advances and problems, and review and establish the roadmap and priorities.
| Meeting name | Frequency | Lead | Attendees |
|---|---|---|---|
| Medical data science daily | 3 days per week | JD-005 | People involved in the development of the device |
| Product development weekly | Once a week | JD-003 | All technical employees, including those not directly involved in the device |
| Medical data science biweekly | Once every two weeks | JD-005 | The whole company, including the JD-001 |
| Quality biweekly | Once every two weeks | JD-004 | The whole company, including the JD-001 |
| HR weekly | Once a week | JD-006 | JD-006, JD-001and any other head of department required |
| Sales daily meeting | Once a day | JD-002 | Sales department |
| Sales end-of-week meeting | Once a week | JD-002 | The whole company, including the JD-001 |
Management of non-achieved quality objectives
When a quality objective is not fully achieved within the established timeframe, the following process is applied to ensure proper evaluation, documentation, and continuous improvement in accordance with ISO 13485:2016 clauses 5.6 and 8.5.1:
1. Impact assessment
The responsible person for the objective evaluates the impact of not achieving the objective on:
- QMS effectiveness: Assessment of whether the non-achievement affects the overall functioning of the quality management system.
- Product quality and safety: Evaluation of any potential impact on the medical device's safety, performance, or intended use.
- Regulatory compliance: Review of implications for current certifications and regulatory requirements.
- Customer satisfaction: Consideration of effects on customer expectations and service delivery.
2. Root cause analysis
A root cause analysis is conducted to identify the underlying reasons for not achieving the objective. Common categories include:
- External factors: Regulatory body delays, market conditions, third-party dependencies.
- Strategic decisions: Deliberate prioritization of other objectives based on business or regulatory needs.
- Resource constraints: Limitations in personnel, budget, or time.
- Scope changes: Modifications to the original objective due to evolving requirements.
3. Decision and justification
Based on the impact assessment and root cause analysis, the top management decides one of the following actions:
| Decision | Criteria |
|---|---|
| Extend | The objective remains relevant, progress has been made, and completion is expected in the next period. |
| Modify | The objective needs adjustment due to changed circumstances or requirements. |
| Close | The objective is no longer relevant or has been superseded by other priorities. |
The decision and its justification are documented in the corresponding R-002-002 Quality objectives record.
4. Corrective actions
If the root cause analysis reveals a systemic issue or process deficiency, corrective actions are defined according to GP-006 Non-conformity. Corrective and preventive actions. When the non-achievement is due to strategic decisions or external factors beyond the organization's control, corrective actions may not be required, provided this is properly justified.
5. Documentation and review
The complete analysis is documented in:
- Individual objective record (
R-002-002): Impact assessment, root cause analysis, decision, and corrective actions. - Quality objectives list (
R-002-001): Summary of all objectives with their final status. - Management review report (
R-002-004): Consolidated review of quality objective performance as input for the annual management review.
This process ensures transparency, accountability, and continuous improvement while demonstrating to regulatory authorities that non-achieved objectives are properly managed and do not compromise product quality or patient safety.
Quality indicators
The evaluation of the performance of the processes is carried out through the T-002-003 Quality indicators. All these indicators are registered in the same document that contains different sections to document the progression throughout the years. This file is contained in the pertinent folder and named as a record, in accordance with the Procedure GP-001 Documents and records control.
The quality indicators are established by the top management covering all the company areas to ensure all the processes are under control. In the T-002-003 Quality indicators it will be assigned a standard planned value (values that define the acceptance limits for each process) for each indicator, and they are monitored quarterly (or as indicated in the record). With the data obtained in the different indicators it is evaluated whether the process is under control or not (the results obtained are within the planned results), and if any additional action must be implemented to achieve the planned value.
If the indicators show that a process is out of control, the situation is corrected to return the process to a controlled situation, and if necessary, the pertinent actions are taken as described in the Procedure GP-006 Non-conformity. Corrective and preventive actions.
On those processes that are under control, actions of continuous improvement can be suggested, with the intent of optimising the results. In this case, new objectives will be set to achieve these improvements. Annually, the person responsible for the process proposes to the JD-004 the actions to improve the process. The JD-004 collects all the proposals and exposes them at the annual management review meeting to establish the required actions (as new objectives, changes, preventive actions...) to achieve the improvements approved.
Responsibility, authority and communication
Responsibility and authority
Our top management ensures that the responsibilities and authorities are defined, documented, and communicated within the organization, through the Annex-3 Organization chart published in our human resources tool.
The top management documents the interrelation of all the personnel who manage, carry out and verify and, where appropriate, approve any process that affects the quality and guarantees the independence and authority necessary to carry out these tasks.
Management representative
The top management designates a management representative who has the responsibility and authority to:
- Ensure that the processes required for the QMS are documented.
- Inform the top management about the effectiveness of the QMS and any need for improvement.
- Ensure awareness of the applicable regulatory requirements and QMS requirements in the whole organization.
The position is filled by the person designated in the Quality Manual: JD-004 and JD-005.
Internal communication
The top management ensures that the appropriate communication processes are established within the organization and that communication is carried out considering the effectiveness of the QMS. It is documented in the Quality manual Internal communication section.
External communication
The Procedure GP-021 Communications defines the principles and limits in communications with customers, clinicians, scientists, technicians, investors, advertisements, social networks and web content.
Management review (ISO 13485:2016 clause 5.6)
At least once a year, a meeting is held to monitor compliance with the QMS. As a result of this meeting, the T-002-004 Annual management review report is elaborated and it is signed by all the attendees: JD-001, JD-004 and other partners. Any necessary actions derived from the conclusions of this meeting will be treated in accordance with the Procedure GP-006 Non-conformity. Corrective and preventive actions.
The objective of this review is to ensure that the quality planning is efficient. The conclusions reached at this meeting will be the basis for the continuous improvement of our QMS.
During this meeting we also review the company context by using the SWOT analysis to identify the main strengths, weaknesses, opportunities and threats and address them as appropriate following the CAME analysis. Results of this review are recorded in the T-002-004 Annual management review report.
Review inputs (ISO 13485:2016 clause 5.6.2)
In accordance with ISO 13485:2016 clause 5.6.2, the inputs for the management review shall include, but are not limited to:
| Input | Description | Source document |
|---|---|---|
| Feedback | Customer feedback, including complaints | GP-014 Feedback and complaints, Hubspot |
| Complaint handling | Analysis of complaints received during the period | GP-014 Feedback and complaints |
| Reporting to regulatory authorities | Vigilance reports, incident notifications | GP-004 Vigilance system |
| Audits | Results of internal and external audits | GP-003 Audits, R-003-005 Internal audit report |
| Process monitoring and measurement | Quality indicators performance | T-002-003 Quality indicators |
| Product monitoring and measurement | Product conformity data, release records | Technical File records |
| Corrective actions | Status and effectiveness of corrective actions | GP-006 NC and CAPA, Jira |
| Preventive actions | Status and effectiveness of preventive actions | GP-006 NC and CAPA, Jira |
| Follow-up from previous reviews | Status of actions from previous management reviews | Previous T-002-004 |
| Changes affecting QMS | Changes to regulations, standards, organization | R-001-005 List of applicable standards |
| Recommendations for improvement | Suggestions from personnel and stakeholders | Meeting inputs |
| New or revised regulatory requirements | Updates to applicable regulations and standards | R-001-005 List of applicable standards |
| Training | Training plan status and effectiveness | R-005-003 Training plan, GP-005 Human resources |
| Supplier evaluation | Supplier performance and approved supplier list | R-010-001 Suppliers evaluation, GP-010 Purchases |
| Risk management activities | Process and product risk management status | R-002-007 Process validation cards, GP-013 Risk management |
| Post-market surveillance | PMS data and trends | GP-007 Post-market surveillance |
| Infrastructure | Status of infrastructure and work environment | GP-018 Infrastructure and facilities |
Annual review of applicable standards and regulations
During each Management Review, the R-001-005 List of applicable standards and regulations (based on template T-001-005) shall be reviewed to ensure all applicable regulatory requirements remain current. This review shall include:
-
Version verification: Check each standard and regulation listed to identify if new versions have been published since the last review.
-
New requirements identification: Identify any new standards, regulations, or guidelines that have become applicable to our products or QMS.
-
Impact analysis: When a new version or new requirement is detected:
- Document the changes between versions
- Assess the impact on the QMS, product design, clinical evaluation, or other affected processes
- Define necessary actions to achieve compliance with the new requirements
- Establish timelines for implementation
-
Compliance status update: Update the compliance status column in R-001-005 to reflect current conformity levels.
-
Documentation: Record the results of this review in the
T-002-004 Annual management review report, including:- List of standards/regulations reviewed
- New versions identified
- Impact analysis results
- Planned actions and deadlines
Any non-compliance or gap identified shall be addressed following the Procedure GP-006 Non-conformity. Corrective and preventive actions.
Review outputs (ISO 13485:2016 clause 5.6.3)
The outputs of the management review should be recorded and should include the revised inputs and any decisions and actions related to:
- Improvements necessary to maintain the suitability, adequacy and effectiveness of the QMS and its processes
- Product improvement in relation to customer requirements
- Changes necessary to respond to new or revised applicable regulatory requirements
- Resources needs
All the relevant information from this meeting, including the results and conclusions are recorded in the T-002-004 Annual management review report.
In relation to the proposed changes and the ones finally adopted, the version's management of this report is done as it is defined in the Procedure GP-001 Documents and records control. The necessary actions implemented are developed accordingly following this procedure, or the GP-006 Non-conformity. Corrective and preventive actions when corresponding.
Mandatory attendees
It is necessary that the following people assist each management review:
- Executive committee:
JD-001JD-003JD-005
- Management representative
JD-004, that will act as the meeting coordinator.
The meeting will be convened by the assistants with the periodicity agreed in this procedure (typically in the first trimester of the year). They will use any means that allow leaving written evidence of the call, with written evidence of the correct reception by those called.
When the attendees confirm their assistance, the JD-004 will convene a meeting specifying the date selected by the attendees, by written means allowing the evidence. A change in a date already confirmed will be allowed at the request of one of the attendees, provided that it is due to major causes and is accepted by the rest of the attendees.
As an exception, it will be possible to hold a management review in the absence of one of the mandatory assistants only if there is a prior written agreement signed by all of them. It will be announced in written form by the management representative and keeping evidence of all the mandatory attendees.
Chapter 2: Process validation and risk-based approach
This chapter fulfills the requirement to apply a risk-based approach to the control of QMS processes. This is distinct from product risk management (GP-013, ISO 14971), which addresses medical device safety risks.
Process validation
Each QMS process is documented in a T-002-007 Process validation card, which includes:
- Process description and requirements
- Validation method and evidence
- Identified risks that could affect process effectiveness
- Control measures for significant risks
The process validation cards are maintained as records (R-002-007) by the process owner.
Risk-based approach
Per ISO 13485:2016 clause 4.1.2.b, risks are considered as part of process validation and planning. This approach:
- Identifies potential risks during process validation
- Documents control measures for significant risks
- Reviews process effectiveness annually during Management Review
ISO 13485:2016 requires a "risk-based approach" but does NOT require:
- FMEA-style RPN calculations for QMS processes
- Quarterly process risk reviews
- A separate process risk register
These complex methods are appropriate for product risk (ISO 14971), not for QMS process control. Our simplified approach fulfills clause 4.1.2.b while remaining practical.
Connection with Management Review
Process validation cards (R-002-007) are a required input to the annual Management Review (see table in clause 5.6.2 section above).
Process validation cards can be created or modified at any time during the year by the process owner, independently of the Management Review cycle. This allows the organization to respond promptly to new tools, process changes, or identified risks without waiting for the annual review.
However, all process validation cards are revalidated and reapproved annually during each Management Review. During this annual revalidation:
- Each process owner confirms the card remains current and accurate
- Identified risks and control measures are reviewed
- The card receives a new version number documenting the revalidation
- Any discrepancies or required updates are documented in
T-002-004 Annual management review report
This ensures that all validated processes are formally reviewed at least once per year by top management, while still allowing interim updates when needed.
During the Management Review, process validation cards are revalidated:
- Each process owner presents the status of their process validation card
- Identified risks and control measures are reviewed
- Process effectiveness is evaluated based on quality indicators and audit findings
- The card is reapproved with a new version number
- Any discrepancies or required changes are documented in
T-002-004 Annual management review report - Actions for improvement are assigned and tracked
Documentation of changes: Any substantive changes to process validation cards (new tools, changed methods, new risks identified, etc.) shall be summarized in the T-002-004 Annual management review report. The cards themselves are updated with a new version in the Version control table, but the rationale and discussion of significant changes are documented in the Management Review report for traceability.
This ensures that process risks are formally reviewed at least annually by top management, fulfilling both clause 4.1.2.b (risk-based approach) and clause 5.6 (management review).
Review frequency
| Activity | Frequency | Responsible | Output |
|---|---|---|---|
| Process validation card update | Any time (when changes occur) | Process owner | Updated R-002-007 |
| Process validation card revalidation | Annually (during Management Review) | All owners | New version with reapproval |
| Triggered review | When significant changes occur | Process owner | Updated R-002-007 |
Triggers for process review
A process validation review is triggered by:
- Significant non-conformities affecting the process
- Changes to process tools, systems, or methods
- Relevant audit findings
- Changes in regulatory requirements
Actions identified are managed according to GP-006 Non-conformity. Corrective and preventive actions.
Quality calendar
We have implemented a quality calendar (R-002-005 Quality calendar) that compiles all the relevant events and actions to perform each month to ensure all the programmed activities are developed at the required frequency.
This calendar contains a Gantt chart with all the events and a Google Calendar, inserted also in our QMS. This type of calendar allows us to program alarms and reminders to the activities responsibles, and to see the quality calendar from our day-to-day personal Google Calendar.
Associated documents
T-001-005 List of applicable standards and regulationsT-002-001 Quality objectives listT-002-002 Quality objectivesT-002-003 Quality indicatorsT-002-004 Management review reportT-002-005 Quality calendarT-002-007 Process validation cardT-005-001 Job descriptionAnnex-1 Quality policyAnnex-2 Process mapAnnex-3 Organization chartAnnex-4 Substitution tableGP-001 Documents and records controlGP-005 Human resourcesGP-006 Non-conformity. Corrective and preventive actionsGP-013 Risk management(for product risks)GP-021 Communications
Signature meaning
The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:
- Author: Team members involved
- Reviewer: JD-003 Design & Development Manager, JD-004 Quality Manager & PRRC
- Approver: JD-001 General Manager