ISO 13485:2016 imposes new requirements concerning risk-based quality management
ISO 13485 revised: Companies seeking to market their medical devices on various markets such as the European Union, Canada and Japan will now be required to establish a quality management (QM) system, and obtain certification in accordance with ISO 13485. The new provisions of the ISO 13485:2016 are based on the ISO 9001:2008, but go further in imposing further regulatory requirements on medical device manufacturers. Revision of the twelve-year-old standard was urgently needed. The third edition of March 1, 2016, reflects the technological progress, made since the standard first took effect, and the global changes to regulations that have been introduced since then. Manufacturers and service providers in the medical device sector must therefore prepare to meet changed and extended requirements. We have summarized the main changes.
A risk-based approach to the QM system (Clause 4)
In the new edition the use of a risk-based approach to control processes in the QM system is no longer limited to the phases of product realization. Instead, a risk-based approach is now applied to all processes of the QM system, too, such as document control, outsourced processes, complaint management, and many more. The validation of all types of computer software used in the QM system is now expanded to include software applications outside product realization, in areas including document control and complaints management. The new standard describes the contents of Device Master Records (DMR) in greater detail and gives examples of mandatory documents.
Management responsibilities clarified (Clause 5)
ISO 13485:2003 already included requirements for the planning and implementation of a QM system and provisions for regular management reviews to ensure the QM system’s effectiveness. However, the wordings in ISO 13485:2003 left room for individual interpretation of the requirements. By contrast, ISO 13485:2016 now demands a definition of the “role” that an organization plays within the scope of the regulatory requirements (e.g. representative, importer, manufacturer, etc.) and, taking a risk-based approach, of the processes related therewith. For this purpose, the new standard describes the input and output of the regular management review of the QM system’s effectiveness in greater detail, leaving less room for interpretation. Management representatives now have the additional responsibility of promoting awareness of the significance of regulatory requirements among all employees of the organization.
Resource management related to human resources and sterile products (Clause 6)
In the new standard the requirements for employees, which affect product quality, focus more clearly on employee “competence”, which is based on education, training, capabilities, and experience. The subclause “Work environment” was expanded by adding “contamination control” and now also includes requirements for the validation of sterilization processes, including sterile barrier systems.
Risk-based approach to product realization (Clause 7)
This is the most comprehensive Clause of the standard. It specifies the requirements and their risk-based implementation for all product-realization processes, including the planning of product-realization and customer-related processes; design and development; purchasing, production and service provision, and the control of monitoring and measuring equipment. The new edition now includes special requirements for the validation of software used in monitoring and measuring equipment. The aspect of “usability” has been added to the design and development process. In the future, the reasons for the selected sample size in design verification and design validation must be provided and documented.
There are now separate subclauses describing the requirements for transferring design and development outputs to production (transfer design) and for the contents of the design history file (DHF)
Defined processes for measurement, analysis and improvement (Clause 8)
This Clause describes aspects including the requirements for the manufacturer’s feedback system. The manufacturer must define processes for recording and evaluating production and postproduction data and integrating them into the risk-management process.
Notification to the regulatory agencies is now addressed by a separate subclause of the standard and has been extended by the addition of adverse event reporting. Regarding the control of nonconforming products, the standard now differentiates between corrections and corrective actions for nonconformities identified before and after delivery.
Which aspects will become easier and which aspects will become more complex for manufacturers?
As the structuring of the requirements has been improved and as requirements are now described in more detail, overall understanding of the requirements should become easier, which should benefit both manufacturers and the auditors of the Notified Bodies.
The revised and/or amended Clauses of ISO 13485:2016 have been aligned to the US FDA Quality System Regulation (QSR) for medical devices (21 CFR Part 820). Given this, the new standard should not pose a major challenge for manufacturers who already hold registrations in the U.S. and undergo regular surveillance audits by the FDA. In these cases, alignment of the requirements to the FDA requirements should make life easier for manufacturers.
For manufacturers distributing their products on other markets (e.g. the EU), the challenges posed by the new standard should also be manageable. The EC conformity assessment procedures build on the principle of the “safety and efficacy” of medical devices, and the new ISO 13485:2016 does not change these requirements. And, while the new standard includes more detailed description of the requirements for QM systems, the same requirements also had to be met under the previous ISO 13485:2003 standard. The ZZ Annexes of EN ISO 13485:2016 will once again show that not all of the requirements of the EU directives are covered directly by the standard, but must be addressed in the manufacturer’s QM system.
Interestingly, the scope of the ISO 13485:2016 standard now clearly references the organizations involved in the various phases of the product life cycle, including the suppliers of products and services. The “roles” of an organization, for example, include manufacturer, authorized representative, importer, and distributor.
Suppliers or service providers in the medical device industry who so far have based their QM systems on the ISO 13485:2003 standard alone or have not yet documented any QM system at all (e.g. authorized representatives) may find the introduction of the new standard more of a challenge. For these parties, the changes of the new standard and, in particular, the risk-based approach for all processes in the QM system and the requirement to validate the application of computer software will certainly cause higher implementation efforts.
Organizations with a QM system based on the ISO 13485:2016 and the ISO 9001:2015 standards are facing another challenge. The ISO 13485:2016 standard is not based on the “High Level Structure” of the new ISO 9001:2015, which comprises ten clauses; instead, it still has the eight-clause structure. Given this, the two standards no longer match as far as their structure and numbers of clauses are concerned. The differences in the requirements of ISO 9001:2015 and
ISO 13485:2016, particularly the differences in the requirements for the management and improvement of the QM system, are greater than those in previous versions of the standards. Given this, management systems that are based on these two standards are becoming more extensive, complex and difficult to maintain.
How should manufacturers of medical devices best prepare for the new ISO 13485:2016? May some organizations even benefit from the new Standard?
There will be a three-year transition period from ISO 13485:2003 to ISO 13485:2016. It is still unclear as to exactly when the EN ISO 13485:2016 standard will be published and subsequently harmonized. Irrespective of this, we recommend all organizations affected by the change to start analyzing the measures necessary for adjusting their QM system to
ISO 13485:2016 as soon as possible. ISO 13485:2016 – Annex A, which describes the differences between the two revisions, may prove helpful in this context. The analysis of the existing QM system and its continuous improvement should be objectives for the QM system’s effectiveness in all cases, and use of the ISO 13485:2016 standard may prove beneficial in this context.
Organizations holding registrations in Canada will have to switch from the Canadian Medical Devices Conformity Assessment System (CMDCAS) to the Medical Device Single Audit Program (MDSAP) in near future. We recommend reading the “MDSAP Companion Document”, which is publicly available at the FDA, to monitor the status of implementation of the ISO 13485:2016 requirements into the MDSAP program.
What can TÜV SÜD do for manufacturers?
To help you estimate the individual efforts involved in your implementation of ISO 13485:2016 and prepare for the change in the best possible way, TÜV SÜD will provide you with basic information related to the new standard. Our factsheet, which is available for download here, summarizes the information at a glance. Our specialists and experts will be happy to answer any further questions you may have.
For more medical engineering seminars, click here.