At this stage, companies have less than six months to be compliant, and many are scrambling—and if they’re not yet, they should be! Basically, we’re coming down to the crunch, so if you’re not yet set up to be compliant, now is the time to take action.
I recently sat down to catch up with Kyle Rose, president of Rook Quality Systems. They help companies achieve ISO 13485 certification using Greenlight Guru’s Quality Management Software platform. If you need some tips and tricks to deal with 13485:2016 before it’s too late, here’s what we discussed.
Get Ready for ISO 13485:2016
It’s time to wake up! ISO 13485:2016 is upon us and many companies out there are already behind. If you are one of those, the cutoff to be certified is February 2019.
Kyle told a story of two clients. Both have their audits scheduled. Part of the process before the ISO auditor comes is that you must have done your internal audit to the new standard. Those companies are now scrambling. Kyle’s company is flying consultants to Texas and California in order to help get them ready.
All internal documentation and processes must be organized and in top shape, but this can be a tough ask with a short amount of time available. Kyle says his company does its best to help out, but it’s always better if there is a good plan in place to tackle the audit.
If you miss the deadline for ISO 13485:2016 certification, there are several possible ramifications for your company. For starters, you could lose your ISO certification and right to sell into the EU marketplace. You could lose CE mark and Health Canada certifications. (Note: If you are certified with Health Canada now, then you need to be compliant in 2018 with 13485:2016.)
MDSAP (Medical Device Single Audit Program) also plays into this, as it is a push to certify companies for multiple markets under one audit. The standard they are going with is ISO 13485:2016. Basically, if you don’t take steps to ensure you are compliant by the deadline, it could have a severe impact on your company’s ability to do business.
What Can You Be Doing Now?
Kyle and others from his company have been onsite as ISO auditors and have conducted their audits for 13485:2016. He has a few things to pass on that he learned from the experience:
- Start by creating a GAP analysis or internal audit plan to review your current QMS. You have to know what’s missing when it comes to complying with the new standard so you can take steps to rectify those. The ISO auditor is going to want to see this GAP analysis. It is considered a key document in the process for the 2016 standard. They want to see the planning and management review materials that went into your preparedness.
- Kyle’s company recommends management reviews on a quarterly schedule. This way, you can engage all who need to be involved in the process, make a plan to address any gaps, then follow up and assess the results next time. It tends to be a simple matter just to increase management reviews (and it’s a good look at audit time), showing you take it seriously. I feel that a lot of companies have previously not taken management reviews very seriously. Senior management has often been out of the loop on significant issues, and the review itself treated as a checkbox activity. The clear message is that it’s not just about compliance, it’s an opportunity to improve your business and emphasize quality. This is one of many reasons why using cloud-based software like Greenlight Guru can provide great benefits to companies. One significant part of the issues around management reviews is that companies view them as time-consuming and difficult, particularly when they need to dig around for information. In essence, with software like Greenlight, you could do a management review at any time because everything is tracked and centrally available.
- Section 4.1.6 talks about validation and use of electronic quality systems or software used within the system. These all need to be validated to the standard. It’s important to do a GAP analysis on your QMS and look for any discrepancies with the 2016 standard. Take a risk-based approach to get the highest priority gaps taken care of before your audit. Be careful if you’re using Dropbox, Box, or other similar programs, as these tend to be difficult to validate with all of the changes that they roll out. Kyle recommends keeping a paper copy in order to track changes. He wouldn’t typically recommend these as good systems for managing medical devices, but people do and it can be done if you manage it closely. The important thing is you cannot ignore the validation part, no matter what system you use. If it touches your QMS, it is required. You can expect auditors to look at these types of things and want to see your evidence. It’s a growing area of concern because more companies are using different software platforms to manage their QMS.
- When using software packages or working with external consultants, these become suppliers. According to ISO 13485, you should have written agreements with them describing their role in the QMS. The supplier area has long been a focus of FDA inspections, so ensure due diligence is done, agreements are signed, and monitoring is happening to bring ISO in line with the FDA. All quality-related items need to be in the agreement. Remember, it is always on you to be responsible for the safety and quality of your product. No matter what third party you use, it is your name on the product and your requirement to have a QMS—even if your third-party manufacturer is ISO 13485 certified!
- There is a trend toward auditors expecting more information to be stored on-site. For example, if you were previously using a third-party manufacturer and were asked by an auditor for your device master record (DMR), it might have been acceptable that the manufacturer has it. Today, we’re moving away from that. They’re going to want to see that you have the DMR and other records yourself.
- The term “medical device file” has appeared in ISO 13485. This is essentially a merger between the technical file and DMR. Typically, you will already have all of this information—it’s just a matter of ensuring it is put together into this medical device file.
Remember there’s a good chance you will need to rewrite up to three-quarters of your procedures. Most have a new risk-based component added and while some will be minor alterations, others will take more work. ISO is also looking for you to document what your role is in each market. Most companies will have something somewhere about this, but ensure you check in and document what they’re looking for.
Jon Speer is the founder and VP of QA/RA at Greenlight Guru, a software company that produces the only modern quality management software solution exclusively for medical device companies. Device makers in more than 250 cities in 26 countries use Greenlight Guru to get safer products to market faster with less risk while ensuring compliance. Speer is a medical device industry veteran with over 18 years of experience, having helped dozens of devices get to market over his career in a variety of roles, including product development, project management, quality, and regulatory. He is also a thought leader, speaker, and regular contributor at numerous leading industry publications.