Maria Fagan, President and Co-Founder, Regulatory and Quality Solutions LLC (R&Q)04.03.18
For the first time in 13 years, the International Organization for Standardization (ISO) has updated ISO 13485, the medical device industry’s framework for quality management systems (QMS). With an emphasis on risk management in the quality system process, the changes impact organizations in the medical device supply chain, auditors/certification bodies, training providers, and consultants.
Over half the transition time from the 2003 edition to the new ISO 13485:2016 is behind us. The transition period ends in March 2019, leaving any ISO 13485:2003 certification invalid. The proposed revisions to the current version of ISO 13485 can be summarized in these points:
Following is an overview of 17 key differences between ISO 13485:2003 and ISO 13485:2016. (This article will cover points 1-7; remaining points will be explained in part two of this article which can be found here.)
1. Introduction and Scope Statement Clarifications (Sections 0, 1, and 2)
Adding to what was listed in the previous edition, the scope of a quality management system includes:
The new edition also outlines several key concepts, including the risk-based approach. To document a requirement means firms must establish, implement, and maintain the procedures to accomplish that requirement.
The scope adds wording to define use of the QMS throughout the product lifecycle, the idea that an organization should identify outsourced processes, the ability to declare non-applicable sections of the standard for the organization’s QMS (from sections 6, 7, or 8), and some clarifications of terminology and phrases used.
In 2003, there was an exclusion for design control insofar as it is excluded for regulatory purposes. If regulatory authorities outline an exclusion regarding regulatory requirements, the standard will not apply to those requirements; the exclusion is maintained as it was in the 2003 edition.
In addition, the requirements outlined in sections 6, 7, or 8 may be tailored to the organization’s role. Anything required in Clauses 6, 7, or 8 can be deemed not applicable because the organization’s role would be outlined in the QMS documentation as “not applied,” and outside the QMS’s scope. For instance, a distributor may not need to maintain a production infrastructure, so those requirements would not apply. Keep in mind, the role may be specific to a product or geography.
2. New and Modified Definitions (Section 3)
Every definition in the 2003 standard has either been modified or removed, and several new definitions have been added.
This section is important because understanding the definitions is the source of many of the requirements’ interpretations. Also, users of the standard must understand the hierarchy of how the definitions are used. In other words, when interpreting the requirements, the first place to look for definitions are those included in Clause 3 of the standard. The next place to look is within the normative references; for ISO 13485, the only normative reference is ISO 9000. The dictionary definition prevails if the word is not in either of these places. This provides an opportunity to define words within quality system processes. The dictionary definition may be chosen if it is the best option, then documented appropriately.
While this section has little impact on compliance issues, the new definitions of manufacturer, distributor, medical device, and risk provide clarification to ensure proper understanding of the standard’s applicability and requirements.
The supply chain explanation included in the prior version has been removed.
3. General Clarification Requirements—Risk (Section 4)
Within the context of the 13485 standard, risk is outlined as related to product safety and performance and meeting applicable regulatory requirements. The standard requires application of a risk-based approach throughout the QMS. This leads to a proactive response to mitigating risks to “as low as possible” and taking preventative action throughout the system.
If a resulting risk might impact another process, an associated risk analysis must be completed when creating process flow diagrams to assess the risk related to a particular process. Manufacturers are also required to record risk-related information to protect from the “20-20 hindsight” auditors might have. It will document why decisions were made at a particular time. Also, it will help with revisiting and making adjustments to past decisions when mitigating risk, as appropriate.
Manufacturers must define their organization’s role as well. Are you the legal manufacturer? Are you responsible for regulatory requirements, notifications, post-market surveillance (PMS), and vigilance? Are these requirements properly defined and documented? The proposed changes to this Clause will require this information to be justified and documented accordingly.
4. Updates to the Management Review (Section 5)
The biggest difference to this section is the update of management review inputs. For example, in the 2003 edition, we listed “status of preventive and corrective action” as an input. We’ve changed that to “information related to…corrective action” and “…preventive action.” This conveys that top management needs more information than just a status; it needs all the information related to this subsystem. For instance, management may also need to understand any delays in taking corrective action, why they are late, if there are adequate resources, or what might affect the corrective action system’s suitability, adequacy, and effectiveness.
The old standard included “results of audits.” The new edition outlines “information related to…audits.” Top management must be aware of information from internal and external audits, the amount of audit resources, and if there are resources to address audit findings. These should all be brought into management review to ensure the audit system is suitable, adequate, and effective.
The overall idea is to understand each of the subsystems and verify that subsystem (corrective action, audits, management review, supplier controls, etc.) is suitable, adequate, and effective. This should encourage top management that the overall QMS is suitable, adequate, and effective as well.
5. Competency/Training Effectiveness (Section 6)
With the updated standard, it’s no longer sufficient to express simply that personnel have been trained. There must be confirmation that competent personnel—including top company managers and vice presidents—can perform their assigned jobs and duties. Incorporating a risk-based approach, the new standard focuses on ensuring the actions taken and training provided establish the personnel’s competency.
With a low-risk procedure, the competency file’s language may read something like “read and self-assess your competency,” so management can judge whether or not someone is capable of doing that procedure. For higher risk procedures (like a final test or a complicated assembly), personnel should be observed while performing the task to establish competency. Periodically, managers and supervisors may want to address the competency of their work force.
Organizations should shift from training files to competency files that include job responsibilities or description, training certifications, and resumes to show what is known from a historical experience. They also must be separated from performance evaluations, which are not necessary for audits.
The section regarding “infrastructure” now requires documentation of the infrastructure requirements and general record keeping to avoid product mix-up and to ensure orderly product handling. This is required to support all procedures to demonstrate compliance, not just maintenance records (as an example). Also included: the interval for maintenance must be planned.
6. Work Environment (Health and Cleanliness) (Section 6.4)
Much of this section was reorganized for clarity. It refers to the work environment and how it affects the product quality in terms of product safety and performance.
This means manufacturers must specify the requirements for anywhere in the work environment that might adversely affect product quality. Manufacturers must also establish requirements regarding sterile product concern and preventing potential cross-contamination of product.
Manufacturers must also outline the health, cleanliness, or clothing of the personnel to avoid adverse effects to product quality, and what additional action will be taken to ensure personnel don’t adversely affect product quality.
7. Product Realization (Planning) (Section 7)
Emphasis on risk management continues wherever it affects product safety and performance and meeting regulatory requirements. Added to the list of processes (as revalidation, measurement, handling, storage and traceability, etc.), the new standard addresses the requirement for planning a company’s resources and other requirements of infrastructure and support, and how the product will move into post market.
Click here to read the second part of this article.
Maria Fagan is co-founder and president of R&Q, a regulatory and quality consulting firm that helps medical device and combination product companies bring safe and effective products to market and keep them there. Maria and partner Lisa Casavant launched R&Q in 2008 and the firm has now serviced over 175 clients. R&Q has ranked on the Inc. 5000 fastest-growing private companies list multiple times. Maria has worked in regulated industry for over 30 years, focusing on medical device quality and regulatory for the past 25 years. Prior to founding R&Q, she held positions of increasing responsibility at MEDRAD Inc. (now owned by Bayer), a medical device manufacturer, in both quality and regulatory arenas. She received a B.S. degree in mechanical engineering from the University of Pittsburgh and holds a certificate in business management from Carnegie Mellon University. Her international experience includes regulatory director of Europe, Middle East, and Africa for MEDRAD which included regulatory submissions and post-surveillance activities.
Over half the transition time from the 2003 edition to the new ISO 13485:2016 is behind us. The transition period ends in March 2019, leaving any ISO 13485:2003 certification invalid. The proposed revisions to the current version of ISO 13485 can be summarized in these points:
- Harmonization of regulatory requirements
- Inclusion of risk management throughout the QMS
- Further clarity regarding validation, verification, and design activities
- Strengthening of supplier control processes
- Increased focus regarding feedback mechanisms
Following is an overview of 17 key differences between ISO 13485:2003 and ISO 13485:2016. (This article will cover points 1-7; remaining points will be explained in part two of this article which can be found here.)
1. Introduction and Scope Statement Clarifications (Sections 0, 1, and 2)
Adding to what was listed in the previous edition, the scope of a quality management system includes:
- Explicit inclusion of storage and distribution as well as final decommissioning and disposal of the product within the QMS
- A new statement that this standard may be used by organizations in the supply chain (voluntarily or by contract)
- The inclusion of “associated activities” (e.g., service of product at customer)
- A need to identify the organization’s role for regulatory purposes (e.g., distributor, supplier, manufacturer, etc.)
- Further clarification that the standard does not include other management systems (e.g., environmental)
The new edition also outlines several key concepts, including the risk-based approach. To document a requirement means firms must establish, implement, and maintain the procedures to accomplish that requirement.
The scope adds wording to define use of the QMS throughout the product lifecycle, the idea that an organization should identify outsourced processes, the ability to declare non-applicable sections of the standard for the organization’s QMS (from sections 6, 7, or 8), and some clarifications of terminology and phrases used.
In 2003, there was an exclusion for design control insofar as it is excluded for regulatory purposes. If regulatory authorities outline an exclusion regarding regulatory requirements, the standard will not apply to those requirements; the exclusion is maintained as it was in the 2003 edition.
In addition, the requirements outlined in sections 6, 7, or 8 may be tailored to the organization’s role. Anything required in Clauses 6, 7, or 8 can be deemed not applicable because the organization’s role would be outlined in the QMS documentation as “not applied,” and outside the QMS’s scope. For instance, a distributor may not need to maintain a production infrastructure, so those requirements would not apply. Keep in mind, the role may be specific to a product or geography.
2. New and Modified Definitions (Section 3)
Every definition in the 2003 standard has either been modified or removed, and several new definitions have been added.
This section is important because understanding the definitions is the source of many of the requirements’ interpretations. Also, users of the standard must understand the hierarchy of how the definitions are used. In other words, when interpreting the requirements, the first place to look for definitions are those included in Clause 3 of the standard. The next place to look is within the normative references; for ISO 13485, the only normative reference is ISO 9000. The dictionary definition prevails if the word is not in either of these places. This provides an opportunity to define words within quality system processes. The dictionary definition may be chosen if it is the best option, then documented appropriately.
While this section has little impact on compliance issues, the new definitions of manufacturer, distributor, medical device, and risk provide clarification to ensure proper understanding of the standard’s applicability and requirements.
The supply chain explanation included in the prior version has been removed.
3. General Clarification Requirements—Risk (Section 4)
Within the context of the 13485 standard, risk is outlined as related to product safety and performance and meeting applicable regulatory requirements. The standard requires application of a risk-based approach throughout the QMS. This leads to a proactive response to mitigating risks to “as low as possible” and taking preventative action throughout the system.
If a resulting risk might impact another process, an associated risk analysis must be completed when creating process flow diagrams to assess the risk related to a particular process. Manufacturers are also required to record risk-related information to protect from the “20-20 hindsight” auditors might have. It will document why decisions were made at a particular time. Also, it will help with revisiting and making adjustments to past decisions when mitigating risk, as appropriate.
Manufacturers must define their organization’s role as well. Are you the legal manufacturer? Are you responsible for regulatory requirements, notifications, post-market surveillance (PMS), and vigilance? Are these requirements properly defined and documented? The proposed changes to this Clause will require this information to be justified and documented accordingly.
4. Updates to the Management Review (Section 5)
The biggest difference to this section is the update of management review inputs. For example, in the 2003 edition, we listed “status of preventive and corrective action” as an input. We’ve changed that to “information related to…corrective action” and “…preventive action.” This conveys that top management needs more information than just a status; it needs all the information related to this subsystem. For instance, management may also need to understand any delays in taking corrective action, why they are late, if there are adequate resources, or what might affect the corrective action system’s suitability, adequacy, and effectiveness.
The old standard included “results of audits.” The new edition outlines “information related to…audits.” Top management must be aware of information from internal and external audits, the amount of audit resources, and if there are resources to address audit findings. These should all be brought into management review to ensure the audit system is suitable, adequate, and effective.
The overall idea is to understand each of the subsystems and verify that subsystem (corrective action, audits, management review, supplier controls, etc.) is suitable, adequate, and effective. This should encourage top management that the overall QMS is suitable, adequate, and effective as well.
5. Competency/Training Effectiveness (Section 6)
With the updated standard, it’s no longer sufficient to express simply that personnel have been trained. There must be confirmation that competent personnel—including top company managers and vice presidents—can perform their assigned jobs and duties. Incorporating a risk-based approach, the new standard focuses on ensuring the actions taken and training provided establish the personnel’s competency.
With a low-risk procedure, the competency file’s language may read something like “read and self-assess your competency,” so management can judge whether or not someone is capable of doing that procedure. For higher risk procedures (like a final test or a complicated assembly), personnel should be observed while performing the task to establish competency. Periodically, managers and supervisors may want to address the competency of their work force.
Organizations should shift from training files to competency files that include job responsibilities or description, training certifications, and resumes to show what is known from a historical experience. They also must be separated from performance evaluations, which are not necessary for audits.
The section regarding “infrastructure” now requires documentation of the infrastructure requirements and general record keeping to avoid product mix-up and to ensure orderly product handling. This is required to support all procedures to demonstrate compliance, not just maintenance records (as an example). Also included: the interval for maintenance must be planned.
6. Work Environment (Health and Cleanliness) (Section 6.4)
Much of this section was reorganized for clarity. It refers to the work environment and how it affects the product quality in terms of product safety and performance.
This means manufacturers must specify the requirements for anywhere in the work environment that might adversely affect product quality. Manufacturers must also establish requirements regarding sterile product concern and preventing potential cross-contamination of product.
Manufacturers must also outline the health, cleanliness, or clothing of the personnel to avoid adverse effects to product quality, and what additional action will be taken to ensure personnel don’t adversely affect product quality.
7. Product Realization (Planning) (Section 7)
Emphasis on risk management continues wherever it affects product safety and performance and meeting regulatory requirements. Added to the list of processes (as revalidation, measurement, handling, storage and traceability, etc.), the new standard addresses the requirement for planning a company’s resources and other requirements of infrastructure and support, and how the product will move into post market.
Click here to read the second part of this article.
Maria Fagan is co-founder and president of R&Q, a regulatory and quality consulting firm that helps medical device and combination product companies bring safe and effective products to market and keep them there. Maria and partner Lisa Casavant launched R&Q in 2008 and the firm has now serviced over 175 clients. R&Q has ranked on the Inc. 5000 fastest-growing private companies list multiple times. Maria has worked in regulated industry for over 30 years, focusing on medical device quality and regulatory for the past 25 years. Prior to founding R&Q, she held positions of increasing responsibility at MEDRAD Inc. (now owned by Bayer), a medical device manufacturer, in both quality and regulatory arenas. She received a B.S. degree in mechanical engineering from the University of Pittsburgh and holds a certificate in business management from Carnegie Mellon University. Her international experience includes regulatory director of Europe, Middle East, and Africa for MEDRAD which included regulatory submissions and post-surveillance activities.