Over half the transition time from the 2003 edition to the new ISO 13485:2016 standard is behind us. The transition period ends in March 2019, leaving any ISO 13485:2003 certifications invalid.
(This article is the second installment of a two-part series highlighting 17 key differences between ISO 13485:2003 and ISO 13485:2016. This article covers points 8-17; points 1-7 can be read by clicking here.)
8. Additional Detail Added to Design Stages (Sections 7.3.1, 7.3.7 and 7.3.9)
7.3.1 – Design and Development Planning: For design and development planning, organizations must maintain and update documentation, including how decision points are reached and supported and a determination of resources needed to carry out planning activities. Also, documented evidence identifying whether or not planned activities are suitable to the product’s requirements and planning items outlined are included in a NOTE in this section.
7.3.7 – Design and Development Transfer (new sub-clause): There is a new clause added to the next revision of the standard, currently called Control of design and development (D&D) changes. The original content of this sub-clause will be moved to 7.3.8, which will focus on the organization’s transfer plans with regard to suppliers (contract manufacturers, for example), including manufacturing and its environments, personnel (training), and installation of equipment as applicable.
7.3.9 – Design and development records (new sub-clause): This requires that all D&D records be properly maintained and identified (processes, product type, manufacturing, etc.).
9. Verification (Sections 7.3.5 and 7.3.6)
The 2003 edition simply outlined the necessity of documenting results and the report.
For manufacturers, this means it is now necessary to include conclusions and necessary action to be taken. Methods of verification, criteria for acceptance or failure, justification for and risk associated with sample sizes, and verification of device interfaces (i.e., user instructions or failure models) must also be documented.
The plan must be documented, established, implemented, and maintained so that if you fail, you can reuse the plan as you are maintaining, doing revisions, or anything else necessary to ensure the product meets requirements.
10. Validation (Sections 7.3.5 and 7.3.6)
This updated section addresses the use of preclinical and clinical evaluations. This was previously in a note, and is now incorporated into requirements.
As with verification, it is now required to document the validation plan, the methods of validation, criteria for acceptance or failure, justification and risk association for sample sizes, and validation of device interfaces, (i.e., instruction, failure modes, etc.). Any validation activity must be conducted on final production units or documented equivalent devices.
11. Purchasing (Section 7.4.1)
A procedure must now be in place which defines:
- The process of supplier approval
- How suppliers will be monitored for continued compliance to established requirements
- A requirement to document the rationale and justifications for supplier use
- What criteria is used to evaluate those suppliers
- What/when re-evaluation is required
It is also important to understand the meaning of outsourcing. Outsourcing defines a more intimate relationship with an external organization outside your QMS (this is how it’s defined within ISO 9000). Any organization outside your QMS (even if they share your name or are another business unit) is considered external. You can define the control over anything internal to your QMS. Anything outside your QMS must have a written quality agreement (for example, if a custom part is being produced). Purchasing something from a catalog is not considered outsourced and needs to be defined within your processes.
For manufacturers, this means a written quality agreement—often a formal separate document—is required. In other words, any controls necessary would be outlined within a written quality agreement in order to have an agreement on both sides of the controls. You must also state how you are going to communicate whether it’s a written document, e-mail, or phone call.
An additional requirement includes, where applicable, the supplier’s agreement to notify the manufacturer of any changes to the agreed upon contract or requirements as appropriate.
12. Production and Service (Validation of Processes) (section 7.5.2)
The words “IS NOT” have been added to this clause as part of this provision. If a process cannot, or IS NOT, verified, validation is required. In addition, even though protocols have been an existing requirement, the standard now requires procedures for sterilization and packaging validation processes.
Production and service are together, so any time needed to validate a production process must be validated for service.
The cleanliness requirements are the same. Also, you must review service reports and include with feedback and complaints.
13. Identification and Traceability (Section 7.5.3)
The words “IS NOT” will likely be added to this clause as a part of this provision as well. As with the previous point, if a process cannot, or IS NOT, verified, validation is required. Similarly, even though protocols have been an existing requirement, the standard may finally require procedures for sterilization and packaging.
This refers to identification within your control: identification of what is going into the product to provide traceability in order to scope investigations, corrective actions, etc. The is not the UDI regulation, which is for customers and users to identify the product and manufacturer.
14. Preservation of Product (Section 7.5.5)
The 2003 edition of the standard does not include shipping conditions and their impact on product and packaging integrity as a consideration. In addition, the 2003 edition of the standard does not specifically reference sterile device packaging considerations like sterile barrier testing or expiry dating. The 2016 edition will include these items just as they currently are under the device directives—another area of harmonization between the product and quality system requirements.
The use of the word product—as opposed to medical device—is intentional here. The word product by itself means the output of process like paperwork, device history files, or the subassemblies or components sent. If you have the transfer of subassemblies or components from an external provider to internal, you must have a packaging validation to ensure that package gets delivered to you without being damaged.
A phrase also addresses that packaging alone cannot provide the protection and preservation of the product and that those conditions must be defined and recorded. For example, if there is a temperature that must be maintained for the product, you must specify the requirement of the temperature and record that requirement was met before delivering the product to the customer.
15. Feedback/Customer Communication
There is a new complaint handling and reporting section, which outlines requirements for a complaint file. An investigation must be made for complaints, or you must justify not investigating.
This section will require that procedures detailing feedback processes must also now define the requirements of inputs and outputs from feedback sources and be incorporated into the risk management program. That feedback must then be statistically analyzed for proper entry in the CAPA system. This will allow the risk to be assessed with solid data to create better corrective and preventive actions.
The regulatory reporting section outlines that you must establish a procedure for regulatory reporting and that you meet the applicable regulatory requirements.
16. Nonconforming Product
This section is subdivided into two sections: Before Delivery and After Delivery. Before Delivery refers to the product still in your control. After Delivery means the product could be in the field or at the client site.
There is also a separate section that addresses re-work to a non-conforming product.
17. Improvement—Simplified and Strengthened
This addresses taking action without undo delay for corrective actions. The intent here is to incorporate the risk-based approach. If there is a high risk associated with the nonconformance, you must take action quickly and without delay. If there is a lower risk involved, action may be delayed. The risk may help understand how much time may be spent to take corrective action, given your resources.
There is a requirement to review product and process data as a part of the CAPA process (historical non-conformances, trends, process changes, product problems such as complaints, failures, PMS, vigilance reports). In addition, if accepted as written, there is a requirement for the CAPA process to link to ensure the corrective actions taken are proportional to the risk.
The updated standard stresses the need to do gap analysis, understand the pieces that are now more explicit, and pay attention to required additional training and details. At R&Q we provide a gap analysis, and we also provide training for personnel to go through the clause by clause details of the changes. Remember, you should form that approach for closing the gap, create a quality plan that helps close those gaps, and understand how you will maintain conformity.
Maria Fagan is co-founder and president of R&Q, a regulatory and quality consulting firm that helps medical device and combination product companies bring safe and effective products to market and keep them there. Maria and partner Lisa Casavant launched R&Q in 2008 and the firm has now serviced over 175 clients. R&Q has ranked on the Inc. 5000 fastest-growing private companies list multiple times. Maria has worked in regulated industry for over 30 years, focusing on medical device quality and regulatory for the past 25 years. Prior to founding R&Q, she held positions of increasing responsibility at MEDRAD Inc. (now owned by Bayer), a medical device manufacturer, in both quality and regulatory arenas. She received a B.S. degree in mechanical engineering from the University of Pittsburgh and holds a certificate in business management from Carnegie Mellon University. Her international experience includes regulatory director of Europe, Middle East, and Africa for MEDRAD which included regulatory submissions and post-surveillance activities.