ISO 13485:2016 – What Are the Changes About?

By Linda M. Chatwin, Esq, RAC, Walt Murray

March 7, 2016

Categories: 03-Manufacturing Execution, 05-Quality/Regulatory, RC - Medtech Regulatory Resource Center

ISO published the final draft of the latest ISO 13485 quality management standard for medical devices and placed it out for voting on October 29, 2015. Accordingly, publication of the 2016 version of ISO 13485 occurred on March 1 2016. There is to be a three-year transition period. Of note, there is now somewhat of a difference between ISO 13485 and the newly published ISO 9001:2015 standard, of which companies that are certifying to both will need to take into account. According to the Introduction of ISO 13485:2016:

This International Standard is intended to facilitate global alignment of appropriate regulatory requirements for quality management systems applicable to organizations involved in one or more stages of the life-cycle of a medical device.

This International Standard includes some particular requirements for organizations involved in the life-cycle of medical devices and excludes some of the requirements of ISO 9001 that are not appropriate as regulatory requirements. Because of these exclusions, organizations whose quality management systems conform to this International Standard cannot claim conformity to ISO 9001 unless their quality management system meets all the requirements of ISO 9001.

The ISO 13485 standard specifies risk-based applications, importantly based on these three points:

Actions taken by a business in its operational and management areas must contain measures for controlling risk
Critical factors in decisions driving the operations and management of the company must be evaluated as risk and opportunistic (or risk/benefit) driven outcomes
Planning becomes an imperative and tangible, documented activity with appropriate actions and review at specified intervals at executive level decision-making

Changes in the Standard

Risk is mentioned some 15 times throughout the standard, to be considered in outsourcing and supplier controls, with respect to software validations, and in the training of personnel commensurate with risks inherent in the processes they perform. Risk is to be taken into account in product planning processes. Risk management activities should also be incorporated during the processes of:

Verification, validation and revalidation
Documentation of risk management in product realization
Monitoring, testing and traceability
Corrective actions and preventive actions

In this context, management of risk is an explicit part of executive decision-making about company (quality) objectives. Executive management reviews must specifically address how risk management is incorporated into the areas presented at the reviews. The following model needs to be applied in actions and reviews.

One will recognize alignment with familiar FDA terms, such as establish, implement and maintain documented processes. There is also a requirement to meet the regulations, statutes, ordinances and directives regarding safety and performance of the medical device. In fact, there is also a statement that unique identification, when required, shall be incorporated. In order to comply with ISO 13485:2016, the company must now maintain a medical device file much like the European requirements. The elements of the file are to demonstrate conformity with the standard, and essentially constitute the technical file of the product.

What and Who Do the Changes Affect?

Functions and Facilities

Leadership. Top management responsibilities are clarified, with emphasis on results of activities and effectiveness of the quality system and measurable quality objectives.
Human Resources. The standard specifies that the organization shall determine any user training needed to ensure specified performance and safe use of the medical device.
Facilities must be arranged in order to prevent mix-ups. The work environment is to be documented, and control of contamination and particulate matter where needed for aseptic and sterile products.

Processes and Records

Design and development planning requirements are stated to more closely reflect regulatory expectations of design control planning. The company must produce verification and validation plans, and records of verification and validation must be maintained.
A design history file must be documented and maintained, and changed product must include an evaluation of the change effect on products, processes and activities.
Purchasing process focuses on the supplier sourcing and selection criteria, taking into account supplier performance and the risk involved with respect to the medical device specifications, including notification of changes in purchased materials.
An analysis of installation and servicing activities must be made to determine where procedures are required. This now aligns with the new process validation guidance.
Corrective and preventive actions must verify that the actions do not have an adverse effect on product, and that corrective actions are taken without undue delay.
Design and development transfer sub-clause was added.
Complaint handling is added as a completely new sub-clause to the standard. The requirement to report to the appropriate authorities is also expanded.

Products

Status identification of product is required throughout the stages of production and storage.
Requirement to identify the test equipment used to perform measurement activities and details related to kinds of controls that are to be documented, and to include the rationale for investigations, as well as documenting and justifying concessions. Specific rework issues are also addressed.
The organization must determine the appropriate verification, validation, monitoring, measurement, inspection and test, handling, storage, distribution and traceability activities for its products.
Cleanliness of product requirements is enhanced for non-sterile product whose use depends on cleanliness.

Final Step: Prepare for a Successful Transition

Plan the transition: What will be needed? From whom? When? Risks?
Consider ISO 9001: Does the company also need to maintain that certification?
1. How to reconcile the requirements of the two standards
2. How to meet the requirements of each
3. Is some division in the quality system needed?
What paradigm shifts will the company need? Are they aligned and what is the significance?
Review related procedures: What changes will be needed?
What and when should training be considered?

About The Author

Linda M. Chatwin, Esq, RAC

Head of North American Advisory Services group

UL, LLC

Linda Chatwin has been involved with regulated medical products for more than 30 years. She understands the regulatory maze required to bring products to market. She holds a regulatory affairs certification and is an attorney in the United States. She has obtained product approvals for a wide range of products, and remains involved in changing requirements for medical devices worldwide. Currently, she heads the North American Advisory Services group for UL, LLC, assisting clients with regulatory issues and challenges, including implementation of UDI processes. Chatwin travels worldwide to speak about changing market access issues.

About The Author

Walt Murray

Quality Management and Regulatory Affairs Professional

Mastercontrol, Inc.

Walt Murray is a quality management and regulatory affairs professional with more than 32 years of experience working with internationally recognized, highly regulated companies, including Aventis-Pasteur, Merck, Pfizer, Stryker, USANA and Del Monte Foods. A Six Sigma Black Belt, Murray is certified in quality and environmental systems auditing (AQS Systems), critical-thinking skills and process control. He also has extensive training and consulting expertise in quality event/CAPA management, risk management, supplier control and audit management.

Having personally performed more than 200 third-party audits, for a variety of Fortune 500 life sciences companies, Murray has hosted investigational and systems audits by the FDA, Therapeutic Goods Administration (TGA), Medicines and Healthcare Products Regulatory Agency (MHRA) and Health Canada.

Murray holds a Bachelor of Science degree in analytical chemistry from the University of Richmond and has completed graduate-level coursework at the University of Tennessee, Knoxville. He is an active member of the Society of Manufacturing Engineers (SME), the Regulatory Affairs Professional Society (RAPS), the American Society for Quality (ASQ), the Society for Quality Assurance (SQA) and the Intermountain Biomedical Association (IBA), as well as board member of BioUtah’s Compliance Forum. His broad knowledge base makes him a much sought-after speaker at national and international compliance forums such as MD&M, AdvaMed, SQA, INTERPHEX and others.

Currently, Murray leads the quality and compliance consulting services division of MasterControl, a leading provider of quality management software solutions to regulated companies worldwide.

ISO 13485:2016 – What Are the Changes About?

Changes in the Standard

What and Who Do the Changes Affect?

Processes and Records

Products

Final Step: Prepare for a Successful Transition

Share this:

Related Articles

About The Author

About The Author