The new ISO 13485:2016 standard was published on March 1, and there were quite a few changes compared to the version released in 2003 (for example, the term ‘regulatory’ appears 72 times in the new standard compared to only 16 times in the 2003 version), according to Roberta Goode, president and CEO of Goode Compliance International.
During a recent MedTech Intelligence webinar, An Overview on the Changes in ISO 13485:2016: How to Ensure Compliance, Goode outlined where updates to the standard were made:
- Risk-based approach predominant in new standards
- Role of organization must now be specified
- Technical documentation is required to maintain records
- Outsourced controls (i.e., Controls should be proportionate to the risk involved; include written quality agreement with suppliers)
- Software validation (All QMS software must be validated)
- Human resources
- Infrastructure
- Work environment
- Contamination control
- Planning of product realization (i.e., if additional training is required for the device end user, this must be minimized and documented accordingly)
- External communication (i.e., Requirements for notification of regulatory authorities)
- Design & development planning, including clarification of what should be documented during this phase, including traceability
- Design verification and validation
- Design transfer
- Design changes
- Design files (including for each device type and device family)
- Supplier approval (How the supplier will be monitored for continued compliance to established requirements. Companies also need to document the rationale for the suppliers selected)
- Change notification (Include supplier’s agreement to notify manufacturer of any changes)
- Risk-based verification (Risk-based approach to process of supplier approval and change notification)
- Conformance to specification (Production and service provisions are to be monitored and controlled)
- Cleanliness (Document contamination control of products)
- Servicing records
- Process verification and validation (QMS states that if a process cannot be or is not verified, then validation is required)
- Sterile packaging validation (Requires procedures for validation of sterilization)
- UDI
- Protection (i.e., records regarding confidential health information, IP, etc. shall be protected)
- Product preservation (Requirement for assessment of shipping conditions and impact of conditions on product and package integrity)
- Feedback (i.e., Procedures detailing the feedback process shall specify inputs and outputs from feedback sources and be incorporated into the risk management program and statistically analyzed for proper entry into the CAPA system. Allows risks to be assessed with solid data.)
- Complaint handling (Additional details relating to content requirements for complaint handling procedures)
- Test methods (Specific call out for test method validation and the expectation that you’ll not only document management and approval but also equipment and individuals conducting measurements, such as training and calibration)
- Non-conforming product (Root cause of non-conforming product, and then document actions taken if corrective actions are needed)
- Actions (Corrective actions for non-conforming product that are different before and after delivery)