Guest Column | September 26, 2014

What To Expect From The Upcoming ISO 13485 Revisions, Part 1

By Marcelo Trevino, independent expert

Quality Systems & Regulatory Compliance Best Practices

Earlier this month, 50 delegates from ISO Technical Committee 210 Working Group 1 (ISO TC 210 WG1) met in Stockholm to review comments submitted by industry on the draft international standard (DIS) of ISO 13485, the international quality standard for medical devices. The group intended to analyze all the comments and prepare a second DIS during the three-day meeting. But due to the overwhelming number of comments they received — approximately 870 in all — and the amount of discussion the comments required, they decided not to move forward. Instead, the committee will reconvene in early December to continue their work.

As a result, the long-awaited replacement for ISO 13485:2003 will be delayed beyond its originally projected Q1 2015 publication. The second DIS still needs to be drafted and sent out for further comment, and then that round of comments must be incorporated into a third revision. At that point, we could realistically be looking at availability in the neighborhood of Q1 2016.

There’s good and bad news related to the delay. The bad news is that 13485:201X (as the revision is being referred to) is now in danger of being published after the impending ISO 9000 revisions, which are expected by the end of 2015. One of the aims of ISO TC 210 WG1 was to align ISO 13485 with ISO 9000, the baseline for any standard related to quality. ISO 9000 was last revised in 2008, but since ISO 13485 hasn’t been revised since 2003, it was never properly harmonized with ISO 9000. If ISO 9000 is published first, will further revisions — and delays — be necessary for ISO 13485? Or will manufacturers be left trying to reconcile diverging standards? It’s hard to say at this point.

The good news, on the other hand, is that the delay gives quality managers time to better prepare for the transition to 13485:201X. The proposed revisions are considerable, and it’s important for medical device companies to start preparing now. Even though the standard will continue to evolve as it moves toward publication, a high percentage of what the DIS currently contains will likely end up in the final version.

In this three-part article series, we will look at the anticipated changes to ISO 13485, to help you get ready for its eventual publication and enforcement. This installment will explore the primary motivations behind the revisions and discuss what’s new in sections 4 through 6.

Why ISO 13485 Is Being Revised
Historically, ISO standards have been revisited every few years, in an effort to continuously improve them. Doing so gives ISO the opportunity to regularly solicit feedback — to hear what’s working and what’s not with a standard — and make changes that will streamline processes and address industry concerns.

One of the main issues ISO TC 210 WG1 is seeking to address in this version of ISO 13485 is the wide breadth of international regulatory changes that have occurred since the 2003 revision. It’s no longer enough to merely comply with FDA requirements; in today’s global medical device industry, companies must address the demands of regulators from countries around the world. The most recent European version of the standard, EN ISO 13485:2012, tried to do just that, linking EU medical device directives to the ISO quality standard. Now, ISO wants to take it to the next level, incorporating requirements that are currently part of other international regulations. The DIS was also designed to allow more flexibility to integrate with other management systems including ISO 14001 (environmental management systems), ISO 27001 (information security management), and others.

Another objective of the working group is to make the standard more applicable to the entire supply chain in the medical device industry. While the existing version is mainly tailored to device manufacturers, the DIS aims to be relevant to suppliers of components and services, as well. This way, everyone can work off the same standard. Exclusions are now allowed for sections 6 and 8, in addition to section 7, of the standard if they are not applicable to the activities undertaken by the organization or to the nature of the medical device for which the quality management system is applied. 

In addition, the DIS places a huge emphasis on risk management, due to the fact that notified bodies and international regulatory authorities are now paying greater attention to it. While the current ISO 13485 standard focuses primarily on risk management in design controls (see section 7), the DIS takes a risk-based view of the entire quality system. For example, if you conduct a management review, have you considered the product implications of failing to review critical items? With training, what are the consequences of ineffective training, and what changes in your quality system could mitigate that? When it comes to calibration, what are the implications of doing it incorrectly, and what controls do you have in place to manage it?

Finally, the revisions also seek to address the entire lifecycle of a device. The current standard concentrates on quality up until the device is delivered into the hands of the customer. But thanks to the Poly Implant Prothèse (PIP) breast implant scandal and the resulting international regulatory scrutiny around product safety — including unannounced notified body audits — the working group wants to ensure that the quality standard covers all aspects of the product lifecycle.

Noteworthy Changes In DIS ISO 13485
The draft standard significantly expands upon the current standard in several sections. We will now take a look at some of the more significant changes you can reasonably expect to see in the final standard, working through the DIS section by section.

Section 4 – Quality Management System

4.1.2 – General Requirements: The draft standard specifically states that a risk-based approach is needed when developing processes. That tells you that you can't just come up with, for example, a new preventative maintenance system. Have you considered the risk as well? Anything you do that affects the quality system needs to be viewed from that risk perspective. The draft standard also states that roles undertaken by the organization under regulatory requirements shall be documented.

4.1.3 – General Requirements: Records needed to demonstrate compliance with the standard and appropriate regulatory requirements shall be established and maintained. 

4.1.5 – General Requirements: When you outsource processes, the standard wants you to look at the controls that are going to be put in place for that supplier, from a risk perspective. What happens if the supplier doesn't meet the specifications you provided? How will that affect your production cycle or anything that's related to that component? The standard wants organizations to consider those things ahead of time, so that you have controls in place to mitigate such issues right away.

4.1.6 – General Requirements: The standard will require validation of all computer software that is used as part of the quality system. While it has never been a requirement of ISO 13485, software validation has long been discussed in the industry, and not without some controversy. For example, questions arise like, “What if you use an Excel spreadsheet to control a process? Do you have to validate that spreadsheet?” Sometimes organizations don't even know where to begin with software validation — what to validate and how to validate it.

Under these revisions, computer software can be used for, but is not limited to, product design, testing, production, labeling, distribution, inventory control, data management, complaint handling, equipment calibration and maintenance, and corrective and preventive action. If software involves or affects the quality system, you need to validate it. Plus, you need to have a very specific justification for how you validated that software, keeping records associated with what you did and demonstrating that the software tool is doing what it's supposed to.

4.2.1.2 – Documentation Requirements: Another addition is the requirement to keep a file for the device that you're manufacturing, basically a technical file. In the past, this was addressed through the Medical Devices Directive, but it’s being added as part of ISO 13485. It lists 26 elements that ISO expects manufacturers to keep as part of the file, including product description, drawings, specifications, procedures, packaging specifications, instructions for use (IFU), labeling, clinical data, etc. This technical file concept is not new, but the standard will specifically require you to have it.

Section 5 – Management Responsibility

5.4.2 – Quality Management System Planning: This section contains a note clarifying what quality systems planning normally includes, namely quality objectives consistent with quality policy, action items to accomplish objectives, monitoring progress, and revision.

5.5.1 – Responsibility and Authority: The standard already requires that you specifically appoint personnel who will have responsibility and authority for execution and implementation of your quality system. However, the draft seeks more clarity about how those specific individuals are nominated as responsible for activities having to do with monitoring of the product, and also for post-production activities. Again, this goes back to the international aspect of every country having its own requirements of how they want quality issues reported, managed, and controlled. Going forward, you must determine what kinds of skills will be required of quality personnel and what responsibilities they need to have, and that has to be clearly defined.

5.5.2 – Management Representative: A note has been added stating that the responsibility of a management representative can include liaison with external parties, including regulatory authorities, on matters relating to the quality management system.

5.6.1 – Management Review; General: Although the revised standard still does not stipulate how often you should conduct management review meetings, it does ask for your rationale behind the frequency you choose. You can't just say, “I'm going to have them once a year.” You have to explain why you think holding them once a year is appropriate for your organization.

5.6.3 – Review Output: The DIS states that outputs of the management review shall include improvement needed to maintain the suitability and adequacy of the quality management system and its processes, whereas the current standard only requires improvement to maintain effectiveness of the quality system and its processes.

Section 6 – Human Resources

6.2.1 – Human Resources, General: The existing standard requires personnel performing work affecting product quality, safety, or effectiveness to be “competent,” but the draft breaks down the type of personnel to which this refers. For example, it is very specific about personnel who are involved with fulfilling process requirements, regulatory requirements, and quality system compliance. It also requires the organization to define what education, skills, and training those individuals need to have to perform each role.

6.2.2 – Competence, Training and Awareness: A new aspect of this section is the need to check the effectiveness of any training you're conducting. It states that, as an organization, you need to have a methodology to evaluate if the effectiveness of the training is commensurate with the risks associated with the work that an individual is performing. You won’t be able to just say, “Well, we trained them, we had a class, and they passed the exam.” Now, you need to conduct a risk assessment. What happens if the training was not clear enough? What are the consequences? What mitigation activities should we have in place in the organization to prevent mistakes from happening?

This one is somewhat controversial, because many organizations might not even know how to do something like this. It is very subjective. You could say, “Well, for us, effectiveness is doing A, B, C and D, and that's enough.” But an auditor might disagree. The committee is trying to define something in the standard that everybody can follow, that isn’t subject to interpretation, but it’s a fine line.

6.3 – Infrastructure: There is a heightened emphasis on maintenance-related activities. If you decide, as an organization, that maintenance is important, then you need to have very clearly documented procedures that specify how those activities are being performed, planned intervals for maintenance, and how records associated with those activities are being maintained.

This section also now discusses ensuring that you handle orders in a streamlined way to prevent mix-ups that may affect the supply chain of your product.

Also in this section, information systems (IS) are now viewed as infrastructure, which isn’t the case in the current version of ISO 13485. The draft standard doesn’t require you to do anything differently; however, if IS is something that may affect the quality of your product, you should have procedures, training, and personnel in place to manage related activities.

6.4 – Work Environment: The last part under section 6 deals with the work environment. The working group has added a lot of stress on cleanliness and monitoring in clean rooms and manufacturing areas that deal with sterilized products, to ensure that you are monitoring for particles that could have an adverse effect on the product. They reference ISO 14644, the standard used for controlled environments, as guidance for medical device companies to use in managing clean rooms.

In general, this section contains more specificity about what is meant by the term “work environment.” They point out conditions to be considered such as noise, temperature, humidity, lighting, or weather, and areas of infrastructure such as inspection areas, storage areas, and distribution areas — but it can denote any area within an organization that is dealing with manufacturing the product.

6.4.2 – Particular Requirements For Sterile Medical Devices: Finally, there is now a section on sterile medical devices. The standard asks you to take additional measures for these particular products, where you really need to prevent contamination with particulate matter or microorganisms, and maintain the degree of cleanliness during assembly or packaging operations.

That takes us to the end of section 6 of the draft standard. In Part 2 of this series, we will explore the changes to section 7 of DIS ISO 13485, which includes requirements for product realization, customer-related processes, design and development, purchasing, production and service provision, and control of monitoring and measuring equipment.