Guest Column | March 13, 2019

ISO 13485 Medical Device Quality System Standard And Other Regulatory Conundrums

By Edwin Bills, Consultant


The 2003 edition of ISO 13485 has now been withdrawn and fully replaced by the 2016 edition.[i] As a result, the technical report on the 2003 edition, ISO TR 14969, was also withdrawn and replaced by a new ISO handbook, ISO 13485:2016 A practical guide,[ii] released in 2017. An earlier Med Device Online article discussed some of the issues these changes caused for small device companies.[iii]

Thought everything was settled? ISO 13485 is up for periodic review, and the ISO Technical Management Board (TMB) has indicated that the technical committee responsible for ISO 13485 should revise the standard to comply with the new High-Level Management System Structure (MSS) for all documents of this type. The 2015 version of ISO 9001 is in the new structure, and it is organized in a vastly different format. 

There has been outcry by the industry and regulators to leave the structure alone; they reason the industry already has too many changes in regulations and standards to deal with – why pile on a change that is meaningless in the technical content of the standard? The ISO 13485:2016 revision dodged that bullet by convincing the TMB to not adopt the structure in the 2016 edition, and the TMB is not sure about letting it slide one more time. But, a change to the MSS also is forthcoming, and the Technical Committee may have good reason to avoid the pressure by ISO’s TMB. 

At any rate, this change in structure would not take place until the next edition is effective so, regardless of the outcome, industry would have a few years to comply with the new document.  The big problem, of course, would be to get the technical committee started on the new revision, considering all the other work in process in the industry. And, eventually, companies would have to deal with the changes in revising their quality system policies and procedures.

Today, we have EU MDR/IVDR issues more pressing than the structure of the 13485 standard.  There is no harmonized quality system standard for the MDR or the IVDR, as the harmonization process for standards has not been activated. The industry has just over a year to establish the process, put in place a quality system standard (a new EN ISO 13485:20XX, presumably), and complete a Notified Body (NB) audit to provide evidence of compliance.

The Notified Body situation currently is impossible; as of this writing, only BSI UK has updated its certification as a Notified Body – and the company will (likely) be de-certified by Brexit in March. BSI is trying to get its Netherlands office Notified to the MDR and the IVDR, and has asked its clients to transfer MDR and IVDR certificates to this new office. However, it is the client’s responsibility to complete the certificate transfer. An Italian NB reported it is in the last stages of receiving approval for NB status, but NB availability remains an impossible situation for the industry. Technically, the EU expects to have all necessary pieces in place in time to meet the MDR’s May 2020 full implementation deadline, but it lacks the throughput to certify the entire industry to the new regulations in time to keep all the products on the market. The IVDR’s full implementation is slated for 2022.

The International Medical Device Regulators Forum (IMDRF) put its imprint on the MDSAP Audit Process,[iv] which currently provides a single audit for five regulatory schemes at a cost to the client. The audit is being conducted to ISO 13485:2016, as well as the regulatory requirements of the five regulators involved. This may be helpful to companies seeking to meet regulatory requirements in multiple markets. Unfortunately, the EU is not participating in the MDSAP program, except as observers. MDSAP does not audit for the EU MDD or MDR requirements — or for that matter, the AIMDD, IVDD, or IVDR. Therefore, medtechs will require Notified Body audits to meet these requirements. 

IMDRF is broadening its impact with more than just MDSAP. It has released a number of documents, building on those created by its predecessor organization, the Global Harmonization Task Force (GHTF), such as one covering Software as a Medical Device (SaMD).[v] One of the recent documents impacting standards is Optimizing Standards for Regulatory Use, IMDRF/Standards WG/N51 FINAL:2018.[vi] Further, a working group on standards is collaborating with standards groups to seek membership for Regulatory Authorities on the various technical committees responsible for standards that impact medical devices, including IVDs. In its standards document, IMDRF states, “The ultimate outcome: global regulatory harmonization.”

An additional issue identified by the FDA is its expectation to update its Quality System Regulation, 21 CFR 820,[vii] through some type of adoption of ISO 13485:2016. This effort, too, is fraught with problems. The FDA must, by law, release its regulations to the public at no cost.  ISO 13485 is a copyrighted document, published by ISO, and has a cost associated with it. Therefore, ISO would not look favorably on FDA adopting the standard and publishing it for the general public.

So, how FDA’s intent will be realized will take some time to determine. The effort probably will require some type of congressional action to adopt the standard wholesale as a replacement for 21 CFR 820. ISO 13485 may end up being a recognized standard that FDA can point to as an alternative method of achieving compliance with 21 CFR 820, which would simplify the issue. Alternatively, 21 CFR 820 may be revised so that it parallels ISO 13485:2016 more closely than the current regulation does. Still, the FDA could expect strife with ISO when the standard is revised.

Another, less obvious issue is the wider requirement for risk management in ISO 13485:2016.  The standard indicates in 0.2 Clarification of concepts[viii] that “’risk’ pertains to safety or performance requirements of the medical device or meeting applicable regulatory requirements.”  ISO 13485 then refers to ISO 14971 for risk management. Yet, the next edition of ISO 14971 specifically mentions that it only refers to product risk, and not to business risks, which could include regulatory compliance.[ix] 

It is true that a risk management process modeled on the ISO 14971 process of “identifying hazards, estimating and evaluating risks, controlling risks, and monitoring the effectiveness of these risks” (as described in ISO 14971:2007) could be developed to manage compliance and other risks.  However, maintaining a focus on product safety risks is best done by eliminating the distractions of business risks, where decisions on product safety may be confused with cost and time decisions. The risk management standard’s intent is that safety decisions be made in such a way that product benefit outweighs product risk, and that the only cost consideration would be prohibitive risk control costs that preclude the availability of product benefits.

Adding to the manufacturer’s dilemma is the planned Q4 2019 release of a new edition of the medical device risk management standard. The ISO Technical Management Board stepped in here, too, causing more potential confusion. First, the TMB decided that the structure of ISO 14971:2007 was not correct in that it did not have a section titled “Normative References;” the technical committee for the standard (TC 210 JWG1) responded that such a section was not needed, as there were no normative references. The TMB responded to TC 210 JWG1 by requiring the inclusion of a Normative References section, but allowing it to remain blank when no normative references exist, supposedly clarifying this issue.

Second, the TMB indicated that ISO 14971 needed to be reorganized further by removing most of the informative annexes previously in the standard to the technical report, ISO TR 24971 (TR)[x] — created in 2013 to address requests for more information than had been provided in ISO 14971:2007. The TMB felt user needs could be more quickly met by using the technical report, which could be updated more quickly than the standard, thus separating requirements into one document and informative annexes in another. 

Some people saw this simply as a way for ISO to sell two documents instead of one. But it is a practical response to a problem that had been following ISO 14971 throughout its existence: every update had added more information, but none had revised the standard’s structure. So, a full-scale revision process was initiated for the new versions in 2003 and 2007 — and now 2019 — to get more information into the standard. In 2013, the effort shifted to creating the technical report so that information requests could be addressed quickly.

So, the next edition of ISO 14971 will consist of 10 sections of requirements —  one of which will be blank due to a lack of Normative References — and 3 annexes: one annex providing rationale for the requirements (this will only change when the requirements change); one annex containing the flowchart for the risk management process outlined in the requirements; and a final annex titled, “Fundamental Risk Concepts,” which partially came from the Annex E in the 2007 edition. 

Everything else from ISO 14971 and the 2013 edition of ISO TR 24971 will appear in the new ISO TR 24971:20XX (hopefully, in 2019, if all goes well). It is expected to contain 10 numbered sections, each directly providing information on the correspondingly numbered section of the standard. Additionally, the new 24971 will probably contain 8 clauses identified by alphabetic characters, containing information that more broadly applies to more than one section of the standard. One example is Annex H: it will apply to IVD risk management, similar to the Annex H appearing in the 2007 edition, but it has been updated.

Finally, the ISO TMB stipulated that the risk management process was not to be changed, as no comments were received to make changes. Still, some enhancements will appear in the standard to improve the process: adding a definition for benefit, increasing the text describing the requirements for production and post-production risk management, and renaming this section “Production and post-production activities.” This also became section 10 due to the renumbering caused by revising Clause 2 to “Normative References” from “Terms and Definitions” (the latter became Clause 3 and forced everything else down one section).

Hopefully, manufacturers have a robust enough risk management process to be able to accept all of the changes without implementing major revisions to that process. We know they already have enough on their plates — with ISO 13485, the MDSAP audit process, and the extensive requirements changes in the new MDR and IVDR — to keep them, their consultants, and their suppliers burning the midnight oil for the next several months, if not years.


[i] ISO 13485:2016, Medical devices — Quality management systems — Requirements for regulatory purposes

[ii] ISO 13485:2016 — Medical devices — A practical guide, Advice from ISO/TC 210

[iii] ISO 13485:2016 Transition Challenges: A Small Manufacturer Perspective

[iv] MDSAP's Effect On The Internal Audit Process

[viii] ISO 13485:2016, p. ix

[ix] ISO DIS 14971:2018, Clause 1 Scope, p. 1

[x] ISO TR 24971:2013, Medical devices — Guidance on the application of ISO 14971