By Marcelo Trevino, President, Global Regulatory Affairs and Quality Systems, TregMedical Compliance Services
Last year, I wrote a series of articles about what to expect from the upcoming ISO 13485 revisions, based on the first draft international standard (DIS). Now, as we near the ISO Technical Committee 210 Working Group’s vote to approve the final draft of the standard (no more changes or comments are allowed at this time), it seemed prudent to revisit the latest, and hopefully last, version of ISO 13485:201X, to help you prepare.
If the committee approves the final draft, an official ISO 13485 should be released early in 2016.
Noteworthy Changes in ISO 13485
As one would expect, the standard’s numbering and clauses will change, due to new clauses and sub-clauses that have been added. This standard also establishes levels of nonconformance grading to align with the Medical Device Single Audit Program (MDSAP), details of which can be reviewed through GHTF Document SG3 N19. However, this standard does not align with the ISO 9001:2015 changes — which I described in a previous article — as many had hoped it would. After the standard is published, there will be a three-year transition period, with harmonization to ISO 9001:2015 and EN versions of ISO 13485 to follow at a later date.
The new ISO 13485 seeks to facilitate global alignment while allowing organizations to be involved in different stages of the product life-cycle. A risk-based approach is predominant throughout the new standard, which places greatly enhanced emphasis on understanding of and adherence to international regulatory requirements. In fact, the term “regulatory” appears 72 times in the new draft, as compared to 16 in the current version.
Additionally, the final draft offers new definitions for the following terms: clinical evaluation, complaint, distributor, importer, lifecycle, manufacturer, medical device family, performance evaluation, postmarket surveillance, purchased product, risk, risk management and sterile barrier system.
Let’s look at the most prominent changes in the updated ISO 13485:
Section 4 — Quality Management System (QMS)
General Requirements: A risk-based approach is required when developing processes, including outsourced processes. Roles also must be documented to meet regulatory requirements (i.e., specifying the legal manufacturer, defining processes, and identifying records to be kept to meet regulatory requirements through postmarket surveillance, vigilance, etc.).
General Requirements: Computer software used for the QMS must be validated prior to initial use and after any change is made.
Documentation Requirements: A medical file (similar to a technical file) is required for regulatory purposes, and the establishment of methods to protect confidential health information is now required.
Section 5 – Management Responsibility
Responsibility and Authority: Responsibilities and authority must be documented, including the interrelation of personnel affecting quality and liaison with external parties and regulatory authorities.
Management Review; General: Rationale must be documented for the frequency of management reviews.
Review Output: Input and output requirements have been added to the standard to maintain the suitability and adequacy of the QMS.
Section 6 – Resource Management
Human Resources; General: Documented processes are required to establish competence, provide training and ensure quality awareness throughout the organization.
Competence, Training, and Awareness: Increased emphasis is being placed on defining, maintaining, and updating the competence of personnel involved with quality system compliance and regulatory requirements. Thus, it is now required to evaluate the effectiveness of any training commensurate with the risks associated with the work individuals perform.
Infrastructure: Heightened emphasis on maintenance-related activities of production equipment means that companies must have clearly documented procedures to specify how those activities are being performed. There also is a new requirement to handle orders in a streamlined way to prevent mix-ups that may affect the supply chain of the product.
Work Environment: This section stipulates that companies must control their work environment by specifying requirements for health, cleanliness, and gowning of personnel involved in production activities to prevent cross-contamination. It also emphasizes the importance of conducting maintenance activities on equipment used for production.
The work environment area also adds a reference to ISO 14644 (air cleanliness classification and monitoring) and ISO 14698 (cleanrooms and associated control environments). Manufacturers must consider conditions such as noise, temperature, humidity, lighting, weather, and adequate infrastructure for manufacturing, inspection, storage, and distribution areas.
Contamination control includes documentation of planned arrangements for controlling contaminated — or potentially contaminated — product in order to prevent contamination of the work environment, personnel, or product.
Particular Requirements For Sterile Medical Devices: A new section addressing sterile medical devices will require additional measures for the control of contamination by microorganisms or particulate matter, focusing particularly on the cleanliness required during assembly and packaging operations. Validation of sterility control methods is now required, as well.
Section 7 – Product Realization
Planning of Product Realization: A requirement has been added to document how risk-management activities are being handled for product handling. Planned processes for verification, validation, monitoring, measurement, inspection, test activities, handling, storage, distribution, and traceability now are required, as well. Documented risk management throughout development-planning activities is also a new addition to the standard.
Determination of Product Requirements: Manufacturers now must determine whether there is a need for user training to ensure specified performance and safe use of a product. Manufacturers also must ensure that applicable regulatory requirements are met as part of the product review requirements. (Regulatory bodies will be seen as a customer of the organization for this purpose).
Communication with Regulatory Authorities: This new clause states that documented arrangements must be in place for communicating with regulatory authorities regarding four matters: product information, regulatory inquiries, complaints, and advisory notices.
Design and Development Planning: This section includes a requirement to update documents with design and development progress and to ensure there is traceability of outputs to inputs. Furthermore, inputs must include usability and should be verified and validated. Outputs must be in a form suitable for verification against inputs. Also, the competence of personnel in design and development activities must be defined and demonstrated, and a review by a specialist (independent reviewer) is now required.
Design and Development Verification/Validation: The verification and validation plan must be documented, including methods, criteria for acceptance, failure, justification for sample sizes, and the risk associated with the sample sizes selected. Validation must be conducted on final production units or documented equivalent devices. A verification and validation of the user instructions also is required, including a review of failure modes.
Design and Development Transfer: This new clause requires a documented plan for design transfer to another facility or outsourcing partner. This should include plans for supplier quality and capability, manufacturing personnel capability and training, manufacturing process and process validation, materials, manufacturing tools and methods, work environment, installation, and service.
Design and Development Changes and Files: This section includes requirements to control changes, documentation to be kept, approval requirements, reports and testing to justify changes, etc. Design and development files must be maintained for each medical device type or family. This file must include records to demonstrate conformity to the requirements, as well as records to justify any changes.
Supplier Documentation: This new section requires manufacturers to document processes for supplier approvals and for monitoring continued compliance. Justifications must be in place for selecting suppliers, including criteria for evaluation and reevaluation.
Purchasing Information: This section makes more official the need for quality agreements with suppliers, as well as the need for suppliers to render notification of changes related to or affecting your product. Verification of processes must be done commensurate with risks and results of evaluations and reevaluations.
Validation of Production and Service Provision: Production and service provisions must be planned, monitored, and controlled to ensure products meet established specifications. Also, a requirement has been added to include procedures for validation of sterilization and packaging.
Processes must be validated for production and service provision where output cannot be, or is not, verified. Statistical techniques applied and rationale for sample sizes must be documented, as well, including approval of changes and validation of software after changes. Servicing records must be reviewed to determine whether events in the field should be considered and reported as complaints, or used to improve the product as part of design inputs.
Product Identification and Traceability: If unique device identification (UDI) is required by the regulatory agency in a country where a manufacturer sells its product, that manufacturer needs to establish and maintain a UDI for its device. In addition, there is a new requirement to establish procedures that separate and distinguish returned products from conforming products.
Preservation of Product: This new section states that shipping conditions and their impact on product and package integrity, including management of sterile device packaging, must be assessed.
Requirements for Sterile Medical Devices: Cleanliness requirements must be defined to manufacture devices, regardless of whether those devices must go through a sterilization process. A new requirement has been added to document the cleanliness of products that cannot be cleaned prior to sterilization, or to document use when cleanliness plays a significant factor in the device’s use.
Sterile products require additional measures to ensure sterility is preserved; records of sterilization process parameters must be maintained for every batch. Sterilization records also must be traceable to each production batch. Documented procedures must be in place for validation of sterilization and sterile barriers prior to implementation; conclusion results must be documented, as well. Sterile barrier systems (of sterile medical devices) are considered a constituent part of the medical device.
Section 8 – Measurement Analysis and Improvement
Feedback: Feedback procedures, inputs to the risk management process, and statistical analysis must be considered for evaluation through the corrective and preventative action (CAPA) process.
Complaint Reporting: Procedures must be established for timely complaint handling and investigation, as well as managing regulatory notifications/reporting.
Monitoring and Measurement of Product: Records now must identify the test equipment used to perform measurement activities and the person(s) authorizing release of the product.
Control of Nonconforming Product: Evaluation of nonconformances must include a determination of the need to investigate, or a documented justification for lack of investigation. Requirements also have been incorporated to address management of nonconforming product before product delivery, after delivery, and rework.
Corrective And Preventive Action / Rework: A new clause added to the standard’s CAPA section is intended to ensure that the corrective or preventive actions do not adversely affect the product’s ability to meet applicable regulatory requirements, or affect the safety and performance of the product. Corrective action plans also must be commensurate with risk. CAPAs should analyze impacts to the quality management system and regulatory requirements before action plans are finalized and executed. There also is a requirement that the CAPA process must include product and process data review, and the CAPA must link to product risk management.
ISO 13485:201X has reached its final draft international standard stage, wherein ISO member countries are reviewing it and have two months to establish their position and vote. Thus, the standard should be published early in 2016.
Depending on the maturity of each organization’s quality system, some changes might be needed, though some organizations might not implement any changes because some of the new requirements are already part of their existing quality system.
The current version of the standard (ISO 13485:2003) incorporated a process approach; the new proposed standard adds risk analysis and risk management to the process approach, which will be one of the most significant and challenging changes for most organizations. Organizations without a robust post-market data collection process will have to establish processes similar to those required with 21 CFR 820 to address expectations about complaint handling.
The European Medical Device Directives are also undergoing a revision; therefore, we should expect additional changes when these requirements harmonize in the future, resulting in the release of a new EN ISO 13485 standard.