What To Expect From The Upcoming ISO 13485 Revisions, Part 2

By Marcelo Trevino, independent expert

The International Organization for Standardization (ISO) is currently in the process of revising ISO 13485, the international quality standard for medical devices. When the final version is released — potentially in 2015 — it will be the first revision to the standard in over a decade. In this three-part article series, we are looking at the proposed changes to ISO 13485, to help you prepare for its eventual publication and enforcement.

Noteworthy Changes In Draft International Standard (DIS) ISO 13485
In Part 1, we explored the primary motivations behind the revisions and what’s new in sections 4 through 6 of the draft standard. In this installment, we will examine what’s likely to change in section 7, which covers requirements for product realization, customer-related processes, design and development, purchasing, production and service provision, and control of monitoring and measuring equipment.

Section 7 – Product Realization

7.1 – Planning of product realization: As with previous clauses, there is an increased focus on risk management in this section. One of the biggest changes to section 7.1 is a requirement to document how the risk management activities are being handled for product planning. The draft guidance highlights several areas where risk management should be incorporated: verification, validation, revalidation, monitoring, testing, and traceability. You will need to conduct an assessment considering the risk as you’re planning for those activities, and that process has to be documented.

Also, a note was added asking organizations to look at IEC-62304, which is a guidance related to software lifecycle processes. If your device incorporates software, the guidance wants you to look at all the different lifecycles of that software, so you're planning ahead of time for future changes.

7.2.1 – Determination of requirements related to the product: The main elements that changed in this section, which is under 7.2 – Customer-related processes, is the addition of a requirement to determine user training to ensure that the product will be used in a safe and effective manner. (By user, it means the physician or the person who will install the device.) While training is sometimes taken into account by manufacturers, it's not always done consistently. This change seeks to ensure that the training process gets firmed up, and that there are more controls in place when it comes to training.

The other element that's new in section 7.2.1 is the requirement that organizations protect confidential health information from their customers. This information could arrive in two ways: It could be customer-provided feedback for the organization to incorporate into the requirements for making the product, or it could be postmarket surveillance data. Any kind of information that comes from the customer needs to be protected in a confidential manner.

7.2.3.2 – Communication with regulatory authorities: This is a new clause. Mainly, it says that there should be documented arrangements in place for communicating with regulatory authorities regarding four matters: product information, regulatory inquiries, complaints, and advisory notices. You need to have a documented procedure explaining how you're going to be handling these communications. 7.3.1 – Design and development planning: The draft standard requires that you document your planning. The previous version (ISO 13485:2003) mandated that you plan design- and development-related activities, but the revision insists upon a more robust approach to documenting those activities.

Another addition to this section says that you should have a process in place to ensure traceability of your design and development outputs to design and development inputs. Also, it indicates that you should look at the resources that you will need for design and development, including the competence of the personnel will be involved with those activities. You really need to evaluate the personnel conducting design activities and not just appoint someone without the appropriate background. A new note clarifies that design and development review, verification, and validation have distinct purposes and can be conducted and recorded separately or in any combination as suitable for the product and the organization.

7.3.5 – Design and development verification: There is more emphasis in this section on developing a documented process for planning design and development verification activities. It also specifically indicates that verification plans should cover acceptance criteria and sample sizes that you will utilize, along with the rationale behind selecting them. Also, if the intended use requires the device to be connected with other devices, design verification activities have to confirm that design outputs still meet design inputs when connected — you have to look at the verification and validation from that perspective, not just the device itself. Will the device continue to do what it’s supposed to do once it's connected to another device or another system?

7.3.6 – Design and development validation: The changes to this section are similar to those in 7.3.5, only they are related to validation rather than verification: documented methods, acceptance criteria, and sample sizes.

One addition that is unique to 7.3.6 is ensuring that validation is conducted on product that is representative of what you are manufacturing.

7.3.7 – Design and development transfer: This is another new clause, basically requiring a documented plan if you are going to transfer your design to another facility or an outsourcing partner, for example. You must also ensure that your design and development outputs are suitable for production specifications. In other words, if you move your product, will the new site be able to take your specifications and start manufacturing the products the same way you would have at the existing site? Can this be demonstrated with objective evidence?

The revisions point out eight aspects the organization should consider: supplier quality and capability, manufacturing personnel capability and training, manufacturing process and process validation, materials, manufacturing tools and method, manufacturing environment, installation, and service. You need to have a process in place that explains how each of these items will be addressed if you transfer the design to another supplier.

7.3.9 – Design and development records: Also a new clause, this one mainly just explains the types of records you need to keep in a file as part of your design and development activities. Previously, it was pretty much up to the manufacturer to decide how it were going to manage its records and provide evidence it was meeting all the requirements. Now, the draft standard is very prescriptive about the types of documentation to keep in the file, as appropriate. Examples include:

• Results of preclinical tests related to the device and its conformance with specifications
• Biocompatibility studies
• Electrical safety and electromagnetic compatibility
• Software verification and validation
• Report on clinical evaluation
• Postmarket clinical follow-up plan and evaluation report

While manufactures are required to keep a file, they may determine what is important to include in their file, so they can have records available. For example, biocompatibility is not applicable to all devices, so it will not appear in every device’s file.

7.4.1.1 – Supplier approval: Revisions to this section clarify the types of criteria to consider before approving a supplier. You need to have a plan on how you will select suppliers — how you will evaluate, re-evaluate, and then approve them based on their ability to meet your requirements.

And again, we see an emphasis on risk analysis. Now, you really need to determine whether you will have more strict controls, depending on how important their product is to your manufacturing operations. In cases where the product is extremely important, you will probably want to audit that supplier more frequently, require them to be ISO 13485 certified, and ask them to have periodic meetings to assess how they are performing. If, on the other hand, the supplier is not as critical, you might not be so stringent. The expectation is that you show that you performed a risk assessment to justify requirements for all of your critical suppliers.

7.4.1.2 – Monitoring of suppliers: Organizations must demonstrate that they are checking in on how their suppliers are performing and are utilizing that data as part of the re-evaluation process. If a supplier is not meeting your requirements, you have to show what you are doing to help the supplier improve their performance, or that you are disqualifying them, or that you are engaging in other activities that take into account your risk assessment. You need to have evidence that you are reviewing the data.

7.4.1.3 – Supplier documentation: Following up on 7.4.1.2, this new section asks that you keep records of your supplier evaluations, including any actions taken as a result of the evaluations.

7.4.2 – Purchasing information: The new addition to this section is having quality agreements with your suppliers. Say, for example, a supplier makes a change related to your product or deviates from the original plan — there are very specific roles and responsibilities that need to take place there. The supplier needs to communicate with you amend contracts if needed. Suppliers can't simply change something without letting you know. This is not a new concept, but now the draft standard wants you to make the process more official.

7.5.2 – Validation of processes for product and service provision: Here, the committee is adding a requirement to include procedures for validation of sterilization and packaging. If you comply with the European Medical Device Directive (MDD), you should already be doing this; now, ISO is going to call for it.

They also added a reference to the ISO 11607 standard for packaging terminally sterilized medical devices. This is just another reference you can use as a guidance to help comply with ISO 13485 requirements.

7.5.3 – Product identification and traceability: Another new section, 7.5.3.1 states that if unique device identification (UDI) is required by the regulatory agency in a country where you sell your product, you need to establish and maintain a UDI for your device. This is likely an FDA-driven clause (since FDA recently implemented UDI rules in the U.S.), but as it becomes a more established practice, additional regulatory bodies will start asking for UDI.

Also important to point out is that the section requires that you have procedures in place to separate and distinguish returned products from conforming products. If you receive returns from a hospital or distribution center, for example, you need to prevent that product from getting mixed up with your existing product.

7.5.4 – Customer property: Again, the standard asks you to look at the regulatory requirements from all countries in which you must preserve confidential health information. If confidentiality is a requirement in a country where your product is sold, you need to have a procedure to address how you will to safeguard confidential information and treat it as customer property. 7.5.5 – Preservation of product: This new section instructs you to evaluate your packaging and shipping containers to ensure they are designed to protect the device from contamination and damage — not only during the processing of the device, but also during handling, storage, and distribution. It forces you to look at the complete lifecycle for that package and perform the necessary validations.

For example, if you plan to ship your devices to a region that is extremely cold, do you know that your package will be able to protect the product? Or is the product going to freeze, resulting in an adverse effect? The same thing goes for high temperatures or other environmental factors. You have to take that into account as you perform your validation.

7.5.5.1 – Particular requirements for sterile medical devices: The last section of section 7 (also new) elaborates on particular requirements for sterile medical devices. If you have a sterile product, you have to take additional measures to make sure that sterility will be preserved, wherever you plan to ship it and however long it will take to get there. How do you demonstrate that the product is going to remain sterile? Again, you really need to have the validation to prove that that package is appropriate.

In the third and final installment in this series, we will look at section 8, which covers monitoring and measurement of product changes, control of nonconforming product changes, and improvement, corrective, and preventive action changes. We will also wrap the series up with a discussion of implications and advice to prepare.