What To Expect From The Upcoming ISO 13485 Revisions, Part 3

By Marcelo Trevino, independent expert

The International Organization for Standardization (ISO) is currently in the process of revising ISO 13485, the international quality standard for medical devices. When the final version is released — potentially in 2015 — it will be the first revision to the standard in over a decade. In this three-part article series, we are looking at the proposed changes to ISO 13485, to help you prepare for its eventual publication and enforcement.

In Part 1, we explored the primary motivations behind the revisions and what’s new in sections 4 through 6 of the Draft International Standard (DIS) ISO 13485, and Part 2 examined what’s likely to change in section 7. In this third and final installment in this series, we will look at section 8, which covers monitoring and measurement of product changes, control of nonconforming product changes, and improvement, corrective, and preventive action changes. We will also review the major themes in the DIS and discuss what medical device manufacturers should be doing now to prepare for the final version.

Section 8 – Measurement, Analysis, And Improvement

8.2.1 – Feedback: Basically, what changed here is that the draft standard asks organizations to come up with a documented process for gathering data from production and post-production activities. While the current standard is rather general, stating that you have to gather feedback and providing guidance on how to do so, the draft standard is more prescriptive about documenting how  you  gather that data.

Not only would it require you to gather feedback, but also to incorporate that feedback as part of your risk management program. Any data that you obtain should become inputs of your risk management process, to help you determine what effects the feedback will have on the product and whether any changes are necessary within your design or production activities to address concerns.

In addition, you would have to evaluate that data using some kind of statistical methodology, where appropriate. Each organization would have to decide what method makes the most sense, based on your product and your processes and activities. And if you aren't using any statistical methods, then you have to provide rationale justifying why you have chosen not to.

Once you have that analysis, then you need to determine if that needs to go into your corrective and preventative action (CAPA) process. If the notified bodies start seeing trends and issues in your data, but you aren’t having any CAPAs related to them, that would probably become an issue. They want to make sure that you are really acting upon feedback, not just reviewing it.

The last change worth mentioning in this section relates to regulatory requirements, something we have seen across the draft. It asks organizations to look beyond just their local requirements to all international regulations that apply to your product, especially related to post-market activities. Certain countries have very unique requirements regarding conducting and handling the data from post-market activities, so you have to make sure that is incorporated into your policies.

8.2.3 – Monitoring and measurement of processes: This section added a note about the type and extent of monitoring and measurement appropriate to each process, and its impact on the conformity to product requirements and on the effectiveness of the quality system. Organizations need to determine the best way to monitor their processes, depending on their environment and process complexity.

For instance, if you are analyzing production data and you find there is an issue with calibration, the action you take might be different than if you are evaluating data from your post-market activities or your preventative maintenance system.  The calibration monitoring for a tool used in-process might be different than the calibraton monitoring for a tool used in final inspection to release product. You need to be able to justify how tight your controls are based on the circumstances and complexity of each process.

8.2.4 - Monitoring and measurement of product: This section now includes a note that says, "Records shall identify the test equipment used to perform measurement activities and the person(s) authorizing release of product." For every batch that you manufacture, you need to show what equipment was used. So if you have 10 measuring gauges, for example, you need to be able to trace it down to which one you used to measure some aspect of the device before final release. And not only do you have to trace it back to that instrument, you have to show who in your organization authorized the approval.

I think it is also important to mention that this was brought up with the latest revision of ISO 14971, the risk management standard. Now, ISO is tying it in with this section in ISO 13485, so that it is consistent across the standards.

8.3.1 – Control of nonconforming product (general): Section 8.3 in the draft guidance has been broken down in several different subsections, the first of which is 8.3.1. This clause requires that the evaluation of non-conformance includes a determination of the need to investigate. You have to be able to show how an issue was investigated and how you notified everybody who needed to be involved in the investigation and was associated with the nonconformity.

Also, there is now a link between the nonconformity and the CAPA system. You must be able to show if the issue warranted a CAPA or if it was just managed within the system itself. Obviously, you would have to justify why you decided to not escalate it to a CAPA versus just leaving it within the nonconformance management system.

8.3.2 – Actions in response to nonconforming product before delivery: This section discusses the actions necessary to handle the nonconformities before you ship the product out of your facility. If you identify the nonconformities before the product leaves the facility, it provides an outline of all the actions that must completed before you release the product. For example, you need to make sure you eliminate the nonconformity, document your criteria for releasing it, ensure the product meets all specifications, and have addressed the relevant regulatory requirements that other countries may impose.

8.3.3 – Actions in response to nonconforming product after delivery: This section is very similar to 8.3.2, except it applies to nonconformities you identify after the product has been released. Organizations need to have a documented procedure for issuing and implementing an advisory notice.

8.3.4 – Rework: This clause is not new — rework was already included in the current standard as part of controlling nonconforming products. However, now they have added a section for it.

The section states that if you establish rework, you need to look at any potential adverse effects on the product. Not only that, but it also has to become part of your risk-management process. When you decide that a product needs to be reworked, you need to also consider the implications and retest the product. How will does the rework affect the design of the product or any other manufacturing process?

8.3.4 – Records: Again, there is not much new here. They just added a specific clause to make sure that you keep all the records associated with your management of nonconformities. These records could include any decisions, people involved, and authorizations that took place before the product was released.

8.4 – Analysis of data: Basically, this section asks you to gather data to demonstrate that your quality system is suitable and effective, you are making improvements, and you are taking appropriate actions. If you think about it, the standard is all about making sure that you have a solid system in place that is continually evolving.

Two requirements were added at the end of this section. The first is audits. You need to look at your data from audits to see if you are having more issues in a given area that could potentially become a larger problem. And since the draft guidance doesn’t specify the types of audits, I think you have to take supplier audits into account as well.

Then second new requirement is to review data from service reports, as applicable. So if you manufacture a device on which you will perform service, you have to review the data, looking for potential issues. If your product is an implantable device, for example, most likely this requirement wouldn’t apply to you. But if you make capital equipment, you will need to have data that shows what servicing activities you are engaged in and an analysis of how that data is behaving.

8.5.2 – Corrective action: Moving to the last section — 8.5.2 (improvement) — they have added a subsection that asks you to come up with a corrective action plan that is commensurate with the risk. Depending on the risk of the problem you are experiencing, you would need to establish why you decided to go one way or another with your response to it.

And the other thing that they added was two requirements that organizations should address in a documented procedure. One is reviewing product and process data analysis to identify nonconformities for corrective action. This is just tying it back to what we covered earlier in the section under control of nonconforming product. The other is determining and implementing action needed, including, where appropriate, updating documentation.

Finally, there is a comment about analyzing your corrective actions as part as your management review process. This is not something new, but they added a line to really make it clear that you need to have feedback incorporated as part of your management review.

8.5.3 – Preventive action: The changes to this section are very similar to the previous section. There is a requirement that you review product and process data analysis to identify potential nonconformities in order to prevent their occurrence. And at the end, there is the same request that analysis of preventive action should provide feedback to the management review.

Reviewing The Important Changes In DIS ISO 13485
In summary, there are basically five sections in the draft standard where major changes have been made:

1. Regulatory requirements: The first section (0.1) establishes an emphasis on regulatory requirements that we see across the rest of the draft standard. This includes not only the local requirements that apply to your facility, but if you are an organization that commercializes its products globally, you also need to take into consideration all relevant international requirements. There are many references to this throughout the draft standard.
2. Risk management: Another theme that permeates the draft standard is the need to incorporate risk management into all the main quality system processes within your organization. Almost everything you do needs to be based on that risk, justifying that what you are doing is adequate and conforms to what you defined as part of your design and production activities.
3. Validation, verification, and design transfer: We covered this topic at length in the previous article. The draft standard puts a lot more structure into place surrounding these activities. You must have plans in place and documented evidence to show what you have been doing for validation, verification, and design transfer activities.
4. Outsourced processes and supplier control: The draft standard asks organizations to do a lot more when it comes to outsourcing processes and putting into place controls for assessing your suppliers — again based on risk.
5. Feedback: Finally, the draft requires you to monitor and measure the performance of your quality management system not only during production, but also post-market. You also have to incorporate those activities as part of your risk management process.

The committee has also improved the linkage between all the different clauses within the standard. Now, everything is more interconnected. They expect you to have systems in place that allow you to demonstrate conformance across the requirements in a more streamlined manner. For example, there is not just one section that discusses risk-management or regulatory requirements or CAPA — instead we see these topics addressed throughout the standard. It is a much more integrated approach.

How To Prepare (Now) For ISO 13485:201X
Although publication of the final standard may be months (or even years) away, there are several things medical device manufacturers should be doing now to ready themselves for its eventual release, since much of what we see in the draft standard will likely carry through to the final release.

One suggestion I would make is to take a close look at your risk-management processes. Review EN ISO 14971:2012 and determine ways to make your processes more robust based on your risk analysis activities. ISO 13485:2003 required manufacturers to perform many risk-management activities, but the new standard will expand risk-management into other processes. So using EN ISO 14971:2012 as a baseline is a good idea.

Another thing is to make sure you are up to date on regulatory requirements. You have to have a clear understanding of the expectations of all the different regulatory bodies in countries where you are commercializing your product. Having an essential requirements matrix is a good starting point. You can see if your product is affected or not, and determine if you need to revise procedures to comply with the changes. It would be smart for companies to start putting in timelines for updating procedures and completing training in advance of the final release.

In addition, figuring out ways to improve relationships with your critical suppliers will be crucial. This is mainly being driven by unannounced audits. Notified bodies will be asking for more audits and more records to show how you are managing your critical suppliers. I think it is important to use these coming changes to the standards as leverage to enhance supplier relationships.

Given the increased emphasis on feedback, you should also make sure that you have solid procedures in place to capture postmarket data in your medical device reports (MDRs). The coming changes to ISO 13485 present a great opportunity for you to start thinking about how to make those processes more robust. Maybe you need to start utilizing new software or hire additional resources to better manage customer complaints and analyze risk across the countries in which you sell. Regardless, now is the time to consider how to better organize these activities in your organization, to ensure you will be able to comply with the new standard when it arrives.