In some markets, such as the European Union, Canada, and Japan, medical device manufacturers must implement and obtain certification of a quality management (QM) system according to ISO 13485. The new ISO 13485:2016 edition of the standard builds on the ISO 9001:2008 standard but includes additional regulatory requirements for the medical device industry. Following the last revision, this third edition of March 1, 2016, incorporates 12 years of technological progress and global regulatory changes. In view of the above, manufacturers and service providers in the medical device industry are facing changed and extended requirements. A summary of the key changes:
A risk-based approach to the QM system (Clause 4)
In the new edition the use of a risk-based approach to control processes in the QM system is no longer limited to the phases of product realization. Instead, a risk-based approach is now applied to all processes of the QM system, too, such as document control, outsourced processes, complaint management, and many more. The validation of all types of computer software used in the QM system is now expanded to include software applications outside product realization, in areas including document control and complaints management. The new standard describes the contents of Device Master Records (DMR) in greater detail and gives examples of mandatory documents.
Management responsibilities clarified (Clause 5)
ISO 13485:2003 already included requirements for the planning and implementation of a QM system and provisions for regular management reviews to ensure the QM system’s effectiveness. However, the wordings in ISO 13485:2003 left room for individual interpretation of the requirements. By contrast, ISO 13485:2016 now demands a definition of the “role” that an organization plays within the scope of the regulatory requirements (e.g. representative, importer, manufacturer, etc.) and, taking a risk-based approach, of the processes related therewith. For this purpose, the new standard describes the input and output of the regular management review of the QM system’s effectiveness in greater detail, leaving less room for interpretation. Management representatives now have the additional responsibility of promoting awareness of the significance of regulatory requirements among all employees of the organization.
Resource management related to human resources and sterile products (Clause 6)
In the new standard the requirements for employees, which affect product quality, focus more clearly on employee “competence”, which is based on education, training, capabilities, and experience. The subclause “Work environment” was expanded by adding “contamination control” and now also includes requirements for the validation of sterilization processes, including sterile barrier systems.
Risk-based approach to product realization (Clause 7)
This is the most comprehensive Clause of the standard. It specifies the requirements and their risk-based implementation for all product-realization processes, including the planning of product-realization and customer-related processes; design and development; purchasing, production and service provision, and the control of monitoring and measuring equipment. The new edition now includes special requirements for the validation of software used in monitoring and measuring equipment. The aspect of “usability” has been added to the design and development process. In the future, the reasons for the selected sample size in design verification and design validation must be provided and documented.
There are now separate subclauses describing the requirements for transferring design and development outputs to production (transfer design) and for the contents of the design history file (DHF)
Defined processes for measurement, analysis and improvement (Clause 8)
This Clause describes aspects including the requirements for the manufacturer’s feedback system. The manufacturer must define processes for recording and evaluating production and postproduction data and integrating them into the risk-management process.
Notification to the regulatory agencies is now addressed by a separate subclause of the standard and has been extended by the addition of adverse event reporting. Regarding the control of nonconforming products, the standard now differentiates between corrections and corrective actions for nonconformities identified before and after delivery.
Which aspects will become easier and which aspects will become more complex for manufacturers?
As the structuring of the requirements has been improved and as requirements are now described in more detail, overall understanding of the requirements should become easier, which should benefit both manufacturers and the auditors of the Notified Bodies.
The revised and/or amended Clauses of ISO 13485:2016 have been aligned to the US FDA Quality System Regulation (QSR) for medical devices (21 CFR Part 820). Given this, the new standard should not pose a major challenge for manufacturers who already hold registrations in the U.S. and undergo regular surveillance audits by the FDA. In these cases, alignment of the requirements to the FDA requirements should make life easier for manufacturers.
For manufacturers distributing their products on other markets (e.g. the EU), the challenges posed by the new standard should also be manageable. The EC conformity assessment procedures build on the principle of the “safety and efficacy” of medical devices, and the new ISO 13485:2016 does not change these requirements. And, while the new standard includes more detailed description of the requirements for QM systems, the same requirements also had to be met under the previous ISO 13485:2003 standard. The ZZ Annexes of EN ISO 13485:2016 will once again show that not all of the requirements of the EU directives are covered directly by the standard, but must be addressed in the manufacturer’s QM system.
Interestingly, the scope of the ISO 13485:2016 standard now clearly references the organizations involved in the various phases of the product life cycle, including the suppliers of products and services. The “roles” of an organization, for example, include manufacturer, authorized representative, importer, and distributor.
Suppliers or service providers in the medical device industry who so far have based their QM systems on the ISO 13485:2003 standard alone or have not yet documented any QM system at all (e.g. authorized representatives) may find the introduction of the new standard more of a challenge. For these parties, the changes of the new standard and, in particular, the risk-based approach for all processes in the QM system and the requirement to validate the application of computer software will certainly cause higher implementation efforts.
Organizations with a QM system based on the ISO 13485:2016 and the ISO 9001:2015 standards are facing another challenge. The ISO 13485:2016 standard is not based on the “High Level Structure” of the new ISO 9001:2015, which comprises ten clauses; instead, it still has the eight-clause structure. Given this, the two standards no longer match as far as their structure and numbers of clauses are concerned. The differences in the requirements of ISO 9001:2015 and ISO 13485:2016, particularly the differences in the requirements for the management and improvement of the QM system, are greater than those in previous versions of the standards. Given this, management systems that are based on these two standards are becoming more extensive, complex and difficult to maintain.
How should manufacturers of medical devices best prepare for the new ISO 13485:2016? May some organizations even benefit from the new Standard?
There will be a three-year transition period from ISO 13485:2003 to ISO 13485:2016. It is still unclear as to exactly when the EN ISO 13485:2016 standard will be published and subsequently harmonized. Irrespective of this, we recommend all organizations affected by the change to start analyzing the measures necessary for adjusting their QM system to ISO 13485:2016 as soon as possible. ISO 13485:2016 – Annex A, which describes the differences between the two revisions, may prove helpful in this context. The analysis of the existing QM system and its continuous improvement should be objectives for the QM system’s effectiveness in all cases, and use of the ISO 13485:2016 standard may prove beneficial in this context.
Organizations holding registrations in Canada will have to switch from the Canadian Medical Devices Conformity Assessment System (CMDCAS) to the Medical Device Single Audit Program (MDSAP) in near future. We recommend reading the “MDSAP Companion Document”, which is publicly available at the FDA, to monitor the status of implementation of the ISO 13485:2016 requirements into the MDSAP program.
What can TÜV SÜD do for manufacturers?
To help you estimate the individual efforts involved in your implementation of ISO 13485:2016 and prepare for the change in the best possible way, TÜV SÜD will provide you with basic information related to the new standard. Our factsheet, which is available for download here [ PDF 503 kB ], summarizes the information at a glance. Our specialists and experts will be happy to answer any further questions you may have.