New ISO 13485:2016 standard

New Revision to ISO 13485:2015 postponed to 1Q 2016


Article Posted in I 3 CONSULTING website in INDIA by Mrs. Beena on January 10th 2016

This document is for informational purposes only and is not intended to provide legal advice. Legal interpretations and questions regarding ISO 13485:2016 business or regulatory compliance should be directed to regulatory compliance departments by contact us.

Countdown begins for launch of the new ISO 13485:2016 standard!!!

Last meeting of the Technical Committee Working Group held in July 2015, the published draft version of ISO 13485:2015 was submitted to the vote of the Working Group members. The draft was not approved.

A new round of Working Group members meeting to publish the final version in 2015 has not happened, so it is expected to meet in the coming months. In summary, there are basically five sections in the draft standard where major changes have been made

Regulatory requirements: The New ISO 13485:2016 standard emphasises regulatory requirements in 80 different places compared to 16 in the e earlier version. This includes not only the local requirements that apply to your facility but if you are an organization that commercializes its products globally, you also need to take into consideration all relevant international requirements.

Risk management: The New ISO 13485:2016   standard emphasises the need to incorporate risk management into all the main quality system processes within your organization. Almost everything you do needs to be based on that risk, justifying that what you are doing is adequate and conforms to what you defined as part of your design and production activities.

Validation, verification, and design transfer: The New ISO 13485:2016 standard emphasises a lot more structure in place surrounding these activities. You must have plans in place and documented evidence to show what you have been doing for validation, verification, and design transfer activities.

Outsourced processes and supplier control: The New ISO 13485:2016 standard asks organizations to do a lot more when it comes to outsourcing processes and putting into place controls for assessing your suppliers — again based on risk.

Feedback: The New ISO 13485:2016 standard requires you to monitor and measure the performance of your quality management system not only during production but also post-market. You also have to incorporate those activities as part of your risk management process.

The good things are….
In general, the new ISO 13485 standard is more flexible than the old. In the past, organizations could only exclude section 7 requirements (on product realization) and then only if they could justify their decision.
Now, they can exclude any requirement in sections 6, 7, or 8 if they can justify doing so because of the nature of their activities or products. Regulatory requirements while the ISO 13485:2003 expected you to establish a QMS that complies with ISO 13485, the new one now explicitly expects you to also comply with all applicable regulatory requirements. This need to comply with regulatory requirements is given greater emphasis now and is repeated throughout the new standard. You’re now also expected to set objectives for meeting regulatory requirements.

As you may have noticed the phrase “statutory and regulatory requirements” in ISO 13485:2003 has been removed. Now we can simply refer to “regulatory requirements” which, of course, include statutory and other legal requirements also.

The difficulty things are …
Risk-based approach
The new ISO 13485:2016 standard expects you to apply a “risk-based approach” to your organization’s QMS processes. The old standard also expected you to think about risk, but only during product realization (in section 7). Now, you’re expected to apply risk management methods and techniques to all QMS processes, including outsourced processes.

Medical Device File
Manufactures now expected to include a description of each medical device or family of devices and to include all associated specifications, procedures, and records so-called MDF

Record keeping
When you follow ISO 13485:2016 standard you need to record supplier monitoring and re-evaluation activities and to consider privacy regulations when you develop methods for protecting confidential health information.

How to prepare for ISO 13485:2016
Although publication of the final standard may be months away, there are several things medical device manufacturers should be doing now to ready themselves for its eventual release, since much of what we see in the draft standard will likely carry through to the final release. The best part you can start following is to take a close look at your risk-management processes. Review EN ISO 14971:2012 and determine ways to make your processes more robust based on your risk analysis activities. ISO 13485:2003 required manufacturers to perform many risk-management activities, but the new standard will expand risk-management into other processes. So using (EN) ISO 14971:2012 as a baseline is a good idea to start following.

Secondly, you need to make sure you are up to date on regulatory requirements. You have to have a clear understanding of the expectations of all the different regulatory bodies in various countries where you are marketing your product especially in European countries which require CE Marking. You can check if your product is affected or not, and determine if you need to revise procedures to comply with the changes. It would be good for companies to start putting in timelines for updating procedures and completing training in advance of the final release of ISO 13485:2016

In addition, you need to find ways to improve relationships with your critical suppliers as this is a very important. This is mainly being driven by unannounced audits. Certifying Bodies and Notified bodies for CE Marking will be asking for more audits and more records to show how you are managing your critical suppliers. Nowadays Medical Device Notified Bodies are inspecting critical supplier’s premises.

ISO 13485:2016 draft standard more emphasis on feedback, you should also make sure that you have solid procedures in place to capture postmarket data in your medical device reports (MDRs). So Hurry up. The recent changes in the MDD regulation also points out the importance of Clinical Evaluation, Post Market Surveillance, Post Market Clinical Follow-up as part of CE Marking Certification.

4.1.2 – General Requirements: The draft standard ISO 13485:2015 specifically states that a risk-based approach is needed when developing processes. That tells you that you can’t just come up with, for example, a new preventative maintenance system. Have you considered a risk as well? Anything you do that affects the quality system needs to be viewed from that risk perspective.

4.1.3 – General Requirements: Records needed to demonstrate compliance with the standard and appropriate regulatory requirements shall be established and maintained.

4.1.5 – General Requirements: When you outsource processes, the standard wants you to look at the controls that are going to be put in place for that supplier, from a risk perspective. What happens if the supplier doesn’t meet the specifications you provided? How will that affect your production cycle or anything that’s related to that component? The standard wants organizations to consider those things ahead of time, so that you have controls in place to mitigate such issues right away.

4.1.6 – General Requirements: The standard will require validation of all computer software that is used as part of the quality system. While it has never been a requirement of ISO 13485, software validation has long been discussed in the industry, and not without some controversy. For example, questions arise like, “What if you use an Excel spreadsheet to control a process? Do you have to validate that spreadsheet?” Sometimes organizations don’t even know where to begin with software validation — what to validate and how to validate it.

Under these revisions, computer software can be used for, but is not limited to, product design, testing, production, labeling, distribution, inventory control, data management, complaint handling, equipment calibration and maintenance, and corrective and preventive action. If software involves or affects the quality system, you need to validate it. Plus, you need to have a very specific justification for how you validated that software, keeping records associated with what you did and demonstrating that the software tool is doing what it’s supposed to. – Documentation Requirements: Another addition is the requirement to keep a file for the device that you’re manufacturing, basically a technical file for Medical Device CE Marking. In the past, this was addressed through the Medical Devices Directive, but it’s being added as part of ISO 13485. It lists 26 elements that ISO expects manufacturers to keep as part of the file, including product description, drawings, specifications, procedures, packaging specifications, instructions for use (IFU), labeling, clinical data, etc. This technical file concept is not new, but the standard will specifically require you to have it even you are not planning for CE Marking. It a tough Job!!!

5.4.2 – Quality Management System Planning: This section contains a note clarifying what quality systems planning normally includes, namely quality objectives consistent with quality policy, action items to accomplish objectives, monitoring progress, and revision.

5.5.1 – Responsibility and Authority: The standard already requires that you specifically appoint personnel who will have responsibility and authority for the execution and implementation of your quality system. However, the draft seeks more clarity about how those specific individuals are nominated as responsible for activities having to do with monitoring of the product, and also for post-production activities. Again, this goes back to the international aspect of every country having its own requirements of how they want quality issues reported, managed, and controlled. Going forward, you must determine what kinds of skills will be required of quality personnel and what responsibilities they need to have, and that has to be clearly defined.

5.5.2 – Management Representative: A note has been added stating that the responsibility of a management representative can include liaison with external parties, including regulatory authorities, on matters relating to the quality management system.

5.6.1 – Management Review- General: Although the revised standard still does not stipulate how often you should conduct management review meetings, it does ask for your rationale behind the frequency you choose. You can’t just say, “I’m going to have them once a year.” You have to explain why you think holding them once a year is appropriate for your organization.

5.6.3 – Review Output: ISO 13485:2016 states that Outputs of the Management Review shall include improvement needed to maintain the suitability and adequacy of the quality management system and its processes, the current standard only requires improvement to maintain the effectiveness of the quality system and its processes.

6.2.1 – Human Resources, General: The existing standard requires personnel performing work affecting product quality, safety, or effectiveness to be “competent,” but the draft breaks down the type of personnel to which this refers. For example, it is very specific about personnel who are involved with fulfilling process requirements, regulatory requirements, and quality system compliance. It also requires the organization to define what education, skills, and training those individuals need to have to perform each role.

6.2.2 – Competence, Training and Awareness: A new aspect of this section is the need to check the effectiveness of any training you’re conducting.

6.3 – Infrastructure: There is a heightened emphasis on maintenance-related activities. If you decide, as an organization, that maintenance is important, then you need to have very clearly documented procedures that specify how those activities are being performed, planned intervals for maintenance, and how records associated with how those activities are being maintained.This section also now discusses ensuring that you handle orders in a streamlined way to prevent mix-ups that may affect the supply chain of your product.

Also in this section, information systems (IS) are now viewed as infrastructure, which isn’t the case in the current version of ISO 13485. The draft standard doesn’t require you to do anything differently; however, if is something that may affect the quality of your product, you should have procedures, training, and personnel in place to manage related activities.

6.4 – Work Environment: The working group has added a lot of stress on cleanliness and monitoring in clean rooms and manufacturing areas that deal with sterilized products, to ensure that you are monitoring for particles that could have an adverse effect on the product. They reference ISO 14644, the standard used for controlled environments, as guidance for medical device companies to use in managing clean rooms.

In general, this section contains more specificity about what is meant by the term “work environment.” They point out conditions to be considered such as noise, temperature, humidity, lighting, or weather, and areas of infrastructure such as inspection areas, storage areas, and distribution areas — but it can denote any area within an organization that is dealing with manufacturing the product.

6.4.2 – Particular Requirements for Sterile Medical Devices: Finally, then there is now a section on sterile medical devices. The standard asks you to take additional measures for these particular products, where you really need to prevent contamination with particulate matter or microorganisms and maintain the degree of cleanliness during assembly or packaging operations.
While the section on product realization still covers the same basic topics, a few noteworthy items have been added. While the old standard expected you to identify your product verification, validation, monitoring, inspection, and testing requirements, the new one has added a few more to this list. It now also expects you to establish your product handling, storage, measuring, revalidation, and traceability requirements as well.

7.1 – Planning of product realization: As with previous clauses, there is an increased focus on risk management in this section. One of the biggest changes to section 7.1 is a requirement to document how the risk management activities are being handled for product planning. The draft guidance highlights several areas where risk management should be incorporated: verification, validation, revalidation, monitoring, testing, and traceability. You will need to conduct an assessment considering the risk as you’re planning for those activities, and that process has to be documented.
Also, a note was added asking organizations to look at IEC-62304, which is a guidance related to software lifecycle processes. If your device incorporates software, the guidance wants you to look at all the different lifecycles of that software, so you’re planning ahead of time for future changes.

7.2.1 – Determination of requirements related to the product: The main elements that changed in this section, which is under 7.2 – Customer-related processes, is the addition of a requirement to determine user training to ensure that the product will be used in a safe and effective manner. (By user, it means the physician or the person who will install the device.) While training is sometimes taken into account by manufacturers, it’s not always done consistently. This change seeks to ensure that the training process gets firmed up and that there are more controls in place when it comes to training.
The other element that’s new in section 7.2.1 is the requirement that organizations protect confidential health information from their customers. This information could arrive in two ways: It could be customer-provided feedback for the organization to incorporate into the requirements for making the product, or it could be postmarket surveillance data. Any kind of information that comes from the customer needs to be protected confidentially. – Communication with regulatory authorities: This is a new clause. Mainly, it says that there should be documented arrangements in place for communicating with regulatory authorities regarding four matters: product information, regulatory inquiries, complaints, and advisory notices. You need to have a documented procedure explaining how you’re going to be handling these communications. 7.3.1 – Design and development planning: The draft standard requires that you document your planning. The previous version (ISO 13485:2003) mandated that you plan design- and development-related activities, but the revision insists upon a more robust approach to documenting those activities.

Another addition to this section says that you should have a process in place to ensure traceability of your design and development outputs to design and development inputs. Also, it indicates that you should look at the resources that you will need for design and development, including the competence of the personnel will be involved with those activities. You really need to evaluate the personnel conducting design activities and not just appoint someone without the appropriate background. A new note clarifies that design and development review, verification, and validation have distinct purposes and can be conducted and recorded separately or in any combination as suitable for the product and the organization.

7.3.5 – Design and development verification: There is more emphasis in this section on developing a documented process for planning design and development verification activities. It also specifically indicates that verification plans should cover acceptance criteria and sample sizes that you will utilize, along with the rationale behind selecting them. Also, if the intended use requires the device to be connected with other devices, design verification activities have to confirm that design outputs still meet design inputs when connected — you have to look at the verification and validation from that perspective, not just the device itself. Will the device continue to do what it’s supposed to do once it’s connected to another device or another system?

7.3.6 – Design and development validation: The changes to this section are similar to those in 7.3.5, only they are related to validation rather than verification: documented methods, acceptance criteria, and sample sizes.
One addition that is unique to 7.3.6 is ensuring that validation is conducted on product that is representative of what you are manufacturing.

7.3.7 – Design and development transfer: This is another new clause, basically requiring a documented plan if you are going to transfer your design to another facility or an outsourcing partner, for example. You must also ensure that your design and development outputs are suitable for production specifications. In other words, if you move your product, will the new site be able to take your specifications and start manufacturing the products the same way you would have at the existing site? Can this be demonstrated with objective evidence?
The revisions point out eight aspects the organization should consider: supplier quality and capability, manufacturing personnel capability and training, manufacturing process and process validation, materials, manufacturing tools and method, manufacturing environment, installation, and service. You need to have a process in place that explains how each of these items will be addressed if you transfer the design to another supplier.

7.3.9 – Design and development records: Also a new clause, this one mainly just explains the types of records you need to keep in a file as part of your design and development activities. Previously, it was pretty much up to the manufacturer to decide how it was going to manage its records and provide evidence it was meeting all the requirements. Now, the draft standard is very prescriptive about the types of documentation to keep in the file, as appropriate. Examples include Results of preclinical tests related to the device and its conformance with specifications Biocompatibility studies Electrical safety and electromagnetic compatibility Software verification and validation Report on clinical evaluation Post-market clinical follow-up plan and evaluation report. While manufacturers are required to keep a file, they may determine what is important to include in their file, so they can have records available. For example, biocompatibility is not applicable to all devices, so it will not appear in every device’s file. – Supplier approval: Revisions to this section clarify the types of criteria to consider before approving a supplier. You need to have a plan on how you will select suppliers — how you will evaluate, re-evaluate, and then approve them based on their ability to meet your requirements.
And again, we see an emphasis on risk analysis. Now, you really need to determine whether you will have stricter controls, depending on how important their product is to your manufacturing operations. In cases where the product is extremely important, you will probably want to audit that supplier more frequently, require them to be ISO 13485 certified, and ask them to have periodic meetings to assess how they are performing. If, on the other hand, the supplier is not as critical, you might not be so stringent. The expectation is that you show that you performed a risk assessment to justify requirements for all of your critical suppliers. – Monitoring of suppliers: Organizations must demonstrate that they are checking in on how their suppliers are performing and are utilizing that data as part of the re-evaluation process. If a supplier is not meeting your requirements, you have to show what you are doing to help the supplier improve their performance, or that you are disqualifying them, or that you are engaging in other activities that take into account your risk assessment. You need to have evidence that you are reviewing the data. – Supplier documentation: Following up on, this new section asks that you keep records of your supplier evaluations, including any actions taken as a result of the evaluations.

7.4.2 – Purchasing information: The new addition to this section is having quality agreements with your suppliers.
In short
The old section on purchasing has been subdivided into four new sections and new requirements have been added. While the old standard expected you to establish supplier selection and evaluation criteria, it didn’t provide any details. Now it does. You now need to consider your medical device and the risk you’re taking in addition to the effect purchased products have on the safety and performance of your medical device. And in addition to making sure that your suppliers are capable of meeting your organization’s requirements, you now also need to worry about whether they can meet all relevant statutory requirements.

Supplier monitoring
But you’re not done yet. Now that you’ve selected a supplier, you not only need to monitor the supplier’s performance, you now also need to consider your risk whenever suppliers underperform, and you need to respond in a way that is proportional to the risk that you’re taking. And while both old and new standards want you to establish a record of supplier evaluations, now you’re also expected to record your supplier monitoring and re-evaluation activities.

Purchased product risks
Like the old ISO 13485 standard, the new one expects you to verify that purchased products meet purchase requirements. But now you’re also expected to consider the risk associated with the product you’ve purchased and to worry about what to do when unanticipated changes are made to purchased products and to determine whether or not these changes affect your medical device or your product realization process.
7.5.2 – Validation of processes for product and service provision: Here, the committee is adding a requirement to include procedures for validation of sterilization and packaging. If you comply with the European Medical Device Directive (MDD), you should already be doing this; now, ISO is going to call for it.
They also added a reference to the ISO 11607 standard for packaging terminally sterilized medical devices. This is just another reference you can use as a guidance to help comply with ISO 13485 requirements.

7.5.3 – Product identification and traceability: Another new section, states that if unique device identification (UDI) is required by the regulatory agency in a country where you sell your product, you need to establish and maintain a UDI for your device. This is likely an FDA-driven clause (since FDA recently implemented UDI rules in the U.S.), but as it becomes a more established practice, additional regulatory bodies will start asking for UDI.
Also important to point out is that the section requires that you have procedures in place to separate and distinguish returned products from conforming products. If you receive returns from a hospital or distribution center, for example, you need to prevent that product from getting mixed up with your existing product.
7.5.4 – Customer property: Again, the standard asks you to look at the regulatory requirements from all countries in which you must preserve confidential health information. If confidentiality is a requirement in a country where your product is sold, you need to have a procedure to address how you will to safeguard confidential information and treat it as customer property. 7.5.5 – Preservation of product: This new section instructs you to evaluate your packaging and shipping containers to ensure they are designed to protect the device from contamination and damage — not only during the processing of the device, but also during handling, storage, and distribution. It forces you to look at the complete lifecycle for that package and perform the necessary validations. – Particular requirements for sterile medical devices: The last section of section 7 (also new) elaborates on particular requirements for sterile medical devices. If you have a sterile product, you have to take additional measures to make sure that sterility will be preserved, wherever you plan to ship it and however long it will take to get there. How do you demonstrate that the product is going to remain sterile? Again, you really need to have the validation to prove that that package is appropriate.
8.2.3 – Monitoring and measurement of processes: This section added a note about the type and extent of monitoring and measurement appropriate to each process, and its impact on the conformity to product requirements and on the effectiveness of the quality system. Organizations need to determine the best way to monitor their processes, depending on their environment and process complexity.
For instance, if you are analyzing production data and you find there is an issue with calibration, the action you take might be different than if you are evaluating data from your post-market activities or your preventative maintenance system.  The calibration monitoring for a tool used in-process might be different than the calibration monitoring for a tool used in final inspection to release the product. You need to be able to justify how tight your controls are based on the circumstances and complexity of each process.

Process validation
Both old and new standards expect you to establish procedures to validate production and service delivery processes that generate outputs that can’t be verified until the product is in use or the service has been delivered. Now you’re also expected to establish validation plans and to revalidate processes whenever necessary.
8.2.4 – Monitoring and measurement of product: This section now includes a note that says, “Records shall identify the test equipment used to perform measurement activities and the person(s) authorizing release of product.” For every batch that you manufacture, you need to show what equipment was used. So if you have 10 measuring gauges, for example, you need to be able to trace it down to which one you used to measure some aspect of the device before final release. And not only do you have to trace it back to that instrument, you have to show who in your organization authorized the approval.
I think it is also important to mention that this was brought up with the latest revision of ISO 14971, the risk management standard. Now, ISO is tying it in with this section in ISO 13485, so that it is consistent across the standards.

8.3.1 – Control of nonconforming product (general): Section 8.3 in the draft guidance has been broken down in several different subsections, the first of which is 8.3.1. This clause requires that the evaluation of non-conformance includes a determination of the need to investigate. You have to be able to show how an issue was investigated and how you notified everybody who needed to be involved in the investigation and was associated with the nonconformity.
Also, there is now a link between the nonconformity and the CAPA system. You must be able to show if the issue warranted a CAPA or if it was just managed within the system itself. Obviously, you would have to justify why you decided to not escalate it to a CAPA versus just leaving it within the nonconformance management system.

8.3.2 – Actions in response to nonconforming product before delivery: This section discusses the actions necessary to handle the nonconformities before you ship the product out of your facility. If you identify the nonconformities before the product leaves the facility, it provides an outline of all the actions that must completed before you release the product. For example, you need to make sure you eliminate the nonconformity, document your criteria for releasing it, ensure the product meets all specifications, and address the relevant regulatory requirements that other countries may impose.

8.3.3 – Actions in response to nonconforming product after delivery: This section is very similar to 8.3.2, except it applies to nonconformities you identify after the product has been released. Organizations need to have a documented procedure for issuing and implementing an advisory notice.

8.3.4 – Rework: This clause is not new — rework was already included in the current standard as part of controlling nonconforming products. However, now they have added a section for it. The section states that if you establish rework, you need to look at any potential adverse effects on the product. Not only that, but it also has to become part of your risk-management process. When you decide that a product needs to be reworked, you need to also consider the implications and retest the product. How will does the rework affect the design of the product or any other manufacturing process?

8.3.4 – Records: Again, there is not much new here. They just added a specific clause to make sure that you keep all the records associated with your management of non-conformities. These records could include any decisions, people involved, and authorizations that took place before the product was released.

8.4 – Analysis of data: ISO 13485:2016, this section asks you to gather data to demonstrate that your quality system is suitable and effective, you are making improvements, and you are taking appropriate actions.
Two requirements were added at the end of this section.

(A)The first is audits. You need to look at your data from audits to see if you are having more issues in a given area that could potentially become a larger problem.
(B) The second new requirement is to review data from service reports, as applicable.

8.5.2 – Corrective action: Moving to the last section — 8.5.2 (improvement) — they have added a subsection that asks you to come up with a corrective action plan that is commensurate with the risk. Depending on the risk of the problem you are experiencing, you would need to establish why you decided to go one way or another with your response to it.
And the other thing that they added was two requirements that organizations should address in a documented procedure. One is reviewing product and process data analysis to identify nonconformities for corrective action. This is just tying it back to what we covered earlier in the section under control of nonconforming products. The other is determining and implementing action needed, including, where appropriate, updating documentation.

Finally, there is a comment about analyzing your corrective actions as part as your management review process. This is not something new, but they added a line to really make it clear that you need to have feedback incorporated as part of your management review.

8.5.3 – Preventive action: The changes to this section are very similar to the previous section. There is a requirement that you review product and process data analysis to identify potential nonconformities in order to prevent their occurrence. And at the end, there is the same request that analysis of preventive action should provide feedback to the management review.

The servicing section has also changed. In addition to having to document your organization’s servicing procedures and reference materials, you’re now also expected to analyze servicing records in order to identify servicing complaints and improvement opportunities.

User training
While the old standard focused on the need to identify product requirements specified by customers and regulatory bodies, the new one wants you also to think about the safety and performance of your products and the associated training needs of product users and to verify that regulatory requirements will be met and user training will be available before you agree to supply products to customers.

While the old ISO 13485 standard discussed the need to handle complaints, this important material was spread over several sections. The new standard brings most of it together in one new section and broadens and expands it to include all kinds of complaints (not just customer complaints). It now also expects you to develop and document complaint handling procedures that comply with all applicable regulatory requirements. The old standard merely asked you to establish arrangements, not procedures.

Delivery of nonconforming product
The section on the unintended delivery of nonconforming products has also been reorganized and reworded and new subsections and new detail has been added. The result is a much more useful section. The new standard now expects you to investigate nonconforming products that have been delivered, to determine if corrective action is needed, and to consider whether or not responsible external parties need to be notified.

The section on improvement has also been enhanced. In addition to having to maintain the suitability and effectiveness of your QMS, you’re now also expected to maintain the safety and performance of your products whenever improvements are being considered. In addition, before you implement corrective and preventive actions, you’re now expected to verify that they comply with all applicable regulatory requirements and that they do not compromise the safety and performance of your medical devices.

Thanks for reading this article.
Mrs. Beena. [Senior Consultant, Team Lead and Lead Auditor]

More details are available on the home page of the website

Quick Contact