by Michael Kanis, Vice President, Business Development, NextPhase Medical Devices
ISO 13485:2016: An Introduction
The international standard ISO 13485 governs the manufacture of medical devices. The first edition was published by the International Organization for Standardization (ISO) in 1996. The ISO currently reviews standards at least every five years to determine whether they need to be updated. The first update to ISO 13485 was released in 2003. This has now been superseded by ISO 13485:2016, which came out on March 1, 2016. According to the ISO, this set of standards was updated "to respond to the latest quality management system practices, including changes in technology and regulatory requirements and expectations."1 The standard is used by medical device manufacturers to ensure the quality of their products and by third-party entities to certify companies that manufacture such devices.
When a new edition of the standard is published, it does not immediately invalidate certifications issued in accordance with previous versions. A transition period retains certifications to the previous standard while the transition is made to the new edition. For the first two years, certifications can still be issued in accordance with the 2003 version. As of March 1, 2018, that period has concluded and all new certifications and certification renewals must be done according to ISO 13485:2016. Prior certifications under ISO 13485:2003 remain valid until March 1, 2019. Within the European Union, recent certifications have been done according to EN ISO 13485:2012, which comprises ISO 13485:2003 with the addition of a forward and annexes. Companies certified under the 2003 standard are expected to schedule an audit prior to the expiration of current certification.
At NextPhase Medical Devices, we first earned ISO 13485 certification in 2002. Our current certification is according to EN ISO 13485:2012. It was issued by TUV Rheinland. As we work toward 13485:2016 certification, we thought it a good idea to share some of what we know with others traveling the same path.
ISO 2016: A Greater Emphasis on Risk Management
According to the ISO, the 2016 version of standard 13485 "has a greater emphasis on risk management and risk-based decision making, as well as changes related to the increased regulatory requirements for organizations in the supply chain."2 Risk management is an approach that attempts to anticipate all possible problems, disruptions, failures, or other crises that can have an impact on the realization of an enterprise. Many of the changes in ISO 13485:2016 are intended to bring medical device manufacturing in line with other standards related to risk management during the design, production, and validation phases.
The majority of changes are found in §4 and §§6 through 8.
Updates included in ISO 13485:2016...
Quality Management Systems (§4)
Section 4 addresses quality management systems. It adds a requirement that companies must maintain documentation that defines the roles of the organization, stipulating that companies take these roles into consideration when determining processes. This section also mandates the adoption of a "risk based approach to the control of the appropriate processes needed for the quality management system." This is an expansion of the risk management approach over the 2003 standard, which only required such an approach for product design controls and realization processes. Some items are added to an existing list of requirements related to changes in processes and to requirements concerning the validation of the computer software used in quality management systems.
The documentation requirements for quality management systems have expanded to include the maintenance records necessary to proper planning, operation, and control of processes. The documents that must be included to demonstrate compliance with international standards and local regulations are also enumerated. The archival process must prevent the deterioration or loss of documents. Steps must also be taken to ensure the privacy of appropriate medical records.
Resource Management, Including Employees (§6)
Section 6 includes standards related to the management of resources, including employees. Companies must have documented processes for ensuring that their employees have competence in their areas of responsibility. Documents related to the training and evaluation of employees must be maintained. The requirements for the handling of products now include an infrastructure that prevents product mix-ups and facilitates the handling of products. The work environment of the employees must also be documented. Additional standards related to sterile instruments are added for the prevention of contamination by microorganisms or particulate matter.
Product Realization (§7)
Section 7 contains the largest number of additional standards. These relate to the process of moving a product from conception to completion. Customer-related processes involved in the determination of requirements are more closely defined, while standards dealing with the management of interfaces between design and development groups have been dropped. A new requirement stipulates compliance with regulations regarding communication with regulatory authorities.
Updated Design and Development Standards
Standards for design and development planning have been updated, including slight expansions to the requirements for the inputs that must be considered. It also states that the requirements must be able to be validated and verified. Documentation is to be maintained concerning the processes used for validation, including methods, criteria for acceptance, and statistical techniques. Design and development verification must be carried out in accordance with documented processes that ensure that the outputs meet the requirements. This includes verification of any interfaces between devices. A new subsection requires documented procedures for the transfer of development outputs from the design team to the manufacturing process. A design and development file that includes records demonstrating conformity to the requirements must also be maintained. Companies must also develop procedures to control and document any changes to the design.
Updated Purchasing Standards
Standards relating to purchasing have also been added. The criteria for selecting suppliers must be established and should include the effect of the purchased product on device quality. The manufacturer must monitor and reevaluate suppliers to determine whether they are meeting requirements, and this process must be documented. Contracts between the company and suppliers must include an agreement that the supplier notify the manufacturer of impending changes to the purchased product prior to making those changes. The manufacturer shall evaluate the effect of such changes on the manufactured device.
Updated Production and Service Provision Standards
Additional rules for production and service provision are included, including standards for controls and product cleanliness. Organizations are now required to carry out analysis of servicing activities in which they or their suppliers participate. This is done both as input to the improvement process and to allow complaints to be properly addressed. Companies are also required to document procedures for validating the software used in production or to provide services. The extent of the validation must be proportional to the risks associated with the use of the software. The system used to assign unique device identifiers to medical devices must be documented. Procedures for handling the return of nonconforming devices to ensure that they are kept separate from conforming devices shall also be recorded, and processes to prevent product alteration during storage, distribution, and handling must be specified.
Data Collection, Analysis, and Improvement (§8)
Section 8 concerns data collection for the purposes of demonstrating conformity to standards and improving processes. New requirements mandate the documentation of procedures used for the feedback process. This information is intended to serve as input for risk management and product realization. New subclauses in the 2016 standard require documented procedures for handling complaints in accordance with regulatory requirements and the notification of regulators when complaints that meet certain criteria are received. Records must also be maintained to identify test equipment used for data collection.
This section also includes standards for the control of nonconforming products, covering cases where the nonconformity is discovered both before and after delivery. Specific steps to address nonconformity prior to delivery can include the elimination of the problem, precluding the intended use, or releasing the product under concession. If the product is offered under concession, justification must be provided and approval from proper regulatory agencies must be obtained. Documented procedures for issuing advisory notices and correcting the problem must be in place for instances when the nonconformity is discovered after delivery. In both cases, the standard stipulates verifying that the corrective action does not adversely affect the product performance or its ability to meet regulatory requirements.
Conclusion
Within the next year, certifications issued in accordance with ISO 13485:2003 will become invalid. Before that point, medical device manufacturers need to schedule an audit to be certified according to ISO 13485:2016. This revised standard adds a focus on risk-management models and brings the standards up to date with current regulatory practices for both manufacturers and those in their supply chains. Companies who adopt these standards will ensure the quality of their products and their compliance with regulatory requirements.
At NextPhase, we’ll be working hard to meet these new standards and update to ISO 13485:2016. If you are heading in that same direction, we hope you have found this article informative and helpful.
About the Author...
Michael Kanis is the Vice President, Business Development for NextPhase Medical Devices. He holds a B.S. in Marketing and Entrepreneurial Studies from Babson College. Mike is responsible for all marketing and sales for the firm.