Deb Kacera, Regulatory & Industry Strategist, Pilgrim Quality Solutions
How much effort will it take to get your organization ready for ISO 13485:2016? The new quality system requirement takes effect in March 2019. Medical device manufacturers that aren’t prepared for this change will need to do some heavy lifting to stay compliant with the updated standards.
Do you know if you need to do light or heavy lifting to get ready for the new version of ISO 13485? Here is some insight on where to start when reviewing changes between the old and new standard.
Checkpoint 1: Has your organization kept pace with regulatory requirements?
If you’ve been keeping pace with evolving regulatory requirements, your organization will have a simpler path to ISO 13485:2016 compliance. It depends on whether your organization is aligned with internationally converging quality regulations and guidances, as well as the maturity of your existing quality system.
It is important to examine whether your company’s Quality Management System (QMS) has evolved since the last changes in 2003 to align with:
- The Global Harmonized Task Force “GHTF” (now IMDRF) Guidance Document’s philosophy from Risk Management to Supplier Management
- The FDA Medical Device Quality System Regulation (21 CFR Part 820)
- The European Medical Device Regulations
- The Medical Device Single Audit Program (MDSAP)
If you’ve been keeping pace with the above requirements, your path to ISO 13485:2016 will be relatively simple. You will need to evaluate the wording that has been added to the standard to look for areas where you will still have some “minor lifting” left to do.
However, if you have not fully embraced ISO 13485:2003 (especially the footnotes defined there) and your organization is not aligned with the international standards above, then you have some “heavy lifting” to do to be ready for the March 2019 deadline. Many of the updates in ISO 13485:2016 are significant changes for organizations where risk, responsibility, and regulatory requirements need to be embedded into the quality system.
Checkpoint 2: Focus on the right changes
Regardless of the amount of “lifting,” you need a starting point that will help you focus on making the right changes quickly. A good place to start is by identifying the differences between the old and the new versions of ISO 13485. These changes are indicated in Annex A of the new standard. At a high level, these changes encompass the following areas:
a) Leveraging a risk-based approach to processes beyond product realization that could impact safety and performance of your medical devices
b) Ensuring all countries’ regulatory requirements that you need to maintain are part of any “process analysis” especially during a change “impact assessment”
c) Validating the application of computer software used in an automated Quality Management Solution
d) Implementing corrective action without undue delay
e) Protecting confidential health information based on regulatory requirements
f) Implementing controls on suppliers
g) Ensuring that calibration and maintenance are defined and measured
h) Expanding risk management procedures and integrating into the Quality Management System
i) Ensuring the linkage of training competency and evaluation to the level of risk
Take a close look at your existing processes in each of these areas. Do some of your existing processes need heavy lifting to meet these new requirements? If so, now is the time to act.
Checkpoint 3: Review common challenges in moving to ISO 13485:2016
Let’s dig deeper into a few of the changes mentioned above and evaluate your “lifting” requirements. Here are some ideas to consider when evaluating how these changes impact your organization or value chain.
Leveraging a risk-based approach to quality management system processes
This area of the standard requires you to examine the various QMS processes that impact patient safety and product quality, and assess all QMS processes to determine if the input and/or output processes have risk elements that need to be evaluated, either qualitatively or quantitatively. The analysis of supplier assessments/audits, supplier audit frequency, selection of sampling plans and inspection frequency for incoming products, and evaluation of training program competency are just a few QMS areas that should tie to a definable risk assessment. These can pose significant challenges to many organizations.
Audits and Risk-based Audit Planning
Have you evaluated and documented the risks associated with each of your suppliers?
Risk can be incorporated into audit planning as you prepare for new or follow-up supplier audits. This can be a quantifiable value that allows the lead auditor to determine the frequency and type of audit for each auditee. Risk can be calculated based on data from a number of sources, including the QMS. Data points to consider when calculating supplier risk and audit frequency could include:
- Geographic location of the supplier
- Number of suppliers providing a similar product or service. Is this a “sole-sourced” vendor?
- Product or service provided by supplier
- Risk value of the products and/or service that the auditee is providing in relationship to the finished medical device
- Severity of previous audit findings
- Observations during regulatory/notified body audits
- Customer complaints with a product malfunction or death/serious injury where the root cause was traced back to the supplier
The product design and the development of the manufacturing process will yield critical steps that need to be defined because they impact the quality of the process and/or the safety and performance of the device.
When determining the training requirements for these process steps, the type of training, the training content, and then the competency required of the individual must be analyzed. In the updated standard there is a note that the methodology used to check training requirements and effectiveness should be proportionate to the risk associated with the work.
Does your business associate the risk for both role-level training and for job-specific requirements? Of course the answer would be “it depends.” If someone has the role of a “Qualified Person,” who is signing off on a Batch Release, or if a Quality Manager is signing off as a CAPA Approver, these roles have a risk associated with their job activities. How is that risk accounted for in the respective training requirements? A specific lab test that a Lab Technician needs to run for a product may have a unique risk depending on the specific product and/or process criticality; therefore, a specific training document or lab procedure may be linked to a critical characteristic that has a specific risk value.
How will your organization capture this information and link it to objective evidence required for the competency of each role and/or requirement? If you don’t have a plan for this, now is the time to act.
Confidential Health Information
If your company is collecting patient information, what information is confidential and who has the ability to access the information? At a minimum, this question should be addressed for your complaint system records.
What other records may contain this information within your organization? Companies need to identify who in their value-chain (sites, departments, and suppliers) may have access to confidential health information in electronic records or even reports that are generated from electronic systems. Should these sites, departments, and suppliers have access to confidential health information? If not, you may need to redact information manually or create unique reports for outside partners.
We are all managing change through processes defined within our organizations. However, ISO 13485:2016 specifically asks us to ensure that we are evaluating both product and process changes and their impact to regulatory requirements. Examine your ISO 13485 readiness by considering the following questions:
- What is your internal process when a product or process change occurs?
- Which team members get involved?
- Who determines the significance of each change?
- When is it appropriate to get a Notified Body and/or regulatory agency engaged in the discussion?
- How do you notify and communicate to your Notified Body and/or regulatory agency?
- How do you document the process for objective evidence that you have done your due diligence?
A Faster Path to ISO 13485:2016 Compliance
Quality Management Software can speed your company’s path to ISO 13485:2016 compliance. Pilgrim SmartSolve® has in-the-box best practices for:
- Audit Management – Captures auditee risk as a part of the audit planning process.
- CAPA Management – Provides guided processes to implement corrective actions quickly.
- Change Management – Allows specific cross-functional teams and business process workflows to be dynamically managed based on the significance of each proposed change.
- Document Management – Controls standard operating procedures and other documentation throughout their lifecycle.
- Inspection Management – Automates sampling plans and inspection frequency for incoming inspection.
- Training Management – Manages certifications for both role-related and job-related training requirements.
The time to act is NOW. Your organization should already have your team defined and your gap analysis complete as you are moving toward the March 2019 deadline. Remember, many of the auditing organizations are going to be very busy with all the new certifications for Medical Device companies and their value-chains, from ISO 9001:2015 (September 2018), ISO 13485:2016 (March 2019), MDSAP (December 2018), and the inevitable Medical Device Regulation (MDR). Start preparing today to avoid bumps on your path to ISO 13485:2016 compliance.