ISO 13485 - Frequent Errors and How to Address Them

In this blogger’s time auditing organisations with newly implemented ISO 13485 systems (both from scratch and from using pre-existing quality systems) a lot of the same issues appear at the stage 1 audit.

The standard is quite dense (especially when including the annexes and appendices, though they aren’t necessarily needed for many organisations) and follows a different structure to most current standards, so it can feel daunting to those new to it. Some very specific requirements are buried in unusual places in the standard and some requirements are not made very clearly.

To go alongside the ISO 13485 Implementation Guide, this blog has been developed to capture some of the key gaps, omissions and errors that this auditor has encountered in their time auditing organisations that have just started to implement the standard. This also includes a brief suggestion on methods that could help to meet these requirements, where applicable, and maybe benefit the system.

Software Validation

One of the clauses buried in an usual spot, clause 4.1.6 requires software that is used in the QMS requires validation. This is mirrored in clause 7.5.6, which requires that software used in production/service provision also requires validation.

The first key error often seen here is the claim that these clauses do not apply; the standard does not permit for clauses outside of 6, 7 and 8 to not be applied for one thing, for another software includes any software (so Word, Outlook, Excel and any electronic production control systems for example would apply).

The next is the assumption this requires a significant amount of work to address but the clauses provide another requirement; that the specific approach and activities associated with software validation and revalidation shall be proportionate to risk. For software like word the risk is very low and so simply checking the software is accurately providing information as part of routine auditing could meet this requirement. Other controls in place can also affect risk, such as if an ERP system is in use but externally monitored by a supplier who are specialists and provide regular updates and support.

A good place to start with software therefore is to perform a software specific documented risk assessment for the entire system and operations processes and use this to determine the controls necessary.

Documentation requirements

For organisations unused to it, the amount of documentation the standard requires can be daunting, but it makes sense when considering that the aim of the standard is to ensure that an organisations standards for operations are clear and therefore that it is clear when they have not been adhered to.

The first key part of this is the manual- this has specific things it must do, basically working as an introduction to the system (including the system scope, overall process flow map and document structure description) and then as a sign-post document, referencing the procedures in the system and what they apply to. A big, thick manual (or indeed procedure) does not encourage staff or potential customers to open it and use it as a an introduction to the system or a tool for them to understand how to do their work, so keep it concise.

Clause 4.2.3 states that medical device files must be maintained. Manufacturers and distributors may think of these as technical files and keeping these makes sense as it is also a regulatory requirement. For other organisations in the supply chain, the requirement to keep these cannot simply be stated as not applying, though it can be applied within the capabilities of the organisation. A part file can be maintained, containing the batch records for batches produced as well as specifications for product and packaging, any labelling applied, reference to procedures, and so on.

Back to procedures; a good practice for this may be to go through a copy of the standard with a highlighter and highlight a clause whenever it calls for a procedure, then further highlighting the specific requirements of the procedure as listed in the clause. Then, add these to a list and use this as the start of your structure. Procedures can be or include process flow diagrams to help work as an operative’s guide to conducting their activities, but it does pay to include text elements describing specific elements that standard wants included.

Also, keep a good eye on good documentation processes; records and documents need to remain legible, so any errors or changes in records need to include a record. Correction fluids should not be used, with corrections being made by a single neat line and then identified by initials and a date.

Finally for this section, a big missed element is the retention periods of records and documents. Records must be retained for product lifetime (where this is known) or for a minimum of 2 years. Customers will also often define this and so this should be clear where it is the case.

Further, documents, including procedures, that are made obsolete must be have 1 copy retained for at least the life time of resulting records. This means that if you have a procedure for production control that references a batch record form that is retained for 10 years, the documented procedure must also be retained for 10 years. These periods must be clearly communicated as understood and demonstrably being adhered to. Keeping copies of documents effectively indefinitely on an electronic server or system is fine as long as this is stated.

Regulatory requirements

For those organisations that are medical device manufacturers or distributions, it probably goes without saying that you need to be constantly aware of the associated regulations and any changes to them. The standard hammers this point in and refers to regulatory requirements consistently.

For other organisations though, suppliers and service providers, it is often considered that there is no need for this. However, the regulations are still important; they effect your customers and their needs may change as a result, so it is always important to include them in management review as a talking point.

 It is also frequently believed that there is no need to apply clause 8.2.3, reporting to regulatory authorities. Medical device manufacturers need to report in structured methods to their regulators, following vigilance and PMS processes and with detailed plans for issuing advisory notices and performing recalls. Distributors also need to have some dedicated structure for these activities, at least in as far as they relate to the support of the manufacturer.

However, for suppliers and service providers, though not needed in a structured manner and unlikely to be needed at all, their may still be a requirement to report to a regulator, for example when assisting with a recall or to prevent a public health risk if a defect or problem is found. The procedures should at least state that this will be done when required and that records will be retained.

Work environment and cleanliness

Similar to the previous clause discussion, this one is frequently believed to not apply to an organisation that is not involved in the final manufacture of a medical device, particularly where the device is not sterile. However, to one level or another, the clause does apply to most organisations who seek the standard. There is a risk of contaminating the medical device manufacturer’s site (or the hospital) when you send materials that are, or are packed in, contaminated materials. This can then lead to further contamination at the site and it is spreading.

For this reason, at least rudimentary cleanliness controls should be in place and for some organisations more may be needed. Again, risk assess this process and determine controls proportionately.

When controlling cleanliness and the work environment, here are some key things to consider. Pest control should be in place, at least for rodent control and for some materials fly control should be in place too. Particles and dust may also be a problem in terms of contamination and should be adequately controlled with air extraction where it is significant or with clean rooms and cabinets if required. Electrostatic discharge is another example of a risk factor in the environment that may require control by use of anti-static coats, shoes/shoe straps, flooring, desk surfaces and wrist straps. And a regime for testing these.

This leads on the final point of control for all of the above; procedures should be maintained that describe the measures put in place to maintain the work environment and records kept to show this has been done as required. Cleaning sheets, ESD test sheets, pest control reports and cleanroom validation plans are all examples of this.

Planning and risk assessment

Clause 7.1 includes a lot of discussion on planning and how to achieve this. Buried in this clause is a relatively short requirement that often gets overlooked: the need to have a document risk assessment process in production. This is almost a passing comment but is actually quite important to implement. The risk assessment should address risks that the process introduces that could impact product conformity to requirements and the potential risk to patients and end users (though the latter requirements are more specifically required for manufacturers, suppliers and service providers should also consider this to some degree). Again the level of detail and control put in place for this process should be based on the risk; medical device manufacturers have a lot more to consider than their suppliers, but consideration is still required.

PFMEA is a good way to address this requirement, providing a scoring system and therefore a method of prioritising actions to address risks based on which are highest. The clause also references ISO 14971, the standard for risk assessment in medical devices, which encourages PFMEA methodology and includes guidance on elements to consider relating to patient safety and good methods for addressing risk and implementing controls.

Control of suppliers and outsourced processes

This is the final key area where errors are made. Clause 7.4 includes the usual requirements that organisations with ISO 9001 would recognise. Criteria must be documented for the evaluation and selection of suppliers and these should again be proportionate to risk. Supplier questionnaires are often identified as in use (or attempted to be in use) and these can be useful but on their own they are quite weak as evidence of evaluation. For one thing, some suppliers simply don’t respond to them or respond to requests with a standard statement; if this is the case, the criteria is not fulfilled but if the supply is needed what can be done?

A questionnaire/supplier file should be accompanied by agreements for supply and quality (as applicable, see next paragraph for more) but also by suitable inspection and assessment of their product or service. This is the part that matters, so it should be assessed suitably. A new supplier could have their first 3 orders go through additional inspection, for example, to determine quality is adequate, this is stronger than simply using a questionnaire. Then, for continuous evaluation and re-evaluation, ensure data is collected on performance and discussed as part of management review.

Further to this, consider clause 4.1.5, which requires outsourced processes to be controlled, including by written quality agreements; this is not optional, their must be written quality agreements in place with outsourced process providers. An outsourced process is a process that can effect product conformity that an external provider is doing on behalf of the organisation, so could include a finishing process for metal parts, part drawing and design or population and testing of a provided PCB by an external provider. Ensure these are in place. 

Authored by: NQA Regional Assessor - Tam Rowell