ISO 13485 Transition Key Changes
The “annex-SL” layout of other new standards places more emphasis on organizations deciding how much control they need to implement based on risk and regulatory requirements; however it seems the working group for ISO 13485 were yet to be convinced of this new layout when they addressed the update to the standard.
By its’ nature, the medical device industry has a high requirement for documentation and record keeping, but conversely the automotive industry also has higher requirements for this and the new IATF 16949 standard has adopted the HLS. Perhaps the next update to ISO 13485 will incorporate this layout, but for now the old remains, including the requirement for a quality manual and “preventative action” instead of “risks and opportunities”.
For organizations that implement both ISO 9001:2015 and ISO 13485:2016, Annex B lists the interrelationships between the two where they exist and highlights where they are not in correspondence. However, the only clauses that cannot be identified to correspond between the two are those unique to medical devices as before (e.g. medical device files, cleanliness and contamination control).
While we are investigating the annexes, Annex A includes a correspondence of changes from the old version of ISO 13485 to the new one and can be used to identify to the sub-clause where the changes are to be found (but we will run through some of these with commentary on some important ones).
Relationship to the new EU regulations
The standard was prepared with the EU medical device directives in mind and released a corrigendum to cover it. The Z annexes (the three at the front of the document) reference the standard against the directives to demonstrate which elements go towards supporting compliance with the directives.
Remember, conforming to the standard does not imply compliance to the directives, so organizations will need to check their system against these requirements as well and Annex Z helps this process along.
With the new EU medical device regulations published and the transition dates set (2020 for medical devices and implants, 2022 for IVD), this information will become moot soon enough. It is likely that at least another corrigendum to again demonstrate how the standard corresponds to the regulations in its’ current state, though again each organization will be required to review their systems against the regulations to check for compliance.
With the standard so fresh out of the gates, it is unlikely that an entire new revision will be issued when a corrigendum will cover this; as the regulation was already in discussion at the time of this issue of the standard, some elements have already been included, such as UDI. However, it may not be surprising if a new revision is published around 2022 when the IVD regulation is implemented and, as discussed already, this may adopt the HLS of the other standards being published.
Recurring themes in this revision
Most of the new and amended requirements of this revision can be identified as corresponding to one (or more) of the following themes evident in the document:
Plan, do check, act: the emphasis on the plan here is deliberate; several processes now require evidence of planning, either directly stated or inferred by the manner of the requirements and records. For the latter point, human resources is a good example of this, as you will see in the blog. The PDCA cycle is management system 101 and although planning has been a requirement of quality standards for a long time this is being further highlighted going forward. In particular, planning is beneficial for processes and changes that are multi-disciplinary, where risks must be considered or where decisions can result in unforeseen impacts. Remember, failure to plan is planning to fail…
Risk based thinking: risk is specifically stated (or, again, implied) as a basis for decision making in many clauses in the standard. Straight out of the gate, in section 4.1, risk is discussed as a driving in factor in deciding the level of control the QMS must have over the organizations processes. Risk is discussed in the context of this document as always being related back to the risk of conformity of the medical devices and not, for example, business risk; though this could be considered, the priority is medical device conformance to requirements of the organization, the standard and regulations. This therefore extrapolates to risk the device has on patients and users. Risks are to be identified and addressed appropriately and ISO 14971 (risk management in medical devices) can offer further support in implementing risk management.
Evidence based decision making: data should be gathered and used to inform decisions. This can be used in conjunction to risks when making decisions; risk assessment outputs are data after all. Justifications and rationales are required to be documented for many steps where decisions are made and ownership of those decisions becomes traceable ultimately to top management, who are responsible for the resources making those decisions. This is an auditing tool, but first it is a tool for organizations to make the right decisions that provide safety for them, their customers and their patients.
Details and examples: It’s all in the details. The standard now has extra information in many areas of how requirements can be met for a given clause. Examples include the methods of control that can be applied to a process and methods for preserving products. These can help an organization decide on how to control a process and, again, the number and type of controls to be implemented should be based on risk inherent in the process and how it can impact the medical device.
Special processes: QMS for medical devices has rightly been standalone due to risk and level of scrutiny, but also due to the specialism of the industry. There are several special processes and elements of the QMS, such as medical device files, contamination control and cleanliness, sterilisation and identification. In the new revision more detail has been included for many of these, in some cases they have even received new sub-clauses to highlight their importance.
Record keeping: Many elements of the above require records to be kept, as well as documented procedures made (or updated) to include the new requirements. As already touched upon, where decisions are made records must be kept to identify who and why.
These have been highlighted in the rest of this blog where they correspond to risk, records, planning and decision making.
Quality management system
Adoption of the risk based approach is first discussed in the general requirements section. Here it related to implementation and maintenance of procedures and the validation of software used as part of the management system. The depth and detail of these is based on the risk the process or software has on product quality, so a high risk process should have more detailed procedures and software controlling it should have a higher degree of validation carried out.
There is now a requirement for organizations to protect documents and records from deterioration and loss and to protect confidential health information gathered by the organizations activities, such as through clinical studies, post market surveillance, vigilance and incident reporting. The latter point shouldn’t be surprising with the recent interest in protection of personal data that the European Union has had, with organizations already required to comply with related regulation for information security and access.
Management responsibility and resources
Management review has some new inputs, namely monitoring and measuring results for the system and products and reporting to regulatory authorities. There is also a new output relating to changes to regulatory requirements and how these will be met. The former point in particular highlights the standards focus on evidence based decision making and that top management should take this on board as well.
Importantly, there is now a requirement to have a documented procedure for management review and that the interval between management review meetings is to be documented. This will allow auditors to better identify where management review is late or not carried out completely and the responsibility to carry it out is on top management.
The human resources clause includes new documentation requirements for processes to:
These processes were a requirement previously but now they must be documented and so be demonstrated to be implemented in a controlled manner and planned; meeting these requirements effectively can be achieved through planning training and awareness activities with staff. The work infrastructure must now be planned so as to prevent product mix-up (i.e. zoning) and ensure orderly handling of product from one process to another, promoting processing in a logical manner. The work environment must now have documented requirements where it can affect product conformity, such as requirements to control bioburden and prevent electrostatic discharge. Contamination control has become its own sub-clause with expanded requirements for where product must be clean or sterilized following manufacture process steps.
Design and development
The lists of requirements in many clauses in product realization have been expanded upon, focussing on provision of resource and competence of personnel. Design and development has also seen a focus on recording of decision making and collection of data as records to be maintained. The end goal is to demonstrate evidence based decision making and planning in design and development, where test data is gathered and acted upon rationally and logically with consideration to the requirements of the customer, organization and regulations.
Design and development has seen a requirement for management of interfaces between design interfaces removed, though this function may still be a requirement of internal procedures where determined by the organization. The contents of design reviews must include identification factors (product being reviewed, attendees and date) and input requirements must be available for verification and validation (i.e. they must be measurable as outputs).
There are now more documents and records needed for verification and validation activities, including:
The plans for the activities
Interface considerations (i.e. usability engineering)
Product to be used for validation
Records of the activities
New sub-clauses have also been added detailing requirements for design transfer to production and maintenance of design files. There is now a need for documented procedures for design transfer and records of the results and conclusions of transfer activities must be retained. The design file must include the output documents of the preceding design clause, including records of changes to design, and so act as a history of the product design and decision making.
Supplier evaluation has been strengthened following scandals in the medical device sector; organizations now have more requirements for ensuring product and material from outside the organization conforms.
The standard now lists requirements for supplier selection criteria that focus on:
Effect of supplier performance on the quality of the medical device
Risk associated with the medical device
Meeting regulatory requirements.
Monitoring and re-evaluation of suppliers now require planning by the organization and action must be taken if requirements are not met, proportionate to the risk of the supply on conformity of the medical device.
Changes to supplied product and material are also under closer scrutiny; organizations must now include an agreement with the supplier to notify in the event of any changes (where appropriate) and if the organization becomes aware of changes in verification activities they must take action to ensure the change does not affect product realization or the finished device.
This sub-clause therefore has two phases to consider; the suppliers must agree to notify of changes but the organization must also check product to ensure this is adhered to and, where change is necessary, verification that the change is suitable must be carried out and recorded.
More detail on how requirements can be met have been added, including:
Types of process controls that may be utilized
Situations where procedures may be required
Methods to achieve product preservation
Record requirements for servicing and validation activities
“Special processes” have also seen additional requirements:
A new scenario has been added to the list of when contamination control can be required
Requirements for sterile barrier systems have been implemented
Procedures for validation requirements following process changes
Procedures for the use of statistical techniques in validation activities
Software validation is given some more attention in this clause for where it is used as a part of production or service provision, with the requirement for a documented procedure for these activities. Again, the extent of the validation process is proportionate to the risk associated with the use of the software and consequences any failure may have on the finished products’ conformity.
This requirement may cause concern to some organizations, particularly those who use customised or modified systems to control manufacture or production planning. However, assessment of process risks will highlight where activities must be carried out to validate software and choosing a supplier of software who conduct validation on the software and its customisations may be beneficial in meeting this requirement by mitigating risks.
Unique device identifiers is a new requirement in the identification clause; organizations that have a regulatory requirement for UDI must document a system for applying UDI. The FDA in the United States has already initiated a UDI programme that, as of September past, is now live for all devices. In the EU, UDI must be implemented for class III devices and implantable in 2021 with other device classes to be added in 2 year increments. Aside from this, the sub-clause also includes more details on requirements for identification through product realization, particularly for monitoring, measuring, inspection and release purposes.
Measurement, analysis and improvement
Feedback has been expanded, indicating that it should come from production and post-production activities and that it should feed as an input back into risk management processes. Two new sub-clauses have been added to detail requirements for complaint handling and reporting to regulatory bodies, requiring documented procedures and records of activity for each to be retained. There was also a requirement added for identification of test equipment used for measuring activities, the intention being that equipment used for product conformity assessment can be traced.
The sub-clause for control of non-conforming products has been expanded; more detail is given regarding kinds of controls that can be implemented, requirements for concessions and re-works and records to be retained from issuance of advisory notices. The requirements for non-conformance detected before and after delivery have been separated to better highlight actions to be taken, and their order, based on the risk associated in each case.
The need to include results of investigations and rationales for decision making has been added, further supporting the organizations need to demonstrate evidence based decision making. This is conjunction with the concession requirements, which states concessions must be justified, with evidence and rationale demonstrating that regulatory requirements are still met and the persons authorising release of product are identified.
Other new requirements for the clause include determination of appropriate methods of data analysis, including statistical techniques and the extent of their use, in the procedures for data analysis. Service reports and audits have also been added to list of data inputs. Corrective actions and preventative actions now require a verification step to ensure they have not generated adverse effects.
There is now also a requirement that any necessary corrective action is taken without undue delay. Though subjective and not really expanded upon in the standard, the planning and documenting of actions to be taken still must be performed and it stands to reason that decision making regarding timelines is included here and is based on risk; corrective actions should not result in generation of new risks and should deal with the root cause of non-conformity.
Final points: what is missing?
Overall a lot of effort has been placed into addressing the points referenced earlier; risk, decision making, record keeping and planning. It is worth remembering when reading this list of new requirements that they have come about largely in response to the new approach of the HLS (though it is not directly embraced, the concepts it is focusing on more are also being highlighted in the revision of ISO 13485).
However, these have also come about due to recent controversies, scandals and concerns in the medical device industry. Many of these requirements tighten controls and provide more audit trails and the new upcoming MDR also has this in mind. To an organization these may appear challenging, but a lot of it is simply documentation of processes and ideas already implemented. And besides, it is worth remembering that any of us could become patients at any time; the thought that the medical devices we are exposed to are coming under increasing scrutiny must provide a degree of reassurance that we are in safe hands.
There are some notable elements of the new HLS that are not implemented as completely as in the other updated standards. The requirement for a management representative for example was removed from ISO 9001:2015 but is still present in ISO 13485:2016. The ownership of the QMS remains with top management in both cases, however this has become more clear in ISO 9001, although responsibility for its’ every day running is handed down in the organization. Preventative action has been raised previously and with good cause; it’s role in the planning of operations is far more clearly demonstrated in ISO 9001:2015 due to its’ strategic redeployment to clause 6.
And finally, continual improvement remains a divisive subject here. Where ISO 9001 now requires an organization to continually improve performance, ISO 13485 requires organizations to ensure and maintain the continued ability of the QMS to meet requirements. This may not seem so important when reading the actual clauses, but it comes from a simple concept; a QMS for medical devices either meets requirements or does not, so continual improvement implies that it is not meeting requirements at some point in time and must be improved to do so. To avoid this implication, continual improvement as it exists in the HLS is not included in ISO 13485.