The Revitalized ISO 13485: Ready for Business

ISO 13485 was updated to keep up with movements in industry and to address the changes to ISO 9001:2008, the foundation standard for ISO 13485. The old 13485 Standard was based upon ISO 9001:2000, while the new 13485 is based upon ISO 9001:2008. Industry expected the new 13485 to use the latest 9001 (2015) Standard, but Technical Committee 210 felt that the older ISO 9001 Standard better serves the needs of medical device suppliers, regulators and clients.


OMTEC transparent 2016

Want more information on FDA regulations or the CAPA process? Want to hear more from John Gagliardi? Come to OMTEC 2016 and attend one, or both, of Mr. Gagliardi's two sessions: "FDA Focus on Design Control" and "CAPA: Using Risk-Based Decision-Making Toward Closure".

Find more info by clicking here. 


Anyway, the new changes to 9001 are revolutionary in comparison to the new 13485. Not only is the format different, but the expectation for using risk management in both standards is renowned. The medical device industry doesn’t move that fast, nor does it “turn the corner” for changes that could upset some rather steadfast industry norms. In a few years, this will give the next change to ISO 13485 a chance to catch up and use the ISO 9001:2015 to modernize and re-develop another revision in a more meticulous and deliberate fashion.

The new ISO 13485 is applicable across the whole supply chain and will address the entire life cycle of a medical device. The final standard is expected to be published in March 2016. Some of the demonstrative changes include:

• Harmonization of regulatory requirements
• Inclusion of risk management throughout the QMS (and with outsourcing)
• Additional transparency with regard to validation, verification and design activities
• Strengthening of supplier control processes
• Increased focus regarding feedback processes
• Software Validation

The new ISO 13485 is more flexible than the old standard. You can now, with proper justification and explanation, exclude any requirements in sections six, seven or eight; as opposed to just section seven. This change alone will make a marked difference on the waythat small companies approach their QMS in terms of using the appropriate and applicable sections for operations that demand a “lean and mean” rather than a cumbersome, multi-level situation. I work with small as well as large companies, and they often wonder why requirements that deal with resources and measurement/analysis/improvement can’t be reduced for ease of manageability and applicability.

Risk Management
The update’s largest impact will pertain to risk management. Much like ISO 9001:2015, the new 13485 expects you to apply a “risk-based approach” to your company’s QMS processes. The old 13485 expected you to think about risk only during product realization (Section 7.1). Now you are expected to apply risk management methods and techniques to ALL QMS processes, including subcontracted ones. ISO 14971 (Risk Management) had a recent update and the industry is still reeling from the ALARP to ALAP (“as low as reasonably possible” to “as low as possible”) mentality for improvement, corrective action and mitigation. If your company is confused about how to assimilate risk management into your way of life, don’t be dismayed. Companies are struggling with this encompassing change, and many do not understand the big picture when it comes to dealing with uncertainties throughout and concerning just about every process initiative.

In a related way, product quality terminology has been replaced with product safety and performance, which is much like FDA’s safety and efficacy requirements for medical devices in the marketplace. Reading between the lines, the old 13485 implied product safety and performance, but now it is not only emphasized but more explicit. I am sorry to belabor this point, but risk management plays a huge role in making sense out of moving forward in a way that impedes uncertainty and increases assurances.

Records and Documentation
The 21 Code of Federal Regulations (CFR) has a requirement for a Device Master Record (DMR), which is a compilation of records and documents containing the procedures and specifications of a finished device. Device specifications, production process specifications, quality assurance procedures and specifications, packaging and labeling specifications, etc. must be included as part of the DMR when it comes to complying with the QS Regulation. The new 13485 expects you to include a description of each medical device or family of medical devices, as well as associated specifications, procedures and records. Sounds more like a DMR to me. Frankly, it is about time, because we have been using the DMR as objective evidence during ISO audits (as well as FDA Inspections) when a medical device file was requested.

Design and Development
Design and development now align more closely with the QS Regulation. The expectation is that design and development planning of internal and documented updates is necessary on a regular basis as the design progresses. This ensures traceability of design outputs to inputs and the use of competent resources to carry out this side-by-side journey down the road. As in the past, this relationship between inputs and outputs must be reported and challenged during design review sessions to establish verification assurances prior to design validation and later on, as part of verification activities during manufacturing and all supporting quality control/assurance activities. Speaking of design review, the requirement for “specialist personnel” on an ad hoc basis is becoming more closely aligned with the use of an “independent reviewer” stated in 21 CFR, Part 820. The intent of the “specialist” phrase has always been in place to meet the regulatory requirements of several governmental prerogatives. Alignment is now realized.

Finally, the topic of design transfer is being addressed directly rather than assuming that the transfer of design to production was going to be addressed in a documented fashion. The old 13485 devoted only a single line and two notes to this important transfer process, whereas the new 13485 puts an emphasis on transferring essential outputs (for device functionality and safety) and making sure that they are in line with manufacturability before they become production specifications. The new sub-clause for transfer will focus on plans and planning this transfer activity with regard to contractors, environmental concerns, competency of personnel and the installation, operation and performance of equipment prior to full-scale manufacturing, handling and distribution.

The expectations for addressing design changes will remain basically the same with further risk-based emphasis on changes to product function, performance, safety and intended use of the device. Lastly, design and development documentation and the proper maintenance as well as identification of this objective evidence comes closer and closer to looking like the requirement for a Design History File (DHF) found in the QS Regulation. As with the DMR, we have always presented the DHF during ISO audits to show the evolution and continuing documentation generated during the product’s lifecycle. ISO 13485 is not calling this record a DHF, but we know exactly what the auditor means when she asks for this type of objective evidence.

Purchasing Controls
Purchasing Controls has a new “make-over” to (once again) clarify the importance of this ISO section. As with FDA, ISO 13485 has put suppliers and contract manufacturers on a whole new level of compliance. The advent of a world economy has necessitated more controls on an overseas supply chain shipping components, raw materials and finished medical devices into the U.S. and Europe. Of course, the emphasis is on risk management at the early stages of supplier compliance and the use of requirements reviews. Not only is it important that these suppliers meet your company’s requirements, but now you also have an obligation to assure that they are meeting the applicable regulatory requirements related to the Medical Device Directive, the Essential Requirements and post production surveillance. While the old 13485 expected you to establish supplier selection and evaluation criteria, it didn’t provide any details. Now it does!

You need to at least consider the classification of the medical device from a risk standpoint and, as I mentioned previously, the safety and performance of these devices take a front row seat when making decisions about evaluation and monitoring activities for at least your critical supply chains. Once you select a supplier, you have a mandate to document monitoring activities. If the supplier doesn’t meet the expected requirements, you must respond in a way that puts risk first and monetary considerations a distant last. Recording your supplier monitoring and re-evaluation activities is now a requirement, whereas before it was a “nice to have.” Having at least a signed “no-change agreement” is a strong statement coming from 21 CFR, Part 820 in that if a supplier makes a change to product or process, they are to contact your company prior to making that change in case there are regulatory implications (like resubmissions to FDA) or re-design situations.

Machine Qualifications and Process Validations
These requirements will remain basically the same. There will, however, be an expectation that requires formalized plans for revalidation based upon generating quality data, trends and evaluating the outputs using risk as a foundation. That step-by-step process flow could be delineated in a Master Validation Plan. The synergy between production and process controls, the use of quality data to make decisions about changes and the ever-present link between possible re-design is a building block for manufacturing and quality assurance. As a side note, there will be an increased emphasis on the validation of software used in the medical device, but also, and more importantly from a process efficiency and effectiveness basis, used in the QMS. This has always been a critical expectation of 21 CFR, Part 820, and now the new 13485 will embrace a very similar, documented approach. I have yet to be part of an ISO audit that “went there,” whereas FDA challenges software validations all the time.

Servicing and Complaint Handling
As with 21 CFR, Part 820, this natural process relationship has more explicit emphasis focused on the requirement to analyze service records in order to identify servicing complaints and opportunities for improvement. Complaint handling will not be just an arrangement for looking at feedback but, in fact, a separate section that will expect you to develop and document complaint handling procedures that apply with the applicable regulatory standards, e.g. US FDA 21 CFR, Part 820 and Part 803 (complaint handling and medical device reporting). This new ISO will consider all complaints. This increased focus on feedback mechanisms is part of the critical path to understand how risk management, review of quality data, surveillance opportunities to draw proactive conclusions about the safety and efficacy of the device as well as the effectiveness of process controls.

Corrective and Preventive Action (CAPA)
There will be a more unambiguous approach to reviewing product and process data as part of CAPA analysis and root cause determinations. The use of historical non-conformance, defectives, trends, process changes, product problems that are related directly to your company as well as worldwide issues, complaints, failures, vigilance reports, medical device reports, recalls, etc. will be paramount to decision-making. There is a requirement for the CAPA process to link to product risk management to ensure that proportionate risk analysis associated with outcomes are studied and formally analyzed.

Closing Statements
Most likely, some upgrades to your present QMS will have to occur. Frankly, we have been expecting this emphasis on risk management ever since risk became a popular point some years ago. This increased focus on risk analysis and risk management as it relates to the entire quality system could be a challenge for companies that presently drive strategy by the seat of their pants rather than by using quality data and statistical analysis for decision-making. We live in a quantitative world that uses hardware and software to solve problems. The days of making qualitative decisions based on “a hunch” are over, my friends. This new ISO 13485 is aligned with the quantification of data and the competency of people at all levels in the organization—not just the employee who comes onto the scene when daily problems require riding in on a white horse and “saving the day.”

John Gagliardi has had success over the past 45 years in the medical device and pharmaceutical industries because of his practical approach to process-orientation and business. He has been actively involved in research and development, quality assurance, training, operations, process architecture, FDA inspections and regulatory affairs. Mr. Gagliardi specializes in building systems in a compliant and business-ready manner. Mr. Gagliardi can be reached by This email address is being protected from spambots. You need JavaScript enabled to view it.

MidWest Process Innovation, LLC