Medical device companies have until March 1, 2019 to update their quality management systems to the ISO 13485:2016 standard. The simultaneous introduction of the Medical Device Single Audit Program and transitions to ISO 9001:2015 will leave manufacturers busy and certification bodies slammed. Therefore, it’s important to start the process now.
Regular BONEZONE contributor John Gagliardi suggests that ISO 13485 implementation is like building a bridge, connecting your current quality management system with the new risk-based and regulatory-sensitive scenarios required by the 2016 update. How do you make this happen and stay on schedule? He offers five steps for construction.
Step 1: Make the Argument to Implement
Ask: is this bridge meant for my company’s future, and can I still afford to build it? You must decide to build the bridge to the Isle of 13485:2016. ISO is a great business system, and you need it in order to remain viable in the global economy we live in. Still, it should be a “want to” decision, as well as a “have to” chore. Set up a budget, please. You don’t want to use petty cash to make this happen, because you’ll get irritated every day and stop treating your employees to company picnics.
Step 2: Understand the Standard
Attending a webinar will give you an overall impression and maybe some snippets of information about implementation. Don’t rely on it. The webinar producers can give your company ideas, but you and the transition team must assimilate any changes succinctly and specifically into your QMS architecture. This is a unique experience on all counts. There is not an Rx for generic bridges to venture to the Isle of 13485. You must design it and build it.
Step 3: Seek Help to Determine if You Can Recycle Old Parts
The reason that this analysis should be conducted by a third party is because you are too close to what is actually happening. Yes, I am talking about feet on the floor to ensure that their processes work on a daily basis, etc. You and your colleagues are too close. Don’t be in denial over this strategy. You will mutually admire your present QMS and not give it an effective read.
Your internal audit team can (and should) acquaint themselves thoroughly with the new ISO requirements, but could still be novices when it comes to implementation experience. This is especially accurate when it comes to risk management, design and purchasing controls linking with manufacturing, validation and verification. These six processes alone work hard together as they cross the bridge into compliance land. It’s a pretty sight on the shoreline with procedural nuances abounding. If your auditors don’t understand process architecture and implementation linkages, this could turn into a process-in-a-bottle exercise. Instead, you need to have your auditors join the third-party person and receive some hands-on training, as well.
Step 4: Formally Plan Who Needs to Be Involved
This step will upset some (most) individuals at the executive levels in any organization. Everyone should be formally trained to understand the new ISO Standard to varying degrees. Yes, even the people who live in the strategic company clouds and are not tactically involved in the day-to-day must be competently aware of what caused their “easy chairs” to be put into cold storage for a few months. They won’t like it.
Also, top level management must understand how risk management will challenge and stretch the fabric of their 2003 processes and the present way of doing business. “I still can’t believe it, but it’s been about 12 years since ISO 13485:2003 came into our lives and our company is real comfortable.” Maybe too comfortable, you say. Incorporation of risk-based approaches beyond product realization means that risk-based decision-making will eventually be part of making all quality-based decisions. (In case you aren’t embracing this major requirement just yet, this means that all sections of the new ISO Standard are affected, and not just Section 7.1 of Product Realization.) Also, risk continues to be considered in the context of the safety and performance of the medical device and in meeting regulatory requirements, e.g. submissions, post market surveillance, recalls, medical device reporting, vigilance reports, etc.
Record Keeping – Record supplier monitoring and re-evaluation activities and consider privacy regulations when you develop methods for protecting confidential health information
Product Realization – Establish product handling, storage, measuring, revalidation and traceability requirements.
Design Inputs – Consider risk management outputs to clarify product usability and safety requirements and make sure that input requirements can be verified or validated.
Design Verification and Validation – Simply put, this design controls change expects you to verify that design outputs meet input requirements when these devices are connected or interfaced, and to validate that intended use or application requirements are met when devices are connected or interfaced.
Design Changes – Establish processes to control changes and to evaluate their significance and impact. Your expected to maintain a file for each medical device or family of medical devices that documents these changes.
Design Transfer – This subject has been elevated in importance and has now received its own subsection, i.e., a special emphasis is given to ensure that outputs are suitable for manufacturing before they become official production specifications.
Purchasing – Consider your medical device and the risk you’re taking in addition to the effect that purchased products have on the safety and performance of your medical device. You want to make sure that your suppliers are capable of meeting all relevant statutory requirements.
Supplier Monitoring – Consider your risk whenever suppliers underperform and respond in a way that is proportional to the risk that you’re taking. You’re also expected to record your supplier monitoring and re-evaluation activities.
Purchased Product Risks – Consider the risk associated with the product you’ve purchased and be concerned about what to do when unanticipated changes are made to purchase products and to determine whether or not these changes affect your medical device or your product realization process.
Process Validation – Establish validation plans and revalidate processes whenever necessary.
Servicing – Analyze servicing records in order to identify servicing complaints and improvement opportunities.
Complaint Handling – The new standard brings this in line with 21 CFR, Part 820.198.
Delivery of Non-conforming Product – Investigate nonconforming products that have been delivered to determine if corrective action is needed and to consider whether or not responsible external parties need to be notified, e.g. FDA in the case of a possible recall.
Improvement – The section on improvement has also been enhanced to align more closely with preventive action.
- Incorporation of risk-based approaches beyond product realization – “Hip shots” aren’t allowed any more.
- Increased linkage with regulatory requirements – This new standard is much like the cGMP-QS Regulations. ISO 13485:2016 specifically asks us to ensure that we are evaluating both product and process changes.
- Application to suppliers throughout the lifecycle and supply chain for medical devices – Here’s a classic comment that I’ve heard: “Why do we have to make sure our suppliers have validated processes, when we can’t even keep up with validating our own?”
- Harmonization of software validation requirements – There are more explicit requirements for software validation use throughout the QMS.
- Emphasis on appropriate infrastructure, particularly for production of sterile medical devices.
- The addition of requirements for validation of sterile barrier properties.
- Additional requirements in design controls on consideration of usability, use of external standards, verification and validation master planning, explicit design transfer activities and maintaining design records, e.g. the Design History File (DHF).
- Emphasis on complaint handling and reporting to regulatory authorities much like the requirements in 21 CFR, Part 820.198 and medical device reporting (MDR).
- Planning and documenting corrective action and preventive action, and implementing corrective action without undue “lag” times. Yes, corrective and preventive actions must be tracked and reviewed for timeliness and, of course, effectiveness.
MidWest Process Innovation, LLC