Your old Quality Management System 'dolled up' with the language of the revised Standard is not going to be adequate.
When you are first audited against ISO 13485:2016 the Auditors, whether a Notified Body or Certification Body, will, as usual, be seeking objective evidence of your compliance with the Standard. This being an audit against the ISO 13485 revision of 2016, the extent of the implementation and maintenance of new or changed requirements versus the previous version. and against ISO 9001:2015 requirements, will be of particular interest.
What's different about ISO 13485:2016?
There are six key areas with changed or new requirements that whose requirements you can expect them to concentrate on.
1. Familiarize Yourself with the New Definitions in ISO 13485:2016
Be sure to include a review of the definitions in Part 3 of the Standard in the development, or migration, of your Quality Management System (QMS). We draw your attention in particular to these:
- Advisory notice - covers changes in the use, modification, return or destruction of a medical device and regulatory requirements also apply. If your organization holds the marketing authorisation/licence, don't ignore the requirements here.
- Clinical evaluation - the verification of clinical safety and of performance is now included in expanded EU Regulations - check it out.
- Complaint - definition differs from ISO 9000.
- Labelling - as in Regulations, the definition includes instructions for use.
- Manufacturer - the definition now includes seven explanatory Notes.
- Medical device - the definition here is different from that in EU or FDA Regulations and you will need to reconcile your QMS against both.
- Post-market surveillance - because of the emphasis Regulators place on feedback from the market, especially after the launch of new products, expect external auditors also to emphasise requirements here.
2. Learn the Expanded Requirements for Risk Management in ISO 13485:2016
By now we are familiar with risk-based thinking as required by ISO 9001. But risk gets a different treatment in ISO 13485. While ISO 9001 is concerned with business risk and consequential effect on customer satisfaction,
ISO 13485 focuses on the medical device itself and the risks in use, and misuse, to patients and end-users' safety. A fully-featured risk management process is needed where risks are analysed, evaluated and, where a reduction in risk is needed, a risk treatment plan is developed, which must also be implemented and reviewed.
Providers of goods and services to the medical device sector (e.g. component manufacturers and logistics companies) are not excused from requirements here and, for lack of support and information from the medical device manufacturers, may struggle with this one.
3. Take Note of Resource Management with Special Attention to People
The provision of adequate resources, and in particular the human resource, needs special attention. The work environment (e.g. cleanroom) and contamination control (e.g. staff attire, behaviour and habits) will be focused on. The use of temporary staff will get much attention. Staff will be interviewed about contamination control.
4. Review Management Responsibility in Accordance with Expanded Requirements of ISO 13485:2016
Quality Objectives and plans to achieve them will be examined. Responsibilities and authorities will be checked to ensure that all responsibilities for regulatory requirements have been assigned and that authorities - especially regarding the release of the product - are defined.
Internal communication will get renewed attention as it is key to ensuring that the good intentions documented in the MDMS get implemented and are maintained.
5. Make sure to Gather and Retain Documentation - Procedures and Records & Up to 139 Instances May Apply in the ISO 13485:2016 Standard
There are now 139 (sic) instances in the 2016 Standard where documentation is mentioned, In developing your system a careful check needs to be made to ensure that all applicable mentions of documentation are acted upon.
These requirements give regulators tick-box items to check and so external auditors will not want to leave any unchecked instances behind for a subsequent regulatory inspection to find. This could be an area that provides many avoidable Minor Non-compliances. Be sure you are not caught out.
And if you are a manufacturer of a Class 1 device in Europe expect your self-declaration of conformity to CE Mark Regulations also to be checked.
6. Review the Increased Design Controls, Environment Controls and Manufacturing Controls for You and Your Suppliers in ISO 13485:2016
There are generally more detailed requirements in these areas. Carefully reading the Standard combined with a knowledge of your business is necessary to get a good result here.
If you are using the services of a consultant to implement or upgrade your Medical Device Management System (MDMS), you are strongly advised to study the Standard yourself to make sure that no detailed requirement is missed. An ISO 13485:2016 Transition Course would be a good way of gaining knowledge of both the Standard and its interpretation.
7. Ensure All Additional Requirements from the EU Regulations are Included in Your Medical Device Management System
Regulators participated in numbers in the Technical Committee that drew up the ISO 13485 revision in 2016. The greatly increased number of additional, specific requirements ensued. You may need to develop checklists for use in internal audits to help ensure that no applicable ones get missed in future audits.
And I hope it's quite clear that a re-badged ISO 9001 Quality Manual with the same old processes and procedures is just totally inadequate for the requirements here.
Note also that the Annexes to the EN (European Union Harmonised) edition of the 2016 Standard refer to obsolete Regulations. The 2017 MDD and IVDR regulations now apply. As before, compliance with the ISO 13485 Standard does not ensure compliance with EU Regulations.
You must ensure that all additional requirements from the EU Regulations are included in your MDMS. As such they form part of your MDMS and external Auditors will include regulatory compliance in the scope of their audit. You have now been forewarned!
Best of luck!
Note: First published in Aug 2018; revised and updated in May 2021.