Congratulations – whether it was driven by legal and regulatory requirements because you are a finished device manufacturer, or it was a sales and marketing decision to expand your contract manufacturing capabilities – your organization has decided to certify to ISO 13485:2016.
Here we present key points to be aware of as you navigate the standard and implement the QMS in your organization. Being aware of them will help you avoid the common pitfalls and implement ISO 13485:2016 successfully.
What ISO 13485 is (and isn’t):
- It is based on ISO 9001 – but there are important differences
The quality management system requirements given in ISO 9001:2015 are applicable to any organization, regardless of its type or size or the products and services it provides. The requirements given in ISO 13485:2016, on the other hand, are specific to medical devices and, as the title of the standard states, are written for regulatory purposes. For any QMS, an understanding of the seven quality management principles is foundational.
- ISO 13485:2016 follows the High-Level Structure (HLS) of the Management System Standards (MSS)
- Though technically a voluntary standard, it has (mostly) achieved “regulatory status”
- Other regulations still apply. In other words, ISO 13485 certification is only one component of satisfying medical device regulations
- Similarly, other standards may need to be applied, for example ISO 14644 (cleanrooms), ISO 14971 (risk management) and more
Precisely define your scope:
- Understand the scope of certification
Precisely defining your scope will not only help your implementation of the standard; it is also a critical consideration when your organization is audited.
- Understand the scope stated on the certificate
ISO 13485 certification requires a clearly stated scope, and the scope that appears on the certificate is what auditors will hold you to.
An organization “shall not exclude part of processes, products, or services from the scope of certification when those processes, products or services have an influence on the safety and quality of products” (IAF MD 9:2017)
Management and organization culture alignment:
- Perfunctory versus lived
Needless to say, management should not treat its role in the organization’s continued certification perfunctorily. Just as ethical leadership shapes the rest of the organization, the tone at the top will drive the adoption of ISO 13485 in the organization. A helpful analogy compares the requirements of clause 5 (Management Responsibility) to individual health: if the Quality Policy is the goal, then the Quality Objectives are the vitals, Management Reviews are regular checkups, and ensuring resource availability is ensuring proper nutrition.
Under-documenting or over-documenting:
The documented procedures the standard calls for are listed below (numbered for reference; items marked AS NEEDED apply only where the process is within your scope):
0. quality manual
1. control of documents
2. control of records
3. management review
4. competence / training / awareness
5. infrastructure
6. maintenance
7. work environment
8. control of contaminated product / sterile devices – AS NEEDED
9. risk management
10. product realization
11. customer communication
12. design and development
13. change control
14. purchasing / receiving
15. production controls – AS NEEDED
16. product cleanliness / controls – AS NEEDED
17. installation – AS NEEDED
18. servicing – AS NEEDED
19. validation (of e-QMS, processes, sterilization, monitoring systems)
20. identification
21. traceability
22. preservation of product
23. monitoring and measurement
24. customer feedback
25. complaint handling
26. regulatory notification
27. internal audits
28. product release
29. non-conforming product
30. analysis of data
31. corrective actions
32. preventive actions
In the language of the FDA, the three device-specific files/records, and the ISO 13485:2016 clauses they correspond to, are:
a. DMR (Device Master Record) – clause 4.2.3 (medical device file)
b. DHF (Design History File) – clause 7.3.10 (design and development files)
c. DHR (Device History Record) – clause 7.5.1 (production and service provision records)
The 40 types of required records (as applicable) are as follows:
- management review
- HR (training, etc.)
- PM (preventive maintenance)
- risk management activities
- requirements met
- customer order reviewed
- D&D (design and development) plan
- D&D inputs
- D&D outputs
- D&D reviews
- D&D verification
- D&D validation plan
- D&D validation
- D&D transfer
- ECO (engineering change order)
- supplier evaluation
- purchasing information
- receiving
- installation
- servicing
- sterilization parameters
- validation of processes, sterilization/sterile barrier
- traceability
- customer property disposition
- preservation condition
- calibration
- validation of computer software used in monitoring/measurement
- feedback
- complaint handling
- reporting to regulatory authorities
- internal audit
- product release
- NCR (nonconformance report)
- advisory notice actions
- rework
- data analysis
- corrective actions
- preventive actions
- DCO (document change order)
- validation of e-QMS
Risk-based approach:
- Critical for medical devices
Risk-based thinking was a key change in the 2015 revision of ISO 9001, and ISO 13485:2016 likewise expects a risk-based approach to the control of QMS processes, alongside the product risk management covered by ISO 14971.
ISO explained that “by considering risk throughout the system and all processes, the likelihood of achieving stated objectives is improved, output is more consistent, and customers can be confident that they will receive the expected product or service.”
Maintaining ISO 13485:
- The last pitfall to avoid is thinking you are “done” after implementation and initial certification
Implementation should really be considered just the start of the journey. Continued certification is an ongoing process of following and continually improving your processes and making the product as safe and effective as possible.
Certification and re-certification audits cover the entire standard. Surveillance audits include, at minimum, a review of internal audits, management review, actions taken on previous audit non-conformances, complaint handling, effectiveness in achieving quality objectives, progress of improvement activities, continuing operational control, and any organizational changes.