Section 4 – Quality Management System
4.1.2 – General Requirements: The standard specifically states that a risk-based approach is needed when developing processes. That tells you that you can't just come up with, for example, a new preventative maintenance system. Have you considered a risk as well? Anything you do that affects the quality system needs to be viewed from that risk perspective. The standard also states that roles undertaken by the organization under regulatory requirements shall be documented.
4.1.3 – General Requirements: Records needed to demonstrate compliance with the standard and appropriate regulatory requirements shall be established and maintained.
4.1.5 – General Requirements: When you outsource processes, the standard wants you to look at the controls that are going to be put in place for that supplier, from a risk perspective. What happens if the supplier doesn't meet the specifications you provided? How will that affect your production cycle or anything that's related to that component? The standard wants organizations to consider those things ahead of time, so that you have controls in place to mitigate such issues right away.
4.1.6 – General Requirements: The standard will require validation of all computer software that is used as part of the quality system. While it has never been a requirement of ISO 13485, software validation has long been discussed in the industry, and not without some controversy. For example, questions arise like, “What if you use an Excel spreadsheet to control a process? Do you have to validate that spreadsheet?” Sometimes organizations don't even know where to begin with software validation — what to validate and how to validate it.
Under these revisions, computer software can be used for, but is not limited to, product design, testing, production, labeling, distribution, inventory control, data management, complaint handling, equipment calibration and maintenance, and corrective and preventive action. If software involves or affects the quality system, you need to validate it. Plus, you need to have a very specific justification for how you validated that software, keeping records associated with what you did and demonstrating that the software tool is doing what it's supposed to.
4.2.3 – Documentation Requirements: Another addition is the requirement to keep a file for the device that you're manufacturing, basically a technical file. In the past, this was addressed through the Medical Devices Directive, but it’s being added as part of ISO 13485. It lists 26 elements that ISO expects manufacturers to keep as part of the file, including product description, drawings, specifications, procedures, packaging specifications, instructions for use (IFU), labeling, clinical data, etc. This technical file concept is not new, but the standard will specifically require you to have it.
Section 5 — Management Responsibility
5.4.2 – Quality Management System Planning: This section contains a note clarifying what quality systems planning normally includes, namely quality objectives consistent with quality policy, action items to accomplish objectives, monitoring progress, and revision.
5.5.1 – Responsibility and Authority: The standard already requires that you specifically appoint personnel who will have responsibility and authority for execution and implementation of your quality system. However, the standard seeks more clarity about how those specific individuals are nominated as responsible for activities having to do with monitoring of the product, and also for post-production activities. Again, this goes back to the international aspect of every country having its own requirements of how they want quality issues reported, managed, and controlled. Going forward, you must determine what kinds of skills will be required of quality personnel and what responsibilities they need to have, and that has to be clearly defined.
5.5.2 – Management Representative: A note has been added stating that the responsibility of a management representative can include liaison with external parties, including regulatory authorities, on matters relating to the quality management system.
5.6.1 – Management Review; General: Although the revised standard still does not stipulate how often you should conduct management review meetings, it does ask for your rationale behind the frequency you choose. You can't just say, “I'm going to have them once a year.” You have to explain why you think holding them once a year is appropriate for your organization.
5.6.2 – Review Output: The standard states that Outputs of the Management Review shall include improvement needed to maintain the suitability and adequacy of the quality management system and its processes, the current standard only requires improvement to maintain effectiveness of the quality system and its processes.
Section 6 — Human Resources
6.2.– Human Resources, General: The ' old' standard requires personnel performing work affecting product quality, safety, or effectiveness to be “competent,” but the new standard breaks down the type of personnel to which this refers. For example, it is very specific about personnel who are involved with fulfilling process requirements, regulatory requirements, and quality system compliance. It also requires the organization to define what education, skills, and training those individuals need to have to perform each role.
6.2. – Competence, Training and Awareness: A new aspect of this section is the need to check the effectiveness of any training you're conducting. It states that, as an organization, you need to have a methodology to evaluate if the effectiveness of the training is commensurate with the risks associated with the work that an individual is performing. You won’t be able to just say, “Well, we trained them, we had a class, and they passed the exam.” Now, you need conduct risk assessment. What happens if the training was not clear enough? What are the consequences? What mitigation activities should we have in place in the organization to prevent mistakes from happening?
6.3 – Infrastructure: There is a heightened emphasis on maintenance-related activities. If you decide, as an organization, that maintenance is important, then you need to have very clearly documented procedures that specify how those activities are being performed, planned intervals for maintenance, and how records associated with how those activities are being maintained.
This section also now discusses ensuring that you handle orders in a streamlined way to prevent mix-ups that may affect the supply chain of your product.
Also in this section, information systems (IS) are now viewed as infrastructure, which isn’t the case in the current version of ISO 13485. The standard doesn’t require you to do anything differently; however, if this is something that may affect the quality of your product, you should have procedures, training, and personnel in place to manage related activities.
6.4 – Work Environment: The last part under section 6 deals with the work environment. The new standard has added a lot of stress on cleanliness and monitoring in clean rooms and manufacturing areas that deal with sterilized products, to ensure that you are monitoring for particles that could have an adverse effect on the product. They reference ISO 14644, the standard used for controlled environments, as guidance for medical device companies to use in managing clean rooms.
In general, this section contains more specificity about what is meant by the term “work environment.” They point out conditions to be considered such as noise, temperature, humidity, lighting, or weather, and areas of infrastructure such as inspection areas, storage areas, and distribution areas — but it can denote any area within an organization that is dealing with manufacturing the product.
6.4.2 – Contamination Control: Finally, then there is now a section on sterile medical devices. The standard asks you to take additional measures for these particular products, where you really need to prevent contamination with particulate matter or microorganisms, and maintain the degree of cleanliness during assembly or packaging operations.
Section 7 – Product Realization
7.1 – Planning of product realization: As with previous clauses, there is an increased focus on risk management in this section. One of the biggest changes to section 7.1 is a requirement to document how the risk management activities are being handled for product planning. The standard highlights several areas where risk management should be incorporated: verification, validation, revalidation, monitoring, testing, and traceability. You will need to conduct an assessment considering the risk as you’re planning for those activities, and that process has to be documented.
Also, a note was added asking organizations to look at IEC-62304, which is a guidance related to software lifecycle processes. If your device incorporates software, the guidance wants you to look at all the different lifecycles of that software, so you're planning ahead of time for future changes.
7.2.1 – Determination of requirements related to the product: The main elements that changed in this section, which is under 7.2 – Customer-related processes, is the addition of a requirement to determine user training to ensure that the product will be used in a safe and effective manner. (By user, it means the physician or the person who will install the device.) While training is sometimes taken into account by manufacturers, it's not always done consistently. This change seeks to ensure that the training process gets firmed up, and that there are more controls in place when it comes to training.
The other element that's new in section 7.2.1 is the requirement that organizations protect confidential health information from their customers. This information could arrive in two ways: It could be customer-provided feedback for the organization to incorporate into the requirements for making the product, or it could be post market surveillance data. Any kind of information that comes from the customer needs to be protected in a confidential manner.
7.2.3.– Communication with Customers and Regulatory Authorities: This is a new clause. Mainly, it says that there should be documented arrangements in place for communicating with clients and regulatory authorities regarding four matters: product information, regulatory inquiries, complaints, and advisory notices. You need to have a documented procedure explaining how you're going to be handling these communications.
7.3.2 – Design and development planning: The standard requires that you document your planning. The previous version (ISO 13485:2003) mandated that you plan design- and development-related activities, but the revision insists upon a more robust approach to documenting those activities.
Another addition to this section says that you should have a process in place to ensure traceability of your design and development outputs to design and development inputs. Also, it indicates that you should look at the resources that you will need for design and development, including the competence of the personnel will be involved with those activities. You really need to evaluate the personnel conducting design activities and not just appoint someone without the appropriate background. A new note clarifies that design and development review, verification, and validation have distinct purposes and can be conducted and recorded separately or in any combination as suitable for the product and the organization.
7.3.6 – Design and development verification: There is more emphasis in this section on developing a documented process for planning design and development verification activities. It also specifically indicates that verification plans should cover acceptance criteria and sample sizes that you will utilize, along with the rationale behind selecting them. Also, if the intended use requires the device to be connected with other devices, design verification activities have to confirm that design outputs still meet design inputs when connected — you have to look at the verification and validation from that perspective, not just the device itself. Will the device continue to do what it’s supposed to do once it's connected to another device or another system?
7.3.7 – Design and development validation: The changes to this section are similar to those in 7.3.5, only they are related to validation rather than verification: documented methods, acceptance criteria, and sample sizes.
One addition that is unique to 7.3.6 is ensuring that validation is conducted on product that is representative of what you are manufacturing.
7.3.8 – Design and development transfer: This is another new clause, basically requiring a documented plan if you are going to transfer your design to another facility or an outsourcing partner, for example. You must also ensure that your design and development outputs are suitable for production specifications. In other words, if you move your product, will the new site be able to take your specifications and start manufacturing the products the same way you would have at the existing site? Can this be demonstrated with objective evidence?
The revisions point out eight aspects the organization should consider: supplier quality and capability, manufacturing personnel capability and training, manufacturing process and process validation, materials, manufacturing tools and method, manufacturing environment, installation, and service. You need to have a process in place that explains how each of these items will be addressed if you transfer the design to another supplier.
7.3.10 – Design and development files: Also a new clause, this one mainly just explains the types of records you need to keep in a file as part of your design and development activities. Previously, it was pretty much up to the manufacturer to decide how it were going to manage its records and provide evidence it was meeting all the requirements. Now, the draft standard is very prescriptive about the types of documentation to keep in the file, as appropriate. Examples include:
- Results of preclinical tests related to the device and its conformance with specifications
- Biocompatibility studies
- Electrical safety and electromagnetic compatibility
- Software verification and validation
- Report on clinical evaluation
- Post Market Clinical Follow-up (PMCF) - plan and evaluation report
While manufactures are required to keep a file, they may determine what is important to include in their file, so they can have records available. For example, biocompatibility is not applicable to all devices, so it will not appear in every device’s file.
7.4.1 – Supplier approval: Revisions to this section clarify the types of criteria to consider before approving a supplier. You need to have a plan on how you will select suppliers — how you will evaluate, re-evaluate, and then approve them based on their ability to meet your requirements.
And again, we see an emphasis on risk analysis. Now, you really need to determine whether you will have more strict controls, depending on how important their product is to your manufacturing operations. In cases where the product is extremely important, you will probably want to audit that supplier more frequently, require them to be ISO 13485 certified, and ask them to have periodic meetings to assess how they are performing. If, on the other hand, the supplier is not as critical, you might not be so stringent. The expectation is that you show that you performed a risk assessment to justify requirements for all of your critical suppliers.
7.4.1 – Monitoring of suppliers: Organizations must demonstrate that they are checking in on how their suppliers are performing and are utilizing that data as part of the re-evaluation process. If a supplier is not meeting your requirements, you have to show what you are doing to help the supplier improve their performance, or that you are disqualifying them, or that you are engaging in other activities that take into account your risk assessment. You need to have evidence that you are reviewing the data.
7.4.1 – Supplier documentation: Following up on 7.4.1.2, this new section asks that you keep records of your supplier evaluations, including any actions taken as a result of the evaluations.
7.4.2 – Purchasing information: The new addition to this section is having quality agreements with your suppliers. Say, for example, a supplier makes a change related to your product or deviates from the original plan — there are very specific roles and responsibilities that need to take place there. The supplier needs to communicate with you amend contracts if needed. Suppliers can't simply change something without letting you know. This is not a new concept, but now the draft standard wants you to make the process more official.
7.5.6 – Validation of production and service provision: Here, the committee is adding a requirement to include procedures for validation of sterilization and packaging. If you comply with the European Medical Device Directive (MDD), you should already be doing this; now, ISO is going to call for it.
They also added a reference to the ISO 11607 standard for packaging terminally sterilized medical devices. This is just another reference you can use as a guidance to help comply with ISO 13485 requirements.
7.5.8 – Product identification and traceability: Another new section states that if unique device identification (UDI) is required by the regulatory agency in a country where you sell your product, you need to establish and maintain a UDI for your device. This is likely an FDA-driven clause (since FDA recently implemented UDI rules in the U.S.), but as it becomes a more established practice, additional regulatory bodies will start asking for UDI.
Also important to point out is that the section requires that you have procedures in place to separate and distinguish returned products from conforming products. If you receive returns from a hospital or distribution center, for example, you need to prevent that product from getting mixed up with your existing product.
7.5.10 – Customer property: Again, the standard asks you to look at the regulatory requirements from all countries in which you must preserve confidential health information. If confidentiality is a requirement in a country where your product is sold, you need to have a procedure to address how you will to safeguard confidential information and treat it as customer property.
7.5.5 – Preservation of product: This new section instructs you to evaluate your packaging and shipping containers to ensure they are designed to protect the device from contamination and damage — not only during the processing of the device, but also during handling, storage, and distribution. It forces you to look at the complete lifecycle for that package and perform the necessary validations.
For example, if you plan to ship your devices to a region that is extremely cold, do you know that your package will be able to protect the product? Or is the product going to freeze, resulting in an adverse effect? The same thing goes for high temperatures or other environmental factors. You have to take that into account as you perform your validation.
7.5.5 – Particular requirements for sterile medical devices: The last section of section 7 (also new) elaborates on particular requirements for sterile medical devices. If you have a sterile product, you have to take additional measures to make sure that sterility will be preserved, wherever you plan to ship it and however long it will take to get there. How do you demonstrate that the product is going to remain sterile? Again, you really need to have the validation to prove that that package is appropriate.
Section 8 – Measurement, Analysis, And Improvement
8.2.1 – Feedback: Basically, what changed here is that the draft standard asks organizations to come up with a documented process for gathering data from production and post-production activities. While the current standard is rather general, stating that you have to gather feedback and providing guidance on how to do so, the draft standard is more prescriptive about documenting how you gather that data.
Not only would it require you to gather feedback, but also to incorporate that feedback as part of your risk management program. Any data that you obtain should become inputs of your risk management process, to help you determine what effects the feedback will have on the product and whether any changes are necessary within your design or production activities to address concerns.
In addition, you would have to evaluate that data using some kind of statistical methodology, where appropriate. Each organization would have to decide what method makes the most sense, based on your product and your processes and activities. And if you aren't using any statistical methods, then you have to provide rationale justifying why you have chosen not to.
Once you have that analysis, then you need to determine if that needs to go into your corrective and preventative action (CAPA) process. If the notified bodies start seeing trends and issues in your data, but you aren’t having any CAPAs related to them, that would probably become an issue. They want to make sure that you are really acting upon feedback, not just reviewing it.
The last change worth mentioning relates to regulatory requirements, something we have seen across the draft. It asks organizations to look beyond just their local requirements to all international regulations that apply to your product, especially related to post-market activities. Certain countries have very unique requirements regarding conducting and handling the data from post-market activities, so you have to make sure that is incorporated into your policies.
8.2.5 – Monitoring and measurement of processes: This section added a note about the type and extent of monitoring and measurement appropriate to each process, and its impact on the conformity to product requirements and on the effectiveness of the quality system. Organizations need to determine the best way to monitor their processes, depending on their environment and process complexity.
For instance, if you are analyzing production data and you find there is an issue with calibration, the action you take might be different than if you are evaluating data from your post-market activities or your preventative maintenance system. The calibration monitoring for a tool used in-process might be different than the calibration monitoring for a tool used in final inspection to release product. You need to be able to justify how tight your controls are based on the circumstances and complexity of each process.
8.2.6 - Monitoring and measurement of product: This section now includes a note that says, "Records shall identify the test equipment used to perform measurement activities and the person(s) authorizing release of product." For every batch that you manufacture, you need to show what equipment was used. So if you have 10 measuring gauges, for example, you need to be able to trace it down to which one you used to measure some aspect of the device before final release. And not only do you have to trace it back to that instrument, you have to show who in your organization authorized the approval.
We think it is also important to mention that this was brought up with the latest revision of ISO 14971, the risk management standard. Now, ISO is tying it in with this section in ISO 13485, so that it is consistent across the standards.
8.3.1 – Control of nonconforming product (general): Section 8.3 in the standard has been broken down in several different subsections, the first of which is 8.3.1. This clause requires that the evaluation of non-conformance includes a determination of the need to investigate. You have to be able to show how an issue was investigated and how you notified everybody who needed to be involved in the investigation and was associated with the nonconformity.
Also, there is now a link between the nonconformity and the CAPA system. You must be able to show if the issue warranted a CAPA or if it was just managed within the system itself. Obviously, you would have to justify why you decided to not escalate it to a CAPA versus just leaving it within the nonconformance management system.
8.3.2 – Actions in response to nonconforming product before delivery: This section discusses the actions necessary to handle the nonconformities before you ship the product out of your facility. If you identify the nonconformities before the product leaves the facility, it provides an outline of all the actions that must completed before you release the product. For example, you need to make sure you eliminate the nonconformity, document your criteria for releasing it, ensure the product meets all specifications, and have addressed the relevant regulatory requirements that other countries may impose.
8.3.3 – Actions in response to nonconforming product after delivery: This section is very similar to 8.3.2, except it applies to nonconformities you identify after the product has been released. Organizations need to have a documented procedure for issuing and implementing an advisory notice.
8.3.4 – Rework: This clause is not new — rework was already included in the current standard as part of controlling nonconforming products. However, now they have added a section for it.
The section states that if you establish rework, you need to look at any potential adverse effects on the product. Not only that, but it also has to become part of your risk-management process. When you decide that a product needs to be reworked, you need to also consider the implications and retest the product. How will does the rework affect the design of the product or any other manufacturing process?
8.3.4 – Records: Again, there is not much new here. They just added a specific clause to make sure that you keep all the records associated with your management of nonconformities. These records could include any decisions, people involved, and authorizations that took place before the product was released.
8.4 – Analysis of data: Basically, this section asks you to gather data to demonstrate that your quality system is suitable and effective, you are making improvements, and you are taking appropriate actions. If you think about it, the standard is all about making sure that you have a solid system in place that is continually evolving.
Two requirements were added at the end of this section. The first is audits. You need to look at your data from audits to see if you are having more issues in a given area that could potentially become a larger problem. And since the draft guidance doesn’t specify the types of audits, we think you have to take supplier audits into account as well.
Then second new requirement is to review data from service reports, as applicable. So if you manufacture a device on which you will perform service, you have to review the data, looking for potential issues. If your product is an implantable device, for example, most likely this requirement wouldn’t apply to you. But if you make capital equipment, you will need to have data that shows what servicing activities you are engaged in and an analysis of how that data is behaving.
8.5.2 – Corrective action: Moving to the last section — 8.5.2 (improvement) — they have added a subsection that asks you to come up with a corrective action plan that is commensurate with the risk. Depending on the risk of the problem you are experiencing, you would need to establish why you decided to go one way or another with your response to it.
And the other thing that they added was two requirements that organizations should address in a documented procedure. One is reviewing product and process data analysis to identify nonconformities for corrective action. This is just tying it back to what we covered earlier in the section under control of nonconforming product. The other is determining and implementing action needed, including, where appropriate, updating documentation.
Finally, there is a comment about analyzing your corrective actions as part as your management review process. This is not something new, but they added a line to really make it clear that you need to have feedback incorporated as part of your management review.
8.5.3 – Preventive action: The changes to this section are very similar to the previous section. There is a requirement that you review product and process data analysis to identify potential nonconformities in order to prevent their occurrence. And at the end, there is the same request that analysis of preventive action should provide feedback to the management review.