Deb Kacera, Regulatory and Industry Strategist, Pilgrim Quality Solutions

Earlier this week, we hosted a webinar titled “ISO 13485:2016 – Will Your Transition Be a Marathon or a Sprint?” This webinar is the first in a series of four webinars that Pilgrim will be hosting to support medical device organizations during the transition to ISO 13485:2016.

In the webinar, Dan O’Leary, President of OMBU Enterprises, presented an overview of changes to the Standard, as well as a deeper dive into the areas of Risk, Design Control, Supplier Management, and CAPA. The presentation provided additional insights that went beyond the standard to help everyone who attended get a handle on the scope of their transition.

If you missed the webinar, or would like to hear it again, you can watch the on-demand presentation here. In this post, we’ll review some key takeaways from the webinar that will help you focus on important but possibly lesser known aspects of the upcoming changes.

Takeaway 1: ISO 13485 isn’t the only ISO Standard to Review

The term “normative reference” is an key term to understand for ISO 13485:2016 compliance. A normative reference is another standard that is built into the standard you’re working on. In this case, the ISO 9000:2015 Quality Management Systems – fundamentals and vocabulary – is the only normative reference for ISO 13485:2016. It is important to review the fundamentals and vocabulary of ISO 9000:2015 as you begin your transition to ISO 13485:2016.

The latest version of ISO 13485 has a stronger focus on risk and risk management. There is also a risk management standard for the medical device industry – ISO 14971:2007. This standard is not a normative reference for ISO 13485. However, there is a tight linkage between ISO 14971:2007 and ISO 13485:2016.

Auditors will expect that medical device manufacturers will manage risk in a way that is aligned with the industry. Therefore, ISO 14971 is another standard that needs your review and consideration as you transition to ISO 13485:2016, especially if your risk management processes need to be strengthened. It is also important to realize that ISO 14971:2007 is the most current version of the ISO 14971 to date.

“ISO 13485:2016 unifies many threads in medical device quality. The changes are far-reaching and effective implementation requires knowledge, planning, and resources.” Dan O’Leary, President, OMBU Enterprises

Takeaway 2: Regulatory Requirements for All Countries You Sell Into

ISO 13485:2016 is embedding the impact of Regulatory Requirements within all the processes of the medical device quality management system. This means that for every country where you have approved products, you will have to implement all processes and evaluate any product changes across registration, listings, pre-market submissions, adverse event reporting, field safety corrective actions, and the new, evolving Unique Device Identifier (UDI).

Takeaway 3: CAPA is Causing Controversy!

The latest version of ISO 13485 states that Corrective and Preventive Action (CAPA) investigations should be handled without “undue delay.” In your organization, the phrase “undue delay” will likely depend on the product involved and the severity of the issue.

There is no clear example of what ISO considers to be an undue delay, but it is clear that corrective action investigations need to be addressed quickly. Since there is no timeframe specified for a CAPA investigation, you may wish to document the risk related to the CAPA or the justification of why a corrective action investigation was initiated within a certain time period.

Also, you must now ensure that corrective actions do not impact your organization’s ability to meet regulatory requirements. Make sure you spend time to consider and review for impact all of the regulatory requirements for the countries where you have product approvals.

Takeaway 4: Standards and Regulations will Clash. Adjust Your Processes Accordingly.

One of the main drivers behind the revision to ISO 13485 is the need to harmonize the standard with other regulatory requirements that affect medical device manufacturers. But with so many regulations and standards in play, it is inevitable that there will be clashes.

A very simple disconnect between ISO 13485:2016 and ISO 9001:2015 is the inclusion of the phrase “preventive action.” ISO 13485 continues to require “preventive action” in addition to “corrective action,” while ISO 9001 no longer uses the phrase “preventive action.” However, the spirit of risk-based thinking to eliminate the potential for nonconformities is still a key theme throughout both standards.

Takeaway 5: Read the Whole Standard. Then Read it Again!

There is a new requirement within ISO 13485 for the monitoring and control of outsourced processes, including written supplier agreements. Guess where you’ll find it in the new standard? Here’s a hint: It isn’t in the Purchasing section (7.4). Rather, it is a part of the general Quality Management System requirements in section 4. This requirement would be easy to miss, especially if you’re focused on changes in a different area of the standard.

There are also broad themes of risk, responsibility, and roles throughout the standard that are helpful to understand. Be sure to read and absorb changes in all areas of the standard, not just those that seem to apply to your area of influence.

For many organizations, preparing for ISO 13485:2016 will be a marathon, not a sprint. That’s why Pilgrim has resources and solutions to help every step of the way. If you’re ready to get started on your ISO 13485 journey, download our on-demand webinar to learn how to begin your ISO 13485:2016 gap analysis.