Thursday, April 25 2024

News on the standard ISO 13485 version 2016: Medical devices - quality management systems - Requirements for regulatory purposes

13/10/2023

The third edition of the standard ISO 13485 was published in march 2016. In the French site AFNOR you can buy it (PDF English or French version) at 86.70 euros ex. VAT. In the Luxembourg site ILNAS the PDF version is at 73.80 euros ex. VAT.

The three pillars of the ISO 13485 standard version 2016 are:

  • regulatory requirements
  • the risk-based thinking. More specifically risks concerning requirements:
    • regulations
    • safety
    • performance
  • recordings

Requirements of ISO 13485 version 2016

See the quiz "ISO 13485 version 2016 requirements"

The course T 22v16 ISO 13485 readiness version 2016 and its free online demo without registration

The course T 42v16 ISO 13485 Internal audit version 2016 and its free demo without registration

The training package T 72v16 ISO 13485 version 2016 readiness and internal audit

1. The structure is the old one!

The committee responsible for the 2016 version of ISO 13485 (ISO / TC210 Technical Committee) chose to remain on the old version of the structure (ISO 9001: 2008) in order not to be punctuated by the recent evolutions (high level structure defined in Annex SL of the ISO / IEC Directives Part I) or because the work of the new version started too late.

So the clauses and sub-clauses are:

  • 1 Scope
  • 2 Normative references
  • 3 Terms and definitions
  • 4 Quality management system
    • 4.1 General requirements
    • 4.2 Documentation requirements
      • 4.2.1 General
      • 4.2.2 Quality manual
      • 4.2.3 Medical device file
      • 4.2.4 Control of documents
      • 4.2.5 Control of records
  • 5 Management responsibility
    • 5.1 Management commitment
    • 5.2 Customer focus
    • 5.3 Quality policy
    • 5.4 Planning
      • 5.4.1 Quality objectives
      • 5.4.2 Quality management system planning
    • 5.5 Responsibility, authority and communication
      • 5.5.1 Responsibility and authority
      • 5.5.2 Management representative
      • 5.5.3 Internal communication
    • 5.6 Management review
      • 5.6.1 General
      • 5.6.2 Review input
      • 5.6.3 Review output
  • 6 Resource management
    • 6.1 Provision of resources
    • 6.2 Human resources
    • 6.3 Infrastructure
    • 6.4 Work environment and contamination control
      • 6.4.1 Work environment
      • 6.4.2 Contamination control
  • 7 Product realization
    • 7.1 Planning of product realization
    • 7.2 Customer-related processes
      • 7.2.1 Determination of requirements related to product
      • 7.2.2 Review of requirements related to product
      • 7.2.3 Communication
    • 7.3 Design and development
      • 7.3.1 General
      • 7.3.2 Design and development planning
      • 7.3.3 Design and development inputs
      • 7.3.4 Design and development outputs
      • 7.3.5 Design and development review
      • 7.3.6 Design and development verification
      • 7.3.7 Design and development validation
      • 7.3.8 Design and development transfer
      • 7.3.9 Control of design and development changes
      • 7.3.10 Design and development files
    • 7.4 Purchasing
      • 7.4.1 Purchasing process
      • 7.4.2 Purchasing information
      • 7.4.3 Verification of purchased product
    • 7.5 Production and service provision
      • 7.5.1 Control of production and service provision
      • 7.5.2 Cleanliness of product
      • 7.5.3 Installation activities
      • 7.5.4 Servicing activities
      • 7.5.5 Particular requirements for sterile medical devices
      • 7.5.6 Validation of processes for production and service provision
      • 7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier systems
      • 7.5.8 Identification
      • 7.5.9 Traceability
      • 7.5.10 Customer property
      • 7.5.11 Preservation of product
    • 7.6 Control of monitoring and measuring equipment
  • 8 Measurement, analysis and improvement
    • 8.1 General
    • 8.2 Monitoring and measurement
      • 8.2.1 Feedback
      • 8.2.2 Complaint handling
      • 8.2.3 Reporting to regulatory authorities
      • 8.2.4 Internal audit
      • 8.2.5 Monitoring and measurement of processes
      • 8.2.6 Monitoring and measurement of product
    • 8.3 Control of nonconforming product
      • 8.3.1 General
      • 8.3.2 Actions in response to nonconforming product detected before delivery
      • 8.3.3 Actions in response to nonconforming product detected after delivery
      • 8.3.4 Rework
    • 8.4 Analysis of data
    • 8.5 Improvement
      • 8.5.1 General
      • 8.5.2 Corrective action
      • 8.5.3 Preventive action
  • Annex A (informative) Comparison of content between ISO 13485:2003 and ISO 13485:2016
  • Annex B (informative) Correspondence between ISO 13485:2016 and ISO 9001:2015
  • Annex ZA (informative) Relation between this European Standard and the Essential Requirements of EU Directive 90/385/EEC
  • Annex ZB (informative) Relation between this European Standard and the Essential Requirements of EU Directive 93/42/EEC
  • Annex ZC (informative) Relation between this European Standard and the Essential Requirements of EU Directive 98/79/EEC

2 Risk-based thinking and applicable regulatory requirements are the big novelty

The term risk appears repeatedly (20 times, before it was 3 times). It is defined according to ISO 14971 (combination of the probability of occurrence of a damage and its potential gravity) and not according to ISO 9000 (effect of uncertainty). The risk is linked with:

  • processes required by the QMS
  • outsourced processes
  • software applications
  • effectiveness of training
  • changes in design and development
  • criteria for evaluating and selecting suppliers
  • failure to comply with purchase specifications
  • verification of the purchased product
  • validation of software applications of production processes
  • use of monitoring and measuring equipment software
  • feedback from production and post-production activities

The term "applicable regulatory requirements" appears more than 40 times, it is quoted in almost every paragraph!

3. Changed terms

  • complaint
  • labelling
  • medical device

4 New terms

  • authorized representative
  • clinical evaluation
  • distributor
  • importer
  • life-cycle
  • manufacturer
  • performance evaluation
  • post-market surveillance
  • risk
  • risk management

5. Other novelties

  • sub-clause 4.2.3 New sub-clause. Medical device file. Demonstrate conformity to the requirements of the ISO 13485 : 2016 standard and compliance with applicable regulatory requirements. This file shall include documents such as:
    • description of the medical device
    • intended use (purpose), labelling, instructions for use
    • specifications
    • procedures for manufacturing, packaging, storage, handling, distribution, servicing, measuring and monitoring
    • requirements for installation
  • sub-clause 6.2  Document the process for establishing competence, providing training and ensuring awareness of personnel
  • sub-clause 6.4.2 New sub-clause. Contamination control. Prevent the contamination of:
    • the work environment
    • personnel
    • product
  • sub-clause 6.4.2 New sub-clause. Documented requirements for control of contamination for sterile medical devices. Maintain cleanliness during assembly or packaging processes
  • sub-clause 7.1 Required measurement, handling, storage, distribution and traceability activities
  • sub-clause 7.2.3 Communication. Communicate with regulatory authorities
  • sub-clause 7.3.3 Design and development inputs shall include requirements (...) usability. according to the intended use. Note towards IEC 62366-1. Evaluate (take into account) the intended use. Requirements shall be able to be verified or validated
  • sub-clause 7.3.6 Document verification plans. Medical device connected or have an interface with other devices. Include:
    • methods
    • acceptance criteria
    • statistical techniques
    • rationale for sample size
  • sub-clause 7.3.7 Document validation plans. Medical device connected or have an interface with other devices. Include:
    • methods
    • acceptance criteria
    • statistical techniques
    • rationale for sample size
  • sub-clause 7.3.8 New sub-clause. Transfer of design and development. The documented procedure shall include the verification that:
    • outputs are suitable for manufacturing
    • production capability can meet product requirements
  • sub-clause 7.3.9 Procedure for control of design and development changes. Impacts of the change
  • sub-clause 7.3.10 New sub-clause. Design and development files. Records of these files include:
      • demonstration of compliance with requirements
      • control of changes
  • sub-clause 7.4.1 Monitoring and re-evaluation of suppliers. Reaction proportionate to the risk associated when non-fulfilment of specifications
  • sub-clause 7.4.2 Notification by the supplier of changes in the purchased product
  • sub-clause 7.4.3 Verification and action of changes in the purchased product
  • sub-clause 7.5.4 Analyse records of servicing activities 
  • sub-clause 7.5.8 Document procedure for product identification and status
  • sub-clause 8.2.1 Feedback. Use this data as potential input into risk management
  • sub-clause 8.2.2 New sub-clause. Complaint handling. Documented procedure. Maintain records about complaint
  • sub-clause 8.2.3 New sub-clause. Reporting to regulatory authorities. Documented procedure. Notify events. Issue advisory notice
  • sub-clause 8.3.2 New sub-clause. Product concession before release. Justification and approval
  • sub-clause 8.3.3 New sub-clause. Product concession after release. Maintain records
  • sub-clause 8.3.4 New sub-clause. Rework. Maintain records

6. Requirements related to documentation:

Quality manual (sub-clause 4.2.1 b)

Documented procedures (25) :

  • Validation of the application of software (sub-clauses 4.1.6, 7.5.6 and 7.6)
  • Control of documents (sub-clause 4.2.4)
  • Control of records (sub-clause 4.2.5)
  • Management review (sub-clause 5.6.1)
  • Control the work environment (sub-clause 6.4.1)
  • Design and development (sub-clause 7.3)
  • Design and development transfer (sub-clause 7.3.8)
  • Design and development changes (sub-clause 7.3.9)
  • Purchasing (sub-clause 7.4)
  • Control of production (sub-clauses 7.5.1 and 8.2.6)
  • Servicing activities (sub-clause 7.5.4)
  • Validation of processes (sub-clauses 7.5.6 and 7.5.7)
  • Identification and traceability (sub-clauses 7.5.8 and 7.5.9)
  • Preservation of product (sub-clause 7.5.11)
  • Control of monitoring and measuring equipment (sub-clause 7.6)
  • Feedback (sub-clause 8.2.1)
  • Complaint handling (sub-clause 8.2.2)
  • Reporting to regulatory authorities (sub-clause 8.2.3)
  • Internal audit (sub-clause 8.2.4)
  • Control of nonconforming product (sub-clause 8.3.1)
  • Advisory notices (sub-clause 8.3.3)
  • Rework (sub-clause 8.3.4)
  • Analysis of data (sub-clause 8.4)
  • Corrective action (sub-clause 8.5.2)
  • Preventive action (sub-clause 8.5.3)

Records (55) :

  • role of the organization (sub-clause 4.1.1)
  • process control (sub-clauses 4.1.3 e et 4.2.1 d)
  • validation of software applications (sub-clause 4.1.6)
  • general documentation of the QMS (sub-clause 4.2.1)
  • quality manual (sub-clause 4.2.1 b)
  • regulatory requirements (sub-clause 4.2.1 e)
  • medical device file (sub-clause 4.2.3)
  • control of records (sub-clause 4.2.5)
  • responsibilities, authorities and independence (sub-clause 5.5.1)
  • management review (sub-clauses 5.6.1 et 5.6.3) 
  • personnel competence (sub-clause 6.2 e)
  • infrastructure maintenance (sub-clause 6.3)
  • work environment (sub-clause 6.4.1)
  • requirements for health, cleanliness and clothing (sub-clause 6.4.1 a)
  • contamination control (sub-clause 6.4.2)
  • risk management (sub-clause 7.1)
  • planning of product realization (sub-clause 7.1)
  • proces and product compliance (sub-clause 7.1 d)
  • review of requirements related to product (sub-clause 7.2.2)
  • communication with customer (sub-clause 7.2.3)
  • design and development inputs (sub-clause 7.3.3)
  • design and development  outputs (sub-clause 7.3.4)
  • design and development review (sub-clause 7.3.5)
  • design and development verification (sub-clause 7.3.6)
  • design and development validation (sub-clause 7.3.7)
  • design and development transfer (sub-clause 7.3.8)
  • design and development changes (sub-clause 7.3.9)
  • design and development files (sub-clause 7.3.10)
  • supplier control (sub-clause 7.4.1)
  • purchasing information (sub-clause 7.4.2)
  • verification of purchased product (sub-clause 7.4.3)
  • verification and approval of medical devices before release (sub-clause 7.5.1)
  • cleanliness of product (sub-clause 7.5.2)
  • installation and verification of medical devices (sub-clause 7.5.3)
  • realized servicing activities (sub-clause 7.5.4)
  • batch sterilization process parameters (sub-clause 7.5.5)
  • process validation (sub-clause 7.5.6)
  • sterilization process validation (sub-clause 7.5.7)
  • unique identification (sub-clause 7.5.8)
  • traçeability (sub-clause 7.5.9.1)
  • shipping package consignee (sub-clause 7.5.9.2)
  • customer property problem (sub-clause 7.5.10)
  • preservation of product (sub-clause 7.5.11)
  • calibration and verification results of measuring equipment (sub-clause 7.6)
  • validation results of monitoring and measuring software (sub-clause 7.6)
  • feedback (sub-clause 8.2.1)
  • complaint handling (sub-clause 8.2.2)
  • reporting to regulatory authorities (sub-clause 8.2.3)
  • internal audits (sub-clause 8.2.4)
  • monitoring and measurement of product (sub-clause 8.2.6)
  • nonconformities (sub-clause 8.3.1)
  • concession authorization (sub-clause 8.3.2)
  • advisory notices (sub-clause 8.3.3)
  • realized rework (sub-clause 8.3.4)
  • analysis of data (sub-clause 8.4)
  • corrective action undertaken (sub-clause 8.5.2)
  • preventive action undertaken (sub-clause 8.5.3)

7. The verb shall is present 253 times in clauses 4 to 8

In the 2012 version it was 207 times

8. COMMENTs

  1. The expression "conformity to requirements" is a pleonasm because the definition of conformity is "satisfaction of a requirement" thus one obtains "satisfaction of a requirement to requirements"
  2. No process mapping requirements
  3. The expression maintain records should be retain records, according to ISO 9001 v 2015, annex A.6, sub-clauses 4.1.3 e, 4.1.6, 4.2.5, 5.6.1, 6.2 e, 6.3, 7.1, 7.2.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.9, 7.4.1, 7.4.2, 7.4.3, 7.5.1, 7.5.3, 7.5.4, 7.5.5, 7.5.6, 7.5.7, 7.5.9.2, 7.5.10, 7.6, 8.2.2, 8.2.3, 8.2.4, 8.3.1, 8.3.2, 8.3.3, 8.3.4, 8.4, 8.5.2, 8.5.3
  4. No requirement for staff satisfaction. The motivation and commitment of the staff are not addressed but only awareness is present (sub-clause 6.2)
  5. The sub-clause 7.2 Customer-related processes should be Customer-related products