13485: 2016 was issued in March 2016 with a 36 month implementation period. It is important to note, that depending on when your re- certification falls due, you may wish to certify to ISO 13485: 2016 in advance of the March 2019 deadline, which will leave you with less time in which to complete the transition. For those of you that have yet not begun the transition process, the message is simple; the time to begin transitioning to ISO 13485: 2016 is now.
In this newsletter on ISO 13485: 2016, we will explore how to transition to the 2016 version of the standard in the least disruptive manner.
Part 2: Five Steps to Compliance on ISO 13485
I would recommend a simple 5 step process to achieve a stress free transition to full compliance with ISO 13485: 2016 as follows;
1. Carry out a Gap Analysis
2. Develop a simple Implementation Plan
3. Carry out Training
4. Revise Documents
5. Audit against the Requirements of ISO 13485: 2016
More details on each of the 5 steps are given below; after that we will look at what is involved in the changes to ISO 13485.
The Five Steps to ISO 13485 Compliance
Step 1: Gap Analysis
The first step is to perform a Gap Analysis. The output from the Gap Analysis should be a list of the changes required to your current procedures and a list of any new procedures that may be required to comply with the 2016 version of the standard. Before performing the Gap Analysis, it is advisable to communicate with your Notified Body to ascertain what their expectations are in relation to compliance with the new requirements. This can be done by contacting your Notified Body or discussing it at the next surveillance audit. Notified Bodies are not allowed to offer consultancy advice but should be happy to answer your questions on the new requirements.
Step 2: Implementation Plan
The second step of the transition process should be to develop an implementation plan for updating all the affected documents and systems. Begin with the items with the longest lead times e.g. the validation of Quality System software. Leave the regulatory changes until last as further changes may become necessary due to the replacement of the Medical Devices Directives (MDD). Any new requirements arising from the latter can be added to the Implementation Plan later on. Be sure to add the implementation of the ISO 13485: 2016 to the company’s Quality Objectives at the next available opportunity.
Step 3: Training
The third step of the transition process should be training.
• I would suggest initially training key personnel in the changes to ISO 13485, and the expectations of Notified Bodies and the HPRA. It would be best to use an external training body for initial training so that you can show the source of the training for all personnel within your company.
• Next I would suggest that the ISO 13485 training is incorporated into GMP training for all employees to let them know the changes that will be coming down the tracks.
• Following this, internal auditors should be trained in the requirements of ISO 13485: 2016 and how to audit against them.
• Another consideration on the training side is training for suppliers. If you intend to contract certain key suppliers to comply with ISO 13485: 2016, you may want suppliers to inform you how they intend to undertake the necessary training or you may want to recommend to suppliers where training courses can be found such as on www.sqt-training.com or you may consider inviting personnel from your suppliers to partake in your company’s ISO 13485: 2016 training.
Step 4: Revision of Documents
Use your Implementation Plan to update procedures as they come through for revision for other reasons. This will avoid a situation where a document is revised for a particular reason and then revised again in order to comply with ISO 13485: 2016. For documents that do not otherwise come due for revision, aim to have these completed at least 6 to 8 months in advance of the March 2019 deadline.
Step 5: Auditing
The final step of implementation is auditing; this should involve internal auditing and also auditing of any suppliers that have been newly contracted to comply with ISO 13485: 2016. It is a good idea to have records generated and to have audited these against the requirements of ISO 13485: 2016 before your Notified Body arrives to perform the recertification audit.
Part 3: Principal Changes to ISO 13485: 2016
The changes to ISO 13485 can be broken into 4 main groupings as follows;
a. QMS changes; designed to broaden the scope of application of ISO 13485 and to achieve better harmonization with 21 CFR Part 820 and other regulations.
b. The application of Risk Management to all aspects of the QMS.
c. Regulatory changes; designed to better align ISO 13485 with the Medical Devices Directives and other regulations.
d. Clarifications and Administrative, Normative and Definition changes.
QMS and Scope Changes
The 2016 version of ISO 13485 is a major step forward in global harmonisation of Quality Management Systems. A number of changes to the product realization section of the standard can be seen as attempts to line up the standard with the requirements of the US QSR 21 CFR Part 820. This will make life easier for any companies already supplying medical devices to the USA and may mean that these changes are relatively easy to comply with. A good example of this is the new requirement to validate software that is used to support the QMS. This has always been a requirement of Part 820 but up to now ISO 13485 only required the validation of software that could “affect the ability of the product to conform to specified requirements”.
For companies to whom Part 820 does not apply this change may mean significant software validation effort is required. The lead time involved in software validation should not be underestimated; this is not something that can be easily achieved in the last 6 weeks before the certification audit.
Assistance on ISO 13485: 2016 Compliance
If you require assistance with any aspect of the implementation of ISO 13485: 2016, please contact John Lafferty at Northridge Quality and Validation:
tel. +353 87 2801793
or visit our website www.northridge.ie
Northridge Quality and Validation can carry out or provide assistance with any of the following; Gap Analysis, Software Validation, Procedure Updates, Internal Auditing or Supplier Auditing.
If you require assistance with training, please contact our training partner SQT Training Ltd.:
tel +353 61 339040
About the Author
John Lafferty is a Quality Management professional with over 25 years experience in the Medical Devices Industry. John runs the Quality Management consultancy, Northridge Quality and Validation and is one of the leading Healthcare Tutors with SQT Training Ltd. In addition to his consultancy work John delivers training courses in Quality Management Systems, Validation, Software Validation and Risk Management for Medical Devices.