7 ISO 13485:2016 Changes That Can Make Your Company Better
Has your medical device company lost its competitive edge? If you’re struggling to comply with quality standards, it may be time to go back to the basics.
Understanding the evolution of regulatory standards as they are updated from one version to the next is surprisingly helpful. Seeing what’s changed is an indicator of what organizations need to do to create a quality-driven organization and product. Specifically, the ISO 13485:2016 updates tell a story of some areas you should pay attention to as you strive to build a market-leading company.
OriGen Biomedical recently achieved ISO 13485:2016 certification and MDSAP after a successful quality management system (QMS) audit. “We are all proud,” said president Richard Martin. “[Certification] shows the commitment of all OriGen employees to continuous improvement and compliance with the highest regulatory standards.”
We've identified seven specific changes between the previous and current versions of ISO 13485. Focusing on these areas can give your company a competitive edge.
7 ISO 13485:2016 Changes That Can Improve Your Company
Complying with ISO 13485:2016 is now compulsory for device manufacturers to achieve MDSAP certification to quality standards in the US, Australia, Brazil, Japan, and Canada. Working toward ISO 13485:2003 is no longer an option, but it’s still worthwhile to take a look back. By understanding how the ISO standard for medical device quality evolved in recent years, it’s possible to take the pulse of device quality best practices.
The 2016 update to the ISO 13485 standard had a heavy, new emphasis on risk management. There were new requirements for validation, traceability, and supplier quality control. These recent updates tell a story about what it takes to achieve quality-driven improvements in today’s market.
1. A Risk-Based Focus
Risk is defined in ISO 14971 as “the probability of occurrence of harm and the severity of that harm.” The most concerning types of harm are patient safety issues, such as injury or death.
ISO 13485 placed an unprecedented focus on a risk-based approach, which included over a dozen mentions of risk in the standard text. The idea behind a risk-based approach is to balance quality management activities with the likelihood of harm in order to achieve safety and compliance.
A risk-based approach is now required throughout the entire QMS instead of just in product development processes. Beyond the need for risk management in every stage of the product life cycle, the specific requirements are less clear. It’s up to the manufacturer to actively identify and assess risks in every part of the QMS, and apply appropriate controls. Neither ISO 13485 nor other standards attempt to define an acceptable risk or suggest how device firms should try to balance risk controls with agility.
In many areas of the QMS, such as supplier management and corrective and preventive action, a simple scale can be used to describe the results of risk assessment. For example, risks can be ranked as low, medium, or high according to clearly defined scales. In other areas of the QMS, such as quality assurance or design validation, a more complex approach to calculating risk is almost always necessary.
It’s not possible for any organization to achieve a zero percent measure of risk. However, organizations can prioritize risk response by quantifying risks and focusing their efforts on the highest-ranked issues. The risk-based approach can inform continuous improvement and compliance efforts by encouraging the proactive identification of issues before they impact product quality.
2. Expanded Documentation Control
ISO 13485:2016 introduced new process-based requirements for document control, specifically related to document “release.” Release is a set of criteria that must be met in order for a document to be moved to the next stage. For example, an instrument calibration exercise may need to meet certain requirements for results and supervisory review before the activity is considered completed and released.
The update to the ISO standard introduced the “four-eyed principle,” which is essentially a requirement that individuals should never check their own work. A second set of eyes is almost always required, and in some cases, there are specific requirements for an objective reviewer. The expanded document control requirements can be complex and a headache if organizations are trying to manage release requirements on a paper-based system. It’s easy to lose track of documents or fail to capture a required signature.
However, the new requirements for document release are much simpler with document management software, which sends automated reminders for approvers and reviewers. The document control process is really about creating systems of accountability. The four-eyed principle can ensure that documentation is created according to SOPs and compliance requirements.
3. More Robust Training Effectiveness
Clause 6.2 of ISO 13485:2016 includes a subtle expansion of training requirements to address the need for effective training. Specifically, the quality management system must:
- Document processes for establishing competence
- Provide training and ensure awareness
Effective training is an important component of any QMS. However, the 13485:2016 update makes it clear that training activities should be more rigorous than checking a box.
It’s no longer enough to document that employees have completed their training requirements. Now, organizations need to quantify, measure, and correct an employee’s ability to competently perform their role. This will generally require firms to:
- Create a list of skill requirements for each position description
- Establish criteria for successful training, such as test score requirements
- Provide evidence that employees have met the minimum requirements for training, testing, and certification
4. Enhanced Customer-Related Processes
Device manufacturers have a new requirement under 13485:2016 to capture feedback during production and post-production and integrate feedback into the QMS and risk management activities. ISO 13485:2016 has expanded the requirements for nonconformance investigations and CAPA processes. Additional sub-clauses have expanded the requirements to measure complaint handling activities and report certain complaints to regulators when necessary.
This requirement is closely tied to the risk-based approach, which is an enormous emphasis of ISO 13485:2016. The update to the standard is about introducing tighter feedback loops and a more iterative approach to continuous improvement. Measuring the product’s ability to meet customer requirements continuously can help organizations address unforeseen risks and avoid quality issues that spiral into patient safety issues or product recalls.
5. Tighter Design and Development Correlation
ISO 13485:2016 introduced new requirements to document the design process, including planning and results. Creating a system of traceability from design inputs to outputs has been formalized as an official requirement, though it was a best practice under ISO 13485:2003.
The current version includes a requirement to document design verification activities, including clear evidence-based justification where applicable. For example, a planned testing activity should designate a testing sample size and explain why this sample size is statistically significant. Finally, ISO 13485:2016 introduced an entirely new requirement for planning design transfer to manufacturing.
The latest version of the standard has put additional responsibility on product design teams to create a comprehensive standard of product quality, which is based on clear, scientific evidence. It also makes it clear that the product design file should be a living document, subject to updates whenever necessary.
6. More Rigorous Supplier Management
ISO 13485:2016 created a clear requirement to assess the level of risk each supplier could introduce. The update shifted additional risk responsibility to the device manufacturer to ensure potential suppliers introduce the least degree of risk possible.
Suppliers must be monitored regularly to create an accurate, updated risk assessment. More than ever, there’s a need for regular communication between manufacturers and suppliers around risk and quality topics. The frequency and depth of supplier audits can vary according to the supplier’s potential impact on product quality. Finally, the definition of “supplier” doesn't just include suppliers who provide goods such as product inputs. It includes suppliers who provide services, including a QMS vendor, consultants, and every other service provider.
Across industries, third-party risk management is an enormous challenge. ISO 13485:2016 does not provide prescriptive guidance on how to create a unified risk assessment system or audit suppliers; it simply creates the requirement. Organizations that create a systemic approach to assessing and monitoring suppliers can gain an edge on compliance and visibility throughout the entire product ecosystem. Effective supplier management can prevent a host of issues, ranging from third-party cybersecurity data breaches to product safety concerns.
7. Stronger Complaint Handling
The update to ISO 13485:2016 addressed complaint handling with significantly more detail than ISO 13485:2003 or ISO 9001:2015. In the updated standard, complaints are a mandatory input for management review. In addition, clause 8.2.2 defines a list of procedural requirements for medical device suppliers:
- Comply with regulatory complaint-handling requirements
- Create a process to receive and route information
- Evaluate complaints
- Report complaints to regulatory authorities, if needed
- Perform a root-cause investigation
- Handle related complaints, such as those concerning inputs or suppliers
- Implement corrective and preventive action
- Address any third-party involvement
- Review servicing records, if applicable
- Apply complaints to the risk-management lifecycle
These requirements make it clear that device manufacturers shouldn’t view complaints as another check-box activity. Complaints are a potential source of valuable insight on ways to improve the product and QMS. Effectively analyzing and acting on complaints is much easier in QMS software, which links quality processes to discover patterns and trigger updates based on complaint investigations.
Meet and Exceed ISO 13485:2016 Quality Standard Requirements
ISO 13485 is designed to create a framework for an effective quality management system at medical device firms. It’s not a checklist of requirements, and ISO alone may be insufficient to meet certain cGMP standards per regulatory agencies. If your organization is struggling to achieve a quality-driven culture, taking a step back to look at how ISO 13485 evolved between 2003 and 2016 can provide some quality inspiration.
The changes to ISO 13485:2016 are essentially designed to push device manufacturers to create more iterative feedback loops within quality management processes. Every process is an opportunity for accountability, and every nonconformance or failed test is a chance to drive improvements in product quality. Achieving an agile approach to risk and quality requires visibility and collaboration, which is generally easiest with an enterprise Quality Management System (eQMS) designed specifically for life sciences firms.
Qualio is the first cloud quality management software (eQMS) for the entire life sciences ecosystem. We make it easy for companies to unite their teams and processes, get products to market quickly, and scale successfully. Our nimble eQMS software can speed time-to-certification with ISO and MDSAP at fast-growing MedTech companies.