The document discusses proposed changes to ISO13485:201X from ISO13485:2012. Key changes include a stronger emphasis on risk management, more requirements for outsourced processes and supplier control, expanded regulatory requirements, and increased focus on validation, verification, and design transfer. There will also be greater requirements for feedback and tying nonconformities to corrective and preventive action programs. The numbering system will stay the same but some changes from ISO9001:2015 will be adopted and the standard will more closely align with medical device regulations.
3. PROPOSED CHANGES - NOTES
ISO9001:2015 & ISO13485:201X are going in divergent
directions.
ISO13485:201x is moving in the direction of more closely aligning
with the Medical Device Directives.
The clause numbering system will stay the same as it currently is
and will not follow the new numbering of Annex SL. However
some of the changes in ISO9001:2015 are going to be adopted.
The emphasis throughout the proposed new ISO13485 will be
risk based for all of the processes
4. AGENDA
Projected timeframe for issue quarter 1 2016
Effect of ISO9001:2015 on ISO13485:201X
Main proposed changes to ISO13485:201X
5. CLAUSES 0.1 & 0.2– GENERAL REQUIREMENTS
0.1 - There are 7 expectations of your quality system
0.2 – 4 New goals
6. CLAUSE 1.2 – GENERAL REQUIREMENTS
Has been expanded to include the option of non-applicability to
clauses 6 & 8
7. CLAUSE 3 – GENERAL REQUIREMENTS
A number of new definitions have been added
8. CLAUSE 4.1 – GENERAL REQUIREMENTS
“The roles must be defined and documented for regulatory
authority requirements”
9. CLAUSE 4.1.3 GENERAL REQUIREMENTS
4.1.3 – Records are required to demonstrate compliance with the
Standard and appropriate regulatory requirements shall be
established and maintained.
11. CLAUSE - 4.1.6 GENERAL REQUIREMENTS
Clause 4.1.6: software must be validated prior to initial use and when
changes are made to it
There is also a new note that defines areas
18. CLAUSE 5.5.2 - MANAGEMENT REPRESENTATIVE
Note added regarding liaison with regulatory and other external bodies
19. CLAUSE 5.6 – MANAGEMENT REVIEW (GENERAL)
“The rationale for the frequency will require to be documented”
“Any new or revised regulatory authority requirements will now be a
topic at the management review meeting”
“The management review meeting will also have a risk based
approach to it”
“The risk based analysis will also come under the competency
assessment criteria under clause 6.2.2”
21. CLAUSE 5.6.3 – MANAGEMENT REVIEW OUTPUT
5.6.3 – Review Output: The DIS states that Outputs of the Management
Review shall include improvement needed to maintain the suitability and
adequacy of the quality management system and its processes,
22. CLAUSE 6.2.1 HUMAN RESOURCES
Competency based: Broader areas covered regarding personnel performing product
quality safety or effectiveness
23. 6.2.2 – COMPETENCE, TRAINING AND AWARENESS
There is now a requirement to check the effectiveness of training whether it is
conducted internally or external to the organisation
24. 6.3 – INFRASTRUCTURE:
Infrastructure
Order handling methods
Information security systems
25. 6.4 – WORK ENVIRONMENT
A lot of emphasis is now being placed on monitoring of cleanliness
26. 6.4.2 - SPECIFIC REQUIREMENTS FOR
STERILE MEDICAL DEVICES
There is greater emphasis placed on control of micro organisms
27. 7.1 – PLANNING OF PRODUCT REALIZATION:
Increased focus on risk management
28. 7.2.1 – DETERMINATION OF REQUIREMENTS RELATED TO THE PRODUCT
Risk based approach
Customer information protection
29. 7.2.3.2 – COMMUNICATION WITH REGULATORY
AUTHORITIES
new clause: Regulatory authorities communication must be documented in four areas
30. 7.3.1 – DESIGN AND DEVELOPMENT PLANNING
More robust approach on documenting design planning activities
Resources & competences
Separate design reviews of verification & validation of design
31. 7.3.5 DESIGN & DEVELOPMENT VERIFICATION
Documented verification acceptance criteria, including sample sizes
32. 7.3.7 DESIGN & DEVELOPMENT TRANSFER
New clause - requiring a documented plan on how you are going to
transfer the design to another facility or outsource it
33. 7.3.9 DESIGN & DEVELOPMENT RECORDS
New clause – Types of records required kept in a file
34. 7.4.1.1 – SUPPLIER APPROVAL
Supplier approval criteria including a risk assessment
35. 7.4.1.2 – MONITORING OF SUPPLIERS
Supplier ongoing performance measurement and re-evaluation with emphasis
on improvement where delinquent – including risk assessment reviews
50. 8.4 – ANALYSIS OF DATA
Audit – resource utilization
Reviews of service reports
51. 8.5.2 – CORRECTIVE ACTION
Corrective action plan commensurate with risks involved
Reviews of product & process data
Documentation updating
Management review of corrective action effectiveness
52. 8.5.3 – PREVENTIVE ACTION
Tie up between corrective & preventive action programmes
53. SUMMARY
• Regulatory requirements
• Risk management
• Validation, verification and design transfer
• Outsourced processes & supplier control
• Feedback
The “X” in the year header denotes that no date has been set for the release of this updated Standard. The stage we are at at the moment is that DIS 2 has been issued; this is the second Draft information standard put out for discussion and comment.
In this presentation I am going to outline my understanding of what the proposed changes might be and their impact.
Note: Only applies to devices sold within European union which carry CE markings
Annex Z: The change was made to the 2012 Standard as a number of European countries objected to the inference that ISO 13485 implied compliance with the Medical Device Directive (MDD). To solve this problem, annexes at the beginning of the new standard have now been expanded to link the clauses of ISO 13485 to the Medical Device Directive.
There are three annexes as follows: -
Annex ZA: Relationship between this European Standard and Requirements of EU Directive 93/42/EEC on Medical Devices
Annex ZB: Relationship between this European Standard and Requirements of EU Directive 90/385/EEC on Active Implantable Medical Devices
Annex ZC: Relationship between this European Standard and Requirements of EU Directive 98/79/EC on In Vitro Diagnostic Medical Devices
There was no textual change to the Standard. The foreword was changed and Annex Z added to the front of the existing 2003 version.
Divergent direction: The proposed new standard is an interim measure to more closely align with the medical device directives which apply to the sales and distribution of medical devices within EU countries. The new SL high level structure of ISO9001:2015 will not apply to this standard. Traditionally it has closely followed the development of ISO9001, but a split has occurred and ISO13485 is aligning more with the MDD; however, some of the changes in ISO9001:2015 appear likely to be adopted.
Clause Numbering: The current numbering system will remain, with 8 clauses addressed, not the 10 as is now required by ISO9001:2015.
Risk based approach: In the proposed new standard much more emphasis is placed on the risks, so you will constantly have to assess and justify your approach to the risks you are exposed to throughout the whole of the Standard.
Update to Quality Manual: The Quality manual will need updating to address these new requirements.
0.1 – Seven expectations: There is one additional expectation, g), which covers the need to take cognisance of regulatory requirements.
0.2 – New goals: Improvements to processes will be based on objective measurement, tying in objectives with process improvement.
Expansion on Non-applicability: You now have the option to exclude other parts of clauses 6 & 8 not just clause 7, but you have to document your rationale behind each of your exclusions.
Changes to definitions: This will require the creation of a glossary of terms in your quality manual or updating of your definitions in line with these proposed changes
The changes are as follows:
Removed: Supply chain explanation
Added: Clinical evaluation, Distributor, Life-cycle, Manufacturer, Post-market surveillance, Performance evaluation, Pre-clinical evaluation, Risk, Risk management
Modified: Active medical device, Complaint, Labelling, Medical device
Regulatory authority: There is a change here where the management representative will have responsibility for handling regulatory affairs. This responsibility and authority must be documented along with the associated competencies. This may change the role of the qualified person if there are two functions existing.
Record keeping: The main changes here will be risk management records and evidence of meeting the regulatory requirements. In later slides we will see the impacts in greater detail
4.1.5 – General Requirements: When you outsource processes, the standard requires that you look at the controls that are going to be put in place for that supplier, from a risk perspective.
Examples of the things that need addressing are – “What happens if the supplier doesn't meet the specifications you provided?” “How will that affect your production cycle or anything that's related to that component?”
The proposed standard will require organizations to consider those things ahead of time, so that they have controls in place to mitigate the risk as soon as possible.
Software validation: The standard will require validation of all computer software that is used as part of the quality system. While it has never been a requirement of ISO 13485, software validation has long been discussed in the industry. For example, questions arise like, “What if you use an Excel spreadsheet to control a process? Do you have to validate that spreadsheet?” Sometimes organizations don't even know where to begin with software validation — what to validate and how to validate it.
Under these revisions, computer software can be used for, but is not limited to, product design, testing, production, labelling, distribution, inventory control, data management, complaint handling, equipment calibration and maintenance, and corrective and preventive action.
If software involves or affects the quality system, you need to validate it. Plus, you need to have a very specific justification for how you validated that software, keeping records associated with what you did and demonstrating that the software is doing what it's supposed to.
This validation also applies when changes or updates are made to the software
Note: This note provides guidance on the areas that are involved in the validation process
Outsourced processes risk assessments: Any outsourced processes must have a risk assessment done on the supplier's ability to produce. This is not just an assessment of the initial sample/batch but their ongoing ability to supply over time.
Technical file documents: There is a list of items A-Z which is not exhaustive and can be used as a guideline as applicable to meet the regulatory requirements. It lists 26 elements that ISO expects manufacturers to keep as part of the file, including product description, drawings, specifications, procedures, packaging specifications, instructions for use (IFU), labelling, clinical data, etc. This technical file concept is not new, but the standard now will specifically require you to have it.
In the past this was addressed through the relevant medical device directive, but is now made explicit in ISO13485.
4.2.1.2 – Documentation Requirements: Another addition is the requirement to keep a file for the device that you're manufacturing, basically a technical file. In the past, this was addressed through the Medical Devices Directive, but it’s being added as part of ISO 13485. It lists 26 elements that ISO expects manufacturers to keep as part of the file, including product description, drawings, specifications, procedures, packaging specifications, instructions for use (IFU), labelling, clinical data, etc. This technical file concept is not new, but the standard will specifically require you to have it.
Patient records: Where for example data is captured and sent over the internet and also maintained in medical centres it will have to be protected from hacking and theft
Quality policy: This is not a change but a personal observation. All too often quality policies are cribbed from the internet and do not reflect the values and ethics of the company. The top team should all be involved with putting the quality policy together as that is the core of the QMS. Also they should all approve it, not just get the quality manager to write one and then get the MD to sign and date it. It is a key document and should be regularly reviewed to ensure that it still meets with the values and ethics the company has.
It is important also to test the understanding by employees of how the quality policy impacts on their jobs and their contribution to ensuring the policy is adhered to. All too often it is a set of “fancy words” that have no resonance to the rank and file employees, never mind the management team.
Section 5 — Management Responsibility
5.4.2 – Quality Management System Planning: This section contains a note clarifying what quality systems planning normally includes, namely quality objectives consistent with quality policy, action items to accomplish objectives, monitoring progress, and revision.
5.4.2 – Quality Management System Planning: There is a note clarifying what quality system planning is and includes, quality objectives that are consistent with the quality policy. You will require to demonstrate action on items to accomplish those objectives, monitor their progress, and review and update them in a timely manner.
5.5.1 – Responsibility and Authority: This clause has been expanded to include all staff rather than the narrow definition of “those affecting quality”. It seeks to clarify how those specific individuals are nominated as being responsible for monitoring of the product, and also for post-production activities.
If we accept the premise that “quality is everybody's business” then we must broaden our thinking to include everybody, not just those directly associated with quality. It is to get away from the thinking of “We make it, you inspect it”. The role of QC is increasingly becoming a production responsibility with the quality department taking the role of quality assurance.
This will have a knock-on effect on defining and demonstrating competence levels. You are going to be required to determine what kinds of skills, and their levels, will be needed by personnel and what responsibilities and authorities they will need to have.
5.5.2 – Management Representative: The management representative will require to have the knowledge to deal with regulatory bodies along with other external bodies. They will not just be a point of contact.
ISO9001:2015 No management representative requirement: Unlike the new version of ISO9001:2015 which does not require a management representative as the intention is to broaden the responsibilities and authorities for quality across the management team, this standard is sticking to having a MR and possibly broadening the role to cover regulatory matters.
5.6.1 – Management Review; General: There is a lot of discussion around how often management reviews should take place in standards in general.
This is often interpreted as covering the whole Standard over a 3 year period doing the minimum amount of reporting. I myself take the viewpoint that it should be done every quarter. My thinking is if the financial performance is reported quarterly, which is standard practice, then the QMS performance should also be reported on every quarter. This is an additional source of data to manage the business around.
The broader the base and source the data is taken from, the better the quality of decision making to manage the business around. You can compare apples with apples, and if the financial data vary from the quality data it should be investigated, especially as the financial reports are all lagging indicators, i.e. “how we performed over the previous 3 months”.
Frequency rationale: If you are going to say “I'm going to have them once a year,” then you have to explain the logic behind your thinking on why you consider this timeframe is appropriate for your organization.
Risk based approach: Again we see the emphasis on risk assessment, both from a documentation and training standpoint
The header in the table is 2003; there is no textual difference between the 2003 & 2012 standards. The only main change was alignment with the EU Medical Device Directives.
Management review output: Management reviews will only be effective if data is recorded correctly in the first place. If the culture in the organisation is a blame one then the issues will be covered up and not recorded, so there is nothing to analyse and report on. The culture in the organisation needs to be that “errors” are an opportunity to improve, not be used to apportion blame.
5.6.3 – Review Output: The DIS states that Outputs of the Management Review shall include improvement needed to maintain the suitability and adequacy of the quality management system and its processes. The current standard only requires improvement to maintain effectiveness of the quality system and its processes.
6.2.1 – Human Resources, General: The emphasis is broadened to include all personnel performing work affecting product quality, safety, or effectiveness to be “competent”.
The draft now breaks down the type of personnel to which this refers. For example, it is very specific about personnel who are involved with fulfilling process requirements, regulatory requirements, and quality system compliance.
It also requires the organization to define what education, skills, and training those individuals need to have to perform each role.
If we accept the premise that “everybody is responsible for quality” rather than having the mind-set of “we make it”, “you inspect it”. There is a general acceptance now that the production personnel will be responsible for the QC function and the traditional quality department having responsibility for QA. This breaks down the make it/inspect it mentality which was introduced when mass manufacturing started at the beginning of the industrial revolution. Before that, quality was built into the product by the artisan who made it; he had a pride in his work. Current thinking is self-managed teams who collectively take responsibility for the product’s quality.
6.2.2 – Competence, Training and Awareness: There is now a requirement to check the effectiveness of any training undertaken whether internal or external
The organization needs to have a methodology to evaluate if the effectiveness of the training is commensurate with the risks associated with the work that the individual is performing.
Keeping a record saying they have been trained will no longer be acceptable in its own right. Now, you need to conduct a risk assessment. Some of the questions to be answered during the risk assessment are “What happens if the training was not clear enough?” “What are the resulting consequences?” “What mitigation activities do we have in place to prevent mistakes from happening?”
6.3 – Infrastructure: Planned maintenance is now a consideration we must take into account; this is similar to the old QS9001 for the automotive industry. You will need to have very clearly documented procedures that specify how those activities are being performed and the planned maintenance intervals, and have records to demonstrate what maintenance activities have occurred.
Order handling methods: This clause also now requires you to consider ways of ensuring that you handle orders so as to prevent mix-ups that affect the product supply chain.
Information security systems: These are now viewed as infrastructure, which was not the case in the current version of ISO 13485. Information Security is something that can affect the quality of your product, so you need to have procedures in place to train your personnel to manage those activities.
6.4 – Work Environment: The last part under section 6 deals with the work environment. A lot of stress has been placed on cleanliness and monitoring within clean rooms and manufacturing areas that deal with sterilized products, to ensure that monitoring is carried out for particles that could have an adverse effect on the product. They reference ISO 14644, the Standard used for controlled environments, as guidance for medical device companies to use in managing clean rooms.
This clause contains more clarity on what is meant by the term “work environment”, where it was always difficult to define exactly where the boundaries were. Examples are provided on conditions to be considered such as noise, temperature, humidity, lighting, or weather, and areas of infrastructure such as inspection areas, storage and distribution areas — but it can be any area within an organization that is dealing with product manufacture.
6.4.2 – Specific Requirements For Sterile Medical Devices: There is now a sub-clause on sterile medical devices. The Standard requires that you take additional measures for these types of products, where there is a need to prevent contamination with particulate matter or micro-organisms, and maintain the degree of cleanliness during assembly and packaging operations.
7.1 – Planning of product realization:
Here again there is an increased focus on risk management.
One of the biggest changes to section 7.1 is a requirement to document how the risk management activities are being handled for product planning. The draft guidance highlights several areas where risk management should be incorporated: verification, validation, revalidation, monitoring, testing, and traceability. You will need to conduct an assessment considering the risk as you’re planning for those activities, and that process has to be documented.
A note was also added requesting organizations to look at IEC-62304, which is guidance related to software lifecycle processes. If your device incorporates software, then the guidance requires you to look at all the different lifecycles of that software, so you're planning ahead of time for future changes.
Risk based approach: The word “risk” appears 19 times throughout the Standard. This shows a new emphasis whereby risk management is the key approach.
7.2.1 – Determination of requirements related to the product: The main elements that changed in this section, which is under 7.2 – Customer-related processes, is the addition of a requirement to determine user training to ensure that the product will be used in a safe and effective manner. (By user, it means the physician or the person who will install the device.) While training is sometimes taken into account by manufacturers, it's not always done consistently. This change seeks to ensure that the training process gets firmed up, and that there are more controls in place when it comes to training.
Customer information protection: The other element that's new in section 7.2.1 is the requirement that organizations protect confidential health information from their customers. This information could arrive in two ways: It could be customer-provided feedback for the organization to incorporate into the requirements for making the product, or it could be post-market surveillance data. Any kind of information that comes from the customer needs to be protected in a confidential manner.
7.2.3.2 – Communication with regulatory authorities:
This is a new clause. Documented arrangements must be in place for communicating with regulatory authorities regarding the following four areas:
product information,
regulatory inquiries,
complaints,
advisory notices.
There must be a documented procedure explaining how you intend handling these communications.
7.3.1 – Design and development planning: This draft standard requires that you now document your planning. In previous versions it was mandated that you plan design- and development-related activities, but this revision insists upon a more robust approach to documenting those activities.
Another addition to this sub-clause requires you to have a process in place to ensure traceability of your design and development outputs to design and development inputs.
In addition you need to look at the resources that you will need for design and development stages, including the competence of the personnel who will be involved with those activities. Evaluation of the personnel conducting the design activities must be demonstrable; you cannot just appoint someone without the appropriate background.
A new note clarifies that design and development review, verification, and validation have distinct purposes and can be conducted and recorded separately or in any combination that is suitable for the product and the organization.
7.3.5 – Design and development verification:
There is more emphasis in this clause on developing a documented process for planning the design and development verification activities.
It also specifically indicates that verification plans should cover the acceptance criteria and sample sizes utilized in the design, along with the rationale behind the selection of them.
If the intended use requires the device to be connected with other devices, then the design verification activities must confirm that the design outputs still meet the design inputs when connected — you have to evaluate at the verification (check) and validation (prove) stages, not just the device itself but how it performs with other devices or systems. The question to ask is “Will the device continue to do what it’s supposed to do once it's connected to another device or another system?”
7.3.7 – Design and development transfer:
This is a new clause, requiring a documented plan, if you are going to transfer your design to another facility or an outsourcing partner, for example. You must ensure that your design and development outputs are suitable for the production specifications. In other words, if you move your product, will the new site be able to use your specifications and manufacture the products the same way you would have at the existing site? Can this be demonstrated with objective evidence to support your product?
There are eight aspects the organization needs to consider, as follows:
supplier quality and capability,
manufacturing personnel capability and training,
manufacturing process and process validation,
materials,
manufacturing tools and methods,
manufacturing environment,
installation,
service.
You need to have a process in place that explains how each of these items will be addressed if you transfer the design to another supplier.
7.3.9 – Design and development records:
Again, a new clause has been added; this explains the types of records you need to keep in a file as part of your design and development activities. Previously, it was up to the manufacturer to decide how they were going to manage their records and provide evidence that the device was meeting all the requirements. Now, the draft standard is very prescriptive about the types of documentation required to be kept in the file. Examples include:
Results of preclinical tests related to the device and its conformance with specifications
Biocompatibility studies
Electrical safety and electromagnetic compatibility (EMC)
Software verification and validation
Report on clinical evaluation
Post market clinical follow-up plan and evaluation report
While manufacturers are required to keep a file, they may determine what is important to include in their file, so they can have records available. For example, biocompatibility may not be applicable to all devices, so it will not appear in every device’s file.
7.4.1.1 – Supplier approval:
This clause clarifies the types of criteria to consider before approving a supplier. You need to have a plan on how you will select suppliers — how you will evaluate, re-evaluate, and then approve them based on their ability to meet your requirements.
Yet again, we see an emphasis on risk analysis. You will be required to demonstrate whether you will have strict controls, depending on how important the vendor products are to your manufacturing operations. In cases where the product is extremely important, you will possibly want to audit those suppliers more frequently, require them to be ISO 13485 certified, and have periodic meetings to assess how they are performing. If, on the other hand, the supplier is not as critical, you might not be so stringent. The expectation is that you show that you performed a risk assessment to justify requirements for all of your critical suppliers.
7.4.1.2 – Monitoring of suppliers: Organizations must demonstrate that they are checking in on how their suppliers are performing and are utilizing that data as part of the re-evaluation process. If a supplier is not meeting your requirements, you have to show what you are doing to help the supplier improve their performance, or that you are disqualifying them, or that you are engaging in other activities that take into account your risk assessment. You need to have evidence that you are reviewing the data.
7.4.1.3 – Supplier documentation: Following up on 7.4.1.2, this new requirement requires you to keep records of your supplier evaluations, including any actions taken as a result of these evaluations.
7.4.2 – Purchasing information: This again is a new requirement requiring you to have quality agreements with your suppliers. If as an example, a supplier makes a change relating to your product or deviates from the original plan — then there are very specific roles and responsibilities that need to take place there.
The supplier needs to communicate with you these amendments to your contracts. Suppliers can't simply change something without letting you know. This is not a new concept, but now the draft standard requires this to be documented and communicated to you from your suppliers.
7.5.2 – Validation of processes for product and service provision:
There is now an added requirement to include procedures for validation of sterilization and packaging. If you comply with the European Medical Device Directive (MDD), you will already be doing this; now, the new proposed draft of ISO13485 is going to call for it.
They also added a reference to the ISO 11607 Standard for packaging terminally sterilized medical devices. This is just another reference you can use as guidance to help you comply with the ISO 13485 requirements.
7.5.3 – Product identification and traceability:
Another new sub-clause, 7.5.3.1 states that if a unique device identification (UDI) is required by the regulatory agency in a country where you sell your product, you need to establish and maintain a UDI for your device.
This is likely an FDA-driven clause (since FDA recently implemented UDI rules in the U.S.), but as it becomes a more established practice, additional regulatory bodies will start asking for UDI.
It is also important to point out that this sub-clause requires that you have procedures in place to separate and distinguish returned products from conforming products. If for example you receive returns from a hospital or distribution centre, you need to prevent that product from getting mixed up with your existing product.
7.5.4 – Customer property:
The standard requires you to look at the regulatory requirements from all countries in which you must preserve confidential health information. If confidentiality is a requirement in a country where your product is sold, you need to have a procedure to address how you will safeguard confidential information and treat it as customer property.
7.5.5 – Preservation of product: This new section instructs you to evaluate your packaging and shipping containers to ensure they are designed to protect the device from contamination and damage — not only during the processing of the device, but also during handling, storage, and distribution. It forces you to look at the complete lifecycle for that package and perform the necessary validations.
For example, if you plan to ship your devices to a region that is extremely cold, do you know that your package will be able to protect the product? Or is the product going to freeze, resulting in an adverse effect? The same thing goes for high temperatures or other environmental factors. You have to take that into account as you perform your validation.
7.5.5.1 – Particular requirements for sterile medical devices: This is also a new requirement that elaborates on particular requirements for sterile medical devices.
If you manufacture a sterile product, you have to take additional measures to make sure that sterility will be preserved, wherever you plan to ship it and however long it will take to get there. A question to ask yourself: “How do you demonstrate that the product is going to remain sterile?” Again, you need to have the validation records to prove that your product meets this requirement.
8.2.1 – Feedback:
What has changed here is that the draft standard requires organizations to come up with a documented process for gathering data from production and post-production activities. While the current standard makes general references, the draft is more explicit: it states that you have to gather feedback, provides guidance on how to do so, and is more prescriptive about documenting how you gather that data.
Not only will you be required to gather feedback, but also to incorporate it as part of your risk management programme. Any data that you obtain become inputs of your risk management process, to help you determine what effects the feedback will have on the product and whether any changes are necessary within your design or production activities to address these concerns.
In addition, you will have to evaluate that data using some kind of statistical methodology. Each organization will have to decide what method makes the most sense, based on your product and your processes and activities. And if you aren't using any statistical methods, then you have to provide the rationale, justifying why you have chosen not to.
Once you have the analysis, then you need to determine if that needs to go into your corrective and preventative action (CAPA) process. If the notified bodies start seeing trends and issues in your data, but you aren’t raising any CAPAs related to them, then that will become an issue. They want to make sure that you are really acting upon feedback, not just reviewing it.
The last change relates to regulatory requirements, something we have seen across the draft. It asks organizations to look beyond their local requirements to all international regulations that apply to your product, especially related to post-market activities. Certain countries have very unique requirements regarding conducting and handling the data from post-market activities, so you have to make sure that it is incorporated into your policies.
8.2.3 – Monitoring and measurement of processes:
This clause has an added note about the type and extent of monitoring and measurement appropriate to each process, and its impact on the conformity to product requirements and on the effectiveness of the quality system. Organizations need to determine the best way to monitor their processes, depending on their environment and process complexity.
For example, if you are analysing production data and you find that there is an issue with calibration, the action you take might be different than if you are evaluating data from your post-market activities or your preventative maintenance system.
The calibration monitoring for a tool used “in-process” might be different than the calibration monitoring for a tool used in “final” inspection to release product. You will need to be able to justify how tight your controls are based on the circumstances and complexity of each process.
8.2.4 - Monitoring and measurement of product:
This clause now includes a note that states that, "Records shall identify the test equipment used to perform measurement activities and the person(s) authorizing release of product."
For every batch manufactured, you will need to demonstrate what equipment was used. So if 10 measuring gauges have been used in the process, then you need to be able to trace them down to which one you used to measure some aspect of the device before its final release. Not only do you have to trace it back to that instrument, you have to show who in your organization authorized the approval.
It is also important to mention that this was brought up with the latest revision of ISO 14971, the risk management standard.
Now, ISO is tying it in with this section in ISO 13485, so that it is consistent across the standards.
8.3.1 – Control of nonconforming product (general):
Clause 8.3 of the draft guidance has been broken down into several different subsections, the first of which is 8.3.1. This clause requires that the evaluation of non-conformance includes a determination of the need to investigate. You need to show how an issue was investigated and how you notified all the stakeholders who were involved in the investigation and associated with the nonconformity.
There is now also a link between the nonconformity and the CAPA system. You will need to be able to show if the issue warranted a CAPA, or if it was just managed within the system itself.
Obviously, you would have to justify why you decided not to escalate it into a CAPA and instead left it within the non-conformance management system.
8.3.2 – Actions in response to nonconforming product before delivery:
This clause discusses the actions required to handle the nonconformities before the product is shipped out of your facility.
If you identify the nonconformities before the product leaves the plant, it provides an outline of all the actions that must be completed before you release the product.
As an example, you will need to make sure you eliminate the nonconformity, document your criteria for releasing it, ensure the product meets all specifications, and have addressed the relevant regulatory requirements that other countries may have imposed.
8.3.3 – Actions in response to nonconforming product after delivery:
This clause is similar to 8.3.2, except that it applies to nonconformities identified after the product has been released.
Organizations need to have a documented procedure for issuing and implementing an advisory notice.
8.3.4 – Rework:
This clause is not new — rework was already included in the current standard as part of controlling nonconforming products.
However, now a new section has been added.
The section states that if you establish rework, you need to look at any potential adverse effects on the product. Not only that, but it also has to become part of your risk-management process.
When you decide that a product needs to be reworked, you will also need to consider the implications that rework and retest have on the product. How does the rework affect the design of the product or any other manufacturing
8.3.4 – Records:
Again, very little is new here. This is a specific clause to make sure that you keep all the records associated with your management of nonconformities.
These records would include any decisions, people involved, and authorizations that took place before the product was released.
8.4 – Analysis of data:
This clause requires that you gather data to demonstrate that your quality system is suitable and effective, that you are making improvements, and that you are taking actions.
The standard is all about making sure that you have a solid system in place that is continually evolving.
Two requirements were added at the end of this section.
The first is audits. You need to look at your data from audits to determine if you are having more issues in a given area that could potentially become a larger problem. The draft guidance doesn’t specify the types of audits, but you can assume this also covers supplier audits.
The second new requirement is to review data from service reports. So if you manufacture a device on which you will perform a service, you have to review the data, looking for potential issues.
For example, if your product is an implantable device, then most likely this requirement wouldn’t apply to you. But if you make capital equipment, you will need to have data that shows what servicing activities you are engaged in and an analysis of how that data is behaving.
8.5.2 – Improvement:
A sub-clause is added that requires you to come up with a corrective action plan that is commensurate with the risk.
Depending on the risk of the problem you are experiencing, you would need to establish why you decided to go one way or another with your response to it.
The other addition is two requirements that organizations need to address in a documented procedure.
One is reviewing product and process data analysis to identify nonconformities for corrective action. This is just tying it back to what we covered in the previous slide under “control of nonconforming product”.
The other is determining and implementing the actions needed, including, where appropriate, updating of the documentation.
Finally, there is a comment about analysing your corrective actions as part of your management review process. This is not something new, but a line has been added to make it clear that you need to have feedback included as part of your management review process.
8.5.3 – Preventive action:
The changes to this clause are similar to the previous clause on corrective action. There is a requirement that you review the product and process data analysis to identify potential nonconformities in order to prevent their occurrence.
At the end of the paragraph, there is the same request that analysis of preventive actions should provide feedback to the management review process.
1. Regulatory requirements: The first section (0.1) establishes an emphasis on regulatory requirements which we see across the rest of the draft standard. This includes not only the local requirements that apply at your facility, but if you are an organization that commercializes its products globally, you also need to take into consideration the relevant international requirements. There are many references to this throughout the draft standard.
2. Risk management: Another theme that permeates the draft standard is the need to incorporate risk management into all the main quality system processes within your organization. Almost everything you do needs to be based on that risk, justifying that what you are doing is adequate and conforms to what you defined as part of your design and production activities.
3. Validation, verification, and design transfer: The draft standard puts a lot more structure into place surrounding these activities. You must now have plans in place and documented evidence to show what you have done for validation, verification, and design transfer activities.
4. Outsourced processes and supplier controls: The draft standard requires that organizations do a lot more when it comes to outsourcing processes and putting into place controls for assessing suppliers — again based on risk.
5. Feedback: The draft requires you to monitor and measure the performance of your QMS not only during production, but also post-market. You also have to incorporate those activities as part of your risk management process.
The linkage between all the different clauses within the standard has been improved. Now, everything is more interconnected. You have to have systems in place that allow you to demonstrate conformance across the requirements. It is a much more integrated approach.