If your organization is one of the more than 59,000 certified to ISO 13485, you should already be planning for your transition to the newest version of the standard. As of February 28, 2019, all ISO 13485:2003 certificates will expire, with the Medical Device Single Audit Program (MDSAP) requiring manufacturers to transition by January 1, 2019.
ISO 13485 is based on the popular ISO 9001 for quality management systems, although key structural differences make it a standalone standard. In this post, we’re looking at what the changes are in ISO 13485:2016, and what companies can do to streamline the transition process.
One of the main reasons for updating ISO 13485:2003 is to bring it into alignment with regulatory requirements. The new standard is closely linked to regulations in terms of:
- Complaint management.
- Reporting issues to regulators.
Many regulatory bodies worldwide are incorporating ISO 13485 into their requirements, making it a natural fit for organizations marketing product internationally.
Risk Management in ISO 13485
What makes ISO 13485 different from other post-ISO 9001:2015 standards is that it doesn’t have the new high-level Annex SL structure that’s received so much focus. However, it’s still similar to other new standards in that it requires risk-based approaches to protecting quality and safety. In fact, it’s mentioned over a dozen times in the 2016 version, compared with just two instances in ISO 13485:2003.
To comply with the new standard, companies will need to show they take risk into account for the entire organization’s Quality Management System (QMS) processes, including:
- Supplier and contract manufacturer selection.
- Product realization.
- Employee training.
- Design and development.
- Corrective action.
- Software use and validation.
Validating your computer systems ensures they are up to the task of protecting safety and quality. ISO 13485 has more specific requirements for validation of systems like like Enterprise Resource Planning (ERP), QMS and Laboratory Information Management Systems (LIMS), as well as any other applications used in the development or maintenance of medical devices.
Software validation is a lengthy and resource-intensive process, and can take months to complete. That’s why many life sciences companies opt for automated validation, which can turn a 4-day validation project into one that’s completed in a day.
Transitioning to ISO 13485:2016
It’s not exactly panic time yet, but there’s no time to waste when it comes to preparing for the new standard. What steps should you focus on?
- Learning: Not only will you want to purchase a copy of ISO 13485, you’ll also need to think about whom you’ll send for internal auditor training from your organization. Unless you’re bringing in consultants to do the audit, but even then the training will still help you smooth the transition.
- Analyzing gaps: Which areas of the standard do you already have controls for, and where will you need to create new controls or processes?
- Auditing your processes: As you conduct your internal audits in preparation for certification (or recertification), it’s important to pay attention to past compliance issues.
- Taking corrective action: Auditors are going to want to see effective problem-solving using the QMS.
Compliance with ISO 13485 provides a solid foundation for compliance with many global regulations, including European Medical Device Directives (MDD), MDSAP and 21 CFR Part 280. And while the changes to the most recent version of the standard will require some strategic planning to meet, it will ultimately make products safer and organizations more effective.