How ISO 13485:2016 section 7 changes impact your QMS
There is no question whether ISO 13485:2016 section 7 changes will impact your Quality Management System (QMS). In my previous blog I stated that the two major themes in changes to the ISO 13485 standard are taking a risk-based approach and documenting everything. They are also two of the core differences in section 7, “Product Realization”.
13485:2016 Section 7 - Product Realization
Planning of product realization (13485:2016 Section 7.1)
Two new sentences have been added to the standard: “The organization shall document one or more processes for risk management in product realization. Records of risk management activities shall be maintained.” As they use ‘shall’, they are mandatory requirements. Infrastructure and work environment (along with handling, storage, distribution and traceability) have also been added and must be taken into consideration during product realization.
Customer-related processes (13485:2016 Section 7.2)
Sections 7.2.1, “Determination of requirements related to product”, and 7.2.2, “Review of requirements related to product”, add the requirement to cover “any user training needed to ensure specified performance and safe use of the medical device”; 7.2.2 simply points to the requirement stated in 7.2.1. Section 7.2.3 is now titled “Communication” instead of “Customer Communication”. The new 2016 version states that the organization shall PLAN and DOCUMENT arrangements for communication with customers, whereas previously this was not explicit. There is also the added statement that the organization must communicate with regulatory authorities in accordance with applicable regulatory requirements. This means there should also be documented arrangements for communicating with regulatory authorities.
Design and development (13485:2016 Section 7.3)
Organizations are now responsible for maintaining design and development planning documents and updating them as feedback flows into them. There must also be methods for ensuring that both design inputs and outputs have traceability. To top it off, this must all be performed by competent personnel. As for design inputs, there is now the additional requirement that usability be considered. Design outputs must provide adequate information for purchasing, production and service. They also need to contain reference to the product acceptance criteria. An organization must be able to verify or validate all design inputs and outputs. For design reviews, records must now include the participants involved, the date of the review, and most importantly, identification of the design under review.
The changes made to design and development verification and validation are very similar. In both, it is now required that a verification/validation plan be documented. The plan must include methods for acceptance criteria and, as appropriate, statistical techniques with rationale for sample size. Design validation must be performed on representative product. This could be initial production units, batches, or their equivalents. Rationale for the choice of product used for validation must also be recorded.
Three new clauses have been added to section 7: Design and development transfer, Control of design and development changes, and Design and development files. From these sections, the general requirements are documented procedures for design transfer, ensuring that design outputs are verified as suitable for manufacturing, and any outcomes or conclusions during the transfer must also be recorded. There must also be procedures for design and development changes, where review of the changes must include an evaluation of the effect of the changes on parts and product in the process and any changes to the risk management. The final clause states that the organization must maintain a design and development file for each medical device type, or device family.
Purchasing (13485:2016 Section 7.4)
Risk is also taking effect in the purchasing process. Organizations are now required to consider the performance of the supplier and determine the level of risk the supplier poses to an organization’s medical device. The higher the risk, the more stringent the controls that must be set in place. Records of this process must be maintained.
When a supplier makes any changes to the agreed-upon product, no matter how small, they must notify the organization. The standard states that, as applicable, a written agreement should be made so that the supplier is required to notify the organization before the change is made. Once the organization is made aware of the changes, they must determine whether the changes affect the product realization process or the medical device. All of this must be documented.
As before, the organization must establish methods of verifying purchased product. The additional element is the extent to which the verification activities are carried out. The organization must base this on their supplier evaluation results and the proportionate risks associated with the purchased product.
Production and service provision (13485:2016 Section 7.5)
Servicing activities (13485:2016 Section 7.5.4)
If servicing of the medical device is an applicable requirement, the organization shall document servicing procedures, reference materials, and reference measurements, as necessary. This is nothing new. In addition, 13485:2016 section 7.5.4 now states that “The organization shall analyze records of servicing activities carried out by the organization or its supplier: a) to determine if the information is to be handled as a complaint; b) as appropriate, for input to the improvement process.” If it is determined that the information is not to be handled as a complaint, then justification is required.
The majority of changes in going from ISO 13485:2003 to ISO 13485:2016 relate to risk and documentation and the training required to competently implement them all. The mindset when transitioning should be: Question each change and the impact that each change will have on the Quality Management System. Document that change, and if no further actions are required, document WHY no further action is deemed necessary.
I welcome reader feedback and questions. My final blog on ISO 13485:2016 will cover Section 8, “Measurement, Analysis and Improvement”.
Michael May is a Jr. QA/RA Specialist at StarFish Medical. He uses his background in biomaterials engineering to help clients with QA/RA challenges. He is on track to complete his first blog trilogy before ISO 13485:2016 compliance is required.
Does it seem to anybody else that there’s increasing redundancy between 13485 and 14971? Will they someday merge?
Thank you for the question.
With risk being heavily emphasized in 13485:2016, there is much more cohesion between the two standards. However, I believe that the areas covered in 14971 are much more detailed than in 13485, which often references 14971. For this reason I don’t believe they will ever be merged into one standard, but will both apply a similar approach to addressing problems and requirements.
Thanks Mike for the insightful article.
For servicing activities, what is the best way to distinguish between a routine service request and a complaint?
For the supplier qualification procedure, would it be sufficient to provide a score card for each critical supplier? For moderately critical to non-critical, can we just use annual monitoring? Thanks.
Question related to Para 7.2.2. When does the “organization’s commitment to supply product to a customer” take place – when a quote is issued or when the customer order is accepted? We issue many budgetary quotations to customers through sales on a wide variety of ‘one off’ configurations to our standard product. It’s an iterative process to try to define the final configuration. Engineering gets involved for approval only when the final configuration is determined. Is this OK or do they need to approve every budgetary quotation? Thanks.
My apologies for the late response. I recently returned from my vacation to Central America.
As for your question: the standard mentions that it is the organization’s responsibility to review the requirements related to the product before commitment to supply product to the customer. From this, I would say that engineering does not need to approve each budgetary quotation. They would still need to review and provide final approval before entering any type of supply agreement.
As you stated, regarding 7.4.2, “The standard states that, as applicable, a written agreement should be made so that the supplier is required to notify the organization before the change is made.” We have this covered using Purchase Order T&Cs when ordering via email or fax. However, when ordering from a supplier’s website, there is no place to submit our T&Cs in order to comply with 7.4.2. Do you have any suggestions?
In the past we had Purchase Orders with a similar statement. The FDA challenged us, stating that is not enough. They requested that we have written agreements with increased requirements for supply controls for suppliers of all critical parts before the new ISO 13485: 2016 came into effect. Therefore, I would suggest that you have a separate written agreement with your suppliers that specifically covers notification of any departure from specifications. It is amazing what a difference it makes when you ask the supplier to sign a legal document.
Hope this helps,
Vesna Janic, Director QA/RA
Great post with respect to the implications of 13485: 2016.
Can you provide your insight on what elements of ISO 13485: 2016 you would envision being applicable to a Distribution facility that will also need to consider provisions for the MDR with the EEA?
David, Thank you for your interest and your question. The MDR defines requirements for Distributors that were not in the MDD. These include but are not limited to requirements surrounding storage and transportation, compliant handling, recalls, product identification, traceability, record keeping, communications with Competent Authorities, and verifying that the manufacturer meets certain requirements such as having a CE Mark. Implementing 13485:2016 is a common way to ensure that processes are in place to meet these requirements. The elements that I would consider key would be the following (in no particular order):
– Customer order processing & delivery
– Work environment and contamination control
– Complaint handling
– Reporting of incidents (notifying Manufacturer and potentially the Authorized Representative)
– Field safety corrective actions (i.e. Recalls & Service Notifications)
– Traceability of product
– Documentation and record control
This would be in addition to the basics such as Management Responsibility, Training, CAPAs, Change Control, Non-conformance management, Audits, etc.
Deborah Pinchev, QA/RA Manager
Is a Supplier Agreement mandatory in ISO 13485:2016 for manufacturers of Class 1 plastic medical devices? We have an internal control for evaluation and re-evaluation of suppliers and performance of suppliers.
Some of our approved vendors are unwilling to sign these agreements. Under these circumstances, is a vendor agreement a must? We have internal controls to monitor the performance of suppliers. Purchase orders are also mailed to the supplier prior to purchase of materials.
Thanks so much for this information. Where could I find a definition of servicing activities? We have just had a surveillance audit and the auditor has implied that if we remove our implantable spinal screws this is servicing, but I am not sure if I agree?
I am afraid that the standard does not provide a useful definition of servicing activities; examples of services are from the automotive industry (ISO 9000).
ISO 13485:2016 Section 7.3.4 requires design and development to provide appropriate information regarding service provision. Section 7.5, Production and service provision, requires planning, monitoring and controlling of production and services.
ISO 13485:2016 Section 7.5.3 Installation servicing activities specifically exclude implantation in, or fitting to, the patient.
I am not sure if this answers your question. I would assume that the auditor considers removing the screws as ‘replacing the parts’ and therefore servicing the device. Please let us know how you resolved this issue with your auditor.
Could you share with me how to address medical device-related risks for ISO 13485:2016 Clause 7.1?
If you don’t already have them, I would recommend that you purchase:
• ISO 14971: 2019 ed 3 Application of Risk Management to Medical Devices
• ISO TR 24971:2020 Medical Devices – Guidance on the application of ISO 14971
• A practical guide ISO 13485:2016 Medical devices, Advice from ISO/TC 210
• CSA’s guidance The ISO 13485 essentials – A practical handbook for implementing the ISO 13485:2003 Standard for manufacturers of medical devices.
The first 2 documents are solely focused on Risk Management and your Standard Operating Procedure for Risk Management should be based on requirements outlined in ISO 14971. The other 2 documents have a lot of good tips on how to interpret ISO 13485 including Risk management process. Personally, I still find the old guide to ISO 13485: 2003 very informative.
Risk assessment (risk analysis and risk evaluation) and risk control need to be documented where they are used in product realization, with risk assessments being performed at various stages and actions identified to reduce or control risks. You need to set up document and record control of the records arising from risk management. It is important to remember that these are not static documents: you will end up with several revisions during the design and development process, and you need to keep updating them during production based on received complaints, as part of change control, or when resolving non-conformances. Sometimes you may have to consider some of the QMS processes as well (acceptance activities, training and supply chain are some examples). In practice that means that, prior to regulatory submission, you will end up with a risk management plan, a risk assessment/analysis matrix and a risk management report that will address whether the overall residual risk is acceptable. Once you start manufacturing your device, you will take input from post-market surveillance and update your risk assessment/analysis and report as needed.
In summary, product risks that are outlined during the design and development phase of the product lifecycle need to be updated as the post-market data becomes available. At StarFish Medical, we have a risk assessment/analysis file that has a risk matrix identifying the hazards that were addressed for the product to meet its safety and functionality expectations (e.g. general safety and performance requirements, essential principles, and other applicable regulatory requirements), assessing the risks (severity and probability) associated with the hazards and identifying mitigating actions to reduce these risks. As StarFish Medical is a contract manufacturer, we transfer these files to our clients to continue updating them with the input from the post-market surveillance and include appropriate experts as needed (clinical).
If you don’t have experience with medical device Risk Management, you may need external help to set up the process and train personnel who will handle Risk Management. Let us know if you need help from our experts.
Director of QA/RA