There is no question whether ISO 13485:2016 section 7 changes will impact your Quality Management System (QMS). In my previous blog I stated that the two major themes in changes to the ISO 13485 standard are taking a risk based approach and documenting everything. They are also two of the core differences in section 7, “Product Realization”.
13485:2016 Section 7- Product Realization
Planning of product realization (13485:2016 Section 7.1)
Two new sentences “The organization shall document one or more processes for risk management in product realization. Records of risk management activities shall be maintained.” have been added to the standard. As they use ‘shall’, they are mandatory requirements. During product realization, infrastructure and work environment (along with handling, storage, distribution and traceability) have all been added and must be taken into consideration.
Customer-related processes (13485:2016 Section 7.2)
In sections 7.2.1 Determination of requirements related to product & 7.2.2 Review of requirements related to product, there is the additional requirement that “any user training needed to ensure specified performance and safe use of the medical device”. Where 7.2.2 just points to the requirement stated in 7.2.1. Section 7.2.3 is now listed as “Communication”, instead of “Customer Communication”. The new 2016 version states that the organization shall PLAN and DOCUMENT arrangements for communication with customers. Whereas previously it was not explicit. There is also the added statement that the organization must communicate with regulatory authorities in accordance to applicable regulatory requirements. This means there should also be documented arrangements for communicating with regulatory authorities.
Design and development (13485:2016 Section 7.3)
Organizations are now responsible for maintaining design and development planning documents and updating them as feedback flows into them. There must also be methods for ensuring that both design inputs and outputs have traceability. To top it off, this must all be performed by competent personnel. As for design inputs, there is now the additional requirement that usability be considered. Design outputs must provide adequate information for purchasing, production and service. They also need to contain reference to the product acceptance criteria. An organization must be able to be verify or validate all design inputs and outputs. For design reviews, records must now include the participants involved, the date of the review, and most importantly, identification of the design under review.
The changes made to design and development verification and validation are very similar. In both, it is now required that a verification/validation plan be documented. The plan must include methods for acceptance criteria and, as appropriate, statistical techniques with rationale for sample size. Design validation must be performed on representative product. This could be initial production units, batches, or their equivalents. Rationale for the choice of product used for validation must also be recorded. Three new clauses have been added to section 7: Design and development transfer, Control of design and development changes, and Design and development files. From these sections, the general requirements are documented procedures for design transfer, ensuring that design outputs are verified as suitable for manufacturing, and any outcomes or conclusions during the transfer must also be recorded. There must also be procedures for design and development changes, where review of the changes must include an evaluation of the effect of the changes on parts and product in the process and any changes to the risk management. The final clause states that the organization must maintain a design and development file for each medical device type, or device family.
Purchasing (13485:2016 Section 7.4)
Risk is also taking effect in the purchasing process. Organizations are now required to consider the performance of the supplier and determine the level of risk the supplier has on an organization’s medical device. The higher the risk, the more stringent the controls that must be set in place. Records of this process must be maintained.
When a supplier makes any changes to the agreed upon product, no matter how small, they must notify the organization. The standard states that, as applicable, a written agreement should be made so that the supplier is required to notify the organization before the change is made. Once the organization is made aware of the changes, they must determine whether the changes affect the product realization process or the medical device. All of this must be documented.
As before, the organization must establish methods of verifying purchased product. The additional element is the extent to which the verification activities are carried out. The organization must base this on their supplier evaluation results and the proportionate risks associated with the purchased product.
Production and service provision (13485:2016 Section 7.5)
Servicing activities (13485:2016 Section 7.5.4)
If servicing of the medical device is an applicable requirement, the organization shall document servicing procedures, reference materials, and reference measurements, as necessary. This is nothing new. In addition, 13485:2016 section 7.5.4 now states that “The organization shall analyze records of servicing activities carried out by the organization or its supplier: a) to determine if the information is to be handled as a complaint: b) as appropriate, for input to the improvement process”. If it is determined that the information is not to be handled as a complaint, then justification is required.
The majority of changes in going from ISO 13485:2003 to ISO 13485:2016 relate to risk and documentation and the training required to competently implement them all. The mindset when transitioning should be: Question each change and the impact that each change will have on the Quality Management System. Document that change, and if no further actions are required, document WHY no further action is deemed necessary.
I welcome reader feedback and questions. My final blog on ISO 13485:2016 will cover Section 8, “Measurement Analysis and Improvement”.
Michael May is a Jr. QA/RA Specialist st StarFish Medical. He uses his background in biomaterials engineering to help clients with QA/RA challenges. He is on track to complete his first blog trilogy before ISO 13485:2016 compliance is required.