New ISO 13485: Device Companies Have Three Years to Transition
March 2, 2016
The International Organization for Standardization (ISO) released its long-awaited revision to ISO 13485, the global standard for medical device quality management systems (QMS), which replaces the previous version from 2003.
The new revision places a greater emphasis on QMS throughout the supply chain and product lifecycle, as well as device usability and postmarket surveillance requirements. Over the next three years, ISO 13485:2003 and ISO 13485:2016 will coexist, allowing manufacturers, accreditation/certification bodies and regulators time to transition to the new standard.
According to a draft transition planning guidance, organizations will still be able to be accredited for either ISO 13485:2003 or ISO 13485:2016 for the first two years of the transition period; however, after the second year, new accreditation will only be given for ISO 13485:2016. After the third year, the guidance says, "any existing certification issued to ISO 13485:2003 will not be valid."
Many organizations involved with medical device development, including manufacturers and service providers use ISO 13485 to "demonstrate [their] ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements."
Regulators worldwide have integrated ISO 13485 into their regulatory systems, including those in the US, EU, Canada, Australia and Japan. The standard is sometimes adapted to meet local requirements, for example, EN ISO 13485:2012 in the EU adds a forward and several annexes to the standard specific to the region.
ISO 13485 is also used for the Medical Device Single Audit Program (MDSAP), an international effort to reduce redundant audits of medical device manufacturers.
"Many jurisdictions have got quality management system requirements for medical device manufacture and supply, so it's really important that there's a common understanding between the regulator and the industry as to what's required for that quality management system," said Eamonn Hoxey, former chair of ISO's technical committee for quality management and corresponding general aspects for medical devices in a video interview on ISO's website.
ISO 13485:2016 Major Revisions
The decision to revise ISO 13485 was made following the most recent review of the 2003 standard, according to Hoxey.
"When we did the last review, we had discussions with the regulatory authorities and we – both industry and the authorities – felt that it was time to revise the standard … Since 2003, a number of jurisdictions have either revised or introduced regulations for medical devices, so we want to make sure the quality management system requirements align fully with those regulatory requirements."
When asked about the new revision, ISO representative Maria Lazarte, relayed a list of major changes from the technical committee for ISO 13485.
Some of the biggest changes between the 2003 and 2016 version include:
- Incorporation of risk-based approaches beyond product realization. Risk is considered in the context of the safety and performance of the medical device and in meeting regulatory requirements;
- Increased linkage with regulatory requirements, particularly for regulatory documentation;
- Application to organizations throughout the lifecycle and supply chain for medical devices;
- Harmonization of the requirements for software validation for different software applications (QMS software, process control software, software for monitoring and measurement) in different clauses of the standard;
- Emphasis on appropriate infrastructure, particularly for production of sterile medical devices, and addition of requirements for validation of sterile barrier properties;
- Additional requirements in design and development on consideration of usability, use of standards, verification and validation planning, design transfer and design records;
- Emphasis on complaint handling and reporting to regulatory authorities in accordance with regulatory requirements, and consideration of post-market surveillance; and
- Planning and documenting corrective action and preventive action, and implementing corrective action without undue delay.
Speaking to those changes, Hoxey said "it's important to bear in mind that ISO 13485 does deal with the whole lifecycle from design and development, through manufacture, transport … and on to the end of life."