NQA - ISO 13485 Gap Guide
0 likes103 views
This document provides a detailed comparison of the changes between ISO 13485:2003 and ISO 13485:2016 for quality management systems in the medical device industry. It outlines numerous additions and clarifications to requirements for areas such as documentation, risk management, design and development, purchasing, production, complaints handling, nonconforming products, and data analysis. Organizations must transition to the new 2016 standard and undergo an audit to ensure compliance with the new requirements before March 2019.
NQA - ISO 13485 Gap Guide
- 2. INTRODUCTION • Does not follow Annex SL i.e. the new format/ clause numbering of ISO 9001:2015. • Does not replicate the ISO 9001:2015 changes. • Requires a risk-based approach to control of processes. • Has several additional sub-clauses added. • Provides for stronger emphasize on ensuring applicable regulatory requirements are considered and complied with throughout deployment of the QMS and for the products/services. • Effects design and development - minor improvements concerning greater traceability between inputs and outputs, design transfer requirements, the need for design files and the increased extent of design change considerations. • Provides greater control over external providers especially if they increase risk to the product, more records required and increased verification action where supplier don’t comply with your requirements. • Clarifies and strengthens the validation requirements. • Requires more inputs to the risk management processes e.g. from customer feedback (see 8.2.1) • Has a new sub clause devoted to complaints and their handling. • Improves product preservation and contamination control. • Strengthens controls of non-conforming product. • Mandates more inputs for analysis of data. • Provides more definitions of terms (section 3). • Documented procedures now required by the following clauses;4.1.6, 4.2.4, 4.2.5, 5.6.1, 6.2, 7.1, 7.3.1, 7.3.8, 7.3.9, 7.4.1, 7.5.6, 7.5.7, 7.5.8, 7.5.9.1, 7.5.11, 7.6, 8.2.1, 8.2.2, 8.2.4, 8.3.1, 8.3.3, 8.4, 8.5.2 and 8.5.3. ISO 13485:2016 – what’s changed? From May 2017, NQA is able to carry out transition audits to the revised medical device standard as a part of your next assessment. Every organization which wishes to maintain certification to this standard must undergo a transition audit before March 2019 including resolution of any/all non-conformances raised during the transition audit. To help get you started, the helpful annexes in the new standard have been expanded to give you more detail on where to focus your attention to understand and implement the required changes. The work required will of course depend on your products/services and the non- applicable cause specific to your QMS. OUR VALUES We will help you understand the changes, interpret the new concepts and act on the implications. Keep updated with the changes at www.nqa.com/change Please get in touch if you have any questions – call 0800 052 2424. IN SUMMARY ISO 13485:2016:
- 3. Introduction Detailed comparison of content between ISO 13485:2003 and ISO 13485:2016 Foreword — clarifies the effect of the third edition of this International Standard. 4.1 General • Includes substantially more detail related to the nature of the organization covered by this International Standard’s requirements and the life-cycle stages covered. • Explains that the requirements can be used by suppliers or other external parties either voluntarily or as a result of contract arrangements. • Alerts organizations about their obligations related to regulatory requirements focused on quality management systems. • Alerts organizations about differences in local regulation definitions and their obligation to understand how these definitions will affect their quality management system. • Adds the obligation to meet the organization’s own quality management system requirements. • Specifically calls out the focus on the necessity to “meet customer and applicable regulatory requirements for safety and performance.” • Emphasizes that the product requirements that are important are those related to safety and performance. • Adds two influences on the nature of the quality management system that were not in the original listing (organizational environment and regulatory requirements). • Clarifies that the organization does not have to align its documentation to the clause structure of this International Standard. 0.2 Clarification of concepts — adds two additional criteria associated with the description of appropriate requirements • Compliance with regulatory requirements; • The requirement is necessary for the organization to manage risks. • Limits application of risk to the safety or performance requirements of the medical device or meeting applicable regulatory requirements. • Clarifies that the term “documented” includes the need to establish, implement and maintain. • Clarifies that the term “product” applies to outputs that are intended for, or required by, a customer, or any intended output resulting from a product realization process. 0.3 Process approach explanation of process approach extended 0.4 Relationship with ISO 9001 — states the relationship between ISO 13485:2016 and ISO 9001:2015 • Indicates the structural relationship between ISO 13485:2016 and ISO 9001:2015 will be outlined in Annex B. • The use of italic text within standard to indicate changes from ISO 9001:2008 has been eliminated. 1. Scope 1.0 Scope indicates the applicability of this International Standard to organizations that are involved in one or more stages of the life-cycle of a medical device • Indicates that this International Standard can also be used by suppliers or external parties that provide product, including quality management system- related services to medical device organizations • Specifically calls out the responsibilities for monitoring, maintaining, and controlling outsourced processes • Expands requirements that can be not applicable to those in Clauses 6 and 8 • Clarifies that the term “regulatory requirements” includes statutes, regulations, ordinances or directives and limits the scope of the “applicable regulatory requirements” to those requirements for the quality management system and the safety or performance of the medical device
- 4. 2. Normative references 3. Terms and definitions 4. Quality management system 4.1 General requirements • QMS must additionally be maintained and managed in accordance with applicable regulatory requirements • Added requirement to document the role(s) of the organization • Requires the determination of processes “taking into account the roles undertaken by the organization” • Requires the application of a “risk based approach to the control of the appropriate processes needed for the quality management system” • Added requirements related to validation of the application of computer software used in the quality management system • Processes must be managed IAW regulatory requirements • Controls over outsourced processes must be implemented but in proportion to the risk involved and the ability of the external provider to meet requirements. Controls must include written quality agreements • When changes are made to the QMS processes, the changes must be evaluated for their impact on the: - QMS - the medical devices 4.2 Documentation requirements includes control of records within the document control requirements • Lists the documents that would be included in the medical device file • New requirement related to protection of confidential health information. • New requirement related to security, deterioration and loss of documents Several new definitions added and some existing definitions refined. 5. Management review 5.6 Management review — Includes requirement for the documentation of one or more procedures for management review and the requirement for management reviews at “documented planned intervals” • Lists of inputs and outputs of management review have been expanded adding: - Complaint handling (input) - Reporting to regulatory authorities (input) - Changes need to respond to new/revised regulatory requirements (output) 6. Human resources 6.2 Human resources — new requirement for documentation of processes (proportionate to the risk) to establish • Competence • Providing needed training • Ensuring awareness of personnel 6.3 Infrastructure - adds requirement that • infrastructure:- - prevents product mix-up - ensures orderly handling of product. • Supporting services now includes information systems • Maintenance requirements must now include frequency of maintenance and must apply (where appropriate) to:- - equipment used in production - the work environment - monitoring and measurement. 6.4 Work environment and contamination control • Added documentation requirements for work environment • Added requirement related to control of contamination with microorganism or particulate matter for sterile medical devices • Added requirements to list e.g. 7.1(b) plan provision of resources specific to the infrastructure including the work environment. • One or more processes for risk management of product realisation shall be documented
- 5. 7. Customer-related processes 7.2 Customer-related processes added requirements related to • Communication with regulatory authorities • Provision of any user training needed to ensure performance and safe use of the medical device 7.3.2 Design and development (D&D) planning (was 7.3.1) – changes include • Separating from the old clause 7.3.1, hence emphasising the importance, of the need to plan the reviews needed at each stage of design and development • The need to plan/assure how design outputs will be traceable to design inputs • Eliminated the requirement related to the management of the interfaces between different groups involved in design and development 7.3.3 Design and development inputs • Input requirements shall be able to be verified or validated • Usability of the medical device is now an input 7.3.5 Design and development review added requirements to • Details of the contents of records to be retained e.g. the identification of the design under review, participants and the date of review. 7.3.6 Design and development verification, added requirements for • Documentation of verification plans and interface considerations. • Records of verification 7.3.7 Design and development validation, added requirement for • Documentation of validation plans, product to be used for validation and interface considerations • Records of validation. 7.3.8 Design and development transfer — new sub-clause, includes • Need for a documented procedure(s) and to ensure that production capability can meet product requirements • Records to be made of the results and conclusion of design transfer 7.3.9 Control of design and development changes • Adds the requirement to evaluate the effect of change on: - products in process - the outputs of risk management - product realization processes • Added detail to consider in the determination of the significance of a design and development changes 7.3.10 Design and development files — new sub-clause added • Required for each type/family of devices • Needs to reference records which demonstrate conformity to requirements for D&D • Needs to reference records for D&D changes 7.4.1 Purchasing process • Focuses the supplier selection criteria on the effect of the supplier performance on the quality of the medical device, the risk associated with the medical device, and the product meeting applicable regulatory requirements • New requirements added related to monitoring and re-evaluation of suppliers and action to be taken when purchasing requirements are not met • Provides additional details related to the content of the records. e.g. records required of the results of the selection, monitoring and re-evaluation process 7.4.2 Purchasing information • New requirement added to include a written agreement with suppliers for notification of changes in purchased product 7.4.3 Verification of purchased product • New requirements added on the extent of verification activities and action to be taken when the organization becomes aware of any changes to the purchased product 7.5.1 Control of production and service provision, additional requirements for • Qualification of infrastructure • Measurement of process parameters and product characteristics 7.5.2 Cleanliness of product • Added contamination control to be considered as well as cleanliness • Clause now applies if product cannot be cleaned prior to sterilisation or its use and it cleanliness is of significance in use 7.5.4 Servicing activities • New requirement for analysis of records for servicing activities 7.5.6 Validation of processes for production and service provision • Added requirements to be included in the documented procedure for validation: - acceptance criteria for validations - where appropriate, statistical techniques to be used and the rationale for the sample sizes used to validate the processes. - criteria triggering re-validation • Relates the specific approach to software validation to the risk associated with the use of the software • Adds requirements related to the validation records, e.g. the conclusion of the validation 7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier systems • Added requirements for sterile barrier systems and revalidating after process and/or product changes 7.5.8 Identification • Added requirement for unique device identification • New requirement for a documented procedure for product identification and regarding identification and product status during production 7.5.11 Preservation of product • Product now to be protected from alteration, contamination and/or damage when exposed to expected conditions and hazards during processing, storage, handling and distribution • Adds details as to how preservation can be accomplished
- 6. 8. Feedback 8.2.1 Feedback • Feedback required from production and post-production activities • Adds a requirement to utilize feedback in risk management processes in order to monitor and maintain product requirements 8.2.2 Complaint handling – new sub clause builds on 2012 version requiring a procedure for this topic including • Receiving and recording information • Evaluating if there is any form of complaint within the feedback received from any source • The need to report ‘information’ to appropriate regulatory bodies • Complaint-related product handling • Keeping complaint records 8.2.3 Reporting to regulatory authorities — new sub-clause • Documented procedure required for providing notification to regulatory authorities ONLY if applicable regulatory requirements require notification of complaints that meet specified criteria for adverse events or issuance of advisory notices • Records for reporting to be maintained 8.2.6 Monitoring and measurement of product • Adds requirement to identify the test /measuring equipment used to perform measurement activities 8.3 Control of nonconforming product, added details related to kinds of controls that shall be documented • Need to document in procedure responsibilities and authorities for identification/ documentation/segregation/evaluation/disposition of non-conforming product • Need to determine the need for investigation and notifying external parties responsible for the nonconformity • Records to be maintained of evaluations, investigations and the rationale for decisions • Adds requirements related to concessions: justification and approval needs to be provided and applicable regulatory requirements met • Separated requirements for nonconformities detected before delivery, detected after delivery and rework • Adds requirements for records related to the issuance of advisory notices and results of rework. 8.4 Analysis of data, adds • The requirement to include determination of appropriate methods, including statistical techniques and the extent of their use. • List of 6 minimum inputs for analysis adding audits and service reports (as appropriate) to those already listed in 2012 version. 8.5.2 Corrective action, adds requirement • To verify that the corrective action does not have an adverse effect on product • For corrective action to be taken without undue delay
- 7. www.nqa.com