Transcription
ISO 13485:2016MEDICAL DEVICES MANAGEMENT SYSTEMIMPLEMENTATION GUIDE50,000CERTIFICATESGLOBALLYTRANSPARENT90
ISO 13485:2016IMPLEMENTATION GUIDE2ISO 13485:2016 IMPLEMENTATION GUIDE
ContentsIntroduction to the standardP04Benefits of implementationP06Risk based thinking / auditsP07Process based thinking / auditP08SECTION 1: ScopeP10SECTION 2: Normative referencesP11SECTION 3: Terms and definitionsP12SECTION 4: Quality management systemP14SECTION 5: Management responsibilityP16SECTION 6: Resource managementP18SECTION 7: Product realizationP20SECTION 8: Measurement, analysis and improvementP22Get the most from your managementP24Next steps once implementedP25Medical devices trainingP27Useful linksP28ISO 13485:2016 IMPLEMENTATION GUIDE3
INTRODUCTIONTO THE STANDARDThe International Standard ISO 13485:2016 defines criteria for a Quality ManagementSystem for Medical Device Manufacturing; this ensures that all medical devices meet properregulatory compliance laws and customer needs.ISO 13485 derived from ISO 9001, a quality management standard that is available to businesses in a widevariety of industries. However, medical device and pharmaceutical companies have specialized requirementsthat made some of the requirements of ISO 9001 difficult to apply, and therefore ISO 13485 was developed toaddress these needs.LEADERSHIPIMPROVEMENTeffective leadership creates a unity of purposeand direction. Strong direction ensures allactivities within the organization are aligned tostrategies, polices and processes to collectivelyachieve planned objectives.improvement is not about an admission ofweakness or fault, but simply a desire to dobetter and keep doing better for the benefit of allinvolved.ENGAGEMENTOF PEOPLEinvolving people means ensuring they arecompetent, empowered and engaged. Effectiveengagement of people gives the organization thetools to achieve its aims.PROCESS APPROACHthis has been a staple of quality managementstandards for many years. Knowing your inputs,actions and intended outputs makes day-today operations predictable and repeatable.Effectively managing processes ensuresresources are used efficiently and highlightsareas for improvement.4ISO 13485:2016 IMPLEMENTATION GUIDEEVIDENCEbased decision making – how many of us haveever made an impulse purchase? Do we reallybelieve that businesses don’t also make thatsame mistake sometimes? Of course they do!But, by applying evidence-based decisionmaking, decisions can be based on knownrequirements and the planned outcomes,direction and purpose of the organization,having involved the customers, end-users andwith improvement in mind.RELATIONSHIPMANAGEMENTapplies to all relationships of the organization.Often it pays to know your competitors asclosely as you know your customers. Buildingnetworks, engaging the general public, reachingyour target audience, all of these things areessential to achieve the aims of a profitableenterprise.
RELATIONSHIP WITHISO 9001while ISO 13485 a stand-alone standard, itis based on ISO 9001:2015. ISO 13485 isintended to assist global alignment of regulatoryrequirements for the quality managementsystems (QMS) of organizations that areinvolved in one or more stages of the life cycleof a medical device. Including requirements fororganizations involved in the life cycle of medicaldevices and excluding requirements of ISO 9001that are not regulatory requirement appropriate.Organizations whose QMS conforms toISO 13485 cannot claim conformity to ISO 9001unless it meets all the requirements of ISO 9001.COMPATIBILITY WITHOTHER MANAGEMENTSYSTEMSthe ISO 13485 Standard does not includerequirements specific to other managementsystems such as environmental management.However, the standard enables an organizationto integrate its own quality management systemwith related management system requirements.It is also possible to adapt its existingmanagement system(s) to form a QMS thatcomplies with the requirements of ISO 13485.ISO 13485:2016 IMPLEMENTATION GUIDE5
BENEFITS OFIMPLEMENTATIONImplementing a Quality Management System for Medical Device Manufacturing toyour business can cite numerous benefits. ISO 13485 provides a framework for goodmanagement practice which demonstrates the businesses commitment to manufacturinghigh-quality medical devices.ISO 13485 was created to ensure thatmedical devices, no matter wherethey are from, demonstrate the samereliability and quality. Having thisstandard can help expand potentialmarket and lead advantages forregulatory approval in major marketslike the European Union and Canada.Having ISO 13485 can also havea positive impact, indicating anorganization’s commitment to highquality.Larger medical device businessesprefer to work with vendors who haveimplemented a quality managementsystem for medical devices and areISO 13485 certified. Revisions in the2016 update to this standard meant thatcompanies are responsible for ensuringthat any subcontractors also conform toISO 13485 standards. Subcontractorsthat are already ISO 13485 certified arelikely to be prioritized.The standards documentation isdesigned to help personnel haveaccess to the information they need,when they need it. Having access tothe right information can reduce thetime and expense associated withproduct development. Documenting theprocesses associated with their medicaldevices could also help organizationsdevelop a consolidated knowledgebase; this can help to identify problems,improve the product, and streamline themanufacturing process.6ISO 13485:2016 IMPLEMENTATION GUIDE
RISK BASEDTHINKING/AUDITSAudits are a systematic, evidence-based, process approach to evaluation of yourQuality Management System. They are undertaken internally and externally to verify theeffectiveness of the QMS. Audits are a brilliant example of how risk-based thinking isadopted within quality management.1st Party Audits- Internal AuditsInternal audits are a great opportunity for learning withinyour organization. They provide time to focus on a particularprocess or department in order to truly assess its performance.The purpose of an internal audit is to ensure adherence topolicies, procedures and processes as determined by you, theorganization, and to confirm compliance with the requirementsof ISO 13485.Audit PlanningDevising an audit schedule can sound like a complicatedexercise. Depending on the scale and complexity of youroperations, you may schedule internal audits anywhere fromevery month to once a year.Risk-based ThinkingThe best way to consider frequency of audits is to look at therisks involved in the process or business area to be audited.Any process which is high risk, either because it has a highpotential to go wrong or because the consequences wouldbe severe if it did go wrong, then you will want to audit thatprocess more frequently than a low risk process. How youassess risk is entirely up to you. ISO 13485 doesn’t dictate anyparticular method of risk assessment or risk management. Youmay wish to review ISO 14971 for more information on riskmanagement.2nd Party – External AuditsSecond party audits are usually carried out by customers orby others on their behalf, or you may carry them out on yourexternal providers. 2nd party audits can also be carried out byregulators or any other external party that has a formal interestin an organization. You may have little control over the timingand frequency of these audits, however establishing your ownQMS will ensure you are well prepared for their arrival.3rd Party – Certification AuditsThird party audits are carried out by external bodies,usually UKAS accredited certification bodies such as NQA.The certification body will assess conformance to theISO 134851:2016 standard. This involves a representativeof the certification body visiting the organization andassessing the relevant system and its processes. Maintainingcertification also involves periodic reassessments. Certificationdemonstrates you have a commitment to quality.CERTIFICATIONASSURES: regular assessment to continuallymonitor and improve processes. credibility that the system can achieveits intended outcomes. reduced risk and uncertainty andincrease market opportunities. consistency in the outputs designed tomeet expectations.ISO 13485:2016 IMPLEMENTATION GUIDE7
PROCESS BASEDTHINKING/AUDITSA process is the transformation of inputs to outputs, which takes place as a series ofsteps or activities which result in the planned objective(s). Often the output of one processbecomes an input to another subsequent process. Very few processes operate in isolationfrom any other.“Process: set of interrelated or interactingactivities that use inputs to deliver anintended result.”ISO 9000:2015 Fundamentals and VocabularyEven an audit has a process approach. It begins withidentifying the scope and criteria, establishes a clear courseof action to achieve the outcome and has a defined output(the audit report). Using the process approach to auditing alsoensures the correct time and skills are allocated to the audit.This makes it an effective evaluation of the performance of theQMS.“Consistent and predictable results are achieved moreeffectively and efficiently when activities are understood andmanaged as interrelated processes that function as acoherent system.”ISO 9000:2015 Fundamentalsand VocabularyUnderstanding how processes interrelate and produceresults can help you to identify opportunities for improvementand thus optimise overall performance. This also applieswhere processes, or parts of processes, are outsourced.Understanding exactly how this affects or could affect theoutcome and communicating this clearly to the businesspartner (providing the outsourced product or service) ensuresclarity and accountability in the process.The final process step is to review the outcome of the auditand ensure the information obtained is put to good use. Aformal Management Review is the opportunity to reflect on theperformance of the QMS and to make decisions on how andwhere to improve. 8ISO 13485:2016 IMPLEMENTATION GUIDE
CLAUSESUnlike most ISO Standards, ISO 13485 does not follow Annex SL. ISO 13485 is focused anddriven by regulations to ensure medical devices on the market are safe and effective whilethe Annex SL structure focuses on the satisfaction of the customer.ISO 13485:2016 consists of 8 core clauses:1. Scope5. Management responsibility2. Normative references6. Resource management3. Terms and definitions7. Product realization4. Quality management system8. Measurement, analysisand improvementISO 13485:2016 IMPLEMENTATION GUIDE9
CLAUSE 1:SCOPEThe ISO 13485 standard identifiesrequirements for a quality managementsystem that organization needs todemonstrate their ability to provide medicaldevices and services that meets customerand applicable regulatory requirementsconsistently. This standard can be appliedto organizations that are involved in oneor more stages of the life-cycle. ISO 13485can also be used by suppliers and externalparties that provide products and servicesto such organizations.The intention is if your organization is involved with medicaldevice provision, ISO 13485 establishes the QMS requirementsto be met. Whether you have a specific product or not, therequirements focus on your organizations ability to consistentlyprovide a product that meets customer and applicableregulatory requirements.The scope of ISO 13485 is not just for manufacturers but thirdparties such as those involved in the supply chain or deliveringservices. The section sets out that the Standard is applicableto all organizations involved in the product life-cycle of medicalproducts, including design, repair, installation, maintenance,and storage of medical devices.10ISO 13485:2016 IMPLEMENTATION GUIDE
CLAUSE 2:NORMATIVEREFERENCES‘Normative references’ simply means any other documents which are referenced within themanagement system standard. In the case of ISO 13485:2016, there are many referencesmade to ISO 9000:2015, Quality management systems – Fundamentals and vocabulary.ISO 9000:2015 is the only normative reference for ISO 13485; it is integral to the standard. Whilst it is not mandatory to purchaseISO 9000:2015, it would be valuable to understand the standard and apply it to ISO 13485.ISO 13485:2016 IMPLEMENTATION GUIDE11
CLAUSE 3: TERMSAND DEFINITIONSThe terms and definitions given in ISO 9001:2015 apply. But be aware that the definitionsprovided for ISO 13485 may differ from the definition in ISO 9000:2015 due to theapplication of the medical device sector.When you write your quality management systemdocumentation, you don’t have to use these exactterms. However, it does help to clarify the meaningand intention if you can define the terms you haveused. Providing a glossary within your systemdocumentation may be useful.Advisory noticenotice issued by the organization, subsequent to delivery ofthe medical device, to provide supplementary information or toadvise on action to be taken in the: use of a medical device, modification of a medical device, return of the medical device to the organization that suppliedit, or destruction of a medical device.Authorized representativenatural or legal person established within a country orjurisdiction who has received a written mandate from themanufacturer to act on his behalf for specified tasks withregard to the latter’s obligations under that country orjurisdiction’s legislation.Clinical evaluationassessment and analysis of clinical data pertaining to amedical device to verify the clinical safety and performance ofthe device when used as intended by the manufacturer.12Distributornatural or legal person in the supply chain who, on his ownbehalf, furthers the availability of a medical device to the enduser.Implantable medical devicemedical device which can only be removed by medical orsurgical intervention and which is intended to: be totally or partially introduced into the human body or anatural orifice, or replace an epithelial surface or the surface of the eye, and remain after the procedure for at least 30 days.Importernatural or legal person in the supply chain who is the firstin a supply chain to make a medical device, manufacturedin another country or jurisdiction, available in the country orjurisdiction where it is to be marketed.Labellinglabel, instructions for use, and any other information thatis related to identification, technical description, intendedpurpose and proper use of the medical device, but excludingshipping documents.Life-cycleall phases in the life of a medical device, from the initialconception to final decommissioning and disposal.ComplaintManufacturerwritten, electronic or oral communication that allegesdeficiencies related to the identity, quality, durability, reliability,usability, safety or performance of a medical device that hasbeen released from the organization’s control or related to aservice that affects the performance of such medical devices.natural or legal person with responsibility for design and/ormanufacture of a medical device with the intention of makingthe medical device available for use, under his name; whetheror not such a medical device is designed and/or manufacturedby that person himself or on his behalf by another person(s).ISO 13485:2016 IMPLEMENTATION GUIDE
Medical devicePost-market surveillanceinstrument, apparatus, implement, machine, appliance,implant, reagent for in vitro use, software, material or othersimilar or related article, intended by the manufacturer to beused, alone or in combination, for human beings, for one ormore of the specific medical purpose(s) of:systematic process to collect and analyse experience gainedfrom medical devices that have been placed on the market. diagnosis, prevention, monitoring, treatment or alleviation ofdisease; diagnosis, monitoring, treatment, alleviation of orcompensation for an injury; investigation, replacement, modification, or support of theanatomy or of a physiological process; supporting or sustaining life; control of conception; disinfection of medical devices; providing information by means of in vitro examination ofspecimens derived from the human body;and does not achieve its primary intended action bypharmacological, immunological or metabolic means, in oron the human body, but which may be assisted in its intendedfunction by such means.Medical device familygroup of medical devices manufactured by or for thesame organization and having the same basic design andperformance characteristics related to safety, intended use andfunction.Productresult of a process.Purchased productproduct provided by a party outside the organization’s qualitymanagement system.Riskcombination of the probability of occurrence of harm and theseverity of that harm.Risk managementsystematic application of management policies, proceduresand practices to the tasks of analysing, evaluating, controllingand monitoring risk.Sterile barrier systemminimum package that prevents ingress of microorganismsand allows aseptic presentation of the product at the point ofuse.Performance evaluationSterile medical deviceassessment and analysis of data to establish or verify theability of an in vitro diagnostic medical device to achieve itsintended use.medical device intended to meet the requirements for sterility.ISO 13485:2016 IMPLEMENTATION GUIDE13
CLAUSE 4:QUALITYMANAGEMENTSYSTEMIn this section, clause 4 addresses the requirement to document procedures relating to thequality management process.4.1 Q uality management system – General requirements:A lot of requirements, overall viewpoint that is further expanded in particular clauses, can beabbreviated to: Meet requirements of the standard and applicableregulations Document roles undertaken (scope) Determine processes needed for QMS and theirinteractions Apply controls based on risk, including outsideprocesses (which also need written quality agreements inplace) Determine criteria for each process to achieve Ensure availability of resources and information foroperation and monitoring Maintain process effectiveness by action Monitor, measure and analyze Keep records Control change Validate software used in QMS4.2 Q uality management system – Documentation requirements:Document the following: Manual Medical device files/batch records and technical files orspecifications Procedures and records required by this standard,regulations, customers and any other identifiedrequirement14ISO 13485:2016 IMPLEMENTATION GUIDE Good documentation practices are required as recordsand changes to them must remain legible. Example of achange: 205 250 T.R Signature XX/XXX/XXXX
ISO 13485:2016 IMPLEMENTATION GUIDE15
CLAUSE 5:MANAGEMENTRESPONSIBILITYSection 5 focuses the need for top management to be instrumental in the implementationand maintenance of the Quality Management System. On top of the planning of the QMS,top management needs to be involved in the review of the system to ensure it meets therequirements and shows there is improvement.Management commitmentEvidence of commitment to the implementation anddevelopment of the QMS should be shown by topmanagement. Top management is the person or groups ofpeople who has the control of your organization at the highestlevel.Evidence of top management’s commitment can be shownby communication to the organization of meeting customerand regulatory requirements made, establishment of qualitypolicy, ensure quality objectives are establish, conductingmanagement reviews and make certain of the availabilityof resources.Customer focusTop management must ensure that customer and regulatoryrequirements are met. It is important that top managementensure that actions are implemented to address anyrequirements, risks and opportunities. If this does not achievemeeting customer requirements or regulatory requirements,a Plan-Do-Check-Act approach is continued to furtherimprovements until they are met.Quality policyThis section states the top management are responsible todefine the quality policy and to ensure the quality policy:aligns to the organizations purpose; shows commitment tofollow requirements and maintain effectiveness; supplies aframework for reviewing quality objectives; is fully understoodand communicated throughout within the organization; andreviewed for continued suitability.Top management’s commitment to quality should becommunicated through the quality policy. Clear objectivesshould be demonstrated in the quality policy to show thatyour organization is committed to implementing the policyand the objectives should be relevant to your organization andyour customers.16ISO 13485:2016 IMPLEMENTATION GUIDEPlanningThe quality objective set by Top Management must berealistic and are established at relevant functions andlevels throughout your organization. Objectives suchas meeting customer and regulatory requirements formedical devices or reducing errors etc are examples ofachievable and measurable outcomes for the QMS.Although the objectives do not need to be carried outby the top management personally, ensuring that actionis taken for the objectives to be achieved is still topmanagement responsibility.Planning will take place at the initial stages ofdevelopment and implementation, however, asobjectives can change over time, planning may beongoing and assist the QMS to be effective whilechanges are made and after. Risk based considerationswill also be included in the planning due to the effectsthe changes may on your QMS.Examples of inputs intoQMS planning: Quality policy Quality objectives Regulatory requirements etcExamples of outputs fromQMS planning: Quality manual Gap analysis Action plans etc
Responsibility, authority andcommunicationResponsibilities and authorities shall be established,documented and communicated for those roles that affectquality, also to document the interrelationship between eachrole. This documentation forms part of your QMS and has tobe controlled.Top management shall assign responsibility to a memberof management as the representative. The representative’sresponsibilities could be entirely related to the QMS activitiesor be in conjunction with other responsibilities within theorganization. There should be no conflict of interest betweenthese responsibilities.Top management must establish processes that ensureappropriate communication regarding the effectiveness of theQMS within the organization. This communication should goboth ways, allowing personnel to ask questions and makesuggestions about improving the QMS.Management reviewManagement review is an essential element of a qualitymanagement system. It is the formal point at which topmanagement review the effectiveness of the QMS and ensureits alignment to strategic direction.It is not essential for one single management review meetingto take place covering the full agenda. If you currently holda range of meetings that cover the inputs between them,there is no specific need to duplicate. However, you mayfind that a big-picture view is made easier by consideringthe management review inputs in one meeting rather thanseparating them. It really depends on the size and structure ofyour organization and who attends each of the meetings.Management review meetings commonly take place asan annual event, however much like internal audits, theirfrequency is not specified by ISO 9001:2015. It’s up to youto decide. During implementation and early stages of settlingin to your QMS, it may make sense to hold meetings morefrequently.You will need to retain documented information on yourmanagement reviews, these would normally be meetingminutes or perhaps call recordings if you carry outconference calls.ISO 13485:2016 IMPLEMENTATION GUIDE17
CLAUSE 6:RESOURCEMANAGEMENTSection 6 is short and it covers the necessity to control all resources. This includes humanresources, infrastructure and work environment.Provision of resourcesInfrastructureThe requirements to provide adequate resources shall bedetermined by the organization, these include: implementingthe QMS and maintaining its effectiveness and to meetregulatory and customer requirements. Regardless of whetherassociated processes are performed by and external party oryour organization, responsibility for the provision of resourceswill reside with your organization. Review of your resource needsshould be done of a regular basis and is usually part of themanagement review, when a new contract is considered, a newbusiness strategy is considered and when there are regulatoryrequirement changes.This includes determining, providing and maintaining thepremises, hardware, software, transportation, storage, technologyetc that are needed to achieve conformity to product and process.This will prevent product mix-up and secure orderly handling ofproducts.Human resourcesPeople are the most important resource for an organization, andneeds enough people with the right competences to do the work.Roles who affect quality must have necessary competence andhave the appropriate training for the skills required for those roles.The organization shall document the processes of establishingcompetence, providing the needed training and ensure theawareness of personnel.18ISO 13485:2016 IMPLEMENTATION GUIDEWork environment andcontamination controlThis isn’t referring to the great outdoors. This means providingan environment that is suitable for what you are trying to achieve.Whether that is a factory, office, studio or any other type ofworking space, make sure you have the right atmosphere toenable work environment conditions suitable for the monitoringand control of products produced, in order to prevent productdamage or contamination. Adequate controls, parameters andindicators, maintenance of appropriate sanitation and hygiene etcall contribute to an effective working environment.Organizations must plan and document requirements in order tocontrol contaminated products and prevent contamination of thework environment, staff or products. The section also states forsterile medical devices, requirements shall be documented forthe control of contamination with microorganisms and to keep therequired cleanliness during assembly or packaging processes.
ISO 13485:2016 IMPLEMENTATION GUIDE19
CLAUSE 7:PRODUCTREALIZATIONSection 7 concerns itself with the product requirements that deal with the planning and creationof the product or service. It includes requirements such as planning, design and development,purchasing and control of monitoring and measuring equipment. The standard allowsrequirements in this section to be excluded if they are not applicable to the organization.Planning ofproduct realizationIt is important for an organization to plan and developfor product realization and document the processesneeded. These plans should be consistent and alignwith the requirements of the other processes in theQMS. Additionally, the organization needs to addressactivities such as handling, storage, distribution andtraceability activities.The clause also states the need to have a documentrisk assessment process in production. This is almosta passing comment but is actually quite importantto implement. PFMEA is a good way to address thisrequirement. It also references ISO 14971, the standardfor risk assessment in medical devices, which may beuseful as well.Customer-related processesYour organization must determine requirements for customerexpectation, and determination of any user training needed toensure specified performance and safe use of medical devices.Prior to a commitment to supply products to a customer, thereshould be a review of the requirements related to products toensure customer requirements are fully understood.There should be plans and documentation of communicationwith customers and regulatory authorities. Communicationwith customers is in relation to: product information; enquiries,contracts and orders; feedback; and notices.Design and developmentWhen designing or developing your product or service, you willneed to consider the legal requirements, any other standardsthat may apply, the potential consequences of failure andanything you have learned along the development journey.You will be required to retain documented information ondesign inputs.Design and development controls refers to any touch pointsalong the design process where validation, verification, testing,authorisation or any form of sign-off or acceptance may berequired.You will be required to retain documented information ondesign and development control activities.Once you have determined the design inputs and thenecessary controls to assure conformity, you will then needto ensure your outputs meet those requirements. This is theplace where you would also keep records of monitoring,measurement, traceability (e.g. of materials or measurements)and acceptance criteria.This could be in the form of a bill of materials, technicalspecification or handbook, user guide, process manual,system guide or service level agreement.Any changes to the design and development of the productor service must be identified, controlled, recorded andcommunicated to ensure the product or service conforms tothe customer and other applicable requirements along withclear authorisation for the changes.There needs to be a documentation of procedures to controldesign and development changes. The significance ofchanges must be determined through function, performance,usability, safety and applicable regulatory requirements for themedical device. Before any changes are made, it needs to bereviewed, verified, validated and approved.For each medical device type or medical device family, adesign and development file must be maintained.20ISO 13485:2016 IMPLEMENTATION GUIDE
PurchasingPurchasing process must conform to documented procedures.Criteria for the evaluation and selection of suppliers mustbe established by the organization and should be basedon: th
ISO 13485 derived from ISO 9001, a quality management standard that is available to businesses in a wide variety of industries. However, medical device and pharmaceutical companies have specialized requirements that made some of the requirements of ISO 9001 difficult to apply, and
