Changes in the new ISO 13485 may conflict with many of the requirements in FDA’s quality system regulation.
“This has the potential to create further confusion in implementing a medical device quality management system, especially when it must satisfy both QSR and ISO 13485:2016,” says Dan O’Leary, president of Ombu Enterprises.
Improvements in the new standard, released late February, include broadening its applicability to include all organizations involved in the life cycle of a device, greater alignment with regulatory requirements and a greater focus on post-market surveillance including complaint handling.
O’Leary points out some of the inconsistencies between the QSR and the new ISO standard. For example, in the QSR, suppliers must notify the manufacturer of changes so the manufacturer can evaluate the effect of the change on the finished device. This makes sense, since the manufacturer is the expert on the device, he says.
But in the 2016 ISO standard, the supplier notifies the manufacturer of changes that affect their ability to meet specified purchasing requirements.
“The new version of the standard runs the risk of looking like configuration control requiring the supplier to obtain concurrent approval of all device customers. However, the requirement in practice becomes notification of the intent to ship nonconforming product,” he says.
Control of Nonconforming Product
O’Leary also highlights inconsistencies in evaluating nonconforming products. For example, in the QSR, evaluation of a nonconforming product requires notification to the “persons or organizations responsible for the nonconformance.”
He notes that while the new ISO notification requirements don’t preclude internal notification, a restriction to external parties, presumably suppliers, seems to limit the effectiveness of the standard and raises questions about the lack of internal notifications.
He also notes inconsistencies in process validation requirements in FDA’s QSR versus ISO 13485:2016. For example, in the QSR, a process requires validation when the results cannot be fully verified by subsequent inspection and test. In the 2016 ISO standard, a process requires validation when the output cannot be verified by subsequent monitoring or measurement.
“The 2016 version seems to clarify the use of sampling plans with the addition of process output that ‘is not verified,’ but it doesn’t address which characteristics are subject to verification,” he explains.
The new 13485, which revised a 2003 version, also contains significant changes in terms of validation of computer software, says John Beasley, senior consultant at MedTech Review. Compliance with computer software validation could be a full-time job at some companies, he says.
Computer Software Validation
“The FDA has always had, since 1996, a requirement for validation of computer software that is used not only in production but also in the quality management system. But that requirement is not a specific item that is looked at in the QSIT audit that FDA investigators do,” he tells GMP.
“So, I am asking the question, ‘What does your validation of computer software look like?’ and I’m encouraging people to get it ready because when the ISO auditor comes in for the new standard, they will look at it,” Beasley adds.
The 2016 ISO standard also places greater emphasis on having the appropriate quality infrastructure, particularly for the production of sterile medical devices, and more focus on risk management, ISO says.
Another change worth noting involves management review of new and revised regulatory requirements, Beasley says. “In the new version, it isn’t enough that you make management aware of the new and revised requirements. You need to document how management will respond to these modified requirements,” he explains.
“So when China comes up with new rules on clinical trials and you are coming for a revision to your medical device license in China, are you going to have to provide information on a clinical trial that will be acceptable to the China FDA? How are you going to respond? Are you going to investigate? Who are you going to investigate with?” he says.
It costs roughly $158.