Changes in the new ISO 13485 may conflict with many of the requirements in FDA’s quality system regulation.
“This has the potential to create further confusion in implementing a medical device quality management system, especially when it must satisfy both QSR and ISO 13485:2016,” says Dan O’Leary, president of Ombu Enterprises.
He pointed out some of the inconsistencies between the QSR and the new ISO standard. For example, in the QSR, suppliers must notify the manufacturer of changes so the manufacturer can evaluate the effect of the change on the finished device. This makes sense, as the manufacturer is the expert on the device, O’Leary tells IDDM.
But in the 2016 ISO standard, the supplier notifies the manufacturer of changes that affect their ability to meet specified purchasing requirements.
“The new version of the standard runs the risk of looking like configuration control requiring the supplier to obtain concurrent approval of all device customers. However, the requirement in practice becomes notification of the intent to ship nonconforming product,” he says.
O’Leary also highlights inconsistencies in evaluating nonconforming products. For example, in the QSR, evaluation of a nonconforming product requires notification to the “persons or organizations responsible for the nonconformance.”
He notes that while the new ISO notification requirements don’t preclude internal notification, a restriction to external parties, presumably suppliers, seems to limit the effectiveness of the standard and raises questions about the lack of internal notifications.
He also notes inconsistencies in process validation requirements in FDA’s QSR versus ISO 13485:2016. For example, in the QSR a process requires validation when the results cannot be fully verified by subsequent inspection and testing. In the 2016 ISO standard, a process requires validation when the output cannot be verified by subsequent monitoring or measurement.
“The 2016 version seems to clarify the use of sampling plans with the addition of process output that ‘is not verified’, but it doesn’t address which characteristics are subject to verification,” he explains.