ISO 13485:2016

Norm for regulatory

compliance
MANISH JOSHI
Risk subjects

• Manufacturer is compelled to evaluate impact of

use of the device:
• On patient
• On intended user
• On bystanders
• On general environment
• Manufacturer is compelled to evaluate effect of
product impact in all life cycle, from manufacturing
to disposal
Norms

• Device lifecycle is regulated as per:

• ISO 13485 for Quality Systems
• ISO 14971 for Risk Management
• ISO 14155 and various guidelines for Clinical Investigations
• Each product category is then regulated by
technical norms
• For electro medical devices
• For sterile devices
• For devices in contact with the body
• Multiple harmonised and not harmonised norms for technical
regulation
Quality Management System

• Full company management system

• Internal processes
• Processes directed to the customer
• Continuous feedback
• For an organization to function effectively, it has to
identify and manage numerous linked processes
Definitions….

• Process: an integrated set of activities that uses

resources to transform inputs into outputs
• System: several processes are interconnectedusing
such input-output relationships.
• NOTE: Processes are interconnected to form a
system because the output from one process
becomes the input for another process.
Process approach: a
management strategy
• Managers shall identify and rule:
• processes that make up their organization,
• the interaction between these processes
• the inputs and outputs that glue these processes
together
• Each process is evaluated by its capacity to reach a
set goal
Typical processes for any
company
• Quality Management/ Management review
• Training
• Design and Development
• Production Management
• Service Provision
• Logistic Management
• Customer Relationship Management
• Product Purchasing/ Supplier qualification
Manufacturers’ responsibility

• Develop the QS and apply regulation as applicable

to their specific products and operations
• Establish
• requirements for each type or family of devices to
ensure that devices are safe and effective,
• methods and procedures to design, produce, distribute,
etc. devices that meet the requirements
General rule for all systems

The responsibility for

• meeting system and product
requirements
• having objective evidence of
meeting these requirements
MAY NOT BE DELEGATED
Aim of the standard
ISO 13485:2016 clause 1.1

• Specify requirements on SYSTEM

• Facilitate global alignment of appropriate
regulatory requirements
• Provide an unique, integrated approach

Evaluation of process risk

Subsequent management
Receivers
ISO 13485:2016 clause 1.1

• Companies that need to implement and maintain

a “strong” QMS
• Consistently manage the life cycle of a MD or IVD
• Meet customer requirements
• Meet regulatory requirements
• Any company regardless size or type
• Manufacturers of finished devices
• Manufacturers of subassemblies (no regulatory requirements as
per MDD or IVD)
• Suppliers of services
Receivers
• organization involved in stages of the life-cycle of a
medical device
• including the design and development, production,
storage and distribution, installation or servicing of
medical devices, and the design, development, and
provision of associated activities
• suppliers or other external parties providing goods
and services
• sterilization services, calibration services, distribution services)
Mandatory?
• Voluntarily choose to conform to the
requirements of this standard
• OR may be required by contract to conform
• As all HARMONISED standards, allows
claiming presumption of compliance to
Essential Requirements of Medical Device
Directive/ IVD Directive
Role of the company

• The organization shall:

• identify its role(s) under appropriate
regulatory requirements,
•  identify the regulatory requirements that
are appropriate for its activities under
these roles, and
•  incorporate these appropriate regulatory
requirements within its quality
management system.
Relationship to other standards
• Can be used as an part of an integrated
system
• Business 9001 series
• Environment ISO 14000 series
• Health and safety
• Ethics
Relationship to ISO 9001:2015
• Common approach:
• process approach
• risk-based thinking
• Different structure
• ISO 13485:2016 still reflects the structure from
ISO 9001:2008
ISO 9001:2015 ISO 13485:2016

Understanding the context of the Quality management system

organization, its quality management
system and processes

Leadership, policy and responsibilities Management

Processes for planning and consideration Resource management

of risks and opportunities

Processes for support, including Product realization

resources, people and information

Operational processes related to

customers and products and services

Processes for performance evaluation Measurement, analysis and improvement

Processes for improvement

Risk based approach
• “One size fits all” or “worst case” approach is
not feasible
• Technically
• economically
• “Sizing” the system on the company
• objectives,
• products / services
• Processes
• size and organizational structure
•  appropriate regulatory requirements
Limitations to applicability
• Some product limitations (clause 6, 7 or 8)
• Not sterile (waive 6.4.2 and 7.5.1.3)
• Not cleaned (waive 7.5.1.2.1)
• Not installed (waive 7.5.1.2.2)
• Not serviced (waive 7.5.1.2.3)
• Not active implantable (waive 8.2.4.2)
• Exclusion of design activities
4 Quality management
system
• QMS defined and maintained
• According to ISO standard
• According to regulatory requirements
• Documentation of role of organization
• manufacturer, authorized representative, importer or
distributor.
System planning
clause 4.1.2

• Determine processes
• Control them via a risk based
approach
• Determine process
flow/interactions
System functioning
clause 4.1.3 and 5.4.2

• Criteria and methods to ensure process

effectiveness
• Resources
• Achieve planned results (including quality
objectives)
• Monitor, measure
• Record (written)
System change control
clause 4.1.4

• Impact on QMS
• Impact on products
• Control:
• Non- distruption of QMS (see also clause 5.4.2)
• Compliance to regulatory requirements
Control of outsourced processes
Clause 4.1.5

• The organization shall retain responsibility of

conformity
• Monitor and control
• Written quality agreements NEW
SW validation
clause 4.1.6

• SW used in the QMS NEW

• First use
• changes
• Risk based approach to SW validation
• NOTE: written records required
• NOTE: CEI 62304
4.2 Documentation
requirements
• Quality policy
• Quality objectives
• Quality manual
• Procedures and records
• Documents for planning, operation and control
(work instructions)
• Others?
4.2.2 Quality manual
(unvaried)
• a) the scope of the QMS,
• justification for any exclusion or non-application;
• b) the documented procedures;
• outline the structure of the documentation
• c) interaction between the processes
4.2.3 Medical device file
NEW
• For each medical device type or medical device
family
• Documents generated to demonstrate conformity
with
• requirement of ISO
• compliance with applicable regulatory requirements
Contents of file

• a) general description of the medical device,

intended use/purpose, and labelling, including any
instructions for use;
• b) specifications for product;
• c) specifications or procedures for manufacturing,
packaging, storage, handling and distribution;
• d) procedures for measuring and monitoring;
• e) as appropriate, requirements for installation;
• f) as appropriate, procedures for servicing.
IVD regulation proposal
ANNEX II TECHNICAL DOCUMENTATION

• DEVICE DESCRIPTION AND SPECIFICATION,

INCLUDING VARIANTS AND ACCESSORIES
• INFORMATION SUPPLIED BY THE MANUFACTURER
• DESIGN AND MANUFACTURING INFORMATION
• GENERAL SAFETY AND PERFORMANCE
REQUIREMENTS
• RISK/BENEFIT ANALYSIS AND RISK MANAGEMENT
• PRODUCT VERIFICATION AND VALIDATION
Written SOP for document
control
4.2.4 Control of documents
• a) review and approve documents for adequacy
prior to issue;
• b) review, update as necessary and re-approve
documents;
• Review by the same authority as issue
• c) ensure that the current revision status of and
changes to documents are identified;
• d) ensure that relevant versions of applicable
documents are available at points of use;
• e) ensure that documents remain legible and
readily identifiable;
Written SOP for document
control
4.2.4 Control of documents
• f) ensure that documents of external origin,
determined by the organization to be necessary for
the planning and operation of the quality
management system, are identified and their
distribution controlled;
• g) prevent deterioration or loss of documents;
• h) prevent the unintended use of obsolete
documents and apply suitable identification to
them
• controls needed for the identification, storage,
security and integrity, retrieval, retention time and
disposition of records
4.2.5 Control of records
(unvaried)
• provide evidence of
• conformity to requirements
• the effective operation of the QMS
• shall remain legible, readily identifiable and
retrievable.
• Changes to a record shall remain identifiable
• NOTE: Good documentation practices
Filing of documents and
records
• Filing for a predefined period
• Procedures: At least same of medical device lifetime
• BUT
• At least more than the resulting records

• Records: at least 2 years from release

• BUT filing time also in compliance to regulatory
requirements
5.1 Management commitment
and
5.2 customer focus
• Communication
• Quality policy
• Quality objectives
• Management reviews
• Availability of resources
• Customer focus
• Regulatory requirements focus
 5.3 Quality policy
• a) is applicable to the purpose of the organization;
• b) includes a commitment to comply with
requirements and to maintain the effectiveness of the
quality management system;
• c) provides a framework for establishing and
reviewing quality objectives;
• d) is communicated and understood within the
organization;
• e) is reviewed for continuing suitability.
5.4.1 Quality objectives

• Quality objectives
• Efficiency, efficacy
• Regulatory requirements
• Product requirements (example: expected AqLs)
• Measurable
• Consistent with the quality policy
 5.5.1 Responsibility and authority
5.5.2 Management representative
• Define and communicate responsibilities
• Organizational chart
• Job profiles
• Personnel affecting quality
• ensure the independence and authority
• Management representative
• Responsible of QMs
• Reports to top management
• Promotes the QMS in the organization
5.6 Management review

• Top management responsibility

• documented planned intervals
• Evaluate the need of change to the QMS
• Risk based approach
• NOTE: written procedure and records required
 5.6.2 Review input
• a) feedback;
• From customers
• From predicate devices
• b) complaint handling;
• c) reporting to regulatory authorities;
• d) audits;
• e) monitoring and measurement of processes;
• f) monitoring and measurement of product;
 5.6.2 Review input
• g) corrective action; NOT IN 9001:2015
• h) preventive action
• i) follow-up actions from previous management
reviews;
• j) changes that could affect the quality management
system;
• k) recommendations for improvement;
• l) applicable new or revised regulatory requirements.
Inputs from other clauses

• Status of work environments (clause 6.4.1)

• Information from servicing activities (clause 7.5.4)
• DHF Change control (clause 7.3.10)
• Other chosen by organization
5.6.3 Review output

• Improvement
• Of system
• Of product
• Changes for new regulatory requirements
• Resources needed
Documented procedure for HR
(unvaried)
6.2 Human resources
• establishing competence,
• providing needed training,
• achieve or maintain the necessary competence
• Check effectiveness (risk based approach)
• ensuring awareness of personnel
• NOTE: records of education, training, skills and
experience
Written procedure
6.3 Infrastructure

• Requirements for the infrastructure

• a) buildings, workspace and associated utilities;
• b) process equipment (both hardware and software);
• c) supporting services
• Ensure that infrastructures are adequate for
processes, prevent product mixup
• Define maintenance
• NOTE: Keep records of maintenance
6.4.1 Work environment
6.4.2 Contamination control

• Requirements for work environment

• Requirements for health, cleanliness and clothing
of personnel
• Processes to maintain adequacy
• Reference norms ISO 14644 (cleanrooms) and ISO
14698 (biocontamination control)
• Prevent contamination of work environment or
other product
 7.1 Planning of product
realization
• document one or more processes for risk
management in product realization NEW
• Plan product realization
• quality objectives/ product specs
• Equipment, infrastructure and work environment;
• verification, validation, monitoring, measurement,
inspection and test, product acceptance
• handling, storage, distribution and traceability
• records
Process risk management

• Process criticality level

• Required product verification/ quality control
• Required process validation
• Training
• Equipment maintenance
• Work environment maintenance
7.2.1 Determination of
requirements related to
product
• Specified by customer
• Delivery
• Post delivery
• Not specified by customer, defined by the intended
use
• Regulatory
• User training
7.2.2 Review of requirements
related to product
• Product ID and requirements
• Regulatory requirements
• traceability
• Contract and order
• User training NEW
• Change control
• NOTE: records of review
7.2.3 Communication

• To customers
• a) product information;
• b) enquiries, contracts or order handling, including
amendments;
• c) customer feedback, including complaints;
• d) advisory notices.
• To regulatory authorities NEW
• Meddev
 7.3 Design and development
• Documented procedure
• Plan
• Input
• Output
• Review
• Verification
• Validation
• Transfer NEW
• Change control
• Documented DHF to be kept updated with changes
(clause 7.3.10) NEW
7.3.2 Design and
development planning
• a) the design and development stages;
• b) the review(s) for each stage;
• c) the verification, validation, and design transfer
activities at each stage;
• d) the responsibilities and authorities
• e) traceability of outputs to inputs;
• f) the resources (including competence)
 7.3.3 Design and
development
• defined per class
inputs
• a) functional, performance, usability (IEC 62366), safety
• b) regulatory requirements and standards;
• c) applicable output(s) of risk management;
• d) information derived from previous designs;
• e) other requirements
• reviewed for adequacy and approved.
• complete, unambiguous, able to be verified or validated,
and not in conflict with each other.
 7.3.4 Design and
development outputs
• Meet inputs
• Provide appropriate info
• Adequate for subsequent verification and validation
• Specify essential product specs
• List of materials
• Shape/ design
• Packaging
• Refer to QC criteria
7.3.5 Design and
development review
• Systematic review
• At predefined stages
• Evaluate ability of results to match inputs
• Propose corrective actions
• representatives of functions concerned with the
design and development stage being reviewed, as
well as other specialist personnel
7.3.6 Design and
development verification
• Aim: ensure that the outputs have met the inputs
• Document verification plans that include methods,
acceptance criteria and, as appropriate, statistical
techniques with rationale for sample size NEW
• Verification of connections as applicable
7.3.7 Design and
development validation
• Ensure that device meets the intended use
• methods, acceptance criteria, and, as appropriate,
statistical techniques with rationale for sample size NEW
• Representative product NEW
• Clinical evaluation/ performance evaluation as
integral part of validation
• Completed prior to product release
7.3.8 Design and
development transfer
NEW
• Transfer of design and development outputs to
commercial manufacturing
• Issue of manufacturing work instructions
• Process capability
• Process validation
• QC processes validation
7.3.9 Control of design and
development changes
• Evaluation of impact of change
• function, performance, usability,
• Safety
• applicable regulatory requirements
• Existing product
• Review, verification, validaiton
• Formal approval and release
7.4.1 Purchasing process

• Selection (risk based) NEW

• Supplier performance
• Product impact
• Monitoring and continuous evaluation
• NC control proportionate NEW to supplier risk class
• NOTE: records of evaluation, selection, monitoring
and re-evaluation
 7.4.2 Purchasing information
• Information on product
• Specs
• Quality levels for acceptance
• Information on supplier
• QMS
• Personnel training
• As applicable, written agreement that the supplier
notify the organization of changes NEW
• NOTE: records for traceability
7.4.3 Verification of
purchased product
• Extent of verification as per risk assessment NEW
• Supplier performance
• Product
• Changes of purchased products and their impact
• Verification at supplier shall be described in the
quality contracts
• NOTE: records of verification and change control
 7.5.1 Control of production
and service provision
(unvaried)
• Production control (manufacturing, labeling,
packaging, release, post delivery activites)
• Qualification of infrastructure
• Monitoring and control
• Monitoring and control equipment
• Traceability as per Serial Number or Batch number
7.5.2 Cleanliness of product
(unvaried)
7.5.5 Particular requirements for sterile
medical devices
• Control of cleanliness status
• Prior or alternate to sterilization
• Control of cleaning processes
• Removal of process residues
• Can be manufactured out of cleanroom prior of
(validated) cleaning procedures
• Traceability of sterilization batch
 7.5.3 Installation activities
7.5.4 Servicing activities
• Performance and validation of installation
• Control of external providers of installation/ servicing
processes
• Analysis of servicing records for NC control and
improvement
7.5.6 Validation of processes for
production and service provision
• For high risk processes
• resulting output cannot be or is not verified
• deficiencies become apparent only after the product is in
use or the service has been delivered
• Demonstrate the ability of these processes to
achieve planned results consistently
• Required for sterilization and for packaging (clause
7.5.7)
 Validation SOP
• criteria for review and approval of the processes;
• equipment qualification
• qualification of personnel;
• methods, procedures and acceptance criteria;
• as appropriate, statistical techniques (rationale for
sample sizes) NEW
• revalidation, including criteria for revalidation;
• approval of changes to the processes NEW
• NOTE: records required
SW validation (see also
clause 4.1.6)
• SW used in production and service provision
• Risk based approach NEW to validation of SW used
in production
• At first use
• Change control
7.5.8 Identification (unvaried)

• Throughout the whole device life

• production, storage, installation and servicing
• Identification of QC status
• Includes cleanliness status
• UDI number as per applicable regulation
• Identification of returned product
7.5.9 Traceability (unvaried)

• As per regulatory requirements

• Detailed requirement for implantables
• records of components, materials, and conditions for
the work environment
• Traceability by distributors
• Detailed requirements for customer property
identification and state of compliance
7.5.11 Preservation of product

• during processing, storage, handling, and

distribution
• protect product from alteration, contamination or
damage
• packaging design (and validation) NEW
• Labeling with storage instructions
• NOTE: record of special storage conditions
Equipment SOP (unvaried)
7.6 Control of monitoring and measuring equipment

• Monitoring and measurement consistent with

product quality criteria
• Equipment
• Identified
• Calibrated and recalibrated
• Protected by tampering
• Protected during storage and handling
• Control of instrument NC
8 Measurement, analysis and
improvement
• Product conformity
• QMS conformity
• QMS continuous effectiveness

• Appropriate (statistical) methods

• Appropriate depth of controls
Feedback SOP NEW?
8.2.1 Feedback

• Feedback on whether the organization

• Has met customer requirements
• Post production information as per regulatory
requirements
• Feedback output is the input of risk management
• Product conformity
• Improvement
Complaint SOP
8.2.2 Complaint handling

• a) receiving and recording information;

• b) evaluating information, determine if is a
complaint;
• Justification of not acceptance of complaint
• c) investigating complaints;
• Including impact of external parties
• d) determining the need to CA reporting
• e) handling of complaint-related (NC product)
product;
• f) determining the need to initiate corrections or
corrective actions
 8.2.3 Reporting to regulatory
authorities NEW
• the organization shall document procedures for
providing notification to the appropriate regulatory
authorities.
• NOTE: appropriate records
 8.2.4 Internal audit
• Compliance to
• planned and documented arrangements,
• requirements of this International Standard,
• quality management system requirements established by
the organization,
• applicable regulatory requirements
• Also product requirements
• Effective implementation and maintenance
 Audit SOP (unvaried)
• Responsibilities (impartiality and competence)
• Planning
• conducting audits
• recording and reporting
• Audit plan as per risk approach
• Process criticality
• Results from previous audits
• Reporting of NC found during audits
• Follow up of CA
 8.2.5 Monitoring and
measurement
• Of processes (clause 8.2.5)
• Suitable methods for monitoring
• Production records and evaluation of collected data
• Of products (clause 8.2.6)
• Evidence of conformity with the acceptance criteria
• Identify of control personnel
• For release
• For any control for implantables
• Quarantine of products under QC evaluation
NC product SOP
8.3 Control of nonconforming product

• Aim: NC product is identified and controlled to

prevent its unintended use or delivery.
• Identification and documentation
• Segregation,
• Evaluation,
• determination of the need for an investigation
• notification of any external party responsible for the NC
• Disposition of nonconforming product
• Rationale of decisions
8.3.2 Actions in response to NC
product detected before delivery

• NC correction (reword see clause 8.3.4)

• Limitation to use
• Use under concession
• Justified
• Approved by customer
• Still in compliance with regulatory requirements
• Detailed record (of justification and responsible board)
Regrade for use under
concession
• 3.12.4 regrade: alteration of the grade of a NC
product in order to make it conform to
requirements differing from the initial requirements
• 3.6.3 grade: category or rank given to different
requirements for an object having the same
functional use
8.3.3 Actions in response to NC
product detected after delivery
• action appropriate to the effects, or potential
effects
• document procedures for issuing advisory notices
• At any time

• NOTE: new clause but same content as old version

SOP for rework NEW
8.3.4 Rework
• takes into account the potential adverse effect of
the rework
• procedures shall undergo the same review and
approval as the original procedure
• product shall be verified NEW
• Increased sampling?
Some definitions
ISO 9000:2015

• 3.12.8 rework: action on a NC product to make it

conform to the requirements
• Rework can affect or change parts of the nonconforming
product or service.
• 3.12.9 repair: action on a NC product to make it
acceptable for the intended use
• does not necessarily make the product or service
conform to the requirements, a concession may be
required.
• Includes repair during maintenance.
• can affect or change parts of the NC product
“Management review input”
SOP
8.4 Analysis of data
• determine, collect and analyse appropriate data
• a) feedback;
• b) conformity to product requirements;
• c) characteristics and trends of processes and product
including opportunities for improvement;
• d) suppliers;
• e) audits;
• f) service reports, as appropriate
 8.5 Improvement
• Ensure consistent
• suitability, adequacy and effectiveness of the quality
management system
• Medical device safety and performance
• Inputs for improvement
• quality policy, quality objectives,
• audit results,
• postmarket surveillance
• analysis of data, corrective actions, preventive actions and
management review
 8.5.2 Corrective action
• a) reviewing nonconformities (including complaints);
• b) determining the causes of nonconformities;
• c) evaluating the need for action to ensure that NCs do not
recur;
• d) planning and documenting action needed and implementing
such action, including, as appropriate, updating
documentation;
• e) verifying that the corrective action does not adversely affect
the ability to meet applicable regulatory requirements or the
safety and performance of the medical device; NEW
• f) reviewing the effectiveness of corrective action taken
 8.5.3 Preventive action
a) determining potential NCs and their causes;
b) evaluating the need for action to prevent occurrence
c) planning and documenting action needed and
implementing such action, including, as appropriate,
updating documentation;
d) verifying that the action does not adversely affect the
ability to meet applicable regulatory requirements or
the safety and performance of the medical device; NEW
e) reviewing the effectiveness of the preventive action
taken, as appropriate.
This project has received funding from the European Union’s Horizon 2020 research and innovation
programme under grant agreement No 731053

3rd - 7th September 2018 UBORA Design School 2018 - Pisa 92