Both old and new medical device standards
cover essentially the same
topics. However, there are some important differences. Some of
these
are discussed below.
The ISO 13485 standard was updated for two
main reasons: to keep up
with changes in the industry and to address changes
in the underlying
ISO 9001 standard. While the old ISO
13485 2003 standard was based on
the old ISO
9001 2000 standard, the new one is based on
ISO 9001 2008.
While some people expected the new ISO 13485 standard to use the
latest
ISO 9001 2015 standard, ISO TC 210
evidently feels that the older ISO 9001
standard better serves the needs of medical
device suppliers, regulators,
and customers.
|
Flexibility
In general, the new
ISO 13485 standard is more flexible than the old.
In the past, organizations could only exclude section 7
requirements
(on product realization) and then only if they could justify
their decision.
Now, they can exclude any requirement in sections 6, 7, or 8
if they can
justify doing so because of the nature of their activities or
products.
|
Regulatory
requirements
While the old standard expected you
to establish a QMS that complies
with ISO 13485, the new one now explicitly expects you to also
comply
with all applicable regulatory requirements. This need to comply
with
regulatory requirements is given greater emphasis now and is
repeated
throughout the new standard. In fact, you're now also expected
to set
objectives for meeting regulatory requirements (in addition to
setting
objectives for meeting product requirements).
As you may have noticed, the
peculiar redundancy in the
phrase
“statutory and regulatory
requirements” has been removed. Now
we can simply refer to “regulatory requirements” (which,
of course,
include statutory and other legal requirements).
|
Risk
based approach
The new standard expects you to
apply a “risk based approach”
to your organization's QMS processes. The old standard
also expected
you to think about risk,
but only during product realization (in section 7).
Now, you're expected to apply risk
management methods and techniques
to all QMS
processes,
including outsourced processes.
|
Medical
device file
While both old and new standards
expect you to establish a special file
for each type of medical
device, the new one clarifies exactly what this
means. You're now expected to include a description
of each medical
device or family of devices and to include all
associated specifications,
procedures, and records.
|
Record
keeping
Record keeping requirements have
also changed. The new standard now
expects you to record supplier monitoring and re-evaluation
activities and
to consider privacy regulations when you develop methods for
protecting
confidential health information.
|
Product
realization
While the section on product
realization still covers the same basic
topics, a few noteworthy items have been added. While the old
standard
expected you to identify your product verification,
validation,
monitoring,
inspection, and testing requirements, the new one has added a
few more
to this list. It now also expects you to establish your product handling,
storage, measuring, revalidation, and traceability
requirements as well.
|
User
training
While the old standard focused on
the need to identify product
requirements specified by customers
and regulatory bodies, the
new one wants you also to think about the safety
and performance
of your products and the associated training
needs of product users
and to verify that regulatory requirements will be met and
user training
will be available before you agree to supply products to
customers.
|
Design
and development inputs
The section on design
and development inputs has also been
expanded. In addition to all the old requirements, the new
standard
now also wants you to consider risk management outputs, to
clarify
product usability and safety requirements, and to make sure
that
input requirements can be verified or validated.
|
Design
and development verification and validation
This section has also been expanded.
The new standard not only
expects you to document your verification
and validation
plans and
arrangements (something the old
standard overlooked) it now also
wants you to think about how to verify
and validate medical
devices
that connect to or interface with other medical devices. It
now expects
you to verify that design outputs meet input requirements when
these
devices are connected or interfaced and to validate that
intended
use or application requirements are met when devices are
connected or interfaced.
|
Design
and development changes
While the old
ISO 13485 2003 standard
expected you to control
design and development changes, it didn't really talk much
about how
this should be done. The new ISO
13485 2016 standard fills in some of
the gaps. It not only asks you to establish processes to
control changes
and to evaluate their significance and impact, it now also
expects you to
maintain a file for each medical device or family of medical
devices that
documents these changes.
|
Design
and development transfer
This topic has been elevated in
importance and has now received
its own subsection. The old standard devoted only a single
line and
two notes. Now special emphasis is given to the need to ensure
that
outputs are suitable for manufacturing before they become
official
production specifications.
|
Purchasing
Purchasing has also changed. The old
section on purchasing has
been subdivided into four new sections and new requirements
have
been added. While the old standard expected you to establish
supplier
selection and evaluation criteria, it didn't provide any
details. Now it does.
You now need to consider your medical device and the risk
you're taking
in addition to the effect purchased
products have on the safety
and
performance of your medical device. And in addition to making
sure that
your suppliers are capable of meeting your organization's
requirements,
you now also need to worry about whether they can meet all
relevant statutory requirements.
|
Supplier
monitoring
But you're not done yet. Now that
you've selected a supplier, you
not only need to monitor the supplier's performance, you now
also
need to consider your risk whenever suppliers underperform,
and
you need to respond in a way
that is proportional to the risk that
you're taking. And while both old and
new standards want you to
establish a record of supplier evaluations, now you're also
expected
to record your supplier monitoring and re-evaluation
activities.
|
Purchased
product risks
Like the old ISO 13485 standard, the
new one expects you to verify that
purchased products meet purchase requirements. But now you're
also
expected to consider
the risk
associated with the product you've
purchased and to worry about what to do when unanticipated
changes
are made to purchased products and to determine whether or not
these
changes affect your medical device or your product realization
process.
|
Process
validation
Both old and new standards expect
you to establish procedures to
validate
production and service delivery processes
that generate outputs
that can't be verified until the
product is in use or the service has been
delivered. Now you're also expected to establish validation
plans and to
revalidate processes whenever necessary.
|
Servicing
The servicing
section has also changed. In addition to having to
document your organization's servicing
procedures and reference
materials, you're now also expected to analyze servicing
records in
order to identify servicing complaints
and improvement opportunities.
|
Complaints
While the old ISO
13485 standard discussed the need to handle
complaints, this important material was spread over several
sections.
The new standard brings most of it together in one new section
and
broadens and expands it to include all kinds of complaints
(not just
customer complaints). It now also
expects you to develop and
document complaint handling
procedures that comply with all
applicable regulatory requirements. The old standard merely
asked you to establish arrangements, not procedures.
|
Delivery
of nonconforming product
The section on the unintended
delivery of nonconforming product
has also been reorganized and reworded and new subsections and
new detail has been added. The result is a much more useful
section.
The new standard now expects you to investigate
nonconforming
products that have been delivered, to determine if
corrective action
is needed, and to consider whether or not responsible external
parties need to be notified.
|
Improvement
The section on improvement has also
been enhanced. In addition
to having to maintain the suitability and effectiveness of
your QMS,
you're now also expected to maintain the safety
and performance
of your products whenever improvements are being considered.
In addition, before you implement corrective and preventive
actions,
you're now expected to verify that they comply with all
applicable
regulatory requirements and that they do not compromise the
safety and performance of your medical devices.
|