One thing that seems to be constant in the global medical device industry is change.
At this present time, there are numerous changes impacting the medical device industry happening, including a significant update to the industry’s fundamental QMS standard ISO 13485 and two new sets of regulations in Europe.
Without an understanding of these changes and how they impact you, it is easy to be overwhelmed by it all.
This ebook provides an overview into some of the major changes happening right now, and provides some recommendations to consider when managing these changes.
It covers changes to ISO 13485:2016, the EU Medical Device Regulation and In Vitro Diagnostic Device Regulation.
It was co-authored by Rod Beuzeval, Director Meddev Solutions, and Jon Speer, Founder & VP QA/RA Greenlight Guru.
Overview of ISO 13485:2016
The ISO 13485 standard has long defined quality management system requirements for the medical device industry. This standard is generally accepted throughout the world as “state of the art” with respect to QMS requirements and has often been accepted as a de facto must for medical device companies with interests in many geographic markets, including Canada and Europe.
Since the publication of ISO 13485:2003, management standards have continued to evolve and new management systems approaches were introduced, such as the High-Level Structure (HLS), also referred to as Annex SL. The HLS is a set of 10 clauses that ISO management systems are required to use in the future. Although the mandate is to utilise the HLS for all ISO management system standards, ISO 13485:2016 does not use this.
The reason is simply that the HLS does not provide a suitable structure for the complexities and regulatory requirements of medical devices. To a large extent, ISO 13485 keeps the fundamentals of quality management systems based on the HLS (e.g. ISO 9001) and adds or subtracts, requirements that are/are not relevant to medical devices. For the 2016 version, another objective of the working group that developed the new standard was to ensure ISO 13485 would better support the global alignment of regulatory requirements for medical devices. The new standard mentions “regulatory requirements” 37 times, as opposed to being mentioned only nine times in the previous 2003 version.
The Medical Device Quality Management System Standards ISO 13485:2016 and EN ISO 13485:2016 have been published respectively in March and April 2016. This initiated a 3-year transition period, so manufacturers will have to be in compliance with the new standard by March 2019.
The revised ISO 13485 standard is more aligned with US FDA 21 CFR part 820 and includes various updates (such as Medical Device File), refined requirements in design control (e.g. design verification, design validation, design transfer), and the addition of new procedures (e.g. Management Review Procedure). However, one of the main differences is the implementation of a risk-based approach for most of the QMS processes. While the concept of a “risk-based” QMS is technically new language with respect to ISO 13845, and quality system requirements in general, the expectation is that this concept is in alignment with current interpretation and industry best practices.
Of particular importance is the “Clarification of Concepts” section of the Introduction to ISO 13485. It includes a statement that says, “when a requirement is qualified by the phrase ‘where appropriate,’ it is deemed to be appropriate unless the organization can justify otherwise.” This has implications for clauses 6 and 8 in terms of non-applicability, whereas in previous versions of the standard, only clause 7 could be non-applicable.
Due to the inclusion of several new clauses, several sub-clauses have been renumbered.
Changes to this section primarily involve:
· All processes that are part of a manufacturer’s quality management system will now need to be developed using a risk-based approach.
Simply put, assessing risks extends beyond just evaluating risks of a product and now includes your entire quality management system. Incorporating risk-based decision making into all of your QMS procedures and processes is expected.
· The identification of outsourced processes and means of monitoring. Processes that are outsourced must also apply a risk-based thinking approach.
There is an increasing trend of outsourcing processes to suppliers. Yet, supplier management has been challenging for many medical device companies. The expectations defined in this clause are more explicit with respect to requirements of supplier management, including applying risk-based approaches.
· Software used as part of the quality system must be validated and documented.
Some interpret that this has always been a requirement of ISO 13485, albeit one that was unwritten. Bottom line is that any software in use for QMS , as well as quality data and records, needs to be established, documented, and validated.
· Maintenance of a technical file and device master file (Medical Device File) for each manufactured device that includes a description of the device along with all relevant specifications and records.
Again, the need to maintain a medical device file has always been an implicit requirement of ISO 13485. The addition of this clause includes a technical file and a device master record—the latter of which brings ISO 13485:2016 in closer alignment with FDA 21 CFR Part 820.
Changes to this section primarily involve:
· Increased emphasis on regulatory requirements.
As noted earlier, ISO 13485:2003 only made nine references to regulatory requirements. However, in the past several years, requirements and expectations from regulatory bodies has been increasing. These expectations lie squarely with management within a medical device company.
· Documentation of the interrelation of all personnel.
Medical devices have been increasing in complexity. Additionally, the resources and personnel are also increasing in complexity. As such, ensuring the right resources are identified, including suppliers, and their interactions is more important than it ever has been.
· Clarifications of existing requirements regarding quality management system planning, responsibility and authority, management representation and management review.
A QMS should be the heart of a medical device company. A QMS should be continually evaluated and monitored for appropriateness and effectiveness.
The standard will now require device manufacturers:
· To define the specific skills and experience required for personnel (competence and ensuring awareness) involved in the maintenance of the quality management system.
The additions to this clause are putting a heavier emphasis on competency of resources involved with a company’s QMS.
· Requirements to maintain systems for ensuring that personnel maintain the requisite knowledge through ongoing training, as well as a mechanism for assessing the effectiveness of such training.
Training, especially effectiveness of training, is of increasing importance. Establishing robust processes to ensure training effectiveness is a critical aspect of an effective QMS.
· To ensure Infrastructure prevents product mix-up and ensures orderly handling of product.
Over the years, there have been too many issues with product mix-ups, mislabelling, and product identification.
· A new clause in this section also addresses contamination control issues for sterile medical devices, and includes requirements related to the validation of processes intended to ensure the integrity and effectiveness of sterile device manufacturing requirements.
There are a few reasons driving this particular change, including increases in device reprocessing. It is also an important aspect for manufacturing processes pertaining to sterile medical devices.
The standard will now require device manufacturers:
· To Incorporate risk management principles in determining the application of these requirements.
ISO 14971 has been harmonized since 2007. However, the previous version of ISO 13485 was in 2003, prior to this harmonization. ISO 14971 addresses product risk management throughout the entire product lifecycle. Now ISO 13485:2016 aligns with ISO 14971:2007.
· Incorporate new sub-clauses in design and development for transfer of design and development outputs to manufacturing.
Somewhat surprisingly, the requirements of ISO 13485:2003 were non-existent with respect to transfer from design and development to manufacturing. The 2016 version remedies this, and in doing so, better aligns with FDA 21 CFR Part 820.30 regulations.
· Maintain a design and development file.
ISO 13485:2003 described maintaining records of design and development. However, it did not explicitly require a design and development file. This addition in the 2016 version is more explicit and aligns with FDA 21 CFR Part 820.30(j) Design History File.
· Ensure applicable regulatory requirements are met.
As noted above, ISO 13485:2016 has established increased explicit emphasis on regulatory requirements in numerous areas. Regulatory requirements are of special focus with respect to product realization.
· Identify user training required to ensure the performance and safe use of the medical device.
Increased emphasis on training is prevalent throughout ISO 13485:2016. This is also the case regarding the use of medical devices, especially as it relates to design and development validation.
· Establish criteria for evaluation and selection of suppliers including performance and risk.
While a long-standing practice for most medical device companies includes defining criticality of suppliers, ISO 13485:2016 is putting much more emphasis on ensuring your QMS has provisions in place to address assessing, qualifying, evaluating, and monitoring suppliers.
· Performing supplier performance monitoring as part of re-evaluation process, additional record requirements.
The importance of supplier due diligence and ongoing monitoring is being emphasized.
· Ensuring purchasing information includes, as applicable product specifications. Suppliers to agree to prior notification of changes.
Are you noticing a trend with clause 7? There is an increased expectation on controls regarding suppliers throughout the entire product realization process.
· In addition, servicing activity records must be analysed to determine if the issue is a complaint or be utilized as an improvement input.
ISO 13485:2003 was very general with respect to servicing. However, ISO 13485:2016 addresses the importance of evaluating servicing activities as customer feedback and/or complaints.
· Add UDI where required by national or regional regulations.
Unique device identification (UDI) is a newer requirement defined by FDA and other regulatory bodies. The UDI criteria has evolved since the 2003 version of ISO 13485.
· Add requirements for the validation of the application of computer software used for monitoring and measurement of requirements.
Computer software used for monitoring and measurement has changed a great deal since 2003. Suffice it to say, computer software has infiltrated our world in a number of capacities. As a result, computer software validation is required and expected as a result.
Under this section of the revised standard, device manufacturers will be expected to formalize their processes for obtaining feedback from both production and post-production activities, and to develop sound methods for incorporating that feedback into its risk management program.
· Strengthens requirements regarding the investigation and control of nonconforming products.
Requirements for nonconforming products were non specific in ISO 13485:2003. ISO 13485:2016 is much more specific with requirements, including detecting nonconforming product before delivery, after delivery, and rework.
· New sub-clauses have been created in monitoring and measurement for complaint handling and reporting to regulatory authorities.
ISO 13485:2003 include provisions for customer feedback. The 2016 version expands on requirements and includes provisions for addressing customer complaints. The primary reason for this is to better align with regulatory requirements. The new provisions in ISO 13485:2016 are very much in sync with FDA 21 CFR Part 820.198.
The published version of ISO 13485:2016 will provide a three-year transition period for device manufacturers.
However, given the extent of the anticipated changes, as well as the structural differences between the revised ISO 13485:2016 and ISO 9001:2015, transitioning to the new requirements is likely to require a considerable investment of time and resources.
There are a couple of items worth noting regarding timing ISO 13485:2016. Medical device companies interested in obtaining ISO 13485 certification for the first time will be certified to the 2016 version. Also, companies with existing ISO 13485 certification should expect to update this to ISO 13485:2016 upon renewal.
The QMS updates in regard to ISO 13485:2016, and especially for the risk-based approach, will lead to a significant change in manufacturers’ processes as well as associated procedures or work instructions. These changes making the training of ISO 13485:2016 a critical part of the implementation.
Therefore, medical device manufacturers and other ISO 13485 certified organizations are advised to promptly begin the process of evaluating the application of the standard’s new requirements to their existing quality management system, in order to determine the scope of required changes and the time required to implement them. A recommended next step is to evaluate your company’s existing QMS against revised requirements defined in ISO 13485:2016.
FREE RESOURCE: Click Here to Download this FDA QSR & ISO 13485 Internal QMS Audit Checklist.
It is highly recommended that organizations review the timing of their transitions and seek support from consultants and experts as needed. It is useful to bear in mind that registrars and notified bodies have limited resource and a large percentage of their medical device customers have not started to transition yet, this may mean that by delaying the transition to near the deadline may mean that the notified body simply does not have the resource to meet your expected timeline. Be sure to contact your registrar to discuss timing of (re-)certification to ISO 13485:2016.
In September 2012, the European Commission published proposals for the Medical Device Regulation (EU) 2017/745 (MDR) and the In-Vitro Diagnostic Medical Devices Regulation (EU) 2017/746 (IVDR).
As part of the legislative review process, in April 2014, the European Parliament came up with a total of 347 amendments for the proposed MDR and 254 amendments for the proposed IVDR. The European Council responded in September 2015 to the proposals adapted by Parliament. Negotiations between the parties took place to resolve the differences in the text.
The official version of the Regulation consists of 92 pages, plus 83 pages of Annexes. The highest article number is 123. The Articles reference 17 Annexes making this a significant document over the previous directives.
The big adjustment with the updates in EU is the shift from items being directives to becoming regulations in EU. Simple translation is that these changes are now laws—similar to FDA medical device regulations.
The MDR combines the former Medical Device Directive and Active Implantable Medical Device Directive into one document. The regulation is directly applicable to a member state, unlike a directive which requires implementation into the national legislation of the member state (and subsequent inconsistencies). This is illustrated by the incorporation of European guidance (MEDDEVs) into the Regulation, which were infamous for being interpreted in different ways:
All specifically feature in the MDR, and all now have to be applied as written.
In addition to stronger regulation, the scope of the products has become broader, to include Medical Devices which may not have the intended medical purpose or include devices for the purpose of prognosis of a disease or any other health condition such as:
Of note, products which have historically not been regulated as medical devices are not considered within the scope of the EU MDR. As a result, it is important to review the revised MDR with respect to your product to determine how and if the regulations now apply.
For higher class and implantable devices, the EU MDR will introduce many new concepts relating to clinical evaluation and clinical investigation, as well as Post-Market Clinical Follow-up (PMCF) and Periodic Safety Update Reports (also known as PSURs). This will require a thorough review of the manufacturer’s clinical strategy and PMCF plans and require manufacturers to conduct clinical performance along with providing evidence of Safety and Performance in accordance to the risk associated with the device.
With the new rules, medical device manufacturers will need to perform a gap analysis to identify gaps in clinical evidence under new rules for devices currently on the market and perform the required update since the compliance to current MEDDEV 2.7.1 rev 4 may not be sufficient.
The qualification requirements for auditing and reviewing notified body staff are steeply increased. Greater emphasis will be placed on clinical data and clinical evaluations. Equivalence, currently used to justify references to studies done with other devices, will be more rigorously interpreted, making this a far more challenging way to demonstrate clinical safety or performance for medical devices.
For implantable Class III devices, clinical investigations will be expected since it will generally no longer be accepted to follow the equivalence approach, although some exceptions can be made. Clinical investigation requirements will not be applicable for class III/implantable devices that have been lawfully placed on the European market in accordance with the old AIMDD and MDD where conformance has been based on sufficient clinical data and applicable Common Specifications (CS).
Common Specifications have ben newly introduced to allow the commission to introduce requirements that provide a means of complying with the general safety and performance requirements. These can be introduced where no harmonized standard exists, or where the harmonized standard is not considered sufficient. A manufacturer will be expected to comply with them if they are applicable to the device, unless they can duly justify that they have adopted solutions that ensure a level of safety and performance that is at least equivalent.
Unique Device Identification (UDI) is also a new requirement in Europe. The UDI will need to be placed on the device, and in the case of class III or implantable devices, prior to application for conformity assessment by a notified body. The EU requirements are similar to the US FDA requirements. The devices (and indeed manufacturers, authorized representatives and importers) will need to be registered in a newly created electronic system.
Finally, the MDR concentrates the harmonization efforts between European Member States by means of a new regulatory body called the Medical Device Coordination Group (MDCG). The objective of the MDCG is to enhance cooperation between the Member States while at the same time increasing the Commission’s power to act as needed in certain cases.
The Regulations were formally published in the Official Journal of the European Union in May 2017, starting the official transition period of the MDR to full implementation by May 2020.
The EU MDR represents a dramatic shift in the regulatory landscape for all “economic operators” within the European medical device industry. This affects manufacturers, authorized representatives, importers, distributors, notified bodies, and competent authorities.
The timescale to full implementation may seem a long way off, but with significant implications for the medical device sector this is not a long time at all. It is recommended to start grasping the MDR text and its impact. There are a number of resources available to industry to start understanding the impact. Training providers, consultant services, and even MDR guidebooks are available to assist getting ahead.
By ensuring that you take the lead and seek help where it is needed, when the time comes for assessment, being confident it is right first time will reduce the burden on yourselves and the notified bodies. For those manufacturers that previously did not need to comply but are now covered by the scope of changes, it is key to understand the impact and seek support if required.
The new In Vitro Diagnostic Device Regulation (IVDR), which was drafted at a similar time to the EU MDR entered into force on May 25, 2017 and will replace the existing In Vitro Diagnostic Device (IVD) Directive.
The EU IVD Regulation is appreciably different to the current IVD Directive, including changed classification rules and requirements for conformity assessment. The intent is to strengthen the current approval system for in-vitro diagnostics.
Due to constant technological and scientific progress, the IVD Directive, 98/79/EC is no longer ‘fit for purpose’. Significant differences in the application and interpretation of the rules have emerged over time, which are not in line with the intent of the main objectives of the Directive.
The revision, published by the European Commission, will provide a robust, transparent and sustainable regulatory framework for in-vitro diagnostic medical devices.
Again, the revision is being introduced as a regulation instead of a directive, which means that it has to be directly applied in each member state as opposed to transposed into national legislation. A Regulation has been determined to be the most appropriate legal mechanism, because it enacts clear and detailed rules which do not give room for differing transposition by member states. Moreover, a Regulation ensures that legal requirements are implemented at the same time throughout the European Union.
The new regulation introduces a wider scope of regulated IVDs that will require notified body conformity assessment. Currently, devices under the existing directive are estimated to be self-declared devices for approximately 80% of IVD’s on the market in the EU, where the manufacturer has sole responsibility for meeting the requirements of the directive. Under the new regulation, 80% of IVD’s will require some form of conformity assessment by a notified body.
The scope of regulated IVD devices will include:
Classification criteria has been enhanced, based on risk, the published regulation introduces a new risk-rule classification system based on the Global Harmonization Task Force (GHTF) classification rules. This change to the classification system will have an impact on all manufacturers of IVDs. In the new classification system, IVD devices will be divided into four Classes of risk: A (lowest risk), B, C, and D (highest risk). By using the seven classification rules, devices will be divided into one of the four classes that will dictate notified body involvement.
The conformity assessment procedure for lowest-risk Class A devices will be the sole responsibility of the manufacturer, except when they are intended for self-testing, near-patient testing, or are sold sterile. In these cases, a notified body is required to verify the design, or sterilization process. Class B, C, and D devices are characterized by increasing risk levels and will all require notified body involvement.
Akin to the requirements of the MDR, there shall be at least one person responsible for regulatory compliance within an organization. This requirement states that manufacturers shall have available within their organization, or, for micro and small enterprises, at the minimum “permanently and continuously at their disposal” at least one responsible person accountable for regulatory compliance who possesses expert knowledge in the field of in-vitro diagnostic medical devices.
The qualifications of this person can be demonstrated by evidence of formal qualification awarded on the completion of either of the following:
Again, there is the requirement for increased identification and traceability. Manufacturers must identify their devices with a Unique Device Identification (UDI). This information will be held in the electronic register for the device.
Information around clinical evidence will be more stringent. Manufacturers of high-risk devices are to make a summary of safety and performance with key elements of the supporting clinical data publicly available. It will be necessary to collect clinical evidence for all IVD devices. Clinical evidence is defined as clinical data and performance evaluation results pertaining to the device of sufficient amount and quality to allow a qualified assessment of whether the device achieves the intended clinical benefit(s) and safety, when used as intended by the manufacturer.
The EU Commission has been tasked to set up and manage an electronic system to collate and process reports by manufacturers on serious incidents, field safety corrective actions, field safety notices, and periodic summary reports. Manufacturers of devices classified in Class C or D will also have to report any statistically significant increase in the frequency or severity of incidents that are not individually serious incidents, but which have an impact on the risk-benefit analysis.
Notified bodies have been given increased authority and involvement. They will have a right and duty to carryout unannounced factory inspections and to conduct physical or laboratory tests on devices. The regulation also requires rotation of the notified body’s personnel involved in the assessment of IVDs at appropriate intervals, unlike current requirements of not being able to lead the audit, it now introduces the requirement to not allow repeated presence. The aim of which is to strike a reasonable balance between the knowledge and experience required to carry out thorough assessments, with the understanding that “a fresh pair of eyes” will challenge the systems more appropriately.
To demonstrate conformity with the general safety and performance requirements, manufacturers will now need to prepare a performance evaluation report, which is proportionate to the risk Class of the device.
Again, like the requirements of the MDR, provisions regarding registration of devices and economic operators, in particular those governing the Unique Device Identification system have been documented. Manufacturers, authorized representatives, importers, and devices will all need to be registered.
Although Vigilance and Post-Market Surveillance (PMS) have always been a requirement, there are more prescriptive measures laid out in the new regulation which includes specific direction on the use of data gathered by the manufacturer's Post-Market Surveillance system. In addition, there will be new documentation requirements such as Periodic Safety Update Reports (PSURs) with additional requirements based on the device classification.
As with the MDR, the In Vitro Diagnostics Regulation will allow the EU Commission to publish Common Specifications which shall then be taken into account by manufacturers as well as notified bodies. These Common Specifications will exist in parallel to the Harmonized Standards will be considered State of the Art. These specifications provide a means to comply with the general Safety and Performance requirements and the requirements for Performance Studies and Performance Evaluation and/or Post-Market Follow-Up.
Common Technical Specifications currently exist for some high-risk In Vitro Diagnostics devices. It is likely this will be expanded. As with common specifications for other medical devices, a manufacturer will be expected to comply with them if they are applicable to the device, unless they can duly justify that they have adopted solutions that ensure a level of safety and performance that is at least equivalent.
The timeline for the changes has started. With the publication of the IVDR a 5 year transition has begun. IVDR entered into force on May 25, 2017, which will replace the existing In Vitro Diagnostic Device (IVD) Directive 98/79/EC in May 2022.
With these changes in the EU IVDR, the manufacturer needs to be proactive by building a plan and evaluating the impact on it organization with gap analysis to identify all changes per the regulation. The early planning and action from the manufacturer is the best way to ensure smooth transition to the new requirements.
For those manufacturers that previously did not need to comply but are now covered by the scope of changes, it is key to understand the impact and seek support if required.
FREE RESOURCE: Click Here to Download this FDA QSR & ISO 13485 Internal QMS Audit Checklist.
The medical device industry is undergoing immense regulatory changes via updates to ISO 13485:2016, EU MDRs, and EU IVDRs. Being proactive is essential to ensuring that you are able to comply with the changes in time.
Changes to the way your devices are classified, assessed for conformity, documented and registered are massive changes in their own right. Coupled with the added scrutiny of clinical data, risk, post market and vigilance reporting you would think that enough is enough. But alas, there are also the changes to the way your organization functions in terms of a Quality Management System.
All of these changes will need to be carefully planned, with gaps identified and action plans in place to ensure you are in a position to comply when the due date looms. The correlation between ISO 13485:2016 and the new directives will need to be well understood as simply complying with ISO 13485:2016 will not automatically infer compliance with either of the EU MDR and IVDR changes. It is important to understand the regulation requirements and incorporate those into your QMS as you are transitioning to ISO 13485:2016.
Also, it is prudent to remember that the registrars and notified bodies are under extreme resource pressure. If you leave everything to the last minute, it is likely that you will not meet the deadlines established to comply with ISO 13485:2016 and EU MDR and IVDR.
Notified bodies have finite personnel and time to ensure transition for their customers; it would be impossible if every customer of a notified body wanted to transition to the new requirements in the last month prior to the deadline. In addition to the topics discussed within this white paper, notified bodies are also involved with the Medical Device Single Audit program. If you are a manufacturer that sells into Canada, the United States, Australia, Brazil or Japan, these changes are likely to also affect you. Indeed, Health Canada have already announced that their CMDCAS program will be terminated as of January 2019 and will only accept MDSAP certificates. This adds complexity to the changes being managed by manufacturers, notified bodies, and regulators, at an already complicated time.
Medical device companies will not escape personnel and time restraints. The sheer volume of work required to ensure compliance to the new regulations is significant, with a large increase in the documentation required to be produced in addition to the requirement for product UDI and more stringent processes. Also, the need to have a responsible person within the organization or available to them will have an impact, particularly to smaller organizations with only a few employees.
Finally, there are the group of manufacturers that previously fall outside of the regulations, which with these changes, are now potentially impacted by medical device regulations. These companies will possibly be impacted most of all; it may be that these organizations simply are not able to continue manufacturing these devices any longer, or they will need to comply, potentially at significant cost and effort.
Compliance is not an option; you must comply and the transition times are just around the corner. It is important to understand these changes and make sure you have the right support to ensure that you are not left without the ability to design, manufacture and place your devices on the market.
Looking for an all-in-one QMS solution to advance the success of your in-market devices and integrates your quality processes with product development efforts? Click here to take a quick tour of Greenlight Guru's Medical Device QMS software →
Rod Beuzeval has been working in the Pharmaceutical and Medical Device sectors for over 19 years. He holds a degree in engineering and has earnt Regulatory Affairs Certification from the Regulatory Affairs Professional Society. Recently he has joined forces with a small team of experts to form Meddev Solutions...