ISO13485-Medical Device Quality Management
4.1 General Requirements
4.1.1, The organization shall document the role(s) undertaken by the organization under the applicable regulatory requirements.
- Manufacturer
- Authorized representative
- Importer
- Distributor
4.1.2a, The organization shall determine the processes needed for the quality management system and the application of these processes throughout the organization taking into account the roles undertaken by the organization.
4.1.2b, Apply a risk based approach to the control of the appropriate processes needed for the quality management system.
4.1.4 a-c: Changes to QMS processes shall be evaluated for their impact on the QMS, evaluated for their impact on the medical devices and controlled in accordance with ISO 13485 and regulatory requirements.
4.1.5: When the organization outsources a process that affects product conformity:
- Monitor and control the process
- Retain responsibility for conformity to ISO 13485:2016, customer and applicable regulatory requirements
- Controls shall be proportionate to the risk involved and the ability of the external party to meet requirements
- Controls shall include written quality agreements.
4.1.6: Organization shall document procedures for validating computer software used in the QMS.
- Software shall be validated prior to use and in response to changes in the software or its application.
- Approach for software (re)validation shall be proportionate to the risk associated with the use of the software.
- Maintain records.
4.2.3 Medical Device File: For each medical device (family), organization shall establish and maintain (a) file(s) containing/referencing documents required by 13485 or applicable regulatory requirements. File contents:
- General description of device, intended use/purpose, labelling, instructions for use;
- Specifications for product;
- Specifications or procedures for manufacturing, packaging, storage, handling and distribution;
- Procedures for measuring and monitoring;
- Requirements for installation (as appropriate);
- Requirements for servicing (as appropriate).
4.2.4 Control of documents: Required procedure needs to address preventing deterioration or loss of documents.
4.2.5 Control of records: Organization is required to define and implement methods for protecting confidential health information contained in records in accordance with regulatory requirements.
5.6 Management Review
5.6.1 General: Organization must document procedures for management review. Top management must review the QMS at documented, planned intervals.
5.6.2 Inputs: New inputs include feedback (previously customer feedback), complaint handling and reporting to regulatory authorities.
6.2 Human resources: The organization must document process(es) for establishing competence, providing needed training and ensuring awareness of personnel.
6.3 Infrastructure: The organization must document the requirements for the infrastructure needed to prevent product mix-up and ensure orderly handling of product.
Infrastructure was clarified to include information systems.
Maintenance was clarified to be applicable to equipment used in production, controlling the work environment and monitoring/measurement.
6.4.1 Work environment: The organization shall document the requirements for the work environment needed to achieve conformity to product requirements.
6.4.2 Contamination control: For sterile medical devices, the organization must document requirements for control of contamination with microorganisms/particulate matter and maintain required cleanliness throughout assembly/packaging.
7.1b Planning of product realization: Organization needs to provide resources specific to the product, including infrastructure and work environment.
7.1c: Organization shall determine required handling, storage, distribution and traceability activities.
7.2 Customer-related processes
7.2.1: Determination of requirements related to product: The organization must determine any user training needed to ensure specified performance and safe use of the medical device.
7.2.2. Review of requirements related to the product: This review must occur prior to the organization’s commitment to supply product to the customer and ensure that applicable regulatory requirements are met and any user training previously identified is or will be available.
7.3 Design and development
7.3.2 Design and development planning: During design and development the organization must document:
- The review(s) needed at each design/development stage;
- The methods to ensure traceability of design and development outputs to design and development inputs;
- The resources needed, including competence of personnel.
The requirement for management of interfaces was eliminated.
7.3.3 Design and development inputs: Inputs relating to product requirements must be determined/records maintained. Inputs shall include:
- Usability requirements
Requirements shall be able to be verified or validated.
7.3.5 Design and development review: Design review records must include the identification of the design under review, the participants involved and the date of the review.
7.3.6 Design and development verification: Organization is required to document verification plans that include methods, acceptance criteria and, as appropriate, statistical techniques with rationale for sample size.
When the intended use of the medical device requires connection/interface with another medical device, the verification shall include confirmation that design outputs meet design inputs when connected/interfaced.
7.3.7 Records of results and conclusions of verification and necessary actions must be maintained.
7.3.8 Design and development transfer: Organization must document procedures for transfer of design and development outputs to manufacturing. Procedure must ensure that outputs are verified as suitable for manufacturing before becoming final production specs and that production capability can meet product requirements. Results/conclusions of transfer shall be recorded.
7.3.9 Control of design and development changes: The organization must determine the significance of the change to function, performance, usability, safety and applicable regulatory requirements for the medical device and its intended use.
The review of design and development changes shall include evaluation of the effect of the changes on constituent parts/WIP/delivered product, inputs/outputs of risk management and product realization processes.
7.3.10 Design and development files: Organization must maintain a design/development file for each medical device (family). File must:
- Include or reference records generated to demonstrate conformity to the requirements for design/development
- Include or reference records for design and development changes.
7.4.1 Purchasing process: New criteria for evaluation and selection of suppliers must:
- Be based on the performance of the supplier
- Be proportionate to the risk associated with the medical device
Organization needs to plan the monitoring and re-evaluation of supplier, including their ability to meet requirements for purchased product. Results of monitoring shall be an input to the supplier re-evaluation process.
Nonfulfillment of purchasing requirements shall be handled based on risk associated with the purchased product and compliance with applicable regulatory requirements.
Records relating to selection, monitoring, and re-evaluation of suppliers must also be maintained.
7.4.3 Verification of purchased product: When the organization becomes aware of any changes to the purchased product, the organization must determine whether these changes impact the product realization process or the medical device.
7.5.2 Cleanliness of product: The organization shall document requirements for cleanliness of product or contamination control of product if… product cannot be cleaned prior to sterilization or its use, and its cleanliness is of significance in its use.
7.5.4, Servicing activities: The organization shall analyze records of servicing activities carried out by the organization or its suppliers:
- To determine if the information should be handled as a complaint;
- As an input to the improvement process, as appropriate.
7.5.6, Validation of processes for production and service provision: Requirement for organization to document procedures for validation of processes.
These procedures must include revalidation/criteria for revalidation and approval of changes to processes.
Requirement for a documented procedure for validation of computer software remains. Specific approach used must be proportionate to the associated risk and the effect on the ability of the product to conform to specifications.
Records of results/conclusions/necessary actions from validation activities shall be maintained.
7.5.7, Particular requirements for validation of processes for sterilization and sterile barrier systems: Concept of sterile barrier systems introduced. Processes need to be validated prior to implementation and following product/process changes.
Records of results/conclusion/necessary actions from validation shall be maintained.
Reference to ISO 11607-1 and -2.
7.5.8, Identification: If required by regulatory requirements, the organization shall document a system to assign unique device identification to the medical device.
The organization shall document procedures to ensure that medical devices returned to the organization are identified/distinguished from conforming product.
7.5.11, Preservation of product: Organization must protect product from alteration/contamination/damage during processing/storage/handling/distribution by:
- Designing and constructing suitable packaging and shipping containers
- Documenting requirements for special conditions needed if packaging alone is not sufficient.
If special conditions are required, they must be controlled and recorded.
8.2.1, Feedback: Organization must document procedures for a feedback process, including production and post-production activities.
Feedback gathered shall be a potential input into risk management for monitoring and maintaining product requirements as well as the product realization or improvement processes.
8.2.2, Complaint Handling: This is a new section. A documented procedure is required for timely handling in accordance with applicable regulatory requirements.
Justification for not investigating a complaint needs to be documented.
If the investigation reveals that activities outside of the organization contributed to the complaint, then relevant information needs to be exchanged between the parties.
Records shall be maintained.
8.2.3, Reporting to regulatory authorities: New requirement that if applicable regulatory requirements require notification of complaints that meet specified reporting criteria of adverse events or issuance of advisory notices, the organization shall document procedures for providing notification to the appropriate regulatory authorities.
Records of reporting to regulatory authorities shall be maintained.
8.2.6, Monitoring and measurement of product: Records need to identify the test equipment used to perform measurement activities.
8.3, Control of nonconforming product: The documented procedure must also define the responsibilities and authorities for the identification, documentation, segregation, evaluation and disposition of nonconforming product.
The “evaluation” must include a determination of the need for an investigation and notification of any external party responsible for the nonconformity.
Records of the evaluation/investigation/rationale for decisions must be maintained.
Actions in response to nonconforming product detected before delivery (now in 8.3.2) are separated from actions in response to nonconforming product detected after delivery (now in 8.3.3).
8.3.2: Nonconforming product accepted by concession only if justification is provided, approval is obtained and applicable regulatory requirements are met.
8.3.3: The organization shall document procedures for issuing advisory notices in accordance with applicable regulatory requirements. Procedures shall be capable of being implemented at any time. Records shall be maintained.
8.4, Analysis of data: The required procedure shall now include determination of appropriate methods, including statistical techniques and the extent of their use.
The analysis of data needs to include input from audits and service reports, as applicable.
8.5.2, Corrective action
8.5.3, Preventive action: Required procedure(s) need(s) to include a verification that the corrective/preventive action does not adversely affect the ability to meet applicable regulatory requirements or the safety/performance of the device.