The clock is ticking: in less than a year—February 28, 2019—previous ISO 13485:2003 certificates will no longer be valid. And if you plan to participate in the Medical Device Single Audit Program (MDSAP), that deadline is even earlier, as you’ll need to make the switch by the first of the year.
If you feel like you’re behind schedule, taking concrete action can help eliminate some of the stress. Let’s look at 5 practical steps you can focus on right now to make sure you’re ready ahead of the deadline.
1. Perform a Gap Analysis Against ISO and FDA Requirements
If you haven’t already, you need a firm grasp on where you currently stand regarding the requirements you need to comply with. From there you can make a comprehensive list of gaps that you need to address.
In addition to purchasing and downloading ISO 13485:2016 itself, several additional resources can help you get started:
- International Medical Device Regulators Forum (IMDRF): On the IMDRF website, you can find Quality Management Systems (QMS) audit guidelines for medical devices [PDF].
- FDA regulations: If you sell medical devices in the U.S., you’ll need to comply with all requirements in 21 CFR part 820.
- FDA inspection guidance: In addition to the regulatory requirements, the FDA also provides guidance on QMS inspections.
So what do you do if you have a laundry list of items that need to be fixed? Of course you’ll need a plan to correct them all, but you also need a way to prioritize them. Many experts recommend using risk as a guideline, assigning a risk level to each gap and tackling high-risk items first.
2. Evaluate Your Risk Management Processes
Risk management isn’t just important in terms of tracking compliance obligations. In fact, regulators expect to see that you use Risk Management tools throughout your QMS and quality processes.
These tools should include:
- Design controls and planning tools such as Failure Modes and Effects Analysis (FMEA).
- Defined Supplier Quality Management controls to prevent safety failures originating from supply chain partners.
- Employee training tracking systems to ensure everyone is up-to-date on best practices, internal protocols and any required certifications.
- Complaint Handling and Corrective Action tools to ensure fast resolution of any problems identified either within your facility or by consumers.
One key point to remember is that a one-and-done risk assessment doesn’t count as risk management. True risk management is a continuous cycle of hazard identification, risk assessment, corrective action and continuous monitoring—steps that correlate with the Plan-Do-Check-Act cycle.
3. Get Your QMS Documentation in Order
Not surprisingly, QMS documentation is a key part of ISO 13485 certification and compliance. You’ll want to formalize your Document Control system to centralize a long list of documents such as:
- Quality policy and quality manual, including documented procedures for all processes.
- Medical device files.
- Records related to employee training, management participation and equipment maintenance and calibration.
- Product realization documents ranging from customer requirements review to design and development files.
- Computer validation processes and records.
- Supplier quality agreements.
- Monitoring and analysis results.
4. Validate Your Software Systems
ISO 13485:2016 contains stronger requirements around validation of key systems and applications, including:
- Enterprise Resource Planning (ERP) systems.
- Laboratory Information Management Systems (LIMS).
- Any other software used in your product development or maintenance processes.
Validation includes running test scripts for Installation Qualification (IQ), Operational Qualification (OQ) and finally, Performance Qualification (PQ). The process can be time-consuming—think on the timescale of several months—so it pays to plan ahead on this one. If you use an automated validation service, that can reduce the time required by as much as 75%.
5. Focus on Solving Past Problems
An important practical step to take as you prepare for the transition to the new ISO 13485 standard is to look back at previous issues.
You’ll want to pay special attention to things like previous customer complaints, corrective actions and failed audit findings. More than just verifying that the individual problems themselves have been resolved, you’ll want to also ask how those lessons learned apply to other processes and potential risks. This is the very essence of risk-based thinking, and you can bet that regulators will be looking hard at prior compliance issues.
Finally, as you work through these steps, consider how your findings can be incorporated into your internal audit program. Only then can you ensure that consistent checks are in place to address gaps and permanently maintain the improvements you make.