ISO 13485:2016 & MDSAP: How to Prepare Your QMS Now

No matter how confident you are in the current state of your QMS, the next three years will challenge even strongest quality systems.

New international regulatory demands—ISO 13485:2016 and The Medical Device Single Audit Program (MDSAP)—both require an even tighter grip on quality management processes. 

These new rules and revisions stretch throughout the QMS, especially for those managing large networks of suppliers and vendors. Document management, change control, supply chain, product lifecycle, as well as device usability and postmarket surveillance requirements will all be affected. 

To give you an idea of what’s coming, we’ve summed up the key takeaways medical device companies should be aware of regarding these new rules.

Processes Affected by ISO 13485:2016

ISO 13485:2016, which will ultimately replace the previous version from 2003, won't just apply to medical device companies. It will also impact suppliers and other third parties that provide products or product components, including QMS-related services for the company. 

Regulators point out that the requirements of ISO 13485:2016 are applicable to organizations regardless of size and type, except where explicitly stated.

[Free White Paper:] Preparing for the Medical Device Single Audit Program (MDSAP)

That means wherever regulations are specified to apply to medical devices, they also apply equally to associated services. Even if a process is not conducted by the contracting organization, the company is still responsible and accountable for monitoring, maintaining, and controlling that process as part of its QMS.

Speaking to industry representatives at a recent RAPS conference, Kim Trautman, former FDA associate director for international affairs at the CDRH made it clear that those who manufacture or are otherwise active in the delivery of devices will have to address these requirements one way or another.

“You might not want to do this project, but if you’re marketing pretty much anywhere in the major countries or jurisdictions of the world, [ISO] 13485 is—in some way, shape or form—a requirement, and we have to learn how to deal with it.”

Changes Between ISO 13485:2003 and ISO 13485:2016

ISO representative Maria Lazarte, offered a list of significant changes from the technical committee for ISO 13485. These include:

• Incorporating risk-based approaches beyond product realization. Risk is considered in the context of the safety and performance of the medical device and in meeting regulatory requirements
• More linkage with regulatory requirements, particularly for regulatory documentation
• Application to organizations throughout the lifecycle and supply chain for medical devices
• Harmonizing software validation requirements for different software applications (QMS software, process control software, software for monitoring and measurement) in different clauses of the standard
• Planning and documenting corrective action and preventive action, and implementing corrective action without undue delay
• Emphasis on appropriate infrastructure, particularly for the production of sterile medical devices, and additional requirements for validating sterile barrier properties
• Additional requirements in design and development and consideration of usability, use of standards, verification and validation planning, design transfer and design records
• Emphasis on complaint handling and reporting to regulatory authorities in accordance with regulatory requirements, and consideration of post-market surveillance 

MDSAP to Be Fully Implemented by 2019

In addition to new ISO standards, medical device regulatory teams have another looming challenge: The International Medical Device Regulators Forum’s Single-audit Program (MDSAP).

Expected to be fully implemented by 2019, the program’s goal of allowing a single regulatory audit of medical device manufacturers’ QMS to satisfy the needs of multiple agencies should prompt most companies to start preparing now.

According to Fabio Pereira Quintino, chairperson of the MDSAP Regulatory Authority Council, the smooth transition from the pilot program to full implementation gives no reason to believe current deadlines won’t be met.

In essence, MDSAP enables medical device manufacturers to contract with an authorized third party auditing organization to conduct a single audit which satisfies all regulatory authorities in a given market. Besides FDA, other authorities participating in the program include those in Australia, Brazil, Canada, and Japan.

In September of 2016, FDA’s director of the Division of International Compliance Operations announced that the Agency is recognizing MDSAP audit reports as a substitute for FDA Establishment Inspection Reports, making it clear that FDA is taking the program very seriously and intends to follow up with all forthcoming regulatory requirements.

How to Start Preparing for MDSAP Now 

The best first step to preparing for MDSAP audits is to put your current internal audit and/or record requirements under the microscope. Compare your processes against forthcoming requirements and begin creating your plan to fill the gaps, if there are any.

Greater transparency in your audit process will also be essential. Here are some steps you can take to start shifting to the approach regulators will expect to see: 

• Increase the sample size and frequency of records audits
  
• Get management involved in reviewing reports of records audits and the records themselves
  
• Give management in-person access to reviewing sampled records
  
• Challenge your ability to produce requested records in a timely manner
  

In an increasingly global regulatory environment, new regulations like these have the potential to streamline quality management processes and bring new operational efficiencies to manufacturers––but it comes at a price. A new level of requirements are beginning to align with a greater push toward quality as an enterprise-wide expectation rather than department-level endeavor.                                                                                                                                               

Those that take the opportunity to prepare for new ISO requirements and MDSAP audits not only position themselves for compliance in a global regulatory environment, but also position themselves for success in meeting other challenges of the future.