Understanding ISO 13485
- Εμφανίσεις: 2695
ISO 13485: 2003 represents the requirements that medical device manufacturers must incorporate into their management systems. The current document supersedes its 1996 incarnation as well as EN 46001, EN 46002 and ISO 13488.
Though based on ISO 9001, 13485 removes 9001’s emphasis on continual improvement and customer satisfaction. In its place is an emphasis on meeting regulatory as well as customer requirements, risk management and maintaining effective processes.
ISO 13485: 2003 represents the requirements that medical device manufacturers must incorporate into their management systems. The current document supersedes its 1996 incarnation as well as EN 46001, EN 46002 and ISO 13488.
Though based on ISO 9001, 13485 removes 9001’s emphasis on continual improvement and customer satisfaction. In its place is an emphasis on meeting regulatory as well as customer requirements, risk management and maintaining effective processes, namely the processes specific to the safe design, manufacture and distribution of medical devices.
13485 is in part designed to produce a management system that facilitates compliance to the requirements of customers and-preeminently-various global regulators. While being certified to 13485 does not fulfill the requirements of either the FDA or foreign regulators, the certification aligns an organization’s management system to the requirements of the FDA’s Quality System Regulation (QSR) requirements as well as many other regulatory requirements found throughout the world. Therefore, 13485 certification serves to create a management system that can be thought of as a framework on which to build compliance to various regulatory and customer requirements.
If the proper management system framework is in place it should facilitate the identification and implementation of country-specific requirements for the management system of medical device manufacturers. ISO 13485 is not specific enough to contradict country specific requirements, and should serve as a baseline management system for all.
13485 dictates that risk management must be thoroughly documented and conducted throughout a product’s entire lifecycle, from initial concept to delivery and post-delivery. However, the standard leaves the specifics to a related standard, ISO 14971: 2001, Application of Risk Management for Medical Devices. While 13485 states that a manufacturer’s management team is charged with the management of device-related risks and the development of risk management plans, 14971 defines a list of steps to be taken by management in order to fulfill risk-related requirements. While it is not mandatory that a manufacturer be 14971 certified in order to attain 13485 certification, being certified to the former standard can ease the attainment of certification to the latter.
The fact that ISO 13485 counsels the application of ISO 14971 speaks to its importance for those seeking 13485 certification. Compliance programs for both standards, when implemented together, can help manufacturers build an enterprise program for risk management and quality assurance. Evidencing the consistent assessment and mitigation of risks throughout all stages of a product’s lifecycle is important for achieving certification to both 13485 and 14971.
Issues and Trends
The purpose of 13485 certification is sometimes misunderstood. 13485 certification does not fulfill the requirements of 9001, nor is it equivalent to or have the ability to take the place of any country-specific requirement for medical device manufacturers. As previously mentioned, the standard is in part meant to serve as a means to the creation of a management system that aligns with the requirements of various regulators.
The ISO 13485 accomplishes a harmonization by writing specific medical device requirements in a generic framework that allows any specific or unique needs of local regulation to be addressed.
Medical device manufacturers also should realize the importance that risk management bears in a 13485 management system. A lot of places typically look at risk management only at the design and development function and they don’t carry it through the entire lifecycle of the product or process. People think that it is just a little snippet in time during the design and development phase.
While, medical device manufacturers are not giving risk management its due gravity in their management systems the recognition of the need for thorough enterprise-wide risk management practices is growing. Risk assessments have become a key activity that manufacturers perform throughout the product lifecycle, whether they are designing new products, choosing suppliers, inspecting finished goods or performing corrective actions based on customer complaints. A combination of increased regulation and technological advances is forcing medical device manufacturers to couple their management systems with enterprise-wide risk management programs.
13485 is no longer thought of as pertaining solely to finished medical device manufacturers. Today, such manufacturers are requiring their sub-tier suppliers to also attain 13485 certification. Medical device manufacturers want to realize better products and better services. I see it more from the financial standpoint for them-for cost savings, making sure they have good suppliers, that they’re communicating with them properly and managing them properly. This is risk management enacted to establish supplier quality, as it is difficult for a manufacturer to single-handedly regulate the quality programs of its suppliers.
The Certification Process
Like any ISO certification, medical device manufacturers wishing to obtain 13485 certification first need to educate themselves on the requirements of regulators and customers, as well as what a 13485-compliant management system will entail. Then a management system that conforms to the standard’s requirements needs to be implemented within the organization.
The first step to creating the management system should be drafting a quality manual; the quality manual outlines an organization’s goals, processes and procedures for compliance and quality management. An employee with the know-how to develop and implement such a program can create the management system internally; otherwise, a hired consultant with an expertise in the 13485 market can be used. After the quality manual has been written and a management system has been implemented, the organization needs to seek a certification body it is comfortable with.
When seeking a certification body, the organization needs to be sure that the registrar is accredited by an accrediting body to include 13485 certification in their scope. The organization seeking certification should ask to see credentials and references from a prospective registrar.
It also is important to keep the target market in mind. For instance, if a medical device manufacturer wants to sell in North America, it should seek certification through a registrar accredited by a North American accreditation body to ensure they will meet country-specific or customer requirements.
If a consultant is required, the organization needs to be sure that the prospect has expertise in 13485, and requesting referrals from an accredited registrar also can aid in finding the right match. It is important that the consultant understands the organization’s business, that the consultant has dealt with organizations of a similar size before and has had experience with similar product lines.
Also, an organization should be wary of consultants that endeavor to radically change a management system that is already performing well. The consultant should come in and align their knowledge with your requirements and the customer requirements, and that will work time after time.
The steps to attaining 13485 certification are similar to those of 9001, with some type of off-site document review followed by a preassessment and then assessment. After certification, an organization will be subject to on-going surveillance by its certification body. The duration of the assessment is contingent on an organization’s scope-its size, number of personnel, and type and complexity of products manufactured. Taking these elements into consideration, an organization can expect an assessment to last anywhere from a couple of days to more than a month.
The frequency of surveillance assessments will be determined by an organization’s scope as well as its performance, though they will usually be conducted annually or semi- annually. However, organizations should expect a complete reassessment three years after initial certification. A surveillance assessment takes into account concerns such as the fulfillment of management responsibilities, the execution of internal audits and how an organization is performing in relation to the state of the industry and customer expectations.
ISO 13485 Tomorrow
An increase in 13485 certification and further regulatory harmonization are possibilities in the standard’s future. At present few organizations voluntarily seek this sector-specific certification, but that that will change as customers elect to mandate it.
Reference Quality Magazine