13485 revision: What it means for medical device OEMs and their supply chains

The medical technology industry has gone through some changes in the last 14 years, as has its regulatory environment, and it was time that ISO 13485 reflected that evolution. The global standard for medical device quality management systems recently underwent its first revision since 2003, and it contains a number of changes that must be taken into account by medical device manufacturers and their critical suppliers. And, yes, there is a deadline: Companies must show compliance to ISO 13485:2016 by March 1, 2019. That might seem a ways off, but Notified Bodies have a lot on their plate right now, and audits are taking longer than ever before. PlasticsToday checked in with Garth Conrad, Vice President, Quality, at C. R. Bard, now part of BD, to learn more about how the revision affects the medical manufacturing space.

“There are three things I would focus on in the revision,” said Conrad: The approach to risk management, greater convergence with FDA CFR Part 820 and supply-chain management.

Previously, ISO 13485 essentially compartmentalized risk management activities around product development and post-market complaints. “The revision comprehensively takes risk management and applies it throughout the controls of a quality management system,” said Conrad. “The new version drives you to consider risk in all areas of your quality system—purchasing controls, management review and the basic documentation system for managing change control. Different levels of risk management now are incorporated into your system,” explained Conrad.

ISO 13485:2016 also integrates “more of the flavor of what you see in FDA CFR Part 820 in terms of requirements,” said Conrad. “Regulators around the world are beginning to converge to a more common set of requirements and expectations.” The European Union’s new Medical Device Regulation (MDR), which starts to go into effect in 2020, was influenced by the breast implant scandal, in which a French manufacturer of implants was found to be using non-medical grade silicone. As a result, the MDR includes a number of safeguards that were absent in the Medical Device Directive, which it replaces. “ISO 13485:2016 was drafted a little before then, but it did capture some of [the same] expectations,” said Conrad.

The third foot of this three-legged stool is supply chain management. “Regulators understand that the majority of medical devices are not made by OEMs, who have deep and wide supply chains,” said Conrad. “As such, quite a bit of information in the revision relates to purchasing controls and flow-down of requirements into the OEM’s supply base.”

While medtech OEMs are not required to work with suppliers that have ISO certification, they must ensure that suppliers have adequate quality control systems in place. “Maintaining ISO certification guarantees a certain level of compliance. If OEMs require ISO certification from their suppliers, they are in the game at a certain level of performance,” said Conrad. Other avenues are available, he added, including FDA’s Medical Device Single Audit Program (MDSAP).

Suppliers certified to ISO 13485, however, should exercise due diligence and upgrade to the 2016 revision, particularly if they are categorized as critical suppliers. “As an OEM, part of our certification when we gain CE marking or clearance requires that critical suppliers be identified and maintained as part of the certificate,” explained Conrad. “Critical supplier classification is based on the component they are producing or material or service they are delivering. It will be a little different for everybody.” Contract sterilizers would be considered critical suppliers, for example, and that classification could apply to a plastics processor to whom production is being outsourced, added Conrad.

For companies marketing medical devices in Europe this can be a do-or-die situation. After March 1, 2019, OEMs may not use components manufactured by suppliers that are not in compliance with ISO 13485:2016 until the non-compliance issue has been resolved. It is imperative for any medical device manufacturer doing business in countries that recognize CE marking to monitor the progress of their suppliers in obtaining ISO 13485:2016 certification.

Procrastination is not a viable strategy, even if the compliance deadline seems fairly distant. Auditors and Notified Bodies are stretched very thin right now, according to Conrad. Not only are they dealing with the ISO 13485:2016 revision, they are also wrapped up with MDSAP compliance, which is set to start next January, and the European Union’s Medical Device Regulation. “That’s further out—2020 to 2022—but the amount of work associated with that is immense,” said Conrad. “In our experience, the response time for audits and the certification update process has been 25 to 50% longer than in the past.”

As a final note, Conrad offered three key considerations for companies implementing the ISO 13485 revision.

First, it’s important to “perform a thorough gap assessment comparing the revised standard to your internal controls. That will set you on the right path for the things you need to do.”

Second, compliance is the beginning, not the end, of the process. “If you’re using the standard as a minimum compliance item and that’s all you do within your company, you’re missing the bar in terms of what the standard is trying to do, which is to drive a culture of improvement within your business. Use it as a guideline, but don’t stop there. Continue to improve the systems and processes you have.”

And the third thing is to do it now, stressed Conrad. “If you have gaps, you will have time to fix them before the compliance deadline.”

https://www.plasticstoday.com/medical/iso-13485-revisionwhat-it-means-medical-device-oems-and-their-supply-chains/52691156758042/page/0/1

* * * * *

Back