ISO 13485 & MDSAP Deadlines are Fast Approaching (And You Need a Notified Body)

In less than four months, come March 2019, the transitional period for medical device companies to comply with the new ISO 13485:2016 standard will end.

With so many changes that must be implemented to comply with this rigorous standard, companies should not wait any longer to begin the transition. Lack of preparation could lead to penalties impacting an entity's ability to market their medical devices.

What’s Changing From ISO 13485:2003 to 13485:2016?

The driver behind the new version of the ISO 13485 standard is the promotion of the global harmonization of regulatory requirements as imposed by national regulators.

Changes are based on modifications in quality management systems, European and international legislation and technological progress.

Primary changes include:

• Attention to the entire life cycles of products/services: design, production, logistics, installation and maintenance

• Stricter controls throughout the supply and distribution chain

• Focus on risk management, pertaining to medical devices and applying risk-based approaches to QMS procedures

• Higher specificity of requirements during the design phase

• Attention to the post-market phase associated with the management of complaints and surveillance.

Why To Certify Your QMS According To The ISO Standard

The ISO 13485 standard applies to medical devices and specifies regulatory requirements for quality management systems. Manufacturers must develop and demonstrate production systems that ensure release of safe, high-quality medical devices.

This standard also provides companies with the ability to improve internal processes, efficiency and performance. ISO 13485 certification is evidence that a company is making medical devices or offering services that meet or exceed market standards and regulatory requirements.

Relationship Between The MDSAP And ISO 13485:2016

Global regulators routinely evaluate product designs, processes, and product records to ensure efficacy, sustainability and safety of medical devices. Their job is to ensure companies possess the ability to provide the market with the safest products possible. The primary way regulators accomplish this is through certification of a company’s quality management system.

The Medical Device Single Audit Program (MDSAP) was developed as a common requirement, which several country regulatory bodies accept as part of demonstrating quality system requirements have been addressed.

The MDSAP allows a recognized Auditing Organization (AO) to conduct a single regulatory audit of a medical device manufacturer that satisfies the relevant requirements of the regulatory authorities participating in the program. Participating countries currently include Canada, USA, Brazil, Japan and Australia.

The MDSAP program utilizes ISO 13485:2016 as the primary standard against which the company’s quality system is assess against. Additionally, specific participating country requirements will also be included in the assessment based on the customer’s request.

It’s important to note, MDSAP certification can only be provided by a recognized Auditing Organization. ISO 13485:2016 certification from a certification body which is not a MDSAP accredited AO does not fulfill the MDSAP requirements.

If your company has yet to consider ISO 13485:2016 or MDSAP certification, understand that time is running out as both deadlines are quickly approaching.

Health Canada’S MDSAP Certification Requirement in January 2019

All makers of Class II, III and IV medical products sold in Canada are expected to transition to the MDSAP. To keep medical device licenses active, manufacturers must submit documentation proving they have completed the transition by December 31, 2018.

Health Canada, which regulates medical devices in Canada, has adopted MDSAP as the only way manufacturers can demonstrate compliance with QMS requirements of the their approval requirements. The MDSAP will replace the CMDCAS program even when manufacturers intend to sell products only in Canada.

Beginning January 1, 2019, MDSAP certificates only will be accepted, and CMDCAS certification will no longer be accepted. However, in order to minimize disruption in the market, Health Canada issued an adjustment to their transition plan,

Health Canada will not take enforcement action against manufacturers that can demonstrate that they have undergone an MDSAP audit in 2018, but have not received an MDSAP certificate by December 31, 2018.

The Department recognizes that some manufacturers are facing challenges in scheduling MDSAP audits in 2018, and may not be issued their MDSAP certificate by December 31^st, 2018 (as there is often a delay between the timing of the audit and the issuance of the certificate).

To facilitate a timely transition to MDSAP, manufacturers who underwent an initial recertification audit to ISO 13485 under CMDCAS (on or after January 1, 2016), will now be allowed to transition into the MDSAP during the surveillance audit process.

Submission of proper documentation to Health Canada is necessary to show manufacturers have begun the transition. A medical device license could be suspended if makers do not demonstrate they have undertaken transition to the MDSAP. Health Canada has provided additional information regarding the transition plan.

Relationship Between Risk Management and ISO 13485:2016

Central to medical device regulations, risk management has additional importance and impact, as ISO 13485 expands on its previous application to activities associated with the entire product realization processes--design, development, and manufacturing--of a product. Now, principles of risk management involve processes beyond design and development, like training and purchasing.

Section 4.2.1 of the ISO 13485:2016 QMS states, “Organizations will apply risk-based approaches to controlling appropriate processes that are needed for quality management systems”. Essentially, this means anything affecting a quality system must be viewed from a risk perspective.

ISO 13485:2016 references the medical device industry standard for risk management, ISO 14971. ISO 14971 defines the risk management process steps involved with planning, evaluating, assessing, controlling, and mitigating product risks. ISO 13485 embraces this risk management methodology as a means to establish a risk-based QMS.

How Device Makers Can Gain QMS Certification To NeW Standard

The new version of the international quality management standard for the medical device industry replaces the previous ISO 13485. Beginning March 2019, certifications in accordance with ISO 13485:2003 will no longer be considered valid.

Companies must update their QMS through:

• Completion of specific training to help them understand important changes and acquire necessary skills

• Conducting gap analysis of processes and policies to comply with previous and new standards.

• Creating a transition plan to ensure compliance with the new requirements

• Conducting internal audits to confirm system gaps and appropriateness of procedure implementation

• Undertaking management reviews that include new inputs/outputs mandated by the new version of standards. Regular reviews are recommended during the transition so that management feedback is received and implemented, if applicable

• Companies not currently ISO 13485 certified will have to create their quality management system to meet requirements and begin the process of certification with an accredited certification body.

This article was authored by ECM (Ente Certificazione Macchine).

ECM (Ente Certificazione Macchine) is accredited by Accredia for the certification of Quality Management Systems to EN ISO 13485:2016 and is also a Notified Body (#1282) designated for the EU Medical Device Directive 93/42/EEC (MDD). ECM supports companies in the complex transition process by performing all the services required for the issuance of certification. For more information, speak to a notified body today.