Regulatory Open Forum

Hi RAPS forum,

For those of you who have completed or are in the process of completing their ISO 13485:2016 transition/implementation:

• What are your lessons learned?
• Which tricky items did the Notified Body ask you about? Did you disagree or have any surprises during the audit? 
• Did they provide you any tool/checklist prior to the audit? If so, are you willing to share?
• What were your biggest hurdles in implementing the ISO 13485:2016 ? Which solutions did you find to overcome them? Can you provide some practical examples?
• What helped you in a practical way to transition/implement ISO 13485:2016 ?

Thank you very much in advance for sharing your experience/examples/tools/checklists.

Hi RAPS forum,

For those of you who have completed or are in the process of completing their ISO 13485:2016 transition/implementation:

• What are your lessons learned?
• Which tricky items did the Notified Body ask you about? Did you disagree or have any surprises during the audit? 
• Did they provide you any tool/checklist prior to the audit? If so, are you willing to share?
• What were your biggest hurdles in implementing the ISO 13485:2016 ? Which solutions did you find to overcome them? Can you provide some practical examples?
• What helped you in a practical way to transition/implement ISO 13485:2016 ?

Thank you very much in advance for sharing your experience/examples/tools/checklists.

http://my.aami.org/store/detail.aspx?id=13485-ISO-PDF

Hi RAPS forum,

For those of you who have completed or are in the process of completing their ISO 13485:2016 transition/implementation:

• What are your lessons learned?
• Which tricky items did the Notified Body ask you about? Did you disagree or have any surprises during the audit? 
• Did they provide you any tool/checklist prior to the audit? If so, are you willing to share?
• What were your biggest hurdles in implementing the ISO 13485:2016 ? Which solutions did you find to overcome them? Can you provide some practical examples?
• What helped you in a practical way to transition/implement ISO 13485:2016 ?

Thank you very much in advance for sharing your experience/examples/tools/checklists.

This "Practical Guide" is helpful for understanding the basis for ISO 13485:2016 requirements and getting clues to ensure conformity.

It costs only 88 CHF (about USD 90) if purchased directly from ISO (no affiliation) and It includes the full content of the standard itself, together with Intent and Guidance information.

Some people (including me) have been confused about Medical Device File (MDF) requirements per clause 4.2.3. I think this is because the contents listing (4.2.3.a through f) appears to be more narrow than what the first sentence of 4.2.3 specifies.

At first glance (especially if you skip over the first sentence), the contents listing (4.2.3.a through f) appears to be equivalent to what FDA calls the "Device Master Record" (DMR). This interpretation is supported by the fact that device Instructions For Use (IFU) typically include a general description of the device and <g class="gr_ gr_1218 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling multiReplace" id="1218" data-gr-id="1218">its</g> intended use as required per 4.2.3.a.

However, the first sentence of clause 4.2.3 indicates that the MDF contains/references all documents needed to show conformity and compliance with ISO 13485 and regulatory requirements, respectively. That is very broad indeed!

This has become such a broad concept that it leads me to believe that all QMS documents (including records) are what comprises the MDF.
From my perspective, all of the QMS documents combined are needed to demonstrate conformity with ISO 13485 and compliance with regulatory requirements (what the first sentence of 4.2.3 requires).

Can anybody add anything to help clarify the derivation and meaning of the MDF requirements?

 

http://my.aami.org/store/detail.aspx?id=13485-ISO-PDF

Hi RAPS forum,

For those of you who have completed or are in the process of completing their ISO 13485:2016 transition/implementation:

• What are your lessons learned?
• Which tricky items did the Notified Body ask you about? Did you disagree or have any surprises during the audit? 
• Did they provide you any tool/checklist prior to the audit? If so, are you willing to share?
• What were your biggest hurdles in implementing the ISO 13485:2016 ? Which solutions did you find to overcome them? Can you provide some practical examples?
• What helped you in a practical way to transition/implement ISO 13485:2016 ?

Thank you very much in advance for sharing your experience/examples/tools/checklists.

This "Practical Guide" is helpful for understanding the basis for ISO 13485:2016 requirements and getting clues to ensure conformity.

It costs only 88 CHF (about USD 90) if purchased directly from ISO (no affiliation) and It includes the full content of the standard itself, together with Intent and Guidance information.

Some people (including me) have been confused about Medical Device File (MDF) requirements per clause 4.2.3. I think this is because the contents listing (4.2.3.a through f) appears to be more narrow than what the first sentence of 4.2.3 specifies.

At first glance (especially if you skip over the first sentence), the contents listing (4.2.3.a through f) appears to be equivalent to what FDA calls the "Device Master Record" (DMR). This interpretation is supported by the fact that device Instructions For Use (IFU) typically include a general description of the device and <g class="gr_ gr_1218 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling multiReplace" id="1218" data-gr-id="1218">its</g> intended use as required per 4.2.3.a.

However, the first sentence of clause 4.2.3 indicates that the MDF contains/references all documents needed to show conformity and compliance with ISO 13485 and regulatory requirements, respectively. That is very broad indeed!

This has become such a broad concept that it leads me to believe that all QMS documents (including records) are what comprises the MDF.
From my perspective, all of the QMS documents combined are needed to demonstrate conformity with ISO 13485 and compliance with regulatory requirements (what the first sentence of 4.2.3 requires).

Can anybody add anything to help clarify the derivation and meaning of the MDF requirements?

 

http://my.aami.org/store/detail.aspx?id=13485-ISO-PDF

Hi RAPS forum,

For those of you who have completed or are in the process of completing their ISO 13485:2016 transition/implementation:

• What are your lessons learned?
• Which tricky items did the Notified Body ask you about? Did you disagree or have any surprises during the audit? 
• Did they provide you any tool/checklist prior to the audit? If so, are you willing to share?
• What were your biggest hurdles in implementing the ISO 13485:2016 ? Which solutions did you find to overcome them? Can you provide some practical examples?
• What helped you in a practical way to transition/implement ISO 13485:2016 ?

Thank you very much in advance for sharing your experience/examples/tools/checklists.

Hi RAPS forum,

For those of you who have completed or are in the process of completing their ISO 13485:2016 transition/implementation:

• What are your lessons learned?
• Which tricky items did the Notified Body ask you about? Did you disagree or have any surprises during the audit? 
• Did they provide you any tool/checklist prior to the audit? If so, are you willing to share?
• What were your biggest hurdles in implementing the ISO 13485:2016 ? Which solutions did you find to overcome them? Can you provide some practical examples?
• What helped you in a practical way to transition/implement ISO 13485:2016 ?

Thank you very much in advance for sharing your experience/examples/tools/checklists.

Hi RAPS forum,

For those of you who have completed or are in the process of completing their ISO 13485:2016 transition/implementation:

• What are your lessons learned?
• Which tricky items did the Notified Body ask you about? Did you disagree or have any surprises during the audit? 
• Did they provide you any tool/checklist prior to the audit? If so, are you willing to share?
• What were your biggest hurdles in implementing the ISO 13485:2016 ? Which solutions did you find to overcome them? Can you provide some practical examples?
• What helped you in a practical way to transition/implement ISO 13485:2016 ?

Thank you very much in advance for sharing your experience/examples/tools/checklists.

We successfully passed our "upgrade audit" early September 2017.

I've written a few things about this issue in a related Forum thread ("Cost of transition to ISO 13485:2016")  (https://connect.raps.org/communities/community-home/digestviewer/viewthread?GroupId=97&MessageKey=adc850d2-66fc-491d-8561-43bf0165dd45&CommunityKey=5af348a7-851e-4594-b467-d4d0983b6d89&tab=digestviewer ).

Yet, see our below answer to the issues raised in your five bullet points. Beware that we are based in Europe and that we are a medium sized research and development oriented company (i.e., not a large multi-site manufacturing and marketing/sales oriented company). For almost all our certification needs, we have been working for over 25 years with one of the leading Notified Bodies (TüV SüD Product Service of Munich, Germany).

1.  Major lessons learned

(a) we have always made significant efforts to pro-actively keep our QMS up-to-date and we've always aimed at compliance with both European and USA regulations (including 21 CFR 820). So, subjects for which norms were first published or revised after the publication of ISO 13485:2003 were already firmly in place at the time of transitioning to the 2016-revision (e.g., software life cycle, usability, devices for home use, and risk management). Likewise for subjects that were known to receive a lot of attention from FDA, but much less from European regulators, and that are now finally implemented in ISO 13485:2016 (e.g., design transfer, validation of non-product software, and rational for sample sizes in design verification and validation).

(b) we started early based on available draft texts of the standard, free webinars, and a paid one day training for our QMS manager. 

2. Our Notified Body does not ask us trick(y) questions and does not have a "gotcha" attitude toward us.
    
3. For some time now, TüV does not provide their checklists anymore. Yet, you can easily find sample checklists from other sources (see the examples mentioned in the thread).
    
4. Our biggest hurdle was understanding what was meant by risk management for the QMS processes. We found a plausible answer early on in one of the free webinars we attended, had this confirmed at the abovementioned training day for our QMS manager, and then implemented this.
    
5. Our company size and structure facilitated the expeditious implementation of the required changes to our QMS. We could keep the number of staff involved with the transition effort (e.g., for updating the corresponding SOPs and WIs) to the minimum without the need for large working groups or committees.

With kindest regards and best of luck with your transition !

Hi RAPS forum,

For those of you who have completed or are in the process of completing their ISO 13485:2016 transition/implementation:

• What are your lessons learned?
• Which tricky items did the Notified Body ask you about? Did you disagree or have any surprises during the audit? 
• Did they provide you any tool/checklist prior to the audit? If so, are you willing to share?
• What were your biggest hurdles in implementing the ISO 13485:2016 ? Which solutions did you find to overcome them? Can you provide some practical examples?
• What helped you in a practical way to transition/implement ISO 13485:2016 ?

Thank you very much in advance for sharing your experience/examples/tools/checklists.

We successfully passed our "upgrade audit" early September 2017.

I've written a few things about this issue in a related Forum thread ("Cost of transition to ISO 13485:2016")  (https://connect.raps.org/communities/community-home/digestviewer/viewthread?GroupId=97&MessageKey=adc850d2-66fc-491d-8561-43bf0165dd45&CommunityKey=5af348a7-851e-4594-b467-d4d0983b6d89&tab=digestviewer ).

Yet, see our below answer to the issues raised in your five bullet points. Beware that we are based in Europe and that we are a medium sized research and development oriented company (i.e., not a large multi-site manufacturing and marketing/sales oriented company). For almost all our certification needs, we have been working for over 25 years with one of the leading Notified Bodies (TüV SüD Product Service of Munich, Germany).

1.  Major lessons learned

(a) we have always made significant efforts to pro-actively keep our QMS up-to-date and we've always aimed at compliance with both European and USA regulations (including 21 CFR 820). So, subjects for which norms were first published or revised after the publication of ISO 13485:2003 were already firmly in place at the time of transitioning to the 2016-revision (e.g., software life cycle, usability, devices for home use, and risk management). Likewise for subjects that were known to receive a lot of attention from FDA, but much less from European regulators, and that are now finally implemented in ISO 13485:2016 (e.g., design transfer, validation of non-product software, and rational for sample sizes in design verification and validation).

(b) we started early based on available draft texts of the standard, free webinars, and a paid one day training for our QMS manager. 

2. Our Notified Body does not ask us trick(y) questions and does not have a "gotcha" attitude toward us.
    
3. For some time now, TüV does not provide their checklists anymore. Yet, you can easily find sample checklists from other sources (see the examples mentioned in the thread).
    
4. Our biggest hurdle was understanding what was meant by risk management for the QMS processes. We found a plausible answer early on in one of the free webinars we attended, had this confirmed at the abovementioned training day for our QMS manager, and then implemented this.
    
5. Our company size and structure facilitated the expeditious implementation of the required changes to our QMS. We could keep the number of staff involved with the transition effort (e.g., for updating the corresponding SOPs and WIs) to the minimum without the need for large working groups or committees.

With kindest regards and best of luck with your transition !

Hi RAPS forum,

For those of you who have completed or are in the process of completing their ISO 13485:2016 transition/implementation:

• What are your lessons learned?
• Which tricky items did the Notified Body ask you about? Did you disagree or have any surprises during the audit? 
• Did they provide you any tool/checklist prior to the audit? If so, are you willing to share?
• What were your biggest hurdles in implementing the ISO 13485:2016 ? Which solutions did you find to overcome them? Can you provide some practical examples?
• What helped you in a practical way to transition/implement ISO 13485:2016 ?

Thank you very much in advance for sharing your experience/examples/tools/checklists.

Hi RAPS forum,

For those of you who have completed or are in the process of completing their ISO 13485:2016 transition/implementation:

• What are your lessons learned?
• Which tricky items did the Notified Body ask you about? Did you disagree or have any surprises during the audit? 
• Did they provide you any tool/checklist prior to the audit? If so, are you willing to share?
• What were your biggest hurdles in implementing the ISO 13485:2016 ? Which solutions did you find to overcome them? Can you provide some practical examples?
• What helped you in a practical way to transition/implement ISO 13485:2016 ?

Thank you very much in advance for sharing your experience/examples/tools/checklists.

Thank you all, in particular Carrie and Mark, for your contributions to this thread. It seems we hit an interesting point of discussion, where we need to do "the right thing" when it comes to our QMS, i.e., not too little (compliance is not an option, it is mandatory) and not too much either (no waste of our valuable resources). 

Regarding the (free) webinar that mentioned the notion of "risk management for the QMS processes", I believe this was a November 2016 webinar by Pilgrim entitled "ISO 13485:2016 – Will it be a marathon or a sprint ?". Risk relates to not meeting regulatory requirements. One of the presenters was Mr. Dan O'Leary, who is a regular contributor to this RAPS Regulatory Forum, and if he reads this thread he could maybe speak to this. We have a copy of the webinar slides on file and we are willing to share it with you (please, provide your e-mail address and we will send them to you). 

The one day training that confirmed our intent to implement a form of (regulatory) Risk Management for the QMS processes was given by a Notified Body other than our own Notified Body (which is TüV SüD Product Service of Munich, Germany). We specifically asked the trainer whether we were on the right track with this and her answer was affirmative. 

As a side note : of course and like most of you, within our QMS we had already implemented many risk management activities as per ISO 14971, including performing risk assessments of our manufacturing processes, and the same for risk-based decision making (which already goes back to the preamble of 21 CFR 820 of 1996).

To further the discussion and to arrive at the "right" understanding of the intent of ISO 13485:2016, clause 4.1.2b, may I recommend that you have a look at : 

• ISO 13485:2016, clause 4.1.2b (of course) – it talks about "a risk based approach to the control of the appropriate processes needed for the quality management system" 
• ISO 13485:2016, clause 0.2 "where the term "risk" is used …. or meeting applicable regulatory requirements" "the term "regulatory requirements" is limited to requirements for the quality management system and the safety and performance of the medical device". 
• Guidance provided by ISO in their Handbook entitled "ISO 13485:2016 Medical devices – A practical guide", pp. 31-38. This Handbook was issued a few weeks ago, well after we started our transition to rev2016 and a few weeks after we already successfully passed our "upgrade audit". On p. 35 it is written "In addition, 4.1.2 requires that the risk-based approach is also applied to and within the appropriate processes in your QMS. " Note that at least the wording is somewhat different from the wording in the norm.

Thereafter, please share in this forum how you feel about the notion (or not) of managing regulatory risks of your QMS processes.

To be continued … Have a great weekend and with kindest regards,