Have you started implementing ISO 13485:2016 yet?
If not, I’m afraid I have to tell you that you’re lagging behind at this point. You have one year to go before compliance is an absolute requirement.
Did you just break out in a cold sweat? Not to worry. You do have time to act, but you need to do so now. Here’s what you need to know with one year left to go…
The Time to Act on ISO 13485:2016 Is Now
ISO 13485 was revised back in March 2016 and has a three-year adoption period. If you were certified under the previous version, you must be recertified by March 2019.
Many people still seem to think that they have plenty of time to get this sorted out, but I’m here to present the case that you really do not. The time to get moving is now.
A lot will be dependent on your registrar, the ISO-authorized auditor that comes in to inspect your company. Expect them to have a heavy workload and busy timelines with the changes happening. It may take them six to nine months before they can come in to do a recertification.
For your business, this means you only really have about three months to get some important things rolling that need to be done to prepare for certification. If you don’t yet have a copy of the ISO 13485:2016 standard, please make that your first order of business. There are quite a number of differences between it and the old standard, all of which you’ll need to familiarize yourself with.
These are not trivial changes. Once you get a copy, read the standard, but I’d encourage you to go to Annex A, near the end of the document, first. This compares the clauses of the 2003 version to the 2016 version to help paint a picture for you of what is different. Some might seem trivial or just a simple re-wording, but there are plenty of changes that are actually significant. Get the lay of the land by turning to Annex A first to understand what you’re up against.
Assess Your Current State
Now, assuming you have a quality system in place, you’re going to need to dive in, assess your current quality system and conduct a GAP analysis, a form of audit that helps you to analyze the differences between what you have and the 2016 standard. We have a checklist to make a full comparison. You can download that free from the box link in this article.
Procrastination: Could it Pay Off?
There is a caveat you should know about. At this point, your procrastination over preparing for ISO 13485:2016 may not have been without merit. There’s another new international initiative coming in to affect companies, particularly those looking to go into Canada or other markets, and that’s the Medical Device Single Audit Program (MDSAP). This is mandatory for Health Canada and effective about a year from now also.
What does this mean? If you’re conducting a GAP analysis for the 2016 version of the 13485 standard, I’d encourage you to look at MDSAP at the same time if it will impact your company. Look for the gaps that you need to fix in order to meet both.
Document a Plan
Once you go through the GAP analysis, it will identify the processes and procedures that need updating. You’ll then know how big a job you have ahead of you, and it’s a good idea to prepare a plan to take you through these quality system updates. Somewhere along the way, you should be in communication with your registrar and have a timeline for when you can expect to be audited, so that you know what you need to have done and by when to meet expectations.
Your documented plan to meet the requirements of the new standard is an excellent thing to have to serve as a body of evidence for an auditor. It shows that you’ve done your homework and put some thought into how your company will comply. I’ve heard of plenty of companies that already went through the 2016 update followed this exact approach and commented that the ISO auditor actually spent a lot of time reviewing their GAP analysis and quality plans. These went a long way toward the successful outcome of their 2016 certification process.
Prioritize the Key Things
As you start to identify gaps and capture this information in a quality plan, there will be things that you need to update. You probably don’t have infinite resources available, so you’re going to need to prioritize. Put the high time, effort, and attention items at the top of the pile and allocate resources to them.
You need to elevate the priority of preparing for ISO 13485:2016. This is now an imminent need. Even if this means you need to put some development on hold, it’s important that you do what is required to get it done. If you do not, you may not get your certification on time and this will preclude you from participating in certain markets. You got your certification to begin with in order to gain market entry, right? This could have a serious bottom-line impact on your business.
Set up a schedule, be realistic, but be as aggressive with it as possible. Ideally, you want to be able to verify that any changes you make are effective prior to having your ISO certification visit.
There are a couple of areas I encourage you to dive into in more detail, largely because (as you will probably recognize) these often get a lot of focus at audits. One of those is supplier management. This is especially as it relates to identifying risk-based processes with your suppliers.
Another area is CAPA. These are consistently the number one reason why companies registered with FDA get warning letters or observations. Spend some time looking at your complaints and customer feedback because these are often a focus. Do you have good, sound risk-based processes?
The time to prepare for implementation of ISO 13485:2016 is now. Further delays will risk that you don’t have recertification on time (by March 2019).
Take the following key steps if you haven’t yet started:
- Get a copy of ISO 13485:2016 and familiarize yourself with it
- Pay particular attention to Annex A where key differences are outlined
- Look also at the new MDSAP if you’re planning on being in the Canadian market
- Make contact with your ISO registrar and establish a timeline
- Conduct a GAP analysis of your quality systems
- Write a quality plan for making any required updates
- Prioritize tasks—devote resources to getting these things done so that you can obtain your certification on time
Remember, your ISO registrar can also be a good source of information. Try to work with them and develop a clear understanding of what they’ll be looking for. You’re more likely to do well with a well-documented, clearly structured plan rather than trying to scramble through at the last minute!