Speaking at RAPS' 2016 Regulatory Convergence, leading medical device quality systems expert and former FDA official, Kim Trautman, urged attendees to begin their transition to the recently released ISO 13485:2016 as soon as possible.

Trautman, who left her position as associate director for international affairs at FDA's Center for Devices and Radiological Health (CDRH) for a position at NSF International earlier this year, was instrumental in writing FDA's 1996 Quality System Regulation and has worked on the revision of ISO 13485.

"You might not want to do this project, but if you're marketing pretty much anywhere in the major countries or jurisdictions of the world, [ISO] 13485 is—in some way, shape or form—a requirement, and we have to learn how to deal with it," Trautman said.

ISO 13485:2016

In February, the International Organization for Standardization (ISO) released its long-awaited revision to ISO 13485, the global standard for medical device quality management systems (QMS), replacing the previous version from 2003.

In order to give companies time to adjust, ISO has instituted a phased three-year transition period to the new standard. During the first two years of the transition period, companies can get accredited for either ISO 13485:2003 or ISO 13485:2016; during the third year accreditation will only be given for ISO 13485:2016.

After the transition period ends, any existing certifications under ISO 13485 will no longer be valid.

The Time is Now

However, Trautman says that companies cannot rely on having a full three years to switch over to the new version.

According to Trautman, "it's discouraged to have any new certifications or recertification to the old version. So, in the ISO world, as of six months from now, they're expecting you to already be changed."

"So, when you think you have three years, you don't have three years," Trautman said. "You really need to look at each and every one of your certificates and find out when [it] ends."

Furthermore, Trautman warns that the culmination of new medical device regimes, such as the Medical Device Single Audit Program and new EU medical device and in vitro diagnostics regulations, will put strain on the companies doing ISO 13485 audits and certifications.

"This is the calm before the storm…go for that 2016 version as soon as you can," Trautman said.

"If you think, 'well, I'm really not quite ready now and I've got my audit that's coming up in January, so I'm just going to go ahead and stick with the old version, and I think I'm just going to…spend the money and get a new certification at the end of 2018.' That's not going to happen. Look at what's lining up here…The people who are doing these audits and certifications are not going to have the manpower and the resources to add in a whole heck of a lot of people that are putting in additional certification or recertification audits," Trautman said.

Changes to Look Out For

Trautman also advised the audience to be wary of some of the changes in ISO 13485:2016 from the previous version.

One issue Trautman said companies need to be aware of is that ISO 13485 requires companies to conform to country-level regulatory requirements for each country in which they market a product in order to be certified or recertified under ISO 13485:2016.

For example, Trautman said, a device company in Europe that hires a Notified Body to certify them for 13485 must be in compliance with the regulatory requirements of all the countries they market products to.

"You market all over the place, not just Europe…this standard now says that any place you market your product, all those regulatory requirements are part and parcel of the standard. If you are noncompliant with any one of those jurisdictions' regulatory requirements, you are now not in compliance with 13485. So even though you hired that Notified Body to come in and audit you for Europe, they have the obligation under 13485, if you have a nonconformance related to labeling in China, they have to write that up and it's a nonconformance against 13485 and your assessment for that purpose," Trautman said.

According to Trautman, companies must pay attention to the scope of the certification issued to other companies they work with.

"The scope of this standard now is not just to finished device manufacturers, but to any organization that does any production or service in the lifespan of the medical device. Now, that's why the applicability aspect has changed. Before what was applicable or not applicable was pretty straightforward…now a manufacturer or organization can exclude a heck of a lot more," Trautman said.

This means that companies must be fully aware of the scope of the certification held by anyone they do business with, she explained. "You have to really know who is issuing that [certification] and under what scheme, as well as the scope of that QMS. All for you to really be able to depend upon what that certificate means to you and how you're utilizing it within your risk-based system within the new 13485," she said.

Additionally, Trautman said that the requirements for employee training will be stricter under ISO 13485.

"Long gone are the days that you can have a training course and someone can sign their name and say, 'Yup, I put my butt in the chair and I attended the course,' [or] give somebody a slide deck of PowerPoints and say 'okay, go through the PowerPoints.' All over the standard…the word competence is seen. You have to assess the competence. You cannot just train. You have to train and assess the competence," Trautman said.