New changes to ISO 13485, published this spring as EN ISO 13485:2016, mean U.S. medical device companies that sell in Europe will need to integrate risk-based approaches throughout their quality management systems. The emphasis on risk management is the biggest of several changes in the third version  of ISO 13485.

The new European standard aligns closely with regulations in FDA 21 CFR 820, meaning for medical device makers already doing business in this country, many of the changes should be familiar. Unlike updates to several ISO standards this year, the structure of EN ISO 13485:2016 is not aligned with ISO 9001:2015, because the two standards were developed in parallel. Its alignment instead follows ISO 9001:2008.

For insight into how the changes will affect organizations learning a risk-based approach, Quality spoke with Katherine Cox, senior director of quality assurance of Procyrion, Inc., a Houston-based medical device firm developing a next-generation circulatory pump for the underserved NYHA Class III heart failure patients; and Anne Holland, CEO of QA Consulting.

Quality: what do you think of the increased focus on risk management?

KATHERINE COX: It makes a lot of sense, and actually this is the second small startup company that I’ve worked with, and we have been doing this, it’s already been a part of our system. So to see that it’s something that can be pushed out broader, it makes a lot of sense. It makes a lot of business sense, not only from the safety of the user and the patient, but it makes a lot of business sense (for start-ups), because you just don’t have the financial resources, or the people resources to not be doing things smartly. And to me this helps you make smart decisions.

What quality management aspects will now need to focus on risk?

COX: Rather than only applying risk assessment to the use of your device and its design, it’s requiring you to take that assessment and implement risk-based decision making throughout your organization. It could be through your receiving inspection, your supplier selection, your corrective and preventive action, your decision making on when to issue a corrective action, or when not to. It’s saying to always reflect back on the safety and the user of your device and that risk assessment, which provides you with “what are the key critical, highest-risk items,” as well as those that are not as high of a risk. So that when an issue comes up, or you’re looking at a component and you go back to your risk assessment and you use that to be able to select your sampling plan, or the key trigger that would require you to issue a corrective and preventative action, or to maybe even determine that your supplier might need to be disqualified because he cannot meet your requirement.

When choosing suppliers, how would a risk-based approach differ from previous methods a manufacturer might have used?

COX: If I didn’t have some way to truly, specifically justify why I’m not going to require suppliers to do an online survey of their capabilities, that they need to be 13485 certified, etc., I could start imposing a lot of requirements on suppliers that will never need it, and there’s usually not a need for them to meet those requirements. As well as when those components come in-house, and I need to do a receiving inspection, or have them provide me data, what justification am I basing the sampling plan on?

Conversely, if I have a supplier who is supplying me a key critical component that is an implant … now that is definitely a higher risk. I can go back to my risk assessment and say yes, you’re a level two. And in my purchasing and supplier-control SOP, I say that if a supplier is a level two I at least need to have an ISO 13485 certification or equivalent, or I need to do a supplier survey of them or audit them.

ANNE HOLLAND: A lot of times people would just pick their suppliers based on, “Is it local, is it a friend of a friend.” They wouldn’t think, “Is this specifically the best producer for my component or device and is this a high risk?”

We had a client, they had a very simple class two sterile device, and they picked a molder for the device. Well, they picked a good injection molder and said, “Oh by the way, why don’t you do assembly and packaging? They didn’t think of the risks associated with the assembly and packing. They got delayed and spent probably, I can’t tell you how many hundreds of thousands of dollars, because the packaging was insufficient to fit their needs. So you have to think of the risk component by component, and always think through the device, not just one component, or not just one aspect of the device.

Is this a case of regulations catching up to standard business practices that are already in place?

COX: For a lot of the medical device companies, I think it will be. Now maybe, for some of the sub-contractors, as they see this flow down to them, maybe not so much. But I think your larger, and some of your smaller, medical device companies have been operating this way. Now there are new start-ups that aren’t very familiar or don’t have a professional that is knowledgeable of the standards or the experience of implementing a risk based approach throughout their quality systems, and those are the ones who are having to play catch up. But I think in the long run they’ll definitely see the advantage.

HOLLAND: For start-ups, it’s really hard to grasp the depths of the concept. For larger firms, it’s hard to implement. I think that ideally it would be standard business practice, but because it wasn’t a regulatory requirement, it was not consistently performed. But it’s also an alignment of the FDA and international requirements, and one of the goals with the new standard was to clarify requirements for auditors. I think that’s a big deal. Because I do a lot of auditing, and my group does, and now it’s clear, much clearer, it’s much more prescribed what the regulations are requiring and less a judgement call from the auditors. That was one of the explicit goals, was to have clarity for regulatory auditors, for the new standard.

How difficult will it be to implement for companies that don’t already have a risk-based-thinking approach?

COX: It’s going to make them to go back and do a gap analysis of their quality system elements. And then to of course revise those to incorporate a risk-based approach into the decision making process. Again it could be for suppliers or design, your receiving and inspection, the sampling you may be doing into production. You know, some of them are probably already half-way there, or part of the way there. But I think taking it through all levels of the quality systems process is what is going to be where the gap analysis has to occur. Then the implementation, which I think can easily be done within the three-year-time frame for compliance for the CE marking of the devices.