1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

ISO 13485 Revision

Discussion in 'ISO 13485 and ISO 14969 – Medical Devices QMS' started by Marcelo Antunes, Aug 25, 2015.

  1. JCIC49

    JCIC49 Member

    Joined:
    Jul 31, 2015
    Messages:
    42
    Likes Received:
    27
    Trophy Points:
    17
    Location:
    United Kingdom
    Thanks for the update, I look forward to it being published. Does any one know if it has changed much from the version published in February?

    I have also seen that it is expected to be submitted for a formal vote in January, with the plan for it to be ratified in April, is this correct.

    Thanks for the help
     
  2. Marcelo Antunes

    Marcelo Antunes Active Member

    Joined:
    Jul 31, 2015
    Messages:
    55
    Likes Received:
    65
    Trophy Points:
    17
    The FDIS has several changes from the DIS. From the ISO project portal, the FDIS is expected to begin ballot at October 29th, and close at December 30th.

    I have no idea what you are talking about when you mention a formal vote in January and ratification in April.
     
  3. JCIC49

    JCIC49 Member

    Joined:
    Jul 31, 2015
    Messages:
    42
    Likes Received:
    27
    Trophy Points:
    17
    Location:
    United Kingdom
    Marcelo,

    Thanks for the feedback the January and April dates are what I had heard but I wasn't sure if this was correct.

    Jon
     
  4. Steve Kent

    Steve Kent Member

    Joined:
    Aug 3, 2015
    Messages:
    25
    Likes Received:
    25
    Trophy Points:
    12
    Location:
    UK
    As Marcelo indicated noted on the ISO site today:

    Proof sent to secretariat.
    FDIS ballot initiated: 2 months.

    Steve
     
    Sidney Vianna likes this.
  5. Steve Kent

    Steve Kent Member

    Joined:
    Aug 3, 2015
    Messages:
    25
    Likes Received:
    25
    Trophy Points:
    12
    Location:
    UK
    I have now got my official ISO/FDIS copy (emailed pdf) from BSI (my company is a member – so ordered it). We will get the final ISO 13485:2016 sometime in Spring 2016.

    To quote the BSI site (http://shop.bsigroup.com/ProductDetail/?pid=000000000030331463):

    ISO 13485 Advanced Access is now available
    Before the official release of ISO 13485 Medical devices - Quality management systems - Requirements for regulatory purposes next year, you can get early sight of this standard through Advanced Access.
    ISO 13485 Advanced Access will provide you with:

    · Access to the final draft standard (FDIS)
    · Delivery of the final standard as soon as it’s published

    Steve
     
    Somashekar likes this.
  6. JCIC49

    JCIC49 Member

    Joined:
    Jul 31, 2015
    Messages:
    42
    Likes Received:
    27
    Trophy Points:
    17
    Location:
    United Kingdom
    Hi Steve,

    I have done the same and I am still currently reviewing it. it would be good to share your thoughts abut what is in it and the impact of these changes.

    One of the things that I have spotted from my brief look through is the term usability occurring several sections, while it isn't mentioned in ISO 13482:2012. This links into what we have found in the most recent review of a product for CE marking where the NB wanted to see evidence that we had considered device usability in the design process.

    Jon
     
  7. Steve Kent

    Steve Kent Member

    Joined:
    Aug 3, 2015
    Messages:
    25
    Likes Received:
    25
    Trophy Points:
    12
    Location:
    UK
    Hi Jon,
    I am still going through the FDIS I received yesterday as well. As to usability I already have a section in my Technical Files (TF) based on Annex H (Usability Specification and its inputs) of EN 62366:2008 using this as a template. I have submitted a number of TFs for annual review to our NB and they have not raised any issues with this format – so I assume this route is acceptable. I am happy to share further thoughts as to the future impact as they crop up. One thing I have raised elsewhere is that the final ISO 13485:2016 will be so divergent from ISO 9001:2015 that in future it will be difficult; if not impossible, to have a QMS certified to both standards (as we currently do).
    Steve
     
    Somashekar likes this.
  8. JCIC49

    JCIC49 Member

    Joined:
    Jul 31, 2015
    Messages:
    42
    Likes Received:
    27
    Trophy Points:
    17
    Location:
    United Kingdom
    Hi Steve,

    I have done exactly the same on usability on our technical files. I just mentioned it as this seems to be one of the new areas that is being looked at in more detail, potentially due to the perceived issues around user errors.

    With regards to diverging from ISO 9001:2015 I agree it will be difficult to have both certifications in place and maintain them without having to do a lot of extra work, without any benefit to the company. We only currently have certification ISO 13485:2012, but this is not the norm for medical device companies.

    Jon
     
  9. Steve Kent

    Steve Kent Member

    Joined:
    Aug 3, 2015
    Messages:
    25
    Likes Received:
    25
    Trophy Points:
    12
    Location:
    UK
    Hi Jon,
    Clause 4.1.6 is interesting to say the least i.e. the requirement to validate software used in the QMS. So you shall have a procedure! What this should look like I’m not too sure, though I have a passing familiarity with GAMP. Now I assume MS Office stuff would not fall under this – so long as you are not using macros or formulae that somehow influence the QMS. But what about packages such as SAGE 200, Autocad, Adobe Acrobat etc? Certainly packages such as SAGE; in our case, has all the product and component details (batch numbers etc.) associated with traceability – which is just one example of use in the QMS. Even if you had a procedure how do you validate such packages? Any initial thoughts?
    Steve
     
  10. JCIC49

    JCIC49 Member

    Joined:
    Jul 31, 2015
    Messages:
    42
    Likes Received:
    27
    Trophy Points:
    17
    Location:
    United Kingdom
    Hi Steve,

    It does raise some questions. I agree that standard MS Office packages won't require validation, unless as you say they have macros or calculations in them that could affect product quality, if that is the case you don't validate the whole package you would just validate your particular use of it.

    I think the same principle can be used for the other off the shelf packages you mention, you just need to validate the particular use you have for them. I haven't used sage as a package, but I would go about validating your inputs against outputs, confirming that your outputs are what you would expect in all cases. As part of the validation I would expect you to confirm that you controlled access to the system, to prevent unauthorised changes being made.

    The key aspect of 4.1.6 is the second paragraph that validation and revalidation shall be proportionate to risks associated from using the software. How you will go about doing this and demonstrating that the risk level is appropriate is again going to be a challenge.

    My initial thoughts would be that you need to consider the consequences of it not working as expected on product quality. As you have already got these systems in place you should be able to do retrospective validation to demonstrate through 'X' time period of use you have not had any issues related to a failure in the software as set up.

    These are my initial thoughts.

    Jon
     
    Steve Kent likes this.
  11. Marcelo Antunes

    Marcelo Antunes Active Member

    Joined:
    Jul 31, 2015
    Messages:
    55
    Likes Received:
    65
    Trophy Points:
    17
    An ISO TR is being drafted to provide guidance on software validation fo the QMS -
    ISO TR 80002-2 - Medical device software -- Part 2: Validation of software for regulated processes (we are going to change the name of it).

    Regarding retrospective validation, saying that you had not had any problem in the past does not mean that you won't have any problem in the future (meaning, the absence of failure does not mean that the software won't fail).
     
    Monica and Steve Kent like this.
  12. JCIC49

    JCIC49 Member

    Joined:
    Jul 31, 2015
    Messages:
    42
    Likes Received:
    27
    Trophy Points:
    17
    Location:
    United Kingdom
    Marcelo,

    Thanks for the information. A question in relation to ISO TR 80002-2, is it going to cover software used to support the QMS and in manufacturing processes as well as software used in a medical device.

    I agree retrospective validation is no always ideal, but at times it is the only option. It needs to be based upon good accumulated data. The problem comes if you don't have this robust level of data

    Jon
     
  13. Marcelo Antunes

    Marcelo Antunes Active Member

    Joined:
    Jul 31, 2015
    Messages:
    55
    Likes Received:
    65
    Trophy Points:
    17
    Jon

    ISO TR 80002-2 will be for QMS software (including manufacturing). Software used in a medical device is covered by the medical device product standards and standards such as IEC IEC 62304.

    Regarding retrospective validation, I did not mean that retrospective validation is a problem, in fact, if you did not validate the application of your software before, you would have to perform retrospective validation now. My comment was related to how to retrospect validate. You mentioned tht onw way would be to "demonstrate through 'X' time period of use you have not had any issues related to a failure in the software as set up". This is not retrospective validation in fact, because it does not make technical sense. As I mentioned before, the absence of failure does not mean that the software won't fail, meaning, the absence of failure does not mean that it is validated. You would need to perform other actions to really perform a retrospect validation.

    This is the same problem with the thinking of some people that "because my device did not harm in the past, it tit's safe". This is also untrue from a technical standpoint, because, if you do not have a guarantee that it's safe, the only conclusion that could be made is that the device rarely harms people, not that it's safe. The absence of harm does not make the device safe.
     
    JohnMacd and JCIC49 like this.
  14. JCIC49

    JCIC49 Member

    Joined:
    Jul 31, 2015
    Messages:
    42
    Likes Received:
    27
    Trophy Points:
    17
    Location:
    United Kingdom
    Hi Marcelo,

    Thanks for the clarification, as I new device software was covered by IEC 62304 and I thought I had missed something. Do you have any time scales for availability of ISO TR 80002-2

    I should have been clearer on retrospective validation, in that a start point is through a period of time you have not had any issues, but you then need to build on this with robust data to demonstrate that the software works as you intended it to. Also during the period of time you are using as your start point you have robust controls in place so that you would have identified any issues.

    I don't personally like retrospective validation but, at times you don't have any other options.

    I agree with the problem of people thinking that because my device hasn't caused harm in the past that it is safe. I have come across many similar statements along these lines and what normally seems to occur is as soon as someone makes this type of statement, some occurs to disprove what they have said. But this is a whole different topic of what you should and shouldn't say in writing etc.

    Jon
     
  15. Marcelo Antunes

    Marcelo Antunes Active Member

    Joined:
    Jul 31, 2015
    Messages:
    55
    Likes Received:
    65
    Trophy Points:
    17
    ISO TR 80002-2 just passed the CD stage, we had a meeting some weeks ago to discuss the comments and I will begin revising the document in a while. But the final publication will still take some time, probably at the end of 2016 or sometime later.
     
    JCIC49 likes this.
  16. Ronen E

    Ronen E Well-Known Member

    Joined:
    Jul 31, 2015
    Messages:
    133
    Likes Received:
    70
    Trophy Points:
    27
    As far as I understand "safe" means "free of unacceptable risk". The term "unacceptable" brings about the question "unacceptable to who?" which shows that "safe" is not an absolute characteristic but a relative one. Moreover, risk is composed of two elements - severity of potential harm and probability of occurrence. If the probability is extremely low the risk can't be very high and will likely be considered acceptable by most stakeholders. Given a long-enough and wide-enough use history, actual occurrence rate will approach the true probability of occurrence, so if that rate is extremely low (as in "never failed so far", assuming - as Jon noted - that our channels are open and effective) we could reasonably argue that the related risk is acceptable and the device is safe from that given aspect.

    The real weakness is in situations were people make inferences based on a sample (field usage) not big/long enough.
     
  17. Marcelo Antunes

    Marcelo Antunes Active Member

    Joined:
    Jul 31, 2015
    Messages:
    55
    Likes Received:
    65
    Trophy Points:
    17
    I still feel uncomfortable when you need to construct a very specific rationale for something not existing (the harm), to prove that something do exist (the safety).
     
  18. Ronen E

    Ronen E Well-Known Member

    Joined:
    Jul 31, 2015
    Messages:
    133
    Likes Received:
    70
    Trophy Points:
    27
    What I wrote above is a logical, straightforward combination of widely accepted definitions and a very basic concept of statistics/probability. It's not "constructing a very specific rationale" more than any other way of establishing safety (e.g. testing) is, IMO. On the contrary, there's nothing specific about it.
     
  19. Somashekar

    Somashekar Well-Known Member

    Joined:
    Jul 30, 2015
    Messages:
    114
    Likes Received:
    98
    Trophy Points:
    27
    The terms like lifetime, vigilance, post market surveillance are all intended to focus on the risk management that is applied throughout the device life cycle. It is the manufacturer that has to establish acceptability or otherwise based on risk assessment at design and followed through the life cycle. There is nothing absolute about "safe". Statistical means of establishment along with post market information will stand the test of regulations
     
    Ronen E likes this.
  20. Marcelo Antunes

    Marcelo Antunes Active Member

    Joined:
    Jul 31, 2015
    Messages:
    55
    Likes Received:
    65
    Trophy Points:
    17
    Sorry Ronen, I did not mean to say what you said was a problem, I was in fact commenting about the application of the concept in the real world. I've never seen a case where people had a compelling argument about something being safe due to a historical lack of harm, because everytime I've heard this argument, some simple questions always debunked the argument, and the person would always begin to make very specific rationales to try to prove their point. And most of the time, it would be really easier to perform a real analysis of the safety, instead of trying to prove that exists because of the lack of harm.