MedCity Influencers

A timeline to adopt medical device QMS (and why you need to act now)

March 31, 2019, is the date by which all companies that are currently 13485 certified need to have transitioned to the 2016 regulations. Here’s a checklist of what medical device companies need to do to comply.

To be blunt, if your company has put off doing anything about ISO 13485:2016, you need to act immediately.

We’re in the window where there is less than a year until you need to be ISO 13485:2016 certified. There is no extension. ISO won’t accept any excuses – this has been published for at least two years now.

I know you’re busy and there’s a lot going on, but I’ve heard some anecdotal evidence to suggest that perhaps as little as only 2 percent of U.S. medical device companies have their certification done already. This came from an auditor at one of the largest notified bodies. That implies that a lot of companies are in the same position – they might be ISO certified right now, but they haven’t made the switch to get updated.

If your company is only just waking up to the need to get going on ISO 13485:2016, then you’re probably going to have to get in line. It may be too late to meet the deadline on time, depending on what you have left to do.

ISO 13485:2016 Timeline

March 31, 2019, is the date by which all companies that are currently 13485 certified need to have transitioned to the 2016 regulations. The clock is ticking now.

I’ve heard that it easily takes 90 days and in some cases 120 days to have a scheduled ISO audit right now. Take that four months off what you have left until the deadline, and you have a mere few months to get ready. I suggest you treat this like a project and create a set of deliverables across that timeline.

To give an overview (some of which I’ll go further into), here is what you might be looking at in terms of time:

  • 1 – 4 months registrar queue
  • 1 – 2 months GAP analysis
  • 1- 3 months to review processes and get them up to speed
  • 30 – 60 days for stage one audit
  • 60 – 90 days for stage two audit

This is 10 months at a minimum to get through so you need to get a move on.

Best practices

First of all, you’re going to need to conduct a GAP analysis. There are changes you will need to make with your quality system in order to transition to the 2016 requirement. Your registrar will ask to see this analysis as they like to use it as a guide. You can either do it yourself or hire a consultant to do it for you.

You should treat a GAP analysis as an internal audit and look holistically at your overall quality management system. With an aggressive timeline, you might get through it in six weeks, but realistically, a small company will need a couple of months. The only way you might do it quicker is if you are willing to devote full-time resources to get the analysis done. One to two months is a very aggressive timeline.

After your GAP analysis, you will have actions that you need to take. For example, risk is a huge component of 13485:2016, with the term “risk-based” being applied to many sections. This includes things like dealing with complaints by taking a risk-based approach. You’ll be touching at least 50 percent to 75 percent of your QMS in some way, with some changes being more substantial than others.

Most changes will be relatively minor, but some will take a lot more to revise, involving several stakeholders in your company. Regardless of the nature of the change, it takes time to redo procedures. I would estimate around one month for minor changes and around three to five months for more substantial changes.

Now we’re building a picture. If you’ve taken around two months to get through your GAP analysis, then another three or more months to revise procedures, followed by a four-month wait for audit, then you can see your timeline is very tight as of right now. I would suggest that you talk to your registrar now and find out exactly what they require to go through the certification process with you. At the very least, you need to be in their queue.

Once booked, go through your stage one audit, and if additional changes need to be made, you have to do this ahead of stage two. Keep in mind that you need enough time to make any changes. At stage one, they’re looking to ensure you have compliant procedures, while at stage two, they want to see evidence of you actually following your processes.

Another key thing among all of this is training. This is HUGE. You’re touching up to 75 percent of your quality system, and with lots of moving pieces, you need to be able to train team members on the changes. Add some more time to the little that you have for this.

What if you’re not certified on time?

If you don’t get certified on time, then you fall outside of the scope of ISO and you are no longer current. This means you might have to exit the EU market as your quality system is no longer compliant with their requirements. This will potentially be a huge impact on revenue.

In another twist, Canada is requiring ISO 13485:2016 and the Medical Device Single Audit Program by January 2019. This adds another couple of months to your timeline if you’re entering the Canadian market. If you don’t do it, you’re exiting that market until those are addressed and losing revenue over the time that you’re out. That’s the bottom line, really. For some companies, loss of revenue from the EU and Canadian markets would have a severe impact.

Image: Dmitrii_Guzhanin, Getty Images