Organizations claiming compliance with ISO 13485 or possessing certification to this standard must have documented and effectively maintained a Quality Management System (QMS) in accordance with ISO 13485 and applicable regulatory requirements. Despite the most recent version of this standard having been published eight years ago, some organizations continue to not effectively maintain their QMS, particularly when it comes to the management of changes.
QMS Concerns Under ISO 13485
Are you a manufacturer trying to maintain compliance to your QMS? MedEnvoy can assist you. Click here, for more information.
This article covers two specific elements of an effective QMS change control management process with which manufacturers continue to have compliance concerns (based upon our observations):
(1) Change Identification / Awareness
(2) Change Impact Assessment
1. Change Identification / Awareness: External Sources Impacting QMS
Changes that may impact the continued suitability, adequacy, and effectiveness of a QMS (including the processes realized within the scope of the system) or medical device safety and performance can be either of internal or external origin. While manufacturers typically have a strong awareness of changes generated internally, this is not always the case for external changes. External sources of change can include (but are not limited to):
-
- Governmental bodies (e.g., EU Commission)
- Regulatory agencies (e.g., US FDA, Health Canada, UK MHRA)
- Notified Bodies (e.g., BSI, TÜV SÜD, DEKRA, etc.)
- Organizations responsible for the development of standards (e.g. ISO, ASTM, CEN)
- Regulated bodies (e.g., MDCG)
- Suppliers (e.g., OEMs, service providers, SaaS providers, critical suppliers)
To be aware of changes originating from such external sources, organizations must ensure that they have established effective processes within their QMS framework for the identification of such changes. This can be partly addressed by establishing what is commonly referred to as a “regulatory intelligence” process, whereby the organization routinely monitors sources through which regulatory changes are communicated.
When establishing a regulatory intelligence process, organizations should be mindful of the sources utilized. For example, direct or primary sources (e.g. regulatory agency update/change communication resources, where available) should be prioritized over indirect or secondary sources (e.g. third-party tools/resources), particularly where indirect/secondary sources are utilized on a contractual basis as the provider of such sources would be a supplier and subject to purchasing controls under ISO 13485.
There may be limits to organizations’ ability to use direct/primary sources, particularly where there are language barriers. In such cases, the most used approach is for organizations to establish (contractual) requirements for relevant economic operators (e.g. authorized representative, importer, and/or distributor) to inform them of relevant regulatory changes so that their impact(s) can be assessed in a timely manner.
2. Change Impact Assessment: Impacts of Regulatory QMS Changes
While many external changes, especially significant external changes, provide transition periods to allow organizations sufficient time for compliance, this is not always the case. Therefore, an organization’s regulatory intelligence process must be easily initiated and efficient, allowing for a swift, yet effective assessment of the impacts of the change, and permitting the appropriate actions to be implemented to address these impacts. The impacts of such regulatory changes should be assessed for:
-
- Resources (e.g. infrastructure, human resources, work environment)
- Processes (e.g. QMS processes, including product realization processes)
- Product (e.g. pre-delivery product, post-delivery product)
Across all three of these areas, the regulatory changes may themselves also have a regulatory impact which in turn may require actions to be taken with relevant external parties. For example:
-
- New licensing or certification requirements for establishments (e.g. a type of establishment that did not previously require GMP certification now requires such certification)
- New sterilization process validation requirements (e.g. a previously validated sterilization process must now be validated using biological/chemical indicators that have obtained marketing authorization from a specific regulatory agency)
- New labeling requirements for devices (e.g. a regulatory agency now requires electronic copies of all device IFUs to be uploaded to a publicly available database)
- New product change notification requirements (e.g. a regulatory agency now requires specific types of product changes to be notified to the agency prior to placing the changed device on the relevant market (subject to its approval))
Therefore, organizations must ensure that change impact assessments are of sufficient breadth/scope to ensure that all necessary actions are identified and implemented effectively.
Understanding QMS Requirements and Stay ISO 13485 Compliant with MedEnvoy
This article provides an overview of considerations related to change identification/awareness and impact assessment within a QMS framework while staying compliant with ISO 13485. Should you have any questions regarding QMS requirements or require QMS consulting support, get in touch.
Related resources:
Related Guidance
We share our expertise because we believe in removing barriers to global commercialization.
The Business Impact of EUDAMED on Market Access
The European Database on Medical Devices (EUDAMED) is often viewed by manufacturers purely as a compliance burden when…
MedEnvoy at RAPS Euro Convergence 2026
We are excited to share that MedEnvoy will be participating in RAPS Euro Convergence 2026 as an exhibitor! This year’s…
Key FDA Changes MedTech Manufacturers Need to Know
The FDA has issued an update for MedTech Manufacturers to its List of FDA-Recognized Consensus Standards, published as …