Post Market Surveillance and Annual Product Review in ISO 13485

[Schkund]

ISO 13485:2016 states the following:

8.5.1 General
The organization shall identify and implement any changes necessary to ensure and maintain the
continued suitability, adequacy and effectiveness of the quality management system as well as medical
device safety and performance through the use of the quality policy, quality objectives, audit results, postmarket
surveillance, analysis of data, corrective actions, preventive actions and management review.

I work for a contract manufacturer of FDA Class I medical devices. We don't hold any CE marks, although a few of our customers do maintain CE marks for the products we manufacture. No pharma is involved in our facility. So what does ISO 13485 expect out of postmarket surveillance in the context of a company like ours? Does it involve anything beyond the maintenance of a complaint system, like clinical evaluations and/or annual product reviews? Sometimes I see postmarket surveillance referred to as something fairly simple, like a complaint system, but in other discussions it seems implied that postmarket surveillance also includes a manufacturer actively reaching out to the market and pulling data through surveys, clinical reviews, etc. and not just managing the complaints that come from the market.

So I guess, in essence, how does ISO define postmarket surveillance? Does it always include both the "passive" management of incoming complaints AND actively reaching out to the market to collect data, or can it ever simply be an actively managed complaint system for certain medical device industries?

I apologize if this seems like a question with an obvious answer, but I just can't clearly decipher the requirements based on one brief mention in ISO 13485 as part of a list!

 

[Ronen E]

Hi,

Your confusion is a symptom of a general conceptual flaw in the application of ISO 13485.

Initially ISO 13485 was intended only for what we refer to as "legal manufacturers" of finished medical devices, i.e. manufacturers who place finished medical devices on the market under their own name (regardless of whether they physically made them or not). Then, in the years following 2003, there was a creeping process where more and more business entities in the medical devices supply chain coveted, or thought they needed, some more prestigious certification than e.g. ISO 9001, and started seeking certification to ISO 13485, even though the standard's original intent and some of its elements were obviously N/A to them. Gradually it became so widespread that a lot of companies started looking for / expecting ISO 13485 certificates from their potential suppliers, where such certification didn't exist and wasn't expected only several years earlier, and was actually never quite intended.

Naturally, people noticed that something was wrong and so when the standard was revised in 2016 it was supposedly made all-encompassing and applicable to whoever had anything to do with medical devices. But IMO it wasn't really achieved because the standard wasn't really modularised and structured to allow orderly partial application in line with the nature of any specific implementing org.

If you ask me, it's a little ridiculous to expect a contract manufacturer who has no direct connection with the market to conduct postmarket surveillance, although it's definitely not impossible. It's simply redundant with what legal manufacturers do and these are much better positioned to do so, so it adds very little value. But no one asks me...

In the most general sense, postmarket surveillance covers everything that happens in the post-design-transfer phase. So you can focus on what happens in your own product realization processes (including logistics up until the next entity takes possession of the devices) and on your own customers, i.e. the legal manufacturer. Then supplement it with as much information you can get from your customers, or better still downstream from there, and you should be fine. PMS is supposed to be proactive, yes. For more refined definitions and guidance on PMS just search online for guidance documents - there are plenty.

Cheers,
Ronen.

 

[Schkund]

Hi,

Your confusion is a symptom of a general conceptual flaw in the application of ISO 13485.

Initially ISO 13485 was intended only for what we refer to as "legal manufacturers" of finished medical devices, i.e. manufacturers who place finished medical devices on the market under their own name (regardless of whether they physically made them or not). Then, in the years following 2003, there was a creeping process where more and more business entities in the medical devices supply chain coveted, or thought they needed, some more prestigious certification than e.g. ISO 9001, and started seeking certification to ISO 13485, even though the standard's original intent and some of its elements were obviously N/A to them. Gradually it became so widespread that a lot of companies started looking for / expecting ISO 13485 certificates from their potential suppliers, where such certification didn't exist and wasn't expected only several years earlier, and was actually never quite intended.

Naturally, people noticed that something was wrong and so when the standard was revised in 2016 it was supposedly made all-encompassing and applicable to whoever had anything to do with medical devices. But IMO it wasn't really achieved because the standard wasn't really modularised and structured to allow orderly partial application in line with the nature of any specific implementing org.

If you ask me, it's a little ridiculous to expect a contract manufacturer who has no direct connection with the market to conduct postmarket surveillance, although it's definitely not impossible. It's simply redundant with what legal manufacturers do and these are much better positioned to do so, so it adds very little value. But no one asks me...

In the most general sense, postmarket surveillance covers everything that happens in the post-design-transfer phase. So you can focus on what happens in your own product realization processes (including logistics up until the next entity takes possession of the devices) and on your own customers, i.e. the legal manufacturer. Then supplement it with as much information you can get from your customers, or better still downstream from there, and you should be fine. PMS is supposed to be proactive, yes. For more refined definitions and guidance on PMS just search online for guidance documents - there are plenty.

Cheers,
Ronen.

Thank you so much for your response, Ronen. What you say makes a lot of sense and reflects what partially-formed conclusions I made based on what information I had. I certainly want our processes and procedures to be proactive (otherwise, what value is truly added to the company?), but like you said, at what point is it simply a copy of our customer's/design owner's own responsibilities? I suppose at this point it makes the most sense to develop a PMS that works for our facility functions (as you recommended) and, should an auditor or inspector grumble, defend its context to our company and our relationship with the customer.