10 min reading time

As originally asked by Graham Ball.

The company I am working with supply a part which is built into monitoring and control devices used in the medical field. None of the devices are implanted in any way. Our customer supplies the final product to the end customer. We are now going for ISO13485. The company already has ISO9001. I have been told for our type of business a DHR (Device History Record) and DHF (Device History File) are an important part of the assessment. Is this true? Looking at ISO13485, it appears the main emphasis over ISO9001 is on maintenance of the QMS system and regulatory awareness. Am I missing anything else really important?
Is anything prescribed as to what the contents should be for DHR or DHF items? We already construct technical construction files (TCF’s) for our approvals and maintain manufacturing traceability for all products which we build. I can’t find details on the net for DHR or DHF, so does anyone know if the documents we currently produce will meet these requirements please?

---

Kanwal Jit Singh
Public Actions in Sustainability, Finance, Law etc
MDD is the law in the EU – however, if you follow Annex 2 as the conformity route then the harmonized standard is EN ISO 13485:2012 (not ISO 13485:2003 – please note).

Yes it is not mandatory to follow the harmonized standard, and if you chose not to then you have to prove in depth that the alternate QMS followed meets the requirements of MDD.

It is therefore important to understand the difference between ISO 13485:2003 and EN ISO 13485:2012 and so also for ISO 14971: 2007 and EN ISO 14971:2012.

It is better to follow the EN ISO standard to prove compliance to MDD requirements in Annex 2 and Annex 1 of MDD. However, If one follows an alternate route for conformity (depending the classification of the product) , then the appropriate route prescribed by MDD has to be complied with.

The role of harmonised standardiseds cannot be relegated to the background, since they provide the easier route to evidencing conformity with the MDD.

Jim Bloedau BSMT, RRT, CPHIMS
Founder Information Advantage Group
Anil: Excellent clarity and guidance. Thanks so much.

Anil Bhalani
Consultant – Regulatory Affairs/Quality Assurance
ISO 13485, MEDICAL DEVICES – QUALITY MANAGEMENT SYSTEMS – REQUIREMENTS FOR REGULATORY PURPOSES is a quality system for medical devices. This International Standard specifies requirements for a quality management system that can be used by an organization for the design and development, production, installation and servicing of medical devices, and the design, development, and provision of related services.

If you manufacture components, ISO 13485 does not apply. ISO 9008 is more appropriate. And as a component manufacturer, having ISO 9001 certification is also not mandatory. Your customers may mandate this if you want their business. Your customer is required to assure that you have systems and procedures to assure that you will supply a good product/service.

Also to make the conversation interesting, I will say this, which consultants and notified bodies will not tell you for the fear of losing revenue, I guess: ISO 13485 is not a mandatory requirement for a company selling medical devices in the USA or Europe or even if you want to obtain a CE Mark for your medical device. In the USA compliance to QSR is mandatory. In the EU, complying to Medical Device Directive (MDD) is mandatory. MDD states that the manufacturer will maintain a quality system. FDA’s QSR is a quality system or you can create a custom one too. However, if you sell medical devices in Canada, you are mandated to have an ISO 13485 system certified by a CMDCAS certified notified body (not registrar)

Hope this helps…..Go with ISO 9001 until you start to make a medical device or start an activity listed in the first paragraph directly related with the design and development or manufacture of a medical device. As a battery manufacturer, you should be concerned with RoHS and WEEE and REACH. ISO 9001 is icing or I guess expected today. You should also think of ISO 14001 for a good environment. MDD, RoHS and WEEE are mandatory….they are not standards but EU Directives….equivalent to what we call laws in the USA. You can be penalized for non-compliance although there is no history of such for non-compliance to WEEE and RoHS that I know off.

Tell the person who is asking you to get ISO 13485 that he is nuts! If it makes it easy, tell him that I said that he should leave the quality and regulatory business to professionals.

Joseph Wilson
Medical Device Manufacturing Professional
Like I said, are you sure you want to do this?

Locke Bailey
Consultant – DHF Remediation Quality Engineer at Baxter International Inc.
Back up a minute…. You can have any of those documents (DMR,DHF, DHR) until you’ve developed a “Medical Device”. To develop a medical device look up the requirements of developing a medical device and follow the “Design Control” protocols.

Graham Ball
Quality & Approvals Consultant
Hi David
I see where you are coming from – the device is actually an intelligent battery which our customer integrates and installs into the medical equipment (non invasive). The customers we have are saying they want us to be ISO13485 certified, hence the reason we have started on this path. We do already do CE marking, UL etc., so with you there.

We won’t be doing medical trials ourselves, but if we adopt the other enhancements of ISO13485 over ISO9001 into our Quality System as a better practice together with the exclusions people have been mentioning mean we would be certified to ISO13485?

David Gray
CTO at innovative combined gene therapy/device biotech company
Graham, as mentioned above, it is primordial that you determine whether your “part” is a medical device or not. The term “medical device” is very specific, both for FDA and CE Mark. If it is a part which is used to make a medical device, but on its own does nothing, then you should rethink your strategy about ISO 13485 certification. As a manufacturer, I want parts that are compliant with their respective function (e.g. power supply, tube, etc.) and are certified to the relevant standard (for that particular function). If I buy a component from you I don’t really care if you have ISO 13485 certification. I want to know that you meet that particular component’s applicable standards, along with the general company ISO9000 QS.

If I buy in a certified Medical Device ‘A’ and buy in a certified Medical Device ‘B’, and then couple them together to make a brand new Medical Device ‘C’ with me as the new “Manufacturer”, I do not automatically have a new certified device.

J. Floyd Sauvé – CQE, CQA
Retired and loving it!
Because of the wording in ISO 13485 section 1.2 (second and third paragraphs), it is very common for medical device companies to do exactly as Chris and Robert describe above; i.e., exclude section 7.3 in their Quality Manual and justify as “not applicable” any other requirements in section 7 that do not apply. For what it’s worth, my discussions on this matter with two different ISO 13485 registrar auditors confirmed that this is what they expect to see. Again, it appears to be a common registrar interpretation of the wording in section 1.2..

Audie Margrave
Principal Consultant at Effective Compliance Solutions L.L.C.
Great discussion folks. It would be nice to know a bit more about the “part” Graham referenced at the beginning of this chain though. I recently had a client that believed their “part” was not a device when in fact it was. Said client was just getting into the device biz and very much misunderstood the significance and true function of the “part” in the finished device. Also to be considered Graham, may be what documentation requirements your customer may have for your organization, relative to their supplier controls.

Dan O’Leary
President at Ombu Enterprises, LLC
I don’t believe Chris Boon’s comment about “exclusions” is correct. Section 1.2 does not restrict exclusions to clause 7.3. Instead, it says, “If regulatory requirements permit exclusions of design and development controls (see 7.3), this can be used as a justification for their exclusion from the quality management system.” It provides a justification for the exclusion, not a limitation.

As a case in point, consider EN ISO 13485:2012. The Forward to the EN addition says, “In seeking compliance with the quality systems requirements of the Medical Devices Directives, organizations may exclude specific requirements from EN ISO 13485. The table below shows the exclusions that are permitted.” For the MDD, for example, the table says, “For Annex VI, exclusion of 7.3, 7.5.1, and 7.5.2 from EN ISO 13485 are permitted”.

Regards,
Dan

Rob Packard
510(k), CE Marking & Quality System Consultant
Jim Bloedau asked about comparison/overlap with RoHS2. Many medical devices use the medical device exemption for RoHS/WEEE requirements, but these exemptions will not last forever. RoHS/WEEE compliance interacts with the ISO 13485 requirements in several places:
1. Clause 4.2.1f) – any other documentation specified by national or regional regulations,
2. Clause 4.2.3f) – to ensure that documents of external origin are identified and their distribution controlled,
3. Clause 5.6.2h) – new or revised regulatory requirements,
4. Clause 7.2.1a) – requirements specified by the customer, including the requirements for delivery and post-delivery activities,
5. Clause 7.3.2b) – applicable statutory and regulatory requirements,
6. Clause 7.5.1.1f) – the implementation of release, delivery, and post-delivery activities,
7. Clause 7.5.1.2.3 – Servicing activities
8. ISO 14971 also has requirements for risk management throughout the total product lifecycle–including obsolescence. ISO 14971 is briefly mentioned in Clause 7.1 of ISO 13485, but it is considered “State of the Art” for Canadian Medical Device Licensing and CE Marking in Europe.
If your company is developing a Quality Plan (Clause 5.4.2 & Clause 7.1) for compliance with RoHS2/WEEE, the above sub-clauses should be considered in your plan.

Rob Packard
510(k), CE Marking & Quality System Consultant
Chris Boon’s comment about “exclusions” is correct. Section 1.2 of ISO 13485 indicates that 7.3 is the only clause that can be excluded. The other clauses of Section 7 may be defined as “not applicable” depending up on the nature of the products or services provided. This gets confusing for companies with both ISO 9001 and ISO 13485, because ISO 9001 uses the term “excluded” in the same way that ISO 13485 is using the term “not applicable.”

You may not claim “non-applicability” for clauses outside of Section 7. However, service companies sometimes have difficulty with certain clauses. For example, Clause 8.3 doesn’t make a lot of sense for a purely service-based company. For example, what would a CRO have a “non-conforming”? Their clinical study report? Wouldn’t that make more sense under Control of Documents or Records?

In these situations, the Quality Manual should explain how this Quality System addresses the intent of these requirements.

Best practices for addressing non-applicability and exclusions is two-fold:
1. include a table at the beginning of the Quality Manual that describes the clauses of non-applicability and the rationale for each
2. indicate in the appropriate location of the Quality Manual that the section is not-applicable–instead of just skipping the section

The seven most common areas of non-applicability are: 1) 7.5.1.2.2 – installation, 2) 7.5.1.2.3 – servicing, 3) 7.5.1.3 – sterilization records, 4) 7.5.2.2 – sterilization validation, 5) 7.5.3.2.2 – traceability of implants, 6) 7.5.4 – customer-owned property, and 7) 8.2.4.2 – recording the identity of implant inspectors. #7 does not follow the rules for non-applicability outlined in Clause 1.2, but it is consistent with the intent of the Clause if your company doesn’t not make medical implants.

The nuances of these two terms may seem silly, but the Canadian Medical Device Regulations use this terminology as well, and most 3rd party medical device auditors will follow this interpretation–instead of the ISO 9001 interpretation.

You can explain your company’s approach in Scope of the Quality Manual.

Kanwal Jit Singh
Public Actions in Sustainability, Finance, Law etc
The product being produced at the organisation is part of monitoring and control component of a device that is used in the medical field.

Apparently it is not a medical device – please check the definition of a medical device in ISO 13485 and MDD. Hence …..?????

Jim Bloedau
Founder Information Advantage Group
This is a very informative discussion – great experience here. How do all the above ISO rules compare or overlap to the RoHS2? Is there reciprocity??

Chris Boon
RETIRED
Dan & Graham,

Technically, I believe the only element that can be an “exclusion”, would be design & development controls (7.3) , anything else that is not applicable needs to be documented as such (“not applicable”).
Regards,
Chris

Graham Ball
Quality & Approvals Consultant
Dan

many thanks – all the comments received have been really helpful and I
think I now know what I need to do.

Regards, Graham

Rob Packard
510(k), CE Marking & Quality System Consultant
Great advice from all parties. Sounds like Graham will fair better than most.

Dan O’Leary
President at Ombu Enterprises, LLC
The DHR is what I expected it to be, so many thanks.

The DMR and the DHF are not all that similar. They have different content with some potential overlap.

The DHF is the history of the design project. It has meeting minutes from design reviews, project plans, etc. When the design project is done and the product transfer to production, the DHF closes. It is the historical record from which one could reconstruct the design project. FDA QSR requires that you “assemble” all of these records together into the DHF. ISO 13485 only requires that you have the records.

The DMR is the “recipe” for making the product. It has all the current purchasing specifications, production process specification, quality assurance specification, etc. The overlap between DHF and DMR is the specifications. They are design output, so could be in both places. However, updated specifications would be in the DMR, but not in the DHF; the design project would have closed before the update. {I’m avoiding design change issues for simplicity.}

The DHR is the objective evidence that you followed the DMR. You will make a DHR for every unit, lot, or batch, but would there be only one DMR. For example, if you have a final acceptance test it would have been developed in design, so one version would be in the DHF. Perhaps you updated it, creating a different version in the current DMR. The test data, a quality record, showing the product passed the test is part of the DHR.

Regards,
Dan

Scott Tatro, PMP
VP Operations/Manufacturing | Executive | Business Strategist | Startups to Scaling Organizations | Lean Six Sigma
Hi Graham,

Here is some additional guidance for you. The Design History file contains all of the meeting notes, design drafts, risk management reports, and thought processes for the design of the device. The Device Master Record is the master documents to be able to manufacture a device. The Device History Record are the individual records when you produce the device. Here are some examples:

Design History File (DHF) Content Examples:
• Design Planning (Concepts, project charter, project schedule)
• Design Input (Requirements)
• Design Output (Specifications)
• Design Reviews (Formal Meetings)
• Design Verification (Meets Specifications)
• Design Validation (Meets clinical/user needs)
• Design Transfer- (Moves from Design to Manufacturing)
• Design Changes (Formal Process)

Device Master Record (DMR) Content Examples:
•Device Specifications: (Bill of Materials; master design drawings; formulations; intended uses; user safety characteristics; performance characteristics; physical characteristics; software specifications)

•Manufacturing Process Specifications: (process flow charts; process/assembly lines diagrams; equipment, tools, molds; manufacturing environment specifications; operator and equipment Work Instructions (WI) setup procedures; equipment maintenance procedures; blank work orders, nonconforming product/process forms, and other reporting; quality system operational procedures (SOP); quality system forms (FM); process control specifications/charts; control plans, instructions and acceptance criteria for incoming, in-process, and finished device inspection and testing; procedures and acceptance criteria for the verification of packaging, labeling, installation, and servicing activities; blank work order forms for recording inspection/testing activities, traceability, and other data for device history records; device release review/evaluation checklists.

•Packaging and labeling specifications: package drawings and specifications; filling/packaging procedures; label/labeling drawings; device instruction manuals.
Installation, maintenance and servicing specifications (IMS): installation, specifications and instructions; maintenance instructions; servicing specifications and manuals.

Device History Record (DHR) Content Examples:
All of the DMR forms that are filed out (by individual, batch/lot) and are now records. The compilation of the DHR records should allow you to trace back to raw materials in case of a customer complaint, quality issue and/or recall.

Graham Ball
Quality & Approvals Consultant
Dan

many thanks for taking the time to reply.

For DHF we are Ok and understand. It is typically what we have as a
technical construction (TCF) file with a few extras. I think the DMR
sounds very similar to the DHF with all the manufacturing process documents
included. Does this sound right?

The DHR is what I expected it to be, so many thanks.

Best wishes and thanks again, Graham