Control of Records – Updating Your Procedure for ISO 13485:2016
The Article reviews changes recommended for your control of records procedure to ensure compliance with ISO 13485:2016 and applicable regulatory requirements.
Nine months have already passed since the release of the 2016 version of ISO 13485. In 2015, you were told to update your quality system procedures early before the new European Regulations were released. There is a three year transition period, and you decided to do it next year. Now it’s 2017. It’s time to update your procedures.
Quality Plan for Revising Procedures to ISO 13485:2016
I plan to update one procedure each week from the 2003 version of ISO 13485 to the 2016 version. Some of the procedures were already updated last year, but just like you, I decided to finish the work next year. For the next six months, we will be busy revising procedures.
Training on the requirements for Control of Records
In addition to a procedure for control of records, you also need to train employees on good documentation practices. Initially, I created a webinar called “GDP 101” that combined control of documents, control of records, and training. Several people recommended that the webinar be revised to focus on the control of records. New webinars will be recorded each week to explain the updates to each procedure and to ensure that there is a training webinar for each procedure.
Three Generic Updates to Control of Records Procedure (SYS-002)
When you update a procedure, you need to do more than change the reference to the version of ISO 13485. For all procedures I recommend that you make three general improvements:
- identify a risk-based approach for that procedure,
- identify methods for documenting training effectiveness and competency, and
- verify that you have updated the procedure to address regulatory requirements.
In the case of control of records, the most important records should have more rigorous controls and more frequent monitoring of record control to ensure it is effective. For example, the following critical records are frequently sampled by FDA inspectors and should be carefully stored, organized, and monitored:
- Adverse Event Reports
- Nonconforming Material Records
- Design History Files
- Training Records
FDA inspectors are not permitted to review records of your management reviews, internal audit records, and supplier records. However, all three records will be sampled by certification bodies, and therefore these three records exempt from the requirements of 21 CFR 820.180 should also be a priority for risk-based control of records.
To address the third of the generic procedural updates, you should be aware that the new EU Medical Device Regulations are expected to increase the required record retention period for non-implant devices from 5 years to 10 years. Implants are expected to remain at 15 years.
Three Procedure-Specific Updates to Control of Records Procedure (SYS-002)
In addition to the generic procedural updates, three changes in the Standard are specific to control of records. First, in the section for control of documents (renumbered as Clause 4.2.4), there is now a requirement to prevent the deterioration and loss of documents.
Second, there is now a requirement in Clause 7.3.10 for maintaining design and development files for devices. This may have previously been addressed as a requirement to meet the FDA requirements for maintaining a Design History File (DHF), but not all ISO 13485 certified companies sell a product in the USA.
Third, there is a new requirement related to the protection of confidential health information, such as the information gathered during complaint investigations and clinical studies. Many companies refer to this as HIPAA compliance.
Updated Procedure & Webinar Bundle
If you need to update your control of records procedure and train your employees, you might consider our new procedure and webinar bundle.
Posted in: ISO 13485:2016, ISO CertificationLeave a Comment (2) ↓
Hi Rob, thank you very much for the blog post. The risk-based approach will help most manufacturers to handle retention times in general or to focus on types/groups of documents and records to distinguish to increase and decrease relevant retention times also for electronic data. There is also a new standard available which was developed by the german DIN committee
Guideline for development of a concept for data deletion with derivation of deletion periods for personal identifiable information.
This is also relevant to the european General Data Protection Regulation (EU) 2016/679 http://gdpr-info.eu/
To be honest, the most manufacturer have no Records Disposition Authorization Form as a record and objective evidence to document the request, approval and confirmation, that the specified documents and records are disposed and destroyed. Maybe this hint helps.
Thank you for the additional references.