How to comply with the latest changes in ISO 13485 clause 7.2.3 Communication

Communication is considered to be one of the crucial factors in compliance with ISO 13485. Poor communication practices, such as relying on verbal agreements and failing to document changes, could lead to high costs in terms of operational losses. A 2016 survey by the Society for Human Management (SHRM) asked 400 companies worldwide about the cost of poor communication practices. According to the companies surveyed, poor communication was estimated to cost each company, on average, $62.4 million per year; among smaller companies with 100 or fewer employees, the average cost was estimated at $420,000.

What does clause 7.2.3 include, and how has it changed with ISO 13485:2016?

In the old version of the standard, ISO 13485:2003, clause 7.2.3 (Communication) states that the organization shall determine and implement effective arrangements for communicating with customers in relation to the following:

  1. Product information
  2. Inquiries, contracts, or order handling, including amendments
  3. Customer feedback, including customer complaints
  4. Advisory notices

Most companies are able to fulfill all of the requirements mentioned above. The most common methods are usually through telephone and email. So, what’s the latest update in ISO 13485:2016? There is an added requirement in the current version, which states: “The organization shall communicate with regulatory authorities in accordance with applicable regulatory requirements.” What does this actually mean?

This indicates that we keep the authorities informed in the event of any significant complaints (as defined by the country’s regulations), adverse events, or field safety notices, and issue notifications regarding any updates to the technical files that might affect the safety, quality, or efficacy of our product. The reporting guidelines follow those of the local authorities. For more information about the differences between ISO 13485:2003 and ISO 13485:2016, check the Infographic: What’s new in the 2016 revision of ISO 13485?


Understand clause 7.2.3. through real case studies

These are some of the common scenarios in which we communicate with the regulatory authority. There is an example of ABC Medical Corporation, which manufactures a diagnostic test kit for urinary tract infection for sale in Singapore. The company has received a report from QC internally, concerning a technical fault that will affect the reading of the diagnostic kit. In the local context, ABC Medical Corporation should inform the Health Science Authority of Singapore within 24 hours using the MDRR-1 form, before issuance of the field safety notice to its distributors. Upon receipt of the field safety notice, the distributors collaboratively inform ABC Medical Corporation as to whether or not they have the affected batch, and provide a list of customers that have bought the device. ABC Medical Corporation would then prepare a follow-up report using the MDRR-2 form along with the investigational report to submit to the authority within 21 days.

The second example would be the filing of technical updates to the regulatory authority so as to be in compliance with post-approval conditions. A software company dealing with an imaging program decides to do a system upgrade from 3.0 to 3.2 to include the feature of toggling between windows for comparison purposes. The software company should communicate this change to the regulatory authority by filing a technical change to ensure that the specifications registered are up to date both internally and externally.

Another example of incorporating the regulatory requirements into current work processes could be the incorporation of the timeline and criteria for reporting complaints to the authority into the current complaint procedure. One such process to look at would be adverse event reporting.

Customer service can also play a part in the communication process with the regulatory authority. This can be in the form of documenting important details of adverse events and complaints. The documented information could be passed to the appropriate department for processing with the local authority. In the event of any regulatory call, customer service can also assist to answer basic questions such as the status of faxed information from the authority to the company. Check out this article: List of mandatory documents required by ISO 13485:2016 to see what documentation you need to fully comply with the standard.

Good practices for communications in ISO 13485:2016

To have a robust communication process, a company should evaluate existing communication tools and make improvements periodically. Also, the company should look at more than one method of communication in case of any failure of the established communication medium. In transition to the current version, the company should update the Quality Manual or relevant standard working procedures to include practices relating to communication with the regulatory authority. The process owner should work closely with the regulatory department to ensure that updated information, such as criteria of reporting, timeline, and contacts, are included in the Quality Manual or the appropriate standard working procedures.

To find out what else has changed in the ISO 13485:2016 revision, besides communication, and what you need to know about the transition process, see this free white paper: Twelve-step transition process from ISO 13485:2003 to the 2016 revision.