ISO 13485 is an International Organization for Standardization (ISO) standard originally developed in the 1990’s, that consists of requirements for a Quality Management System (QMS) for designing and manufacturing medical devices. ISO 13485 is derived from the ISO 9001 quality management standard, and modifies its process-based approach for the regulation of medical device manufacturing. It is designed to help organizations develop, establish, and maintain quality management systems that facilitate consistent and effective development, design, production, etc. of medical devices. Overall, the standard is tailored to meet both the industry standards for medical device quality management, as well as, customer and regulatory requirements . An updated version was published in February 2016 that overrides earlier versions that were previously published: ISO 13485: 1996 and 2003.
Certification to this standard can be beneficial for many organizations, as it can enhance efficiency and marketability. Regulators from various countries, such as, Canada, Australia, EU, and Japan, have harmonized ISO 13485 into their own regulatory systems . For example, in order for a medical device to be sold in Canada, the Health Canada Canadian Medical Device Regulations Program requires that manufactures provide evidence that their medical devices are produced under a quality system that is compliant with their quality system requirements. ISO 13485 meets these required standards . The European Commission recognizes ISO 13485 as a harmonized standard , so that becoming ISO 13485 certified conforms with the requirements of European medical device directives. This includes: Directive for In Vitro Diagnostic Medical Devices (98/79/EC), Medical Device Directive (93/42/EEC), and the Directive for Active Implantable Medical Devices (90/385/EEC) . Furthermore, in the U.S., medical device manufacturers can use ISO 13485 audits as evidence of compliance with the Food and Drug Administration’s (FDA’s) Quality System Regulation (QSR) .
ISO 13485: 2016 General Changes: Many new additions, some sections are expanded and/or clarified, some new requirements, the interrelationship between clauses and requirements is presented with greater clarity .
The new edition has several areas with increased emphasis [6,7]:
- Alignment with regulatory requirements
- Incorporation of risk management and risk-based decision making
- Validation, verification & design transfer is expanded and clarified
- Supplier control & outsourced processes are more robust
- Increased focus on feedback
- More detailed requirements for software validation
To give manufacturers, accreditation/certification bodies, and regulators time to transition, the next three years will be a period where ISO 13485:2003 and ISO 13485:2016 will coexist . February 2019 will mark the end of this 3-year transition period . Furthermore, for the next two years (until February 2018), organizations will be able to gain accreditation for either the 2003 or 2016 version of ISO 13485. However, according to a draft guidance, after the second year, no new ISO 13485: 2003 certificates will be issued . At the conclusion of the third year, any existing ISO 13485:2003 certification will be invalid .
Overview of Changes to ISO 14385:2016 Compared with ISO 13845:2003
- There is more detail related to the types of organizations covered by ISO 13485:2016’s requirements and the life-cycle stages of the medical device covered.
- Life-cycle stages include: design and development, production, storage and distribution, instillation, servicing and final decommissioning and disposal of medical devices, or provision of associated activities (e.g. technical support).
- Explains that the requirements can be used by suppliers or other external parties providing product either voluntarily or as required by contract.
- Examples of the types of product provided by external parties include: raw materials, components, subassemblies, medical devices, sterilization services, calibration services, distribution services, maintenance services, etc.
- Reminds organizations that their QMS should conform with regulatory requirements.
- Reminds organizations that regulation definitions differ based on location, and that it is their obligation to understand how the definitions will affect their QMS.
- Adds that organizations are also obligated to meet their own QMS requirements.
- Specifically addresses the need to meet both customer requirements and applicable regulatory requirements for safety and performance.
- Adds two factors that can influence the design and implementation of an organization’s QMS that were not in the previous version: organizational environment and regulatory requirements.
- Clarifies that organizations do not need to have uniformity in the structure of different quality management systems and documentation. Nor does the documentation need to align with the clause structure of ISO 13485: 2016.
0.2 Clarification of concepts
- Two new criteria have been added to the list that describes the definition of “appropriate requirements”.
- This list has added that the requirement is appropriate if it is necessary for: a) compliance with applicable regulatory requirements, and b) the organization to manage risks.
- Limits application of the term “risk” to the safety or performance requirements of the medical device, or meeting applicable regulatory requirements.
- Clarifies that when a requirement must be “documented”, this includes the need to establish, implement, and maintain.
- Clarifies that the term “product” can also mean “service”, and applies to output that is intended for/required by customers. Or applies to any intended output that results from a product realization process.
0.3 Process approach
- Extends the explanation of process approach to quality management. Also discusses the fact that when used within a QMS, process approach emphasizes:
- Understanding and meeting requirements
- Considering processes in terms of added value
- Obtaining results of processes performance and effectiveness
- Improving processes based on objective measurement
0.4 Relationship with ISO 9001
- States the relationship between ISO 13485:2016 and ISO 9001.
- ISO 13485:2016 is based on ISO 9001:2008 (which has been superseded by ISO 9001:2015).
- Indicates that the structural relationship between ISO 13485:2016 and ISO 9001:2015 are outlined in Annex B of the standard.
- Notes that italic text within the standard indicate changes from ISO 9001:2008 that have been eliminated.
- Underlines that ISO 13485:2016 is applicable to organizations involved in one or many of the various life-cycle stages of a medical device (e.g. organizations involved with design, repair, installation, storage, or development, etc.).
- Includes suppliers or external parties that provide product or QMS-related services to medical device companies.
- Addresses the responsibility that medical device organizations have to monitor, maintain, and control outsourced processes.
- Clarifies that the requirements of the standard are applicable to the organization regardless of size or type (except where explicitly stated).
- Explains that requirements in Clauses 6, 7, or 8 may not be applicable based on the role of the organization or the nature of the medical device covered by the QMS.
- Normative References
- ISO 13485:2016 has one normative reference and that is ISO 9000:2015, Quality management systems- Fundamentals and vocabulary. This differs from the 2003 edition which referenced ISO 9000:2000, Quality management systems- Fundamentals and vocabulary.
- Terms and Definitions
Some definitions have been modified and there are several new definitions added.
- Quality Management System
4.1 General Requirements
- Organizations are required to document their role(s) undertaken under applicable regulatory requirements.
- Indicates that a risk-based approach must be applied to the control of appropriate QMS processes.
- There are additional requirements related to changes to QMS processes: These changes should be managed in accordance with ISO 13485:2016 standards and applicable regulatory requirements. In addition, any changes should be evaluated for their impact on the QMS, and medical device produced.
- One requirement has been expanded to state that organizations must “establish, implement, and maintain any requirement, procedure, activity or arrangement required by this international standard or applicable regulatory requirements” (ISO 13485, 2016, p. 6). This differs from the 2003 version which only mandated that such actions be in accordance with the current standard, with no mention of applicable regulatory requirements.
- The Subclause 4.1.5 regarding outsourcing has been modified to emphasize that organizations ultimately retain the responsibility to monitor and control outsourced processes while ensuring that said processes conform to the standard, customer requirements, and applicable regulatory requirements. The controls should be proportionate to the risks associated with the outsourced processes, conform to purchasing requirements (Subclause 7.4), and include written quality agreements.
- The last general requirements change involves validating the application of computer software used in the QMS. This differs from the previous edition. Before, there were no explicit requirements for QMS software validation, even though this was expected by regulatory authorities .
4.2 Documentation Requirements
- Addition of Subclause 4.2.3 (Medical device file), which details how organizations should establish and maintain a file for each medical device type or device family, that contains/references documents that demonstrate their compliance with ISO 13485:2016 and applicable regulatory requirements. The subclause also lists specific documents that should be included in the medical device file.
- Additional requirement to prevent the deterioration or loss of documents under the Control of Documents subclause (4.2.4).
- Additional requirement under the Control of Records section (Subclause 4.2.5) pertaining to the protection of confidential health information.
- Management Responsibility
The bulk of the changes within section 5 occur under clause 5.6, Management Review.
- Organizations are now required to use documented procedures for management review. This review of the organization’s QMS should occur at documented planned intervals.
The list of management review inputs and outputs have been expanded.
5.6.2. Review Input
- The review inputs list has added information regarding complaint handling and reporting to regulatory authorities.
5.6.3 Review Output
- Any output from management review must now be recorded.
- The review outputs section has been modified to reference any decisions or actions related to improvements needed to maintain the suitability, adequacy, and effectiveness of the QMS.
- In addition, the review outputs have been expanded to include any actions or decisions that involve changes in the QMS that are needed to respond to applicable new/revised regulatory requirements.
- Resource Management
This section on resource management covers human resources, work environment and contamination control, and infrastructure.
6.2 Human Resources
- Additional requirement for documenting the processes for establishing competence, providing training, and ensuring personnel awareness.
- New note that states that the methodology used to inspect effectiveness should be proportionate to the risk associated with the work for which the training/other action is being provided.
- For example, for low risk tasks, one method for evaluating effectiveness might be something as simple as a signature indicating that the procedure has been thoroughly read and understood. Meanwhile, a high risk activity might require a method of evaluation that is more complex; including some method of testing understanding and performance .
- There is a new requirement that states that the infrastructure must prevent product mix-up and ensure orderly handling of product.
- Additionally, information system has been included under the supporting services branch of infrastructure.
6.4 Work environment and contamination control
- There are added documentation requirements for the work environment.
- There is also an added requirement for sterile medical devices that details how organizations must document requirements for control of contamination with microorganisms/particulate matter, as well as, maintaining the required cleanliness during the assembly and packaging processes.
- Product Realization
7.1 Planning of product realization
- Certain requirements of the list regarding planning product realization have been modified.
7.2 Customer-related processes
- There are additional requirements added to the list. These include ensuring that applicable regulatory requirements are met and that the organization has the ability to meet the defined requirements.
- Organizations are also required to determine if any user training is needed to ensure correct performance and safe use of the medical device.
- There is a new requirement related to communicating with regulatory authorities.
7.3 Design and development
7.3.2 Design and development planning
- Multiple requirements have been added to the list. This includes the need for organizations to document the methods to ensure traceability of design and development outputs to design and development inputs, as well as, the resources needed (including necessary competence of personnel).
- The requirement in the previous edition related to the management of the interfaces between different groups involved in design and development has been eliminated.
7.3.3 Design and development inputs
- There are added requirements to the list. One being that the product requirements be able to be verified or validated.
7.3.5 Design and development review
- Details regarding the contents of records have been added. Specifically, in addition to the previous requirement, that records also contain the identification of the design under review, participants involved, and the date of the review.
7.3.6 Design and development verification
- Two new requirements have been added to the design and development verification section.
- One requiring that organizations document verification plans that include methods, acceptance criteria, and statistical techniques with rationale for sample size (as appropriate).
- The next requirement states that if the medical device requires to be connected to/have interface with other medical device(s), that verification includes confirmation that the design outputs meet design inputs when connect/interfaced.
7.3.7 Design and development validation
- This section has several added requirements. One details how organizations must document validation plans that include methods, acceptance criteria, and statistical techniques with rationale for sample size (as appropriate).
- Design validation must be conducted on representative products.
- This includes initial production units, batches or their equivalence.
- The rationale for choosing the product used for validation must be recorded.
- The validation process is required to be completed prior to release to the customer.
7.3.8 Design and development transfer
- 7.3.8 is a new subclause that requires documentation of procedures for the transfer of design and development outputs to manufacturing. In addition, results and conclusions of the transfer must be recorded.
7.3.9 Control of design and development changes
- There is a new addition that requires that the review of design and development changes include evaluation of the impact of the changes on products in process or already delivered, and on the inputs/outputs of risk management and product realization processes.
- Details were added that discuss factors organizations must consider when determining the significance of design and development changes.
- These include changes to: function, usability, performance, safety, as well as, applicable regulatory requirements for the medical device and its intended use.
7.3.10 Design and development files
- This subclause is a new addition. It requires that organizations maintain a design and development file for each medical device type or device family. The file must include/reference records that demonstrate conformity to the requirements for design and development. The file should also include records for design and development changes.
7.4.1 Purchasing process
- This subclause has added requirements that focus the criteria for selecting suppliers on the effect of supplier performance on the quality of the medical device, the risk associated with the medical device, and the ability of the product to meet applicable regulatory requirements.
- There are added requirements related to monitoring and re-evaluation of suppliers, and the actions that should be taken if purchasing requirements are not met.
- There is additional detail related to the content of records of the results of evaluation, selection, monitoring, and re-evaluation of supplier capability or performance.
7.4.2 Purchasing information
- A new requirement has been added which states that purchasing information should include a written agreement that suppliers notify the organization of changes in the purchased product (prior to the implementation of said changes), that affect the ability of the product to meet specified purchase requirements.
7.4.3 Verification of purchased product
- New requirements were added on the extent of verification activities and actions that should be taken when the organization becomes aware of any changes to the purchased product.
7.5 Production and service provision
7.5.1 Control of production and service provision
- Details related to controls for production and service provision have been modified or added.
- Production controls should include documentation of procedures and methods for the control of production.
- Production controls must include qualification of infrastructure.
7.5.2 Cleanliness of product
- This section has one additional requirement.
- Organizations must now document requirements for cleanliness of product or contamination control of product if: a) the product cannot be cleaned prior to sterilization or its use; and b) if its cleanliness is of significance in use.
7.5.4 Servicing activities
- New requirement for analysis of records for servicing activities.
- An organization or its supplier must carry out this analysis to: a) determine if the information is to be handled as a complaint; b) be used for input to the improvement process (as appropriate).
7.5.6 Validation of processes for production and service provision
- Added requirements to the list of what procedures organizations must document for validation of processes.
- New additions to this list include: a) statistical techniques with rationale for sample size (as appropriate); b) approval of changes to the processes.
- The section discussing situations requiring procedures has been expanded to be more detailed.
- There are modifications that relate the specific approach to software validation to the risk associated with the use of the software.
- Added requirements related to records of the results/conclusion of validation and necessary actions from the validation.
7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier systems
- There is an added requirement for sterile barrier systems.
- New requirement for documenting a system that assigns unique device identification to the medical device (if required by applicable regulatory requirements).
- Added requirement for establishing a documented procedure for product identification and maintaining identification of product status through the various stages of production.
7.5.11 Preservation of product
- This section has added detail on how product preservation can be accomplished. This includes: a) designing and constructing suitable packaging and shipping containers; b) documenting requirements for special conditions needed if packaging alone cannot provide preservation.
- Measurement, analysis and improvement
- This section has been modified to indicate that feedback should be gathered from production and post-production activities.
- Adds a requirement that feedback be utilized in risk-management processes for monitoring and maintaining the product requirements, product realization, or improvement processes.
8.2.2 Complaint handling
- Subclause 8.2.2 is a new subclause that details requirements for timely complaint handling in accordance with applicable regulatory requirements. The requirements for this section include information regarding:
- The minimum requirements and responsibilities of these complaint handling procedures.
- The need to document justification if a complaint is not investigated, or documenting corrective action resulting from the complaint handling process.
- If an external party is found to be responsible, or contributed to the complaint, the relevant information shall be exchanged between parties.
8.2.3 Reporting to regulatory authorities
- Subclause 8.2.3 is a new subclause that details how organizations must document procedures for providing notification to the appropriate regulatory authorities if applicable regulatory requirements require notification of complaints that meet specific reporting criteria.
8.2.6. Monitoring and measurement of product
- New requirement that records identify the test equipment used to perform measurement activities.
8.3 Control of nonconforming product
- Additional detail regarding what kinds of controls should be documented.
- Organizations must document a procedure that defines the controls, related responsibilities, and authorities for: identifying, documenting, segregating, and evaluating nonconforming products.
- The requirement to include any investigation and the rationale for decisions has been generalized.
- Actions in response to nonconforming product detected before delivery, and nonconformities detected after delivery, have been separated into their own subclauses (8.3.2 and 8.3.3 respectively).
- New requirement that records of actions relating to the issuance of advisory notices be maintained.
- There are additional requirements related to concessions and maintaining a record of said concessions.
8.4 Analysis of data
- Adds the requirement that the procedures include determination of appropriate methods, statistical techniques, and the extent of their use.
- The list regarding inputs has been modified. The changes include information from audits and service reports (as appropriate).
- This section has also been revised to include information regarding what should be done if the analysis of data shows that the QMS is not suitable, adequate, or effective.
8.5.2 Corrective action
- Added requirement that any corrective action must be taken without undue delay.
- Added requirement that corrective action does not adversely affect the medical device’s performance, safety, or ability to meet applicable regulatory requirements.
8.5.3 Preventative action
- New requirement that states that organizations must verify that preventative actions do not have any adverse effects on medical device safety, performance, and ability to meet applicable regulatory requirements.
- The British Standards Institution. (2016). Quality Management System (QMS) ISO 13485 Certification. Retrieved from: http://www.bsigroup.com/en-GB/medical-devices/our-services/iso-13485/.
- Mezher, M. (2016). New ISO 13485: Device Companies Have Three Years to Transition. Retrieved from: http://www.raps.org/Regulatory-Focus/News/2016/03/01/24443/New-ISO-13485-Device-Companies-Have-Three-Years-to-Transition/#sthash.QDmD3AUW.dpuf
- Health Canada. (2000). Policy on the Canadian Medical Devices Conformity Assessment System (CMDCAS) Quality. Retrieved from: http://www.hc-sc.gc.ca/dhp-mps/md-im/qualsys/cmdcas_scecim_syst_pol-eng.php.
- TÜV SÜD. (n.d.). ISO 13485 Quality Management System for Medical Devices. Retrieved from: http://www.tuv-sud.com/industry/healthcare-medical-device/quality-management-quality-control-for-medical-devices/iso-13485-quality-management-system-for-medical-devices#tab_1397654991942659403714.
- U.S. Food and Drug Administration. (2014). Quality System (QS) Regulation/Medical Device Good Manufacturing Practices. Retrieved from: http://www.fda.gov/medicaldevices/deviceregulationandguidance/postmarketrequirements/qualitysystemsregulations/.
- The British Standards Institution. (2016). ISO 13485:2016 [PowerPoint slides]. Retrieved from: http://www.bsigroup.com/meddev/LocalFiles/en-GB/Webinars/BSI-md-iso-13485-2016-transition-webinar-presentation-9-march-2016.pdf.
- The British Standards Institution. (2016). The new ISO 13485:2016 standard is published. Retrieved from: http://www.bsigroup.com/en-GB/medical-devices/our-services/ISO-13485-Revision/.
- International Organization for Standardization. (2016). ISO 13485: 2015 Medical devices – Quality management systems – Requirements for regulatory purposes. Geneva, Switzerland: ISO.
- Hoxey, E. (2016). Expert Commentary on BS EN ISO 13485:2016, Medical devices – Quality management systems – Requirements for regulatory purposes. Retrieved from: http://www.bsigroup.com/en-GB/medical-devices/our-services/ISO-13485-Revision/ISO-134852016-Expert-Commentary/.