A Review of the Changes in ISO 13485:2013 and the Impact on Current ISO 13485:2003

On February 25, 2016, the International Organization for Standardization (ISO) published its updated ISO 13485 guidance. The guidance, which was originally published in 2003 and had not been updated for 12 years, is the global standard for medical device quality management systems. Specifically, the guidance includes “requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices related to services that consistently meet customer and applicable regulatory requirements.”

The ISO 13485 standard was updated for two key reasons: to keep up with changes in the industry and to address changes in the underlying ISO 9001 standard. While the old ISO 13485:2003 standard was based on the old ISO 9001:2000 standard, the new one is based on ISO 9001:2008.

In general, the “new” ISO 13485 standard is more flexible than the old. In the past, organizations could only exclude section 7 requirements (on product realization) and then only if they could justify their decision. Now, they can exclude any requirement in sections 6, 7, or 8 if they can justify doing so because of the nature of their activities or products.

An ISO Transition Planning Guidance (http://www.iso.org/iso/white_paper_-_iso_transition_planning_guidance_for_iso_13485-2016.pdf) has been provided to current users of ISO 13485:2003 with recommendations for transitioning to the new requirements of the standard. A few industries impacted by these changes are:

Medical device manufacturers

Accreditation bodies

Certification bodies

Regulatory authorities responsible for implementation and surveillance of medical device regulatory requirements that will include the use of ISO 13485:2016

International and national standards bodies

A transition period of 3 years has been defined to allow users to update their Quality Management Systems (QMS) to meet the requirements of ISO 13485:2016. This will allow for both ISO 13485:2003 and ISO 13485:2016 to coexist until the 2003 version is withdrawn in February 2019.

What Updates Have Been Made In The “New” 2016 Standard?

The revised guidance highlights the importance of having a quality management system (QMS) in place throughout the supply chain. Furthermore, ISO 13485:2016 draws particular attention to requirements regarding device usability and post-market surveillance.

Although the new standard is a revision to the original guidance, there are areas in which the standard had significant updates. Below is a summary of those areas:

Regulatory Requirements – Compliance with all applicable regulatory requirements is emphasized throughout the new standard. It is expected that objectives are set for meeting regulatory requirements in addition to product requirements.

Risk-based approaches must be in place beyond product realization. Risk of safety and performance of the medical device must be considered and assessed as part of the regulatory requirements.

Risk Management – Application of a “risk based approach” to your organization’s QMS processes. In the previous standard, risk was applied during product realization. In the new standard, you are expected to apply risk management methods to all QMS processes, including outsourced processes.

Medical device file – While both old and new standards expect you to establish a special file for each type of medical device, the new standard defines this to include a description of the medical device(s) which will include specifications, procedures and records.

Record keeping – The new standard now expects you to establish and document supplier monitoring and re-evaluation activities. Privacy regulations must be considered when necessary to protect confidential health information.

Product realization – In addition to the previous requirements for product verification, validation, monitoring, inspection, and testing, the new standard also requires you to establish your product handling, storage, measuring, revalidation, and traceability requirements.

User training – The new standard sets an expectation that you must evaluate safety and performance of your products and any training needs of the end user prior to supplying product to the customers. You must verify that regulatory requirements are met and user training is performed. The old standard only required you to identify product requirements specified by the customer and regulations.

Design and development inputs – You must consider risk management outputs to clarify product usability and safety requirements and to ensure that the input requirements can be verified and validated.

Design and development verification and validation – You must document your verification and validation plans, and you must verify and validate medical devices that connect to or interface with other medical devices. Design inputs and outputs must be verified when your devices are connected or interfaced, and you must validate that intended use or application requirements are met when devices are connected or interfaced.

Design and development changes – The new standard addresses a few gaps with the old standard around how to control design and development changes. The new standard expects you to maintain a file for each medical device or family of medical devices which documents the changes.

Design and development transfer – The new standard has established a section specific to Design and Development Transfer. It is expected that you will ensure that outputs are suitable for manufacturing before the specifications are finalized and are moved to production.

Purchasing – Significant changes in purchasing requirements were defined in the new standard. In the old standard it was required that you establish supplier selection and evaluation criteria, but details were not provided/defined. In the new standard you must consider your medical device and the risks associated with the purchased products and the impact on safety and performance. You must ensure that your suppliers are capable of meeting the product, organization and relevant regulatory requirements.

Supplier monitoring – As part of your supplier selection process you not only must monitor the supplier performance, you now must also consider the risk associated when those suppliers don’t perform. The response to, and actions taken on, supplier performance concerns must be proportional to the risk associated with the supplier’s services and/or processes. The old and new standards both had requirements to establish records of the supplier’s evaluation, but in the new standard you are also expected to record monitoring and re-evaluation activities.

Purchased product risks – The old and new standards required that you verify that purchased product meets purchase requirements. In the new standard you are also required to consider risk associated with products/services. You must also consider unanticipated changes that may occur and how these changes may affect your medical device or your product realization process.

Process validation – The old and new standards expect you to establish procedures to validate production and service delivery processes that generate outputs that can’t be verified until the product is in use or the service has been delivered. In the new standard, you must establish validation plans and revalidate processes whenever necessary.

Servicing – In addition to documenting your organization’s servicing procedures and reference materials, you must now analyze servicing records in order to identify servicing complaints and improvement opportunities.

Complaints – The old standard spread complaint processing and handling over several sections of the standard. In the new standard this requirement has been defined in one section. The new standard includes requirements to include all kinds of complaints (not just customer complaints). You must develop and document complaint handling procedures that comply with all applicable regulatory requirements. The old standard merely asked you to establish arrangements, not procedures.

Delivery of nonconforming product – The new standard now expects you to investigate nonconforming products that have been delivered. You must determine corrective action and consider if notification must be provided to external parties (i.e., end-users, suppliers).

Improvement – Requirements for maintaining a suitable and effective QMS were part of both the old and new standards, but it is now required that you also maintain the safety and performance of your products whenever improvements are being considered. Prior to implementing any corrective and preventative actions, you must verify that those actions comply with all applicable regulatory requirements and that those actions don’t compromise the safety and performance of your medical devices.


Safis Solutions can assist in the entire process of establishing a QMS to meet the standards of ISO 13485:2016. This includes the development, training, and effective implementation of your QMS to ensure successful certification to the standards of ISO 13485:2016. You can reach a consultant at info@safis-solutions.com.