ISO 13485:2016 Changes
Understanding the Changes
Avoiding Compliance Gaps
when updating a
Quality Management System (QMS)
Safis Solutions, LLC
It is currently a requirement for most companies involved in one or more stages of the life-cycle of a medical device (design, development, production, installation and servicing) to comply with ISO 13485:2003, an international standard titled “Medical devices — Quality management systems — Requirements for regulatory purposes”. In October 2015 a revision of this standard reached the ISO FDIS stage. FDIS stands for “final draft international standard” however minor changes (format and grammar, not substance) are still possible before it’s probable early 2016 release as ISO 13485:2016. Once released, it will supersede the 2003 version. The anticipated transition period for compliance is 3 years. Many companies are already in the process of planning updates to their company’s quality management system (QMS).
Many people, seasoned professionals and newcomers in the medical device compliance world have been involved in creating or revising a QMS in whole or in part in the past. Yet, despite the efforts of experiences professionals, third party assessors often find compliance gaps in that QMS. These gaps are typically not the result of lack of honest effort. In fact, it is usually those who are involved in defining the QMS that are the most surprised and disappointed when these gaps are found. Why is this? The answer is rather simple. Most often when one reads a new / revised regulation or standard we make assumptions about how to interpret it which in turn results in assumptions about how to comply with it, finally resulting in errors in how to define the QMS.
The best solution is the easiest in concept. Take the time and effort to understand the requirements. Of course doing what is easy in concept is not always easy in practice. For that reason, this white paper is being written to help you understand ISO 13485:2016 requirements. This is accomplished by clarifying the reasons for the changes, the format, the terminology used and especially the new sub-clauses and requirements in the 2016 version.
UNDERSTANDING ISO 13485:2016:
This section of the paper outlines 1) why the standard’s revision is being made, 2) the approach taken and 3) the thought process to use to best understand the approach to ensure compliance.
Both the old (2003) and new (2016 draft) versions of ISO 13485 cover essentially the same topics however when one looks at the level of detail, the terminology and the location of the requirements, there are numerous differences.
Why the revision? The addition or expansion of requirements, clarification of terminology, merging or separation of already existing elements result in a standard that is easier to read and more in line with other regulatory requirements. Key motivating forces for this revision are 1) the opportunity to improve the convergence of US, Japanese and Brazilian requirements, 2) align better with the EU Medical Device Directive (MDD), 3) incorporate risk based decisions and principles throughout the standard in order to ensure incorporation in the resulting quality management systems (QMS) and 4) ensure the standard covers all aspects of the product life cycle, including the entire supply chain.
This paper does not discuss every change in every clause for a number of reasons. There are a large number of changes that will become effective with ISO 13485:2016. Many are minor and associated with format, grouping of requirements and addition of terminology for consistency. In addition, a large number of changes include adding requirements and clarifying existing requirements.
NOTE: the references to the ISO 13485:2016 sections below are based on the published “ISO / FDIS 13485:2015” standard, representing the Final Draft subject to clerical changes which will not change content but may result in format, including section numbering changes.
Examples of minor changes include, but are not limited to the following.
- “customer complaint” is changing to “complaint”. (refer to section 7.5.4)
- “control and monitoring of measuring devices” is changing to “control and monitoring of measuring equipment”. (refer to section 7.6)
- “Design and development planning” is being was split into “General” and “Design and development planning”. (refer to section 7.3.1 & 7.3.2)
- The Scope section was changed from having “General” and “Application” subsections to a single “Scope” section. (refer to section 1)
Examples of more significant changes include, but are not limited to the following:
- Expands the required use of a risk based approach. In addition to the stated expectations in 2003 for this approach in Product Realization, 2016 requires this for “appropriate processes” in the entire QMS. For example, risk management outputs are required to be considered when clarifying product usability and safety requirements. (refer to section 4.1.2 b)
- Added option for companies to be able to exclude, with justification, aspects of sections 6 (Resource Management) and 8 (Measurement, Analysis and Improvement) in addition to what was already allowed for exclusion in section 7 (Product Realization). (refer to section 1, last paragraph)
- Clarified / emphasized requirement for a company to incorporate other applicable regulatory requirements into the QMS, not just ISO 13485 requirements. (refer to section 1, paragraph 2)
- Medical Device File contents are defined in greater detail. (refer to section 4.2.3)
- Measurement, handling, storage, distribution and traceability requirements were added to the Planning of Product Realization section. (refer to section 7.1 c)
- The “establish processes and documents and to provide resources specific to the product, including infrastructure and work environment” statement was revised. It does not include the “including infrastructure and work environment” ending in the current 2003 version. (refer to section 7.1 b)
- Added the requirement that design and development inputs are able to be verified or validated. (refer to section 7.3.3)
- “usability” requirements were added as a Design and Development Inputs requirement. (refer to section 7.3.3 a)
- The planning and documenting of supplier monitoring has been added as a requirement as well as the incorporation of monitoring results into the supplier re-evaluation process. (refer to section 7.4.1)
- Added requirements to have documented design and development verification plans as well as documented arrangements to ensure that design and development outputs have met the input requirements. (refer to section 7.3.6)
- Added requirements to have documented design and development validation plans as well as documented arrangements to ensure that design and development outputs have met the specified application or intended use requirements. (refer to section 7.3.7)
- Added requirements for both design and development verification and validation to confirm that when a medical device is connected to, or have interface with other medical devices that the design outputs meet design inputs when the devices are connected or interfacing. (refer to sections 7.3.6 & 7.3.7)
- Added requirements associated with design and development changes. These requirements include having documented procedures to control change, determine significance of the change to function, performance, usability, safety and regulatory requirements. (refer to section 7.3.9)
- Design Transfer is changing from being mentioned in Design Planning to having a dedicated sub-section where emphasis is put on ensuring manufacturability of outputs. (refer to section 7.3.8)
- Additional requirements added to the Purchasing section including evaluation of suppliers factoring in risk, supplier monitoring and written agreements with suppliers. (refer to section 7.4)
- Added requirements to the Validation of Processes for Production and Service Provisions including establishing documented procedures for validations that include acceptance criteria, statistical techniques with rationale for sampling plans as appropriate, criteria for revalidation and the use of risk criteria for software validation. (refer to section 7.5.4)
- Added requirements for Servicing Activities include analysis of records to determine if the information is to be handled as a complaint or for input to the improvement process. (refer to section 7.5.4)
- Added a sub-section for Complaint Handling. 13485:2003 made references to customer complaints in various sections but did not have the same level of detail that exists in this dedicated section. (refer to section 8.2.2)
Numerous changes are taking place to ISO 13485 which will result in a probable early 2016 release. Because of the number of changes ranging in scope from reorganization to addition of new or redefined requirements, it is critical that any company preparing to update its QMS make sure they do not overlook the seemingly minor changes.
This White paper has been written to provide insight into the changes by highlighting the most significant changes as well as the types of relatively minor changes. This in no way is meant to minimize the need to understand and react to all changes in the standard as appropriate to your specific company’sQMS needs. It is important to make sure exclusion of complying to requirements of the standard are justified and not the result of assumptions and misunderstanding.