ISO 13485 Revised – Requirements for Medical Device Quality Management Systems

On February 25, 2016, the International Organization for Standardization (ISO) published its updated ISO 13485 guidance. The guidance, which was originally published in 2003, is the global standard for medical device quality management systems. Specifically, the guidance includes “requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices related to services that consistently meet customer and applicable regulatory requirements.”

According to the ISO Transition Planning Guidance, the updated document “is intended for current users of ISO 13485:2003, those who are intending to use ISO 13485:2016, as well as other interested parties” including, but not limited to:

Medical device manufacturers
Accreditation bodies
Certification bodies
Registrars
Regulatory authorities responsible for implementation and surveillance of medical device regulatory requirements that will include the use of ISO 13485:2016
International and national standards bodies.

In addition, ISO has stated that the “requirements of ISO 13485:2016 are applicable to organizations regardless of their size and regardless of their type except where explicitly stated. Wherever requirements are specified as applying to medical devices, the requirements apply equally to associated services as supplied by the organization.”

ISO 13485:2003 vs. ISO 13485:2016

The revised guidance highlights the importance of having a quality management system (QMS) in place throughout the supply chain. Furthermore, ISO 13485:2016 draws particular attention to requirements regarding device usability and post-market surveillance.

Although the new document is simply a revision to the original guidance, there are a number of fairly significant differences between the two. According to the Regulatory Affairs Professional Society (RAPS), the largest differences between the 2003 and 2016 versions of the guidance include the following:

“Incorporation of risk-based approaches beyond product realization. Risk is considered in the context of the safety and performance of the medical device and in meeting regulatory requirements;
Increased linkage with regulatory requirements, particularly for regulatory documentation;
Application to organizations throughout the life cycle and supply chain for medical devices;
Harmonization of the requirements for software validation for different software applications (QMS software, process control software, software for monitoring and measurement) in different clauses of the standard;
Emphasis on appropriate infrastructure, particularly for production of sterile medical devices, and addition of requirements for validation of sterile barrier properties;
Additional requirements in design and development on consideration of usability, use of standards, verification and validation planning, design transfer and design records;
Emphasis on complaint handling and reporting to regulatory authorities in accordance with regulatory requirements, and consideration of post-market surveillance; and
Planning and documenting corrective action and preventive action, and implementing corrective action without undue delay.”

Transitioning to Updated Regulations

Manufacturers, regulators, certification bodies, and any other applicable parties will have three years to transition from ISO 13485:2003 to ISO 13485:2016. As such, both versions of the guidance will exist during that time.