ISO 13485:2016: What are the differences?
ISO 13485:2016 introduces changes in comparison to the previous versions of the standard. Thereby ISO 13485 became even closer to the requirements under 21 CFR part 820 (Quality System Regulations).
Unfortunately, it will be harder for medical device manufacturers to simultaneously comply with ISO 9001:2015 as the high-level structure of both standards diverges.
Differences between ISO 13485:2016 and previous versions
First off: ISO 13485:2016 is an evolution of the previous versions having barely been altered since ISO13485:2003 – not a revolution. However, a variety of small changes even affecting chapter structure makes it necessary to deal with this latest version of the standard intensely.
The new standard specifies that it explicitly also applies to outsourced processes. There must not be a black hole within the value-added chain.
It is also explicitly included that regulatory requirements shall additionally be regarded as well as risk management. The demand of meeting regulatory requirements was already existent in Chapter 7.1. This no longer exclusively applies to development.
A new term, namely the medical device family, allows for providing evidence not only on the level of a product but also on the level of a medical device family. For example, risk management could be carried out only once for very similar devices belonging to one family instead of carrying it out redundantly for each individual family member.
Software validation: What used to be rather ensconced in Chapter 8 is now explicitly expressed in Chapter 4.1 of ISO 13485:2016: Software used in quality management systems must be validated. An example would be software to manage customer feedback. This requirement is no longer limited to production and service provision.
From now on, the management review (chapter 5.6) must additionally consider:
- Input: complaint handling, notifications to authorities, and measurement of products and processes
- Output: suitability and adequacy of the QM-system
Risk management can, but must not be compliant with ISO 14971.
Chapter 7.3’s structure has been revised in ISO 13485:2016. New are the demands for documenting “procedures for design and development”, including design transfer. Here, again, the FDA’s influence becomes noticeable.
According to chapter 7.3.8, this design transfer would ideally be carried out after verification, but prior to validation, for example, to validate products of the pilot series.
Also new is chapter 7.3.10, design and development files, corresponding to the FDA’s Design History File.
Chapter 7.5.6 on process validation requires more precisely that relevant process’ software shall be validated.
Two new subchapters have been incorporated into the new version of ISO 13485:
- chapter 8.2.2 addresses complaint handling in more detailed
- Chapter 8.2.3 addresses the communication with authorities and notified bodies
The analysis of data (chapter 8.4) now must explicitly consider the results of audits and service reports (as appropriate).
ISO 13485:2016: Good or bad? A Conclusion
Things are getting easier
Better interplay with 21 CFR part 820: ISO 13485:2016 now better covers requirements of 21 CFR part 820. Companies exporting to the USA should therefore already partly meet the requirements.
Better coverage of MDD: ISO 13485 only partly covered requirements for a quality management system by directives such as the MDD. With the new version of 2016, the coverage ratio is increasing, for example regarding communication with authorities. Annexes ZA to ZC illustrates that mapping.
Divergence 9001 and 13485: the two standards ISO 13485 and ISO 9001 diverge regarding their 2015 and 2016 version respectively. Mapping becomes increasingly difficult; also, because the high-level chapter structures are no longer congruent. A mapping table in the annex to ISO 13485:2016 is not estimated to be error-free.
ISO 13485:2016 was submitted as FDIS in October 2015. The standard was issued in March 2016. DIN EN 13485:2016 followed in August 2016.
The transition period of the old ISO 13485 is terminating in November 2019. However, EN ISO 13485:2016 names March 2019. Though relevant is the DaKKS’s estimation: it refers to 31 March 2019 (updated January 2018).
A harmonization of ISO 13485:2016 regarding the Medical Device Directive (MDD) and In-Vitro Diagnostic Directive took place in December 2017. It is still open until when the standard will be harmonized to the Medical Device Regulation (MDR).
The accreditation of notified bodies has partly happened as late as mid of 2017.
If ISO 13485 will follow the structure of ISO 9001 in the long term is not yet clear and still lies ahead, anyway.
Tips on Transitioning to the 2016 Version of ISO 13485
The following tips are useful for a successful transition to the new version of ISO 13485:
- Talk to your notified body about when you will transition to the new standard.
- Make a gap analysis and assess the efforts to upgrade your QM system. Johner Institute can help you fast and effectively (contact)
- Draw up a plan on when you will implement which (new) requirement.
- Do not make use of some freedoms ISO 9001:2015 would offer you, such as foregoing a QM manual.
- Watch out for suppliers only “certified” according to ISO 9001 to operate in compliance with the rules of your(!) QM system, if required.
- Plan a mock-up audit to assess the readiness for your next certification audit and to avoid any unforeseen problems.