ISO 13485 is the international standard medical device companies follow to demonstrate their ability to consistently meet both customer and regulatory requirements with their devices and related services. Regulators worldwide, including the EU, Canada, Australia and Japan, have integrated ISO 13485 into their regulatory requirements. The standard is designed to be used by organizations throughout the lifecycle of a medical device, from conception to production and post-production, including final decommission and disposal. It also covers storage, distribution, installation and servicing and the provision of associated services.1
This standard has created a common understanding between regulators and the industry as to what is required for a quality management system, although many countries will have their own regulatory requirements in addition to ISO. If you are marketing only in the US, compliance to ISO 13485 is not required; however, it does provide your company with a marketing advantage by showing your company’s commitment to quality, continual improvement and bringing safe and effective products to market.
Coexisting Standards
In March 2016, the third edition of ISO 13485 was released, which was the first major revision in 13 years. Because many countries had either revised or added regulations, ISO determined that an update was necessary to ensure quality management system requirements aligned with regulatory requirements. Ultimately, ISO 13485:2016 will replace ISO 13485:2003; however, over the course of the next three years, the standards will coexist. This will give manufacturers, notified bodies and regulators time to transition to the new standard. According to a transition planning guidance by ISO, organizations will be accredited for either edition for the first two years of the transition period. After the second year, new accreditation will only be given for ISO 13485:2016. After year three, any existing certification for ISO 13485:2003 will no longer be valid. In reality, this does not give you time to procrastinate. When you see the level of requirements you will have to account for, you will realize that taking necessary action should be a top concern.
Biggest Changes between ISO 13485:2016 and 2003
One of the biggest changes seen in ISO 13485:2016 is its risk-based approach to control the appropriate processes needed for the QMS. This means risk must be considered in the context of the safety and performance of the medical device, as well as for meeting regulatory requirements. The risk-based approach, which adds risk analysis and risk management, adds complexity to the previous versions’ process approach. Organizations may find this to be one of the most significant and challenging changes, as they will now need to make risk-based decisions in addition to the traditional process approach, which may be a new way of thinking and operating.
A high-level review of additional major changes in ISO 13485:2016 includes:
- Increased alignment of the standard to regulatory requirements applicable to the organization, particularly for regulatory documentation (The word “regulatory” actually appears twice as much in 2016 as it did in 2003.);
- Expansion of the standard’s applicability to all organizations involved in the product’s lifecycle; such organizations can be involved in one or more stages of the life-cycle, including design and development, production, storage and distribution, installation, or servicing of a medical device and design and development or provision of associated activities;
- Harmonization of the requirements for software validation for the different software applications used in the quality management system (QMS software, process control software, software for monitoring and measurement); Each application must be validated prior to initial use and after changes are made to the software in accordance to the level of risk associated with its use;
- Emphasis on infrastructure, including buildings, workspaces, process equipment and supporting services to prevent mix-ups and ensure product quality;
- Additional requirements in design and development regarding usability, use of standards, verification and validation planning, including additional sub-clauses for design and development transfer and design and development records;
- Increased focus on feedback mechanisms, such as complaint handling, reporting to regulatory authorities and post-market surveillance, as a means to serve as input into risk management;
- Planning and documenting risk-based corrective actions and preventive actions, and implementing corrective actions without undue delay;
- Verifying that corrective actions do not adversely affect the ability to meet applicable regulatory requirements or the safety and performance of the medical device; and
- Additional requirement of a medical device file, similar to the EU’s Technical File, to demonstrate conformity to ISO 13485:2016.
What Does this Mean for Medical Device Companies?
Organizations have until March 1, 2019 to transition from ISO 13485:2003 to ISO 13485:2016. The differences between the two standards are significant enough that a transition plan may need to be implemented. MethodSense will provide the necessary quality support to ensure you are prepared for a successful transition, including Document Review, SOP Creation, Internal Audits and preparation for ISO 13485:2016 certification. Keep in mind that many other companies will be waiting until year three to transition. This could potentially lead to delays in technical file reviews and certification audits. Be sure you don’t wait too long – you wouldn’t want to be faced with a lapse in your certification.
1ISO 13485 Quality Management for Medical Devices, International Organization for Standardization, 2016
2ISO 13485: 2003 Medical devices – Quality management systems – Requirements for regulatory purposes
3 ISO 13485:2016 Medical devices – Quality management systems – Requirements for regulatory purposes