Issues Driving the ISO 13485:2016 Revision

July 27, 2016

Standards are not revised in a vacuum. Industry changes, regulatory challenges, and feedback from medical device manufacturers, regulators, and auditors are all considered.

In this two-part series, we discuss key changes to ISO 13485:2016 with Ed Kimmelman, an Oriel STAT A MATRIX Executive Management Consultant who recently retired as the Convenor of the ISO/TC 210, Working Group 1 on quality systems – the ISO working group responsible for developing ISO 13485:2016.

For ISO 13485:2016, there were several issues that led both regulators and the industry to agree it was an appropriate time to revise the standard.

Make implicit requirements explicit.

A number of requirements in ISO 13485:2003 were implicit. For example, the handling of customer feedback, the handling of corrective and preventive actions, the determination of personnel competency requirements, and many other requirements implicitly involved risk-based decision making as part of the activities conducted to meet them. ISO 13485:2016 now explicitly calls for risk-based decision making and clearly expects risk to be considered for product performance (safety and effectiveness) and compliance with regulatory requirements.

There are multiple requirement areas in ISO 13485:2016 that demand risk-based decision making:

  • Introduction: Explains the concept of a risk-based approach.
  • Clause 4: Addresses applying a risk-based approach to control the organization’s QMS processes, external party processes, and validation of QMS software.
  • Clause 5: While risk-based decision making is not directly referenced in this clause, meeting the responsibilities of top management requires the use of a risk-based approach.
  • Clause 6: This clause ensures that the training effectiveness methodology is proportionate to risk.
  • Clauses 7.1 to 7.3: These clauses apply risk management to product design and development.
  • Clause 7.4: This clause ensures that criteria for supplier evaluation, selection, and control (verification of product) are proportionate to risk.
  • Clauses 7.5 and 7.6: The clauses discuss validating software proportionate to risk.
  • Clause 7.5: This clause addresses monitoring, measuring, analyzing, and evaluating to ensure conformity of product; taking actions necessary to ensure valid results; and taking appropriate actions for the equipment or product affected if the measurement results are found not to conform to requirements.
  • Clause 8: This clause discusses correcting, preventing, or reducing undesired effects and improving the QMS and updating risk documentation.

In addition, risk is implicit whenever “suitable” or “appropriate” is mentioned (Clauses 7 and 8). Organizations will need to create strong risk management programs to serve as the foundation for meeting these new risk requirements. Employees will also need to learn how to select and apply appropriate risk analysis tools throughout the different stages of product development.

Clarify the application of the standard’s requirements.

Regulators from around the world identified the need to extend the requirements beyond medical device manufacturers, the focus of the 2003 version of the standard. For example, in marketplaces around the globe where the predominant suppliers of medical devices are importers and distributors, the regulators wanted increased clarity related to the application of the QMS requirements for those types of suppliers.

The Scope statement in the revised standard now clarifies that the requirements apply to any organization that participates in any stage in the life cycle of the medical device. ISO 13485:2016 recognizes harmonization guidance efforts of the Global Harmonization Task Force (GHTF) and the International Medical Device Regulators Forum (IMDRF). Representatives of QMS auditors also identified a number of requirements that needed to be clarified to make them auditable.

Strengthen the requirements.

Those involved in the European Union (EU) regulation of medical devices called for more robust QMS requirements in order to ensure that conformity with the standard would provide a presumption of conformity with the EU medical device regulatory requirements. The EU version of the revised standard contains detailed Annexes (Annex Zs) that provide an explanation of how the standard requirements align with the EU regulatory requirements.

Challenges Faced By Smaller Medical Device Organizations

Providing Input into Standards Development

As noted earlier, regulators, auditors, and the industry all participated in the development of ISO 13485:2016. However, the medical device industry is made up primarily of small manufacturers that lack the resources to actively participate in the development and periodic revision of QMS standards. As a result, the content of QMS standards reflects the input of relevant regulatory agencies, certifying bodies, and larger manufacturers.

When possible, smaller industry organizations should assign the responsibility for keeping abreast of the QMS standards activities of international technical committees (e.g., ISO/TC210 and ISO/TC212) to an internal staff member, such as their management representative. If necessary, that person should employ external consultative help to identify in real time any relevant activity pertaining to international standards. At the very least, these small organizations should take the opportunity to participate in the notice and comment process administered by the standards organizations during the development of a standard.

Complying with ISO 13485:2016

Smaller medical device manufacturers have identified specific issues impacting their ability to transition to ISO 13485:2016, including:

  • Meeting more explicit risk requirements. Smaller companies find it overwhelming to document their risk-related processes and do not know where to start.
  • Developing the necessary documented procedures. For ISO 13485:2016, organizations need to have 32 documented procedures (23 in prior standard), 10 documented requirements (7 in prior standard), 7 documented arrangements (1 in prior standard), and 2 documented processes (1 in prior standard).
  • Addressing ISO 13485:2016’s more explicit requirements to comply with regulatory requirements. These requirements are mentioned 37 times in the new standard as compared to just 9 times in the previous version of the standard.

Oriel STAT A MATRIX is available to assist organizations of all sizes in addressing the risk requirements, needed documentation, and regulatory compliance necessary for transitioning to the revised standard.

To learn more about ISO 13485:2016, read Part II in this series, ISO 13485:2016 — Applying the Updates and our Market Update: Impacts and Opportunities Presented by the Major Changes in ISO 13485:2016.

We are also offering a new 2-day course, Transition to ISO 13485:2016.
