Changes to ISO 13485: What to Expect

By Rob Packard

A summary of the new and revised changes in ISO 13485, the second Draft International Standard (DIS2), which is planned for release this fall.

ANSI released the second draft international standard for ISO 13485 on February 5, 2015. I expect there will be few comments of significance related to this second draft, and the ISO Technical Committee 210 Working Group 1 (ISO TC 210 WG1) should release the final version of ISO 13485:2015 prior to the release of ISO 9001:2015 in October.

As with most standards, the overall weight is somewhat intimidating (i.e., 113 pages), but the Standard itself is only 32 pages in length. The DIS2 also includes a side-by-side comparison of each clause on pages 37-90. Pages 91-111 are harmonization annexes (Annex ZA-ZC), but I would not even bother reading this section because harmonization of the Standard will need to be completely redone when the new European Medical Device Regulation (EMDR) is released in 2016.

Major Changes in ISO 13485:2015 DIS2

Unlike the ISO 9001:2015 Standard, ISO 13485:2015 retains the requirement for a quality manual. Clause 0.1 identifies seven expectations of your quality system, and Clause 0.2 has four new goals. You will need to update your quality manual to address both of these issues. Clause 1.2 was also expanded to include the option for non-applicability to Clauses 6 and 8. Therefore, you may need to add some sections for non-applicability with rationale for each clause you determine is not applicable.

There are a number of definitions that were added to Clause 3 of ISO 13485. If you include definitions in your procedures or the quality manual, you may need to make some updates. Alternatively, you might consider using this opportunity to create a corporate glossary where all your definitions reside.

There were only a few changes to Clause 4. Clause 4.1.5 now requires written supplier agreements, and control of outsourced processes must be risk-based. Clause requires you to create and maintain a technical file for products and product families, and Clause 4.2.4 requires that patient records are maintained as confidential records.

Changes to Clause 5 are minor and isolated to the management review process. The revised Standard requires documenting a rationale for the frequency of your management reviews. You must include complaint-handling trends as a management review input, and your outputs must include changes needed to the quality system in order to address new and revised regulatory requirements.

Clauses 6.3 and 6.4 changed significantly in this revision, and therefore you should review these two sections carefully. I typically verify compliance with these sections in every process by using the process approach to auditing. I expect that more auditors will do this in the future due to the significant changes that were made to these sections. It is much easier to verify compliance with Clauses 6.3 and 6.4 if you use the process approach than to conduct an audit using the element approach or by auditing procedures.

Throughout Clause 7 there are references to software, while the previous version of ISO 13485 focused on product realization of physical medical devices instead of including software devices. Section 7.1 retained the requirement to include risk management throughout product realization, but now the word “risk” appears 19 times throughout the Standard. The incorporation of risk throughout the Standard parallels the changes being made to the ISO 9001 standard, but the structure of ISO 13485 has not been changed as ISO 9001 has been.

The section of the Standard about Design controls, section 7.3, was revised by adding Design Transfer as Clause 7.3.8 and the requirement for a Design and Development File (i.e., DHF) as Clause 7.3.10. There were also new requirements added to Clause 7.4 in order to strengthen supplier controls and make them risk-based. Finally, requirements for UDI labeling were added as Clause

In the last section of the standard, there were four changes. First, Clause 8.2.1 related to “Feedback” is now a formal input to the risk management process. Second, the requirement for complaint handling was added as Clause Third, the section with requirements for control of nonconforming product (i.e., Clause 8.3) was split into four subsections with new requirements for nonconforming product that has already been shipped. Finally, the fourth change was to add two new data analysis requirements for audits and service reports.


If your company is already compliant with 21 CFR 820, you are already compliant with most of the changes to ISO 13485:2015. However, if you are not currently compliant with 21 CFR 820, you may need to make some significant changes to your quality system. I also recommend early implementation of these changes, because if your company needs to implement changes related to ISO 13485:2015 and the new EMDR at the same time, the overall project may be overwhelming.
