ISO 13485:2016 – What Are the Changes About?

By Linda M. Chatwin, Esq, RAC, Walt Murray

How to prepare for a successful transition.

ISO published the final draft of the latest ISO 13485 quality management standard for medical devices and placed it out for voting on October 29, 2015. Accordingly, publication of the 2016 version of ISO 13485 occurred on March 1, 2016. There is to be a three-year transition period. Of note, there is now somewhat of a difference between ISO 13485 and the newly published ISO 9001:2015 standard, which companies certifying to both will need to take into account. According to the Introduction of ISO 13485:2016:

This International Standard is intended to facilitate global alignment of appropriate regulatory requirements for quality management systems applicable to organizations involved in one or more stages of the life-cycle of a medical device.

This International Standard includes some particular requirements for organizations involved in the life-cycle of medical devices and excludes some of the requirements of ISO 9001 that are not appropriate as regulatory requirements. Because of these exclusions, organizations whose quality management systems conform to this International Standard cannot claim conformity to ISO 9001 unless their quality management system meets all the requirements of ISO 9001.

The ISO 13485 standard specifies risk-based applications, importantly based on these three points:

  1. Actions taken by a business in its operational and management areas must contain measures for controlling risk
  2. Critical factors in decisions driving the operations and management of the company must be evaluated as risk and opportunistic (or risk/benefit) driven outcomes
  3. Planning becomes an imperative and tangible, documented activity with appropriate actions and review at specified intervals at executive level decision-making

Changes in the Standard

Risk is mentioned some 15 times throughout the standard, to be considered in outsourcing and supplier controls, with respect to software validations, and in the training of personnel commensurate with risks inherent in the processes they perform. Risk is to be taken into account in product planning processes. Risk management activities should also be incorporated during the processes of:

  • Verification, validation and revalidation
  • Documentation of risk management in product realization
  • Monitoring, testing and traceability
  • Corrective actions and preventive actions

In this context, management of risk is an explicit part of executive decision-making about company (quality) objectives. Executive management reviews must specifically address how risk management is incorporated into the areas presented at the reviews. The following model needs to be applied in actions and reviews.

One will recognize alignment with familiar FDA terms, such as establish, implement and maintain documented processes. There is also a requirement to meet the regulations, statutes, ordinances and directives regarding safety and performance of the medical device. In fact, there is also a statement that unique identification, when required, shall be incorporated. In order to comply with ISO 13485:2016, the company must now maintain a medical device file much like the European requirements. The elements of the file are to demonstrate conformity with the standard, and essentially constitute the technical file of the product.

What and Who Do the Changes Affect?

Functions and Facilities

  • Leadership. Top management responsibilities are clarified, with emphasis on results of activities and effectiveness of the quality system and measurable quality objectives.
  • Human Resources. The standard specifies that the organization shall determine any user training needed to ensure specified performance and safe use of the medical device.
  • Facilities must be arranged in order to prevent mix-ups. The work environment is to be documented, with control of contamination and particulate matter where needed for aseptic and sterile products.

Processes and Records

  • Design and development planning requirements are stated to more closely reflect regulatory expectations of design control planning. The company must produce verification and validation plans, and records of verification and validation must be maintained.
  • A design history file must be documented and maintained, and changed product must include an evaluation of the change effect on products, processes and activities.
  • Purchasing process focuses on the supplier sourcing and selection criteria, taking into account supplier performance and the risk involved with respect to the medical device specifications, including notification of changes in purchased materials.
  • An analysis of installation and servicing activities must be made to determine where procedures are required. This now aligns with the new process validation guidance.
  • Corrective and preventive actions must verify that the actions do not have an adverse effect on product, and that corrective actions are taken without undue delay.
  • Design and development transfer sub-clause was added.
  • Complaint handling is added as a completely new sub-clause to the standard. The requirement to report to the appropriate authorities is also expanded.


  • Status identification of product is required throughout the stages of production and storage.
  • Requirement to identify the test equipment used to perform measurement activities and details related to kinds of controls that are to be documented, and to include the rationale for investigations, as well as documenting and justifying concessions. Specific rework issues are also addressed.
  • The organization must determine the appropriate verification, validation, monitoring, measurement, inspection and test, handling, storage, distribution and traceability activities for its products.
  • Cleanliness-of-product requirements are enhanced for non-sterile product whose use depends on cleanliness.

Final Step: Prepare for a Successful Transition

  1. Plan the transition: What will be needed? From whom? When? Risks?
  2. Consider ISO 9001: Does the company also need to maintain that certification?
    1. How to reconcile the requirements of the two standards
    2. How to meet the requirements of each
    3. Is some division in the quality system needed?
  3. What paradigm shifts will the company need? Are they aligned and what is the significance?
  4. Review related procedures: What changes will be needed?
  5. What and when should training be considered?

About The Author

Linda Chatwin, UL

Walt Murray, MasterControl