There are many differences between the 2003 and 2016 versions of the ISO 13485 standard. Listed below are some of the key differences:
1) Risk Management
As mentioned in an earlier section of this paper, risk management plays a central role in the ISO 13485 standard. However, the 2016 version takes risk management standards to an entirely new level. Whereas ISO 13485 previously required the assessment of risk in relation to the medical device itself, risk assessment, analysis and management should now be applied to all QMS processes, especially design control deployment toward the completion of the product. The formality of technical design transfer has become a critical component of this process.
To emphasize the importance of risk management in the new version of the standard even more clearly, a recent white paper states, “Risk is mentioned some 15 times throughout the standard, to account for the specific issues being addressed. Risk is to be considered in outsourcing and supplier controls, along with software qualifications related to risk, and in the training of personnel commensurate with risks inherent in the processes they perform. Risk is to be taken into account in all product planning processes. Risk management activities should also be incorporated during the reviews within the processes for:
- Verification, validation, revalidation
- Documentation of design in product realization
- Monitoring, testing, and traceability
- Risk and opportunity in corrective actions and preventive actions” [7]
2) Software Qualification
The ISO 13485:2016 standard was greatly influenced by the U.S. Food and Drug Administration, which places a great deal of emphasis on validation processes and procedures, and the standard includes language and definitions similar to those used by the U.S. agency. [8] This influence can be seen in more than one area of the 2016 standard, one of which is the validation of software systems. The new standard requires medical device companies to thoroughly validate all software systems utilized (directly or indirectly) throughout the conceptualization and manufacture of a device. FDA currently has a guidance entitled Software as Medical Device (SaMD), which is a compulsory document. Other standards, such as ISO 62304 – Design and Maintenance Lifecycle of Software – have stipulated the basis of Level of Concern (LOC) as a risk rating. Medical device companies seeking to comply with the 2016 standard should begin planning their validation process (VMP) now (if they haven’t already) so that software can be validated by March 2019, if not sooner, based upon the LOC designation. In a technology-driven business environment where real-time decision making is now the norm, companies of any size face competitive pressure to use software-based applications for quality-based performance.
3) Purchasing/Outsourcing
Although many medical devices already require criteria, the ISO 13485:2016 standard now requires that the criteria be based on supplier performance, in proportion to the level of risk of the device components being manufactured for assembly of the product. The purchasing information also needs to include qualified specifications and a quality agreement with the supplier to provide notification of any changes or events through formal, documented communication. Again, this is not new to many device companies but is now an explicit (vs. implicit) requirement.
Also related to purchasing, the 2016 standard requires that verification activities, such as purchasing criteria, be based on supplier evaluations and proportional to the risk of a given device as it was qualified during design control. What this means in reality is that for many Class II & III medical devices (high risk) it is likely that 100% of the parts being purchased from a supplier must be verified, if not formally validated. Finally, if a purchased part is changed, a medical device company is now required to determine the effects (risk) of the change on the manufacturing process. Change control is explicitly risk-based and requires phased reviews throughout the development lifecycle of the product.
4) Usability Within the Scope of Design Control
Usability is a new requirement (not new to the medical device industry) that has been added to the design control section (7.3) in the ISO 13485:2016 standard. The concept of usability is not new to medical device companies that already have to meet FDA regulations or to those that implement ISO standard 62366 (a standard for usability within the scope of design control). [10] However, usability is now a requirement of the new ISO 13485 standard. The standard stipulates that companies shall create a usability assessment and plan document, address usability as early in the design control as possible, create usability standards documentation, test products in simulated user environments, and anticipate expected user scenarios and validate them.
In addition to the differences already mentioned, a recently published white paper [11] also describes additional differences between the two standards:
5) Leadership
“The responsibilities of top management are clarified [in the 2016 standard], with explicit requirements for reviews at documented, planned intervals. More emphasis is put on results of activities and effectiveness of the quality system and measurable quality objectives.” The relationship of management with higher risk-based conditions of the system may even require direct influence, input and active oversight. It is conceivable, for example, that top management may be the owner of a significant CAPA if an issue were to merit it.
6) Human Resources
“There is more emphasis [in the 2016 standard] on training to quality processes, establishing competence and awareness of personnel duties. The standard now specifies that the organization shall determine any user training needed to ensure specified performance and safe use of the medical device (e.g., use of software in realization). This is much like the qualified persons required in the EU.”
7) Facilities
“Facilities must be designed and arranged in order to prevent mix-ups. Manufacturers must ensure control of contamination and particulate matter where needed for aseptic and sterile products, and requirements for documenting the work environment are added.”