ISO 13485:2016 - The Next Revision: Richard (Rick) Burgess Medical Program Manager 30 March 2016

ISO 13485:2016 –
The Next Revision
Richard (Rick) Burgess

Medical Program Manager
30 March 2016
© DQS Group April 6, 2016 1

ISO 13485:2016 – The Next Revision
 Agenda and Scope
 Relationship to ISO 9001
 New requirements
 Transition Timing
 Questions

ISO 13485:2016 - Putting the pieces together
 Structure

 Structure
 Based on ISO 9001:2008

 Structure
 Does not follow the new high level

structure of ISO 9001:2015

 Structure
 Does not follow the new high level

structure of ISO 9001:2015
 Annex B shows the corresponding sections

of ISO 9001:2015

 Considerations for the changes:
 Regulatory requirements

 Risk Management

 Risk Management
 Supplier controls

 Risk Management
 Feedback

 Risk Management
 Feedback
 Verification, Validation and Design Transfer

 Risk Management
 Feedback
 Verification, Validation and Design Transfer
 Clarifications

ISO 13485:2003 vs ISO 13485:2016
0.1 General
2003 2016
• Requirements for QMS that can be used by an • Requirements for QMS that can be used by an
organization for: organization involved in one or more stages of the life-
• design and development cycle of a medical device:
• production • design and development
• installation and servicing of medical devices • production
• design, development, and provision of related services. • storage and distribution
• installation
• Can also be used by internal and external parties, • servicing
including certification bodies, to assess the organization’s • final decommissioning and disposal of medical devices
ability to meet customer and regulatory requirements. • and design and development, or provision of associated
activities (e.g. technical support).
• Can also be used by suppliers or other external parties

providing product (e.g. raw materials, components,
subassemblies, medical devices, sterilization services,
calibration services, distribution services, maintenance
services) to such organizations. The supplier or external
party can voluntarily choose to conform to the
requirements of this International Standard or can be
required by contract to conform.

ISO 13485:2003 vs ISO 13485:2016
0.2 Clarification of concepts
2016
• When a requirement is qualified by the phrase

“as appropriate”, it is deemed to be
appropriate unless the organization can justify
otherwise. A requirement is considered
appropriate if it is necessary for:
• product to meet requirements;
• compliance with applicable regulatory
requirements;
• the organization to carry out corrective
action;
• the organization to manage risks.

ISO 13485:2003 vs ISO 13485:2016
2016
• When the term “risk” is used, the application of the

term within the scope of this International
• Standard pertains to safety or performance
requirements of the medical device or meeting
applicable regulatory requirements.
• — When a requirement is required to be
“documented”, it is also required to be established,
implemented and maintained.
• — When the term “product” is used, it can also
mean “service”. Product applies to output that is
intended for, or required by, a customer, or any
intended output resulting from a product
realization process.

ISO 13485:2003 vs ISO 13485:2016
2016
• In this International Standard, the following verbal

forms are used:
• “shall” indicates a requirement;
• “should” indicates a recommendation;
• “may” indicates a permission;
• “can” indicates a possibility or a capability.
• “Regulatory requirements” encompasses
requirements contained laws applicable to the user
of this standard. The application of “regulatory
requirements” is limited to requirements for the
QMS and the safety or performance of the medical
device.

ISO 13485:2003 vs ISO 13485:2016
0.3 Process Approach
2016
• a) understanding and meeting requirements;

• b) considering processes in terms of added value;
• c) obtaining results of process performance and
effectiveness;
• d) improving processes based on objective
measurement.

ISO 13485:2003 vs ISO 13485:2016
1 Scope
2016
• Applicability to organizations that are involved in
one or more stages of the life-cycle of a medical
device.
• Use by suppliers or external parties that provide
product, including quality management system-
related services to medical device organizations.
• Identifies responsibilities for monitoring,
maintaining, and controlling outsourced processes.
• Allows for clauses 6, 7 and 8 to be not applicable.
• Clarifies that the term “regulatory requirements”

ISO 13485:2003 vs ISO 13485:2016
3 Terms and Definitions Several new definitions added and some existing
definitions refined
• Customer complaint - complaint
• Distributor
• Importer
• Labeling – redefined
• Life-cycle
• Manufacturer
• Medical Device Family
• Performance Evaluation
• Post-market surveillance
• Product
• Purchased Product
• Risk
• Risk management
• Sterile Barrier System
ISO 13485:2003 vs ISO 13485:2016
4.1 General Requirements
• Requirements to document the role(s) of the

organization based on applicable regulatory
requirements
• Determine the processes needed and application of
those processes – taking into account the roles of
the organization
• Apply risk based approach to control of appropriate
processes needed for QMS
• Processes changes to be evaluated for impact on
QMS and products produced
• Validation of computer software utilized in the QMS

ISO 13485:2003 vs ISO 13485:2016
4.2 Documentation Requirements
• Defines contents of medical device file

• Description, purpose, labeling, IFU
• Product specifications
• Manufacturing procedures
• Monitoring and measuring procedures
• Requirements/Procedures for installation and
servicing as applicable
• Requirements for the protection of confidential
health information
• Prevention of deterioration or loss of documents

ISO 13485:2003 vs ISO 13485:2016
5 Management Responsibility
• No significant changes to sections:

• 5.1 Management Commitment
• 5.2 Customer Focus
• applicable regulatory requirements
• 5.3 Quality Policy
• 5.4.1 Quality Objectives
• 5.4.2 Quality Management System Planning
• 5.5.1 Responsibility and authority
• 5.5.2 Management Representative
• 5.5.3 Internal Communication

ISO 13485:2003 vs ISO 13485:2016
5.6 Management Review
• Documented procedure required

• Inputs expanded
• Complaint Handling
• Reporting to regulatory authorities
• Monitoring and measurement of processes
• Monitoring and measurement of product
• Corrective action
• Preventive action
• Applicable new or revised regulatory requirements
• Outputs to be recorded and include the input
reviewed and decisions/actions related to:
• Improvement needed for QMS and processes
• Improvement of product related to customr reqs
• Changes needed to response to regulatory requirements
• Resource needs

ISO 13485:2003 vs ISO 13485:2016
6.2 Human Resources
• Requirements for documented processes for

establishing competence, providing needed training
and ensuring awareness of personnel
• Application of risk based approach for determining

the methodology used to check effectiveness of
training

ISO 13485:2003 vs ISO 13485:2016
6.3 Infrastucture
• Documented requirements for infrastructure needs to

achieve:
• Product conformity
• Prevent product mix-up
• Ensure orderly handling of product
• Maintenance activities to apply (as appropriate) to

equipment used in:
• Production
• Control of work environment
• Monitoring and measurement

ISO 13485:2003 vs ISO 13485:2016
6.4 Work Environment and contamination control
• 6.4.1 Work Environment

• Must document requirements for work
environments needed to meet product conformity
• 6.4.2 Contamination Control

• Sterile medical devices -
• Documented requirements for control of
microorganisms or particulate matter
• Maintain cleanliness during assembly or
packaging process

ISO 13485:2003 vs ISO 13485:2016
7.1 Planning of Product Realization
• Added to requirements to product realization list:

• Inclusion of infrastructure and work environment
considerations
• required verification, validation, monitoring,
measurement, inspection and test, handling,
storage, distribution and traceability activities
specific to the product together with the criteria for
product acceptance;

ISO 13485:2003 vs ISO 13485:2016
7.2 Customer Related Processes
• 7.2.1 Determination of requirements related to product

• Determining if any user training is needed to ensure
performance and safe use of medical device
• 7.2.2 Review of requirements related to product

• Applicable regulatory requirements are met
• any user training identified is available or planned
• 7.2.3 Communication
• Communication with customers shall be planned and
documented
• Shall communicate with regulatory agencies

ISO 13485:2003 vs ISO 13485:2016
7.3 Design and Development
• 7.3.1 General – new/unchanged

• 7.3.2 Design and Development Planning
• D&D planning documents shall be maintained and
updated
• Shall document:
• Reviews needed at each D&D stage
• Methods to ensure traceability of outputs to inputs
• Resources needed

ISO 13485:2003 vs ISO 13485:2016
• 7.3.3 Design and Development Inputs

• Addition of “usability and safety requirements”
• 7.3.4 Design and Development Outputs

• No significant changes
• 7.3.5 Design and Development Review

• No significant changes

ISO 13485:2003 vs ISO 13485:2016
• 7.3.6 Design and Development Verification

• Documented verification plans
• Methods
• acceptance criteria
• As appropriate
• Statistical techniques
• Sample size rationale
• Connection or interface to other medical devices
• Confirm Outputs meet inputs when connected

ISO 13485:2003 vs ISO 13485:2016
• 7.3.7 Design and Development Validation

• Documented validation plans
• Methods
• Acceptance criteria
• As appropriate
• Statistical techniques
• Sample size rationale
• Conducted with representative product
• Rationale for choice documented
• Connection or interface to other medical devices
• Confirm requirements met when connected

ISO 13485:2003 vs ISO 13485:2016
• 7.3.8 Design and Development Transfer

• New section
• Documented procedures for transfer to manufacturing
• Verify:
• Outputs suitable for manufacturing
• Production capability can meet requirements
• Record of results of conclusions of transfer

ISO 13485:2003 vs ISO 13485:2016
• 7.3.9 Control Design and Development Changes

• Determine significance of change to:
• Function
• Performance
• Usability
• Safety
• Applicable regulatory requirements

ISO 13485:2003 vs ISO 13485:2016
• 7.3.10 Design and Development Files

• New section
• File shall be maintained for each device or device family
• Shall include:
• Records of conformity to D&D requirements
• Records for D&D changes

ISO 13485:2003 vs ISO 13485:2016
7.4 Purchasing
• 7.4.1 Purchasing Process

• Establishment of criteria for evaluation and selection of
suppliers
• Supplier’s ability to provide product that meets reqs
• Performance
• Effect of purchased product on quality of device
• Risk associated with device
• Monitoring and re-evaluation of suppliers
• Non-fulfillment addressed based on:
• Risk associated with purchased product
• Compliance with applicable regulatory requirements

ISO 13485:2003 vs ISO 13485:2016
7.4 Purchasing
• 7.4.2 Purchasing Information

• Shall describe or reference product to be purchased
• Product specifications
• Written agreements (as applicable)
• Notification of changes prior to implementation
• Changes that affect ability to meet specified
requirements

ISO 13485:2003 vs ISO 13485:2016
7.4 Purchasing
• 7.4.3 Verification of Purchased Product

• Based on:
• Supplier evaluation results
• Risks associated with purchased product
• Notification of changes:
• Determine if changes affect product realization or
device

ISO 13485:2003 vs ISO 13485:2016
7.5 Production and Service Provision
• 7.5.1 Control of Production and Service provision

• Minor changes
• Production and service provision shall be planned, carried
out, monitored and controlled to ensure that product
conforms to specification.
• Production controls to also include:
• Qualification of infrastructure

ISO 13485:2003 vs ISO 13485:2016
• 7.5.2 Cleanliness of Product

• Minor changes
• Additional requirement for cleanliness/contamination
control:
• c) product cannot be cleaned prior to sterilization or its
use, and its cleanliness is of significance in use

ISO 13485:2003 vs ISO 13485:2016
• 7.5.3 Installation Activities

• No changes
• 7.5.4 Servicing Activities

• Service records to be analyzed by organization or supplier:
• a) To determine if the information is to be handled as a
complaint
• b) As appropriate, for input to the improvement process
• 7.5.5 Particular Requirements for sterile medical devices

• No change

ISO 13485:2003 vs ISO 13485:2016
• 7.5.6 Validation of processes for production and service

• Documented procedure to include:
• Approval of changes to the processes
• Software validations
• Approach proportionate to risk in use of software
• Effect on product conformity to specifications
• Validation records to include:

• Results
• Conclusions of validation
• Necessary actions

ISO 13485:2003 vs ISO 13485:2016
• 7.5.7 Particular Requirements for validation of processes for

sterilization and sterile barrier systems
• Addition of sterile barrier system validations
• Validation records to include:

• Results
• Conclusions of validation
• Necessary actions

ISO 13485:2003 vs ISO 13485:2016
• 7.5.8 Identification
• Requires documented procedure

• Requirement that was in 7.5.3.3 of 2003 version
• Unique Device Identification (UDI)

• As applicable by regulatory requirements
• Shall be a documented system

ISO 13485:2003 vs ISO 13485:2016
• 7.5.9 Traceability
• No changes
• 7.5.10 Customer Property

• No changes
• 7.5.11 Preservation of product

• Additional requirements on protection from expected
conditions and hazards:
• Design and construct of packaging and shipping
containers
• Documentation of special conditions if packaging is not
enough

ISO 13485:2003 vs ISO 13485:2016
• 7.6 Control of monitoring and measuring equipment

• No changes
• 8 Measurement, analysis and improvement

• 8.1 General
• No changes

ISO 13485:2003 vs ISO 13485:2016
8 Measurement, analysis and improvement
• 8.2 Monitoring and Measurement

• 8.2.1 Feedback
• Emphasis on feedback coming from both production and

post-production activities
• Utilization of feedback as input to risk management for

monitoring and maintaining product requirements

ISO 13485:2003 vs ISO 13485:2016
• 8.2.2 Complaint Handling

• New section
• Requirements for procedure and timely handling of
complaints
• Procedure to include:
• Receiving and recording information
• Evaluating information to determine if the feedback
constitutes a complaint;
• Investigating complaints;
• Determining the need to report the information to the
appropriate regulatory authorities;
• Handling of complaint-related product;
• Determining the need to initiate corrections or
corrective actions

ISO 13485:2003 vs ISO 13485:2016
• 8.2.3 Reporting to Regulatory Authorities

• New section
• Procedure required if applicable by regulatory
requirements
• Complaints that result in need for:
• Adverse event reporting
• Advisory Notices
• Records of reporting required

ISO 13485:2003 vs ISO 13485:2016
• 8.2.4 Internal Audit

• No changes
• 8.2.5 Monitoring and measurement of processes

• No changes
• 8.2.6 Monitoring and measurement of product

• Minor change
• Records to identify test equipment used

ISO 13485:2003 vs ISO 13485:2016
• 8.3 Control of Nonconforming Product

• 8.3.1 General
• New section
• Clarification of procedure requirements to define controls
and related responsibilities and authorities
• Identification
• Documentation
• Segregation
• Evaluation
• Disposition
• Inclusion of determination for investigation and
notification of any external party

ISO 13485:2003 vs ISO 13485:2016

• 8.3.2 Actions in Response to nonconforming product
detected before delivery
• Acceptance by concession only if:
• Justification provided
• Approval is obtained
• Applicable regulatory requirements met

ISO 13485:2003 vs ISO 13485:2016

• 8.3.3 Actions in Response to nonconforming product
detected after delivery
• Minor change
• Expanded section on 2003 requirements
• Addition of records requirement for Advisory Notices
• 8.3.4 Rework
• No changes

ISO 13485:2003 vs ISO 13485:2016
• 8.4 Analysis of Data

• New requirements for:
• Determination of appropriate methods
• To include statistical techniques and use
• Data to now include:
• Audits
• Service reports (as applicable)
• If analysis shows QMS is not sutiable, adequate or
effective, analysis is to be used as input for improvements.

ISO 13485:2003 vs ISO 13485:2016
• 8.5 Improvement
• 8.5.1 General
• No changes
• 8.5.2 Corrective Action

• Minor change
• CA’s to be taken without undue delay
• Verify CA has no adverse affect
• 8.5.3 Preventive Action

• Minor change
• Verify PA has no adverse affect

ISO 13485:2016 Transition
 When do we have to make the change?

 Depends on your organization.

 Depends on your organization.
 Depends on other standards that your

organization is registered to.

 TC Recommendation
 ISO TC 210 has recommended a co-

existence period of 3 years


 Recommending that:
 2 years after publication (1 March 2018), all
accredited certificates be to ISO 13485:2016


 Recommending that:
accredited certificates be to ISO 13485:2016

ISO 13485:2003 certificates will not be valid

 What if I have ISO 9001 as well?

 All ISO 9001:2008 certificates will expire September 2018

 All ISO 9001:2008 certificates will expire September 2018
 Upgrade audits for ISO 9001:2015 must occur by 1 July

2018

ISO 13485:2016 – The Next Revision

DQS Inc Contact Information
DQS Inc
1-800-285-4476
customerservice@dqsus.com
www.dqsus.com
Medical Program
Rick Burgess
Medical Program Manager
Richard.Burgess@dqsus.com
763-229-9833

ISO 13485:2016 - The Next Revision: Richard (Rick) Burgess Medical Program Manager 30 March 2016

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

ISO 13485:2016 - The Next Revision: Richard (Rick) Burgess Medical Program Manager 30 March 2016

Încărcat de

Drepturi de autor:

Formate disponibile

ISO 13485:2016 –

The Next Revision

Richard (Rick) Burgess

© DQS Group April 6, 2016 1

 Agenda and Scope

 Relationship to ISO 9001

© DQS Group April 6, 2016 2

© DQS Group April 6, 2016 3

 Based on ISO 9001:2008

© DQS Group April 6, 2016 4

 Based on ISO 9001:2008

 Does not follow the new high level

© DQS Group April 6, 2016 5

 Based on ISO 9001:2008

 Does not follow the new high level

 Annex B shows the corresponding sections

© DQS Group April 6, 2016 6

 Considerations for the changes:

© DQS Group April 6, 2016 7

 Considerations for the changes:

© DQS Group April 6, 2016 8

 Considerations for the changes:

© DQS Group April 6, 2016 9

 Considerations for the changes:

© DQS Group April 6, 2016 10

 Considerations for the changes:

 Verification, Validation and Design Transfer

© DQS Group April 6, 2016 11

 Considerations for the changes:

 Verification, Validation and Design Transfer

© DQS Group April 6, 2016 12

• Can also be used by suppliers or other external parties

© DQS Group April 6, 2016 13

0.2 Clarification of concepts

• When a requirement is qualified by the phrase

© DQS Group April 6, 2016 14

0.2 Clarification of concepts

• When the term “risk” is used, the application of the

© DQS Group April 6, 2016 15

0.2 Clarification of concepts

• In this International Standard, the following verbal

© DQS Group April 6, 2016 16

0.3 Process Approach

• a) understanding and meeting requirements;

© DQS Group April 6, 2016 17

© DQS Group April 6, 2016 18

4.1 General Requirements

• Requirements to document the role(s) of the

© DQS Group April 6, 2016 20

4.2 Documentation Requirements

• Defines contents of medical device file

© DQS Group April 6, 2016 21

• No significant changes to sections:

© DQS Group April 6, 2016 22

5.6 Management Review

• Documented procedure required

© DQS Group April 6, 2016 23

6.2 Human Resources

• Requirements for documented processes for

• Application of risk based approach for determining

© DQS Group April 6, 2016 24

• Documented requirements for infrastructure needs to

• Maintenance activities to apply (as appropriate) to