ISO 13485:2016 vs ISO 13485:2003
Both old and new medical device standards cover essentially the same topics. However, there are some important differences. Some of these are discussed below.
The ISO 13485 standard was updated for two main reasons: to keep up with changes in the industry and to address changes in the underlying ISO 9001 standard. While the old ISO 13485 2003 standard was based on the old ISO 9001 2000 standard, the new one is based on ISO 9001 2008. While some people expected the new ISO 13485 standard to use the latest ISO 9001 2015 standard, ISO TC 210 evidently feels that the older ISO 9001 standard better serves the needs of medical device suppliers, regulators, and customers.
In general, the new ISO 13485 standard is more flexible than the old. In the past, organizations could only exclude section 7 requirements (on product realization) and then only if they could justify their decision. Now, they can exclude any requirement in sections 6, 7, or 8 if they can justify doing so because of the nature of their activities or products.
While the old standard expected you to establish a QMS that complies with ISO 13485, the new one now explicitly expects you to also comply with all applicable regulatory requirements. This need to comply with regulatory requirements is given greater emphasis now and is repeated throughout the new standard. In fact, you're now also expected to set objectives for meeting regulatory requirements (in addition to setting objectives for meeting product requirements).
As you may have noticed, the peculiar redundancy in the phrase “statutory and regulatory requirements” has been removed. Now we can simply refer to “regulatory requirements” (which, of course, include statutory and other legal requirements).
Risk based approach
The new standard expects you to apply a “risk based approach” to your organization's QMS processes. The old standard also expected you to think about risk, but only during product realization (in section 7). Now, you're expected to apply risk management methods and techniques to all QMS processes, including outsourced processes.
Medical device file
While both old and new standards expect you to establish a special file for each type of medical device, the new one clarifies exactly what this means. You're now expected to include a description of each medical device or family of devices and to include all associated specifications, procedures, and records.
Record keeping requirements have also changed. The new standard now expects you to record supplier monitoring and re-evaluation activities and to consider privacy regulations when you develop methods for protecting confidential health information.
While the section on product realization still covers the same basic topics, a few noteworthy items have been added. While the old standard expected you to identify your product verification, validation, monitoring, inspection, and testing requirements, the new one has added a few more to this list. It now also expects you to establish your product handling, storage, measuring, revalidation, and traceability requirements as well.
While the old standard focused on the need to identify product requirements specified by customers and regulatory bodies, the new one also wants you to think about the safety and performance of your products and the associated training needs of product users, and to verify that regulatory requirements will be met and user training will be available before you agree to supply products to customers.
Design and development inputs
The section on design and development inputs has also been expanded. In addition to all the old requirements, the new standard now also wants you to consider risk management outputs, to clarify product usability and safety requirements, and to make sure that input requirements can be verified or validated.
Design and development verification and validation
This section has also been expanded. The new standard not only expects you to document your verification and validation plans and arrangements (something the old standard overlooked), it now also wants you to think about how to verify and validate medical devices that connect to or interface with other medical devices. It now expects you to verify that design outputs meet input requirements when these devices are connected or interfaced and to validate that intended use or application requirements are met when devices are connected or interfaced.
Design and development changes
While the old ISO 13485 2003 standard expected you to control design and development changes, it didn't really talk much about how this should be done. The new ISO 13485 2016 standard fills in some of the gaps. It not only asks you to establish processes to control changes and to evaluate their significance and impact, it now also expects you to maintain a file for each medical device or family of medical devices that documents these changes.
Design and development transfer
This topic has been elevated in importance and has now received its own subsection. The old standard devoted only a single line and two notes. Now special emphasis is given to the need to ensure that outputs are suitable for manufacturing before they become official production specifications.
Purchasing has also changed. The old section on purchasing has been subdivided into four new sections and new requirements have been added. While the old standard expected you to establish supplier selection and evaluation criteria, it didn't provide any details. Now it does. You now need to consider your medical device and the risk you're taking in addition to the effect purchased products have on the safety and performance of your medical device. And in addition to making sure that your suppliers are capable of meeting your organization's requirements, you now also need to worry about whether they can meet all relevant statutory requirements.
Now that you've selected a supplier, you not only need to monitor the supplier's performance, you now also need to consider your risk whenever suppliers underperform, and you need to respond in a way that is proportional to the risk that you're taking. And while both old and new standards want you to establish a record of supplier evaluations, now you're also expected to record your supplier monitoring and re-evaluation activities.
Purchased product risks
Like the old ISO 13485 standard, the new one expects you to verify that purchased products meet purchase requirements. But now you're also expected to consider the risk associated with the product you've purchased, to worry about what to do when unanticipated changes are made to purchased products, and to determine whether or not these changes affect your medical device or your product realization process.
Both old and new standards expect you to establish procedures to validate production and service delivery processes that generate outputs that can't be verified until the product is in use or the service has been delivered. Now you're also expected to establish validation plans and to revalidate processes whenever necessary.
The servicing section has also changed. In addition to having to document your organization's servicing procedures and reference materials, you're now also expected to analyze servicing records in order to identify servicing complaints and improvement opportunities.
While the old ISO 13485 standard discussed the need to handle complaints, this important material was spread over several sections. The new standard brings most of it together in one new section and broadens and expands it to include all kinds of complaints (not just customer complaints). It now also expects you to develop and document complaint handling procedures that comply with all applicable regulatory requirements. The old standard merely asked you to establish arrangements, not procedures.
Delivery of nonconforming product
The section on the unintended delivery of nonconforming product has also been reorganized and reworded, and new subsections and new detail have been added. The result is a much more useful section. The new standard now expects you to investigate nonconforming products that have been delivered, to determine if corrective action is needed, and to consider whether or not responsible external parties need to be notified.
The section on improvement has also been enhanced. In addition to having to maintain the suitability and effectiveness of your QMS, you're now also expected to maintain the safety and performance of your products whenever improvements are being considered. In addition, before you implement corrective and preventive actions, you're now expected to verify that they comply with all applicable regulatory requirements and that they do not compromise the safety and performance of your medical devices.
Crescent Industries' QMS has been reviewed and revised according to the revised standard, and it will be fully incorporated by the end of 2018.
Written by - Víctor A. Gurany - Manager, QA & Regulatory Compliance for Crescent Industries