Transitioning to the new ISO 13485:2016 Quality Management System Requirements

So, there’s a transition period.  What do I do?

On March 1, 2016, the Organization for International Standardization, (ISO) published ISO 13485: 2016.  The introduction to ISO 13485:2016 states the following in paragraph 0.4 - Relationship with ISO 9001: While this is a stand-alone standard, is it based on ISO 9001:2008, which has been superseded by ISO 9001:2015.” Now, if you’re like me, you’re probably wondering exactly what that little diddy means, right?  According to Kim Trautman, former FDA Associate Director for International Affairs at the Center for Devices and Radiological Health (CDRH), ISO had intended to issue 13485:2016 before ISO 9001:2015 was published in October, 2015, (i.e., while ISO 9001:2008 was still the most current version).  Unfortunately, as so often happens, due to a number of unforeseen delays, the 13485:2016 project was delayed and 9001:2015 was published before the ISO 13485:2016 standard.  Hence, the addition of the statement, “…which has been superseded by ISO 9001:2015.”  That’s their story, and believe me, they’re sticking to it.

A break with the past

Previous editions of ISO 13485 established a normative relationship with the ISO 9001 requirements.  In other words, ISO 9001 served as the foundation for the 13485 standard.  Additional medical device related requirements were presented in italics, and depending on the source of your standard, even a different color font.  In other words, to be compliant with ISO 13485 was to be compliant to ISO 9001 by association. 

This is no longer the case.

As a matter of fact, the only normative reference given for ISO 13485:2016 now is ISO 9000:2015, Quality management systems – Fundamentals and Vocabulary.  The ISO 9001-based requirements that form the foundation of ISO 13485 have changed significantly with the 9001:2015 revision.  Subsequently, and as stated above, ISO 13485:2016 is clearly based on ISO 9001:2008. And now, with the publication of ISO 9001:2015, there is the following clarifying verbiage in paragraph 0.4 of the introduction of 13485:2016:

“This international standard, [13485:2016] . . . excludes some of the requirements of ISO 9001 that are not appropriate as regulatory requirements.  Because of these exclusions, organizations whose quality management systems conform to this International Standard cannot claim conformity to ISO 9001 unless their quality management system meets all the requirements of ISO 9001.” 

With the publication of ISO 9001:2015, a new day has arrived.  From this day forward, ISO 13485 shall stand on its own.  So let it be written – so let it be done.  (Or, at least until something changes again!)

Major revisions to ISO 13485:2016

Since 2003, a number of jurisdictions around the world, have either revised or introduced regulations for medical devices.  With this activity in mind, the International Organization for Standardization wanted to make sure that the new quality management standard was as closely aligned with these new/revised global regulatory requirements as they could be.

The following is a high-level summary of some major changes to ISO 13485:2016:

·        Application of risk-based approaches in the 2016 standard now extend beyond product realization processes alone.

In ISO 13485:2016, risk is expected to be considered in the context of the safety and performance of the medical device and is also expected to be considered in meeting regulatory requirements.  Like you, my analytical mind immediately jumps to the term “considered”.  Now, without getting too prescriptive in this blog entry, allow me, from my 20+ years as a registrar and compliance auditor, to offer some friendly guidance here.  Objective evidence of “consideration” can be as simple as an entry on a design project plan, or a check box on a form.  I’m not, by any means, offering this as a way out of a requirement, but let’s be clear that when an international quality management standard uses words like “shall consider”, the terrain can get a little slippery.  By the same token, there are many ways to show evidence that your organization has considered something without completely re-inventing the wheel.

When considering risk in the “context of safety and performance”, design responsible manufacturers should look at design planning as well as design inputs as the initial sources of these considerations. Designing quality into devices is the most effective method of preventing downstream functional issues and adverse events.   Paragraph 0.2 in the introduction of ISO 13485, makes it clear that the term “risk” when used in the standard, also pertains to “…meeting applicable regulatory requirements.”  One question an organization can ask in this regard is, “What sort of mechanisms in our organization are, or could be working overtly or worse, behind the scenes, to prevent our organization from meeting regulatory requirements?”  Another question might be, “What aspects of our processes, (especially administrative processes), can or do get in the way of meeting our regulatory requirements?

·        Increased mention of regulatory requirements, particularly for regulatory documentation;

My cursory analysis of the standard verbiage found no less than 14 occurrences in ISO 13485:2016 of doing things in accordance with regulatory requirements.  There may be more, but the point being is that compliance to regulatory requirements has found increased importance in this standard.  But there is some good news, here.  Paragraph 0.2 in the introduction explains that where the term “regulatory requirements” is used, it … “is limited to requirements for the quality management system and the safety or performance of the medical device.”  There has been a significant amount of work between the jurisdictional groups responsible for revising the ISO 13485 standard to limit its scope to “activities related to the QMS”, as opposed to the more administrative type activities related to “pre-market” regulatory workflow(s).  This is a welcome clarification.

·        Consideration of organizations throughout the lifecycle and supply chain for medical devices;

ISO 13485 now emphasizes the whole lifecycle of a medical device - from design and development, through manufacture, transport, installation, support, and on to the end of life. The definitions in the new standard now define the “lifecycle” of a medical device as “all phases in the life of a medical device, from the initial conception to final decommissioning and disposal.”  This clarification drives home one of the improved elements of the new 13485 standard – to use clearer, more actionable language.  In my opinion, this is an excellent example of this type of actionable language.

·        Requirements for QMS software, process control software, and software used for monitoring and measurement have been harmonized.

In previous versions of ISO 13485, this has not been as clear as it needed to be.  Software validation and on-going functional verification of software are now equally importance across the standard.

·        The standard now places more emphasis on appropriate infrastructure, with a focus on production of sterile medical devices, and additional requirements for validation of sterile barrier properties;

·        Additional design and development consideration of usability, use of standards, verification and validation planning, design transfer and design records;

There has been considerable discussion around exactly where medical device “usability” should be considered in the product lifecycle.  The best advice I’ve heard is to consider usability in the earliest phases of a project’s design planning and input phases.  However, the backdoor to the concept of usability could be found in complaint management as well.  Where the previous version of ISO 13485 required consideration of applicable statutory and regulatory requirements in design phases, ISO 13485:2016 has added “standards” as an input to the design and development process.

·        Emphasis on complaint handling and reporting to regulatory authorities in accordance with regulatory requirements, and consideration of post-market surveillance; and

·        Planning and documenting corrective action and preventive action, and implementing corrective action without undue delay.  This timing aspect was previously associated with internal audit corrective actions alone, but has now been applied to all corrective and preventive action implementations.  “Undue delay” is one of those things that an organization will do well to define for themselves, as opposed to leaving the door open for someone else to define.  I have more to say about ownership of the management system further down.

What should I do during the transition period?

Let’s take a look at some things your organization can start doing now to help ease the strain of transition.  One item of interest is the proverbial “three year transition period”. 

I recently attended a medical device industry training event for MDSAP (Medical Device Single Audit Program) and ISO 13485:2016 Implementation and Transition, sponsored by NSF Medical Sciences and was led by Kim Trautman.  During the training event, Ms. Trautman, repeatedly emphasized that organizations should not be lulled into thinking that they can wait three years before they start moving on this transition.  Two words:

Start.     Now.

The first thing your organization might want to do during the transition period, is to determine which “user group” your organization belongs to.  According to my research, there are basically two possibilities for users of ISO 13485:

Current User

Current users have either completed or are in the process of implementing ISO 13485:2003, regardless of whether they are certified or not. (Some organizations choose to seek compliance with a standard and yet not be formally registered or certified to it.)  If your organization is already certified to ISO 13485:2003, it is highly recommended to contact your certification or registration body and determine if there are any clarifications necessary for upgrading the certificate(s) for your QMS under ISO 13485:2016. Some certification/registration bodies maintain certain program rules, (and perhaps even interpretations), relative to the requirements in the standards.  The smart ISO program manager will find out what these are, if any, and obtain clarification early in the process of upgrading to the new standard.

Organizations in the process of certification to ISO 13485:2003 should change to using ISO 13485:2016 now, and apply for certification to this revision.

New User

New users are organizations that are either beginning to use ISO 13485:2003 or ISO 13485:2016 for the first time or are a potential user of the standard in the future.  New users should start now using ISO 13485:2016. 

With the pending introductions of 1) the new MDSAP (Medical Device Single Audit Program), 2) transitions to ISO 9001:2015, and 3) transitions to ISO 13485:2016, over the next three years, certification bodies and regulators (both domestic and international), will be experiencing tremendous burdens for allocating certification resources, both registrar-based (mostly commercial 13485 implementations), and inspectorate-based (regulatory or notified body implementations), between now and the termination of the transition period in 2019.

Organizations will still be able to be accredited for either ISO 13485:2003 or ISO 13485:2016 for the first two years of the transition period.  A white paper published by ISO WG1N233 – ISO Transition Planning and Guidance for ISO 13485:2016 states, “Two years after the publication of ISO 13485: 2016, [March 1, 2018], all accredited certifications issued (new certifications or re-certifications) will be to ISO 13485: 2016.”    The white paper goes on to say that, “Three years after publication by ISO of ISO 13485:2016, [March 1, 2019], any existing certification issued to ISO 13485:2003 will not be valid."

Without a doubt, the preferred approach would be to start now using ISO 13485:2016 as your goal for either certification or re-certification.

Users should make wise use of the transition period to update their quality management systems to meet the requirements of ISO 13485:2016.  The wise organization will begin earlier than later working closely with their certification bodies or registrars and schedule an “upgrade audit” for a time during the transition period.

Own your own

Lastly, a bit of advice regarding your certification authority:  Don’t forget that YOU are the customer. 

If your registrar or notified body maintains requirements or interpretations of requirements as part of their certification program that do not support your organization’s strategic direction or the intent of the standard as you interpret it, you may need to consider your options during this transitional period.  Be very mindful of who you allow to “speak into” your organization’s policies.  For many years I have encouraged organizations to “own their own”.  I other words, you should own your own management system.  If you have reservations about an auditor’s approach to a requirement, even during the course of an audit, don’t hesitate to open your standard and ask the auditor to show you the specific requirement of interest and then either explain to them how your organization satisfies that requirement, or if in doubt, have them explain to you exactly how your system fails to satisfy the requirement.  Be sure that you own your management system.

Start thinking about your transition process today. Collaborate within your organization.  Involve your company’s leadership and your compliance authority’s advice and guidance.  You’ll be ready for certification to the new standard before you know it.

Happy transitioning!

Connect with Tom at:  tom.middleton@spartasystems.com

Subscribe to the Sparta Systems Blog. Enter your email address:

Delivered by FeedBurner