Transition Of ISO 13485 2003 To 2016 - Rx-360


Transition of ISO 13485 2003 to 2016

The information contained herein is provided as a service to Rx-360 Members and industry representatives with the understanding that Rx-360 makes no warranties, either expressed or implied, concerning the accuracy, completeness, reliability, or suitability of the information. Nor does Rx-360 warrant that the use of this information as a mandated standard.

Authors:
Rick Calabrese, Sartorius
Judith Svarczkopf, Genentech
Sandra Boyd, Biogen
Jeff Heiland, MilliporeSigma
Susan Bremer, Procter & Gamble
Bill Parkinson, Unisys
Janet Mas, Merck

Contents
1. Introduction
   a. Purpose
   b. Scope
2. Background on Changes
3. Why is it important?
4. Explanation of Changes
5. Required Steps to make changes
   a. Gap Assessment – Check List
   b. Risk Assessment
   c. Time needed to enact
   d. Change control with action plan
6. Conclusion
7. References

1. Introduction

a. Purpose

The purpose of this paper is to describe the recent changes between ISO 13485:2003 and ISO 13485:2016, what the changes entail, and recommendations for addressing them. This does not compare the new ISO 13485:2016 Industry Standard to Country Regulatory Body Regulations (e.g., US FDA Code of Federal Regulations Title 21 Part 820).

b. Scope

This paper only covers the changes from ISO 13485:2003 to ISO 13485:2016. It does not cover comparisons or changes between any other standards related to medical device regulatory standards or country-specific versions of ISO 13485.

2. Background on Changes

ISO 13485 is an internationally recognized quality management standard for organizations involved in the development, manufacture and distribution of medical devices. The standard was first published in 1996. It was updated in 2003 and again recently in 2016.

Manufacturers of medical devices and other organizations that hold an ISO 13485 certificate are required to address the requirements of the new standard. This should be done as soon as possible, as delays in transitioning can lead to interruption or even cancellation of their registration. Organizations must allow time so they can assess the extent of the changes that they need to implement in their existing Quality Management System (QMS) to be compliant with the new standard.

The ISO 13485 standard was revised for a number of reasons:

• The Standard had not been updated in more than 10 years.
• To stay current with rapidly changing requirements in the medical device industry while addressing the increased risks.
• Globalization: a need to have a harmonized model as the industry becomes more international.

• ISO 13485:2016 is now better in sync with the existing 21 CFR 820. Also, this version of the standard supports FDA terms, such as establish, documented processes and also clarifies regulatory requirements relative to device safety and performance.
• The 2016 version’s release addresses changes due to the release of the new ISO 9001:2015 standard. ISO 13485:2003 was based on the old ISO 9001:2000 standard while the ISO 13485:2016 is structured on the ISO 9001:2008. The governing body, ISO TC 210, decided the former ISO 9001:2008 is structured to better align with the needs of medical device suppliers, regulators, and customers.

3. Why is it important?

• The 2016 version requires a risk-based approach for the entire quality management system, including the processes of:
   o Design and development
   o Verification, validation and revalidation
   o Product planning (i.e., input manufacturing into design considerations)
   o Documentation of risk management in product realization
   o Monitoring, testing and traceability
   o Corrective actions and preventive actions (CAPA)

This risk-based approach must also apply to outsourced processes and suppliers. Furthermore, device manufacturers must ensure that the training third parties receive is commensurate with the inherent risk of the processes contracted to them to perform.

The impact of the revised standard will be significant on organization leadership:

• Management reviews must specifically address how risk management is incorporated into all of the areas presented in the reviews.
• The responsibilities of top management, emphasizing the effectiveness of the QMS and measurable quality objectives, are clarified.
• All personnel will also be impacted. The standard specifies that the organization will have to determine any user training needed to ensure specified performance and safe use of the medical device. Quality is everyone’s responsibility, including organization leadership and not just those functions that have quality in the name.

4. Key Changes

Listed below are the key changes from ISO 13485:2003 to 2016:

• ISO 13485:2016 incorporates a risk management approach for product realization as well as post market surveillance. Risk is considered in the context of the safety and performance of the medical device.
• Increased emphasis of regulatory requirements, especially for regulatory documentation.
• Harmonization of the requirements for software validation for different software applications.
• Emphasis on appropriate manufacturing infrastructure, particularly for production of sterile medical devices. This includes validation of processes, especially for sterilization.
• Additional requirements for design and development.
• Additional requirements on complaint handling and reporting to regulatory authorities.
• Increased requirements for planning and documenting corrective action and preventive action.

For a detailed explanation of all the changes see section 5a.

It is up to every ISO 13485 system owner to analyze all the changes from 2003 to 2016 for their own organization.

5. Required Steps to make changes

Below is a table of the recommended steps to assess changes:

Step 1: Obtain a licensed copy of both ISO 13485:2003 and ISO 13485:2016.

Step 2: Compare each section of ISO 13485:2003 with the corresponding section of ISO 13485:2016.
NOTE: It is also recommended to compare corresponding sections of 21 CFR 820 to ISO 13485:2016, as some of the changes from ISO 13485:2003 to ISO 13485:2016 resulted in greater similarity with 21 CFR Part 820.

Step 2: Highlight or notate the differences in text that are potentially significant differences.

Step 3: Create a checklist with the following columns (reference section 5a of this paper):
• Section Reference (reference to the section of ISO 13485:2016 being assessed)
• Use the highlighted text differences and the Appendix A of ISO 13485:2016 to develop a description of differences in text between ISO 13485:2003 and ISO 13485:2016 at a detailed level
• Gaps in Internal Processes and/or Quality System – indicate whether gaps exist for your organization (Yes/No)
• Remediation Activities for Gaps / Evidence for No Gaps – detail the remediation activities needed with specific reference to individual quality system documents, processes, IT systems and the changes required to address the gaps; if no gaps exist, include the evidence supporting this conclusion
• Owner – indicate who is responsible for completing each remediation activity; note that there may be more than one remediation activity; therefore, there may be more than one owner; if no gaps exist, indicate N/A in this column
• Risk – assess the risk of the gap using your organization’s risk criteria (reference section 5b of this paper)
  NOTE: If no gaps exist, indicate N/A in this column
• Estimated Completion Date – use the required work/effort needed to complete each remediation action and the assessed risk to develop an estimated completion date for each remediation action; if no gaps exist, indicate N/A in this column (reference section 5c of this paper)

Step 4: Communicate the assessed risk and the action plan(s) to senior management.
NOTE: Ensuring the health of the QMS is a management responsibility detailed in ISO 13485.

Step 5: Incorporate the remediation actions into the appropriate quality system record(s), e.g., change control record, quality plan, CAPA, etc., to ensure that the remediation actions are monitored and closed on time. (Reference section 5d of this paper)

a. Gap Assessment – Check List

Note: Only the first few rows contain a full example for each column; subsequent rows provide a guide on the likelihood the change will result in a gap requiring remediation (No – Unlikely and Yes – Likely), and examples of what to consider when assessing for gaps are contained in the “Evidence for No Gap / Remediation Action(s) for Gaps” column.

Clause: Foreword
Description of Text Differences: No significant changes
Process or QMS Gaps (Yes/No): N/A
Evidence for No Gap / Remediation Action(s) for Gaps: N/A
Risk Assessment: N/A
Owner: N/A
Estimated Completion Date: N/A

Clause: Introduction 0.1 General, first paragraph
Description of Text Differences: Revised text speaks to the life-cycle stages of a medical device and added the stages of storage and distribution, and final decommissioning and disposal of medical devices
Process or QMS Gaps (Yes/No): Yes – Likely
Evidence for No Gap / Remediation Action(s) for Gaps:
  Evidence for No Gap
  • Life-cycle approach embedded in QMS as noted in SOP-QM, the organization’s Quality Manual
  • Storage and distribution requirements included in SOP01, section X.X
  • Final decommissioning requirements detailed in SOP01, section Y.Y
  Remediation Action(s) Required
  Incorporate “disposal of medical devices” into QMS as follows:
  1. SOP-RM – incorporate severity criteria for environmental impact
  2. SOP-DI – incorporate that design inputs must address the environmental impact of the disposal of the medical device
  3. SOP-DP/SOP-RM – incorporate, as appropriate, Environmental, Health and Safety experts into design/risk management planning and processes
Risk Assessment: Assess per organization’s risk management definitions of severity
Owner: 1. Diego Sanchez; 2. Sharon Cantor; 3. Deja Williams
Estimated Completion Date: 1. 31-Dec-2018; 2. 31-Dec-2018; 3. 19-Mar-2019

Clause: 0.1 General, second paragraph
Description of Text Differences: New paragraph indicating suppliers or other parties can voluntarily choose to conform to the requirements of the standard
Process or QMS Gaps (Yes/No): No – Unlikely
Evidence for No Gap / Remediation Action(s) for Gaps:
  Evidence for No Gap
  • Text speaks to voluntary use of the standard
  • No requirements contained in this section of the standard
Risk Assessment: N/A
Owner: N/A
Estimated Completion Date: N/A

Clause: 0.1 General, third paragraph
Description of Text Differences: New paragraph that highlights the obligations of organizations, specifically including requirements regarding the identification of the organization’s role with respect to regulations, identification of what requirements are applicable to the organization based upon those identified roles and the requirement for the organization to incorporate these requirements into the quality system
Process or QMS Gaps (Yes/No): No – Unlikely
Evidence for No Gap / Remediation Action(s) for Gaps:
  Evidence for No Gap
  • Organization’s role with respect to specific regulations is identified and documented in the Quality Manual, SOP-QM, section X.X
  • The requirements within the organization’s roles that do NOT apply are documented in SOP-QM, section Y.Y
  • Organization has a tool, which maps key regulations, standards and guidance documents directly to the contents of QMS documents
Risk Assessment: N/A
Owner: N/A
Estimated Completion Date: N/A

Clause: 0.1 General, third paragraph, first bullet
Description of Text Differences: New paragraph noting that the definitions of terms within the standard may vary from the definition of those same terms within regulation and that the organization needs to understand these differences for proper interpretation
Process or QMS Gaps (Yes/No): No – Unlikely
Evidence for No Gap / Remediation Action(s) for Gaps:
  Evidence for No Gap
  Organization maintains a glossary that has reviewed all applicable regulations and developed definitions for terms based upon the use of a term within the QMS
Risk Assessment: N/A
Owner: N/A
Estimated Completion Date: N/A

Clause: 0.1 General, fourth paragraph
Description of Text Differences: Revised text specifically highlights that the organization’s quality management system should reflect customer and regulation requirements applicable to the organization and emphasizes that ISO 13485 is complementary to technical requirements for the product to ensure safety and performance.
Process or QMS Gaps (Yes/No): Yes – Likely
Evidence for No Gap / Remediation Action(s) for Gaps:
  Remediation Action(s) Required
  Incorporate clear definitions for the terms safety and performance into the organization’s glossary to ensure consistent interpretation across the organization
Risk Assessment: Assess per organization’s risk management definitions of severity
Owner: Chin Lu
Estimated Completion Date: 31-Mar-2019

Clause: 0.1 General, fifth paragraph
Description of Text Differences: Revised text adds that both organizational environment and regulatory requirements impact the design and implementation of an organization’s quality management system
Process or QMS Gaps (Yes/No): No – Unlikely
Evidence for No Gap / Remediation Action(s) for Gaps:
  Evidence for No Gap
  • Organization’s QMS reflects applicable regulations as evidenced by mapping of QMS to health authority requirements and vice versa
  • Organization’s business processes for QMS updates and continuous improvement incorporates the organizational structure and needs

Clause: 0.1 General, sixth paragraph
Description of Text Differences: Revised text clarifies it is not the intent of the standard to imply that the structure of an organization’s QMS must conform to the structure of the standard
Process or QMS Gaps (Yes/No): No – Unlikely
Evidence for No Gap / Remediation Action(s) for Gaps:
  Evidence for No Gap
  • Clarification for interpretation of the standard
  • No actual change in expectations

Clause: 0.1 General, seventh paragraph
Description of Text Differences: No significant changes
Process or QMS Gaps (Yes/No): N/A
Evidence for No Gap / Remediation Action(s) for Gaps: N/A

Clause: 0.2 Clarification of concepts, first paragraph
Description of Text Differences: New clause; this new paragraph provides clarity on the use of the term “as appropriate” in the standard and when the standard would consider a requirement to be appropriate
Process or QMS Gaps (Yes/No): Yes – Likely
Evidence for No Gap / Remediation Action(s) for Gaps:
  Remediation Action(s) Required
  1. Review each “as appropriate” requirement in ISO 13485:2016 to confirm that organization’s quality manual provides justification for why certain requirements in ISO 13485:2016 are not appropriate and that the organization has not considered a requirement “not appropriate” when it is necessary for meeting product requirements, compliance with regulations, addressing corrective actions or managing risk per the standard
  2. Organization’s QMS defines the phrases “as appropriate”, “as applicable”, etc. when used within the organization’s QMS

Clause: 0.2 Clarification of concepts, second through seventh paragraphs
Description of Text Differences: Entirely new clause; this paragraph provides clarity on the use of the terms “risk”, “documented”, “product”, “regulatory requirements”, “shall”, “should”, “may” and “can” within the standard and when information in the standard is preceded by the word NOTE.
Process or QMS Gaps (Yes/No): No – Unlikely
Evidence for No Gap / Remediation Action(s) for Gaps:
  Evidence of No Gap
  New clause provides clarification for interpretation of the standard.
  HOWEVER, in order for the standard to be appropriately interpreted and incorporated into the organization’s QMS it is important for interpreters of ISO 13485 to understand the use of this term within the standard.
  This is especially important for:
  • The term “documented”, as 21 CFR 820.3(k) states “Establish means define, document (in writing or electronically), and implement” whereas ISO 13485 has the term “establish” and “maintain” as part of the definition of “document”
  • The term “regulatory requirements”, in that the term includes “any law applicable to the user” of ISO 13485, but for the purposes of interpretation of ISO 13485 it is specific to requirements for the QMS and the safety and performance of the device

Clause: 0.3 Process approach, all paragraphs
Description of Text Differences: Revised text provides additional detail on the process-based approach to quality management utilized within the standard
Process or QMS Gaps (Yes/No): No – Unlikely
Evidence for No Gap / Remediation Action(s) for Gaps:
  Evidence of No Gap
  Provides background on the approach utilized within the standard; however, no requirements contained in this clause of the standard

Clause: 0.4 Relationship with ISO 9001
Description of Text Differences: No significant changes
Process or QMS Gaps (Yes/No): N/A
Evidence for No Gap / Remediation Action(s) for Gaps: N/A

Clause: 0.5 Compatibility with other management systems
