The publication and release of ISO 13485:2016 earlier this year is a significant movement for the medical device industry. The last major revision of this quality management system standard happened back in 2003.
Why is this new version of ISO 13485 so significant?
And what does this mean for your quest to have a quality management system to meet all of the major global medical device quality system regulatory requirements?
Maybe most importantly, how does ISO 13485:2016 align with FDA 21 CFR Part 820?
Without going through an entire history lesson of the evolution of ISO 13485, know this:
- ISO 13485 evolved out of the general quality management system standard ISO 9001 and is specific to medical device industry.
- ISO 13485 is internationally agreed upon and defines a way to address common regulatory concepts.
- ISO 13485 is a voluntary standard and technically is not a required structure for a quality management system.
- ISO 13485 is not law.
- ISO 13485 does not define specific requirements for a company’s products and services.
- ISO 13485 does not define business requirements (such as financial requirements).
While adherence to ISO 13485 is not explicitly required, there are several benefits of doing so. Adhering to ISO 13485 improves the likelihood that a medical device company will meet customer and regulatory requirements.
The premise of ISO 13485 is that of continuous process improvements. Doing so helps a company address medical device product safety and overall effectiveness.
Yes, ISO 13485 is a voluntary standard. And remember that this standard has been authored and influenced by the major medical device regulatory bodies across the world. Because of this, adhering to ISO 13485 is an accepted approach with regulators. Achieving ISO 13485 certification is assurance that a company meets certain quality management system expectations defined within the standard.
There are several reasons for why ISO 13485 was finally revised earlier in 2016. Let me simply summarize why by providing two basic reasons:
- The medical device regulatory environment has evolved quite a bit since 2003.
- Risk management and risk-based decision making processes have become a focal point of the entire medical device industry (at both the QMS and product levels).
In contrast to ISO 13485:2016, FDA 21 CFR Part 820 Quality System Regulations is the law for medical device companies manufacturing and selling products for the U.S. market.
In other words, a medical device company focused on U.S. must have a QMS in place that must meet FDA 21 CFR Part 820.
Yes, there are some differences between FDA 21 CFR Part 820 and ISO 13485. Yet prior to the publishing of ISO 13485:2016, it has been a very common practice for medical device companies to establish a QMS to address both FDA 21 CFR Part 820 and ISO 13485:2003.
How does ISO 13485:2016 compare to FDA 21 CFR Part 820?
I would like to share eleven clauses that have significantly changed in ISO 13485:2016 from ISO 13485:2003 and how these changes relate to FDA 21 CFR Part 820.
1. ISO 13485:2016 CLAUSE 4 QUALITY MANAGEMENT SYSTEM & 4.1 GENERAL REQUIREMENTS
The biggest change of these clauses against ISO 13485:2003 is the 2016 version requires application of a risk based approach in establishing and maintaining a QMS.
Note that FDA 21 CFR Part 820 does not explicitly define risk-based requirements for a quality system in the regulations. However, the interpretation and application of risk-based approaches is consistent with FDA expectations.
2. ISO 13485:2016 CLAUSE 4.2 DOCUMENTATION REQUIREMENTS
There are two major changes of this clause in ISO 13485:2016 when compared to 2003 version. Those changes relate to protecting confidential health information and requirements to address deterioration and loss of documents.
Documentation control and records management are foundational requirements of FDA 21 CFR Part 820. These updated ISO 13485 requirements are more in line with expectations as defined in FDA 21 CFR 820.5 Quality System, 820.40 Document Controls, and 820.180 Records.
3. ISO 13485:2016 CLAUSE 6.2 HUMAN RESOURCES
ISO 13485:2016 expands on 2003 by requiring processes for establishing competence, providing needed training, and ensuring awareness of personnel be defined and documented.
FDA defines regulations for personnel and training in 820.25.
The ISO 13485:2016 addition is above and beyond FDA 21 CFR Part 820 and a great inclusion.
(Prediction: Training effectiveness will be a big regulatory focus within the next 3 years.)
4. ISO 13485:2016 CLAUSE 7.2 CUSTOMER-RELATED PROCESSES
ISO 13485:2016 adds language regarding communication with regulatory authorities as it relates to product information, customer feedback, complaints, and advisory notices.
This addition relates to a couple parts of FDA CFR. First, 820.198 defines regulations for complaint files.
FDA also has two other areas of the CFR (technically not in FDA 21 CFR Part 820) which relate and applicable: 21 CFR Part 803 Medical Device Reporting and 21 CFR Part 806 Reports of Corrections and Removals.
5. ISO 13485:2016 CLAUSE 7.3 DESIGN AND DEVELOPMENT
Historically, ISO 13485:2003 Clause 7.3 Design and Development has generally aligned very well with FDA 21 CFR 820.30 Design Controls.
The 2016 version goes a step or two further in strengthening this tie and correlation. Nearly every sub-clause under 7.3 Design and Development has been updated to better align with FDA. A couple new items have been added to ISO 13485:2016, as explained below.
6. ISO 13485:2016 CLAUSE 7.3.8 DESIGN AND DEVELOPMENT TRANSFER
ISO 13485:2003 has no explicit criteria to describe requirements of transferring a product from design and development to production. ISO 13485:2016 corrects this and includes explicit requirements.
The design and development transfer addition actually strengthens the similarities with FDA with respect to design controls / design and development. Refer to FDA 21 CFR 820.30(h) Design Transfer.
7. ISO 13485:2016 CLAUSE 7.3.10 DESIGN AND DEVELOPMENT FILES
ISO 13485:2003 has no explicit criteria to define requirements for maintaining design and development files. ISO 13485:2016 now defines these requirements.
Again, this addition strengthen the correlation to FDA design controls. Reference FDA 21 CFR 820.30(j) Design History File.
8. ISO 13485:2016 CLAUSE 7.4 PURCHASING
There are several new requirements added to ISO 13485:2016 with respect to purchasing versus ISO 13485:2003.
ISO 13485:2016 now explicitly requires:
- Requirements for monitoring and re-evaluating suppliers
- Actions to be taken when purchasing requirements are not met
- Notifications of changes in purchased products
- Purchasing verification activities and requirements
ISO 13485:2016 also requires an increased focus on supplier selection criteria, including assessment of risks and regulatory requirements.
The corresponding FDA regulations regarding purchasing and supplier-related requirements is found in 21 CFR Part 820.50.
Note, that supplier management has been a big focus area of FDA for the past several years. These additions to ISO 13485:2016 are again in alignment with FDA expectations and practices.
9. ISO 13485:2016 CLAUSE 7.5.8 IDENTIFICATION
ISO 13485:2016 now requires documented procedures as it relates to production identification and status throughout all stages of product realization.
Also, the 2016 version references use of unique device identification, where applicable.
This aligns very well with FDA 21 CFR Part 820.60, as well as subpart B of Part 801 pertaining to UDI.
10. ISO 13485:2016 CLAUSE 8.2.2 COMPLAINT HANDLING
ISO 13485:2003 has no clause pertaining to complaint handling. ISO 13485:2016 adds these requirements.
Again, this strengthens the connection between ISO 13485:2016 and FDA Part 820. Refer to 820.198 Complaint Files.
11. ISO 13485:2016 CLAUSE 8.2.3 REPORTING TO REGULATORY AUTHORITIES
ISO 13485:2003 has no clause pertaining to reporting product issues to regulatory authorities. ISO 13485:2016 adds these requirements.
This is covered in FDA regulations as part of 21 CFR Part 803 Medical Device Reporting.
The changes and improvements in these eleven clauses in ISO 13485:2016 is a movement to ensure greater alignment with FDA 21 CFR Part 820 quality system regulations.
FDA 21 CFR Part 820 vs. ISO 13485:2016
FDA QSR (21 CFR PART 820) |
ISO 13485:2016 |
| 820.1 Scope | 1 Scope 2 Normative References |
| 820.3 Definitions | 3 Terms and Definitions |
| 820.5 Quality System | 4 Quality Management System 4.1 General Requirements 4.2 Documentation Requirements |
| 820.20 Management Responsibility | 5.0 Management Responsibility |
| 820.20(a) Quality Policy | 5.3 Quality Policy |
| 820.20(b) Organization | 4.1 Management Responsibility – General |
| 820.20(b)(1) Responsibility & Authority | 5.5 Responsibility & Authority |
| 820.20(b)(2) Resources | 5.1e Management Commitment |
| 820.20(b)(3) Management Representative | 5.5.2 Management Representative |
| 820.20(c) Management Review | 5.6 Management Review |
| 820.20(d) Quality Planning | 5.4 Quality Planning |
| 820.20(e) Quality System Procedures | 4.2.1 General 4.2.2 Quality Manual |
| 820.22 Quality Audit | 8.2.4 Internal Quality Audits |
| 820.25 Personnel | 6 Resource Management |
| 820.25(a) General | 6.1 Provision of Resources 6.2 Human Resources |
| 820.25(b) Training | 6.2 Human Resources |
| 820.30 Design Controls | 7.3 Design and Development |
| 820.30(a) General | 7.3 Design and Development |
| 820.30(b) Design and Development Planning | 7.1 Planning of Product Realization 7.3.2 Design and Development Planning |
| 820.30(c) Design Input | 7.2.1 Customer Related Processes 7.2.2 Review of Requirements Related to Product 7.3.3 Design and Development Inputs |
| 820.30(d) Design Output | 7.3.4 Design and Development Outputs |
| 820.30(e) Design Review | 7.3.5 Design and Development Review |
| 820.30(f) Design Verification | 7.3.6 Design and Development Verification |
| 820.30(g) Design Validation | 7.3.7 Design and Development Validation |
| 820.30(h) Design Transfer | 7.3.8 Design and Development Transfer |
| 820.30(i) Design Changes | 7.3.9 Control of Design and Development Changes |
| 820.30(j) Design History File | 7.3.10 Design and Development Files |
| 820.40 Document Controls | 4.2.4 Control of Documents |
| 820.40(a) Document Approval and Distribution | 4.2.4 Control of Documents |
| 820.40(b) Document Changes | 4.2.4 Control of Documents |
| 820.50 Purchasing Controls | 7.4.1 Purchasing Process |
| 820.50(a) Evaluation of Suppliers, Contractors, and Consultants | 7.4.1 Purchasing Process |
| 820.50(b) Purchasing Data | 7.4.2 Purchasing Information 7.4.3 Verification of Purchased Product |
| 820.60 Identification | 7.5.8 Identification |
| 820.65 Traceability | 7.5.9 Traceability |
| 820.70(a) Production and Process Controls | 7.5.1 Control of Production and Service Provision 7.5.6 Validation of Processes for Production and Service Provision |
| 820.70(b) Production and Process Changes | 6.3 Infrastructure 6.4 Work Environment and Contamination Control 7.5.1 Control of Production and Service Provision 7.5.6 Validation of Processes for Production and Service Provision |
| 820.70(c) Environmental Control | 6.4 Work Environment and Contamination Control |
| 820.70(d) Personnel | 6.2 Human Resources |
| 820.70(e) Contamination Control | 6.4.2 Contamination Control |
| 820.70(f) Buildings | 6.3 Infrastructure |
| 820.70(g) Equipment | 6.3 Infrastructure 7.5.1 Control of Production and Service Provision 7.5.6 Validation of Production and Service Provision |
| 820.70(h) Manufacturing Material | 7.5.11 Preservation of Product |
| 820.70(i) Automated Processes | 6.3.b Infrastructure 7.5.6 Validation of Production and Service Provision |
| 820.72 Inspection, Measuring, and Test Equipment | 7.6 Control of Monitoring and Measurement Equipment |
| 820.75 Process Validation | 7.5.6 Validation of Production and Service Provision |
| 820.80(a) Receiving, In-process, and Finished Device Acceptance – General | 7.1 Planning of Product Realization 7.4.3 Verification of Purchased Product 7.5.1 Control of Production and Service Provision |
| 820.80(b) Receiving Acceptance | 7.4.3 Verification of Purchased Product |
| 820.80(c) In-Process Acceptance | 7.1 Planning of Product Realization |
| 820.80(d) Final Acceptance Activities | 7.1 Planning of Product Realization |
| 820.80(e) Final Acceptance Records | 7.1 Planning of Product Realization |
| 820.86 Acceptance Status | 7.5.8 Identification |
| 820.90(a) Non-Conforming Product | 8.3 Control of Nonconforming Product |
| 820.90(b) Nonconformity Review and Disposition | 8.3 Control of Nonconforming Product |
| 820.100 Corrective and Preventative Action | 8.5.2 Corrective Action 8.5.3 Preventative Action |
| 820.120 Device Labeling | 4.2.3 Medical Device File 7.5.8 Identification 7.5.11 Preservation of Product |
| 820.130 Device Packaging | 4.2.3 Medical Device File 7.5.8 Identification 7.5.11 Preservation of Product |
| 820.140 Handling | 4.2.3 Medical Device File 7.1 Planning of Product Realization 7.5.8 Identification 7.5.11 Preservation of Product |
| 820.150 Storage | 4.2.3 Medical Device File 7.1 Planning of Product Realization 7.5.8 Identification 7.5.11 Preservation of Product |
| 820.160 Distribution | 4.2.3 Medical Device File 7.1 Planning of Product Realization 7.5.8 Identification 7.5.11 Preservation of Product |
| 820.170 Installation | 4.2.3 Medical Device File 7.5.3 Installation Activities 7.5.8 Identification 7.5.11 Preservation of Product |
| 820.180 Records | 4.2 Documentation Requirements 4.2.3 Medical Device File 7.1 Planning of Product Realization |
| 820.181 Device Master Record | 4.2.3 Medical Device File |
| 820.184 Device History Record | 4.2.5 Control Records 7.1 Planning of Product Realization 7.5.8 Identification |
| 820.186 Quality System Record | 4.2 Documentation Requirements 7.1 Planning of Product Realization |
| 820.170 Installation | 4.2.3 Medical Device File 7.5.3 Installation Activities 7.5.8 Identification 7.5.11 Preservation of Product |
| 820.198 Complaint Files | 7.2.3 Communication 8.2.1 Feedback 8.2.2 Complaint Handling 8.2.3 Reporting to Regulatory Authorities |
| 820.200 Servicing | 4.2.3 Medical Device File 7.1 Planning of Product Realization 7.5.4 Servicing 7.5.8 Identification |
| 820.250 Statistical Techniques | 8.1 General 8.4 Analysis of Data |
Looking for an all-in-one QMS solution to advance the success of your in-market devices and integrates your quality processes with product development efforts? Click here to take a quick tour of Greenlight Guru's Medical Device QMS software →
The Ultimate Guide To ISO 13485:2016
