The publication and release of ISO 13485:2016 earlier this year is a significant development for the medical device industry. The last major revision of this quality management system standard happened back in 2003.
Why is this new version of ISO 13485 so significant?
And what does this mean for your quest to have a quality management system to meet all of the major global medical device quality system regulatory requirements?
Maybe most importantly, how does ISO 13485:2016 align with FDA 21 CFR Part 820?
Without going through an entire history lesson of the evolution of ISO 13485, know this:
- ISO 13485 evolved out of the general quality management system standard ISO 9001 and is specific to the medical device industry.
- ISO 13485 is internationally agreed upon and defines a way to address common regulatory concepts.
- ISO 13485 is a voluntary standard and technically is not a required structure for a quality management system.
- ISO 13485 is not law.
- ISO 13485 does not define specific requirements for a company’s products and services.
- ISO 13485 does not define business requirements (such as financial requirements).
While adherence to ISO 13485 is not explicitly required, there are several benefits of doing so. Adhering to ISO 13485 improves the likelihood that a medical device company will meet customer and regulatory requirements.
The premise of ISO 13485 is continuous process improvement, which helps a company address medical device product safety and overall effectiveness.
Yes, ISO 13485 is a voluntary standard. And remember that this standard has been authored and influenced by the major medical device regulatory bodies across the world. Because of this, adhering to ISO 13485 is an accepted approach with regulators. Achieving ISO 13485 certification is assurance that a company meets certain quality management system expectations defined within the standard.
There are several reasons why ISO 13485 was finally revised earlier in 2016. Let me summarize by providing two basic reasons:
- The medical device regulatory environment has evolved quite a bit since 2003.
- Risk management and risk-based decision-making processes have become a focal point of the entire medical device industry (at both the QMS and product levels).
In contrast to ISO 13485:2016, FDA 21 CFR Part 820 Quality System Regulations is the law for medical device companies manufacturing and selling products for the U.S. market.
In other words, a medical device company focused on the U.S. must have a QMS in place that meets Part 820.
Yes, there are some differences between Part 820 and ISO 13485. Yet prior to the publishing of ISO 13485:2016, it has been a very common practice for medical device companies to establish a QMS to address both FDA 21 CFR Part 820 and ISO 13485:2003.
How does ISO 13485:2016 compare to FDA 21 CFR Part 820?
I would like to share eleven clauses that have significantly changed in ISO 13485:2016 from ISO 13485:2003 and how these changes relate to FDA 21 CFR Part 820.
1. ISO 13485:2016 Clause 4 Quality Management System & 4.1 General Requirements
The biggest change in these clauses compared with ISO 13485:2003 is that the 2016 version requires application of a risk-based approach in establishing and maintaining a QMS.
Note that FDA 21 CFR Part 820 does not explicitly define risk-based requirements for a quality system in the regulations. However, the interpretation and application of risk-based approaches is consistent with FDA expectations.
2. ISO 13485:2016 Clause 4.2 Documentation Requirements
There are two major changes to this clause in ISO 13485:2016 when compared to the 2003 version. Those changes relate to protecting confidential health information and to requirements addressing deterioration and loss of documents.
Documentation control and records management are foundational requirements of FDA Part 820. These updated ISO 13485 requirements are more in line with expectations as defined in FDA 21 CFR 820.5 Quality System, 820.40 Document Controls, and 820.180 Records.
3. ISO 13485:2016 Clause 6.2 Human Resources
ISO 13485:2016 expands on the 2003 version by requiring that processes for establishing competence, providing needed training, and ensuring awareness of personnel be defined and documented.
FDA defines regulations for personnel and training in 820.25.
The ISO 13485:2016 addition is above and beyond FDA Part 820 and a great inclusion.
(Prediction: Training effectiveness will be a big regulatory focus within the next 3 years.)
4. ISO 13485:2016 Clause 7.2 Customer-Related Processes
ISO 13485:2016 adds language regarding communication with regulatory authorities as it relates to product information, customer feedback, complaints, and advisory notices.
This addition relates to a couple of parts of the FDA CFR. First, 820.198 defines regulations for complaint files.
FDA also has two other areas of the CFR (technically not in Part 820) that are related and applicable: 21 CFR Part 803 Medical Device Reporting and 21 CFR Part 806 Reports of Corrections and Removals.
5. ISO 13485:2016 Clause 7.3 Design and Development
Historically, ISO 13485:2003 Clause 7.3 Design and Development has generally aligned very well with FDA 21 CFR 820.30 Design Controls.
The 2016 version goes a step or two further in strengthening this tie and correlation. Nearly every sub-clause under 7.3 Design and Development has been updated to better align with FDA. A couple of new items have been added to ISO 13485:2016, as explained below.
6. ISO 13485:2016 Clause 7.3.8 Design and Development Transfer
ISO 13485:2003 has no explicit criteria to describe requirements of transferring a product from design and development to production. ISO 13485:2016 corrects this and includes explicit requirements.
The design and development transfer addition actually strengthens the similarities with FDA with respect to design controls / design and development. Refer to FDA 21 CFR 820.30(h) Design Transfer.
7. ISO 13485:2016 Clause 7.3.10 Design and Development Files
ISO 13485:2003 has no explicit criteria to define requirements for maintaining design and development files. ISO 13485:2016 now defines these requirements.
Again, this addition strengthens the correlation to FDA design controls. Refer to FDA 21 CFR 820.30(j) Design History File.
8. ISO 13485:2016 Clause 7.4 Purchasing
There are several new requirements added to ISO 13485:2016 with respect to purchasing versus ISO 13485:2003.
ISO 13485:2016 now explicitly requires:
- Requirements for monitoring and re-evaluating suppliers
- Actions to be taken when purchasing requirements are not met
- Notifications of changes in purchased products
- Purchasing verification activities and requirements
ISO 13485:2016 also requires an increased focus on supplier selection criteria, including assessment of risks and regulatory requirements.
The corresponding FDA regulations regarding purchasing and supplier-related requirements are found in 21 CFR Part 820.50.
Note that supplier management has been a big focus area of FDA for the past several years. These additions to ISO 13485:2016 are again in alignment with FDA expectations and practices.
9. ISO 13485:2016 Clause 7.5.8 Identification
ISO 13485:2016 now requires documented procedures as they relate to production identification and status throughout all stages of product realization.
Also, the 2016 version references use of unique device identification, where applicable.
This aligns very well with FDA 21 CFR Part 820.60, as well as subpart B of Part 801 pertaining to UDI.
10. ISO 13485:2016 Clause 8.2.2 Complaint Handling
ISO 13485:2003 has no clause pertaining to complaint handling. ISO 13485:2016 adds these requirements.
Again, this strengthens the connection between ISO 13485:2016 and FDA Part 820. Refer to 820.198 Complaint Files.
11. ISO 13485:2016 Clause 8.2.3 Reporting to Regulatory Authorities
ISO 13485:2003 has no clause pertaining to reporting product issues to regulatory authorities. ISO 13485:2016 adds these requirements.
This is covered in FDA regulations as part of 21 CFR Part 803 Medical Device Reporting.
The changes and improvements in these eleven clauses in ISO 13485:2016 are a move to ensure greater alignment with FDA 21 CFR Part 820 quality system regulations.
Written By Jon Speer
Jon is the founder and VP of QA/RA at Greenlight Guru (quality management software exclusively for medical devices) & a medical device guru with over 18+ years industry experience. Jon knows bringing a device to market is hard, so he built Greenlight Guru to make it easier.