3 option (3)

The publication and release of ISO 13485:2016 earlier this year is a significant movement for the medical device industry. The last major revision of this quality management system standard happened back in 2003.

Why is this new version of ISO 13485 so significant?

And what does this mean for your quest to have a quality management system to meet all of the major global medical device quality system regulatory requirements?

Maybe most importantly, how does ISO 13485:2016 align with FDA 21 CFR Part 820?

Without going through an entire history lesson of the evolution of ISO 13485, know this:

  • ISO 13485 evolved out of the general quality management system standard ISO 9001 and is specific to medical device industry.
  • ISO 13485 is internationally agreed upon and defines a way to address common regulatory concepts.
  • ISO 13485 is a voluntary standard and technically is not a required structure for a quality management system.
  • ISO 13485 is not law.
  • ISO 13485 does not define specific requirements for a company’s products and services.
  • ISO 13485 does not define business requirements (such as financial requirements).

While adherence to ISO 13485 is not explicitly required, there are several benefits of doing so. Adhering to ISO 13485 improves the likelihood that a medical device company will meet customer and regulatory requirements.

The premise of ISO 13485 is that of continuous process improvements. Doing so helps a company address medical device product safety and overall effectiveness.

Yes, ISO 13485 is a voluntary standard. And remember that this standard has been authored and influenced by the major medical device regulatory bodies across the world. Because of this, adhering to ISO 13485 is an accepted approach with regulators. Achieving ISO 13485 certification is assurance that a company meets certain quality management system expectations defined within the standard.

There are several reasons for why ISO 13485 was finally revised earlier in 2016. Let me simply summarize why by providing two basic reasons:

  1. The medical device regulatory environment has evolved quite a bit since 2003.
  2. Risk management and risk-based decision making processes have become a focal point of the entire medical device industry (at both the QMS and product levels).

In contrast to ISO 13485:2016, FDA 21 CFR Part 820 Quality System Regulations is the law for medical device companies manufacturing and selling products for the U.S. market.

In other words, a medical device company focused on U.S. must have a QMS in place that must meet FDA 21 CFR Part 820.

Yes, there are some differences between FDA 21 CFR Part 820 and ISO 13485. Yet prior to the publishing of ISO 13485:2016, it has been a very common practice for medical device companies to establish a QMS to address both FDA 21 CFR Part 820 and ISO 13485:2003.

How does ISO 13485:2016 compare to FDA 21 CFR Part 820?

I would like to share eleven clauses that have significantly changed in ISO 13485:2016 from ISO 13485:2003 and how these changes relate to FDA 21 CFR Part 820.

 

1. ISO 13485:2016 CLAUSE 4 QUALITY MANAGEMENT SYSTEM & 4.1 GENERAL REQUIREMENTS

The biggest change of these clauses against ISO 13485:2003 is the 2016 version requires application of a risk based approach in establishing and maintaining a QMS.

Note that FDA 21 CFR Part 820 does not explicitly define risk-based requirements for a quality system in the regulations. However, the interpretation and application of risk-based approaches is consistent with FDA expectations.


2. ISO 13485:2016 CLAUSE 4.2 DOCUMENTATION REQUIREMENTS

There are two major changes of this clause in ISO 13485:2016 when compared to 2003 version. Those changes relate to protecting confidential health information and requirements to address deterioration and loss of documents.

Documentation control and records management are foundational requirements of FDA 21 CFR Part 820. These updated ISO 13485 requirements are more in line with expectations as defined in FDA 21 CFR 820.5 Quality System, 820.40 Document Controls, and 820.180 Records.


3. ISO 13485:2016 CLAUSE 6.2 HUMAN RESOURCES

ISO 13485:2016 expands on 2003 by requiring processes for establishing competence, providing needed training, and ensuring awareness of personnel be defined and documented.

FDA defines regulations for personnel and training in 820.25.

The ISO 13485:2016 addition is above and beyond FDA 21 CFR Part 820 and a great inclusion.

(Prediction: Training effectiveness will be a big regulatory focus within the next 3 years.)


4. ISO 13485:2016 CLAUSE 7.2 CUSTOMER-RELATED PROCESSES

ISO 13485:2016 adds language regarding communication with regulatory authorities as it relates to product information, customer feedback, complaints, and advisory notices.

This addition relates to a couple parts of FDA CFR. First, 820.198 defines regulations for complaint files.

FDA also has two other areas of the CFR (technically not in FDA 21 CFR Part 820) which relate and applicable: 21 CFR Part 803 Medical Device Reporting and 21 CFR Part 806 Reports of Corrections and Removals.


5. ISO 13485:2016 CLAUSE 7.3 DESIGN AND DEVELOPMENT

Historically, ISO 13485:2003 Clause 7.3 Design and Development has generally aligned very well with FDA 21 CFR 820.30 Design Controls.

The 2016 version goes a step or two further in strengthening this tie and correlation. Nearly every sub-clause under 7.3 Design and Development has been updated to better align with FDA. A couple new items have been added to ISO 13485:2016, as explained below.

6. ISO 13485:2016 CLAUSE 7.3.8 DESIGN AND DEVELOPMENT TRANSFER

ISO 13485:2003 has no explicit criteria to describe requirements of transferring a product from design and development to production. ISO 13485:2016 corrects this and includes explicit requirements.

The design and development transfer addition actually strengthens the similarities with FDA with respect to design controls / design and development. Refer to FDA 21 CFR 820.30(h) Design Transfer.


7. ISO 13485:2016 CLAUSE 7.3.10 DESIGN AND DEVELOPMENT FILES

ISO 13485:2003 has no explicit criteria to define requirements for maintaining design and development files. ISO 13485:2016 now defines these requirements.

Again, this addition strengthen the correlation to FDA design controls. Reference FDA 21 CFR 820.30(j) Design History File.


8. ISO 13485:2016 CLAUSE 7.4 PURCHASING

There are several new requirements added to ISO 13485:2016 with respect to purchasing versus ISO 13485:2003.

ISO 13485:2016 now explicitly requires:

  • Requirements for monitoring and re-evaluating suppliers
  • Actions to be taken when purchasing requirements are not met
  • Notifications of changes in purchased products
  • Purchasing verification activities and requirements

ISO 13485:2016 also requires an increased focus on supplier selection criteria, including assessment of risks and regulatory requirements.

The corresponding FDA regulations regarding purchasing and supplier-related requirements is found in 21 CFR Part 820.50.

Note, that supplier management has been a big focus area of FDA for the past several years. These additions to ISO 13485:2016 are again in alignment with FDA expectations and practices.

9. ISO 13485:2016 CLAUSE 7.5.8 IDENTIFICATION

ISO 13485:2016 now requires documented procedures as it relates to production identification and status throughout all stages of product realization.

Also, the 2016 version references use of unique device identification, where applicable.

This aligns very well with FDA 21 CFR Part 820.60, as well as subpart B of Part 801 pertaining to UDI.


10. ISO 13485:2016 CLAUSE 8.2.2 COMPLAINT HANDLING

ISO 13485:2003 has no clause pertaining to complaint handling. ISO 13485:2016 adds these requirements.

Again, this strengthens the connection between ISO 13485:2016 and FDA Part 820. Refer to 820.198 Complaint Files.


11. ISO 13485:2016 CLAUSE 8.2.3 REPORTING TO REGULATORY AUTHORITIES

ISO 13485:2003 has no clause pertaining to reporting product issues to regulatory authorities. ISO 13485:2016 adds these requirements.

This is covered in FDA regulations as part of 21 CFR Part 803 Medical Device Reporting.

The changes and improvements in these eleven clauses in ISO 13485:2016 is a movement to ensure greater alignment with FDA 21 CFR Part 820 quality system regulations. 

 

FDA 21 CFR Part 820 vs. ISO 13485:2016

FDA QSR (21 CFR PART 820)

ISO 13485:2016

820.1 Scope 1 Scope
2 Normative References
820.3 Definitions 3 Terms and Definitions
820.5 Quality System 4 Quality Management System
4.1 General Requirements
4.2 Documentation Requirements
820.20 Management Responsibility 5.0 Management Responsibility
820.20(a) Quality Policy 5.3 Quality Policy
820.20(b) Organization 4.1 Management Responsibility – General
820.20(b)(1) Responsibility & Authority 5.5 Responsibility & Authority
820.20(b)(2) Resources 5.1e Management Commitment
820.20(b)(3) Management Representative 5.5.2 Management Representative
820.20(c) Management Review 5.6 Management Review
820.20(d) Quality Planning 5.4 Quality Planning
820.20(e) Quality System Procedures 4.2.1 General
4.2.2 Quality Manual
820.22 Quality Audit 8.2.4 Internal Quality Audits
820.25 Personnel 6 Resource Management
820.25(a) General 6.1 Provision of Resources
6.2 Human Resources
820.25(b) Training 6.2 Human Resources
820.30 Design Controls 7.3 Design and Development
820.30(a) General 7.3 Design and Development
820.30(b) Design and Development Planning 7.1 Planning of Product Realization
7.3.2 Design and Development Planning
820.30(c) Design Input 7.2.1 Customer Related Processes
7.2.2 Review of Requirements Related to Product
7.3.3 Design and Development Inputs
820.30(d) Design Output 7.3.4 Design and Development Outputs
820.30(e) Design Review 7.3.5 Design and Development Review
820.30(f) Design Verification 7.3.6 Design and Development Verification
820.30(g) Design Validation 7.3.7 Design and Development Validation
820.30(h) Design Transfer 7.3.8 Design and Development Transfer
820.30(i) Design Changes 7.3.9 Control of Design and Development Changes
820.30(j) Design History File 7.3.10 Design and Development Files
820.40 Document Controls 4.2.4 Control of Documents
820.40(a) Document Approval and Distribution 4.2.4 Control of Documents
820.40(b) Document Changes 4.2.4 Control of Documents
820.50 Purchasing Controls 7.4.1 Purchasing Process
820.50(a) Evaluation of Suppliers, Contractors, and Consultants 7.4.1 Purchasing Process
820.50(b) Purchasing Data 7.4.2 Purchasing Information
7.4.3 Verification of Purchased Product
820.60 Identification 7.5.8 Identification
820.65 Traceability 7.5.9 Traceability
820.70(a) Production and Process Controls 7.5.1 Control of Production and Service Provision
7.5.6 Validation of Processes for Production and Service Provision
820.70(a) Production and Process Controls 6.3 Infrastructure
6.4 Work Environment and Contamination Control
7.5.1 Control of Production and Service Provision
7.5.6 Validation of Processes for Production and Service Provision
820.70(c) Environmental Control 6.4 Work Environment and Contamination Control
820.70(d) Personnel 6.2 Human Resources
820.70(e) Contamination Control 6.4.2 Contamination Control
820.70(f) Buildings 6.3 Infrastructure
820.70(g) Equipment 6.3 Infrastructure
7.5.1 Control of Production and Service Provision
7.5.6 Validation of Production and Service Provision
820.70(h) Manufacturing Material 7.5.11 Preservation of Product
820.70(i) Automated Processes 6.3.b Infrastructure
7.5.6 Validation of Production and Service Provision
820.72 Inspection, Measuring, and Test Equipment 7.6 Control of Monitoring and Measurement Equipment
820.75 Process Validation 7.5.6 Validation of Production and Service Provision
820.80(a) Receiving, In-process, and Finished Device Acceptance – General 7.1 Planning of Product Realization
7.4.3 Verification of Purchased Product
7.5.1 Control of Production and Service Provision
820.80(b) Receiving Acceptance 7.4.3 Verification of Purchased Product
820.80(c) In-Process Acceptance 7.1 Planning of Product Realization
820.80(d) Final Acceptance Activities 7.1 Planning of Product Realization
820.80(e) Final Acceptance Records 7.1 Planning of Product Realization
820.86 Acceptance Status 7.5.8 Identification
820.90(a) Non-Conforming Product 8.3 Control of Nonconforming Product
820.90(b) Nonconformity Review and Disposition 8.3 Control of Nonconforming Product
820.100 Corrective and Preventative Action 8.5.2 Corrective Action
8.5.3 Preventative Action
820.120 Device Labeling 4.2.3 Medical Device File
7.5.8 Identification
7.5.11 Preservation of Product
820.130 Device Packaging 4.2.3 Medical Device File
7.5.8 Identification
7.5.11 Preservation of Product
820.140 Handling 4.2.3 Medical Device File
7.1 Planning of Product Realization
7.5.8 Identification
7.5.11 Preservation of Product
820.150 Storage 4.2.3 Medical Device File
7.1 Planning of Product Realization
7.5.8 Identification
7.5.11 Preservation of Product
820.160 Distribution 4.2.3 Medical Device File
7.1 Planning of Product Realization
7.5.8 Identification
7.5.11 Preservation of Product
820.170 Installation 4.2.3 Medical Device File
7.5.3 Installation Activities
7.5.8 Identification
7.5.11 Preservation of Product
820.180 Records 4.2 Documentation Requirements
4.2.3 Medical Device File
7.1 Planning of Product Realization
820.181 Device Master Record 4.2.3 Medical Device File
820.184 Device History Record 4.2.5 Control Records
7.1 Planning of Product Realization
7.5.8 Identification
820.186 Quality System Record 4.2 Documentation Requirements
7.1 Planning of Product Realization
820.170 Installation 4.2.3 Medical Device File
7.5.3 Installation Activities
7.5.8 Identification
7.5.11 Preservation of Product
820.198 Complaint Files 7.2.3 Communication
8.2.1 Feedback
8.2.2 Complaint Handling
8.2.3 Reporting to Regulatory Authorities
820.200 Servicing 4.2.3 Medical Device File
7.1 Planning of Product Realization
7.5.4 Servicing
7.5.8 Identification
820.250 Statistical Techniques 8.1 General 8.4 Analysis of Data


 


Jon Speer, founder greenlight.guru

Written By Jon Speer


Jon is the founder and VP of QA/RA at Greenlight Guru (quality management software exclusively for medical devices) & a medical device guru with over 18+ years industry experience. Jon knows bringing a device to market is hard, so he built Greenlight Guru to make it easier. Click here to get our actionable medical device content delivered right to your inbox 1x per week.


 P.S. You can learn more about our eQMS software + services here →