A Guide to ISO 13485
Product conformity is important across all industries, but it's especially crucial when it comes to the design and manufacturing of medical devices.
Product conformity is important across all industries, but it's especially crucial when it comes to the design and manufacturing of medical devices. Consistent product quality is an issue of patient safety, regulatory compliance and a company's ability to succeed in the industry. To ensure the appropriate level of quality control, it's essential to comply with the relevant standards.
One of these standards is ISO 13485, a quality management system (QMS) standard designed specifically for medical device manufacturers. At NQA, we have extensive experience with ISO 13485 and other standards relevant to the medical device manufacturing sector.
Table of Contents:
- What is ISO 13485?
- Benefits of Implementing ISO 13485
- Applications of ISO 13485
- About the 2016 Update
- Key Differences between ISO 13485 and ISO 9001
- How to Implement ISO 13485
- How to Get Certified with NQA
- Revisions in the Update
- Introduction to ISO 13485
- Clause 1: Scope
- Clause 2: Normative References
- Clause 3: Definitions
- Clause 4: QMS
- Clause 5: Management Responsibility
- Clause 6: Resource Management
- Clause 7: Product Realisation
- Clause 8: Measurement, Analysis & Improvement
- Get ISO 13485 Certified
What is ISO 13485?
The ISO 13485 standard governs quality management systems for medical devices and related services. It's published by the International Organization for Standardization. ISO 13485 addresses:
- Quality control
- Risk management
- Legal compliance
- Operational efficiency
- Ability to trace and recall products and devices
- Process and product improvement
The most recent update to the standard was published in February of 2016, overriding previously published versions from 2003 and 1996. ISO 13485 derived from ISO 9001, a quality management system certification that's available to businesses in a wide variety of industries. However, medical device and pharmaceutical companies have specialized requirements that made some of the requirements of ISO 9001 difficult to apply. ISO 13485 was developed to address these needs.
ISO 13485 provides a great advantage for organizations producing medical devices and related services. It assures a commitment to quality and increases efficiencies within the organization. Becoming ISO 13485 certified can increase your client base and reduce barriers to entry of foreign markets, product liabilities and production down-time.
The three-year transition period from ISO 13485:2003 to ISO 13485:2016 ended in March 2019. Many organizations that needed to keep an active ISO 13485 certification have already adopted the 2016 standards. Those that haven't have had to pull out of European Union (EU) and Canadian markets. If your company was once certified to ISO 13485:2003, and you want to reenter markets that require certification to ISO 13485, you may seek a first-time certification to ISO 13485:2016. It is important for these organizations to understand the advantages of becoming ISO certified, identify the key differences between the 2003 publication and the 2016 publication and begin the work for first-time certification.
The auditing process can appear overwhelming, but it does not have to be. For those seeking their first ISO 13485 certification, the following information can serve as a starting place for implementation.
The Benefits of ISO 13485:2016
Businesses that have implemented ISO 13485 cite numerous benefits. Many companies seek the certification because of the financial benefits to their business. The certification demonstrates their commitment to building high-quality medical devices. That allows businesses to attract more clients than before.
Some of the most desirable benefits include the abilities to:
1. Contract with Larger Companies
Many large medical device businesses prefer to work with vendors who are ISO 13485 certified. The 2016 update has made certification even more desirable. The revisions mean that large companies are responsible for ensuring that any subcontractors conform to ISO 13485 standards — subcontractors who already have the certification are likely to be prioritized.
2. Demonstrate Commitment to High Quality
Both ISO 13485 and ISO 9001 are seen as indicators of an organization’s commitment to quality. Achieving a quality management certification demonstrates to customers and regulators that your company values quality.
3. Expand Potential Market
International medical device standards like ISO 13485 are created to ensure that medical devices in different places demonstrate the same reliability and quality. If you’re considering exporting products, ISO 13485 certification can lend an advantage. It is the first step to regulatory approval in major markets like the EU and Canada, and it also demonstrates the quality of the product to potential buyers.
4. Help Personnel Access Relevant Information
The documentation requirements in this standard are designed to ensure that all members of a development team have access to the information they need at all times, which can reduce the time and expense associated with product development.
5. Expand and Consolidate Business Knowledge
We also hear from clients that documenting the processes associated with their medical device helps the business develop a consolidated knowledge base. This knowledge can help to identify problems, improve the product and streamline the manufacturing process. It also makes the process of on-boarding new employees easier.
6. Enhance Customer Satisfaction
A medical device QMS helps you provide more consistent quality in your products and services, making your products more reliable and better able to meet customers' needs. This enhanced quality increases customer satisfaction.
7. Win More Business
Many businesses prefer to work with medical device organizations that have ISO 13485 certification, and some require all the companies they partner with have it. This is due in part to the fact that, under the latest version of ISO 13485, companies are responsible for ensuring any subcontractors they work with conform to ISO 13485 requirements. Because of these preferences and requirements, ISO 13485 certification enables you to win more business.
8. Make Achieving ISO 9001 Certification Easier
Many businesses hold both ISO 13485 and ISO 9001 certifications. If your business is ISO 13485 certified, achieving ISO 9001 certification is significantly easier. The requirements of these two standards are generally harmonized. While ISO 9001 contains a few requirements related to business clauses that ISO 13485 doesn’t cover, you'll already have done most of the work.
Applications of ISO 13485
ISO 13485 specifies quality management for medical device manufacturers and related organizations. This means a variety of companies in the medical device industry and pharmaceutical supply chain use ISO 13485 standards. Organizations that use this standard include:
- Manufacturers of medical devices.
- Organizations that supply products or raw materials to medical device manufacturers.
- Quality management organizations that contract to medical device manufacturers.
- Organizations that provide services to medical device manufacturers.
- Makers of sterile medical devices.
- Manufacturers of surgical medical devices.
A significant change in the 2016 update addresses outsourcing. This update requires an organization to ensure that companies it contracts with meet ISO 13485 standards when outsourcing the development, design or servicing of a medical device.
ISO standards are voluntary, so being certified to ISO 13485 isn’t always necessary. Europe and Japan offer alternative national standards. On the other hand, Canada requires class I, II and III medical device manufacturers to achieve ISO 13485 certification.
Although certification isn’t required, it can provide an advantage. Many countries base their regulatory standards for medical devices on this standard. Achieving either ISO 13485 or ISO 9001 certification is seen as the first step to approval for a medical device in Europe. Beyond earning regulatory approvals, following the ISO 13485 standard can produce higher quality medical devices. They'll be more trusted in the marketplace, and your manufacturing processes will produce fewer errors, scraps and reworks.
About the 2016 Update
The deadline to transition to the 2016 version was March 31, 2019. ISO 13485:2016 is now the sole version of the standard that any organization can hold an active certification for.
All ISO standards undergo review every five to ten years to determine if the standards need revisions to remain relevant in the current market.
Before 2016, the most recent version of the standard had been released in 2003. Over the next 13 years, multiple jurisdictions revised or introduced regulations for medical devices, leading to dramatic changes in the medical device industry. In 2016, ISO staff reviewed the 2003 standard with various regulatory bodies and came to the consensus that revisions were necessary to reflect current quality management needs.
Since the 2016 revision arrived, the requirements within ISO 13485 have been adopted into a number of different countries' regulatory programs. Regulators in Australia, Canada, the European Union, Japan and the United States use it. It is used with modifications in the United Kingdom and by the Medical Device Single Audit Program.
Many of the revisions made to ISO 13485 reflect its importance to regulatory bodies. Among these revisions are:
- Increased alignment with regulatory requirements.
- Adjustment of software standards for measurement and reporting.
- Additional requirements for verification and validation planning.
- Increased emphasis on addressing consumer complaints.
- Additional requirements for reporting to regulatory authorities.
- Greater emphasis on risk-based decision-making and risk management.
These revisions ensured that ISO 13485 aligned more fully with regulatory requirements for medical devices while still incorporating the quality management requirements from the ISO 9001 standard.
Key Differences between ISO 13485 and ISO 9001
ISO 9001 outlines a quality management system for general industry, so it shares similarities with ISO 13485. Companies that manufacture both medical devices and other products, such as some contract manufacturers, may want to maintain both certifications.
Since the two certifications speak to different types of manufacturing and align with different regulatory standards, each has some key elements that the other lacks. For example, ISO 9001 is mostly geared toward customer satisfaction through high standards for quality management systems. Meanwhile, ISO 13485 focuses more heavily on the safety and efficacy of medical devices and is closely linked to many regulatory requirements. As such, its documentation requirements are more extensive.
Components and requirements unique to ISO 13485 include:
- Additional requirements for preventing contamination
- Monitoring focused on meeting customer requirements rather than on subjective customer satisfaction measures
- Multiple documentation requirements at all stages of product development
- Focus on maintaining the quality management system's effectiveness instead of continuous improvement, as required for ISO 9001
- Risk management during design and production
- Additional requirements for regulatory reporting, advisory notices and recalls
How to Implement ISO 13485
This section will serve as a step-by-step ISO 13485 guide to walk you through becoming certified with the help of the experts at NQA.
Step 1: Obtain the Documents and Study the Requirements
Once you've determined that ISO 13485 is right for your organization, familiarize yourself with its requirements. Start by obtaining a copy of the standard and any supporting documents. You'll need to refer to these documents when creating your implementation plan, and the auditor will refer to them when assessing your QMS.
Make sure you purchase the 2016 version of the standard, as it contains several important changes. For example, the latest version requires organizations to ensure that every organization with which it contracts also complies with ISO 13485 requirements.
Step 2: Conduct a Gap Analysis
One of the most important steps when implementing ISO 13485 is performing a gap analysis. To conduct a gap analysis, or pre-audit, you assess your company's existing processes and compare them to the ISO 13485 requirements. Doing so will reveal the gaps between your company's current system and the system you will need to establish to reach compliance.
The information you gather in your gap analysis will inform your implementation plan. If the gaps you find are wider, reaching compliance will require more extensive changes. If they are smaller, the changes you have to make will be relatively minimal.
When performing a gap analysis, you will typically:
- Compare the requirements of ISO 13485 to your current QMS
- Document how your current system complies and does not comply with ISO 13485 requirements
- Based on your results, determine what to include in your implementation plan
Once you complete a gap analysis, you typically produce a report that includes:
- The areas in which your company meets the standard's requirements
- The areas in which your company is not complying with the standard's requirements
- Recommendations of what to include in your implementation plan
Step 3: Develop an Implementation Plan
The next step is to create a plan to address the gaps you discovered through your gap analysis. This plan will lay out how you will implement ISO 13485 and should include clearly defined, quantifiable objectives with realistic deadlines.
Developing your plan will include designing your quality manual and policy, which involves examining your current processes and updating them as necessary to meet the standard's requirements. You will also need to establish methods for controlling the processes you create, including documentation.
Under the requirements of ISO 13485, there are certain procedures that must be part of your QMS. Note which items ISO 13485 focuses on and ensure they're part of your plan while keeping your organization's unique needs in mind.
Part of developing your plan is defining its scope, as this will help you see what you need to do and what the boundaries of your implementation are. Properly defining your scope will help you avoid applying your QMS to irrelevant parts of your business while also avoiding applying it too narrowly, which can limit its effectiveness. Your quality policy and manual will help you define your scope.
When creating your implementation plan, you should include details about each task you must complete to reach full compliance with ISO 13485. For every task, note the following:
- Relevant section of ISO 13485
- Who is responsible
- Necessary documentation
- Required approvals
- Required training
- Necessary resources
- Expected completion date
Your implementation plan should also include information about the costs of ISO 13485 certification and implementation, the benefits of implementation and the business case for certification. This information will help you account for the costs involved in the process and get buy-in from managers and employees across your organization.
Step 4: Design the Documentation
To effectively implement ISO 13485, you need to control your processes through documentation. After you have created or modified the necessary processes, you will need to develop documentation for them. This documentation will help you prove your compliance and guide your processes. You have some flexibility in designing your documentation, and you don't necessarily have to document every process, but you need to ensure your documentation meets all ISO 13485 requirements.
It's often best to begin with the minimum requirements under ISO 13485, which include a quality manual and various documented procedures, and add further documentation as needed. Be sure to include all documentation requirements in your implementation plan.
Step 5: Provide Training
Inform all employees that your organization will implement ISO 13485 far enough in advance that they can adequately prepare with minimal disruption to their daily work. Provide information to employees about how implementation will affect them, how it will benefit them and what their responsibilities are. Remembering to include information about the benefits can help to win buy-in.
All team members who will be part of the implementation process should receive the necessary training. Ensure employees have sufficient time to complete training and answer any questions they may have before they take action to enable implementation.
Step 6: Carry Out Your Plan
Next, you can start implementing your plan as you designed it. Of course, implementing ISO 13485 will look different for each company depending on its existing processes and the details of its implementation plan.
Monitor the implementation process carefully and make changes as needed. Just be sure to document any changes and keep the relevant employees informed. Operate your QMS for several months, making adjustments as needed and documenting the process thoroughly.
Step 7: Perform Internal Audits and Reviews
Before you can undergo the third-party audits needed for certification, you must conduct internal audits and a management review. These processes will help you evaluate how your system is working and ensure it complies with the requirements within ISO 13485.
To conduct internal audits, create an internal ISO 13485 audit checklist and use it to thoroughly examine how your QMS is operating. Be sure to carefully document your findings. This documentation will provide evidence that your processes are working correctly and meeting the necessary requirements.
You also need to conduct a management review. During this review, management should evaluate data from your QMS processes and check that these processes have the resources they need to remain effective and continually improve.
Conducting these audits and reviews will help reveal areas in which your processes are not working adequately. You can then make changes to correct these issues before scheduling audits with a third-party certification body.
Step 8: Select a Certification Body
When you have completed the required audits and reviews and you believe your QMS is ready, you can start researching what third-party certification bodies you can work with. Choosing the right auditor can speed up the auditing process and reduce problems that arise from language or cultural barriers.
Since an audit is fundamentally an on-site verification of your quality management processes, look for auditors with a local presence. Look into each option's qualifications, including:
- Background and training
- Accreditation status
- Knowledge and experience of ISO 13485
- Experience with other medical device standards
Selecting an auditor with the right characteristics can help the certification process go smoothly, maximizing the value you'll get from the audits. For instance, NQA has conducted more than 35,000 certifications in 70 different countries. This means that, when questions about logistics or the audit process arise, our experienced auditors can help you find the answer.
Step 9: Complete the Third-Party Audit and Certification Process
Once you've selected the auditor you want to work with, you can begin the audit process, where the certification body verifies that you meet ISO 13485 requirements. If you pass the audits, you will become certified to ISO 13485.
To get started, submit an application with the auditor you selected, including the following:
- Background information about your organization
- Which standard you want certification for
- Relevant details about your implementation process
At NQA, we have a quick quote form and a formal quote request form you can use to submit your application. We use this information to define the scope of the audits and put together a certification proposal.
Once you agree to the proposal, you can get started with the assessment phase, provided that you have operated your QMS for at least three months and have completed a full cycle of internal audits as well as a management review. The initial certification audit includes two visits from an auditor.
During the first visit, the auditor will conduct the stage one assessment, which verifies that your organization is ready for the full assessment. The stage one assessment includes a documentation review held at your management system center.
During this first assessment, the auditor will:
- Confirm that application details are accurate
- Verify that your QMS meets ISO 13485 requirements
- Check that your QMS has been running for at least three months
- Confirm the scope of your certification
- Verify legislative compliance
At the end of this assessment, the auditor will provide you with a report describing any non-compliance or potential improvements found during the visit. If they find significant issues, you must create a corrective action plan. If your QMS passes the audit, you can schedule your next assessment visit.
During the next visit, the auditor will complete the stage two audit, which verifies whether your QMS meets the full requirements of ISO 13458. This audit includes all of the locations that fall under the scope of your certification.
When completing this assessment, the auditor will do the following:
- Document whether your QMS complies with ISO 13485 requirements using objective evidence
- Take sample audits of relevant processes and activities
- Visit any remote sites and other additional locations to assess how the QMS operates off-site
- Document any areas of non-compliance and potential improvements
If the audit reveals any substantial non-conformances, your organization will need to take corrective action, which an auditor must verify, before issuing the certification. If the necessary corrective action doesn't occur within six months, you'll need to complete another stage two assessment before you can receive certification.
If you pass the stage two audit, the certification body will issue a certification that is valid for three years.
Step 10: Maintain Your Certification
To maintain your certification during the three-year certification cycle, you must complete an annual surveillance audit. A surveillance audit is a partial audit that verifies your organization's compliance with the standard and improvements to the QMS.
If your business changes during the certification cycle, such as by increasing or decreasing staff size or adding or removing locations, inform your certification body as soon as you can. Then, you can modify your QMS, the scope of your certification or other things as needed.
How to Get Certified with NQA
NQA is an accredited certification body for ISO 13485 and many other ISO standards. When you apply for certification through NQA, we give you added value for your money. As auditors, we can help you improve your organization through the auditing process, with recommendations tailored to your business in addition to corrective action for compliance with the standard. To get certified to ISO 13485 through NQA, fill out your application or contact us with any questions about our process.
To find out if you're ready, check out the ISO 13485 medical device certification guide below to learn about the standards and key differences from the earlier versions.
Major Revisions in the ISO 13485:2016 Update
If your organization's most recent certification is under the 2003 version of ISO 13485, transitioning will be a challenge. No matter what your certification expiration date says, a certification to ISO 13485:2003 is now null and void.
If your organization needs an active ISO 13485 certification to enter or return to certain medical device markets, you must now undergo the full certification process rather than a transition certification. You'll need a complete audit from an accredited external auditor like NQA as though you were receiving certification for the first time. After a full ISO 13485 implementation, you can conduct your audit and receive certification.
While the process will be the same as obtaining a first-time certification, it may be a little easier if you're already familiar with and using the 2003 standards. To help you get started, we’ve outlined the changes made in the 2016 update below. You’ll find a brief ISO 13485 overview below, followed by a list of any major changes made to the section in question.
The introduction to ISO 13485 provides additional understanding and clarification of terms. Major changes in the introduction include expanded definitions of product life cycles, organizations that this standard applies to, and an understanding of the process approach used by organizations certified under this standard.
0.1 – General
- Provides more detail about what types of organizations ISO 13485 applies to and what stages of the product life cycle this standard applies to.
- Expands the list of organizations that this standard can apply to, including suppliers of medical devices; third-party organizations providing raw materials, subassemblies, components and medical devices for the manufacture of these products; and organizations offering sterilization services, calibration services, distribution services and maintenance services for medical device companies.
- Reminds organizations to identify applicable regulatory requirements.
- Clarifies that quality management systems need to meet regulatory requirements as well as those of ISO 13485.
- Expands upon the factors that can influence the development of quality management programs within organizations.
0.2 – Clarification of Concepts
- Adds the following to the conditions needed to define “appropriate requirements.” The new definition of appropriate requirements includes those that are necessary for the product to meet requirements, compliance with applicable regulatory standards (new requirement), the organization to carry out corrective action and the organization to manage risks (new requirement).
- Explains that “risk” for medical products applies to safety, performance standards or the necessity to meet regulatory requirements.
- Clarifies that documented requirements also need to be established, implemented and maintained.
0.3 – Process Approach
- Expands upon the definition of a process approach for medical devices.
- A process approach emphasizes understanding and meeting requirements, considering the added value of processes, obtaining results of process performance and improving processes based on objective measurements.
0.4 – Relationship with ISO 9001
- Clarifies that sections of this standard based on ISO 9001 refer to the new ISO 9001:2015 and not the previous versions.
1 - Scope
This section clarifies the organizations and processes that ISO 13485 applies to:
- Clarifies that ISO 13485 applies to organizations involved in different stages of the life cycle of medical products, including the design, repair, installation, maintenance and storage of medical devices.
- Expands the standard to include organizations that provide technical support, quality management services and product support for medical devices.
- Clarifies responsibility for third-party vendors and supplies. States those services and products that are not created by the organization, but are used in its products, are the responsibility of the organization. The certified organization is liable for maintaining, monitoring and controlling these processes.
- Explains that the standards in clauses 6, 7 and 8 that are not applicable to the organization can be excluded. This change may be applicable to some suppliers, support organizations and quality management service suppliers. During certification, the reasons for these exclusions still need to be documented.
2 – Normative References
Clause 2 clarifies that any references to ISO 9000 refer to ISO 9000:2015, and not to ISO 9000:2000 (used by the 2003 version).
3 – Definitions
Clause 3 defines terms used throughout this update to ISO 13485.
- Modifies certain definitions to focus on defining medical devices and products. This definition is significantly more detailed than that found in the previous version of this standard. Implantable medical devices and sterile medical devices both get new definitions as well.
- Adds additional definitions that focus on defining roles within the life cycle of product development, including defining distributors, importers and manufacturers. Adds definitions of risk, risk management, performance evaluation and post-market surveillance.
4 – Quality Management System
Clause 4 addresses the requirement to document procedures relating to the quality management process. Documentation requirements have been expanded and clarified in the 2016 update. There is additional language that clarifies that quality management processes required by ISO 13485 do not exempt an organization from meeting any additional quality management requirements mandated by regulatory authorities. A primary change here states that quality management requirements now apply to any outsourced products as well as those produced by the organization itself.
4.1 – General Requirements
- States that the organization is responsible for establishing, implementing and maintaining any quality management processes required by this standard.
- Explains that ISO 13485 certification does not exempt the organization from other applicable regulations. The organization is also required to establish, implement and maintain processes required by other regulatory bodies. The requirement to meet other applicable regulatory requirements is emphasized throughout this version.
- Clarifies that organizations must use a risk-based approach in their quality management processes.
- Explains that an organization is responsible for monitoring any outsourced processes. This is a considerable change from the 2003 version of this standard. Any outsourced processes still need to conform to the quality management standards of the medical device organization and written quality agreements with the third party must be in place.
4.2 – Documentation Requirements
- Documentation requirements have been considerably expanded. With the exception of the medical device file, all documents were required by the previous standard. However, the additional details of what this documentation must include have been clarified.
- The Quality Manual now requires an explanation of the scope of the project management system, as well as justifications for any exclusions from it.
- Requires the development of a medical device file for each product, which must include specifications, labeling, use instructions and any requirements for installation and servicing.
- Many of the requirements for document control remain the same. Documents are required to be reviewed and approved before publication. Records and documents applicable to medical devices still need to be kept for at least the lifetime of the medical device.
5 – Management Responsibility
Clause 5 addresses the management responsibilities for maintaining, documenting and reviewing procedures. This section has undergone relatively minor changes in the 2016 update. Most of the changes in this section focus on management review.
5.6 – Management Review
- Organizations are required to have and use documented procedures for reviews.
- Management review has been expanded to include complaint handling and reports to regulatory authorities.
- Organizations must now record any output from management reviews.
- The list of review outputs has been expanded. It now includes decisions and actions related to resource needs and to improvements needed to maintain the quality and suitability of the QMS system.
6 – Resource Management
This section covers requirements for a variety of types of resource management: human resources, infrastructure, work environment and contamination control. This section, or clauses within it, may not be applicable to all organizations that are seeking ISO 13485 certification. Organizations that believe components of this section are not relevant can also submit an explanation that justifies their exclusion.
6.2 – Human Resources
- Changes in this section focus on requirements for additional documentation of the processes for establishing competency
- The updates include the ability to use processes proportional to the risk level of the action. Low-risk tasks may require very little documentation to prove competency, while high-risk actions require considerably more.
6.3 – Infrastructure
- Language has been added to state that it is important to ensure the proper handling of product and that protocols must be in place to prevent product mix-up.
- Required documentation for maintenance activities has been expanded. Maintenance requirements must now be documented for maintenance activities, equipment used in production, work environment controls and monitoring and measurement systems.
6.4 – Work Environment
- An additional clause has been added to state that documentation of protocols for maintaining the work environment is required when the state of the work environment could have an impact on the quality of the product.
- An additional section (6.4.2) has been added to address contamination controls.
- If product contamination is a concern, the organization must plan and document the procedure for controlling contaminated products.
7 – Product Realisation
This section addresses the processes the organization uses during product development. The bulk of changes in the 2016 update occur within Clause 7. Many of the changes in this section specifically address quality management when parts of the product development are contracted to a third party. Other changes in this section expand and clarify the types of documentation required during design, development and production phases.
7.1 – Planning of Product Realisation
- Organizations must plan and develop the processes for product realization in a way that is consistent with the quality management system.
- Risk management policies for product realization must be documented.
- The documentation requirement for policies relating to product acceptance has been expanded. Organizations are now required to document their policies for verifying, validating, monitoring, measuring (new), inspection and testing, handling (new), storage (new), distribution (new) and traceability activities (new).
7.2 – Customer-Related Processes
- Organizations must determine the customer requirements for the product. These requirements include those stated by the customer and those unstated but required for the product to function as intended.
- Organizations are also required to ensure that the product conforms to applicable regulatory standards.
- An additional requirement that the organization must determine any training needed by the user for the product to function has been added.
- Before committing to supply the product, the organization must review product requirements to ensure they are documented, defined and meet applicable regulatory standards.
- During the review of product requirements, the organization must also ensure that any training needed for the product is either currently available or is planned to be made available.
- The section on communication has been expanded to state that the organization must communicate with regulatory authorities when this communication is required by applicable regulations.
7.3 – Design and Development
This section addresses requirements for the design and development of products. There are sizable changes to the ISO 13485:2016 update in this section.
7.3.2 – Design and Development Planning
- Additional requirements for documentation during the planning stage have been added. The first requirement is that design and development outputs must be traced to design and development inputs. Next, the company must document the resources needed in the design and development planning stage, including the competency of personnel.
7.3.3 – Design and Development Inputs
- Records of design and development inputs must be maintained and must be able to be verified and validated.
- Design and development inputs now include usability requirements, as well as the functional, safety and performance requirements that were previously required.
7.3.4 – Design and Development Outputs
- There are no changes to the design and development outputs requirements.
7.3.5 – Design and Development Review
- Reviews are still required to ensure that the product design and development meets requirements.
- In addition to documenting reviews and necessary actions, the organization is now required to identify the product being reviewed, the date of the review and the reviewers participating.
7.3.6 – Design and Development Verification
- This section has been expanded to clarify what must be contained within a design and development verification. These requirements include methods, acceptance criteria and statistical methods with justification for sample size, if applicable.
- If the medical device will be connected to another medical device, the organization must verify that the inputs and outputs work as intended when connected to the device in question.
7.3.7 – Design and Development Validation
- The organization is required to perform design and development validation in accordance with its documented procedures.
- A new requirement to perform validation on representative products, such as initial production units, must be added. Whatever the product used for validation, an explanation that justifies this choice is required.
- An additional statement has been added that when clinical trials or evaluations are used to validate a product, the product is not considered to be released for consumer use.
7.3.8 – Design and Development Transfer
- This is a new section to ISO 13485.
- This section requires the organization to follow documented procedures for transferring design outputs to manufacturing. The organization is now required to confirm that the manufacturing outputs match those of the design phase.
7.3.9 – Control of Design and Development Changes
- Additional requirements have been added to control design and development changes according to an organization’s documented procedures.
- Potential changes to the design must be reviewed to determine how they will affect the performance, safety and usability of any device.
7.3.10 – Design and Development Files
- An additional requirement to maintain design and development files has been added. These files must include records of any changes to the design.
In line with earlier updates to address outsourcing product parts, the purchasing requirements have been updated. Most of these updates clarify expectations of what type of processes and documentation of purchasing decisions is required.
7.4 – Purchasing
7.4.1 – Purchasing Processes
- The criteria for selecting and evaluating potential suppliers has been clarified.
- An additional requirement to evaluate suppliers based on their performance has been added.
- This section includes a statement that suppliers must be evaluated with respect to risk. Products that would have a bigger impact on the quality of the device must be evaluated more strictly.
7.4.2 – Purchasing Information
- Purchasing information is still required to include product specifications, criteria for product acceptance, requirements for the competency of personnel with the supplying organization and quality management system requirements.
- An additional requirement that suppliers notify the organization of any changes in the purchased product prior to implementing the change has been added.
7.4.3 – Verification of Purchased Product
- An additional requirement has been added for when organizations become aware of changes in the purchased product. The organization is now required to review whether the changes in the supplied product will have an impact on their product or its performance.
7.5 – Production and Service Provision
7.5.1 – Control of Production and Service Provision
- Adds new language stating that production and service provision must be monitored.
- The list of criteria for production and service provision has been expanded to include documented procedures for production controls.
7.5.2 – Cleanliness of Product
- An additional requirement regarding product cleanliness has been added.
- Organizations are now required to document procedures when a supplied product cannot be cleaned and its cleanliness affects the quality of the final product.
7.5.4 – Servicing Activities
- When a medical device is required to be serviced, the organization is required to review any activities relating to servicing.
- Servicing activities must be evaluated to determine whether it’s a customer complaint or whether the issue must be considered for future improvements.
7.5.6 – Validation of Processes for Production and Service Provision
- When the output can’t be monitored or measured, the organization is required to validate the process that leads to this output.
- The list of documentation for validating procedures has been expanded to include the approval of changes to the process and the use of statistical techniques with rationales for the sample size (as appropriate).
- The section discussing the need to validate computer software has been expanded and clarified.
- Reminds organizations to use validation processes that are proportional to the risk associated with the software.
7.5.7 – Particular Requirements for Validation of Processes for Sterilisation and Sterile Barrier Systems
- Adds a requirement for sterile barrier systems
7.5.8 - Identification
- Maintains the previous requirement to identify the product throughout the product realisation, and to document the procedures by which products are identified.
- A new requirement to document the system the organization uses to assign unique identification numbers to devices has been added. This requirement is only applicable when unique device identification numbers are assigned.
- An additional requirement to identify product status has been added. Organizations are now required to identify product status throughout production.
7.5.11 – Preservation of Product
- Updates to this section expand upon the requirement to protect products from alteration and damage.
- Clarifies that protection must include designing appropriate packaging and documenting any special conditions for storage, if applicable.
8 – Measurement, Analysis and Improvement
This section addresses the need to monitor products to ensure that they meet the required quality standards. These processes are used to ensure that the quality management system is working as intended, and to make any changes needed.
8.2.1 – Feedback
- The requirement to collect feedback has been expanded to include collecting feedback from post-production activities, as well as from the production process.
- A new requirement to use this feedback as input into risk management processes has been added.
- Organizations are still required to use this feedback as input into the production and improvement processes.
- Regulatory requirements regarding feedback from post-production processes must be incorporated into this process.
8.2.2 – Complaint Handling
- This sub-clause is new to the 2016 update.
- Requires the organization to document their procedures for timely complaint handling, which must be in line with any regulatory requirements.
- Provides a list of items that must be documented within the complaint handling procedures.
- Organizations must maintain a record of complaint handling activities.
8.2.3 – Reporting to Regulatory Authorities
- This sub-clause is new to the 2016 update.
- If regulatory requirements require any complaints to be reported to a regulatory authority, the organization must document their procedures for providing notification.
8.2.6 – Monitoring and Measurement of Product
- An addition to this section states that the organization needs to identify the test equipment used to measure products, when applicable.
8.3 – Control of Nonconforming Product
- This section addresses the need to identify products that don’t meet quality standards and to ensure that they’re not delivered along with conforming products.
- The list of controls for segregating nonconforming products has been expanded. It now includes identification, documentation, segregation, evaluation and disposal.
- New sub-clauses address actions taken when nonconforming product is detected before delivery and actions taken when it’s detected after delivery.
- Additional information has been added to address the acceptance of a nonconforming product. When nonconforming products are accepted, the organization must document the event and include a justification for the acceptance.
- A new requirement has been added to state that organizations must document the procedures for issuing advisory notices.
- A new requirement to maintain records of any advisory notices released has been added.
8.4 – Analysis of Data
- Adds a new requirement to document how statistical techniques and measurement methods were determined to be appropriate.
8.5 – Improvement
- This section requires organizations to implement any changes that help to maintain the suitability of the quality management system.
8.5.2 – Corrective Action
- A new requirement that any corrective action must be taken without unnecessary delay has been added.
- A new requirement regarding preventative action has been added. The preventative action must not adversely affect the product's safety, performance and ability to meet regulatory requirements.
8.5.3 – Preventative Action
- A new requirement has been added.
- Organizations are required to verify that any preventative changes will not affect the safety, performance or ability to meet regulatory requirements of the device.
Get Certified with NQAGetting certified for an ISO standard can be a difficult process. Preparation and good organization can make it less stressful.
When NQA audits a business, we work with your processes and procedures. That means you won’t need to add processes that don’t work for your business. Dedicated Customer Service representatives will provide feedback throughout the registration process — should any questions arise during your audits, you'll have what you need to address them quickly and return to work.