GxP Lifeline

Your Top 10 Questions About ISO 13485:2016—Answered!



It’s been five years since the International Organization for Standardization (ISO) published the ISO 13485:2016 standard. The guidelines provide medical device manufacturers with a framework for establishing a quality management system (QMS) relevant to their industry and products.1 Since then, the U.S. Food and Drug Administration (FDA) has announced intentions to harmonize the Quality System Regulation (QSR) for medical devices to align more with the 13485 standard. This post addresses some of the most frequently asked questions about ISO 13485:2016.

1. What is the status of the FDA’s QSR/ISO 13485:2016 Harmonization Effort?

Since 2018, the FDA has endeavored to retool its QSR to harmonize with the ISO 13485:2016 standard. Facing an April 2020 publishing deadline, the project was once again delayed due to the agency’s all-hands priority given to coronavirus-related activities. Still, the organization remains optimistic about publishing an updated regulation. According to Jeff Shuren, director of the Center for Devices and Radiological Health (CDRH), “the FDA staff are moving forward and making great progress.” Shuren went on to say that the actual time frame is uncertain, but “our goal is that it will happen this year.”2

2. Is ISO 13485 mandatory for EU MDR?

The ISO 13485 standard is not required for medical device development. However, the European Union’s (EU) Medical Device Regulation (MDR) requires medical device companies to have a quality management system (QMS) in place. The MDR defines the requirements for producing or importing medical devices into the EU, and the QMS items required for MDR compliance include:

  • Documentation.
  • Change management.
  • Risk management.
  • Supplier management.
  • Incident reporting.
  • Corrective / preventive action (CAPA).

The ISO 13485 standard is the medical device industry’s most widely used international standard for quality management. Therefore, compliance with the ISO 13485 standard will help with MDR compliance.3

3. What risk management concepts should I understand for ISO 13485:2016 compliance?

ISO 13485:2003 implies the need to incorporate risk management principles in design controls. The 2016 version requires a risk-based approach for the entire quality management system throughout the product’s life cycle, including design controls. The standard also requires you to consider a risk-based approach for outsourced processes and suppliers.

For example, software suppliers are required to perform a risk-based assessment at every stage of the software development life cycle (SDLC). As the sponsor organization, you must ensure that third-party organizations comply with the standard’s risk management guidelines. Companies are encouraged to apply an iterative approach to identifying and mitigating risks:4

  • Continuous code reviews.
  • Continuous testing.
  • Continuous deployment.
  • Continuous monitoring and maintenance.
  • Continuous audit and disposal.

Risk management should not be a quality-only responsibility; it needs to be an all-hands endeavor integrated into all areas of the organization.

4. What would an ISO 13485 revision look like?

It’s difficult to speculate what will be in the next version of the ISO 13485 Standard, but the update will most likely include high-level structure and Annex L. 

High-Level Structure (HLS)

One of the main changes introduced in the ISO 9001:2015 upgrade is the high-level structure (HLS). The high-level structure consists of 10 clauses that push for more uniformity and integration among various management systems. Essentially, it is a principle that all standards are structured the same way and can work together.

The current version of ISO 13485 doesn’t comply with the HLS because the 2016 revision was already underway before the HLS became mandatory. However, the ISO has since designated ISO 13485 as a management system standard (MSS). An MSS is a way organizations can improve their performance by specifying repeatable steps they can implement to create an organizational culture that reflexively engages in a continuous cycle of self-evaluation, correction, and improvement. If the ISO determines that a revision to the standard is necessary, the new version will need to comply with the HLS unless the organization can modify the HLS guidelines to make ISO 13485 exempt. Some of the options the ISO is considering include:5

  • Avoid revising ISO 13485.
  • Modify the HLS, making it no longer unacceptable to regulators.
  • Remove ISO 13485 from the list of MSSs.

Annex L

Formerly called Annex SL, Annex L specifies how the ISO’s MSSs should be written using a high-level structure common core text, common terms, and core definitions. The updated Annex L structure uses a simplified language, making it more user friendly for service- and knowledge-based organizations.

The next revision of ISO 13485 will likely adopt Annex L requirements. Companies will benefit by setting up work instructions, templates, and forms to align with the structure, which will help them more easily achieve and demonstrate compliance.6

According to ISO, the Annex L structure will help companies:7

  • Eliminate conflicts in MSS platforms.
  • Establish faster development of standards.
  • Reduce duplication of concepts, terms, and potentially shared text.
  • Need fewer low-value revisions to common or shared areas.
  • Integrate high-level, common business management goals, issues, and needs.
  • Elevate CAPA into a more encompassing risk assessment process.

5. ISO 13485 vs. ISO 9001: Should I certify to both?

ISO 13485:2016 specifies the requirements for a medical device company’s QMS. The system is necessary to ensure the organization can consistently provide medical devices and related services that meet customer and applicable regulatory requirements.

Similar to ISO 13485, ISO 9001:2015 specifies the requirements for a QMS. It also aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements. The requirements are generic and intended to be applicable to any organization, regardless of its type, size, or the products and services it provides.

The current versions of both standards put more emphasis on risk-based thinking, training, and documentation. Still, it’s important to note that the ISO 13485:2016 standard excludes some of the requirements for ISO 9001 compliance. Your quality system cannot qualify for dual certification unless it meets all the requirements of both standards. Therefore, it’s more feasible to certify to only one or the other depending on your company’s focus area.8

6. What should our company leadership understand about ISO 13485:2016?

The success of a medical device company’s QMS relies on the support and involvement of the organization’s leadership. Aside from making sure the necessary resources are available and the quality objectives of the QMS align with the company’s strategic goals, top management should:9

  • Assess the effectiveness of the QMS.
  • Demonstrate that the QMS is an important part of business processes.
  • Encourage the pursuit of continuous improvement.
  • Address how the organization needs to incorporate risk management into all areas of the products’ life cycles.
  • Ensure processes are in place for staff to understand and meet applicable requirements from customers and regulators.

7. What is an ISO 13485 audit checklist?

Clause 8 of the ISO 13485:2016 Standard addresses the importance of internal audits, citing that a manufacturer must plan, perform, and document these audits on a regular basis. Audits of any type can be complex and challenging, so preparation is key. You can simplify QMS audits and elevate your chances for success by setting up an audit checklist.

An ISO 13485 audit checklist within your QMS solution is useful for all types of audits. It helps you prepare for and complete all audit tasks, ensuring there are no gaps, missing materials, or overlooked procedures that could prevent you from achieving compliance. Some of the items on the checklist might include:

  • Planning and scheduling – Ensure all auditors and company personnel are available and aware of the type of audit. This avoids confusion and rescheduling hassles in the event your organization is involved in multiple audits.
  • Materials – Identify all audit-related data, documents, training records, and other materials to ensure they are complete and accessible during the audit.
  • Organization – Are all departments and company personnel informed of the audit and trained on how to participate in the audit processes?

References:

  1. “ISO 13485:2016 Medical Devices — Quality Management Systems — Requirements for Regulatory Purposes,” International Organization for Standardization.
  2. “FDA Update Transition to ISO 13485:2016,” U.S. Food and Drug Administration (FDA), Dec. 5, 2018.
  3. “How Can ISO 13485 Help With MDR Compliance?,” Kristina Zvonar Brkic, ISO 13485 & MDR Blog, 13485 Academy, Mar. 9, 2020.
  4. “What Do Artificial Intelligence and Continuous Validation Have in Common?,” Kathleen Warner, Med Device Online, June 2, 2021.
  5. “Will ISO 13485 Remain Useful for its Regulatory Purpose?,” ISO/TC 210 Quality Management and Corresponding General Aspects for Medical Devices, June 20, 2019.
  6. “What Happens to ISO 13485 When Annex L Is Adopted?,” Mark Durivage, Med Device Online, Sept. 16, 2019.
  7. “IATF 16949:2016 in Detail: What Is the Annex L Platform?,” 16949 Store (article).
  8. “Similarities and Differences Between ISO 9001:2015 and ISO 13485:2016,” Mark Hammar, ISO 9001 Blog, 9001 Academy, Jan. 21, 2015.
  9. “How to Fulfill Management Responsibilities in ISO 13485:2016,” Waqas Imam, ISO 13485 & MDR Knowledge Base, 13485 Academy, March 9, 2020.


David Jensen is a content marketing specialist at MasterControl, where he is responsible for researching and writing content for web pages, white papers, brochures, emails, blog posts, presentation materials and social media. He has over 25 years of experience producing instructional, marketing and public relations content for various technology-related industries and audiences. Jensen writes extensively about cybersecurity, data integrity, cloud computing and medical device manufacturing. He has published articles in various industry publications such as Medical Product Outsourcing (MPO) and Bio Utah. Jensen holds a bachelor’s degree in communications from Weber State University and a master’s degree in professional communication from Westminster College.

