On February 25, 2016, the International Organization for Standardization (ISO) published its updated ISO 13485 guidance. The guidance, which was originally published in 2003, is the global standard for medical device quality management systems. Specifically, the guidance includes “requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices related to services that consistently meet customer and applicable regulatory requirements.”
The requirements for a medical device quality management system are comprehensive, and adoption of the ISO 13485 standard provides a way for organizations to meet these strict requirements.
ISO 13485 certification is not legally required, as organizations can create a quality management system suited to their own unique needs so long as it meets the regulatory requirements for medical devices where they will be made and sold. Organizations may choose to implement the ISO 13485 standard without seeking certification. However, ISO 13485 certification is an extra step that can show regulators you’ve met the requirements of the standard.
If organizations choose to adopt the ISO 13485 standard and/or seek certification, it’s important to understand its requirements. ISO 13485 has several requirements to ensure the medical device meets all regulatory requirements. These requirements apply to all organizations regardless of size unless specifically noted.
ISO 13485 is split up into eight sections. The first three sections of ISO 13485 are an introduction, while the remaining five sections provide mandatory requirements for the quality management system. Here is an overview of each section:
For more information, you can view the full ISO 13485 documentation.
According to the ISO Transition Planning Guidance, the updated document “is intended for current users of ISO 13485:2003, those who are intending to use ISO 13485:2016, as well as other interested parties” including, but not limited to:
In addition, ISO has stated that the “requirements of ISO 13485:2016 are applicable to organizations regardless of their size and regardless of their type except where explicitly stated. Wherever requirements are specified as applying to medical devices, the requirements apply equally to associated services as supplied by the organization.”
The revised guidance highlights the importance of having a quality management system (QMS) in place throughout the supply chain. Furthermore, ISO 13485:2016 draws particular attention to requirements regarding device usability and post-market surveillance.
Although the new document is simply a revision to the original guidance, there are a number of fairly significant differences between the two. According to the Regulatory Affairs Professional Society (RAPS), the largest differences between the 2003 and 2016 versions of the guidance include the following:
While ISO 13485 is an internationally recognized standard set of requirements for medical devices, it also has a European counterpart (EN ISO 13485) which is issued in the EU with one key addition. ISO 13485 and EN ISO 13485 have the same main text, but EN ISO 13485 includes additional Z annexes regarding compliance with MDD (directives 90/385/EEC, 93/42/EEC, and 98/79/EC).
Manufacturers, regulators, certification bodies, and any other applicable parties were given three years to transition from ISO 13485:2003 to ISO 13485:2016. As of 2/28/2019, any existing ISO 13485:2003 certificates are expired.