ISO 13485 2016 vs ISO 13485 2003

Both old and new medical device standards cover essentially the same
topics. However, there are some important differences. Some of these
are discussed below.

The ISO 13485 standard was updated for two main reasons: to keep up
with changes in the industry and to address changes in the underlying
ISO 9001 standard. While the old ISO 13485 2003 standard was based on
the old ISO 9001 2000 standard, the new one is based on ISO 9001 2008.
While some people expected the new ISO 13485 standard to use the latest
ISO 9001 2015 standard, ISO TC 210 evidently feels that the older ISO 9001
standard better serves the needs of medical device suppliers, regulators,
and customers.


In general, the new ISO 13485 standard is more flexible than the old.
In the past, organizations could only exclude section 7 requirements
(on product realization) and then only if they could justify their decision.
Now, they can exclude any requirement in sections 6, 7, or 8 if they can
justify doing so because of the nature of their activities or products.

Regulatory requirements

While the old standard expected you to establish a QMS that complies
with ISO 13485, the new one now explicitly expects you to also comply
with all applicable regulatory requirements. This need to comply with
regulatory requirements is given greater emphasis now and is repeated
throughout the new standard. In fact, you're now also expected to set
objectives for meeting regulatory requirements (in addition to setting
objectives for meeting product requirements).

As you may have noticed, the peculiar redundancy in the phrase
statutory and regulatory requirements” has been removed. Now
we can simply refer to “regulatory requirements” (which, of course,
include statutory and other legal requirements).

Risk based approach

The new standard expects you to apply a “risk based approach”
to your organization's QMS processes. The old standard also expected
you to think about risk, but only during product realization (in section 7).
Now, you're expected to apply risk management methods and techniques
to all QMS processes, including outsourced processes.

Medical device file

While both old and new standards expect you to establish a special file
for each type of medical device, the new one clarifies exactly what this
means. You're now expected to include a description of each medical
device or family of devices and to include all associated specifications,
procedures, and records.

Record keeping

Record keeping requirements have also changed. The new standard now
expects you to record supplier monitoring and re-evaluation activities and
to consider privacy regulations when you develop methods for protecting
confidential health information.

Product realization

While the section on product realization still covers the same basic
topics, a few noteworthy items have been added. While the old standard
expected you to identify your product verification, validation, monitoring,
inspection, and testing requirements, the new one has added a few more
to this list. It now also expects you to establish your product handling,
storage, measuring, revalidation, and traceability requirements as well.

User training

While the old standard focused on the need to identify product
requirements specified by customers and regulatory bodies, the
new one wants you also to think about the safety and performance
of your products and the associated training needs of product users
and to verify that regulatory requirements will be met and user training
will be available before you agree to supply products to customers.

Design and development inputs

The section on design and development inputs has also been
expanded. In addition to all the old requirements, the new standard
now also wants you to consider risk management outputs, to clarify
product usability and safety requirements, and to make sure that
input requirements can be verified or validated.

Design and development verification and validation

This section has also been expanded. The new standard not only
expects you to document your verification and validation plans and
arrangements (something the old standard overlooked) it now also
wants you to think about how to verify and validate medical devices
that connect to or interface with other medical devices. It now expects
you to verify that design outputs meet input requirements when these
devices are connected or interfaced and to validate that intended
use or application requirements are met when devices are
connected or interfaced.

Design and development changes

While the old ISO 13485 2003 standard expected you to control
design and development changes, it didn't really talk much about how
this should be done. The new ISO 13485 2016 standard fills in some of
the gaps. It not only asks you to establish processes to control changes
and to evaluate their significance and impact, it now also expects you to
maintain a file for each medical device or family of medical devices that
documents these changes.

Design and development transfer

This topic has been elevated in importance and has now received
its own subsection. The old standard devoted only a single line and
two notes. Now special emphasis is given to the need to ensure that
outputs are suitable for manufacturing before they become official
production specifications.


Purchasing has also changed. The old section on purchasing has
been subdivided into four new sections and new requirements have
been added. While the old standard expected you to establish supplier
selection and evaluation criteria, it didn't provide any details. Now it does.
You now need to consider your medical device and the risk you're taking
in addition to the effect purchased products have on the safety and
performance of your medical device. And in addition to making sure that
your suppliers are capable of meeting your organization's requirements,
you now also need to worry about whether they can meet all relevant statutory requirements.

Supplier monitoring

But you're not done yet. Now that you've selected a supplier, you
not only need to monitor the supplier's performance, you now also
need to consider your risk whenever suppliers underperform, and
you need to respond in a way that is proportional to the risk that
you're taking. And while both old and new standards want you to
establish a record of supplier evaluations, now you're also expected
to record your supplier monitoring and re-evaluation activities.

Purchased product risks

Like the old ISO 13485 standard, the new one expects you to verify that
purchased products meet purchase requirements. But now you're also
expected to consider the risk associated with the product you've
purchased and to worry about what to do when unanticipated changes
are made to purchased products and to determine whether or not these
changes affect your medical device or your product realization process.

Process validation

Both old and new standards expect you to establish procedures to
validate production and service delivery processes that generate outputs
that can't be verified until the product is in use or the service has been
delivered. Now you're also expected to establish validation plans and to
revalidate processes whenever necessary.


The servicing section has also changed. In addition to having to
document your organization's servicing procedures and reference
materials, you're now also expected to analyze servicing records in
order to identify servicing complaints and improvement opportunities.


While the old ISO 13485 standard discussed the need to handle
complaints, this important material was spread over several sections.
The new standard brings most of it together in one new section and
broadens and expands it to include all kinds of complaints (not just
customer complaints). It now also expects you to develop and
document complaint handling procedures that comply with all
applicable regulatory requirements. The old standard merely
asked you to establish arrangements, not procedures.

Delivery of nonconforming product

The section on the unintended delivery of nonconforming product
has also been reorganized and reworded and new subsections and
new detail has been added. The result is a much more useful section.
The new standard now expects you to investigate nonconforming
products that have been delivered, to determine if corrective action
is needed, and to consider whether or not responsible external
parties need to be notified.


The section on improvement has also been enhanced. In addition
to having to maintain the suitability and effectiveness of your QMS,
you're now also expected to maintain the safety and performance
of your products whenever improvements are being considered.
In addition, before you implement corrective and preventive actions,
you're now expected to verify that they comply with all applicable
regulatory requirements and that they do not compromise the
safety and performance of your medical devices.

MORE ISO 13485 2016 PAGES

Introduction to ISO 13485 2016

Outline of ISO 13485 2016 Standard

Overview of ISO 13485 2016 Standard

Plain English ISO 13485 2016 Definitions

ISO 13485 2016 Translated into Plain English

ISO 13485 2016 Quality Management Checklist

ISO 13485 2016 Quality Management Gap Analysis

Also see: ISO 9001 2015 vs ISO 9001 2008 and ISO 14001 2015 vs ISO 14001 2004.

Home Page

Our Library

A to Z Index

Our Customers

How to Order

Our Products

Our Prices

Our Guarantee

Praxiom Research Group Limited        780-461-4514

Updated on April 17, 2021. First published on June 30, 2015.

Legal Restrictions on the Use of this Page
Thank you for visiting this webpage. You are welcome to view our material as often as
you wish, free of charge. And as long as you keep intact all copyright notices, you are also
welcome to print or make one copy of this page for your own personal, noncommercial,
home use. But, you are not legally authorized to print or produce additional copies or to
copy and paste any of our material onto another web site or to republish it in any way.

Copyright © 2015 - 2021 by Praxiom Research Group Limited. All Rights Reserved.

Praxiom Research Group Limited