Currently, there are two versions of ISO 13485 or the Medical Device Management System (MDMS) standard: ISO 13485:2016 and EN ISO 13485:2016.
What’s their significance, if any, for medical device manufacturers and for component manufacturers, logistic suppliers and other organizations servicing the sector? In this post, we will explore the situation and provide the answers.
Table of Contents
- Similarities and differences between ISO 13485:2016 and EN ISO 13485:2016?
- New ISO 13485 Version in the Pipeline
- How do ISO 13485:2016 and EN ISO 13485:2016 compare with ISO 9001:2015?
- There's Greater Emphasis on Risk in the ISO 13485:2016 Versions
- Additional Regulatory Requirements in the ISO 13485:2016 Versions
- Clause-by-clause Comparison with Previous ISO 13485 Version
- Other Significant Updates in the ISO 13485:2016 Version
- Forgot to Transition to the New ISO 13485 Standard?
- Which ISO 13485 Version Should You Get?
Similarities and differences between ISO 13485:2016 and EN ISO 13485:2016.
The harmonized EN edition is identical word-for-word with the international edition. However, it contains three additional annexes identifying where compliance with the Standard does not adequately address requirements in EU Directives.
These three ISO 13485 Annex Z's provide greater clarity on the applicability and alignment of the current AIMDD (active implantable medical device directive), MDD (medical device directive), and IVDD (in vitro medical device directive) with the Standard.
New ISO 13485 Version in the Pipeline?
A new version of ISO 13485 has been initiated, but after a delay of 12 months plus, no Committee Draft (CD) has as yet been published.
COVID-19, regulatory changes globally, and the recent request by the EU for the Annexes of the next EN Version to address MDR, AIMDR, and IVDR requirements will not have helped. Not even a tentative publication date has appeared in the media. Our guess: 2026.
For the sake of clarity, we shall refer here only to ISO 13485:2016.
How do ISO 13485:2016 and EN ISO 13485:2016 compare with ISO 9001:2015?
It is safe to say that a comparison between the two ISO 13485:2016 versions and ISO 9001:2015 is more relevant than a comparison between ISO 13485:2016 and EN ISO 13485:2016.
In practical terms, in the day-to-day practicalities of implementing a Quality Management (QMS) that complies with ISO 13485:2016, it doesn’t matter which you choose – there’s no practical difference.
What for some will be more problematic is the difference vis-à-vis ISO 9001:2015, which many organizations will already have implemented before turning their attention to ISO 13485:2016.
There's Greater Emphasis on Risk in the ISO 13485:2016 Versions
This version, like its predecessor, requires the application and documentation of risk management to the control of the appropriate processes. This is not to be confused with the ‘risk-based approach’ of ISO 9001:2015.
The focus is on risks associated with the safety and performance of medical devices and compliance with regulatory requirements. In addition, the Standard asks organizations to be more stringent when it comes to outsourcing processes by putting into place controls (e.g., written agreements) for assessing their suppliers, again based on risk.
Additional Regulatory Requirements in the ISO 13485:2016 Versions
There is also more frequent mention of regulatory requirements. These were mentioned 16 times in the 2003 version and 72 times in the 2016 version.
While the new ISO 13485 Standard remains compatible with ISO 9001:2015, it retains the familiar structure of the earlier 2008 Standard. Even though published after the new ISO 9001 Standard, it does not follow Annex SL – the new high-level structure (HLS).
This common framework intended for all ISO management systems - helping to keep consistency, aligning different management system standards, offering matching sub-clauses, and applying a common language across all standards – has been ignored. No doubt this is because of the imprecise nature and ambiguous wording of the HLS-based Standards.
Clause-by-clause Comparison with Previous ISO 13485 Version
Table A.1 of Annex A provides a clause-by-clause comparison of the new 2016 edition of the Standard versus the previous edition and details the specific changes relating to each clause. This is a great asset for those transitioning to the new edition from an old MDMS, as it can be readily converted into an audit checklist.
Changed Relationship Between ISO 13485 and ISO 9001
The structural relationship between ISO 13485:2016 and ISO 9001:2015 is outlined in Annex B.
The mismatch between the two Standards is clearly to be seen, and those manufacturers and suppliers who require certification to both Standards are advised to have two Quality Manuals, one for each Standard, to show how quality policy will address the differing requirements. An integrated set of procedures can then implement the policies across the common processes.
Other Significant Updates in the ISO 13485:2016 Version
ISO 13485:2016 incorporates significant changes to quality management systems requirements for medical devices, including…
- Application to organizations throughout the life cycle and supply chain for medical devices;
- Expanded requirements for…
- document management,
- management review, and
- human resources;
- Emphasis on appropriate infrastructure, work environment, and contamination control, particularly for the production of sterile medical devices, and addition of requirements for validation of sterile barrier properties;
- Additional requirements for…
- planning, and
- record keeping;
- Increased linkage and communication with regulatory requirements, particularly for regulatory documentation;
- Additional requirements in design and development on consideration of usability, use of standards, verification and validation planning, design transfer, and design records;
- Harmonization of the requirements for software validation for different software applications (QMS software, process control software, software for monitoring and measurement) in different clauses of the standard;
- Emphasis on complaint handling and reporting to regulatory authorities in accordance with regulatory requirements, consideration of post-market surveillance, and
- Planning and documenting corrective action and preventive action and implementing corrective action without undue delay.
Other changes include more explicit detail related to the nature of the organization and the life-cycle stages covered by ISO 13485 QMS.
It contains requirements related to the control of changes to processes. The standard also addresses new requirements to protect confidential health information.
Forgot to Transition to the New ISO 13485 Standard?
All organizations previously certified to EN ISO 13485:2012 (or ISO 13485:2003) needed to transition to the new requirements by 30th March 2019. The IAF has stipulated this transition period.
Component manufacturers and those providing logistics and other services to the sector may have forgotten to migrate to the 2016 Standard.
If you are in this position, your previous certificate is worthless. From 31st March 2019, all accredited certifications to EN ISO 13485:2012 ceased to be valid.
Which ISO 13485 Version Should You Get?
In reality, the question should be which version your customers want. Once you’ve decided which suits you best, discuss it with your Certification Body.
Even if you are in the middle of a 3-year contract cycle with them, there should be no difficulty or significant cost in having your chosen version. It is even possible to get two Certificates (one for each edition) or one Certificate referencing both versions.
ISO 13485 available courses image map. Click on any course to learn more about it, including content, scope, learning materials, etc.
Note: First published in March 2019:revised and updated in May 2022.
deGRANDSON Global is an ISO Certified Educational Organization
In October 2021, we secured certification to three education-related ISO Standards. We now have a university-grade management system in place conforming to the requirements of …
We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment. It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.