Common Questions about ISO 13485:2016

By Linda Chatwin

Published 04.08.16

The latest version of ISO 13485, Medical devices – Quality management systems – Requirements for regulatory purposes, was published in early 2016, the first major revision in over 10 years. With ISO citing 27,791 ISO 13485 certifications globally in 2014, the revision will have a major impact on the medical industry. In May 2016, UL Business Manager Linda Chatwin, RAC, JD, and MasterControl Lead Auditor Walt Murray presented a live webinar, “ISO 13485:2016 Updates – What is the Fall Out?”, to over 500 attendees.

The following are responses to the questions asked by the audience during that webinar. You can view it and other recorded webinars online at: Webinar Recording: ISO 13485:2016 – Change? Do I Have To?

1. We are now ISO 9001:2008 and EN ISO 13485:2012. With the introduction of 13485:2016 can we drop our ISO 9001 certification?
A: Each company needs to assess its needs with respect to this question. ISO 9001 certification is relevant to general or industrial products; EN ISO 13485 is relevant to medical devices. So, if a company markets both, the 13485 would be required for marketing medical devices in several countries; however, a customer requirement for general/industrial products is usually the reason for the 9001 certification.

2. For the EN ISO 13485, I understand Risk Management must be included in all processes in the Quality Management System (QMS). When would my QMS be updated to include Risk Management in all business processes?
A: The notified bodies are planning for a 3-year transition with the EN blessing for change to the 2016 standard. Therefore, the QMS should be updated during this transition period. You would want to work your transition schedule with your notified body.

3. Risk Management has been referenced in ISO 13485 and indeed “risk-based” thinking has been encouraged by both the current ISO 9001 and ISO 13485. Does the standard outline how frequently a Risk Management Review on a product should be conducted? Or is it down to the classification of the device and to the discretion of the manufacturer?
A: There is no prescribed timeline for risk reviews. It may vary across a number of processes, and of course a summary of risk management activities would be included in Management Reviews during the regularly scheduled times. Reviews should be conducted with sufficient frequency to allow the risk process to remain robust for the company's needs.

4. Please help to define a critical job/task.
A: This is dependent on each company’s products and processes. Therefore, it would be necessary to engage with the company to assist in helping define these items.

5. Talking about risk-based supplier control, many organizations have approved vendor lists. How have MasterControl / UL seen companies distinguish between vendors who may impact quality (supplying parts/services related to the product) versus those who may not (suppliers of office supplies, janitorial services, catering, etc.)? Would anything change with the 13485 update?
A: The distinguishing factor is handled through risk management activities, and therefore usually companies will categorize their vendors with a rating system such as 1-5, with 1 being those which are critical to quality and 5 being those not bearing on quality, and fit the others in depending on the level of impact they have to quality.

6. My company wants to get ISO 13485 Certification next year (2017) – can we still get ISO 13485:2003 certified or do we have to get ISO 13485:2016?
A: That would be something to work out with your notified body. Since there is a 3-year transition period, if you get a certification next year to the 2003 version, you will be required to undergo a full re-assessment for transition to the 2016 version by March 2019.

7. Will the new standard satisfy the requirements of the MDD?
A: This is a broad question, so it is difficult to respond fully. The MDD will be replaced by the Medical Device Regulation (MDR), presumably during this year. It will be necessary to determine what the MDR requirements will be, and map them to the 13485 requirements. I am going to venture that there will be complementary requirements, but not necessarily satisfied.

8. What are the key changes/requirements to be looked at by service providers who don’t own any product?
A: If, for instance, you are talking about software as a service, which is a medical device, then most requirements will apply with the exception of production and process controls. Each service company would need to evaluate the requirements that apply to their business. Of course, we can help with that during an engagement.

9. If the SOUP or COTS is part of the system software, do we still need to perform a validation prior to the initial use?
A: Yes, but only for your own use. So, for instance, you are not expected to fully validate Excel, but if you create a spreadsheet specifically for your internal purposes, that spreadsheet needs to be validated.

10. What are the major differences between ISO 13485:2003, 2012 and the latest 2016?
A: The 2012 version mainly involved EN bringing risk management to an “as low as possible” standard. You can read about the major changes in our article.

Please complete the form to download the full Q&A which includes answers to 28 questions asked live during the webinar.