Big Changes in ISO 13485:2015?

Big changes expected from ISO 13485: 2015? The short answer is, no. But, you need to familiarize yourself with the changes. This article summarizes the 113 page draft to 3 pages.

On February 5, 2015, a second draft of ISO 13485 was released to the world for comment. The expectation is that there will be very few comments of significance for this second draft. If the comments can be resolved quickly, the technical committee is expected to release the final version of ISO 13485:2015 this fall prior to the release of ISO 9001:2015.

I read through the 113 pages of the draft and was surprised to see fewer significant changes than I expected. The draft’s first four pages are a forward and table of contents. The Standard itself actually begins on page five and ends on page 36. I understand that the technical committee is not convinced that there is a need for a guidance document for this new revision (i.e., there is no need for ISO 14969 to be updated). I agree that the changes are minor and there is little advantage to creating a new guidance document. At most, I would make minor revisions to the existing ISO 14969 guidance, but I seriously doubt that the committee will take the time to do this.

Organization of the Draft Standard
Originally I planned to perform a side-by-side comparison of the two versions, but this draft already includes a side-by-side comparison of every clause in pages 37-90 of the draft. Pages 91-111 are harmonization annexes (Annex ZA-ZC), which explain how the Standard is harmonized with the three medical device directives in Europe. I suspect that these Annexes will need to be completely re-written when the new European Medical Device Regulations are released in 2016. Page 112 is a bibliography, and page 113 is blank.

What's New with ISO 13485:2015 DIS2
The following section of the article is divided into the Clauses of the Standard.

Clause 0
Clause 0.1 identified seven expectations of your quality system, and Clause 0.2 has four new goals for your quality system. These two subsections should be specifically addressed in your revised quality manual.

Clause 1
The most significant change here is that Clause 1.2 now expands the possible clauses for non-applicability from just Clause 7 to now include Clauses 6 and 8. I always felt that this was needed—especially for service organizations that do not have physical products that are manufactured. However, the changes made to clause 6 and 8 necessitate this change.

Clause 2
The only change associated with this clause is specific to referencing the updated version of standards (e.g., ISO 9000:2005).

OMTEC transparent 2016

Mr. Greg Howard will provide an update on ISO 13485 and how companies can implement changes at OMTEC 2016. 

Get a jump start on the revised risk management standards, the scope of the revisions, and more during Mr. Howard's session, "How to Implement ISO 13485 Updates".

     Clause 3
     There were a number of definitions that were added to this draft. How exciting.

     Clause 4
     There are very few changes to this Clause, but the three most significant changes are:
             •   Clause 4.1.5 includes a specific requirement for controls of outsourced
                 processes to be risk-based and to have written agreements with suppliers,
             •   Clause requires creating and maintaining technical files, and
             •   Clause 4.2.4 requires defining methods for maintaining confidential
                 patient records.

     Clause 5
     The changes to this clause are quite minor. The changes are primarily isolated to
     management review requirements. Specifically, rationale for the frequency of
     management reviews must now be documented. The management review inputs must
     now include more information related to complaint handling to reflect the addition of

Finally, the management review output must now include changes needed to the quality system in order to address new and revised regulatory requirements. Most companies already do this, but now it is a specific requirement to be documented in the meeting outputs.

Clause 6
There is a minor change in Clause 6.2.2 that suggests a change in the emphasis of the overall standard: “product quality” was changed to “product safety or performance.” You should also note that now there is a requirement for addressing competency. This has been specifically emphasized by registrars in recent years, but now it is part of the standard as well. Sections 6.3 and 6.4 were changed significantly.

I recommend reviewing these two sections carefully. Most companies have inadequate procedures and processes for maintenance and control of the work environment and infrastructure. The changes go far beyond controlled environments. This would also be a good time to adopt the process approach to auditing, if you are not already doing so. It is much easier to verify compliance with clauses 6.3 and 6.4 if you use the process approach than to conduct an audit using the element approach or by auditing procedures.

Clause 7
You will notice that there are many more references to software now throughout Clause 7. This should significantly help companies that are developing standalone software products instead of physical products. This Standard now incorporates the word risk 19 times throughout the Standard, whereas the previous version only had mention of risk in section 7.1.

However, this is not nearly as significant as the changes related to risk that were incorporated in ISO 9001:2015. Section 7.2 was expanded to include user training as part of customer communication. Section 7.3 only has minor changes, with the exception of the additional Clause 7.3.8 for Design Transfer and Clause 7.3.10 for a Design and Development File (i.e., DHF). These additions obviously harmonize the ISO 13485 Standard further with 21 CFR 820.30.

Clause 7.4 was significantly expanded with new prescriptive requirements related to supplier controls. Most companies will already be compliant with these requirements, but if your supplier controls are weak, this will be an immediate area for focused improvement in your quality system. You will also need to do a good job of integrating a risk-based approach to your supplier controls.

Changes to Clause 7.5 are minor, but there is now a requirement for addressing UDI regulations in Clause

Clause 8
There are essentially four changes to Clause 8:
     1.  Clause 8.2.1 now identifies feedback as a formal input into risk management;
     2.  Clause was added as a prescriptive complaint handling section to harmonize the ISO 13485 with 21 CFR 820.198;
     3.  Clause 8.3 for control of nonconforming product was split into four subsections with additional requirements for control of
          nonconforming product after delivery, including advisor notices; and
     4.  Clause 8.4 for data analysis now describes opportunities for preventive action as “opportunities for improvement.” In
          addition, there are two new data analysis requirements (i.e., audits and service reports).

What’s NOT New?
Unlike ISO 9001:2015, there is still a requirement for a quality manual in ISO 13485:2015. In addition, the numbering of the clauses and the overall structure remains unchanged in the 2015 draft. Clauses 1, 2, 4 and 5 and 8 remain almost unchanged in the draft version of ISO 13485. Clause 0 of the Standard is clearly more verbose than the previous version, but the big message is that this clause now does a better job of explaining what the expectations should be for your quality system.

My biggest surprise is what appears to be missing
I was most surprised by the lack of incorporating regulatory requirements from the European Directives. Specifically, I did not see significant changes to the post-market surveillance requirements that specified a requirement for post-market clinical follow-up (PCMF) or the requirement to justify what PMCF is not required. This is a requirement of Annex X, 1.1c in the MDD, but the requirement is still not included in ISO 13485.

I also did not see a specific requirement for essential principles of design for safety, efficacy and performance. This is a requirement in Australia, Canada and Europe—but not in ISO 13485. We have a GHTF guidance document for this, but there does not seem to be any effort to incorporate this concept into design controls. I was expecting it to be included in the new section 7.3.3 for Design Inputs. Instead, there is only an addition of the requirement for design verification and validation and a reference to IEC/ISO 62366 (Usability).

Finally, I was surprised that ISO 13485 continues to neglect the discussion of clinical studies and investigational devices. The 2003 version of the standard only mentions clinical studies under Clause 7.3.6, Design and Development Validation. The 2015 draft now has the definition of a clinical evaluation as Clause 3.3 and the reference to clinical studies remains in the Design and Development Validation section.

What’s the Expected Impact?
For companies that already have a quality system that is compliant with both ISO 13485 and 21 CFR 820, I expect the impact to be minor. Therefore, I recommend that companies “fast-track” their transition to ISO 13485:2015. Other consultants and quality managers may recommend waiting to make all the changes at one time, but I feel that this will make the changes associated with the European Regulations even more difficult to implement without errors and more difficult for registrars to verify compliance.

For companies that do not have a quality system that is compliant with 21 CFR 820, this is the ideal time to overhaul your quality system for compliance with the U.S. FDA. The changes are minor and you may find that the 2015 version of ISO 13485 actually facilitates your own transition to compliance with 21 CFR 820.

I think this version of the Standard will help companies implement ISO 14971 in a more integrated way throughout the quality system, but the integration of risk management falls short of the ambitious changes presented by ISO 9001:2015. If your company already has ISO 9001:2008 certification, you may want to complete your transition to ISO 13485:2015 prior to tackling the changes required by ISO 9001:2015. My rationale is similar to the rationale for implementing ISO 13485:2015 prior to the release of the European Medical Device Regulations.

Rob Packard is a regulatory consultant with 20 years of experience in the medical device, pharmaceutical and biotechnology industries. Mr. Packard served in senior management at several medical device companies, including President and CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing and maintaining ISO 13485 and ISO 14971 certification. From 2009 to 2012, he was a lead auditor and instructor for one of the largest Notified Bodies. His specialty is regulatory submissions for high-risk medical devices for CE Marking applications, Canadian medical device applications and 510(k) submissions. The most favorite part of his job is training others. He can be reached at This email address is being protected from spambots. You need JavaScript enabled to view it..

Medical Device Academy