ISO 13485:2016With the March 1, 2016 release of ISO 13485:2016, medical device developers and manufacturers have been given a three year grace period to implement changes from the previous 2003 version. During those three years both the 2016 and 2003 versions will be valid to operate under; however after the three year grace period, compliance with the 2016 version will be mandatory.
So what are the major changes and how are organizations to address them? This blog will cover sections 4, 5 and 6 of ISO 13485:2016 and the major changes from the 2003 version while Part 2 will go over sections 7 & 8.

Section 4 – Quality Management System

ISO 13485:2016 places heavy emphasis on a risk-based approach throughout the quality management system following the current process approach in ISO 13485:2003, which only required risk management for product realization. This ‘new’ risk approach will also be mandatory for any outsourced processes.

An example of risk-based approach can be seen in the major change for the validation of software. All software used in the quality management system will require documentation of the procedures for validation. “The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of the software.”

Also within section 4 is the additional requirement of a Medical Device File, similar to a technical file.

“The content of the file(s) shall include, but is not limited to:

  1. a) general description of the medical device, intended use/purpose, and labelling, including any instructions for use;
  2. b) specifications for product;
  3. c) specifications or procedures for manufacturing, packaging, storage, handling and distribution;
  4. d) procedures for measuring and monitoring;
  5. e) as appropriate, requirements for installation;
  6. f) as appropriate, procedures for servicing.”

Section 5 – Management Responsibility

Changes to section 5 are fairly minimal. Responsibilities and authority must now be documented for the interrelation of all personnel that manage, perform and verify work affecting quality. There is also the additional requirement of documenting procedures for management review, which essentially means that there needs to be documented justification for the frequency at which management reviews are held.

Section 6 – Resource Management

There are several larger changes within section 6. First, within “Human Resources” the organization will now be required to document the processes used to establish competence, provide training and ensure awareness of personnel.  Furthermore, there is accentuated value in maintaining, updating and evaluating competence of those working within the organization’s quality management system. This means that organizations must be able to provide continuous retraining when required and be able to provide a means of evaluating the effectiveness of said training.

Within the subsection of “Infrastructure” there is a new requirement stating that the organization must document the requirements of their infrastructure in order to achieve conformity to product requirements and prevent product mix-ups ensuring orderly product handling.

Section 6 also includes updates to the previous “Work Environment” section as well as a new sub-section dedicated to “Contamination Control”. The additions to work environment state once again that the requirements of the work environment needed to achieve conformity to product requirements, must be documented. On top of this, organizations are expected to control their work environment by documenting requirements for health, cleanliness and clothing of personnel if they can have any effect on medical device safety or performance. There is also a “note” referencing ISO 14644 – “Classification of air cleanliness in terms of concentrate of airborne particles in cleanrooms and clean zones”, and ISO 14698 – “Standard on Bio-contamination control for cleanrooms”.

The new subsection “Contamination Control” includes requirements for a plan and documentation in order to control contaminated product and prevent contamination of the work environment, personnel, or product. It is also addresses sterile medical devices. The subsection states that the organization must document the requirements for control of contamination with microorganisms or particulate matter and maintain the required cleanliness during assembly or packaging process. This means that any work involving sterile medical devices will now require validation of control methods in place.

Key Take-aways

The main things to take away from changes made in Sections 4, 5, and 6 are the following:

  • Risk-based approach for all things related to the Quality Management System, including external processes.
  • Software Validation
  • Addition of a Medical Device File
  • Documentation of the justification as to the frequency at which management reviews are held
  • Means of evaluating the effectiveness of training provided
  • Validation of Work Place Environment procedures
  • Validation of sterility control methods

Overall, many of the changes can be summarized as “everything must now be documented in one way or another”. Part 2 of my review of changes in ISO 13485 will cover Section 7 – Product Realization and Section 8 – Measurement, analysis and improvement.  In the meantime, I look forward to hearing from readers on questions they may have on the new requirements.

Michael May is a Jr. QA/RA Specialist st StarFish Medical.  He uses his background in biomaterials engineering to help clients with QA/RA challenges. Mike also uses his Pokemon Go skills to fill time when hockey season is over.


Share on Facebook8Share on LinkedIn52Tweet about this on Twitter

4 responses to “How ISO 13485:2016 changes will impact your QMS (sections 4-6)”

  1. Steve Jackson says:

    Hi Michael

    What are your experiences correlating ISO 14644 with the new ISO 13485 standard? How do you go about documenting requirements for a work environment? I have a special room in my basement that I use to repair electronics in that I keep clean but I’m not sure what the requirements are. I’m curious to hear about what you’ve heard or what your experiences are.

    Also, what level have you made it to in Pokémon Go? 🙂

  2. Michael May says:

    Hi Steve,

    Thanks for reading and for your response. The requirements for your work environment depend on what you are working with in your controlled environment. In the medical device industry a risk based approach is taken to identify possible hazards (say from dirt particles) and then mitigations are put in place. The extent of those mitigations is up to you; whatever you feel is appropriate to control the level of particles in your room for the work that you are doing. In your case you might just create a document which lists all of the things you do/have in your room to keep it clean (e.g. mop floor once a week, turn on ventilation while working, etc.). Here at StarFish we also have a special clean room in our basement. We have a whole procedure that outlines the required activities to keep it clean but we make medical devices so that might be a bit different from what you are doing in your basement. I hope this helps and good luck with your project!

    Oh, and just yesterday I made it to Level 12!

  3. Yair Penias says:

    Hi Michael
    I am adjusting the Technical File procedure to the new 4.2.3 requirement for Medical Device File. Why do we need the “procedures for measuring and monitoring” as part of the technical file? The intention was probably to the outcome of those procedures to be part of the technical file, meaning PMS summary report and/or Clinical Evaluation Report.

  4. Michael May says:

    Hi Yair

    Thank you for your question and sorry for the delayed response. I doubt the requirement means SOPs but rather is referring to any product specific procedures for measuring or monitoring if they exist (e.g. a procedure to measure the output of a laser as a check before it is used). Either that or it means they expect you to include the procedures used for measuring and monitoring (e.g. verification/validation procedures). I doubt they’d actually want you to include an SOP in the file but they would want you to reference it.

Leave a Reply

Your email address will not be published. Required fields are marked *