ISO 13485:2016With the March 1, 2016 release of ISO 13485:2016, medical device developers and manufacturers have been given a three year grace period to implement changes from the previous 2003 version. During those three years both the 2016 and 2003 versions will be valid to operate under; however after the three year grace period, compliance with the 2016 version will be mandatory.
So what are the major changes and how are organizations to address them? This blog will cover sections 4, 5 and 6 of ISO 13485:2016 and the major changes from the 2003 version while Part 2 will go over sections 7 & 8.

Section 4 – Quality Management System

ISO 13485:2016 places heavy emphasis on a risk-based approach throughout the quality management system following the current process approach in ISO 13485:2003, which only required risk management for product realization. This ‘new’ risk approach will also be mandatory for any outsourced processes.

An example of risk-based approach can be seen in the major change for the validation of software. All software used in the quality management system will require documentation of the procedures for validation. “The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of the software.”

Also within section 4 is the additional requirement of a Medical Device File, similar to a technical file.

“The content of the file(s) shall include, but is not limited to:

  1. a) general description of the medical device, intended use/purpose, and labelling, including any instructions for use;
  2. b) specifications for product;
  3. c) specifications or procedures for manufacturing, packaging, storage, handling and distribution;
  4. d) procedures for measuring and monitoring;
  5. e) as appropriate, requirements for installation;
  6. f) as appropriate, procedures for servicing.”

Section 5 – Management Responsibility

Changes to section 5 are fairly minimal. Responsibilities and authority must now be documented for the interrelation of all personnel that manage, perform and verify work affecting quality. There is also the additional requirement of documenting procedures for management review, which essentially means that there needs to be documented justification for the frequency at which management reviews are held.

Section 6 – Resource Management

There are several larger changes within section 6. First, within “Human Resources” the organization will now be required to document the processes used to establish competence, provide training and ensure awareness of personnel.  Furthermore, there is accentuated value in maintaining, updating and evaluating competence of those working within the organization’s quality management system. This means that organizations must be able to provide continuous retraining when required and be able to provide a means of evaluating the effectiveness of said training.

Within the subsection of “Infrastructure” there is a new requirement stating that the organization must document the requirements of their infrastructure in order to achieve conformity to product requirements and prevent product mix-ups ensuring orderly product handling.

Section 6 also includes updates to the previous “Work Environment” section as well as a new sub-section dedicated to “Contamination Control”. The additions to work environment state once again that the requirements of the work environment needed to achieve conformity to product requirements, must be documented. On top of this, organizations are expected to control their work environment by documenting requirements for health, cleanliness and clothing of personnel if they can have any effect on medical device safety or performance. There is also a “note” referencing ISO 14644 – “Classification of air cleanliness in terms of concentrate of airborne particles in cleanrooms and clean zones”, and ISO 14698 – “Standard on Bio-contamination control for cleanrooms”.

The new subsection “Contamination Control” includes requirements for a plan and documentation in order to control contaminated product and prevent contamination of the work environment, personnel, or product. It is also addresses sterile medical devices. The subsection states that the organization must document the requirements for control of contamination with microorganisms or particulate matter and maintain the required cleanliness during assembly or packaging process. This means that any work involving sterile medical devices will now require validation of control methods in place.

Key Take-aways

The main things to take away from changes made in Sections 4, 5, and 6 are the following:

  • Risk-based approach for all things related to the Quality Management System, including external processes.
  • Software Validation
  • Addition of a Medical Device File
  • Documentation of the justification as to the frequency at which management reviews are held
  • Means of evaluating the effectiveness of training provided
  • Validation of Work Place Environment procedures
  • Validation of sterility control methods

Overall, many of the changes can be summarized as “everything must now be documented in one way or another”. Part 2 of my review of changes in ISO 13485 will cover Section 7 – Product Realization and Section 8 – Measurement, analysis and improvement.  In the meantime, I look forward to hearing from readers on questions they may have on the new requirements.

Michael May is a Jr. QA/RA Specialist st StarFish Medical.  He uses his background in biomaterials engineering to help clients with QA/RA challenges. Mike also uses his Pokemon Go skills to fill time when hockey season is over.

14 responses to “How ISO 13485:2016 changes will impact your QMS (sections 4-6)”

  1. Steve Jackson says:

    Hi Michael

    What are your experiences correlating ISO 14644 with the new ISO 13485 standard? How do you go about documenting requirements for a work environment? I have a special room in my basement that I use to repair electronics in that I keep clean but I’m not sure what the requirements are. I’m curious to hear about what you’ve heard or what your experiences are.

    Also, what level have you made it to in Pokémon Go? 🙂

  2. Hi Steve,

    Thanks for reading and for your response. The requirements for your work environment depend on what you are working with in your controlled environment. In the medical device industry a risk based approach is taken to identify possible hazards (say from dirt particles) and then mitigations are put in place. The extent of those mitigations is up to you; whatever you feel is appropriate to control the level of particles in your room for the work that you are doing. In your case you might just create a document which lists all of the things you do/have in your room to keep it clean (e.g. mop floor once a week, turn on ventilation while working, etc.). Here at StarFish we also have a special clean room in our basement. We have a whole procedure that outlines the required activities to keep it clean but we make medical devices so that might be a bit different from what you are doing in your basement. I hope this helps and good luck with your project!

    Oh, and just yesterday I made it to Level 12!

  3. Yair Penias says:

    Hi Michael
    I am adjusting the Technical File procedure to the new 4.2.3 requirement for Medical Device File. Why do we need the “procedures for measuring and monitoring” as part of the technical file? The intention was probably to the outcome of those procedures to be part of the technical file, meaning PMS summary report and/or Clinical Evaluation Report.

  4. Hi Yair

    Thank you for your question and sorry for the delayed response. I doubt the requirement means SOPs but rather is referring to any product specific procedures for measuring or monitoring if they exist (e.g. a procedure to measure the output of a laser as a check before it is used). Either that or it means they expect you to include the procedures used for measuring and monitoring (e.g. verification/validation procedures). I doubt they’d actually want you to include an SOP in the file but they would want you to reference it.

  5. Dayou Yang says:

    Hi Michael:
    Where to find your review of changes in ISO 13485 for Section 7 – Product Realization and Section 8 – Measurement, analysis and improvement? Thanks in advance if to advise.

  6. Meveille says:

    Hi Michael,
    I am new at this , I might ask silly questions, sorry in advance,
    we have ISO 9001: 2016 implemented already, we are in the process of implementing ISO 13485: 2016 for the first time, please advise what are the appropriate measures to follow and how do they relate to another.
    thank you!

  7. Hi Dayou,

    Sorry I missed these questions. Next blog is scheduled for October.


  8. Hi Meveille,

    If you already have ISO 9001: 2015 then you are on a good track. Annex B of ISO 13485: 2016 shows the correspondence between the two standards. Hopefully the annex can help you identify and address any gaps.


  9. kumar says:


    I need some information on Risk management related to ISO 13485:2016-Product life Cycle. do we need to Cover the Environmental risk Category too(Ex Single use device-Impact on the environment)?

  10. Mike Camplin says:

    While FDA provides access to their 510(k) database and information on cleared devices can also be obtained via the Freedom of Information rout, the same option unfortunately does not exist in Europe. Information on CE marked devices can be obtained from the public domain only. For example Instructions for Use are often available on Internet or clinical study information is published in scientific journals.

  11. Hi Kumar,

    Apologies for the delay, ISO 13485:2016 does not address environmental management with respect to risks to the environment. It does however require that a risk management process be executed during the design stage of the product life-cycle. This process is done in accordance with ISO 14971 which does require risks to the environment to be addressed but this is with respect to use of the device being designed. The “risk based approach” for processes outlined in ISO 13485 does not have to adhere to the specific requirements of ISO 14971 so environmental impact does not have to be assessed for these processes, only during device specific risk management in the design stage of the product life-cycle.

  12. Janeth Narag says:

    Hi Mike,
    Thanks for a very informative description of changes on ISO13485:2015. I would like to clarify on Clause 4 QMS requirement “All software used in the quality management system will require documentation of the procedures for validation”. Does this requirement also applicable to the “software” we used in our design and development stage? Meaning, software used in the design and development needs to be validated?

    Thanks, Janeth

  13. Hi Janeth,

    Generally software used in production is under more scrutiny, but yes, software used for Design & Development should also be validated. The level of validation required is dependent on the risk associated with the use of the software.

    For guidance on validation of the application of software used in your QMS, you can find additional information in ISO/TR 80002 2 as per ISO 13485 –Medical Devices A practical guide. Also, the guide specifically lists D&D SW:
    “Computer software can be used to implement, monitor, measure or analyze the QMS. Software applications can be used for design and development of product, testing, production, labelling, distribution, inventory control, document management, data management, complaint handling, equipment calibration and maintenance, corrective action or preventive action.”

    Also note that the standard doesn’t dictate how you validate the software and as I mentioned it is risk based. So companies can make up their own tests and acceptance criteria.

    Hope this answers your question.


  14. Hello

    I read your article and that is nice, great, informative and helpful.

    ISO 13485:2016 Standard clauses and requirement for a quality management system and Risk management principles are applicable to all types of organizations irrespective of size or nature and applicable to all like Hospital, Health Care, Medical Devices in India.

Leave a Reply

Your email address will not be published. Required fields are marked *