Twelve-step transition process from

ISO 13485:2003 to the 2016 revision

WHITE PAPER

Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. 1
Table of Contents

Purpose ......................................................................................................................................................... 3
Other useful resources ................................................................................................................................. 3
Timing of the transition ................................................................................................................................ 3
Twelve-step transition process ..................................................................................................................... 4
Sample documentation ................................................................................................................................ 8

Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. 2

Purpose
This white paper is intended for companies that have implemented ISO 13485:2003, and are planning to
transition to the 2016 revision. The transition should be focused on key improvement areas such as better
alignment with regulatory requirements, post-market surveillance including complaints, emphasized risk
management, robust infrastructure (especially for sterilization requirements), etc. This document
describes the suggested steps in the transition process.

Other useful resources

For more information about the ISO 13485:2016 revision, see these articles:

Infographic: Whats new in the 2016 revision of ISO 13485

List of mandatory documents required by ISO 13485:2016
How to fulfill management responsibilities in ISO 13485:2016

Timing of the transition

The ISO (International Organization of Standards) has granted a three-year transition period for
organizations to change over to the new version of the standard, so organizations should update their
Quality Management System (QMS) to conform to ISO 13485:2016 by February 28, 2019. Though this is
a very realistic timeframe, many organizations will attempt to implement the modifications and transition
to the new version of the standard much earlier to prove their commitment to the quality standard, and
to obtain a competitive advantage. If you got certified before March 1, 2016, you will have your
surveillance audits according to the 2003 revision, but your recertification audit will be conducted
according to the 2016 revision. If you get your certificate according to the 2003 revision after March 1,
2016, you will have to upgrade to the new version by February 28, 2019.

Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. 3

Twelve-step transition process

The easiest way to make the upgrade to the 2016 revision is by following these steps:

1) Identification of regulatory requirements and document

organizational roles
ISO 13485:2016 focuses on identifying and meeting regulatory requirements, and in this revision of the
standard, it further clarifies that by regulatory requirements, it is referring to applicable requirements
of any law by the user of this standard for, e.g., statutes, regulations, ordinances or directives. This
standard expects an organization to do the following:

identify its role(s) under applicable regulatory requirements

identify the regulatory requirements that apply to its activities under these roles
incorporate these applicable regulatory requirements within its Quality Management System

Special focus has been given to obligations to meet regulatory requirements in the Quality Management
System. Moreover, the differences in local regulations and their impact to the system have to be
addressed and incorporated. An organization can develop a procedure listing all applicable regulatory
concerns that apply to its activities; moreover, it can also state its roles to meet these requirements. The
organization can then define roles and responsibilities for meeting specific requirements under these
roles. Within this procedure, the organization should give reference to documents (for example,
procedures, work instructions, records) included in the Quality Management System in order to comply
with these regulatory requirements.

Read more here: How to determine regulatory requirements according to ISO 13485:2016.

2) Reviewing the scope of the QMS

ISO 13485:2016 extends the scope of the Quality Management System to outsourced processes, and
requires the organization to accept responsibility for monitoring, maintenance, and control of the
outsourced processes. Moreover, the applicability of this standard has broadened, and it can also be used
by suppliers and external parties involved in any stage of the product life cycle. Therefore, companies
involved in any stage or supply chain of medical products can become certified according to the standard.
Medical product suppliers and manufacturers can add ISO 13485 certification as a rating factor for vendor
performance. The scope of the Quality Management System must be included in the Quality Manual.

Read more here: How to manage a Quality Manual according to ISO 13485:2016 requirements.

Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. 4

3) Control of processes and related changes
There are additional requirements stating that the organization should determine its processes and define
a risk-based approach to control these processes. There are also additional requirements to control the
changes in the processes. Therefore, the organization needs to document how the changes are controlled
in their processes, as well as how a risk-based approach is used to control these processes. You can
manage these changes with a set of records used for engineering change requests and controls. These
records should contain a change request, review (should include risk assessment), authorization from
concerned stakeholders, and a notice issuance for the change.

4) Medical device files

Medical device files are to be maintained in the old version, as well, but this revision states a specific
requirement, which includes the number of articles to include in medical device files. Documents such as
medical device design, medical device family description, medical device conformity certificate, etc.
included in medical device files should be listed, and these files should be maintained by the complying
organization. So, the organization needs to review the existing structure of medical device files and,
accordingly, upgrade the structure to meet the new requirements.

Read more at: How to meet ISO 13485:2016 requirements for medical device files.

5) Documentation Requirements
Along with medical device files, organizations are now required to define methods to protect confidential
health information. Moreover, the organizations are also required to prevent loss of documentation and
deterioration of any document. This requirement can be managed with the help of a robust software
application that protects the access of health information from unauthorized use, and all records to be
managed in the software. Backups of the information should be maintained according to a defined
frequency to prevent loss of documentation.

6) Addressing risks
According to the new version, the risks of medical products are only related to product safety or their
inability to meet regulatory requirements. All those risks must be addressed and managed. This definition
in ISO 13485:2016 is different from that of ISO 9001:2015. Therefore, product risk assessment should be
considered during the design and development phase, and it should be maintained in medical device files.
Any change in product design should constitute a new risk assessment request.

Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. 5

7) Infrastructure to prevent product mix-ups
The new standard mandates that organizations must maintain an infrastructure that prevents product
mix-ups and ensures orderly handling of products. Under clause 6.3c Supporting services in infrastructure,
information systems are included, along with transport and communications. Therefore, each production
lot should be properly identified with product codes, lot numbers, and traceability numbers, and the
product physically needs to be tagged and placed on separate production carriers, which are also marked.
Thus, there are no chances of mixing up one lot with similar lots.

Read more at: Managing medical device infrastructure requirements according to ISO 13485:2016.

8) Work environment and contamination control

The new version requires better control of the work environment, including control of contamination with
microorganisms or particulate matter, for sterile medical devices. Along with better controls of
contamination and the work environment, an organization is also required to maintain sterile barrier
systems for sterilized medical products to prevent them from biological burden in the environment after
being sterilized.

Read more at: Managing medical device infrastructure requirements according to ISO 13485:2016.

9) Identification of medical products

The organization must provide unique device identification for medical devices and a documented
procedure for product identification. Moreover, the procedure of identification should also identify
product status identification during production. One way to comply with this request is to implement
production cards that are integrated with the ERP system and display lot number, device identifier
numbers, and process codes. At each production stage, the lot number should contain the suffixes of the
processes to identify the production status of the lot physically on the production card. Bar code systems
can also be used for unique device identification of medical devices.

10) Control of non-conforming product

Control of non-conforming product is given extraordinary importance in the new standard. The standard
includes requirements related to concessions. It also states separate requirements for nonconformities
detected before delivery, after delivery, and rework. The standard also states requirements for records
related to the issuance of advisory notices. Medical device manufacturing and supplying companies have
to control non-conforming product with proper documentation, and usually, the control includes

Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. 6

correction and corrective actions. Correction includes reworks, concession, advisory notices, etc.,
whereas corrective action includes actions against the root cause of the non-conformity to prevent such
non-conformity from happening in the future.

Read more at: ISO 13485:2016 nonconforming product How to approach the post-delivery actions.

11) Sterile Barrier Systems

The new standard also mandates that organizations sterilize medical products to maintain a barrier
system for sterile products that are being packed. In this way, after sterilization, the product will be
protected from biological contamination. The sterile barrier system can be maintained within processes
after sterilization by thorough cleaning, utilizing pre-defined air quality tests to ensure that the
environment is free from biological contaminants, and ensuring that personnel interacting with medical
devices in post-sterilization processes are controlled with proper clothing. Moreover, the area under
which these post-sterilization processes are being performed must be accessed by authorized personnel
only.

Read more at: How to manage the medical device sterilization process according to ISO 13485:2016.

12) Corrective and Preventive Actions

The new version of the standard strongly emphasizes the importance of taking corrective actions within
the due date. If there is a delay in making a corrective measure, it must be justified. Moreover, the adverse
effects of corrective and preventive actions must be verified and mitigated before the action is taken. You
can track these actions with the help of the CAPA (Corrective action preventive action) system provision
in the ERP or any ISO cloud software.

Click here to see Conformio, an online software platform for managing ISO projects, through which you
can handle corrective and preventive actions.

Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. 7

Sample documentation

You can download the ISO 13485:2016 Documentation Toolkit. The free version of this toolkit will allow
you to see a sample of policies and procedures required by the ISO 13485:2016 standard.

Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. 8

 Advisera Expert Solutions Ltd
for electronic business and business consulting
Zavizanska 12, 10000 Zagreb
Croatia, European Union
Email: support@advisera.com
Phone: +1 (646) 759 9933
Toll-Free (U.S. and Canada): 1-888-553-2256
Toll-Free (United Kingdom): 0800 808 5485
United Kingdom (international): +44 1502 449001
Australia: +61 3 4000 0020

Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. 9