ISO 13485:2016 vs. ISO 13485:2003 matrix

Copyright ©2017 Advisera Expert Solutions Ltd. All rights reserved.


| ISO 13485:2016 | ISO 13485:2003 | Explanation |
| --- | --- | --- |
| Introduction | Introduction | Both the 2003 and 2016 versions of the ISO 13485 standard cover fundamentally the same topics. However, there are some important differences. |
| 0.1 General | 0.1 General | Now the standard can be used by any organization that is involved in any stage of the product life cycle, which means that external parties or suppliers can also certify themselves on standard requirements. |
| 0.2 Clarification of concepts | | This is a new addition in the latest version of the standard; it clarifies the concepts of some of the terminology used in the standard. For example, “risk” is being used for safety or performance requirements of medical devices and devices meeting the regulatory requirements. |
| 0.3 Process approach | 0.2 Process approach | The description of the clause is almost the same; however, in the new version of the standard it emphasizes the importance of using a process approach in meeting requirements, value, process performance and effectiveness, and improving the process by setting objectives. |
| 0.4 Relationship with ISO 9001 | 0.3 Relationship with other standards | Both versions of the ISO 13485 standard are based on ISO 9001; ISO 13485:2016 is based on ISO 9001:2008, whereas ISO 13485:2003 is based on ISO 9001:2000. |
| 0.5 Compatibility with other management systems | 0.4 Compatibility with other management systems | Both versions of the standard allow integration with other management systems. |
| Quality Management System Requirements | Quality Management System Requirements | |
| 1 Scope | 1 Scope | Scope in the latest version of the standard defines other organizations, such as suppliers or external parties, as eligible to implement the ISO 13485 standard. All the other points in this clause are almost the same for both versions of the standard. |
| 2 Normative references | 2 Normative references | |
| 3 Terms and definitions | 3 Terms and definitions | Some new terms are introduced in the newest version of the standard, such as “sterile barrier system,” “medical device family,” etc. |
| 4 Quality Management System | 4 Quality Management System | |
| 4.1 General requirements | 4.1 General requirements | In the latest version of the standard, more focus has been given to applicable regulatory requirements and the controls associated to meet these requirements. Moreover, controls also encompass “risk” of external parties to meet applicable regulatory requirements, and written quality agreements to ensure that external parties meet those requirements. |
| 4.2 Documentation requirements | 4.2 Documentation requirements | Almost all the requirements are the same, except that the new version of the standard identifies and explains the requirements of medical device files. For more information, read: How to meet ISO 13485:2016 requirements for medical device files. |
| 5 Management responsibility | 5 Management responsibility | All clauses are the same in both versions of the standard, except in some subclauses where the new version of the standard demands management commitment to applicable regulatory requirements, which need to be identified and met. |
| 5.1 Management commitment | 5.1 Management commitment | All requirements are almost the same, except a few modifications to the terms are included in the new version of the standard; for example, in the old version of the standard the term “statutory” has been removed and covered in applicable regulatory requirements. |
| 5.2 Customer focus | 5.2 Customer focus | In the old version it was mandatory to understand, identify, and meet only customer requirements, while in the new version, along with customer requirements, it is mandatory to identify and meet regulatory requirements as well. |
| 5.3 Quality policy | 5.3 Quality policy | There are no changes in the requirements. See the sample document here: Quality Policy. |
| 5.4 Planning | 5.4 Planning | |
| 5.4.1 Quality objectives | 5.4.1 Quality objectives | The requirements are similar except that in the new version the organization is required to set quality objectives for meeting applicable regulatory requirements. |
| 5.4.2 Quality management system planning | 5.4.2 Quality management system planning | No significant changes have been implemented in this clause. |
| 5.5.1 Responsibility and authority | 5.5.1 Responsibility and authority | There are no changes in this clause. |
| 5.5.2 Management representative | 5.5.2 Management representative | All requirements for management representative are the same in both versions of the standard. |
| 5.5.3 Internal communication | 5.5.3 Internal communication | Requirements for internal communication are the same in both versions of the standard. |
| 5.6 Management review | 5.6 Management review | |
| 5.6.1 General | 5.6.1 General | The organization is now required to document a procedure for management review. All other requirements were not modified. See the sample document here: Procedure for Management Review. |
| 5.6.2 Review input | 5.6.2 Review input | Reporting to regulatory requirements and customer complaints have been added as review inputs in the new version of the standard. |
| 5.6.3 Review output | 5.6.3 Review output | In the latest version, the review output is adapted to support the modifications included in the review input. |
| 6 Resource management | 6 Resource management | |
| 6.1 Provision of resources | 6.1 Provision of resources | No significant changes have been implemented in this clause. |
| 6.2 Human resources | 6.2 Human resources | In the new version of the standard it is mandatory for the organization to document the processes for establishing competence, providing required trainings, and ensuring awareness of employees. |
| 6.3 Infrastructure | 6.3 Infrastructure | There is a new requirement for infrastructure, which should prevent product mix-ups and ensure orderly handling. Moreover, information technology has been added as an infrastructure requirement in supporting services. For more information, read: Managing medical device infrastructure requirements according to ISO 13485:2016. See the sample document here: Procedure for Infrastructure and Work Environment. |
| 6.4 Work environment and contamination control | 6.4 Work environment | This clause has been split in two in the new standard. |
| 6.4.1 Work environment | | In the new version of the standard the organization is required to document the requirements of the work environment, rather than just determining and managing it. Unlike the previous version of the standard, in the new version, a procedure to monitor and control the work environment should be established. |
| 6.4.2 Contamination control | | Contamination control has been separated as a subclause; it adds a mandatory requirement for sterile medical devices, in which requirements for control of contamination with microorganism or particulate matter should be documented. |
| 7 Product realization | 7 Product realization | |
| 7.1 Planning of product realization | 7.1 Planning of product realization | There are no significant changes to this clause, except in the need to establish processes and documentation, resources for maintaining infrastructure and work environment have to be provided. |
| 7.2 Customer-related processes | 7.2 Customer-related processes | |
| 7.2.1 Determination of requirements related to product | 7.2.1 Determination of requirements related to product | The new version of the standard includes a requirement for the organization to determine if users need to be trained in order to ensure specified performance and safe use of medical devices. |
| 7.2.2 Review of requirements related to product | 7.2.2 Review of requirements related to product | The new version of the standard includes a requirement for the organization to review whether they need to train the users in order to ensure specified performance and safe use of medical devices. |
| 7.2.3 Communication | 7.2.3 Communication | All requirements regarding the communication with customers are the same; however, the new standard also mandates that the organization communicate with regulatory bodies when needed. |
| 7.3 Design and development | 7.3 Design and development | |
| 7.3.1 General | | A new clause has been added as “General” in the “Design and Development” section. It mandates the organization to establish a procedure for design and development as per the new requirements. See the sample document here: Procedure for design and development. |
| 7.3.2 Design and development planning | 7.3.1 Design and development planning | The new version of the standard includes requirements related to development of a method to ensure traceability for design and development outputs against design and development inputs. Also, the new version of the standard states adequate resources to be identified in the planning phase. |
| 7.3.3 Design and development inputs | 7.3.2 Design and development inputs | In the new version of the standard, design and development inputs should incorporate usability requirements for the product; moreover, output of risk management has to be included in design and development inputs. |
| 7.3.4 Design and development outputs | 7.3.3 Design and development outputs | The requirements are the same in both versions. |
| 7.3.5 Design and development review | 7.3.4 Design and development review | With the earlier requirements, the new standard also mandates records for personnel involved in the process of review. Those designs under review should be identified with the status “under review.” See the following sample document: Design Review Minutes. |
| 7.3.6 Design and development verification | 7.3.5 Design and development verification | The new version of the standard includes mandatory documents and procedures to ensure that the design and development outputs have met the input requirements. Verification plans, which include acceptance criteria and statistical techniques with rationale for sample size, should be documented. See the sample document: Verification Report. |
| 7.3.7 Design and development validation | 7.3.6 Design and development validation | In the new version of the standard, the organization is required to maintain documented records for design validation as well. Design validation should be done on representative product, which can be initial production units, batches, etc. Records of validation conclusion should also be maintained. See the sample document: Validation Report. |
| 7.3.8 Design and development transfer | | This is a new requirement in the latest version; an organization is now required to document a procedure to transfer design and development outputs to manufacturing. These outputs should be verified before becoming final specifications. Moreover, production capability should meet product requirements. See the sample document here: Design and Development Transfer Record. |
| 7.3.9 Control of design and development changes | 7.3.7 Control of design and development changes | The procedure for design and development in the new standard should include protocols to control design and development changes. Before implementation, the change should be reviewed, verified, validated, and approved. See the sample document here: Change Review Record. |
| 7.3.10 Design and development files | | This is a new requirement. The organization should maintain a design and development file for each medical device type or family. This file has to include reference records of conformity to design and development requirements and records for changes. See the sample document here: Design and Development File. |
| 7.4 Purchasing | 7.4 Purchasing | |
| 7.4.1 Purchasing process | 7.4.1 Purchasing process | The purchasing process has also been modified in the new version. The old section on purchasing has been subdivided into four new requirements. While the old standard expected the organization to establish supplier selection and evaluation criteria, it didn’t provide any details. The new version of the standard includes criteria for the supplier—for example, supplier’s impact on quality of medical product, supplier’s ability to meet organization’s requirements, performance of supplier in terms of timely delivery, and supplier’s impact on risk for medical device performance and safety. See the sample document here: Procedure for Purchasing and Evaluation of Suppliers. |
| 7.4.2 Purchasing information | 7.4.2 Purchasing information | The new version of the standard mandates that product specifications should be shared with the supplier as well. See the sample document here: Request and Order for Purchasing. |
| 7.4.3 Verification of purchased product | 7.4.3 Verification of purchased product | In the new version of the standard, this clause extends risk analyses to suppliers. The organization must consider the risk whenever suppliers underperform and should have documented adequate risk treatments. When unplanned changes are embedded in purchased products, the organization is required to determine whether or not these changes affect the medical device or product realization process. See the sample document here: Purchasing Verification Record. |
| 7.5 Production and service provision | 7.5 Production and service provision | |
| 7.5.1 Control of production and service provision | 7.5.1 Control of production and service provision | |
| 7.5.2 Cleanliness of product | 7.5.1.2.1 Cleanliness of product and contamination control | In the new version of the standard, this clause is extended and the organizations are required to identify products that cannot be cleaned prior to sterilization or use. For more information, read the following article: Managing cleanliness of a product and contamination control according to ISO 13485:2016. |
| 7.5.3 Installation activities | 7.5.1.2.2 Installation activities | Requirements are the same in both of the standards. |
| 7.5.4 Servicing activities | 7.5.1.2.3 Servicing activities | Requirements are almost the same, except the new standard requests that the organization analyze service records either as complaints or as input for any improvement activity. See the sample document here: Record of Servicing Activities. |
| 7.5.5 Particular requirements for sterile medical devices | 7.5.1.3 Particular requirements for sterile medical devices | Both versions have the same requirements for sterile medical devices. For more information, check the following article: How to manage the medical device sterilization process according to ISO 13485:2016. |
| 7.5.6 Validation of processes for production and service provision | 7.5.2 Validation of processes for production and service provision | Both versions of the standard require companies to establish procedures to validate production and delivery processes that generate outputs that can't be verified until the product is placed in use or the service has been provided. With the modifications included in the new version, the organization is also required to establish validation plans and to revalidate processes whenever necessary. See sample documentation here: Record of Production Process Validation. |
| 7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier systems | | This is a new requirement. Process validation is required for sterilization and sterile barrier systems. The organizations are required to develop validation procedures, which will be used to establish, implement, and maintain validation for sterilization and sterile barrier systems. |
| 7.5.8 Identification | 7.5.3 Identification and traceability | With the modifications in the new standard, it is required from the organization to document a procedure for the identification of product by suitable means through product realization. The identification procedure shall encompass all stages of the product life cycle, and will provide a way for monitoring and measurement of product. If mandated by regulatory laws, the organization shall maintain unique device identification. |
| 7.5.9 Traceability | | The organization is now required to develop a procedure for traceability. For implantable medical devices, traceability records for components and materials should be maintained. For more information, read the following article: How to use ISO 13485:2016 to manage implantable medical devices. |
| 7.5.10 Customer property | 7.5.4 Customer property | Requirements are the same in both versions of the standard. |
| 7.5.11 Preservation of product | 7.5.5 Preservation of product | The new standard clarifies the meaning of preservation by mandating that the organization prevent medical device damage, alteration, and contamination. Also, the organization is required to protect products when exposed to hazards. |
| 7.6 Control of monitoring and measuring equipment | 7.6 Control of monitoring and measuring devices | Requirements are almost the same, except in the new version the organization is required to develop monitoring and measurement software validation procedures. See the following sample document: Procedure for Documentation and Validation of Computer Software. |
| 8 Measurement analysis and improvement | 8 Measurement analysis and improvement | |
| 8.1 General | 8.1 General | Requirements are the same in both versions of the standard. |
| 8.2 Monitoring and measurement | 8.2 Monitoring and measurement | |
| 8.2.1 Feedback | 8.2.1 Feedback | In the new standard, the feedback process should include provisions to gather data from production, as well as post-production activities. The information gathered in the feedback process serves as a potential input into risk management for monitoring and maintaining the product requirements, as well as the product realization or improvement processes. |
| 8.2.2 Complaint handling | | This is a new requirement; the organization is required to establish, document, implement, and maintain complaint-handling procedures. For more information, read the following article: How to comply with ISO 13485:2016 requirements for handling complaints. |
| 8.2.3 Reporting to regulatory authorities | | This is a new requirement; the organization is required to establish, document, implement, and maintain reporting procedures when regulators expect the organization to report to them. See this sample document: Procedure for Adverse Event Investigation and Reporting. |
| 8.2.4 Internal audit | 8.2.2 Internal audit | Requirements are the same in both versions of the standard. |
| 8.2.5 Monitoring and measurement of processes | 8.2.3 Monitoring and measurement of processes | There are no significant differences in the requirements between the two versions of the standard. |
| 8.2.6 Monitoring and measurement of product | 8.2.4 Monitoring and measurement of product | In the new standard, the identity of the person authorizing the release of product shall be recorded, and records of test equipment used for release should be maintained. |
| 8.3 Control of nonconforming product | 8.3 Control of nonconforming product | |
| 8.3.1 General | | In the new standard, a procedure is required to define controls and related responsibilities and authorities for the identification, documentation, segregation, evaluation, and disposition of nonconforming product. The evaluation of nonconformity should include a determination of the need for an investigation and notification of any external party responsible for the nonconformity. See this sample document: Procedure for Control of Non-Conforming Products. |
| 8.3.2 Actions in response to nonconforming product detected before delivery | | This requirement has been added in a subclause in the new standard to emphasize it separately. Requirements include dealing with nonconforming products prior to delivery, taking actions to eliminate detected nonconformities, preventing the product's unintended use or application and, if needed, authorizing nonconforming product use and release. |
| 8.3.3 Actions in response to nonconforming product detected after delivery | | This requirement has been added in a subclause in the new standard to emphasize it separately. Requirements include identification of nonconforming products after delivery or after use, actions to be taken against the effects that have been identified, record keeping of the actions taken, issuances and management of advisory notices, and record keeping of actions taken against issued advisory notices. For more information, read the following article: ISO 13485:2016 nonconforming product – How to approach the post-delivery actions. |
| 8.3.4 Rework | | This is a new requirement that mandates that the organization clarify how product rework should be performed, verified, reviewed, approved, and recorded. |
| 8.4 Analysis of data | 8.4 Analysis of data | Requirements of analysis of data are the same; however, in the new version of the standard, analysis should also be performed on audits and service reports. See the following sample document: Procedure for Data Analysis. |
| 8.5 Improvement | 8.5 Improvement | |
| 8.5.1 General | 8.5.1 General | Requirements are almost the same, except that in the new version of the standard, medical device safety and performance must be taken into consideration during improvement activities. |
| 8.5.2 Corrective action | 8.5.2 Corrective action | Both versions of the standard have the same requirements for corrective actions. |
| 8.5.3 Preventive action | 8.5.3 Preventive action | Both versions of the standard have the same requirements for preventive actions. |



Advisera Expert Solutions Ltd
for electronic business and business consulting
Zavizanska 12, 10000 Zagreb
Croatia, European Union

Email: support@advisera.com
U.S. (international): +1 (646) 759 9933
United Kingdom (international): +44 1502 449001
Toll-Free (U.S. and Canada): 1-888-553-2256
Toll-Free (United Kingdom): 0800 808 5485
Australia: +61 3 4000 0020
