ISO 13485:2016 Medical Devices - Quality Management Systems Standard Released

The International Organization for Standardization (ISO) published the updated ISO 13485 medical devices quality management s ystems standard on March 1,
2016.
ISO 13485:2016 identifies the requirements for a quality management system (QMS) in which an organization needs to demonstrate its ability to provide
medical devices and related services that consistently meet both customer and regulatory requirements. Organizations seeking certification may be involved in
any portion of the medical device product lifecycle, which includes design and development, production, storage and distribution, installation, or servicing of a
medical device or provision of associated activities (e.g. technical support). ISO 13485:2016 can also be used by suppliers or external parties that provide
product, materials or service, including quality management system-related services to such organizations.
NSF International Strategic Registrations (NSF-ISR) will be working to ensure a smooth transition to the new international standard for medical device quality
management systems. We are committed to developing useful tools, webinars and publications to assist your organization with the transition process. Similar
publications were produced by NSF-ISR for the ISO 9001:2015 transition and can be viewed on our ISO 9001 webpage.
Key improvements in the 2016 version include:

• Expansion of the standard's applicability to include all organizations involved in the lifecycle of the product, from inception to end of life
• Greater focus on post-market surveillance (including complaint handling)
• Improved alignment with regulatory requirements
• Increased focus on risk management
• More emphasis on implementing the appropriate infrastructure, particularly for the production of sterile medical devices

There will be a 3-year period for current NSF-ISR clients registered to ISO 13485:2003 to transition to the 2016 version of the standard. NSF-ISR will be working
with ANAB to determine the transition requirements in order to provide your organization with detailed information relating to the new version of the standard
and how to best create a positive, seamless transition experience to ISO 13485:2016.
The updated standard can be purchased through the NSF Bookstore.
For more information, please email NSF-ISR at [email protected] and check our website, www.nsf-isr.org, for regular updates about the standard,
including webinars, transition guides and more

AESOP 17477; ISSUE 1; STATUS-PUBLISHED; EFFECTIVE 01 FEB 2017; AUTHORITY MARTIN WILLEM
This is a confidential document and may be reproduced only with the permission of NSF-ISR. Page 1 of 11
 ISO 13485: 2016 Planner and Delta Checklist
Annex A (Informative) Comparison of content between
ISO 13485:2003 and ISO 13485:2016
Instructions:
1. Highlighted areas are to be completed by the Client Organization prior to the off-site review, or on-site Gap Analysis or Upgrade Audit, and submitted to the NSF-ISR Lead Auditor for review.
2. The Annex A - ISO 13485: 2016 vs. ISO 13485: 2003 Comparison Table has been provided at the end of this document for information and reference purposes only.
3. Completion by the Client Organization should include the final statement of readiness for Upgrade by the Top Management of th e Client Organization.
4. The columns for “Planned Completion Date” and Responsibility” may be used by the Client Organization to develop their plan fo r upgrading their QMS to the requirements of ISO 13485: 2016.
5. All other areas of the Checklist are required to be completed by the NSF-ISR Lead Auditor to confirm the effective implementation of th e Client Organization’s ISO 13485: 2016 Quality
Management System.
6. The Lead Auditor shall sign the appropriate sections at the end of the Checklist to indicate: whether the Client Organization is Ready/Not Ready for Upgrade Audit (Off-site review), AND the final
approval of the QMS in meeting the requirements of ISO 13485: 2016 (during the on -site Upgrade Audit)
7. This checklist shall be submitted by the NSF-ISR Lead Auditor as on e of the records of the ISO 13485: 2016 Upgrade for the Client Organization.

Organization Name:
Organization Address:
1st Shift :
Number of Personnel: 2nd Shift :
3rd Shift :
Temp. / Part-time :
Other locations included in this registration:
Management Contact:
Name and Revision Status of QMS
documentation:
FRS Number:
Off-site Review Date (Desk Audit):
Audit Dates (on-site):
Lead Auditor / Audit Team:
Scope of Registration:
ISO 13485: 2016 Clauses that are Not Applicable
to the scope of the QMS :Reference ISO 13485:
2016 (E) Medical devices — Quality management
systems —
Requirements for regulatory purposes: Scope,
Section 1
The interval between the client Delta Review and the Upgrade Audit should not exceed 90 days.

AESOP 17477; ISSUE 1; STATUS-PUBLISHED; EFFECTIVE 01 FEB 2017; AUTHORITY MARTIN WILLEM
This is a confidential document and may be reproduced only with the permission of NSF-ISR. Page 2 of 11
NOTE: Please ensure that your Organization’s registered ISO 13485:2003 QMS remains compliant with that version of the Standard until the Transition
to ISO 13485: 2016 is complete and verified by the NSF-ISR Lead Auditor.
Level of QMS Reference Document
Completion Process Planned
(Name / Rev. Level)
Question / Requirement 0=Not Started Related to Completion Responsibility NSF-ISR Lead Auditor Review Comments
OR
10=Completed & Requirement Date
Implemented (Process Name)
Records
QMS Documentation
Clause 4.1 – General requirements
Updates required:
• Documentation
• Increased regulatory and risk based ALL
approach;
• Outsourced processes;
• Change management;
• Validation of software.

Clause 4.2 – Documentation

requirements
Updates required:
• Clauses 6, 7 and 8;
• Medical device file;
• Controls related to document and
record amendment, security and integrity

Clause 5 – Management Responsibility

• Increased focus on regulatory
requirements;
• Documented procedures for
management review; documented planned
intervals
Evidence of : Clause 6.2 – Human
resources
Updates required:
• Documented processes for
competence, awareness and training
• Risk based training effectiveness
Evidence of : Clause 6.3 –
Infrastructure
Updates required:
• Processes for preventing product mix-
up;
• Information systems infrastructure;
• Maintenance intervals for production or
monitoring equipment.

Evidence of: Clause 6.4 – Work

environment
Updates required:
• Documentation requirements for work
environment;

AESOP 17477; ISSUE 1; STATUS-PUBLISHED; EFFECTIVE 01 FEB 2017; AUTHORITY MARTIN WILLEM
This is a confidential document and may be reproduced only with the permission of NSF-ISR. Page 3 of 11
 • Contamination controls for sterile
medical devices.

Evidence of : Clause 7.1 – Planning of

product realization
Updates required;
• Processes for risk management;
• Requirements for storage, handling,
distribution and traceability.

Evidence of : Clause 7.2 – Customer

related processes
Updates required:
• Requirement and availability for any
user training;
• Documented processes for
communicating with stakeholders,
including regulatory authorities.

Clause 7.3 – Design and development

Updates required:
• Traceability of design inputs to outputs;
• Required resources, including
competence of personnel involved in
design projects;
• Additional details and documentation
for verification and validation plans,
including statistical techniques, sampling
rationale and representative product and
records;
• Documented procedures for design
transfer and design change;
• Design and development files.

Clause 7.4 – Purchasing

Updates required:
• Increased focus on supplier monitoring
and risk;
• Documented agreements for prior
notification of changes to supplied
product;
• Linkage between verification of
purchased product and change control.

Evidence of: Clause 7.5 – Production

and service provision
Updates required:
• Qualification of infrastructure;
• Analysis of service records;

AESOP 17477; ISSUE 1; STATUS-PUBLISHED; EFFECTIVE 01 FEB 2017; AUTHORITY MARTIN WILLEM
This is a confidential document and may be reproduced only with the permission of NSF-ISR. Page 4 of 11
 • Documented procedures for validation
including statistical techniques, sampling
rationale, revalidation;
• Validation requirements for processes
that cannot or are not subsequently
monitored;
• Procedures for risk based software
validation;
• Documented procedure for product
identification/status during production;
this may be Unique Device Identification
(UDI),
• Validation of sterile barrier systems;
• Suitability of packaging systems;
• Recording of measuring equipment
adjustments.

Evidence of:: Clause 8 – Measurement,

analysis and improvement
Clause 8.2 – Monitoring and measuring
Updates required:
• Linkages from customer feedback into
risk management;
• Documented processes for ascertaining
whether customer requirements have
been met;
• Procedures for complaint handling;
• Processes for informing third parties of
complaints;
• Plans for internal audits at defined
intervals;
• Processes for the identification of test
equipment.

Clause 8.3 – Control of non-conforming

product
Updates required:
• Processes for communication with
external parties regarding non-
conforming product;
• Controls for managing concessions;
• Linkages between rework and
regulatory requirements.

AESOP 17477; ISSUE 1; STATUS-PUBLISHED; EFFECTIVE 01 FEB 2017; AUTHORITY MARTIN WILLEM
This is a confidential document and may be reproduced only with the permission of NSF-ISR. Page 5 of 11
 Level of QMS Reference Document
Completion Process Planned
(Name / Rev. Level)
Question / Requirement 0=Not Started Related to Completion Responsibility NSF-ISR Lead Auditor Review Comments
OR
10=Completed & Requirement Date
Implemented (Process Name) Records
: Clause 8.4 – Analysis of data
Updates required:
• Sources of data for analysis, such as
service records and audits;
• Procedures that cover the application
of statistical techniques;
• Linkages between the analysis and
improvement processes.

:Clause 8.5 – Improvement

Updates required:
• Actions are taken without undue delay;
• Evaluation of actions for adverse effects
on regulatory requirements and product
safety and performance.

Organization confirmation that the

QMS now complies with all
requirements of ISO 13485: 2016
(refer to Annex A).
(e.g. Quality Manual or Documented
Information addresses all clauses of
the Standard).
Other Client Organization-specific
information about the QMS (as
determined by the Client
Organization)

Note: This section is optional, and

may be completed if there are unique
aspects of the QMS that the Client
deems important in demonstrating
compliance to the ISO 13485: 2016
Standard.

Approval Name / Title Signature Date

NSF-ISR Lead Auditor confirmation of
Readiness (Pre-planning).
NSF-ISR Lead Auditor Approval of
Compliance to ISO 134485: 2016 at On-site
Upgrade Audit.
The completed Checklist shall be submitted by the NSF-ISR Lead Auditor as a supplement to the ISO 13485:2016 Audit Report

AESOP 17477; ISSUE 1; STATUS-PUBLISHED; EFFECTIVE 01 FEB 2017; AUTHORITY MARTIN WILLEM
This is a confidential document and may be reproduced only with the permission of NSF-ISR. Page 6 of 11
 Table A.1 — Comparison of content between ISO 13485:2003 and ISO
13485:2016
Table A.1 — Continue:

Clause in ISO 13485:2016 Clause in ISO 13485:2016 Comment on change compared with
ISO 13485:2003
Foreword — Clarifies the effect of the third edition of this
Foreword
International Standard
— Includes substantially more detail related to the nature of the
organization covered by this
International Standard’s requirements and the life-cycle stages
covered.
— Explains that the requirements can be used by suppliers or
other external parties either
voluntarily or as a result of contract arrangements.
— Alerts organizations about their obligations related to
regulatory requirements focused
on quality management systems.
— Alerts organizations about differences in local regulation
definitions and their obligation
to understand how these definitions will affect their quality
Introduction
management system.
0.1 General
— Adds the obligation to meet the organization’s own quality
management system requirements.
— Specifically calls out the focus on the necessity to “meet
customer and applicable regulatory
requirements for safety and performance.”
— Emphasizes that the product requirements that are important
are those related to safety
and performance.
— Adds two influences on the nature of the quality management
system that were not in the
original listing (organizational environment and regulatory
requirements).
— Clarifies that the organization does
— Adds two additional criteria associated with the description of
appropriate requirements:
— compliance with regulatory requirements;
— the requirement is necessary for the organization to manage
risks.
— Limits application of risk to the safety or performance
requirements of the medical device
0.2 Clarification of concepts or meeting applicable regulatory requirements.
— Clarifies that the term “documented” includes the need to
establish, implement and
maintain.
— Clarifies that the term “product” applies to outputs that are
intended for, or required by, a
customer, or any intended output resulting from a product
realization process
0.3 Process approach Explanation of process approach extended
AESOP 17477; ISSUE 1; STATUS-PUBLISHED; EFFECTIVE 01 FEB 2017; AUTHORITY MARTIN WILLEM
This is a confidential document and may be reproduced only with the permission of NSF-ISR. Page 7 of 11
 Table A.1 — Continue:

— States the relationship between ISO 13485:2016 and ISO

9001.
— Indicates the structural relationship between ISO
13485:2016 and ISO 9001:2015 will be
0.4 Relationship with ISO 9001 outlined in Annex B.
— The use of italic text within standard to indicate changes
from ISO 9001:2008 has been
eliminated.

— Indicates the applicability of this International Standard to

organizations that are involved
in one or more stages of the life-cycle of a medical device.
— Indicates that this International Standard can also be used by
suppliers or external parties
that provide product, including quality management system-
related services to medical
device organizations.
— Specifically calls out the responsibilities for monitoring,
maintaining, and controlling
1. Scope
outsourced processes.
— Expands requirements that can be not applicable to those in
Clauses 6 and 8.
— Clarifies that the term “regulatory requirements” includes
statutes, regulations, ordinances
or directives and limits the scope of the “applicable regulatory
requirements” to
those requirements for the quality management system and the
safety or performance of the
medical device.
— Several new definitions added and some existing definitions
3 Terms and definitions
refined.
— Added requirement to document the role(s) of the
organization.
— Requires the determination of processes “taking into
account the roles undertaken by the
organization.”
4 Quality management system — Requires the application of a “risk based approach to the
4.1 General requirements control of the appropriate processes
needed for the quality management system.”
— Adds requirements related to changes to processes.
— Added requirements related to validation of the
application of computer software used in
the quality management system.
Includes control of records within the document control
requirements.
Lists the documents that would be included in the medical
4.2 Documentation requirements
device file.
New requirement related to protection of confidential health
information.

AESOP 17477; ISSUE 1; STATUS-PUBLISHED; EFFECTIVE 01 FEB 2017; AUTHORITY MARTIN WILLEM
This is a confidential document and may be reproduced only with the permission of NSF-ISR. Page 8 of 11
 Table A.1 — Continue:
5.6 Management review
6.2 Human resources
6.3 Infrastructure
6.4 Work environment and contamination
control
7.1 Planning of product realization
7.2 Customer-related processes
7.3.2 Design and development planning
7.3.3 Design and development inputs
7.3.5 Design and development review
7.3.6 Design and development verification
7.3.7 Design and development validation
7.3.8 Design and development transfer
7.3.9 Control of design and development
changes
AESOP 17477; ISSUE 1; STATUS-PUBLISHED; EFFECTIVE 01 FEB 2017; AUTHORITY MARTIN WILLEM
This is a confidential document and may be reproduced only with the permission of NSF-ISR.
New requirement related to deterioration and loss of
documents
— Includes requirement for the documentation of one or
more procedures for management
review and the requirement for management reviews at
“documented planned intervals”.
— Lists of inputs and outputs of management review have
been expanded.
— New requirement for documentation processes of
establishing competence, providing
needed training and ensuring awareness of personnel.
— Adds requirement that infrastructure prevents product
mix-up and ensure orderly handling
of product.
— Adds information system to the listing of supporting
services.
— Added documentation requirements for work
environment.
— Added requirement related to control of contamination
with microorganism or particulate
matter for sterile medical devices.
— Added requirements to list.
— Added requirements to list.
— New requirement related to communication with
regulatory authorities.
— Added requirements to list.
— Eliminated the requirement related to the management of
the interfaces between different
groups involved in design and development.
— Added requirements to list.
— Added requirement that the requirements shall be able to
be verified or validated.
— Added details of the contents of records.
— Added requirement for documentation of verification
plans and interface considerations.
— Requirement added for records of verification.
— Added requirement for documentation of validation plans,
product to be used for validation
and interface considerations. Requirement added for records
of validation.
— New sub-clause added.
— Adds the requirement that the evaluation of the change
effect should be made on products
in process and on the outputs of risk management and
product realization processes
— Added detail to consider in the determination of the
significance of a design and development
Page 9 of 11
 Table A.1 — Continue:

changes.
7.3.10 Design and development files — New sub-clause added.
— Focuses the supplier selection criteria on the effect of the
supplier performance on the
quality of the medical device, the risk associated with the
medical device, and the product
meeting applicable regulatory requirements.
7.4.1 Purchasing process
— New requirements added related to monitoring and re-
evaluation of suppliers, and action
to be taken when purchasing requirements are not met.
— Provides addition details related to the content of the
records.
— New requirement added to include notification of changes
7.4.2 Purchasing information
in purchased product.
— New requirements added on the extent of verification
activities and action to be taken
7.4.3 Verification of purchased product
when the organization becomes aware of any changes to the
purchased product.
7.5.1 Control of production and service — Adds details related to the controls for carrying out
provision production and service provision.
7.5.2 Cleanliness of product — Added a requirement to the list.
— New requirement for analysis of records for servicing
7.5.4 Servicing activities
activities.
— Added requirements to the list
— Adds details related to situations requiring procedures.
7.5.6 Validation of processes for production — Relates the specific approach to software validation to the
and service provision risk associated with the use of
the software.
— Adds requirements related to the validation records.
7.5.7 Particular requirements for validation
of processes for sterilization and — Added requirements for sterile barrier systems.
sterile barrier systems
7.5.8 Identification — Added requirement for unique device
identification.
7.5.8 Identification — New requirement for a documented procedure for
product identification and regarding
identification and product status during production
7.5.11 Preservation of product — Adds details as to how preservation can be accomplished.
— Indicates that feedback should come from production and
post-production activities.
8.2.1 Feedback — Adds a requirement to utilize feedback in risk
management processes in order to monitor
and maintain product requirements.
8.2.2 Complaint handling — New sub-clause.
8.2.3 Reporting to regulatory authorities — New sub-clause.
8.2.6 Monitoring and measurement of — Adds requirement to identify the test equipment used to
product perform measurement activities.

AESOP 17477; ISSUE 1; STATUS-PUBLISHED; EFFECTIVE 01 FEB 2017; AUTHORITY MARTIN WILLEM
This is a confidential document and may be reproduced only with the permission of NSF-ISR. Page 10 of 11
 Table A.1 — Continue:

— Added details related to kinds of controls that shall be

documented.
— Generalized the requirement to include any investigation
and the rationale for decisions.
— Adds requirements related to concessions.
8.3 Control of nonconforming product
— Separated requirements for nonconformities detected
before delivery, detected after
delivery and rework.
— Adds requirements for records related to the issuance of
advisory notices.
— Adds the requirement to include determination of
appropriate methods, including statistical
8.4 Analysis of data
techniques and the extent of their use.
— Adds detail to list of inputs.
— Adds the requirement to verify that the corrective action
does not have an adverse effect.
8.5.2 Corrective action
— Added requirement for corrective action to be taken
without undue delay.
— Adds the requirement to verify that the preventive action
8.5.3 Preventive action
does not have an adverse effect.

Appendix A
ISO 13485: 2016 vs. ISO 13485: 2003 Comparison Table

Amendment Record

Version # Submitted Date Summary of Changes

1 10/2016 Initial issue
2
3

AESOP 17477; ISSUE 1; STATUS-PUBLISHED; EFFECTIVE 01 FEB 2017; AUTHORITY MARTIN WILLEM
This is a confidential document and may be reproduced only with the permission of NSF-ISR. Page 11 of 11