Complete Regulatory Services for the Medical Device Industry

ISO 13485:2016 Blog

An Analysis of ISO 13485:2016 and the Impact on Medical Device Organizations

We Have to Start Somewhere...

Introductions - Section 0

We start with the introduction section.  Why?  Just to be thorough.  Nothing too earth-shaking here.  Mainly, we have clarifications.  

What's the Same

  • Introductory concepts.
  • Discussion of the process approach.
  • Discussion of how ISO 13485:2016 relates to other standards.

New Requirements

  • None


  • Our first clarification comes in the first paragraph, section 0.1.  The standard clarifies that it can be used "in one or more stages of the life-cycle" of a device.  Examples include design, production, storage, installation, servicing, and provision of technical services.  This has always been the case. In ISO 13485:2016, this concept is clarified.
  • We see the rationale for why, later in section 4.1.1, the regulatory role of the organization must be defined.  Namely, since regulatory requirements differ from region to region, clear definitions must be used to ensure that the standard is appropriately applied.  Examples of this?  How similar/dissimilar are recalls, advisory notices, and corrections and removal?  What about vigilance reporting, mandatory problem reporting, and medical device reporting?  These must be clearly defined and integrated into the Quality Management System based on national requirements.
  • In section 0.2, concepts are clarified.  We see...
    • an enhancement of when "as appropriate" is deemed appropriate,
    • a clarification of the use of the term "risk", 
    • clarification that product can also mean a service provided by the organization, 
    • boundaries for the term "regulatory", with an explanation that the use of the term is limited to the QMS and safety or performance requirements of the device.  So, if your auditor says that regulatory requirements can apply to any regulation (accounting, health and safety), you now have grounds to push back, and
    • definitions for shall (requirement), should (recommendation), may (permission), and can (possibility or capability).
  • In sections 0.4 and 0.5 we're reminded that ISO 13485:2016 is now, even more, a stand-alone standard.  It does not follow the high-level structure, and the differences from ISO 9001:2015 are so significant (think preventive action) that implementing ISO 13485:2016 can no longer result in a presumption of conformity to ISO 9001:2015.

Implementation Tips / Pitfalls

  • Take the opportunity to see if "regulatory requirements" and "risk" are defined properly in your Quality Management System.

Summary - Conclusion

  • No new requirements, several clarifications, some of which are quite helpful.  We know that "regulatory" and "risk" are now precisely defined and ISO 13485:2016 has diverged significantly from ISO 9001:2015.  The stage is set for clauses to come.