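Hello, and welcome to the official website of Nanjing Gaocheng Enterprise Management Co., Ltd.!
ISO 13485:2016 Medical Device Management System Certification
Published: 2018-4-18 12:55:59  Views: 2665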

 

INTERNATIONAL STANDARD

ISO 13485
Third edition
2016-03-01

Medical devices — Quality management systems — Requirements for regulatory purposes

Dispositifs médicaux — Systèmes de management de la qualité — Exigences à des fins réglementaires

Reference number: ISO 13485:2016(E)

© ISO 2016



 


COPYRIGHT PROTECTED DOCUMENT

©  ISO 2016, Published in Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office

Ch. de Blandonnet 8 • CP 401

CH-1214 Vernier, Geneva, Switzerland

Tel. +41 22 749 01 11

Fax +41 22 749 09 47

copyright@iso.org

www.iso.org


© ISO 2016 – All rights reserved

  


 


Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Quality management system
    4.1 General requirements
    4.2 Documentation requirements
        4.2.1 General
        4.2.2 Quality manual
        4.2.3 Medical device file
        4.2.4 Control of documents
        4.2.5 Control of records
5 Management responsibility
    5.1 Management commitment
    5.2 Customer focus
    5.3 Quality policy
    5.4 Planning
        5.4.1 Quality objectives
        5.4.2 Quality management system planning
    5.5 Responsibility, authority and communication
        5.5.1 Responsibility and authority
        5.5.2 Management representative
        5.5.3 Internal communication
    5.6 Management review
        5.6.1 General
        5.6.2 Review input
        5.6.3 Review output
6 Resource management
    6.1 Provision of resources
    6.2 Human resources
    6.3 Infrastructure
    6.4 Work environment and contamination control
        6.4.1 Work environment
        6.4.2 Contamination control
7 Product realization
    7.1 Planning of product realization
    7.2 Customer-related processes
        7.2.1 Determination of requirements related to product
        7.2.2 Review of requirements related to product
        7.2.3 Communication
    7.3 Design and development
        7.3.1 General
        7.3.2 Design and development planning
        7.3.3 Design and development inputs
        7.3.4 Design and development outputs
        7.3.5 Design and development review
        7.3.6 Design and development verification
        7.3.7 Design and development validation
        7.3.8 Design and development transfer
        7.3.9 Control of design and development changes
        7.3.10 Design and development files


    7.4 Purchasing
        7.4.1 Purchasing process
        7.4.2 Purchasing information
        7.4.3 Verification of purchased product
    7.5 Production and service provision
        7.5.1 Control of production and service provision
        7.5.2 Cleanliness of product
        7.5.3 Installation activities
        7.5.4 Servicing activities
        7.5.5 Particular requirements for sterile medical devices
        7.5.6 Validation of processes for production and service provision
        7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier systems
        7.5.8 Identification
        7.5.9 Traceability
        7.5.10 Customer property
        7.5.11 Preservation of product
    7.6 Control of monitoring and measuring equipment
8 Measurement, analysis and improvement
    8.1 General
    8.2 Monitoring and measurement
        8.2.1 Feedback
        8.2.2 Complaint handling
        8.2.3 Reporting to regulatory authorities
        8.2.4 Internal audit
        8.2.5 Monitoring and measurement of processes
        8.2.6 Monitoring and measurement of product
    8.3 Control of nonconforming product
        8.3.1 General
        8.3.2 Actions in response to nonconforming product detected before delivery
        8.3.3 Actions in response to nonconforming product detected after delivery
        8.3.4 Rework
    8.4 Analysis of data
    8.5 Improvement
        8.5.1 General
        8.5.2 Corrective action
        8.5.3 Preventive action
Annex A (informative) Comparison of content between ISO 13485:2003 and ISO 13485:2016
Annex B (informative) Correspondence between ISO 13485:2016 and ISO 9001:2015
Bibliography


Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directive

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patent

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO’s adherence to the World in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.

The committee responsible for this document is Technical Committee ISO/TC 210, Quality management and corresponding general aspects for medical devices.

This third edition of ISO 13485 cancels and replaces the second edition (ISO 13485:2003) and ISO/TR 14969:2004, which have been technically revised. It also incorporates the Technical Corrigendum ISO 13485:2003/Cor.1:2009. A summary of the changes incorporated into this edition compared with the previous edition is given in Annex A.


Introduction

0.1 General

This International Standard specifies requirements for a quality management system that can be used by an organization involved in one or more stages of the life-cycle of a medical device, including design and development, production, storage and distribution, installation, servicing and final decommissioning and disposal of medical devices, and design and development, or provision of associated activities (e.g. technical support). The requirements in this International Standard can also be used by suppliers or other external parties providing product (e.g. raw materials, components, subassemblies, medical devices, sterilization services, calibration services, distribution services, maintenance services) to such organizations. The supplier or external party can voluntarily choose to conform to the requirements of this International Standard or can be required by contract to conform.

Several jurisdictions have regulatory requirements for the application of quality management systems by organizations with a variety of roles in the supply chain for medical devices. Consequently, this International Standard expects that the organization:

— identifies its role(s) under applicable regulatory requirements;
— identifies the regulatory requirements that apply to its activities under these roles;
— incorporates these applicable regulatory requirements within its quality management system.

The definitions in applicable regulatory requirements differ from nation to nation and region to region. The organization needs to understand how the definitions in this International Standard will be interpreted in light of regulatory definitions in the jurisdictions in which the medical devices are made available.

This International Standard can also be used by internal and external parties, including certification bodies, to assess the organization’s ability to meet customer and regulatory requirements applicable to the quality management system and the organization’s own requirements. It is emphasized that the quality management system requirements specified in this International Standard are complementary to the technical requirements for product that are necessary to meet customer and applicable regulatory requirements for safety and performance.

The adoption of a quality management system is a strategic decision of an organization. The design and implementation of an organization’s quality management system is influenced by the:

a) organizational environment, changes in that environment, and the influence that the organizational environment has on the conformity of the medical devices;
b) organization’s varying needs;
c) organization’s particular objectives;
d) product the organization provides;
e) processes the organization employs;
f) organization’s size and organizational structure;
g) regulatory requirements applicable to the organization’s activities.

It is not the intent of this International Standard to imply the need for uniformity in the structure of different quality management systems, uniformity of documentation or alignment of documentation to the clause structure of this International Standard.

There is a wide variety of medical devices and some of the particular requirements of this International Standard only apply to named groups of medical devices. These groups are defined in Clause 3.


0.2 Clarification of concepts

In this International Standard, the following terms or phrases are used in the context described below.

— When a requirement is qualified by the phrase “as appropriate”, it is deemed to be appropriate unless the organization can justify otherwise. A requirement is considered appropriate if it is necessary for:
    — product to meet requirements;
    — compliance with applicable regulatory requirements;
    — the organization to carry out corrective action;
    — the organization to manage risks.
— When the term “risk” is used, the application of the term within the scope of this International Standard pertains to safety or performance requirements of the medical device or meeting applicable regulatory requirements.
— When a requirement is required to be “documented”, it is also required to be established, implemented and maintained.
— When the term “product” is used, it can also mean “service”. Product applies to output that is intended for, or required by, a customer, or any intended output resulting from a product realization process.
— When the term “regulatory requirements” is used, it encompasses requirements contained in any law applicable to the user of this International Standard (e.g. statutes, regulations, ordinances or directives). The application of the term “regulatory requirements” is limited to requirements for the quality management system and the safety or performance of the medical device.

In this International Standard, the following verbal forms are used:

— “shall” indicates a requirement;
— “should” indicates a recommendation;
— “may” indicates a permission;
— “can” indicates a possibility or a capability.

Information marked as “NOTE” is for guidance in understanding or clarifying the associated requirement.

0.3 Process approach

This International Standard is based on a process approach to quality management. Any activity that receives input and converts it to output can be considered as a process. Often the output from one process directly forms the input to the next process.

For an organization to function effectively, it needs to identify and manage numerous linked processes. The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management to produce the desired outcome, can be referred to as the “process approach.”

When used within a quality management system, such an approach emphasizes the importance of:

a) understanding and meeting requirements;
b) considering processes in terms of added value;
c) obtaining results of process performance and effectiveness;
d) improving processes based on objective measurement.


0.4 Relationship with ISO 9001

While this is a stand-alone standard, it is based on ISO 9001:2008, which has been superseded by ISO 9001:2015. For the convenience of users, Annex B shows the correspondence between this International Standard and ISO 9001:2015.

This International Standard is intended to facilitate global alignment of appropriate regulatory requirements for quality management systems applicable to organizations involved in one or more stages of the life-cycle of a medical device. This International Standard includes some particular requirements for organizations involved in the life-cycle of medical devices and excludes some of the requirements of ISO 9001 that are not appropriate as regulatory requirements. Because of these exclusions, organizations whose quality management systems conform to this International Standard cannot claim conformity to ISO 9001 unless their quality management system meets all the requirements of ISO 9001.

0.5 Compatibility with other management systems

This International Standard does not include requirements specific to other management systems, such as those particular to environmental management, occupational health and safety management, or financial management. However, this International Standard enables an organization to align or integrate its own quality management system with related management system requirements. It is possible for an organization to adapt its existing management system(s) in order to establish a quality management system that complies with the requirements of this International Standard.


Medical devices — Quality management systems — Requirements for regulatory purposes

1 Scope

This International Standard specifies requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements. Such organizations can be involved in one or more stages of the life-cycle, including design and development, production, storage and distribution, installation, or servicing of a medical device and design and development or provision of associated activities (e.g. technical support). This International Standard can also be used by suppliers or external parties that provide product, including quality management system-related services to such organizations.

Requirements of this International Standard are applicable to organizations regardless of their size and regardless of their type except where explicitly stated. Wherever requirements are specified as applying to medical devices, the requirements apply equally to associated services as supplied by the organization.

The processes required by this International Standard that are applicable to the organization, but are not performed by the organization, are the responsibility of the organization and are accounted for in the organization’s quality management system by monitoring, maintaining, and controlling the processes.

If applicable regulatory requirements permit exclusions of design and development controls, this can be used as a justification for their exclusion from the quality management system. These regulatory requirements can provide alternative approaches that are to be addressed in the quality management system. It is the responsibility of the organization to ensure that claims of conformity to this International Standard reflect any exclusion of design and development controls.

If any requirement in Clauses 6, 7 or 8 of this International Standard is not applicable due to the activities undertaken by the organization or the nature of the medical device for which the quality management system is applied, the organization does not need to include such a requirement in its quality management system. For any clause that is determined to be not applicable, the organization records the justification as described in 4.2.2.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 9000:2015 1), Quality management systems — Fundamentals and vocabulary

1) Supersedes ISO 9000:2005.

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 9000:2015 and the following apply.


3.1

advisory notice

notice issued by the organization, subsequent to delivery of the medical device, to provide supplementary information or to advise on action to be taken in the:

—    use of a medical device,

—    modification of a medical device,

—    return of the medical device to the organization that supplied it, or

—    destruction of a medical device

Note 1 to entry: Issuance of an advisory notice can be required to comply with applicable regulatory requirements.

3.2

authorized representative

natural or legal person established within a country or jurisdiction who has received a written mandate from the manufacturer to act on his behalf for specified tasks with regard to the latter’s obligations under that country or jurisdiction’s legislation

[SOURCE: GHTF/SG1/N055:2009, 5.2]

3.3

clinical evaluation

assessment and analysis of clinical data pertaining to a medical device to verify the clinical safety and performance of the device when used as intended by the manufacturer

[SOURCE: GHTF/SG5/N4:2010, Clause 4]

3.4

complaint

written, electronic or oral communication that alleges deficiencies related to the identity, quality, durability, reliability, usability, safety or performance of a medical device that has been released from the organization’s control or related to a service that affects the performance of such medical devices

Note 1 to entry: This definition of “complaint” differs from the definition given in ISO 9000:2015.

3.5

distributor

natural or legal person in the supply chain who, on his own behalf, furthers the availability of a medical device to the end user

Note 1 to entry: More than one distributor may be involved in the supply chain.

Note 2 to entry: Persons in the supply chain involved in activities such as storage and transport on behalf of the manufacturer, importer or distributor, are not distributors under this definition.

[SOURCE: GHTF/SG1/N055:2009, 5.3]

3.6

implantable medical device

medical device which can only be removed by medical or surgical intervention and which is intended to:

—    be totally or partially introduced into the human body or a natural orifice, or

—    replace an epithelial surface or the surface of the eye, and

—    remain after the procedure for at least 30 days

Note 1 to entry: This definition of implantable medical device includes active implantable medical device.

3.7

importer

natural or legal person in the supply chain who is the first in a supply chain to make a medical device, manufactured in another country or jurisdiction, available in the country or jurisdiction where it is to be marketed

[SOURCE: GHTF/SG1/N055:2009, 5.4]

3.8

labelling

label, instructions for use, and any other information that is related to identification, technical description, intended purpose and proper use of the medical device, but excluding shipping documents

[SOURCE: GHTF/SG1/N70:2011, Clause 4]

3.9

life-cycle

all phases in the life of a medical device, from the initial conception to final decommissioning and disposal

[SOURCE: ISO 14971:2007, 2.7]

3.10

manufacturer

natural or legal person with responsibility for design and/or manufacture of a medical device with the intention of making the medical device available for use, under his name; whether or not such a medical device is designed and/or manufactured by that person himself or on his behalf by another person(s)

Note 1 to entry: This “natural or legal person” has ultimate legal responsibility for ensuring compliance with all applicable regulatory requirements for the medical devices in the countries or jurisdictions where it is intended to be made available or sold, unless this responsibility is specifically imposed on another person by the Regulatory Authority (RA) within that jurisdiction.

Note 2 to entry: The manufacturer’s responsibilities are described in other GHTF guidance documents. These responsibilities include meeting both pre-market requirements and post-market requirements, such as adverse event reporting and notification of corrective actions.

Note 3 to entry: “Design and/or manufacture”, as referred to in the above definition, may include specification development, production, fabrication, assembly, processing, packaging, repackaging, labelling, relabelling, sterilization, installation, or remanufacturing of a medical device; or putting a collection of devices, and possibly other products, together for a medical purpose.

Note 4 to entry: Any person who assembles or adapts a medical device that has already been supplied by another person for an individual patient, in accordance with the instructions for use, is not the manufacturer, provided the assembly or adaptation does not change the intended use of the medical device.

Note 5 to entry: Any person who changes the intended use of, or modifies, a medical device without acting on behalf of the original manufacturer and who makes it available for use under his own name, should be considered the manufacturer of the modified medical device.

Note 6 to entry: An authorized representative, distributor or importer who only adds its own address and contact details to the medical device or the packaging, without covering or changing the existing labelling, is not considered a manufacturer.

Note 7 to entry: To the extent that an accessory is subject to the regulatory requirements of a medical device, the person responsible for the design and/or manufacture of that accessory is considered to be a manufacturer.

[SOURCE: GHTF/SG1/N055:2009, 5.1]

3.11

medical device

instrument, apparatus, implement, machine, appliance, implant, reagent for in vitro use, software, material or other similar or related article, intended by the manufacturer to be used, alone or in combination, for human beings, for one or more of the specific medical purpose(s) of:

—    diagnosis, prevention, monitoring, treatment or alleviation of disease;

—    diagnosis, monitoring, treatment, alleviation of or compensation for an injury;

—    investigation, replacement, modification, or support of the anatomy or of a physiological process;

—    supporting or sustaining life;

—    control of conception;

—    disinfection of medical devices;

—    providing information by means of in vitro examination of specimens derived from the human body;

and does not achieve its primary intended action by pharmacological, immunological or metabolic means, in or on the human body, but which may be assisted in its intended function by such means

Note 1 to entry: Products which may be considered to be medical devices in some jurisdictions but not in others include:

—    disinfection substances;

—    aids for persons with disabilities;

—    devices incorporating animal and/or human tissues;

—    devices for in vitro fertilization or assisted reproduction technologies.

[SOURCE: GHTF/SG1/N071:2012, 5.1]

3.12

medical device family

group of medical devices manufactured by or for the same organization and having the same basic design and performance characteristics related to safety, intended use and function

3.13

performance evaluation

assessment and analysis of data to establish or verify the ability of an in vitro diagnostic medical device to achieve its intended use

3.14

post-market surveillance

systematic process to collect and analyse experience gained from medical devices that have been placed on the market

3.15

product

result of a process

Note 1 to entry: There are four generic product categories, as follows:

—    services (e.g. transport);

—    software (e.g. computer program, dictionary);

—    hardware (e.g. engine mechanical part);

—    processed materials (e.g. lubricant).

Many products comprise elements belonging to different generic product categories. Whether the product is then called service, software, hardware or processed material depends on the dominant element. For example, the offered product “automobile” consists of hardware (e.g. tyres), processed materials (e.g. fuel, cooling liquid), software (e.g. engine control software, driver’s manual), and service (e.g. operating explanations given by the salesman).

Note 2 to entry: Service is the result of at least one activity necessarily performed at the interface between the supplier and customer and is generally intangible. Provision of a service can involve, for example, the following:

—    an activity performed on a customer-supplied tangible product (e.g. automobile to be repaired);

—    an activity performed on a customer-supplied intangible product (e.g. the income statement needed to prepare a tax return);

—    the delivery of an intangible product (e.g. the delivery of information in the context of knowledge transmission);

—    the creation of ambience for the customer (e.g. in hotels and restaurants).

Software consists of information and is generally intangible and can be in the form of approaches, transactions or procedures.

Hardware is generally tangible and its amount is a countable characteristic. Processed materials are generally tangible and their amount is a continuous characteristic. Hardware and processed materials often are referred to as goods.

Note 3 to entry: This definition of “product” differs from the definition given in ISO 9000:2015.

[SOURCE: ISO 9000:2005 2), 3.4.2, modified]

3.16

purchased product

product provided by a party outside the organization’s quality management system

Note 1 to entry: The provision of product does not necessarily infer a commercial or financial arrangement.

3.17

risk

combination of the probability of occurrence of harm and the severity of that harm

Note 1 to entry: This definition of “risk” differs from the definition given in ISO 9000:2015.

[SOURCE: ISO 14971:2007, 2.16]

3.18

risk management

systematic application of management policies, procedures and practices to the tasks of analysing, evaluating, controlling and monitoring risk

[SOURCE: ISO 14971:2007, 2.22]

3.19

sterile barrier system

minimum package that prevents ingress of microorganisms and allows aseptic presentation of the product at the point of use

[SOURCE: ISO 11607-1:2006, 3.22]

2) Superseded by ISO 9000:2015.

3.20

sterile medical device

medical device intended to meet the requirements for sterility

Note 1 to entry: The requirements for sterility of a medical device can be subject to applicable regulatory requirements or standards.

4    Quality management system

4.1    General requirements

4.1.1    The organization shall document a quality management system and maintain its effectiveness in accordance with the requirements of this International Standard and applicable regulatory requirements.

The organization shall establish, implement and maintain any requirement, procedure, activity or arrangement required to be documented by this International Standard or applicable regulatory requirements.

The organization shall document the role(s) undertaken by the organization under the applicable regulatory requirements.

NOTE    Roles undertaken by the organization can include manufacturer, authorized representative, importer or distributor.

4.1.2    The organization shall:

a)    determine the processes needed for the quality management system and the application of these processes throughout the organization taking into account the roles undertaken by the organization;

b)    apply a risk based approach to the control of the appropriate processes needed for the quality management system;

c)    determine the sequence and interaction of these processes.

4.1.3    For each quality management system process, the organization shall:

a)    determine criteria and methods needed to ensure that both the operation and control of these processes are effective;

b)    ensure the availability of resources and information necessary to support the operation and monitoring of these processes;

c)    implement actions necessary to achieve planned results and maintain the effectiveness of these processes;

d)    monitor, measure as appropriate, and analyse these processes;

e)    establish and maintain records needed to demonstrate conformance to this International Standard and compliance with applicable regulatory requirements (see 4.2.5).

4.1.4    The organization shall manage these quality management system processes in accordance with the requirements of this International Standard and applicable regulatory requirements. Changes to be made to these processes shall be:

a)    evaluated for their impact on the quality management system;

b)    evaluated for their impact on the medical devices produced under this quality management system;

c)    controlled in accordance with the requirements of this International Standard and applicable regulatory requirements.

4.1.5    When the organization chooses to outsource any process that affects product conformity to requirements, it shall monitor and ensure control over such processes. The organization shall retain responsibility of conformity to this International Standard and to customer and applicable regulatory requirements for outsourced processes. The controls shall be proportionate to the risk involved and the ability of the external party to meet the requirements in accordance with 7.4. The controls shall include written quality agreements.

4.1.6    The organization shall document procedures for the validation of the application of computer software used in the quality management system. Such software applications shall be validated prior to initial use and, as appropriate, after changes to such software or its application.

The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of the software.

Records of such activities shall be maintained (see 4.2.5).

4.2    Documentation requirements

4.2.1    General

The quality management system documentation (see 4.2.4) shall include:

a)    documented statements of a quality policy and quality objectives;

b)    a quality manual;

c)    documented procedures and records required by this International Standard;

d)    documents, including records, determined by the organization to be necessary to ensure the effective planning, operation, and control of its processes;

e)    other documentation specified by applicable regulatory requirements.

4.2.2    Quality manual

The organization shall document a quality manual that includes:

a)    the scope of the quality management system, including details of and justification for any exclusion or non-application;

b)    the documented procedures for the quality management system, or reference to them;

c)    a description of the interaction between the processes of the quality management system.

The quality manual shall outline the structure of the documentation used in the quality management system.

4.2.3    Medical device file

For each medical device type or medical device family, the organization shall establish and maintain one or more files either containing or referencing documents generated to demonstrate conformity to the requirement of this International Standard and compliance with applicable regulatory requirements.

The content of the file(s) shall include, but is not limited to:

a)    general description of the medical device, intended use/purpose, and labelling, including any instructions for use;

b)    specifications for product;

c)    specifications or procedures for manufacturing, packaging, storage, handling and distribution;

d)    procedures for measuring and monitoring;

e)    as appropriate, requirements for installation;

f)    as appropriate, procedures for servicing.

4.2.4    Control of documents

Documents required by the quality management system shall be controlled. Records are a special type of document and shall be controlled according to the requirements given in 4.2.5.

A documented procedure shall define the controls needed to:

a)    review and approve documents for adequacy prior to issue;

b)    review, update as necessary and re-approve documents;

c)    ensure that the current revision status of and changes to documents are identified;

d)    ensure that relevant versions of applicable documents are available at points of use;

e)    ensure that documents remain legible and readily identifiable;

f)    ensure that documents of external origin, determined by the organization to be necessary for the planning and operation of the quality management system, are identified and their distribution controlled;

g)    prevent deterioration or loss of documents;

h)    prevent the unintended use of obsolete documents and apply suitable identification to them.

The organization shall ensure that changes to documents are reviewed and approved either by the original approving function or another designated function that has access to pertinent background information upon which to base its decisions.

The organization shall define the period for which at least one copy of obsolete documents shall be retained. This period shall ensure that documents to which medical devices have been manufactured and tested are available for at least the lifetime of the medical device as defined by the organization, but not less than the retention period of any resulting record (see 4.2.5), or as specified by applicable regulatory requirements.

4.2.5    Control of records

Records shall be maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system.

The organization shall document procedures to define the controls needed for the identification, storage, security and integrity, retrieval, retention time and disposition of records.

The organization shall define and implement methods for protecting confidential health information contained in records in accordance with the applicable regulatory requirements.

Records shall remain legible, readily identifiable and retrievable. Changes to a record shall remain identifiable.

The organization shall retain the records for at least the lifetime of the medical device as defined by the organization, or as specified by applicable regulatory requirements, but not less than two years from the medical device release by the organization.

5    Management responsibility

5.1    Management commitment

Top management shall provide evidence of its commitment to the development and implementation of the quality management system and maintenance of its effectiveness by:

a)    communicating to the organization the importance of meeting customer as well as applicable regulatory requirements;

b)    establishing the quality policy;

c)    ensuring that quality objectives are established;

d)    conducting management reviews;

e)    ensuring the availability of resources.

5.2    Customer focus

Top management shall ensure that customer requirements and applicable regulatory requirements are determined and met.

5.3    Quality policy

Top management shall ensure that the quality policy:

a)    is applicable to the purpose of the organization;

b)    includes a commitment to comply with requirements and to maintain the effectiveness of the quality management system;

c)    provides a framework for establishing and reviewing quality objectives;

d)    is communicated and understood within the organization;

e)    is reviewed for continuing suitability.

5.4    Planning

5.4.1    Quality objectives

Top management shall ensure that quality objectives, including those needed to meet applicable regulatory requirements and requirements for product, are established at relevant functions and levels within the organization. The quality objectives shall be measurable and consistent with the quality policy.

5.4.2    Quality management system planning

Top management shall ensure that:

a)    the planning of the quality management system is carried out in order to meet the requirements given in 4.1, as well as the quality objectives;

b)    the integrity of the quality management system is maintained when changes to the quality management system are planned and implemented.

5.5    Responsibility, authority and communication

5.5.1    Responsibility and authority

Top management shall ensure that responsibilities and authorities are defined, documented and communicated within the organization.

Top management shall document the interrelation of all personnel who manage, perform and verify work affecting quality and shall ensure the independence and authority necessary to perform these tasks.

5.5.2    Management representative

Top management shall appoint a member of management who, irrespective of other responsibilities, has responsibility and authority that includes:

a)    ensuring that processes needed for the quality management system are documented;

b)    reporting to top management on the effectiveness of the quality management system and any need for improvement;

c)    ensuring the promotion of awareness of applicable regulatory requirements and quality management system requirements throughout the organization.

5.5.3    Internal communication

Top management shall ensure that appropriate communication processes are established within the organization and that communication takes place regarding the effectiveness of the quality management system.

5.6    Management review

5.6.1    General

The organization shall document procedures for management review. Top management shall review the organization’s quality management system at documented planned intervals to ensure its continuing suitability, adequacy and effectiveness. The review shall include assessing opportunities for improvement and the need for changes to the quality management system, including the quality policy and quality objectives.

Records from management reviews shall be maintained (see 4.2.5).

5.6.2    Review input

The input to management review shall include, but is not limited to, information arising from:

a)    feedback;

b)    complaint handling;

c)    reporting to regulatory authorities;

d)    audits;

e)    monitoring and measurement of processes;

f)    monitoring and measurement of product;

g)    corrective action;

h)    preventive action;

i)    follow-up actions from previous management reviews;

j)    changes that could affect the quality management system;

k)    recommendations for improvement;

l)    applicable new or revised regulatory requirements.

5.6.3    Review output

The output from management review shall be recorded (see 4.2.5) and include the input reviewed and any decisions and actions related to:

a)    improvement needed to maintain the suitability, adequacy, and effectiveness of the quality management system and its processes;

b)    improvement of product related to customer requirements;

c)    changes needed to respond to applicable new or revised regulatory requirements;

d)    resource needs.

6    Resource management

6.1    Provision of resources

The organization shall determine and provide the resources needed to:

a)    implement the quality management system and to maintain its effectiveness;

b)    meet applicable regulatory and customer requirements.

6.2    Human resources

Personnel performing work affecting product quality shall be competent on the basis of appropriate education, training, skills and experience.

The organization shall document the process(es) for establishing competence, providing needed training, and ensuring awareness of personnel.

The organization shall:

a)    determine the necessary competence for personnel performing work affecting product quality;

b)    provide training or take other actions to achieve or maintain the necessary competence;

c)    evaluate the effectiveness of the actions taken;

d)    ensure that its personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of the quality objectives;

e)    maintain appropriate records of education, training, skills and experience (see 4.2.5).

NOTE    The methodology used to check effectiveness is proportionate to the risk associated with the work for which the training or other action is being provided.

6.3    Infrastructure

The organization shall document the requirements for the infrastructure needed to achieve conformity to product requirements, prevent product mix-up and ensure orderly handling of product. Infrastructure includes, as appropriate:

a)    buildings, workspace and associated utilities;

b)    process equipment (both hardware and software);

c)    supporting services (such as transport, communication, or information systems).

The organization shall document requirements for the maintenance activities, including the interval of performing the maintenance activities, when such maintenance activities, or lack thereof, can affect product quality. As appropriate, the requirements shall apply to equipment used in production, the control of the work environment and monitoring and measurement.

Records of such maintenance shall be maintained (see 4.2.5).

6.4    Work environment and contamination control

6.4.1    Work environment

The organization shall document the requirements for the work environment needed to achieve conformity to product requirements.

If the conditions for the work environment can have an adverse effect on product quality, the organization shall document the requirements for the work environment and the procedures to monitor and control the work environment.

The organization shall:

a)    document requirements for health, cleanliness and clothing of personnel if contact between such personnel and the product or work environment could affect medical device safety or performance;

b)    ensure that all personnel who are required to work temporarily under special environmental conditions within the work environment are competent or supervised by a competent person.

NOTE    Further information can be found in ISO 14644 and ISO 14698.

6.4.2    Contamination control

As appropriate, the organization shall plan and document arrangements for the control of contaminated or potentially contaminated product in order to prevent contamination of the work environment, personnel, or product.

For sterile medical devices, the organization shall document requirements for control of contamination with microorganisms or particulate matter and maintain the required cleanliness during assembly or packaging processes.

7    Product realization

7.1    Planning of product realization

The organization shall plan and develop the processes needed for product realization. Planning of product realization shall be consistent with the requirements of the other processes of the quality management system.

The organization shall document one or more processes for risk management in product realization. Records of risk management activities shall be maintained (see 4.2.5).

In planning product realization, the organization shall determine the following, as appropriate:

a)    quality objectives and requirements for the product;

b)    the need to establish processes and documents (see 4.2.4) and to provide resources specific to the product, including infrastructure and work environment;

c)    required verification, validation, monitoring, measurement, inspection and test, handling, storage, distribution and traceability activities specific to the product together with the criteria for product acceptance;

d)    records needed to provide evidence that the realization processes and resulting product meet requirements (see 4.2.5).

The output of this planning shall be documented in a form suitable for the organization’s method of operations.

NOTE    Further information can be found in ISO 14971.

7.2    Customer-related processes

7.2.1    Determination of requirements related to product

The organization shall determine:

a)    requirements specified by the customer, including the requirements for delivery and post-delivery activities;

b)    requirements not stated by the customer but necessary for specified or intended use, as known;

c)    applicable regulatory requirements related to the product;

d)    any user training needed to ensure specified performance and safe use of the medical device;

e)    any additional requirements determined by the organization.

7.2.2    Review of requirements related to product

The organization shall review the requirements related to product. This review shall be conducted prior to the organization’s commitment to supply product to the customer (e.g. submission of tenders, acceptance of contracts or orders, acceptance of changes to contracts or orders) and shall ensure that:

a)    product requirements are defined and documented;

b)    contract or order requirements differing from those previously expressed are resolved;

c)    applicable regulatory requirements are met;

d)    any user training identified in accordance with 7.2.1 is available or planned to be available;

e)    the organization has the ability to meet the defined requirements.

Records of the results of the review and actions arising from the review shall be maintained (see 4.2.5).

When the customer provides no documented statement of requirement, the customer requirements shall be confirmed by the organization before acceptance.

When product requirements are changed, the organization shall ensure that relevant documents are amended and that relevant personnel are made aware of the changed requirements.

7.2.3    Communication

The organization shall plan and document arrangements for communicating with customers in relation to:

a)    product information;

b)    enquiries, contracts or order handling, including amendments;

c)    customer feedback, including complaints;

d)    advisory notices.

The organization shall communicate with regulatory authorities in accordance with applicable regulatory requirements.

7.3

Design and development

General

7.3.1

The organization shall  document procedures for design and development.

7.3.2 Design and development planning

The organization shall plan and control the design and development of product. As appropriate, design and development planning documents shall be maintained and updated as the design and development progresses.

During design and development planning, the organization shall document:

a) the design and development stages;
b) the review(s) needed at each design and development stage;
c) the verification, validation, and design transfer activities that are appropriate at each design and development stage;
d) the responsibilities and authorities for design and development;
e) the methods to ensure traceability of design and development outputs to design and development inputs;
f) the resources needed, including necessary competence of personnel.

7.3.3 Design and development inputs

Inputs relating to product requirements shall be determined and records maintained (see 4.2.5). These inputs shall include:

a) functional, performance, usability and safety requirements, according to the intended use;
b) applicable regulatory requirements and standards;
c) applicable output(s) of risk management;
d) as appropriate, information derived from previous similar designs;
e) other requirements essential for design and development of the product and processes.

These inputs shall be reviewed for adequacy and approved.

Requirements shall be complete, unambiguous, able to be verified or validated, and not in conflict with each other.

NOTE Further information can be found in IEC 62366-1.

7.3.4 Design and development outputs

Design and development outputs shall:

a) meet the input requirements for design and development;
b) provide appropriate information for purchasing, production and service provision;
c) contain or reference product acceptance criteria;
d) specify the characteristics of the product that are essential for its safe and proper use.

The outputs of design and development shall be in a form suitable for verification against the design and development inputs and shall be approved prior to release.

Records of the design and development outputs shall be maintained (see 4.2.5).

7.3.5 Design and development review

At suitable stages, systematic reviews of design and development shall be performed in accordance with planned and documented arrangements to:

a) evaluate the ability of the results of design and development to meet requirements;
b) identify and propose necessary actions.

Participants in such reviews shall include representatives of functions concerned with the design and development stage being reviewed, as well as other specialist personnel.

Records of the results of the reviews and any necessary actions shall be maintained and include the identification of the design under review, the participants involved and the date of the review (see 4.2.5).

7.3.6 Design and development verification

Design and development verification shall be performed in accordance with planned and documented arrangements to ensure that the design and development outputs have met the design and development input requirements.

The organization shall document verification plans that include methods, acceptance criteria and, as appropriate, statistical techniques with rationale for sample size.

If the intended use requires that the medical device be connected to, or have an interface with, other medical device(s), verification shall include confirmation that the design outputs meet design inputs when so connected or interfaced.

Records of the results and conclusions of the verification and necessary actions shall be maintained (see 4.2.4 and 4.2.5).

7.3.7 Design and development validation

Design and development validation shall be performed in accordance with planned and documented arrangements to ensure that the resulting product is capable of meeting the requirements for the specified application or intended use.

The organization shall document validation plans that include methods, acceptance criteria and, as appropriate, statistical techniques with rationale for sample size.

Design validation shall be conducted on representative product. Representative product includes initial production units, batches or their equivalents. The rationale for the choice of product used for validation shall be recorded (see 4.2.5).

As part of design and development validation, the organization shall perform clinical evaluations or performance evaluations of the medical device in accordance with applicable regulatory requirements. A medical device used for clinical evaluation or performance evaluation is not considered to be released for use to the customer.

If the intended use requires that the medical device be connected to, or have an interface with, other medical device(s), validation shall include confirmation that the requirements for the specified application or intended use have been met when so connected or interfaced.

Validation shall be completed prior to release for use of the product to the customer.

Records of the results and conclusion of validation and necessary actions shall be maintained (see 4.2.4 and 4.2.5).

7.3.8 Design and development transfer

The organization shall document procedures for transfer of design and development outputs to manufacturing. These procedures shall ensure that design and development outputs are verified as suitable for manufacturing before becoming final production specifications and that production capability can meet product requirements.

Results and conclusions of the transfer shall be recorded (see 4.2.5).

7.3.9 Control of design and development changes

The organization shall document procedures to control design and development changes. The organization shall determine the significance of the change to function, performance, usability, safety and applicable regulatory requirements for the medical device and its intended use.

Design and development changes shall be identified. Before implementation, the changes shall be:

a) reviewed;
b) verified;
c) validated, as appropriate;
d) approved.

The review of design and development changes shall include evaluation of the effect of the changes on constituent parts and product in process or already delivered, inputs or outputs of risk management and product realization processes.

Records of changes, their review and any necessary actions shall be maintained (see 4.2.5).

7.3.10 Design and development files

The organization shall maintain a design and development file for each medical device type or medical device family. This file shall include or reference records generated to demonstrate conformity to the requirements for design and development and records for design and development changes.

7.4 Purchasing

7.4.1 Purchasing process

The organization shall document procedures (see 4.2.4) to ensure that purchased product conforms to specified purchasing information.

The organization shall establish criteria for the evaluation and selection of suppliers. The criteria shall be:

a) based on the supplier’s ability to provide product that meets the organization’s requirements;
b) based on the performance of the supplier;
c) based on the effect of the purchased product on the quality of the medical device;
d) proportionate to the risk associated with the medical device.

The organization shall plan the monitoring and re-evaluation of suppliers. Supplier performance in meeting requirements for the purchased product shall be monitored. The results of the monitoring shall provide an input into the supplier re-evaluation process.

Non-fulfilment of purchasing requirements shall be addressed with the supplier proportionate to the risk associated with the purchased product and compliance with applicable regulatory requirements.

Records of the results of evaluation, selection, monitoring and re-evaluation of supplier capability or performance and any necessary actions arising from these activities shall be maintained (see 4.2.5).

7.4.2 Purchasing information

Purchasing information shall describe or reference the product to be purchased, including as appropriate:

a) product specifications;
b) requirements for product acceptance, procedures, processes and equipment;
c) requirements for qualification of supplier personnel;
d) quality management system requirements.

The organization shall ensure the adequacy of specified purchasing requirements prior to their communication to the supplier.

Purchasing information shall include, as applicable, a written agreement that the supplier notify the organization of changes in the purchased product prior to implementation of any changes that affect the ability of the purchased product to meet specified purchase requirements.

To the extent required for traceability given in 7.5.9, the organization shall maintain relevant purchasing information in the form of documents (see 4.2.4) and records (see 4.2.5).

7.4.3 Verification of purchased product

The organization shall establish and implement the inspection or other activities necessary for ensuring that purchased product meets specified purchasing requirements. The extent of verification activities shall be based on the supplier evaluation results and proportionate to the risks associated with the purchased product.

When the organization becomes aware of any changes to the purchased product, the organization shall determine whether these changes affect the product realization process or the medical device.

When the organization or its customer intends to perform verification at the supplier’s premises, the organization shall state the intended verification activities and method of product release in the purchasing information.

Records of the verification shall be maintained (see 4.2.5).

7.5 Production and service provision

7.5.1 Control of production and service provision

Production and service provision shall be planned, carried out, monitored and controlled to ensure that product conforms to specification. As appropriate, production controls shall include but are not limited to:

a) documentation of procedures and methods for the control of production (see 4.2.4);
b) qualification of infrastructure;
c) implementation of monitoring and measurement of process parameters and product characteristics;
d) availability and use of monitoring and measuring equipment;
e) implementation of defined operations for labelling and packaging;
f) implementation of product release, delivery and post-delivery activities.

The organization shall establish and maintain a record (see 4.2.5) for each medical device or batch of medical devices that provides traceability to the extent specified in 7.5.9 and identifies the amount manufactured and amount approved for distribution. The record shall be verified and approved.

7.5.2 Cleanliness of product

The organization shall document requirements for cleanliness of product or contamination control of product if:

a) product is cleaned by the organization prior to sterilization or its use;
b) product is supplied non-sterile and is to be subjected to a cleaning process prior to sterilization or its use;
c) product cannot be cleaned prior to sterilization or its use, and its cleanliness is of significance in use;
d) product is supplied to be used non-sterile, and its cleanliness is of significance in use;
e) process agents are to be removed from product during manufacture.

If product is cleaned in accordance with a) or b) above, the requirements contained in 6.4.1 do not apply prior to the cleaning process.

7.5.3 Installation activities

The organization shall document requirements for medical device installation and acceptance criteria for verification of installation, as appropriate.

If the agreed customer requirements allow installation of the medical device to be performed by an external party other than the organization or its supplier, the organization shall provide documented requirements for medical device installation and verification of installation.

Records of medical device installation and verification of installation performed by the organization or its supplier shall be maintained (see 4.2.5).

7.5.4 Servicing activities

If servicing of the medical device is a specified requirement, the organization shall document servicing procedures, reference materials, and reference measurements, as necessary, for performing servicing activities and verifying that product requirements are met.

The organization shall analyse records of servicing activities carried out by the organization or its supplier:

a) to determine if the information is to be handled as a complaint;
b) as appropriate, for input to the improvement process.

Records of servicing activities carried out by the organization or its supplier shall be maintained (see 4.2.5).

7.5.5 Particular requirements for sterile medical devices

The organization shall maintain records of the sterilization process parameters used for each sterilization batch (see 4.2.5). Sterilization records shall be traceable to each production batch of medical devices.

7.5.6 Validation of processes for production and service provision

The organization shall validate any processes for production and service provision where the resulting output cannot be or is not verified by subsequent monitoring or measurement and, as a consequence, deficiencies become apparent only after the product is in use or the service has been delivered.

Validation shall demonstrate the ability of these processes to achieve planned results consistently.

The organization shall document procedures for validation of processes, including:

a) defined criteria for review and approval of the processes;
b) equipment qualification and qualification of personnel;
c) use of specific methods, procedures and acceptance criteria;
d) as appropriate, statistical techniques with rationale for sample sizes;
e) requirements for records (see 4.2.5);
f) revalidation, including criteria for revalidation;
g) approval of changes to the processes.

The organization shall document procedures for the validation of the application of computer software used in production and service provision. Such software applications shall be validated prior to initial use and, as appropriate, after changes to such software or its application. The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of the software, including the effect on the ability of the product to conform to specifications.

Records of the results and conclusion of validation and necessary actions from the validation shall be maintained (see 4.2.4 and 4.2.5).

7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier systems

The organization shall document procedures (see 4.2.4) for the validation of processes for sterilization and sterile barrier systems.

Processes for sterilization and sterile barrier systems shall be validated prior to implementation and following product or process changes, as appropriate.

Records of the results and conclusion of validation and necessary actions from the validation shall be maintained (see 4.2.4 and 4.2.5).

NOTE Further information can be found in ISO 11607-1 and ISO 11607-2.

7.5.8 Identification

The organization shall document procedures for product identification and identify product by suitable means throughout product realization.

The organization shall identify product status with respect to monitoring and measurement requirements throughout product realization. Identification of product status shall be maintained throughout production, storage, installation and servicing of product to ensure that only product that has passed the required inspections and tests or released under an authorized concession is dispatched, used or installed.

If required by applicable regulatory requirements, the organization shall document a system to assign unique device identification to the medical device.

The organization shall document procedures to ensure that medical devices returned to the organization are identified and distinguished from conforming product.

7.5.9 Traceability

7.5.9.1 General

The organization shall document procedures for traceability. These procedures shall define the extent of traceability in accordance with applicable regulatory requirements and the records to be maintained (see 4.2.5).

7.5.9.2 Particular requirements for implantable medical devices

The records required for traceability shall include records of components, materials, and conditions for the work environment used, if these could cause the medical device not to satisfy its specified safety and performance requirements.

The organization shall require that suppliers of distribution services or distributors maintain records of the distribution of medical devices to allow traceability and that these records are available for inspection.

Records of the name and address of the shipping package consignee shall be maintained (see 4.2.5).

7.5.10 Customer property

The organization shall identify, verify, protect, and safeguard customer property provided for use or incorporation into the product while it is under the organization’s control or being used by the organization. If any customer property is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the customer and maintain records (see 4.2.5).

7.5.11 Preservation of product

The organization shall document procedures for preserving the conformity of product to requirements during processing, storage, handling, and distribution. Preservation shall apply to the constituent parts of a medical device.

The organization shall protect product from alteration, contamination or damage when exposed to expected conditions and hazards during processing, storage, handling, and distribution by:

a) designing and constructing suitable packaging and shipping containers;
b) documenting requirements for special conditions needed if packaging alone cannot provide preservation.

If special conditions are required, they shall be controlled and recorded (see 4.2.5).

7.6 Control of monitoring and measuring equipment

The organization shall determine the monitoring and measurement to be undertaken and the monitoring and measuring equipment needed to provide evidence of conformity of product to determined requirements.

The organization shall document procedures to ensure that monitoring and measurement can be carried out and are carried out in a manner that is consistent with the monitoring and measurement requirements.

As necessary to ensure valid results, measuring equipment shall:

a) be calibrated or verified, or both, at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards: when no such standards exist, the basis used for calibration or verification shall be recorded (see 4.2.5);
b) be adjusted or re-adjusted as necessary: such adjustments or re-adjustments shall be recorded (see 4.2.5);
c) have identification in order to determine its calibration status;
d) be safeguarded from adjustments that would invalidate the measurement result;
e) be protected from damage and deterioration during handling, maintenance and storage.

The organization shall perform calibration or verification in accordance with documented procedures.

In addition, the organization shall assess and record the validity of the previous measuring results when the equipment is found not to conform to requirements. The organization shall take appropriate action in regard to the equipment and any product affected.

Records of the results of calibration and verification shall be maintained (see 4.2.5).

The organization shall document procedures for the validation of the application of computer software used for the monitoring and measurement of requirements. Such software applications shall be validated prior to initial use and, as appropriate, after changes to such software or its application. The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of the software, including the effect on the ability of the product to conform to specifications.

Records of the results and conclusion of validation and necessary actions from the validation shall be maintained (see 4.2.4 and 4.2.5).

NOTE Further information can be found in ISO 10012.

8 Measurement, analysis and improvement

8.1 General

The organization shall plan and implement the monitoring, measurement, analysis and improvement processes needed to:

a) demonstrate conformity of product;
b) ensure conformity of the quality management system;
c) maintain the effectiveness of the quality management system.

This shall include determination of appropriate methods, including statistical techniques, and the extent of their use.

8.2 Monitoring and measurement

8.2.1 Feedback

As one of the measurements of the effectiveness of the quality management system, the organization shall gather and monitor information relating to whether the organization has met customer requirements. The methods for obtaining and using this information shall be documented.

The organization shall document procedures for the feedback process. This feedback process shall include provisions to gather data from production as well as post-production activities.

The information gathered in the feedback process shall serve as potential input into risk management for monitoring and maintaining the product requirements as well as the product realization or improvement processes.

If applicable regulatory requirements require the organization to gain specific experience from post-production activities, the review of this experience shall form part of the feedback process.

8.2.2 Complaint handling

The organization shall document procedures for timely complaint handling in accordance with applicable regulatory requirements.

These procedures shall include at a minimum requirements and responsibilities for:

a) receiving and recording information;
b) evaluating information to determine if the feedback constitutes a complaint;
c) investigating complaints;
d) determining the need to report the information to the appropriate regulatory authorities;
e) handling of complaint-related product;
f) determining the need to initiate corrections or corrective actions.

If any complaint is not investigated, justification shall be documented. Any correction or corrective action resulting from the complaint handling process shall be documented.

If an investigation determines activities outside the organization contributed to the complaint, relevant information shall be exchanged between the organization and the external party involved.

Complaint handling records shall be maintained (see 4.2.5).

8.2.3 Reporting to regulatory authorities

If applicable regulatory requirements require notification of complaints that meet specified reporting criteria of adverse events or issuance of advisory notices, the organization shall document procedures for providing notification to the appropriate regulatory authorities.

Records of reporting to regulatory authorities shall be maintained (see 4.2.5).

8.2.4 Internal audit

The organization shall conduct internal audits at planned intervals to determine whether the quality management system:

a) conforms to planned and documented arrangements, requirements of this International Standard, quality management system requirements established by the organization, and applicable regulatory requirements;
b) is effectively implemented and maintained.

The organization shall document a procedure to describe the responsibilities and requirements for planning and conducting audits and recording and reporting audit results.

An audit program shall be planned, taking into consideration the status and importance of the processes and area to be audited, as well as the results of previous audits. The audit criteria, scope, interval and methods shall be defined and recorded (see 4.2.5). The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.

Records of the audits and their results, including identification of the processes and areas audited and the conclusions, shall be maintained (see 4.2.5).

The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results.

NOTE Further information can be found in ISO 19011.

8.2.5 Monitoring and measurement of processes

The organization shall apply suitable methods for monitoring and, as appropriate, measurement of the quality management system processes. These methods shall demonstrate the ability of the processes to achieve planned results. When planned results are not achieved, correction and corrective action shall be taken, as appropriate.

8.2.6 Monitoring and measurement of product

The organization shall monitor and measure the characteristics of the product to verify that product requirements have been met. This shall be carried out at applicable stages of the product realization process in accordance with the planned and documented arrangements and documented procedures.

Evidence of conformity to the acceptance criteria shall be maintained. The identity of the person authorizing release of product shall be recorded (see 4.2.5). As appropriate, records shall identify the test equipment used to perform measurement activities.

Product release and service delivery shall not proceed until the planned and documented arrangements have been satisfactorily completed.

For implantable medical devices, the organization shall record the identity of personnel performing any inspection or testing.

8.3 Control of nonconforming product

8.3.1 General

The organization shall ensure that product which does not conform to product requirements is identified and controlled to prevent its unintended use or delivery. The organization shall document a procedure to define the controls and related responsibilities and authorities for the identification, documentation, segregation, evaluation and disposition of nonconforming product.

The evaluation of nonconformity shall include a determination of the need for an investigation and notification of any external party responsible for the nonconformity.

Records of the nature of the nonconformities and any subsequent action taken, including the evaluation, any investigation and the rationale for decisions shall be maintained (see 4.2.5).

8.3.2 Actions in response to nonconforming product detected before delivery

The organization shall deal with nonconforming product by one or more of the following ways:

a) taking action to eliminate the detected nonconformity;
b) taking action to preclude its original intended use or application;
c) authorizing its use, release or acceptance under concession.

The organization shall ensure that nonconforming product is accepted by concession only if the justification is provided, approval is obtained and applicable regulatory requirements are met. Records of the acceptance by concession and the identity of the person authorizing the concession shall be maintained (see 4.2.5).

8.3.3 Actions in response to nonconforming product detected after delivery

When nonconforming product is detected after delivery or use has started, the organization shall take action appropriate to the effects, or potential effects, of the nonconformity. Records of actions taken shall be maintained (see 4.2.5).

The organization shall document procedures for issuing advisory notices in accordance with applicable regulatory requirements. These procedures shall be capable of being put into effect at any time. Records of actions relating to the issuance of advisory notices shall be maintained (see 4.2.5).

8.3.4 Rework

The organization shall perform rework in accordance with documented procedures that take into account the potential adverse effect of the rework on the product. These procedures shall undergo the same review and approval as the original procedure.

After the completion of rework, product shall be verified to ensure that it meets applicable acceptance criteria and regulatory requirements.

Records of rework shall be maintained (see 4.2.5).

8.4 Analysis of data

The organization shall document procedures to determine, collect and analyse appropriate data to demonstrate the suitability, adequacy and effectiveness of the quality management system. The procedures shall include determination of appropriate methods, including statistical techniques and the extent of their use.

The analysis of data shall include data generated as a result of monitoring and measurement and from other relevant sources and include, at a minimum, input from:

a) feedback;
b) conformity to product requirements;
c) characteristics and trends of processes and product, including opportunities for improvement;
d) suppliers;
e) audits;
f) service reports, as appropriate.

If the analysis of data shows that the quality management system is not suitable, adequate or effective, the organization shall use this analysis as input for improvement as required in 8.5.

Records of the results of analyses shall be maintained (see 4.2.5).

8.5 Improvement

8.5.1 General

The organization shall identify and implement any changes necessary to ensure and maintain the continued suitability, adequacy and effectiveness of the quality management system as well as medical device safety and performance through the use of the quality policy, quality objectives, audit results, post-market surveillance, analysis of data, corrective actions, preventive actions and management review.

8.5.2 Corrective action

The organization shall take action to eliminate the cause of nonconformities in order to prevent recurrence. Any necessary corrective actions shall be taken without undue delay. Corrective actions shall be proportionate to the effects of the nonconformities encountered.

The organization shall document a procedure to define requirements for:

a) reviewing nonconformities (including complaints);

b) determining the causes of nonconformities;

c) evaluating the need for action to ensure that nonconformities do not recur;

d) planning and documenting action needed and implementing such action, including, as appropriate, updating documentation;

e) verifying that the corrective action does not adversely affect the ability to meet applicable regulatory requirements or the safety and performance of the medical device;

f) reviewing the effectiveness of corrective action taken.

Records of the results of any investigation and of action taken shall be maintained (see 4.2.5).

8.5.3 Preventive action

The organization shall determine action to eliminate the causes of potential nonconformities in order to prevent their occurrence. Preventive actions shall be proportionate to the effects of the potential problems.

The organization shall document a procedure to describe requirements for:

a) determining potential nonconformities and their causes;


b) evaluating the need for action to prevent occurrence of nonconformities;

c) planning and documenting action needed and implementing such action, including, as appropriate, updating documentation;

d) verifying that the action does not adversely affect the ability to meet applicable regulatory requirements or the safety and performance of the medical device;

e) reviewing the effectiveness of the preventive action taken, as appropriate.

Records of the results of any investigations and of action taken shall be maintained (see 4.2.5).


Annex A

(informative)

Comparison of content between ISO 13485:2003 and ISO 13485:2016

Table A.1 outlines the changes in this edition of this International Standard (ISO 13485:2016) compared with the previous edition (ISO 13485:2003).

Table A.1 — Comparison of content between ISO 13485:2003 and ISO 13485:2016

Clause in ISO 13485:2016 / Comment on change compared with ISO 13485:2003

Foreword
- Clarifies the effect of the third edition of this International Standard.

Introduction
0.1 General
- Includes substantially more detail related to the nature of the organization covered by this International Standard’s requirements and the life-cycle stages covered.
- Explains that the requirements can be used by suppliers or other external parties either voluntarily or as a result of contract arrangements.
- Alerts organizations about their obligations related to regulatory requirements focused on quality management systems.
- Alerts organizations about differences in local regulation definitions and their obligation to understand how these definitions will affect their quality management system.
- Adds the obligation to meet the organization’s own quality management system requirements.
- Specifically calls out the focus on the necessity to “meet customer and applicable regulatory requirements for safety and performance.”
- Emphasizes that the product requirements that are important are those related to safety and performance.
- Adds two influences on the nature of the quality management system that were not in the original listing (organizational environment and regulatory requirements).
- Clarifies that the organization does not have to align its documentation to the clause structure of this International Standard.

0.2 Clarification of concepts
- Adds two additional criteria associated with the description of appropriate requirements: compliance with regulatory requirements; the requirement is necessary for the organization to manage risks.
- Limits application of risk to the safety or performance requirements of the medical device or meeting applicable regulatory requirements.
- Clarifies that the term “documented” includes the need to establish, implement and maintain.
- Clarifies that the term “product” applies to outputs that are intended for, or required by, a customer, or any intended output resulting from a product realization process.

0.3 Process approach
- Explanation of process approach extended.

0.4 Relationship with ISO 9001
- States the relationship between ISO 13485:2016 and ISO 9001.
- Indicates the structural relationship between ISO 13485:2016 and ISO 9001:2015 will be outlined in Annex B.
- The use of italic text within standard to indicate changes from ISO 9001:2008 has been eliminated.

1 Scope
- Indicates the applicability of this International Standard to organizations that are involved in one or more stages of the life-cycle of a medical device.
- Indicates that this International Standard can also be used by suppliers or external parties that provide product, including quality management system-related services to medical device organizations.
- Specifically calls out the responsibilities for monitoring, maintaining, and controlling outsourced processes.
- Expands requirements that can be not applicable to those in Clauses 6 and 8.
- Clarifies that the term “regulatory requirements” includes statutes, regulations, ordinances or directives and limits the scope of the “applicable regulatory requirements” to those requirements for the quality management system and the safety or performance of the medical device.

3 Terms and definitions
- Several new definitions added and some existing definitions refined.

4 Quality management system
4.1 General requirements
- Added requirement to document the role(s) of the organization.
- Requires the determination of processes “taking into account the roles undertaken by the organization.”
- Requires the application of a “risk based approach to the control of the appropriate processes needed for the quality management system.”
- Adds requirements related to changes to processes.
- Added requirements related to validation of the application of computer software used in the quality management system.

4.2 Documentation requirements
- Includes control of records within the document control requirements.
- Lists the documents that would be included in the medical device file.
- New requirement related to protection of confidential health information.
- New requirement related to deterioration and loss of documents.

5.6 Management review
- Includes requirement for the documentation of one or more procedures for management review and the requirement for management reviews at “documented planned intervals”.
- Lists of inputs and outputs of management review have been expanded.

6.2 Human resources
- New requirement for documentation processes of establishing competence, providing needed training and ensuring awareness of personnel.

6.3 Infrastructure
- Adds requirement that infrastructure prevents product mix-up and ensure orderly handling of product.
- Adds information system to the listing of supporting services.

6.4 Work environment and contamination control
- Added documentation requirements for work environment.
- Added requirement related to control of contamination with microorganism or particulate matter for sterile medical devices.

7.1 Planning of product realization
- Added requirements to list.

7.2 Customer-related processes
- Added requirements to list.
- New requirement related to communication with regulatory authorities.

7.3.2 Design and development planning
- Added requirements to list.
- Eliminated the requirement related to the management of the interfaces between different groups involved in design and development.

7.3.3 Design and development inputs
- Added requirements to list.
- Added requirement that the requirements shall be able to be verified or validated.

7.3.5 Design and development review
- Added details of the contents of records.

7.3.6 Design and development verification
- Added requirement for documentation of verification plans and interface considerations.
- Requirement added for records of verification.

7.3.7 Design and development validation
- Added requirement for documentation of validation plans, product to be used for validation and interface considerations. Requirement added for records of validation.

7.3.8 Design and development transfer
- New sub-clause added.

7.3.9 Control of design and development changes
- Adds the requirement that the evaluation of the change effect should be made on products in process and on the outputs of risk management and product realization processes.
- Added detail to consider in the determination of the significance of a design and development changes.

7.3.10 Design and development files
- New sub-clause added.

7.4.1 Purchasing process
- Focuses the supplier selection criteria on the effect of the supplier performance on the quality of the medical device, the risk associated with the medical device, and the product meeting applicable regulatory requirements.
- New requirements added related to monitoring and re-evaluation of suppliers, and action to be taken when purchasing requirements are not met.
- Provides additional details related to the content of the records.

7.4.2 Purchasing information
- New requirement added to include notification of changes in purchased product.

7.4.3 Verification of purchased product
- New requirements added on the extent of verification activities and action to be taken when the organization becomes aware of any changes to the purchased product.

7.5.1 Control of production and service provision
- Adds details related to the controls for carrying out production and service provision.

7.5.2 Cleanliness of product
- Added a requirement to the list.

7.5.4 Servicing activities
- New requirement for analysis of records for servicing activities.

7.5.6 Validation of processes for production and service provision
- Added requirements to the list.
- Adds details related to situations requiring procedures.
- Relates the specific approach to software validation to the risk associated with the use of the software.
- Adds requirements related to the validation records.

7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier systems
- Added requirements for sterile barrier systems.

7.5.8 Identification
- Added requirement for unique device identification.
- New requirement for a documented procedure for product identification and regarding identification and product status during production.

7.5.11 Preservation of product
- Adds details as to how preservation can be accomplished.

8.2.1 Feedback
- Indicates that feedback should come from production and post-production activities.
- Adds a requirement to utilize feedback in risk management processes in order to monitor and maintain product requirements.

8.2.2 Complaint handling
- New sub-clause.

8.2.3 Reporting to regulatory authorities
- New sub-clause.

8.2.6 Monitoring and measurement of product
- Adds requirement to identify the test equipment used to perform measurement activities.

8.3 Control of nonconforming product
- Added details related to kinds of controls that shall be documented.
- Generalized the requirement to include any investigation and the rationale for decisions.
- Adds requirements related to concessions.
- Separated requirements for nonconformities detected before delivery, detected after delivery and rework.
- Adds requirements for records related to the issuance of advisory notices.

8.4 Analysis of data
- Adds the requirement to include determination of appropriate methods, including statistical techniques and the extent of their use.
- Adds detail to list of inputs.

8.5.2 Corrective action
- Adds the requirement to verify that the corrective action does not have an adverse effect.
- Added requirement for corrective action to be taken without undue delay.

8.5.3 Preventive action
- Adds the requirement to verify that the preventive action does not have an adverse effect.


Annex B

(informative)

Correspondence between ISO 13485:2016 and ISO 9001:2015

Tables B.1 and B.2 show the correspondence between  ISO 13485:2016 and ISO 9001:2015.

Table B.1 — Correspondence between ISO 13485:2016 and ISO 9001:2015

Clause in ISO  13485:2016

Clause in ISO  9001:2015

1  Scope

1 Scope

4.1.1 (no title)

4.3 Determining  the scope  of the quality  management system

4 Context of  the organization

4 Quality  management system

4.1 Understanding  the organization  and  its context

4.2 Understanding  the needs  and expectations  of interested  parties

4.4 Quality  management system  and its processes

4.4 Quality  management system  and its processes

8.4 Control  of externally  provided processes,  products  and services

7.5 Documented  information

4.1 General requirements

4.2 Documentation  requirements

4.2.1  General

7.5.1 General

4.2.2 Quality  manual

4.3 Determining  the scope  of the quality  management system

4.4 Quality  management system  and its processes

7.5.1 General

4.2.3 Medical  device file

No equivalent clause

4.2.4 Control  of documents

7.5.2 Creating  and updating

7.5.3 Control  of documented information

7.5.2 Creating  and updating

4.2.5 Control  of records

7.5.3 Control  of documented information

5 Leadership

5 Management responsibility

5.1 Management  commitment

5.1 Leadership  and commitment

5.1.1 General

5.2 Customer  focus

5.1.2 Customer  focus

5.3 Quality  policy

5.2 Policy

5.2.1 Establishing  the  quality policy

5.2.2 Communicating   the quality  policy

6 Planning

5.4  Planning

5.4.1 Quality  objectives

6.2 Quality  objectives  and planning  to achieve them

6 Planning

5.4.2 Quality  management  system planning

6.1 Actions  to address risks  and opportunities

6.3 Planning  of changes

5.5 Responsibility,  authority  and communication

5.5.1 Responsibility  and  authority

5.5.2 Management  representative

5.5.3 Internal  communication

5.6 Management  review

5 Leadership

5.3 Organizational   roles, responsibilities  and  authorities

5.3 Organizational   roles, responsibilities  and  authorities

7.4 Communication

9.3 Management  review

5.6.1  General

9.3.1 General

5.6.2 Review  input

9.3.2 Management  review inputs

9.3.3 Management  review outputs

5.6.3 Review  output


Table B.1  (continued)

Clause in ISO  13485:2016

6 Resource  management

Clause in ISO  9001:2015

7.1 Resources

7.1.1 General

6.1 Provision  of resources

7.1.2 People

6.2 Human  resources

7.2 Competence

7.3 Awareness

7.1.3 Infrastructure

6.3  Infrastructure

6.4 Work environment  and contamination  control

7 Product realization

7.1.4 Environment  for the operation  of processes

8 Operation

7.1 Planning  of product realization

7.2 Customer-related  processes

8.1 Operational  planning  and control

8.2 Requirements  for products  and services

8.2.2  Determining  the requirements  for products  and services

8.2.3  Review of the requirements  for products  and services

8.2.4 Changes  to requirements  for products  and services

8.2.1 Customer  communication

7.2.1 Determination  of requirements  related  to product

7.2.2 Review  of requirements  related to product

7.2.3  Communication

7.3 Design and  development

8.3 Design  and development of products  and services

8.3.1 General

7.3.1  General

7.3.2 Design  and development planning

7.3.3 Design  and development inputs

7.3.4 Design and  development outputs

7.3.5 Design  and development review

7.3.6 Design  and development verification

7.3.7 Design and  development validation

7.3.8 Design  and development transfer

7.3.9 Control of design  and development changes

8.3.2 Design  and development  planning

8.3.3 Design  and development  inputs

8.3.5 Design  and development  outputs

8.3.4 Design  and development controls

8.3.4 Design  and development controls

8.3.4 Design  and development controls

8.3.4 Design  and development controls

8.3.6 Design  and development changes

8.5.6 Control  of changes

7.3.10 Design and  development files

7.4  Purchasing

7.5.3 Control  of documented information

8.4 Control  of externally  provided processes,  products  and services

8.4 Control  of externally  provided processes,  products  and services

8.4.1 General

7.4.1 Purchasing  process

8.4.2 Type and  extent of control

7.4.2 Purchasing  information

8.4.3 Information  for external  providers

8.4.2 Type and  extent of control

7.4.3 Verification  of purchased  product

8.4.3 Information  for external  providers

8.6 Release  of products and services

8.5 Production  and service  provision

8.5.1 Control  of production  and service provision

No equivalent clause

7.5 Production  and service  provision

7.5.1 Control of production  and service  provision

7.5.2 Cleanliness  of product

7.5.3 Installation  activities

No equivalent clause

7.5.4 Servicing  activities

No equivalent clause

7.5.5 Particular  requirements  for sterile  medical  devices

7.5.6 Validation  of processes for production  and service  provision

No equivalent clause

8.5.1 Control  of production  and service provision

7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier system

No equivalent clause

7.5.8  Identification

8.5.2 Identification   and traceability

7.5.9  Traceability

8.5.2 Identification   and traceability

7.5.10 Customer property

8.5.3 Property  belonging  to customers  or external  providers

8.5.4 Preservation

7.5.11 Preservation  of product

7.6 Control of monitoring  and measuring  equipment

7.1.5 Monitoring  and measuring  resources


Table B.1  (continued)

Clause in ISO  13485:2016

Clause in ISO  9001:2015

9 Performance  evaluation

8 Measurement,  analysis  and improvement

9.1 Monitoring,  measurement,  analysis  and evaluation

9.1.1 General

8.1  General

8.2 Monitoring  and measurement

8.2.1  Feedback

9.1 Monitoring,  measurement,  analysis  and evaluation

8.5.5 Post-delivery  activities

9.1.2 Customer  satisfaction

8.2.2  Complaint handling

9.1.2 Customer  satisfaction

8.2.3  Reporting to regulatory   authorities

8.2.4 Internal  audit

8.5.5 Post-delivery  activities

9.2 Internal  audit

8.2.5  Monitoring and measurement  of processes

8.2.6 Monitoring  and measurement  of product

8.3 Control  of nonconforming  product

8.3.1  General

9.1.1 General

8.6 Release  of products and services

8.7 Control  of nonconforming outputs

10.2 Nonconformity  and corrective  action

8.7 Control  of nonconforming outputs

8.3.2 Actions in response to nonconforming product detected before delivery

8.3.3 Actions in response to nonconforming product detected after delivery

8.7 Control of nonconforming outputs

8.4 Analysis  of data

8.5  Improvement

8.5.1  General

9.1.3 Analysis  and evaluation

10 Improvement

10.1 General

10.3 Continual  improvement

10.2 Nonconformity  and corrective  action

0.3.3 Risk-based  thinking

6.1 Actions  to address risks  and opportunities

10.1 General

8.5.2 Corrective  action

8.5.3 Preventive  action

10.3 Continual  improvement


Table B.2 — Correspondence between ISO  9001:2015 and ISO 13485:2016

Clause in ISO  9001:2015

Clause in ISO  13485:2016

1 Scope

1  Scope

4 Context of  the organization

4 Quality  management system

4.1 Understanding  the organization  and  its context

4.1 General requirements

4.2 Understanding the needs and expectations of interested parties

4.1 General requirements

4.3 Determining  the scope  of the quality  management system

4.1 General requirements

4.2.2 Quality  manual

4.4 Quality  management system  and its processes

5 Leadership

4.1 General requirements

5 Management responsibility

5.1 Management  commitment

5.1 Management  commitment

5.2 Customer  focus

5.1 Leadership  and commitment

5.1.1 General

5.1.2 Customer  focus

5.2 Policy

5.3 Quality  policy

5.2.1 Establishing  the  quality policy

5.2.2 Communicating   the quality  policy

5.3 Organizational   roles, responsibilities  and  authorities

5.3 Quality  policy

5.3 Quality  policy

5.4.2 Quality  management  system planning

5.5.1 Responsibility  and  authority

5.5.2 Management  representative

5.4.2 Quality  management  system planning

5.4.2 Quality  management  system planning

8.5.3 Preventive  action

6 Planning

6.1 Actions  to address risks  and opportunities

6.2 Quality  objectives  and planning  to achieve them

6.3 Planning  of changes

7 Support

5.4.1 Quality  objectives

5.4.2 Quality  management  system planning

6 Resource  management

7.1 Resources

6 Resource  management

7.1.1 General

6.1 Provision  of resources

7.1.2 People

6.2 Human  resources

7.1.3 Infrastructure

6.3  Infrastructure

7.1.4 Environment  for the operation  of processes

7.1.5 Monitoring  and measuring  resources

7.1.5.1 General

6.4.1 Work environment

7.6 Control of monitoring  and measuring  equipment

7.6 Control of monitoring  and measuring  equipment

7.6 Control of monitoring  and measuring  equipment

6.2 Human  resources

7.1.5.2 Measurement  traceability

7.1.6 Organizational  knowledge

7.2 Competence

6.2 Human  resources

7.3 Awareness

6.2 Human  resources

7.4 Communication

5.5.3 Internal  communication

4.2 Documentation  requirements

4.2.1  General

7.5 Documented  information

7.5.1 General

7.5.2 Creating  and updating

4.2.4 Control  of documents

4.2.5 Control  of records

7.5.3 Control  of documented Information

4.2.3 Medical  device file

4.2.4 Control  of documents

4.2.5 Control  of records

7.3.10 Design and  development files

7 Product realization

8 Operation

8.1 Operational  planning  and control

8.2 Requirements  for products  and services

8.2.1 Customer  communication

7.1 Planning  of product realization

7.2 Customer-related  processes

7.2.3  Communication

8.2.2  Determining  the requirements  for products  and services

7.2.1 Determination  of requirements  related  to product


Table B.2  (continued)

Clause in ISO  9001:2015

Clause in ISO  13485:2016

7.2.2 Review  of requirements  related to product

7.2.2 Review  of requirements  related to product

7.3 Design and  development

8.2.3  Review of the requirements  for products  and services

8.2.4 Changes  to requirements  for products  and services

8.3 Design  and development of products  and services

8.3.1 General

7.3.1  General

8.3.2 Design  and development  planning

8.3.3 Design  and development  inputs

7.3.2 Design  and development planning

7.3.3 Design  and development inputs

7.3.5 Design  and development review

7.3.6 Design  and development verification

7.3.7 Design and  development validation

7.3.8 Design  and development transfer

7.3.4 Design and  development outputs

7.3.9 Control of design  and development changes

8.3.4 Design  and development controls

8.3.5 Design  and development  outputs

8.3.6 Design  and development changes

8.4 Control of externally provided processes, products and services

4.1 General requirements (see 4.1.5)

7.4.1 Purchasing  process

8.4.1 General

7.4.1 Purchasing  process

8.4.2 Type and  extent of control

4.1 General requirements  (see 4.1.5)

7.4.1 Purchasing  process

7.4.3 Verification  of purchased  product

7.4.2 Purchasing  information

8.4.3 Information  for external  providers

7.4.3 Verification  of purchased  product

7.5 Production  and service  provision

7.5.1 Control of production  and service  provision

7.5.6 Validation  of processes for production  and service  provision

7.5.8  Identification

8.5 Production  and service  provision

8.5.1 Control  of production  and service provision

8.5.2 Identification   and traceability

7.5.9  Traceability

8.5.3 Property  belonging  to customers  or external  providers

8.5.4 Preservation

7.5.10 Customer property

7.5.11 Preservation  of product

8.5.5 Post-delivery  activities

7.5.1 Control of production  and service  provision

7.5.3 Installation  activities

7.5.4 Servicing  activities

8.2.2  Complaint handling

8.2.3  Reporting to regulatory   authorities

8.3.3 Actions in response to nonconforming product detected after delivery

8.5.6 Control  of changes

7.3.9 Control of design  and development changes

7.4.3 Verification  of purchased  product

8.2.6 Monitoring  and measurement  of product

8.3 Control  of nonconforming  product

8 Measurement,  analysis  and improvement

8 Measurement,  analysis  and improvement

8.1  General

8.6 Release  of products and services

8.7 Control  of nonconforming outputs

9 Performance  evaluation

9.1 Monitoring,  measurement,  analysis  and evaluation

9.1.1 General

8.2.5  Monitoring and measurement  of processes

8.2.6 Monitoring  and measurement  of product

7.2.3  Communication

9.1.2 Customer  satisfaction

8.2.1  Feedback

8.2.2  Complaint handling

9.1.3 Analysis  and evaluation

8.4 Analysis  of data

9.2 Internal  audit

8.2.4 Internal  audit


Table B.2  (continued)

Clause in ISO  9001:2015

9.3 Management  review

Clause in ISO  13485:2016

5.6 Management  review

9.3.1 General

5.6.1  General

9.3.2 Management  review inputs

9.3.3 Management  review outputs

10 Improvement

5.6.2 Review  input

5.6.3 Review  output

8.5  Improvement

8.5.1  General

10.1 General

10.2 Nonconformity  and corrective  action

8.3 Control  of nonconforming  product

8.5.2 Corrective  action

5.6.1  General

10.3 Continual  improvement

8.5  Improvement


