2016 Changes Aimed
at Reducing Risk
By Matt Lowe,
Executive Vice President, MasterControl
Earlier this year, ISO published the final draft of the latest revision to the ISO 13485 standard, which
is the quality management standard for
medical devices. The 2016 version of ISO
13485, published in -March, provides a
framework for companies to meet their
customer and regulatory requirements.
The main objectives of the new standard
are to reduce risk in the industry and to
provide a harmonized model for Quality
Management System (QMS) requirements in the international market.
Medical device manufacturers that sell
their products in the global market benefit from ISO 13485:2016 certification
because ISO standards are recognized
worldwide and certain countries actually
require it. Furthermore, many customers
also prefer medical devices that are ISO
certified due to the trust it engenders for
following quality management processes.
There are a number of reasons why
this standard has been changed. The
new standard, down to many of its line
items, is different. This evolution is a
reflection of the global changes in the
industry. The new standard was primarily created with good intent to improve
risk management. The changes are also
intended to create a globally consistent quality system; to incorporate risk
management concepts—not just to design
controls, but to the entire quality system;
and to be relevant to suppliers of device
components and services.
Some of the key changes to ISO
13485:2016 include how risk and opportunity are addressed.
• Requires a risk-based approach
for QMS, meaning risk is presented
if your QMS is NOT fully integrated.
Now all internal QMS processes must
• Requires a risk-based approach
for outsourced processes for
external parties. Some organizations
just do design-house activities, some
just do the manufacturing, and some
just do testing. The new standard
calls for someone to be responsible
for the final product. The responsi-
ble party has to be defined within
the context of the organization and
the control of those processes both
internally and externally.
• Requires a risk-based approach to
design controls for critical product
characteristics. Organizations need to
better understand how the product’s
characteristics present risk and how
they are controlled based on risk.
• Increases in expectations -from
implicit to explicit requirements
for how processes should be executed.
This is primarily due to how processes
contain risk and opportunity analysis.
• Organizations must reference and
comply with all applicable ISO
standards—not just ISO 13485:2016,
but also ISO 62304 (software life
cycle), ISO 14971 and so on. This
allows for a more holistic approach to
• An increased structure for validation, verification and design transfer. Software systems control has
become much more important to how
risk is seen for process design, operational qualification and performance
for product and process control.
• Corrective And Preventive Action
has been updated. A new clause
was added to the CAPA section. This
change was enacted to help ensure
that the corrective or preventive
actions do not adversely affect the
product’s ability to meet applicable
regulatory requi;rements, or affect the
safety and performance of the product.
Corrective action plans also must be
adequately designed with risk in mind.
CAPAs should take into consideration