Important Changes to ISO 13485 2016 for Medical Device Manufacturers, Designers

In 2016 new ISO 13485:2016 Medical devices — Quality management systems — Requirements for regulatory purposes were published. This set into play a new international framework for requirements in an effort to mitigate risk in the production of compliant, reliable medical devices. Companies are granted a 3-year transition period. Are you ready? 

As with the previous 2003 version, compliance to the Quality Management Systems (QMS) standard is often required for market entry in ports around the globe. Though companies are provided three years to transition their QMS and attain compliance to the updated version, there are many reasons to do so much sooner. For starters, those who wait too long may face certification bottlenecks and, as a result, market-entry roadblocks. Remember, medical device companies and service providers around the world will all be vying for ISO 13485:2016 certification from a limited number of Notified Bodies and their auditors. Plus, after the first 24 months, certification will only be given to the revised standard. Considering iso13485.jpgeverything, a lack of planning and/or misalignment with existing certificates could cause great burden on all parties involved, particularly in 2018-2019.

To help you get started with the new ISO 13485 requirements, we will outline some of the most important quality assurance changes to consider for medical devices to comply. If you haven’t already reviewed it, a copy of the new standard from ISO is available for download here.    

The good news: if your company is already an FDA-registered establishment, the gap from your existing quality assurance procedures to comply with the new ISO 13485 standard should not be overwhelming, especially if you had assistance from the FDA to enhance your QMS in recent years. That said, careful planning, consideration, and detailed implementation are required when making the leap. A good first step is to perform a gap analysis of the current QMS to understand what areas may require either minor quality assurance adjustments — or major updates. For many, significant effort will be spent ensuring new processes are well “documented” –or  “established,” two activities that are  essential with both the ISO and FDA.


For years, the mantra about medical device quality control has been, “If it isn’t documented, it didn’t happen.” This still holds true, as proper documentation is a requirement of the updated standard. However, this time around,  ISO clarified in section 2.0 that “documented” means established, implemented, and maintained — not just written down. This may sound familiar to mature companies, already registered with the FDA, as the agency requires many aspects of its Quality System Regulation (21 CFR 820) to be “established,” which is specified as being documented, implemented, and maintained.

Aside from the overall need to effectively document quality assurance processes and records, there are three other prevailing concepts to consider when doing your gap analysis: sources of quality data, competence, and overall QMS effectiveness.   

Sources of Quality Data

In an effort to strengthen an organization’s ability to measure process conformance and potential improvements, Clause 8.2.1 now specifies that “feedback” shall come from production, versus just from customers and other post-market communicators. As such, this eliminates the need to wait for post-production feedback and enables a responsive action in a timelier manner. 


A simple training record is no longer adequate. ISO 13485:2016 establishes in Clause 6.2 that a firm must document its process for establishing competence of its employees, contractors, and agents. It goes on to describe how a firm shall also maintain required competence levels in the workforce, as well as evaluate the effectiveness of any action taken to achieve or reach the required competency.

Overall QMS Effectiveness

As the new standard now clarifies that a company’s QMS “shall meet customer and applicable regulatory requirements for safety and performance,” the time is now to revise the QMS in a way that demonstrates compliance to all standards, specific to your device and market-entry plans. For example, it’s necessary to show all regulatory documentation, for each device that you design, manufacture and bring to market.

You will also need to explicitly describe your company’s role in the product and/or service lifecycle, as newly specified in Clause 4. Clause 4.1 also adds the application of taking a risk-based approach, not only to product risk, but compliance risk as it pertains to the organization’s QMS.

Controlling outsourced quality assurance processes is also more detailed, with Clause 7.4.1 adding Supplier Performance as a measure to Supplier Selection, as well as added provisions to ensure appropriate action is taken when a supplier’s performance is poor.

Starting From Scratch

If you are a start-up company — new to all QMS regulations — keep in mind what Stephen Covey once said, “Start with the end in mind.” Keeping that outlook, leverage your company’s vision and mission by first outlining your quality objectives and quality policy. Once done, these guiding principles act as your north star. If you have any doubts, enlist the help of a qualified process management expert that understands the various requirements.

Quality systems needn’t be over engineered or complex. Firms are given the flexibility to establish systems that are effective for their line of businesses, workforce, and product mix. Oftentimes, firms run into trouble if the QMS is too ridged, easily creating noncompliance situations because the established process was too hard to execute from the beginning. Instead, it’s key to find the right balance of requirement interpretation and robust, easy-to-follow processes.

Remember, you are not alone in the quest for compliance to ISO 13485:2016. Suppliers from every stage of product lifecycles are also updating their processes and systems. As a contract service organization, KMC Systems has processes in place to adopt all aspects of the revised standard as quickly as possible so our customers can benefit from competitive advantages of early conformance through their entire supply chain.

Click here to view more KMC Systems blog posts on Quality Assurance

About the Author

Christine Berard, KMC SystemsChristine Berard is the global head of Quality and Regulatory at KMC Systems. KMC is an industry leader in the area of specialized contract design, development and manufacturing of sophisticated IVD and other medical instrumentation platforms. She holds an MBA from Southern New Hampshire University and a BS from Castleton State College in Vermont. Ms. Berard is a certified Six Sigma Black-Belt, is certified in Quality Management Systems from AAMI, and Process Management from Boston University.

To learn more about KMC Systems and our medical device engineering, design and manufacturing capabilities, please download our brochure

KMC Systems Brochure


Topics: quality assurance, regulatory control, ISO 13485