ISO 13485:2016 vs ISO 13485:2003 conversion tool



Both the 2003 and 2016 versions of the ISO 13485 standard cover fundamentally the same topics. However, there are some important differences.

Now the standard can be used by any organization that is involved in any stage of the product life cycle, which means that external parties or suppliers can also certify themselves on standard requirements. 

Both versions of the ISO 13485 standard are based on ISO 9001; ISO 13485:2016 is based on ISO 9001:2008, whereas ISO 13485:2003 is based on ISO 9001:2000.

The description of the clause is almost the same; however, in the new version of the standard it emphasizes the importance of using a process approach in meeting requirements, value, process performance and effectiveness, and improving the process by setting objectives. 

Both versions of the standard allow integration with other management systems.

This is a new addition in the latest version of the standard; it clarifies the concepts of some of the terminology used in the standard. For example, “risk” is being used for safety or performance requirements of medical devices and devices meeting the regulatory requirements. 

Scope in the latest version of the standard defines other organizations, such as suppliers or external parties, as eligible to implement the ISO 13485 standard. All the other points in this clause are almost the same for both versions of the standard.

Scope in the latest version of the standard defines other organizations, such as suppliers or external parties, as eligible to implement the ISO 13485 standard. All the other points in this clause are almost the same for both versions of the standard.

Some new terms are introduced in the newest version of the standard, such as “sterile barrier system,” “medical device family,” etc. 

In the latest version of the standard, more focus has been given to applicable regulatory requirements and the controls associated to meet these requirements. Moreover, controls also encompass “risk” of external parties to meet applicable regulatory requirements, and written quality agreements to ensure that external parties meet those requirements.

Almost all the requirements are the same, except that the new version of the standard identifies and explains the requirements of medical device files. For more information, read: How to meet ISO 13485:2016 requirements for medical device files

All clauses are the same in both versions of the standard, except in some subclauses where the new version of the standard demands management commitment to applicable regulatory requirements, which need to be identified and met. 

All requirements are almost the same, except a few modifications to the terms are included in the new version of the standard; for example, in the old version of the standard the term “statutory” has been removed and covered in applicable regulatory requirements.  

In the old version it was mandatory to understand, identify, and meet only customer requirements, while in the new version, along with customer requirements, it is mandatory to identify and meet regulatory requirements as well. 

There are no changes in the requirements. See the sample document here: Quality Policy.

The requirements are similar except that in the new version the organization is required to set quality objectives for meeting applicable regulatory requirements. 

No significant changes have been implemented in this clause.

There are no changes in this clause.

All requirements for management representative are the same in both versions of the standard.

Requirements for internal communication are the same in both versions of the standard.

The organization is now required to document a procedure for management review. All other requirements were not modified. See the sample document here: Procedure for Management Review

Reporting to regulatory requirements and customer complaints have been added as review inputs in the new version of the standard. 

In the latest version, the review output is adapted to support the modifications included in the review input. 

No significant changes have been implemented in this clause.

In the new version of the standard it is mandatory for the organization to document the processes for establishing competence, providing required training, and ensuring awareness of employees.

There is a new requirement for infrastructure, which should prevent product mix-ups and ensure orderly handling. Moreover, information technology has been added as an infrastructure requirement in supporting services. For more information, read: Managing medical device infrastructure requirements according to ISO 13485:2016.

 

See the sample document here: Procedure for infrastructure and work environment

This clause has been split in two in the new standard. 

In the new version of the standard the organization is required to document the requirements of the work environment, rather than just determining and managing it. Unlike the previous version of the standard, in the new version, a procedure to monitor and control the work environment should be established. 

Contamination control has been separated as a subclause; it adds a mandatory requirement for sterile medical devices, in which requirements for control of contamination with microorganism or particulate matter should be documented. 

There are no significant changes to this clause, except in the need to establish processes and documentation, resources for maintaining infrastructure and work environment have to be provided. 

The new version of the standard includes a requirement for the organization to determine if users need to be trained in order to ensure specified performance and safe use of medical devices. 

The new version of the standard includes a requirement for the organization to review whether they need to train the users in order to ensure specified performance and safe use of medical devices. 

All requirements regarding the communication with customers are the same; however, the new standard also mandates that the organization communicate with regulatory bodies when needed.

A new clause has been added as “General” in the “Design and Development” section. It mandates the organization to establish a procedure for design and development as per the new requirements. See the sample document here: Procedure for design and development.  

The new version of the standard includes requirements related to development of a method to ensure traceability for design and development outputs against design and development inputs. Also, the new version of the standard states adequate resources to be identified in the planning phase. 

In the new version of the standard, design and development inputs should incorporate usability requirements for the product; moreover, output of risk management has to be included in design and development inputs. 

The requirements are the same in both versions. 

With the earlier requirements, the new standard also mandates records for personnel involved in the process of review. Those designs under review should be identified with the status “under review.” See the following sample document: Design review minutes

The new version of the standard includes mandatory documents and procedures to ensure that the design and development outputs have met the input requirements. Verification plans, which include acceptance criteria and statistical techniques with rationale for sample size, should be documented.

See the sample document: Verification report

In the new version of the standard, the organization is required to maintain documented records for design validation as well. Design validation should be done on representative product, which can be initial production units, batches, etc. Records of validation conclusion should also be maintained. See the sample document: Validation report

This is a new requirement in the latest version; an organization is now required to document a procedure to transfer design and development outputs to manufacturing. These outputs should be verified before becoming final specifications. Moreover, production capability should meet product requirements. See the sample document here: Design and development transfer record

The procedure for design and development in the new standard should include protocols to control design and development changes. Before implementation, the change should be reviewed, verified, validated, and approved. See the sample document here: Change review record

This is a new requirement. The organization should maintain a design and development file for each medical device type or family. This file has to include reference records of conformity to design and development requirements and records for changes. See the sample document here: Design and development file

The purchasing process has also been modified in the new version. The old section on purchasing has been subdivided into four new requirements. While the old standard expected the organization to establish supplier selection and evaluation criteria, it didn’t provide any details. The new version of the standard includes criteria for the supplier—for example, supplier’s impact on quality of medical product, supplier’s ability to meet organization’s requirements, performance of supplier in terms of timely delivery, and supplier’s impact on risk for medical device performance and safety. See the sample document here: Procedure for purchasing and evaluation of suppliers

The new version of the standard mandates that product specifications should be shared with the supplier as well. See the sample document here: Request and order for purchasing

In the new version of the standard, this clause extends risk analyses to suppliers. The organization must consider the risk whenever suppliers underperform and should have documented adequate risk treatments. When unplanned changes are embedded in purchased products, the organization is required to determine whether or not these changes affect the medical device or product realization process. See the sample document here: Purchasing verification record

In the new version of the standard, this clause is extended and the organizations are required to identify products that cannot be cleaned prior to sterilization or use. For more information, read the following article: Managing cleanliness of product and contamination control according to ISO 13485:2016

Requirements are the same in both of the standards.

Requirements are almost the same, except the new standard requests that the organization analyze service records either as complaints or as input for any improvement activity. See the sample document here: Record of servicing activities

Both versions have the same requirements for sterile medical devices. For more information, check the following article: How to manage the medical device sterilization process according to ISO 13485:2016.

Both versions of the standard require companies to establish procedures to validate production and delivery processes that generate outputs that can't be verified until the product is placed in use or the service has been provided. With the modifications included in the new version, the organization is also required to establish validation plans and to revalidate processes whenever necessary. See sample documentation here: Record of production process validation.

This is a new requirement. Process validation is required for sterilization and sterile barrier systems. The organizations are required to develop validation procedures, which will be used to establish, implement, and maintain validation for sterilization and sterile barrier systems.

With the modifications in the new standard, it is required from the organization to document a procedure for the identification of product by suitable means through product realization. The identification procedure shall encompass all stages of the product life cycle, and will provide a way for monitoring and measurement of product. If mandated by regulatory laws, the organization shall maintain unique device identification. 

The organization is now required to develop a procedure for traceability. For implantable medical devices, traceability records for components and materials should be maintained. For more information, read the following article: How to use ISO 13485:2016 to manage implantable medical devices

Requirements are the same in both versions of the standard.

The new standard clarifies the meaning of preservation by mandating that the organization prevent medical device damage, alteration, and contamination. Also, the organization is required to protect products when exposed to hazards.

Requirements are almost the same, except in the new version the organization is required to develop monitoring and measurement software validation procedures. See the following sample document: Procedure for documentation and validation of computer software

Requirements are the same in both versions of the standard.

In the new standard, the feedback process should include provisions to gather data from production, as well as post-production activities. The information gathered in the feedback process serves as a potential input into risk management for monitoring and maintaining the product requirements, as well as the product realization or improvement processes.

This is a new requirement; the organization is required to establish, document, implement, and maintain complaint-handling procedures.

For more information, read the following article: How to comply with ISO 13485:2016 requirements for handling complaints

This is a new requirement; the organization is required to establish, document, implement, and maintain reporting procedures when regulators expect the organization to report to them. See this sample document: Procedure for adverse event investigation and reporting


Requirements are the same in both versions of the standard.


There are no significant differences in the requirements between the two versions of the standard.


In the new standard, the identity of the person authorizing the release of product shall be recorded, and records of test equipment used for release should be maintained.


In the new standard, a procedure is required to define controls and related responsibilities and authorities for the identification, documentation, segregation, evaluation, and disposition of nonconforming product. The evaluation of nonconformity should include a determination of the need for an investigation and notification of any external party responsible for the nonconformity. See this sample document: Procedure for control of non-conforming products


This requirement has been added in a subclause in the new standard to emphasize it separately. Requirements include dealing with nonconforming products prior to delivery, taking actions to eliminate detected nonconformities, preventing the product's unintended use or application and, if needed, authorizing nonconforming product use and release. 


This requirement has been added in a subclause in the new standard to emphasize it separately. Requirements include identification of nonconforming products after delivery or after use, actions to be taken against the effects that have been identified, record keeping of the actions taken, issuances and management of advisory notices, and record keeping of actions taken against issued advisory notices. For more information, read the following article: ISO 13485:2016 nonconforming product – How to approach the post-delivery actions


This is a new requirement that mandates that the organization clarify how product rework should be performed, verified, reviewed, approved, and recorded.


Requirements of analysis of data are the same; however, in the new version of the standard, analysis should also be performed on audits and service reports. See the following sample document: Procedure for data analysis


Requirements are almost the same, except that in the new version of the standard, medical device safety and performance must be taken into consideration during improvement activities.


Both versions of the standard have the same requirements for corrective actions.


Both versions of the standard have the same requirements for preventive actions. 

Contact Information