ISO 13485:2003 vs ISO 13485:2016 conversion tool



Both the 2003 and 2016 versions of the ISO 13485 standard cover fundamentally the same topics. However, there are some important differences.

Now the standard can be used by any organization that is involved in any stage of the product life cycle, which means that external parties or suppliers can also certify themselves against the standard's requirements.

Both versions of the ISO 13485 standard are based on ISO 9001; ISO 13485:2016 is based on ISO 9001:2008, whereas ISO 13485:2003 is based on ISO 9001:2000.

The description of the clause is almost the same; however, the new version of the standard emphasizes the importance of using a process approach in meeting requirements, value, process performance and effectiveness, and improving the process by setting objectives.

Both versions of the standard allow integration with other management systems.

Scope in the latest version of the standard defines other organizations, such as suppliers or external parties, as eligible to implement the ISO 13485 standard. All the other points in this clause are almost the same for both versions of the standard.

Some new terms are introduced in the newest version of the standard, such as “sterile barrier system,” “medical device family,” etc. 

In the latest version of the standard, more focus has been given to applicable regulatory requirements and the controls associated to meet these requirements. Moreover, controls also encompass “risk” of external parties to meet applicable regulatory requirements, and written quality agreements to ensure that external parties meet those requirements.

Almost all the requirements are the same, except that the new version of the standard identifies and explains the requirements of medical device files. For more information, read: How to meet ISO 13485:2016 requirements for medical device files

All clauses are the same in both versions of the standard, except in some subclauses where the new version of the standard demands management commitment to applicable regulatory requirements, which need to be identified and met. 

All requirements are almost the same, except that a few modifications to the terms are included in the new version of the standard; for example, the term “statutory” used in the old version of the standard has been removed and is now covered by applicable regulatory requirements.

In the old version it was mandatory to understand, identify, and meet only customer requirements, while in the new version, along with customer requirements, it is mandatory to identify and meet regulatory requirements as well. 

There are no changes in the requirements. See the sample document here: Quality Policy.

The requirements are similar except that in the new version the organization is required to set quality objectives for meeting applicable regulatory requirements. 

No significant changes have been implemented in this clause.

There are no changes in this clause.

All requirements for management representative are the same in both versions of the standard.

Requirements for internal communication are the same in both versions of the standard.

The organization is now required to document a procedure for management review. All other requirements were not modified. See the sample document here: Procedure for Management Review

Reporting to regulatory requirements and customer complaints have been added as review inputs in the new version of the standard. 

In the latest version, the review output is adapted to support the modifications included in the review input. 

No significant changes have been implemented in this clause.

In the new version of the standard it is mandatory for the organization to document the processes for establishing competence, providing required training, and ensuring awareness of employees.

There is a new requirement for infrastructure, which should prevent product mix-ups and ensure orderly handling. Moreover, information technology has been added as an infrastructure requirement in supporting services. For more information, read: Managing medical device infrastructure requirements according to ISO 13485:2016.

 

See the sample document here: Procedure for infrastructure and work environment

This clause has been split in two in the new standard. 

There are no significant changes to this clause, except that, in addition to the need to establish processes and documentation, resources for maintaining infrastructure and work environment have to be provided.

The new version of the standard includes a requirement for the organization to determine if users need to be trained in order to ensure specified performance and safe use of medical devices. 

The new version of the standard includes a requirement for the organization to review whether they need to train the users in order to ensure specified performance and safe use of medical devices. 

All requirements regarding the communication with customers are the same; however, the new standard also mandates that the organization communicate with regulatory bodies when needed.

The new version of the standard includes requirements related to development of a method to ensure traceability for design and development outputs against design and development inputs. Also, the new version of the standard states that adequate resources are to be identified in the planning phase.

In the new version of the standard, design and development inputs should incorporate usability requirements for the product; moreover, output of risk management has to be included in design and development inputs. 

The requirements are the same in both versions. 

Along with the earlier requirements, the new standard also mandates records for personnel involved in the process of review. Those designs under review should be identified with the status “under review.” See the following sample document: Design review minutes

The new version of the standard includes mandatory documents and procedures to ensure that the design and development outputs have met the input requirements. Verification plans, which include acceptance criteria and statistical techniques with rationale for sample size, should be documented.

See the sample document: Verification report

In the new version of the standard, the organization is required to maintain documented records for design validation as well. Design validation should be done on representative product, which can be initial production units, batches, etc. Records of validation conclusion should also be maintained. See the sample document: Validation report

The procedure for design and development in the new standard should include protocols to control design and development changes. Before implementation, the change should be reviewed, verified, validated, and approved. See the sample document here: Change review record

The purchasing process has also been modified in the new version. The old section on purchasing has been subdivided into four new requirements. While the old standard expected the organization to establish supplier selection and evaluation criteria, it didn’t provide any details. The new version of the standard includes criteria for the supplier—for example, supplier’s impact on quality of medical product, supplier’s ability to meet organization’s requirements, performance of supplier in terms of timely delivery, and supplier’s impact on risk for medical device performance and safety. See the sample document here: Procedure for purchasing and evaluation of suppliers

The new version of the standard mandates that product specifications should be shared with the supplier as well. See the sample document here: Request and order for purchasing

In the new version of the standard, this clause extends risk analyses to suppliers. The organization must consider the risk whenever suppliers underperform and should have documented adequate risk treatments. When unplanned changes are embedded in purchased products, the organization is required to determine whether or not these changes affect the medical device or product realization process. See the sample document here: Purchasing verification record

In the new version of the standard, this clause is extended and organizations are required to identify products that cannot be cleaned prior to sterilization or use. For more information, read the following article: Managing cleanliness of product and contamination control according to ISO 13485:2016

Requirements are the same in both of the standards.

Requirements are almost the same, except the new standard requests that the organization analyze service records either as complaints or as input for any improvement activity. See the sample document here: Record of servicing activities

Both versions have the same requirements for sterile medical devices. For more information, check the following article: How to manage the medical device sterilization process according to ISO 13485:2016.

Both versions of the standard require companies to establish procedures to validate production and delivery processes that generate outputs that can't be verified until the product is placed in use or the service has been provided. With the modifications included in the new version, the organization is also required to establish validation plans and to revalidate processes whenever necessary. See sample documentation here: Record of production process validation.

With the modifications in the new standard, the organization is required to document a procedure for the identification of product by suitable means throughout product realization. The identification procedure shall encompass all stages of the product life cycle, and will provide a way for monitoring and measurement of product. If mandated by regulatory laws, the organization shall maintain unique device identification.

Requirements are the same in both versions of the standard.

The new standard clarifies the meaning of preservation by mandating that the organization prevent medical device damage, alteration, and contamination. Also, the organization is required to protect products when exposed to hazards.

Requirements are almost the same, except in the new version the organization is required to develop monitoring and measurement software validation procedures. See the following sample document: Procedure for documentation and validation of computer software

Requirements are the same in both versions of the standard.

In the new standard, the feedback process should include provisions to gather data from production, as well as post-production activities. The information gathered in the feedback process serves as a potential input into risk management for monitoring and maintaining the product requirements, as well as the product realization or improvement processes.

Requirements are the same in both versions of the standard.


There are no significant differences in the requirements between the two versions of the standard.


In the new standard, the identity of the person authorizing the release of product shall be recorded, and records of test equipment used for release should be maintained.


Requirements for analysis of data are the same; however, in the new version of the standard, analysis should also be performed on audits and service reports. See the following sample document: Procedure for data analysis


Requirements are almost the same, except that in the new version of the standard, medical device safety and performance must be taken into consideration during improvement activities.


Both versions of the standard have the same requirements for corrective actions.


Both versions of the standard have the same requirements for preventive actions.