Healthcare regulatory changes for medical device manufacturers in 2019

Christine L. Stanley is an Associate in the Lexington, KY office of Quintairos, Prieto, Wood & Boyer, PA.

The International Organization for Standardization (ISO) is an independent, non-governmental, international organization with a membership of 163 national bodies (including the United States) that set class specifications for products, services, and systems to ensure quality, safety, and efficiency.[1]

ISO 13485 represents the requirements for comprehensive organizational goals and aspirations, policies, processes, documented information, and resources needed to implement and maintain this standard or a quality management system for the design and manufacture of medical devices, from simple devices (e.g., tongue depressors, thermometers, stethoscopes, blood pressure cuffs, latex gloves) to complex devices (e.g., computer-assisted medical testing, cochlear ear implants, prostheses).[2]

The global medical device market is expected to reach an estimated $409.5 billion by 2023, and the main drivers for the growth of this market are healthcare expenditure, technological development, aging population, and chronic diseases.[3] The ISO standards are considered instrumental in facilitating international trade;[4] however, ISO 13485 is voluntary and is not law. The major suppliers of medical devices around the world include Medtronic Public Limited Company, Johnson & Johnson, General Electric Company, Siemens AG, and Cardinal Health Inc.[5]

In March 2019, the 2016 revision to ISO 13485 required the incorporation of risk management into every aspect of the quality management system.[6] The U.S. Food and Drug Administration (FDA) also released more than a dozen new medical device guidance documents in 2016 and 2017 that set expectations for how these risk assessments should look, with an emphasis on cybersecurity.[7] Fortunately for U.S. suppliers of medical devices, ISO 13485:2016 comports more closely with FDA quality system regulations.

Although certification is not a requirement of ISO 13485, third-party certification is a common way to show stakeholders and regulatory authorities that you meet the requirements.[8] Organizations certified to ISO 13485:2003 were granted a three-year transition period to migrate to the new edition of the standard.[9] Companies that hoped to achieve ISO 13485:2016 certification but missed the March 2019 deadline can still certify, but their 2003 certificates are invalid and can no longer be modified or revised.

The most significant changes in the revised standard include using a risk-based approach for all Quality Management System (QMS) processes, medical device descriptions, training end users, and servicing records.