ISO 9001 2015 and ISO 13485 2016 Differences and Similarities PDF
ISO 9001 2015 and ISO 13485 2016 Differences and Similarities PDF
ISO 9001 2015 and ISO 13485 2016 Differences and Similarities PDF
Preface
Given the recent revisions of two of the most used quality management system standards, there have been many
questions about what this means for organizations who have had certification to either or both standards. This is
particularly true with the move of ISO 9001:2015 (and other management system standards) to the new ISO/IEC
high level structure (HLS) that comes from Annex SL of the ISO/IEC Directives, Part 1.
The intent of this document is to provide insight into some of the differences and similarities between ISO 9001:2015
and ISO 13485:2016, to allow organizations to understand how they can work together for those that are part of the
medical device supply chain, without undue burden to their systems.
Background
ISO 9001 was first published in 1987 and then revised to a second edition in 1994. The first edition of ISO 13485
followed in 1996. In 2000, the third edition of ISO 9001 was published and ISO 13485 was revised in 2003 to align with
that revision. In 2008, ISO 9001 was again revised and brought in many of the requirements of ISO 13485:2003. It was
decided (by international ballot) in the periodic review that no corresponding revision of ISO 13485 was to be done.
Now, both ISO 9001 and ISO 13485 have been revised, with publication of the fifth edition of ISO 9001 in September
2015 and publication of the third edition of ISO 13485 in March 2016. These two standards have always been very
closely aligned, as the 1996 and 2003 versions of ISO 13485 were directly based on ISO 9001 (1994/2000). This
was readily apparent in ISO 13485:2003 as much of the text is identical to the text from ISO 9001:2000. In this
second edition of ISO 13485, the identical text was shown in black standard font and different text was provided
in black italic font (blue italic font in electronic versions). In addition, ISO 9001:2008 took on more similarities to
ISO13485:2003.
The fifth revision of ISO 9001 was originally behind the third revision of ISO 13485, but due to some delays in the
approval of the draft version of ISO 13485, the revision of ISO 9001 was published first (September 2015). As with
all revision work, some of the latest changes published in ISO 9001:2015 were not available to be incorporated
into the revision of ISO 13485. In addition, after much deliberation on the design specification for ISO 13485,
ISOTechnical Committee 210, Working Group 1 (ISO/TC 210, WG 1), the working group responsible for the revision of
ISO13485:2003, decided it was not appropriate during this revision cycle to adopt the formatting and text changes
mandated by Annex SL of the ISO/IEC Directives, Part 1 for the HLS for management system standards. Also, being
aware of the change in structure and content of ISO 9001, ISO/TC 210, WG 1 decided not to maintain the different
font or provide the comparison back to ISO 9001:2008, however a clause structure comparison to ISO9001:2015
(Annex B) is provided. Furthermore, ISO/TC 210, WG 1 has informed the ISO Technical Management Board (TMB), via
resolutions, that it intends to do two things in the short term. Firstly, it has adopted a resolution to initiate discussions
with the relevant interested parties (e.g. medical device regulators, manufacturers and certification bodies) to enable
future alignment with the HLS outlined in Annex SL of the ISO/IEC Directives, Part1. This will likely result in a mapping
of this third revision into the HLS in the ISO/IEC Directives to understand the differences. Secondly, it will accelerate
the next systematic review to the end of the outlined transition period (3years) instead of the normal 5-year cycle. At
that point in time, the working group will again consider the adoption of the HLS for management system standards.
Introduction
With the change of ISO 9001 to the new HLS, the content of the two standards has diverged. While this divergence
may cause some concern in organizations where both standards are relevant, the knowledge of the differences (and
similarities) will hopefully help you better understand how your organization may react to these new revisions and
mitigate these concerns.
While many people may focus on the differences between the two standards, it is the similarities that are more
prevalent and the value in how these two standards can be used together that will provide industry with the greatest
insight and corresponding strategic direction. Outlined below are the differences followed by the similarities
between the two standards. Much of the content of the standards may be in both sections since while there are
2 BSI BSI/UK/804/ST/0316/EN
bsigroup.com
several differences in the terminology and structure, there are no direct conflicts between the requirements of the
two standards. ISO 9001:2015 and ISO 13485:2016 work together to outline a quality management system for
organizations concerned with providing products within the supply chain of medical devices.
Structure
While there are obvious differences in the structures of the two revised standards, this does not lead to distinct
differences in the requirements. ISO 9001:2015 uses the new structure specified in Annex SL of the ISO/IEC
Directives, Part 1, while ISO 13485:2016 continues with the structure developed in the previous versions. This new
HLS was developed by ISO to implement a common structure and terminology with simplified language, to help
organizations that are implementing multiple management systems (such as those for environment, health and safety
or business continuity) to integrate those systems. The main reason the exemption was granted by the ISO TMB for
ISO 13485:2016 was to allow the working group to keep the standard well aligned with the regulations in most of the
member countries. While this difference may cause some difficulties, most organizations that have a connection to
the medical device sector will appreciate the continued consistency of the structure of ISO 13485,especially as the
difference in structure has little effect on the requirements of the two standards. As mentioned in the background
section, users of the standard may refer to Annex B in ISO 13485:2016, which compares the structures of the two
standards, to identify the particular differences for cross-reference.
Scope
One of the biggest differences between the two standards begins with the scope statements. The scope of ISO9001
defines it as a general and generic standard for all quality management systems while the scope of ISO 13485 is specific
to the medical device sector and those related services. Specifically, ISO 13485:2016 is aimed at including those quality
management system requirements for organizations that provide medical devices and helping organizations concerned
BSI BSI/UK/804/ST/0316/EN 3
The differences and similarities between ISO 9001:2015 and ISO 13485:2016
with medical devices ensure they meet not only the customer requirements but also the applicable regulatory
requirements for the countries and regions where the medical devices are provided. This difference is further
emphasized in the documentation requirements in ISO 13485:2016 for the design history, management review,
medical device files, complaint handling, regulatory reporting and other regulatory focused documentation.
Focus
Another big difference between the standards that is driven by the difference in scope is the primary focus of
the results. The general nature of and the industries that use ISO 9001:2015 are driven by customer focus and
making the correct risk-based decisions to minimize the risk of customer dissatisfaction. Meanwhile, the focus of
ISO13485:2016 is primarily driven by the need for regulators to ensure that the medical devices placed on the market
by organizations are safe and effective. This could be a challenge for organizations which are part of the medical
device supply chain that choose certification to both standards. However, the standards do not have requirements
that conflict and therefore can be implemented together with proper management focus.
Required processes
While ISO 13485:2016 maintains the requirements to document key processes and the related documentation in
a quality manual and other processes, ISO 9001:2015 has taken a distinctly more flexible approach of allowing
an organization to determine the documented information required to be maintained to ensure consistent results
without directly stating the required documented information. However, organizations should be cautious of taking
action to eliminate these documents, as outlined below in the sections on required documentation and risk (in
similarities), so that they dont take any actions that could increase risk or cause issues in meeting requirements on
retaining documented information.
Personnel identification
The flexibility of ISO 9001:2015 allows top management to assign responsibilities and authorities without defining
any required roles. In ISO 13485:2016, the requirement to specifically identify a management representative is retained.
4 BSI BSI/UK/804/ST/0316/EN
bsigroup.com
Product realization
ISO 13485:2016 continues the strong emphasis on design and development as a key process within product
realization. However, ISO 9001:2015 shifts this emphasis to the identification of operational processes to deliver
products. This slight change encourages organizations to be more focused on their operations to get products or
services to meet the customer needs rather than the documentation of the design and development of the products.
Continual improvement
ISO 9001:2015 continues an emphasis on continual improvement to both enhance customer satisfaction and
improve the processes of the organization. Meanwhile, ISO 13485:2016 maintains the need for organizations to focus
improvement activities on the continuing suitability, adequacy and effectiveness of the quality management system
and the safety and performance of the medical device. These differences drive the differing focus and could cause the
organizations goals to be slightly different.
Terminology
Process approach ISO 9001:2015 has added risk-based thinking directly into the Plan-Do-Check-Act (PDCA)
concept. This has resulted in a new diagram of a process in ISO 9001:2015 and the new structure has also resulted
in an update to the process approach model. By incorporating risk-based thinking in this area, the application
automatically integrates preventive action into all processes as the organization is required to take action to reduce
risk within the processes and prevent occurrence of any potential nonconformities through continual improvement.
Required documentation In ISO 9001:2015, the terminology used for documentation has changed to documented
information. In ISO 9001:2008 and in ISO 13485:2016, documentation includes documents and records. This
change was driven by the use of the new HLS outlined in Annex SL of the ISO/IEC Directives, Part 1, and the
desire to provide a common term across management system standards. While this term has been changed in
ISO9001:2015, there is distinct common usage outlined by the word preceding the term documented information.
When documented information correlates to documents, the word maintain is used, i.e. maintain documented
information; when it correlates to records, the word retain is used, i.e. retain documented information.
Note: Detailed guidance on documented information is provided by ISO/TC 176/SC 2 on their website:
http://isotc.iso.org/livelink/livelink/open/tc176SC2public
Relationships Traditionally within a quality management system, relationships are identified between the organization
and its customers, and the organization and its suppliers. These relationships have been identified with a more generic
term of interested parties within ISO 9001:2015. This is due to the desire for more simplified language (not having to
distinguish the roles within the standard) for an organization. However, ISO 13485:2016 retains the previous terms to
identify these roles consistently with the way they are designated in many of the medical device sector regulations.
Purchasing ISO 13485:2016 retains the subclause on purchasing (7.4) with some clarifications on supplier
evaluation, selection and monitoring. Meanwhile, ISO 9001:2015 changes the identification of these processes and
the associated controls to the use of externally provided processes, products and services (8.4). This change of
language may allow a more generic look at who the organization considers to be its suppliers.
Top management The identification of top management within ISO 9001:2015 has led to a change in the name
of Clause 5 from Management to Leadership, to outline the roles of this important group. This change will likely
put greater emphasis on the need for leadership engagement in the management of the requirements. Meanwhile,
ISO13485:2016 keeps much of the previous language with some updates to the content of management reviews.
While this alignment of the information provided in management review with the improvement outlined in Clause 8
will likely increase management understanding of the improvement actions, it doesnt go as far as ISO 9001:2015 in
the engagement of management in those actions.
Definitions The definitions of the terms complaint, product and risk are different in the two standards.
ISO13485:2016 has aligned the definitions with those provided by the Global Harmonization Task Force and the
regulatory requirements. These differ slightly from those provided in ISO 9000:2015 (Note: ISO 9001:2015 refers to
ISO9000:2015 for all definitions). This is stated in a note to entry for each of these definitions within ISO13485:2016.
BSI BSI/UK/804/ST/0316/EN 5
The differences and similarities between ISO 9001:2015 and ISO 13485:2016
Customer focus
Both revised standards start the product realization process with determining customer needs to drive the
requirements for the organizations products or services. While there is a small difference in how this is measured, as
ISO 9001:2015 seeks customer satisfaction and ISO 13485:2016 asks organizations to demonstrate that customer
requirements have been met, this minor difference is still the motivation for organizations to focus on the needs of
the customer.
Methodology
Both revised standards have maintained the use of the process approach with the Plan-Do-Check-Act (PDCA) cycle as
the core methodology that follows from the quality principles outlined in ISO 9000.
Risk-based
Both revised standards advocate the use of risk assessments as the basis of making decisions and the application
of risk management to quality management system processes, however ISO 9001:2015 takes this a step further by
integrating risk-based thinking as a key concept within the process approach and eliminating the separate subclause
on preventive action.
Competency
The updates to each of these standards has reflected a shift from the identification of training needs to ensuring
the competency of employees. This is likely to result in organizations having to determine a way to show that their
employees are able to do the job they are assigned.
Infrastructure
Both revised standards have a renewed emphasis on the determination of the necessary buildings, equipment
and other resources (including information technology) that are needed for processes and for ensuring product
6 BSI BSI/UK/804/ST/0316/EN
bsigroup.com
conformity. This is further emphasized in ISO 13485:2016 with regard to cleanliness of environment and
contamination control required in assembly or packaging of product.
Analysis of data
Another key concept emphasized in both revised standards is the need to use the appropriate statistical techniques in
data analysis to drive the actions of the organization.
Final summary
As organizations seek to make strategic decisions on the implementation of a quality management system they need
to understand how the similarities and differences between ISO 9001:2015 and ISO 13485:2016 can affect those
decisions. Top management of organizations should seek to recognize how each of these two revised standards
can work separately or together within their quality management system to achieve the goals and objectives of
theirorganization.
BSI BSI/UK/804/ST/0316/EN 7
The differences and similarities between ISO 9001:2015 and ISO 13485:2016
BSI is grateful for the help of the following people in the development of the white paper series.
Author
Mark Swanson, President and Lead Consultant of H&M Consulting Group
The H&M Consulting Group is focused on helping small to mid-sized companies have the same regulatory and quality systems
knowledge as the large medical device companies. In addition to this, Mark is also the Director of the Medical Technology Quality
graduate programme at St. Cloud State University. Mark has spent the last three years as an active member of ISO Technical
Committee 210, Working Group 1 (ISO/TC210, WG 1) working on the revision of ISO 13485:2003 and has also participated
with ISO/TC 176, WG24 on ISO 9001:2015. This work includes discussions regarding the impact of changes in the ISO quality
management system standards, the integration of various standards and how to effectively integrate the different management
system standards and other regulations into a single quality management system.
Expert Reviewers
Edward R. (Ed) Kimmelman, Regulatory Affairs/Quality Systems Consultant
Since 1998 Ed has provided consultancy services in the areas of regulatory compliance and quality management systems.
During a 35-year career in industry he has served in engineering, product management and senior quality systems management
positions. Ed is a former President of the NCCLS (currently CLSI) and has served as Chairman of the HIMA (currently AdvaMed)
Standards Section and Science & Technology Section. He is currently the convenor of the ISO/TC 210, WG 1 on quality systems. He
has co-authored a reference book, The FDA and Worldwide Quality System Requirements Guidebook for Medical Devices, 2nd edition,
ASQ:Quality Press, 2008. Ed received a BS degree in Mechanical Engineering from Cornell University and a JD degree from the
Seton Hall University School of Law.
Advisory Panel
Jane Edwards, Global Product Manager, BSI
Jane holds a BSc in Chemistry and an MBA from Durham University. She has over 10 years experience in the medical device
industry, having previously worked for Coloplast in their ostomy and continence business. Janes experience includes working
within the pharmaceutical, chemical and telecoms industries for Glaxo Wellcome, ICI and Ericsson, allowing her to bring depth
of knowledge from across many industries and technologies. Her current role at BSI allows her to work with technical reviewers
across all disciplines ensuring that all BSI communications are accurate and relevant. She is a member of the European Medical
Writers Association.
8 BSI BSI/UK/804/ST/0316/EN
bsigroup.com
anaesthetic and respiratory industry. He also represents several individual companies at ISO and CEN meetings. Terry is on several
UK, European and international standards committees, the following as Chairman: CEN/TC 215, CH/121, CH/121/1, CH/121/5,
CH/121/9 and CH/210/5.
BSI BSI/UK/804/ST/0316/EN 9
The differences and similarities between ISO 9001:2015 and ISO 13485:2016
10 BSI BSI/UK/804/ST/0316/EN
bsigroup.com
BSI is keen to hear your views on this paper, or for further information please contact us here:
[email protected]
Disclaimer This white paper is issued for information only. It does not constitute an official or agreed position
of BSI Standards Ltd. The views expressed are entirely those of the authors. All rights reserved. Except as permitted
under the Copyright, Designs and Patents Act 1988, no part of this publication may be reproduced without prior
permission in writing from the publisher. Whilst every care has been taken in developing and compiling this
publication, BSI accepts no liability for any loss or damage caused, arising directly or indirectly in connection with
reliance on its contents except to the extent that such liability may not be excluded in law. Whilst every effort has
been made to trace all copyright holders, anyone claiming copyright should get in touch with BSI at any of the
addresses below.
BSI BSI/UK/804/ST/0316/EN 11