ISO 13485 will continue to mandate quality for MedTech products to 2030, but firms should not get too comfortable

Some in the MedTech community breathed a sigh of relief in October when it was announced that ISO 13485:2016, an international standard mandating quality management systems (QMS) for the industry, has been extended to 2030, a move that has its pros and cons.

Irene Petre

11/3/2025

Some in the MedTech community were relieved in October that the international quality standard ISO 13485 remains in place until April 2030. ISO 13485:2016 defines a Quality Management System (QMS) for the design, manufacture, and distribution of medical devices, including combination products and drug-device integrations. It provides the foundation needed to scale up “the right way” and meet EU MDR/IVDR, FDA QSR, or MDSAP requirements for both traditional device manufacturers and digital health tech firms.

Whilst the confirmation of existing standards adds continuity and alignment, some may wonder how standards from 2016 or before are still relevant in the AI age. Regulatory experts believe the answer lies in the core evergreen principles of risk management, ethical data validation and quality assessment embedded in these standards, which still make them valuable frameworks. ISO 13485 doesn't include specific AI rules, since it was last updated in 2016, but it forces companies to govern AI/ML as a highly complex form of Software as a Medical Device (SaMD).

The standard is often used in conjunction with ISO 14971:2019 (a systematic approach to risk management across the whole device product lifecycle), and the risk-based decision-making framework required by these standards can still address new AI-specific risks such as algorithmic bias (it forces providers to ensure data is fair and representative) or data validation.

Keeping the standard in place adds regulatory continuity and lowers immediate costs for firms, but there is a risk of false comfort for some more traditional firms, which could fall behind if they rely only on older standards. There may, however, be future updates covering cybersecurity or AI. Overall, if applied well, standards like ISO 13485 can be strategic assets that offer not just credibility but also internal rigour for MedTech companies, especially small ones that often do not have the time, money or expertise to develop their own internal governance processes. Starting from the questions raised by such existing frameworks, however, MedTech players should look ahead and do additional research and testing to identify new market trends, patient needs and, above all, risks, including complex ethical ones, that cannot all be spelled out in older standards.

There is recognition at international level, and certainly in the EU, that innovation in the MedTech and wider Life Sciences space is accelerating and risks are becoming more complex. However, it is sometimes helpful not to reinvent the wheel and to maintain some consistency with previous (still relevant) standards and frameworks, in order to avoid regulatory fatigue among companies, especially small players and entrepreneurs that can struggle with the cost of regulation.
