Differences Between the Revised QMS Ordinance and ISO 13485

Background: Why Was the Revised QMS Ordinance Necessary?

The medical device industry continuously undergoes regulatory reform to advance international harmonization and accommodate the unique characteristics of the Japanese market. The Revised Medical Device Quality Management System (QMS) Ordinance, which took effect in April 2023, aims to align with the international standard ISO 13485:2016 while incorporating Japan-specific requirements. This means that even organizations that have already built their QMS based on ISO 13485:2016 must conduct a thorough review to ensure complete compliance with the revised ordinance.

Why the Revised QMS Ordinance is More Specific Than ISO 13485

A key characteristic of the revised QMS ordinance is that it translates the abstract, principle-based language of ISO 13485 into more concrete and actionable forms. While this might initially appear to reduce organizational burden, this concretization carries the risk of creating overly restrictive interpretations. ISO 13485, as an international standard, intentionally employs abstract language to accommodate the diverse business models of medical device manufacturers worldwide. When the revised ordinance concretizes this language, there is a possibility that narrower interpretations may emerge—narrower than what ISO 13485 originally intended. This is an important consideration that organizations should be aware of.

Detailed Analysis of Key Differences in Specific Clauses

Process Monitoring and Measurement/Analysis (Clause 5-3, Section 1, Item 4)

ISO 13485:2016 stipulates that for process control, organizations must “monitor these processes and, where appropriate, measure and analyze them.” The phrase “where appropriate” allows organizations to make comprehensive judgments about process characteristics and product impact, implementing quantitative measurement and analysis as needed.

In contrast, the revised QMS ordinance states: “The organization shall monitor the process, and where it is necessary to quantitatively understand the process, it shall measure and analyze the process accordingly.” The revised ordinance effectively replaces “where appropriate” with “where it is necessary to quantitatively understand,” providing a clearer judgment criterion. However, this substitution has the potential to limit the flexibility that ISO 13485 allows for cases where qualitative monitoring alone may constitute sufficient process management.

Impact Assessment in Change Management (Clause 5-4, Section 2, Item 2)

ISO 13485:2016 stipulates in its change management provisions that organizations shall “evaluate the effect of the change on the finished device.” The concept of “effect” expects organizations to comprehensively evaluate both direct and indirect impacts of changes on the safety, performance, and effectiveness of medical devices.

The revised QMS ordinance defines this more concretely as “the impact of the change on the function, performance, and safety of the medical device according to its intended use.” This more specific definition clarifies the scope of evaluation and enhances practical applicability. However, it simultaneously narrows the potential for broader perspectives in assessment, such as impacts on the QMS as a whole or long-term risk considerations.

Management Approach in Change Management (Clause 5-4, Section 2, Item 3)

ISO 13485:2016 stipulates that changes shall be “managed in accordance with this standard and applicable regulatory requirements,” encouraging organizational ingenuity in developing management approaches.

The revised QMS ordinance states this more concretely as: “necessary procedures including applications, notifications, reports, submissions, and other procedures related to the change shall be followed.” This explicitly requires organizations to incorporate procedures involving the regulatory authorities that oversee medical devices. This represents a requirement that reflects the characteristics of Japan’s regulatory operations, and organizations must incorporate these administrative procedures into their change management processes.

Software Validation (Clause 5-6, Section 2)

ISO 13485:2016 states that “the application of such software shall be validated prior to initial use. Where appropriate, validation shall be performed following changes to the software or its application.” The phrase “where appropriate” allows organizations flexibility in determining the timing of validation based on the extent of the change.

The revised QMS ordinance provides more detailed provisions. It requires that “manufacturers/distributors shall conduct validation before initial use of such software in the quality management supervision system and when such software or its application is changed,” but provides an exception: “However, where the manufacturer/distributor can demonstrate justified reasons for not requiring validation before changing such software or its application, validation after the change shall suffice.”

While this provision appears to provide flexible options to organizations, the phrase “justified reasons” introduces ambiguity in practical interpretation. Whether Notified Bodies (in Europe) or regulatory authorities will apply identical criteria in future assessments remains uncertain. Organizations should carefully document the risk-based rationale for their decisions regarding validation timing to maintain compliance defensibility.

Protection of Confidential Health Information and Personal Information Management (Clause 9, Section 3)

ISO 13485:2016 stipulates that “the organization shall define and implement a method to protect confidential health information contained in records in accordance with applicable regulatory requirements.” “Confidential health information” encompasses all information related to medical device use, including patient medical history, treatment progress, and personally identifiable information.

The revised QMS ordinance states: “Manufacturers/distributors shall establish a method for appropriately managing personal information (limited to information obtained from the use of medical devices, etc.), and shall manage personal information according to such method.” Importantly, the revised ordinance adds a limitation that personal information must be “information obtained from the use of medical devices.” This restriction means that manufacturers are limited to managing information directly derived from actual device use, rather than all personal information they possess.

Whether this specific limitation aligns completely with the scope of “confidential health information” protection that ISO 13485 envisions remains subject to industry discussion. Organizations must carefully balance compliance with Japan’s statutory requirements with alignment to international standards.

Japan-Specific Classifications and Requirements

Specified Maintenance Medical Devices

Japan has a unique classification system that includes “Specified Maintenance Medical Devices” (特定保守管理医療機器), a category that does not exist in ISO 13485. These are medical devices for which maintenance during the use phase is particularly critical. For products approved or certified as Specified Maintenance Medical Devices, manufacturers must maintain related documentation for the longer of two periods: 15 years or the device’s validity period plus one year. This requirement strengthens risk management related to long-term use of medical devices.

Limited Class III Medical Devices and Limited General Medical Devices

The revised QMS ordinance provides exemptions from certain requirements for limited Class III medical devices and limited general medical devices. These devices receive simplified QMS requirements based on their lower design and manufacturing process complexity or limited risk profiles. Organizations must accurately understand their product classifications and appropriately apply applicable exemptions.

Other Important Differences

Terminology and Conceptual Differences

The revised QMS ordinance and ISO 13485:2016 employ different terminology for many concepts. For example, ISO 13485’s “quality management system” is rendered as “quality management supervision system” (品質管理監督システム) in the revised ordinance, reflecting the characteristics of Japanese administrative terminology—often referred to as “Kasumigaseki terminology” (官庁用語). Similarly, “management review” is expressed as “management supervision review” (管理監督者照査). These terminological differences are not merely linguistic variations; they reflect the administrative background of Japan’s medical device regulatory system, making them important for proper understanding.

Distinction Between Manufacturers/Distributors and Manufacturers (Registered Manufacturing Sites)

The revised QMS ordinance clearly distinguishes between “manufacturers/distributors” and “manufacturers (registered manufacturing sites),” with different QMS requirements applied to each. Since ISO 13485 does not contain the concept of “registered manufacturing sites,” organizations that outsource manufacturing within Japan must establish quality oversight and audit systems based on Japan’s specific regulatory requirements, including quality agreements with contract manufacturers.

Placement of Notes and Explanatory Comments

In ISO 13485:2016, notes and explanatory comments are integrated into the standard text and carry normative guidance equivalent to the main provisions. Conversely, in the revised QMS ordinance, much of the content corresponding to ISO 13485 notes is placed in the clause-by-clause explanation. While the explanatory clauses differ in legal binding force, they serve as important reference materials for administrative guidance and regulatory inspections. Organizations must thoroughly understand these explanations and reflect them in their QMS design.

Deletion of Document Management Provisions

ISO 13485:2016’s clause 4.2.4 contains an explicit statement that “records are a type of document but shall be managed in accordance with the requirements specified in 4.2.5.” This provision has been deleted in the revised QMS ordinance, simplifying the explicit distinction between the management of documents and records.

Practical Impact on Organizations and Implementation Guidance

Even for organizations that have already built their QMS based on ISO 13485:2016, the enforcement of the revised QMS ordinance requires confirmation of the following points and necessary system review:

First, re-evaluate whether your current operational methods for process monitoring, change management, software validation, and information protection meet the specific requirements of the revised ordinance. Second, confirm the applicability of requirements based on your target product classifications, such as Specified Maintenance Medical Devices or limited medical devices. Third, in light of terminological and conceptual differences, organize your QMS documents and standard operating procedures according to the revised ordinance’s terminology to prevent discrepancies with inspection bodies and regulatory authorities.

Finally, as the revised QMS ordinance continues to evolve, it is essential to regularly review the latest industry developments and notifications from the PMDA (Pharmaceuticals and Medical Devices Agency) and implement necessary continuous improvements to your QMS.

For Further Understanding

For deeper learning about the specific content and implementation methods of the revised QMS ordinance, it is recommended to consult official guidance documents published by the Ministry of Health, Labour and Welfare and the PMDA, as well as explanatory materials provided by industry associations. Additionally, online platforms such as YouTube offer multiple video explanations of the key points of the revised ordinance, which can be valuable for visual and step-by-step understanding.