Getting Ready for ISO 13485:201X (Part 1)

The quality management standard for med devices is changing.
As most of you know, ISO 13485–Quality Management Systems—Requirements for Regulatory Purposes is being revised. ISO 13485: 201X, as the final revision is being referred to, is expected to be available in late 2015 or early 2016. Understandably, this is causing anxiety for medical device manufacturers, many of whom are still struggling to conform to the current version of the standard. With this in mind, let’s review the basics of the ISO: 13485. In future posts, we’ll examine why the standard is being updated, and the most significant changes you can expect to see. 

What is ISO 13485?

ISO 13485 is a series of requirements that help medical device manufacturers develop a quality management system. According to the official ISO 13485 standard, these requirements “can be used by an organization for the design and development, production, installation and servicing of medical devices, and the design, development, and provision of related services.”(1)

Although ISO 13485 is a stand-alone document, it is often harmonized with ISO 9001, the world’s leading quality management standard, which, as of this writing, is also under revision.

This article is related to:
Understanding ISO 13485: A Brief, Yet Comprehensive, Overview
To get the full details, please download your free copy
How Does ISO 13485 Differ from ISO 9001?

The most fundamental difference between the two standards is that ISO 13845 is tailored specifically to medical device companies, whereas ISO 9001 can be used by any company, of any size, within any industry sector. Additionally, ISO 9001 requires the certified company or organization to demonstrate continual improvement. By contrast, ISO 13485 requires only that the organization demonstrate that its quality system is effectively implemented and maintained.

Another principal difference is that ISO 13485 excludes the ISO 9001 requirements regarding customer satisfaction, focusing instead on regulatory requirements as a management responsibility. Finally, unlike ISO 9001, 13485 places great emphasis on the importance of risk. It requires device manufacturers, as well as their sub-tier suppliers and contractors, to apply risk management and risk analysis from product development through product realization.

It is not uncommon for non-medical device companies to upgrade or migrate from 9001 to ISO 13485 (or to maintain both certifications) in order to introduce their existing products for use in medical applications.

How Does ISO 13485:2003 Differ from EN ISO 13485:2012?

Good question, and one that confuses many. There are three current and common versions of ISO 13485. The primary international version is ISO 13485:2003; it is also the version that I am discussing in this post. The variant EN ISO 13485:2012 is the latest European harmonized version of ISO 13485; it replaces the prior harmonized version, EN ISO 13485:2003, which is now considered to be obsolete. EN ISO 13485:2012 is applicable only to manufacturers placing devices on the market in Europe. Manufacturers can employ ISO 13485 to meet the quality system requirements of the European directives, including European Medical Device Directive (93/42/EEC).

Confusion frequently occurs when people use the abbreviated ISO 13485 to refer to both ISO 13485:2003 and EN ISO 13485: 2012. This leads some to assume that there is a 2012 version of the primary (2003) standard, which there isn't.

The third version is CAN/CSA-ISO 13485:03. Conformance to this standard is necessary in order to secure a Canadian Medical Device License for a Canadian class II, III or IV medical device. Health Canada considers this variant to be the equivalent to ISO 133485:2003.

How is the Standard Organized?

ISO 13485 comprises eight sections, which are preceded by an introduction. Sections one through three describe the purpose for and use of the standard. Sections four through eight contain the “meat” of the standard, i.e., the requirements necessary for compliance, so they will be examine individually.
  • Section Four (Systemic Requirements): This section defines the general requirements for compliance. It explains how to implement and maintain a QMS for devices; prepare a quality manual, quality policy, and quality objectives; control QMS documents; and maintain document integrity.
  • Section Five (Management Requirements): This section defines management’s role in the establishment and maintenance of an ISO 13485 QMS. It requires upper management to actively participate in quality planning, and to ensure that the quality policy is understood throughout the organization. Specific requirements for carrying out periodic management reviews of the QMS, including how often reviews should take place; what to cover; and expected outputs, are also covered in section five.
  • Section Six (Resource Requirements): This section defines the requirements for the provision of three types of resources: physical, environmental and human. Key topics covered in section six include the importance of defining employee job requirements and how to keep good training records.
  • Section Seven (Product Realization Requirements): This extensive section covers everything that is required in order to produce a product, from customer requirements to creating (designing and manufacturing), installing, and supporting a medical device. Requirements are given for how to correctly perform the most basic tasks (e.g., processing catalog orders), as well as the most complex tasks (e.g., designing from a design concept). Validation; equipment maintenance; and risk management, including risk assessment, risk analysis and risk reduction), are also covered in section seven.
  • Section Eight (Remedial Requirements): This final section defines the remedial processes necessary in order to maintain the effectiveness of the QMS. Key topics covered in section eight include handling adverse events and customer complaints; conducting internal audits; monitoring and measuring processes and product, including nonconforming product; analyzing data; and taking corrective and preventive actions.
ISO/TR 14969:2004 is a guidance document for the application of ISO 13485. Additional guidance for implementing a medical device QMS can be obtained from the Global Harmonization Taskforce and the FDA guidance documents and compliance manual.

Is ISO 13485 Required?

ISO 13485 is required in Canada (CAN/CSA-ISO 13485:03). Japanese Ministry of Health, Labour and Welfare (MHLW) Ordinance #169 is based on ISO 13485: 2003 and is required in Japan. Although EN ISO 13485 is considered to be the de facto standard for the device industry in Europe, it is not technically a requirement. It is, however, the expectation for two reasons: certification to EN ISO 13485 presumes compliance with applicable European Directives (making it easier to obtain CE Marking, which is mandatory if you want to place a device on the market in the European Union) and it’s considered good practice. In the United States, the FDA Quality System Regulation (QS Reg.), also known as cGMP, is required. Of course, if a U.S.-based company wishes to market its medical device products internationally, it must comply with both cGMP and ISO 13485.

Even in countries where adherence to the standard isn’t required by law, ISO 13485 is becoming increasingly required by investors, partners and customers. A 2011 Covidien-commissioned survey of 900 device manufacturers showed that 37% of respondents had become 13485 certified to meet regulatory requirements, 31% had become compliant to support regulatory approval of products or services, and 28% had become compliant to meet customer requirements.(2) Third-party certification to a particular standard or regulation assures both potential and existing consumers, as well as suppliers and foreign trade officials, that your business operations are safe and efficient. This assurance can lead to tremendous marketing and business advantages.

What Are the Operational & Financial Benefits of ISO 13485 Certification?

Many device companies fail to realize how much money they could save (or even generate) by developing and implementing a quality management system that adheres to ISO 13485.
  • Increases customer confidence: Certification establishes a company’s commitment to quality, which often leads to increased customer confidence;
  • Enhances marketing and promotional opportunities: Once a company has been deemed compliant by a certified ISO13485 registrar, it will receive a certificate. The company’s marketing team will be able to display this certificate on all corporate marketing materials to enhance its credibility in the eyes of customers, employees and other stakeholders;
  • Promotes better communication/fewer deviations: ISO 13485 promotes harmonization of regulatory requirements on an international scale. Harmonization allows device manufacturers and other quality experts to communicate using a familiar/standardized vocabulary. This reduces communication gaps and misunderstandings that often result in deviations, nonconformances and other quality events that can cause patient harm, regulatory sanctions and significant revenue loss;
  • Improves performance and supplier relationships: Using a uniform, widely-accepted system of process control leads to improved products and processes. This, in turn, often leads to increased customer satisfaction and better relationships with suppliers and partners;
  • Enhances brand equity: Improved products and processes help device manufacturers sustain their delivery of high-quality products, and minimize or avoid embarrassing product recalls and costly regulatory sanctions. Ultimately, this leads to increased brand equity, which is an important competitive advantage;
  • Increases Speed to Market: ISO 13485 certification allows an organization to meet the quality system requirements of the European Medical Device Directive (93/42/EEC), In Vitro Medical Device Directive (98/79/EEC) and Active Implantable Medication Device Directive (90/385/EEC) with less difficulty, which expedites market entry.
In today’s global medical device industry, it’s no longer enough to merely comply with FDA requirements. Manufacturers must address the demands of regulators from countries around the world. Achieving ISO 13485 certification is a worthy endeavor since maintaining ISO standards promotes customer, investor, and employee confidence, and builds a system that is ideal for automation and increased productivity.

Editor’s Note: This post was taken from the white paper: Understanding ISO 13485: A Brief, Yet Comprehensive, Overview, which you can download here.

1. ISO 13485–Quality Management Systems—Requirements for Regulatory Purposes (official standard),
2. Raus, Jodi, "Medtech Manufacturers Rev Up ISO 13485 Certifications." 24 April, 2015.

Lisa Weeks, a marketing communications specialist at MasterControl Inc., writes extensively about technology, the life sciences industry, and other regulated environments. Her two decades of marketing and advertising experience include work with McNeil Pharmaceuticals, SAP AG, SCA Mölnlycke Health Care, Crozer-Keystone Health Systems, and NovaCare Rehabilitation/Select Med.