ISO 13485 Requirements: FAQ About the Top Medical Device Quality Management Standard

A medical device can be as basic as a bedpan or as intricate as a personalized sensor that remotely monitors the performance of organs in living humans. Yet all medical devices share one commonality: when produced by companies that follow the medical device quality management standard ISO 13485, they're aiming for the highest globally recognized standard of quality. With the impending harmonization of ISO 13485 and 21 CFR Part 820 just around the corner, the standard is further cementing its global importance and ubiquity.

If your organization plays a role in the development of a medical device, a quality management system (QMS) that meets ISO 13485 requirements doesn't just happen. It takes a concerted organizational effort, thoughtful planning, and a thorough understanding of the work required for compliance. Below you'll find answers to some of the questions commonly asked by companies striving for compliance with ISO 13485 requirements.

What Are the ISO 13485 Requirements?

The ISO 13485 medical device guidelines for maintaining an effective QMS are all geared toward the safe design, manufacture, and distribution of effective medical device products. The standard outlines expectations for the foundational aspects of quality management, specifically:

• The general and documentation requirements for the QMS.
• Management responsibility (in terms of commitment, customer focus, quality policy, planning, responsibility, authority, communication, reviews, etc.).
• Resource management (i.e., infrastructure, involvement of human resources, and provision of other resources).
• Product realization (i.e., planning, design/development, purchasing, production, equipment controls, etc.).
• Measurement, analysis, and improvement.

Device manufacturers that meet the ISO 13485 quality system requirements for medical devices reap an array of production benefits, such as minimized variation. Adherence to the standard also provides economic benefits that come from reducing scrap and making quality processes more efficient in general.

Play

What Markets/Geographies Does ISO 13485 Compliance Affect?

The medical device quality management systems used in the production of most types of medtech products by companies in Australia, Canada, European Union member nations, and Japan are beholden to ISO 13485 requirements. All 165 member countries of the International Organization for Standardization (ISO) follow the standard as well.¹

Does the FDA Recognize Compliance With ISO 13485 Requirements?

The U.S. Food and Drug Administration's (FDA) quality system requirements for medical devices are based on the guidelines set forth in the 21 CFR Part 820 - Quality System Regulation (QSR). However, the agency recently issued a proposed rule that would harmonize Part 820 with ISO 13485 requirements.²

Separate regulatory guidance remains in effect for the time being, so device makers intending to distribute products in regions and markets subject to FDA oversight must still adhere to the QSR guidelines. Device companies planning to market products internationally should comply with both Part 820 and ISO 13485 requirements.

What Changed With the 2016 Updates to ISO 13485 Requirements?

The updated standard contains many minor adjustments, but the most notable changes involve an elevated emphasis on risk and risk management. Since the revised ISO 13485 requirements went into effect, device makers are expected to apply a risk-based approach to the control of their medical device quality management processes. Also, the executives of medical device companies should explicitly incorporate risk management into decisions that guide not only their organizations' quality objectives but their business goals as well.

The updated ISO 13485:2016 requirements call for an increased focus on risk as it pertains to critical quality-related areas, such as:

• Corrective action/preventive action (CAPA) management.
• Documentation of risk management in product realization.
• Monitoring, testing, and traceability.
• Software validation.
• Supplier and outsourcing controls.
• Training of personnel commensurate with the risks inherent in the processes they perform.³

How Do ISO 13485 Requirements Differ From ISO 9001?

The ISO 13485 requirements were based on ISO 9001, the international gold standard for quality management systems. However, ISO 9001 offers a general set of requirements geared toward customer satisfaction and continual improvement that can be too subjective and/or difficult to measure for many medtech companies. ISO 13485, therefore, focuses on meeting specific metrics that measure medical device quality management performance and are aimed at maintaining QMS effectiveness.

There are two other notable differences between ISO 13485 requirements and those set forth in ISO 9001:

1. As mentioned above, ISO 13485 places greater emphasis on managing risk.
2. ISO 13485 includes additional requirements for documenting procedures.

Who Enforces ISO 13485 Standards?

ISO itself is not an enforcement agency; it exclusively establishes and maintains ISO standards. Adherence to ISO 13485 requirements is confirmed through QMS audits performed by authorized third-party certification bodies. Following the completion of a successful audit, those agencies certify that the audited medical device quality management system meets the standard. That certification stands for three years.

You can learn more about ISO 13485 quality system requirements for medical devicesby watching the first installment of the three-part “ISO 13485:2016: Getting Ready for Changes” video series here.

References:

1. ISO Members, ISO website.
2. Proposed Rule: Medical Devices; Quality System Regulation Amendments, U.S. Federal Register, Feb. 23, 2022.
3. ISO 13485:2016 - Medical Devices - Quality Management Systems - Requirements for regulatory purposes, March 2016, ISO.