Some medical devices are as complex as a remote, personalized heart failure sensor. Others are as simple as a tongue depressor. But all medical devices have one thing in common: they benefit immensely from being designed and manufactured in alignment with ISO 13485. The ISO 13485 international standard is the world’s most widely used means of measuring the effectiveness of a medical device manufacturer’s quality management system (QMS).
The aim of this article is to answer frequently asked questions about ISO 13485 manufacturing and the related regulatory requirements that apply to medical device companies’ use of QMS.
ISO 13485 is the most common medical device QMS regulatory standard in the world. It is focused on maintaining QMS effectiveness and meeting regulatory and customer requirements. Since different countries often have different standards, ISO 13485 is intended to provide a globally harmonized model of QMS requirements for international markets.
The guidelines for maintaining effective quality management processes outlined in ISO 13485 are all geared toward the safe design, manufacture and distribution of effective medical devices. In addition to being a regulatory requirement, an ISO 13485-compliant QMS makes good business sense because it helps device manufacturers minimize variation. This in turn provides economic benefits in the form of reduced scrap and general process efficiencies.
For most medical devices, compliance to ISO 13485 is required by all European Union members, Canada, Japan, Australia and many other nations. The standard applies to all 165 member countries of the International Organization for Standardization (ISO).(1)
Enjoying this article? You may also enjoy this White Paper:
ISO 13485 - Change? Do I Have To?Download Free White Paper
ISO 13485 is a stand-alone document, but it was based on and is directly related to ISO 9001, the world’s leading quality management standard. Although both are in the same QMS family of standards, ISO 9001 is a general set of requirements that necessitates greater focus on continual improvement and customer satisfaction. Although these are critical concerns for all manufacturers, they pose unique challenges for medical device makers because they tend to be too subjective and are therefore difficult to measure.
Rather than requiring medical device companies to meet the potentially subjective aspects of the ISO 9001 requirements, ISO 13485 is targeted toward meeting metrics that more accurately gauge quality performance. These include metrics related to meeting customer requirements and maintaining the effectiveness of the QMS.
ISO 13485 differs from ISO 9001 in two other significant ways:
Device manufacturers can obtain certifications to both standards but may opt not to do so based on the intent of the two standards. Additionally, while the two standards were once more harmonized, variations in their formats have occurred since ISO 9001 was restructured in 2015. If conformance to both standards is necessary, the company must plan strategies for meeting each set of requirements.
For device manufacturers eyeing American markets, the requirements of ISO 13485 standard can often seem blurred with those set forth in the 21 CFR Part 820 – Quality System Regulation (QSR). The QSR, also commonly called Current Good Manufacturing Practice (CGMP) regulations, was established and is maintained by the U.S. Food and Drug Administration (FDA).
The FDA is in the process of harmonizing U.S. quality system requirements with ISO 13485, and plans to issue a notice of proposed rulemaking in October 2020. For the time being, separate guidance remains in effect.(2) Until the QSR’s shift to ISO 13485 requirements is fully completed, compliance with the QSR is required for manufacturers planning to distribute medical devices in the U.S. Additionally, if a device maker based in the U.S. wishes to market its products internationally, it must comply with both the QSR and ISO 13485 manufacturing standards.
The QSR is structured differently than ISO 13485 but they have no conflicting requirements. And because the QSR is a regulation, it is often more specific than ISO 13485. For instance, the QSR has more detailed requirements in the areas of complaint handling and reporting requirements. Therefore, conformity to ISO 13485 does not sufficiently demonstrate to the FDA that a manufacturer is in full compliance with the QSR.
There is plenty of overlap between the two sets of guidelines, however, and it’s estimated that the majority of medical device manufacturers comply with both.(3) Accordingly, there are many reasons for device manufacturers to seek a QMS that helps them meet both sets of requirements.
The reasons for the differences between ISO 13485, ISO 9001 and the QSR are best understood by examining the motivation for establishing each set of guidelines.
The third and most current edition of the standard was published by ISO in 2016.(4) Since the March 2019 expiration of the three-year grace period that followed the unveiling of ISO 13485:2016, device companies have been required to be in full compliance with current standards.
While there are many minor revisions within the updated standard, the most widespread and prominent change is the increased emphasis on risk. The 2016 edition places an expectation on device manufacturers to apply a risk-based approach to controlling QMS processes. It specifies a greater consideration of risk as it applies to a variety of critical areas, including:
The updates to ISO 13485 make risk management an explicit part of executive decision-making as it affects a device manufacturer’s business and quality objectives.
ISO establishes and maintains standards, but it is not an enforcement agency. Certification to the standard is evaluated by third party agencies. Once an organization has established a QMS it believes is in alignment with the standard, an independent certification body or registrar audits the performance of the QMS against the latest version of the ISO 13485 requirements. The certification body must be a member of the International Accreditation Forum (IAF) in order to grant valid certification and should employ the relevant certification standards established by ISO’s Committee on Conformity Assessment (CASCO).(5)
When an organization passes an ISO 13485 audit, the authorized certification body issues a certificate demonstrating that the organization is registered to the standard for a three-year period. Manufacturers must be recertified every three years to maintain certification status.
The ISO 13485 standard is organized into the following eight sections.
To learn more about how the latest version of the ISO 13485 standard may affect your company, you can start watching the first installment of the three-part “ISO 13485:2016: Getting Ready for Changes” video series here.
James Jardine is a marketing content writer at MasterControl, Inc., a leading provider of cloud-based quality and compliance software solutions. He has covered life sciences, technology and regulatory matters for MasterControl and various industry publications since 2007. He has a bachelor’s degree in communications with an emphasis in journalism from the University of Utah. Prior to joining MasterControl, James held several senior communications, operations and development positions. Working for more than a decade in the non-profit sector, he served as the Utah/Idaho director of communications for the American Cancer Society and as the Utah Food Bank’s grants and contracts manager.