ISO standards are some of the most recognized global harmonized standards currently at work, along with the standards issued by IEC.
ISO standards are issued by the International Standards Organization (ISO), founded in 1947 by a global team of delegates to ensure safe, high-quality products. The Organization publishes standards that describe requirements, specifications, guidelines, and other instructions in various categories, such as quality management, length measurements, corporate reliability, and information security systems.
The medical device industry is represented through ISO 13485:2016 Quality Management Systems – Requirements for Regulatory Purposes, which specifies requirements for the quality management systems (QMS) of manufacturers involved in medical device production and related services. In a similar vein, ISO 9001 also details criteria for quality management systems. But what is the difference between the two? And do you need one or the other or both?
Don’t fret – we got you! Here, we review the specific differences between ISO 13485 and ISO 9001. We also review when an organization should comply with one standard versus the other and whether compliance to both is ever a good idea.
ISO 9001
ISO 9001 was first issued in 1987; the latest version was released in 2015. It is a series of standards that describe the requirements for quality management systems in businesses in any industry and sector and of any size. Organizations can be certified to ISO 9001 to demonstrate that they can consistently provide products and services that meet customer and regulatory requirements.
The goal of ISO 9001 is to provide processes for documenting and evaluating the aspects required in an effective quality management system, such as organizational structure, responsibilities, and procedure. The standard includes information and instruction on a variety of QMS facets, such as:
- General requirements for quality management systems, such as documenting and planning.
- Management responsibilities and leadership engagement.
- Human resources, work environment, and management of resources.
- Product lifecycles, from design to delivery.
- Evaluation and improvement of the quality management system, including audits and corrective and preventive actions.
ISO 13485
ISO 13485 was first issued in 1996 and was last updated in 2016. It was based on the quality requirements of ISO 9001 but has since evolved into its own increasingly different standard, which does not reference ISO 9001. ISO 13485 describes the requirements and procedures for quality management systems in the medical device industry. Of note is the focus on patient safety by ensuring consistent medical device development and manufacturing processes and implementing the processes to adhere to applicable regulatory requirements.
Certification to ISO 13485:2016 is a surefire way of demonstrating the quality of your QMS if you are considering CE marking in the European Union. Likewise, ISO 13485 certification is accepted as proof of a high-quality QMS in most markets worldwide.
ISO 9001 vs ISO 13485
So, both standards describe adherence to quality management requirements. But what is the difference between the two?
Because of its specificity to the medical device industry, ISO 13485 includes several unique features, such as medical device terminology, requirements for clinical and performance evaluations, procedures for collecting customer feedback, and records of corrective and preventive actions, among others.
Likewise, ISO 13485 emphasizes a risk-based approach to quality management by including requirements for risk management. All the major medical device regulations are shifting towards risk management as a critical part of the regulation, so the quality management standard also includes a risk management focus. While ISO 9001 is also focused on risk management strategies to minimize risks to users, ISO 13485 provides a fundamental framework infused with risk management to ensure patient safety.
Lastly, ISO 13485 delves deep into document control related to the medical device industry and the elaboration of regulatory documentation. The standard has higher demands for document control and records than ISO 9001.
As we can see, ISO 13485 focuses on the regulatory requirements of medical device development and manufacturing. ISO 9001 is not. ISO 9001 describes requirements for various industries, some regulated and others not. Therefore, ISO 9001 does not emphasize regulatory requirements and compliance for a particular sector, which ISO 13485 heavily does.
Which standard should I comply with?
Even though the two standards deal with quality management systems, they cannot be substituted.
As a medical device manufacturer, you should comply with ISO 13485, regardless of company size or device risk classification. ISO 13485 applies to medical device manufacturers of all levels, whether you manufacture ankle braces or 3D-printed orbital implants. While the EU Medical Device Regulation does not directly require compliance with ISO 13485 – it only requires a quality management system that lives up to the regulation – most medical device manufacturers choose to obtain ISO 13485 certification before starting on the path to the CE mark. Most significant markets worldwide also do not directly require compliance with ISO 13485 but accept the ISO 13485 certificate as proof of a quality QMS.
A note: the American Food and Drug Administration, FDA, does not require ISO 13485 for the US market. The FDA quality management regulation, 21 CFR 820, is currently undergoing harmonization with ISO 13485, but they still require compliance with the 21 CFR 820 first and foremost. Even so, ISO 13485 lays a beautiful groundwork for manufacturers looking to place products on the US market and is not wasted.
ISO 9001 cannot be used to demonstrate QMS compliance as a medical device manufacturer. Only companies outside the medical device industry should comply with ISO 9001 as an assurance of the quality of their QMS.
Many larger companies choose to comply with both standards. For example, a global multinational medical device manufacturer can choose to comply with ISO 9001 on a corporate level and with ISO 13485 on a manufacturing level. It ensures the company’s quality management system on both a corporate and administrative level, as well as a manufacturer of medical devices.
Establishing and maintaining a quality management system is vital for the well-being of a company’s employees and the safety and performance of its products. Deciding which QMS standard to comply with is not a choice, per se – it depends entirely on the company’s focus. Medical device manufacturers should always comply with ISO 13485, while manufacturers outside the medical device industry should comply with ISO 9001.
While most manufacturers obtain ISO certification for regulatory or marketing purposes, it is worth noting that having a well-established and certified quality management system significantly enhances the quality of your products and the well-being of your employees. In the case of ISO 13485, compliance also goes a great way toward ensuring the safety of patients and users and minimizing risk.
Make sure you comply with all legal requirements for Medical Devices with Scilife Smart QMS!
