What is ISO 13485 for Medical Devices, and how is it different from ISO 9001?

Apart from meeting rigorous safety requirements, medical device manufacturers need to comply with strict quality standards. A compliant Quality Management System (QMS) is therefore absolutely fundamental for any medical device company, or any Life Science company operating in the tightly regulated healthcare space for that matter. 

QMS compliance is controlled by regulations, based on certain international standards. These standards are issued by The International Organization for Standardization (ISO). Regarding QMS, there are two primary standards that are important, ISO 13485 and ISO 9001. Medical device companies need their QMS to adhere to the ISO 13485 standard, which is specific to the medical device industry.

Why is ISO 13485 so important?

ISO 13485 enables organizations to integrate their own QMS with medical device industry regulations. It prepares manufacturers to address the requirements under EU Medical Device Directive (MDD), the EU Medical Device Regulation (MDR), and other important regulations.

Compliance with ISO 13485 demonstrates an organization's commitment to maintaining high quality and safety standards of medical devices, which consistently meet customer and regulatory requirements.

What’s the difference between
ISO 9001 and ISO 13485?

In short, the main difference lies in the scope of these two standards. ISO 9001 is the international standard for quality management systems (QMS) across all industries. 

In order to obtain ISO 9001 certification, a company needs to follow all the requirements in the ISO 9001 Standard. This standard is used by organizations to show their ability to consistently provide products and services that meet customer and regulatory requirements and to demonstrate continuous improvement. There are several documents in the ISO 9000 family of standards, but ISO 9001 is the sole standard in the 9000 series that requires certification. The current version used today is ISO 9001:2015, which was published in 2015 (hence the: 2015).

ISO 13485, on the other hand, is the standard that’s specific to medical devices. It’s the medical device industry’s most widely used international standard for quality management. The current version is ISO 13485:2016. In essence, the two standards serve much the same purpose, just that ISO 13485 is more refined with additional requirements. So ISO 13485 is built upon ISO 9001, with extra conditions that must be met. 

The additional requirements of ISO 13485 for medical devices include:

• Documentation requirements for medical device files
  
• Work environment requirements
  
• Contamination control requirements
  
• Production requirements for cleanliness of products
  
• Production requirements for sterile medical devices
  
• Requirements for reporting to regulatory authorities

Medical device companies only need to concern themselves with ISO 13485:2016 when manufacturing and distributing medical devices, not ISO 9001.

Why is ISO 13485:2016 based on an older version of ISO 9001?

Although the last revision of ISO 9001 was made in 2015, and the ISO 9001:2015 standard supersedes the ISO 9001:2008 standard, ISO 13485 is still based on ISO 9001:2008. The ISO 9001:2015 update included many new requirements for identifying an organization's context, identifying internal and external issues, identifying interested parties, and their needs and expectations. However, as the changes were not relevant for the medical device industry, the ISO 13485 standard was not updated in alignment with these new ISO 9001:2015 requirements. It therefore remains based on the  ISO 9001:2008 standard.

Key requirements of ISO 13485

The requirements of ISO 13485 are applicable to organizations no matter their size or type, except where explicitly stated. Wherever requirements are specified as applying to medical devices, the requirements apply equally to associated services supplied by the organization.

The ISO 13485 structure is divided into eight sections, with the first three being introductory (introducing scope, normative references and terms & definitions of the standard), and the last five containing the crucial mandatory requirements for the QMS. In the later sections, requirements are based on a Plan-Do-Check-Act cycle to drive and maintain improvements within the processes. Let's take a look at those sections now.

The eight parts of ISO 13485

1. Scope:

Describes the standard’s purpose and use.

2. Normative References:

Some introductory information and common nomenclature.

3. Terms and Definitions:

A description of the terminology used throughout the standard.

4. Quality Management System:

highlights the general medical device QMS requirements and the documentation requirements to meet the standard, as well as the requirements for the quality manual.

5. Management Responsibility:

Requires management to be involved at the level of the one that makes finance and policy decisions. Ensures that the quality policy, objectives, support, company-wide understanding, overview of the QMS, and delegation of resources are under direct responsibility of upper management.

6. Resource Management:

Requires management to ensure and uphold adequate facilities, including space, tools, equipment and tech. The QMS must include processes that guarantee required maintenance activities are performed.

7. Product Realization:

Requires everything that is needed to realize the product, from planning to creation (designing and manufacturing), implementation, and support of medical devices. Defines product design and development and their controls. The criteria for risk management (assessment, analysis, and reduction) are laid out as well.

8. Measurement, Analysis and Improvement:

Offers instructions on how to incorporate feedback and other associated information that will enable management to maintain the effectiveness of the QMS, including:

• • Customer complaints and the handling of adverse events
    
  • Internal audits
  • Monitoring and measuring of processes
  • Monitoring and measuring products, including nonconformities
  • CAPAs.
  • Data analytics

Spotlight on medical device QMS requirements to meet ISO 13485

For those that want to drill down into section 4 of ISO 13485:2016, and discover the exact requirements a medical device QMS must meet, the following lists are helpful to you. If that’s too much detail, skip right ahead!

Remember that Scilife helps you meet all of the requirements needed for ISO 13485  through intuitive and compliant Document Control and KPI modules. Additionally, 95% of the validation process is taken care of on our end with all the documented evidence being made available to you.

ISO 13485:2016
QMS General requirements:

• Document a quality management system and maintain its effectiveness.
  
  
• Establish, implement and maintain any requirement, procedure, activity, or arrangement required to be documented by the ISO 13485 Standard or applicable regulatory requirements.
  
  
• Determine the processes needed for the quality management system and the application of these processes throughout the organization, taking into account the organization's roles.
  
  
• Apply a risk-based approach to the control of the appropriate processes required for the QMS.
  
  
• Determine the sequence and interaction of these processes.
  
  
• Determine the criteria and applicable methods needed to ensure that both the operation and control of these processes are effective.
  
  
• Ensure the availability of resources and information necessary to support the operation and monitoring of these processes.
  
  
• Implement actions necessary to achieve planned results and maintain the effectiveness of these processes.
  
  
• Monitor, measure as appropriate and analyse these processes.
  
  
• Establish and maintain records to demonstrate conformance.
  
  
• Any changes to be made will be evaluated for their impact on the quality management system.
  
  
• Any changes to be made will be evaluated for their impact on the medical devices produced under this quality management system.
  
  
• Any changes to be made will be controlled by the requirements of the standard and applicable regulations.
  
  
• When the organization chooses to outsource any process that affects product conformity to requirements, it must monitor and ensure control over such processes. The organization is required to retain the responsibility of conformity to this International Standard and customer and applicable regulatory requirements for outsourced processes. The controls are required to be proportionate to the risk involved and the external party's ability to meet the requirements under ISO 13485. The controls shall include written quality agreements.
  
  
• The organization is required to document procedures for the validation of the application of software used in the quality management system. Such software applications are required to be validated before initial use and, as appropriate, after changes to such software or its application. The specific approach and activities associated with software validation and revalidation are required to be proportional to the risk associated with the use of the software.

ISO 13485:2016
QMS Documentation requirements:

To meet the ISO 13485:2016 standard, QMS documentation must include:

• Documented statements of a quality policy and quality objectives
• A quality manual
• Documented procedures and records required by ISO 13485
• Documents, including records, determined by the organization to be necessary to ensure the effective planning, operation, and control of its processes
• Other documentation specified by applicable regulatory requirements

ISO 13485:2016
QMS Quality Manual requirements:

The ISO 13485:2016 standard requires the organization to document a quality manual. This manual is expected to outline the structure of the documentation used in the QMS. It needs to include the following aspects:

• The scope of the quality management system, including details of and justification for any exclusion or non-application.
• The documented procedures for the quality management system, or reference to them.
• A description of the interaction between the processes of the quality management system.

ISO 13485:2016
QMS Medical File requirements:

For each medical device type or medical device family, the ISO 13485:2016 standard requires the organization to establish and maintain one or more files either containing or referencing documents generated to demonstrate conformity to this standard, and compliance with applicable regulatory requirements.

The content of the file(s) is expected to include, but is not limited to:

• A general description of the medical device, intended use/purpose, and labeling, including any instructions for use;
• Specifications for product;
• Specifications or procedures for manufacturing, packaging, storage, handling, and distribution;
• Procedures for measuring and monitoring;
• As appropriate, requirements for installation;
• As appropriate, procedures for servicing.

Scilife helps you meet both
ISO 13485 and ISO 9001

Although medical device manufacturers only need to worry about meeting ISO 13485, Scilife makes it possible to have an efficient QMS that’s fully compliant with both standards. Scilife is a modular platform, built to address exact medical device regulatory requirements. To discover what Scilife can do for your company, whether you’re in the medical device space or in any other life science industry, get in touch with our experts who are waiting to show you around.

More about Scilife for Medical Devices