A Guide to ISO 13485
*Updated March 2021
Table of Contents:
- What is ISO 13485?
- Benefits of Implementing ISO 13485
- Applications of ISO 13485
- About the 2016 Update
- Key Differences in ISO 13485 from ISO 9001
- How to Get Certified with NQA
- Revisions in the Update
- Introduction to ISO 13485
- Clause 1: Scope
- Clause 2: Normative References
- Clause 3: Definitions
- Clause 4: QMS
- Clause 5: Management Responsibility
- Clause 6: Resource Management
- Clause 7: Product Realization
- Clause 8: Measurement, Analysis & Improvement
- Get ISO 13485 Certified
What is ISO 13485?
The ISO 13485 standard governs quality management systems for medical devices and related services. It's published by the International Organization for Standardization. ISO 13485 addresses:
- Quality control
- Risk management
- Legal compliance
- Operational efficiency
- Ability to trace and recall products and devices
- Process and product improvement
The most recent update to the standard was published in February of 2016, overriding previously published versions from 2003 and 1996. ISO 13485 derived from ISO 9001, a quality management system certification that's available to businesses in a wide variety of industries. However, medical device and pharmaceutical companies have specialized requirements that made some of the requirements of ISO 9001 difficult to apply. ISO 13485 was developed to address these needs.
ISO 13485 provides a great advantage for organizations producing medical devices and related services. It assures a commitment to quality and increases efficiencies within the organization. Becoming ISO 13485 certified can increase your client base and reduce barriers to entry of foreign markets, product liabilities and production down-time.
The three-year transition period from ISO 13485:2003 to ISO 13485:2016 ended in March 2019. Many organizations that needed to keep an active ISO 13485 certification have already adopted the 2016 standards. Those that haven't have had to pull out of European Union (EU) and Canadian markets. If your company was once certified to ISO 13485:2003, and you want to reenter markets that require certification to ISO 13485, you may seek a first-time certification to ISO 13485:2016. It is important for these organizations to understand the advantages of becoming ISO certified, identify the key differences between the 2003 publication and the 2016 publication and begin the work for first-time certification.
The auditing process can appear overwhelming, but it does not have to be. For those seeking their first ISO 13485 certification, the following information can serve as a starting place for implementation.
The Benefits of Implementing ISO 13485:2016
Businesses that have implemented ISO 13485 cite numerous benefits. Many companies seek the certification because of the financial benefits to their business. The certification demonstrates their commitment to building high-quality medical devices. That allows businesses to attract more clients than before.
Some of the most desirable benefits include the abilities to:
1. Contract with Larger Companies
Many large medical device businesses prefer to work with vendors who are ISO 13485 certified. The 2016 update to this standard has made this even more desirable. The revisions mean that large companies are responsible for ensuring that any subcontractors conform to ISO 13485 standards. That means subcontractors who already have the certification are likely to be prioritized.
2. Demonstrate Commitment to High Quality
Both ISO 13485 and ISO 9001 are seen as indicators of an organization’s commitment to quality. Achieving a quality management certification demonstrates to customers and regulators that your company values quality.
3. Expand Potential Market
International medical device standards like ISO 13485 are created to ensure that medical devices in different places demonstrate the same reliability and quality. If you’re considering exporting products, ISO 13485 certification can lend an advantage. It is the first step to regulatory approval in major markets like the EU and Canada, and it also demonstrates the quality of the product to potential buyers.
4. Help Personnel Access Relevant Information
The documentation requirements in this standard are designed to ensure that all members of a development team have access to the information they need, when they need it. Having access to the right information can reduce the time and expense associated with product development.
5. Expand and Consolidate Business Knowledge
We also hear from clients that documenting the processes associated with their medical device helps the business develop a consolidated knowledge base. This knowledge can help to identify problems, improve the product and streamline the manufacturing process. It also makes the process of on-boarding new employees easier.
6. Make Achieving ISO 9001 Certification Easier
Many businesses hold both ISO 13485 and ISO 9001 certifications. If your business is ISO 13485 certified, achieving ISO 9001 certification is significantly easier. The requirements of these two standards are generally harmonized. While ISO 9001 contains a few requirements related to business clauses that ISO 13485 doesn’t cover, you'll already have done most of the work.
Applications of ISO 13485
ISO 13485 specifies quality management for medical device manufacturers and related organizations. This means a variety of companies in the medical device industry and pharmaceutical supply chain use ISO 13485 standards. Organizations that use this standard include:
- Manufacturers of medical devices.
- Organizations that supply products or raw materials to medical device manufacturers.
- Quality management organizations that contract to medical device manufacturers.
- Organizations that provide services to medical device manufacturers.
- Makers of sterile medical devices.
- Manufacturers of surgical medical devices.
A significant change in the 2016 update addresses outsourcing. This update requires an organization to ensure that companies it contracts with meet ISO 13485 standards when outsourcing the development, design or servicing of a medical device.
ISO standards are voluntary, so being certified to ISO 13485 isn’t always necessary. Europe and Japan offer alternative national standards. On the other hand, Canada requires class I, II and III medical device manufacturers to achieve ISO 13485 certification.
Although certification isn’t required, it can provide an advantage. Many countries base their regulatory standards for medical devices on this standard. Achieving either ISO 13485 or ISO 9001 certification is seen as the first step to approval for a medical device in Europe. Beyond earning regulatory approvals, following the ISO 13485 standard can produce higher quality medical devices. They'll be more trusted in the marketplace, and your manufacturing processes will produce fewer errors, scraps and reworks.
About the 2016 Update
The deadline to transition to the 2016 version was March 31, 2019. ISO 13485:2016 is now the sole version of the standards that any organization can hold an active certification for.
All ISO standards undergo review every five to ten years to determine if the standards need revisions to retain their relevance in the current market. Before 2016, the most recent version of the standard had been released in 2003. After 13 years, the medical device industry and national and international regulations had evolved dramatically. When reviewing the 2003 standard, ISO staff discussed potential revisions with a variety of regulatory bodies. The consensus was that the old standard no longer reflected current quality management needs.
According to Eamonn Hoxey, former chair of ISO's technical committee for quality management:
"When we did the last review, we had discussions with the regulatory authorities and we — both industry and the authorities — felt that it was time to revise the standard. […] Since 2003, a number of jurisdictions have either revised or introduced regulations for medical devices, so we want to make sure the quality management system requirements align fully with those regulatory requirements."
Since the 2016 revision arrived, the requirements within ISO 13485 have been adopted into a number of different countries' regulatory programs. Regulators in Australia, Canada, the European Union, Japan and the United States use it. It is used with modifications in the United Kingdom and by the Medical Device Single Audit Program.
Many of the revisions made to ISO 13485 reflect its importance to regulatory bodies. Among these revisions are:
- Increased alignment with regulatory requirements.
- Adjustment of software standards for measurement and reporting.
- Additional requirements for verification and validation planning.
- Increased emphasis on addressing consumer complaints.
- Additional requirements for reporting to regulatory authorities.
- Greater emphasis on risk-based decision-making and risk management.
These revisions ensured that ISO 13485 aligned more fully with regulatory requirements for medical devices while still incorporating the quality management requirements from the ISO 9001 standard.
Key Differences in ISO 13485 from ISO 9001
ISO 9001 is similar to ISO 13485 in many ways, as it outlines a quality management system for general industry. Companies that manufacture both medical devices and other products, such as some contract manufacturers, may want to maintain both certifications.
Since the two certifications speak to different types of manufacturing and align with different regulatory standards, each has some key elements that the other does not. For example, ISO 9001 is mostly geared toward customer satisfaction through high standards for quality management systems. Meanwhile, ISO 13485 focuses more heavily on the safety and efficacy of medical devices and is closely linked to many regulatory requirements. As such, it also has more extensive documentation requirements.
ISO 13485 contains some unique components and requirements, including:
- Additional requirements for preventing contamination.
- Monitoring focused on meeting customer requirements rather than on subjective customer satisfaction measures.
- Multiple documentation requirements at all stages of product development.
- Focus on maintaining the effectiveness of the quality management system instead of continuous improvement, as required for ISO 9001.
- Risk management during design and production.
- Additional requirements for regulatory reporting, advisory notices and recalls.
How to Get Certified with NQA
NQA is an accredited certification body for ISO 13485 and many other ISO standards. When you apply for certification through NQA, we give you added value for your money. As auditors, we can help you improve your organization through the auditing process, with recommendations tailored to your business in addition to corrective action for compliance with the standard. To get certified to ISO 13485 through NQA, fill out your application or contact us with any questions about our process.
To find out if you're ready, check out the ISO 13485 guide below to learn about the standards and key differences from the earlier versions.
Major Revisions in the ISO 13485:2016 Update
If your organization's most recent certification is under the 2003 version of ISO 13485, transitioning will be a challenge. No matter what your certification expiration date says, a certification to ISO 13485:2003 is now null and void.
If your organization needs an active ISO 13485 certification to enter or return to certain medical device markets, you must now undergo the full certification process rather than a transition certification. You'll need a complete audit from an accredited external auditor like NQA as though you were receiving certification for the first time. After a full ISO 13485 implementation, you can conduct your audit and receive certification.
While the process will be the same as obtaining a first-time certification, it may be a little easier if you're already familiar with and using the 2003 standards. To help you get started, we’ve outlined the changes made in the 2016 update below. You’ll find a brief ISO 13485 overview below, followed by a list of any major changes made to the section in question.
The introduction to ISO 13485 provides additional understanding and clarification of terms. Major changes in the introduction include expanded definitions of product life cycles, organizations that this standard applies to, and an understanding of the process approach used by organizations certified under this standard.
0.1 – General
- Provides more detail about what types of organizations ISO 13485 applies to and what stages of the product life cycle this standard applies to.
- Expands the list of organizations that this standard can apply to, including suppliers of medical devices; third-party organizations providing raw materials, subassemblies, components and medical devices for the manufacture of these products; and organizations offering sterilization services, calibration services, distribution services and maintenance services for medical device companies.
- Reminds organizations to identify applicable regulatory requirements.
- Clarifies that quality management systems need to meet regulatory requirements as well as those of ISO 13485.
- Expands upon the factors that can influence the development of quality management programs within organizations.
0.2 – Clarification of Concepts
- Adds the following to the conditions needed to define “appropriate requirements.” The new definition of appropriate requirements includes those that are necessary for the product to meet requirements, compliance with applicable regulatory standards (new requirement), the organization to carry out corrective action and the organization to manage risks (new requirement).
- Explains that “risk” for medical products applies to safety, performance standards or the necessity to meet regulatory requirements.
- Clarifies that documented requirements also need to be established, implemented and maintained.
0.3 – Process Approach
- Expands upon the definition of a process approach for medical devices.
- A process approach emphasizes understanding and meeting requirements, considering the added value of processes, obtaining results of process performance and improving processes based on objective measurements.
0.4 – Relationship with ISO 9001
- Clarifies that sections of this standard based on ISO 9001 refer to the new ISO 9001:2015 and not the previous versions.
1 - Scope
This section clarifies the organizations and processes that ISO 13485 applies to:
- Clarifies that ISO 13485 applies to organizations involved in different stages of the life cycle of medical products, including the design, repair, installation, maintenance and storage of medical devices.
- Expands the standard to include organizations that provide technical support, quality management services and product support for medical devices.
- Clarifies responsibility for third-party vendors and supplies. States those services and products that are not created by the organization, but are used in its products, are the responsibility of the organization. The certified organization is liable for maintaining, monitoring and controlling these processes.
- Explains that the standards in clauses 6, 7 and 8 that are not applicable to the organization can be excluded. This change may be applicable to some suppliers, support organizations and quality management service suppliers. During certification, the reasons for these exclusions still need to be documented.
2 – Normative References
Clause 2 clarifies that any references to ISO 9000 refer to ISO 9000:2015, and not to ISO 9000:2000 (used by the 2003 version).
3 – Definitions
Clause 3 defines terms used throughout this update to ISO 13485.
- Modifies certain definitions to focus on defining medical devices and products. This definition is significantly more detailed than that found in the previous version of this standard. Implantable medical devices and sterile medical devices both get new definitions as well.
- Adds additional definitions that focus on defining roles within the life cycle of product development, including defining distributors, importers and manufacturers. Adds definitions of risk, risk management, performance evaluation and post-market surveillance.
4 – Quality Management System
Clause 4 addresses the requirement to document procedures relating to the quality management process. Documentation requirements have been expanded and clarified in the 2016 update. There is additional language that clarifies that quality management processes required by ISO 13485 do not exempt an organization from meeting any additional quality management requirements mandated by regulatory authorities. A primary change here states that quality management requirements now apply to any outsourced products as well as those produced by the organization itself.
4.1 – General Requirements
- States that the organization is responsible for establishing, implementing and maintaining any quality management processes required by this standard.
- Explains that ISO 13485 certification does not exempt the organization from other applicable regulations. The organization is also required to establish, implement and maintain processes required by other regulatory bodies. The requirement to meet other applicable regulatory requirements is emphasized throughout this version.
- Clarifies that organizations must use a risk-based approach in their quality management processes.
- Explains that an organization is responsible for monitoring any outsourced processes. This is a considerable change from the 2003 version of this standard. Any outsourced processes still need to conform to the quality management standards of the medical device organization and written quality agreements with the third party must be in place.
4.2 – Documentation Requirements
- Documentation requirements have been considerably expanded. With the exception of the medical device file, all documents were required by the previous standard. However, the additional details of what this documentation must include have been clarified.
- The Quality Manual now requires an explanation of the scope of the project management system, as well as justifications for any exclusions from it.
- Requires the development of a medical device file for each product, which must include specifications, labeling, use instructions and any requirements for installation and servicing.
- Many of the requirements for document control remain the same. Documents are required to be reviewed and approved before publication. Records and documents applicable to medical devices still need to be kept for at least the lifetime of the medical device.
5 – Management Responsibility
Clause 5 addresses the management responsibilities for maintaining, documenting and reviewing procedures. This section has undergone relatively minor changes in the 2016 update. Most of the changes in this section focus on management review.
5.6 – Management Review
- Organizations are required to have and use documented procedures for reviews.
- Management review has been expanded to include complaint handling and reports to regulatory authorities.
- Organizations must now record any output from management reviews.
- The list of review outputs has been expanded. It now includes decisions and actions related to resource needs and to improvements needed to maintain the quality and suitability of the QMS system.
6 – Resource Management
This section covers requirements for a variety of types of resource management: human resources, infrastructure, work environment and contamination control. This section, or clauses within it, may not be applicable to all organizations that are seeking ISO 13485 certification. Organizations that believe components of this section are not relevant can also submit an explanation that justifies their exclusion.
6.2 – Human Resources
- Changes in this section focus on requirements for additional documentation of the processes for establishing competency
- The updates include the ability to use processes proportional to the risk level of the action. Low-risk tasks may require very little documentation to prove competency, while high-risk actions require considerably more.
6.3 – Infrastructure
- Language has been added to state that it is important to ensure the proper handling of product and that protocols must be in place to prevent product mix-up.
- Required documentation for maintenance activities has been expanded. Maintenance requirements must now be documented for maintenance activities, equipment used in production, work environment controls and monitoring and measurement systems.
6.4 – Work Environment
- An additional clause has been added to state that documentation of protocols for maintaining the work environment is required when the state of the work environment could have an impact on the quality of the product.
- An additional section (6.4.2) has been added to address contamination controls.
- If product contamination is a concern, the organization must plan and document the procedure for controlling contaminated products.
7 – Product Realization
This section addresses the processes the organization uses during product development. The bulk of changes in the 2016 update occur within Clause 7. Many of the changes in this section specifically address quality management when parts of the product development are contracted to a third party. Other changes in this section expand and clarify the types of documentation required during design, development and production phases.
7.1 – Planning of Product Realization
- Organizations must plan and develop the processes for product realization in a way that is consistent with the quality management system.
- Risk management policies for product realization must be documented.
- The documentation requirement for policies relating to product acceptance has been expanded. Organizations are now required to document their policies for verifying, validating, monitoring, measuring (new), inspection and testing, handling (new), storage (new), distribution (new) and traceability activities (new).
7.2 – Customer-Related Processes
- Organizations must determine the customer requirements for the product. These requirements include those stated by the customer and those unstated but required for the product to function as intended.
- Organizations are also required to ensure that the product conforms to applicable regulatory standards.
- An additional requirement that the organization must determine any training needed by the user for the product to function has been added.
- Before committing to supply the product, the organization must review product requirements to ensure they are documented, defined and meet applicable regulatory standards.
- During the review of product requirements, the organization must also ensure that any training needed for the product is either currently available or is planned to be made available.
- The section on communication has been expanded to state that the organization must communicate with regulatory authorities when this communication is required by applicable regulations.
7.3 – Design and Development
This section addresses requirements for the design and development of products. There are sizable changes to the ISO 13485:2016 update in this section.
7.3.2 – Design and Development Planning
- Additional requirements for documentation during the planning stage have been added. The first requirement is that design and development outputs must be traced to design and development inputs. Next, the company must document the resources needed in the design and development planning stage, including the competency of personnel.
7.3.3 – Design and Development Inputs
- Records of design and development inputs must be maintained and must be able to be verified and validated.
- Design and development inputs now include usability requirements, as well as the functional, safety and performance requirements that were previously required.
7.3.4 – Design and Development Outputs
- There are no changes to the design and development outputs requirements.
7.3.5 – Design and Development Review
- Reviews are still required to ensure that the product design and development meets requirements.
- In addition to documenting reviews and necessary actions, the organization is now required to identify the product being reviewed, the date of the review and the reviewers participating.
7.3.6 – Design and Development Verification
- This section has been expanded to clarify what must be contained within a design and development verification. These requirements include methods, acceptance criteria and statistical methods with justification for sample size, if applicable.
- If the medical device will be connected to another medical device, the organization must verify that the inputs and outputs work as intended when connected to the device in question.
7.3.7 – Design and Development Validation
- The organization is required to perform design and development validation in accordance with its documented procedures.
- A new requirement to perform validation on representative products, such as initial production units, must be added. Whatever the product used for validation, an explanation that justifies this choice is required.
- An additional statement has been added that when clinical trials or evaluations are used to validate a product, the product is not considered to be released for consumer use.
7.3.8 – Design and Development Transfer
- This is a new section to ISO 13485.
- This section requires the organization to follow documented procedures for transferring design outputs to manufacturing. The organization is now required to confirm that the manufacturing outputs match those of the design phase.
7.3.9 – Control of Design and Development Changes
- Additional requirements have been added to control design and development changes according to an organization’s documented procedures.
- Potential changes to the design must be reviewed to determine how they will affect the performance, safety and usability of any device.
7.3.10 – Design and Development Files
- An additional requirement to maintain design and development files has been added. These files must include records of any changes to the design.
In line with earlier updates to address outsourcing product parts, the purchasing requirements have been updated. Most of these updates clarify expectations of what type of processes and documentation of purchasing decisions is required.
7.4 – Purchasing
7.4.1 – Purchasing Processes
- The criteria for selecting and evaluating potential suppliers has been clarified.
- An additional requirement to evaluate suppliers based on their performance has been added.
- This section includes a statement that suppliers must be evaluated with respect to risk. Products that would have a bigger impact on the quality of the device must be evaluated more strictly.
7.4.2 – Purchasing Information
- Purchasing information is still required to include product specifications, criteria for product acceptance, requirements for the competency of personnel with the supplying organization and quality management system requirements.
- An additional requirement that suppliers notify the organization of any changes in the purchased product prior to implementing the change has been added.
7.4.3 – Verification of Purchased Product
- An additional requirement has been added for when organizations become aware of changes in the purchased product. The organization is now required to review whether the changes in the supplied product will have an impact on their product or its performance.
7.5 – Production and Service Provision
7.5.1 – Control of Production and Service Provision
- Adds new language stating that production and service provision must be monitored.
- The list of criteria for production and service provision has been expanded to include documented procedures for production controls.
7.5.2 – Cleanliness of Product
- An additional requirement regarding product cleanliness has been added.
- Organizations are now required to document procedures when a supplied product cannot be cleaned and its cleanliness affects the quality of the final product.
7.5.4 – Servicing Activities
- When a medical device is required to be serviced, the organization is required to review any activities relating to servicing.
- Servicing activities must be evaluated to determine whether it’s a customer complaint or whether the issue must be considered for future improvements.
7.5.6 – Validation of Processes for Production and Service Provision
- When the output can’t be monitored or measured, the organization is required to validate the process that leads to this output.
- The list of documentation for validating procedures has been expanded to include the approval of changes to the process and the use of statistical techniques with rationales for the sample size (as appropriate).
- The section discussing the need to validate computer software has been expanded and clarified.
- Reminds organizations to use validation processes that are proportional to the risk associated with the software.
7.5.7 – Particular Requirements for Validation of Processes for Sterilization and Sterile Barrier Systems
- Adds a requirement for sterile barrier systems
7.5.8 - Identification
- Maintains the previous requirement to identify the product throughout the product realization, and to document the procedures by which products are identified.
- A new requirement to document the system the organization uses to assign unique identification numbers to devices has been added. This requirement is only applicable when unique device identification numbers are assigned.
- An additional requirement to identify product status has been added. Organizations are now required to identify product status throughout production.
7.5.11 – Preservation of Product
- Updates to this section expand upon the requirement to protect products from alteration and damage.
- Clarifies that protection must include designing appropriate packaging and documenting any special conditions for storage, if applicable.
8 – Measurement, Analysis and Improvement
This section addresses the need to monitor products to ensure that they meet the required quality standards. These processes are used to ensure that the quality management system is working as intended, and to make any changes needed.
8.2.1 – Feedback
- The requirement to collect feedback has been expanded to include collecting feedback from post-production activities, as well as from the production process.
- A new requirement to use this feedback as input into risk management processes has been added.
- Organizations are still required to use this feedback as input into the production and improvement processes.
- Regulatory requirements regarding feedback from post-production processes must be incorporated into this process.
8.2.2 – Complaint Handling
- This sub-clause is new to the 2016 update.
- Requires the organization to document their procedures for timely complaint handling, which must be in line with any regulatory requirements.
- Provides a list of items that must be documented within the complaint handling procedures.
- Organizations must maintain a record of complaint handling activities.
8.2.3 – Reporting to Regulatory Authorities
- This sub-clause is new to the 2016 update.
- If regulatory requirements require any complaints to be reported to a regulatory authority, the organization must document their procedures for providing notification.
8.2.6 – Monitoring and Measurement of Product
- An addition to this section states that the organization needs to identify the test equipment used to measure products, when applicable.
8.3 – Control of Nonconforming Product
- This section addresses the need to identify products that don’t meet quality standards and to ensure that they’re not delivered along with conforming products.
- The list of controls for segregating nonconforming products has been expanded. It now includes identification, documentation, segregation, evaluation and disposal.
- New sub-clauses address actions taken when nonconforming product is detected before delivery and actions taken when it’s detected after delivery.
- Additional information has been added to address the acceptance of a nonconforming product. When nonconforming products are accepted, the organization must document the event and include a justification for the acceptance.
- A new requirement has been added to state that organizations must document the procedures for issuing advisory notices.
- A new requirement to maintain records of any advisory notices released has been added.
8.4 – Analysis of Data
- Adds a new requirement to document how statistical techniques and measurement methods were determined to be appropriate.
8.5 – Improvement
- This section requires organizations to implement any changes that help to maintain the suitability of the quality management system.
8.5.2 – Corrective Action
- A new requirement that any corrective action must be taken without unnecessary delay has been added.
- A new requirement regarding preventative action has been added. The preventative action must not adversely affect the product's safety, performance and ability to meet regulatory requirements.
8.5.3 – Preventative Action
- A new requirement has been added.
- Organizations are required to verify that any preventative changes will not affect the safety, performance or ability to meet regulatory requirements of the device.
Get Certified with NQA
Getting certified for an ISO standard can be a difficult process. Preparation and good organization can make it less stressful.
Understanding the requirements of ISO 13485 is a good place to start. Your auditor will be referring to these standards as they evaluate your organization. Documenting and organizing your quality management procedures is another important step.
Next, make sure employees, as well as management, know the organization’s quality management processes. Keeping everybody on the same page will help the audit process go smoothly.
It is often required to conduct an internal audit before conducting the external audit for certification. An internal audit can help you determine whether any changes need to be made to your quality management system before certification.
It’s also important to choose the right auditor to conduct the audit. Since an audit is fundamentally an on-site verification of your quality management processes, look for an auditor with a local presence. This can speed up the auditing process and reduce problems that arise from language or cultural barriers.
Your auditor should also be experienced. For instance, NQA has conducted more than 35,000 certifications in 70 different countries. This means that, when questions about logistics or the audit process arise, our experienced auditors can help you find the answer.
When NQA audits a business, we work with your processes and procedures. That means you won’t be required to add processes that don’t work for your business. Dedicated Customer Service representatives will ensure that you have feedback throughout the registration process so that you can address questions that arise during the auditing process quickly and get back to work sooner.