A Guide to ISO 13485
Table of Contents:
- What is ISO 13485?
- Benefits of Implementing ISO 13485
- Key Differences from ISO 9001
- Applications of ISO 13485
- Reasons for the 2016 Update
- Revisions in the Update
- Introduction to ISO 13485
- Clause 1: Scope
- Clause 2: Normative References
- Clause 3: Definitions
- Clause 4: QMS
- Clause 5: Management Responsibility
- Clause 6: Resource Management
- Clause 7: Product Realisation
- Clause 8: Measurement, Analysis & Improvement
- Getting ISO 13485 Certified
What is ISO 13485?
The ISO 13485 standard governs quality management for medical devices and related services. It’s published by the International Organization for Standardization. ISO 13485 addresses:
- Quality control
- Risk management
- Legal compliance
- Operational efficiency
- Ability to trace and recall products and devices
- Process and product improvement
The most recent update to the standard was published in February of 2016, overriding previously published versions from 2003 and 1996. ISO 13485 derived from ISO 9001, a quality management certification that’s available to businesses in a wide variety of industries. However, medical device and pharmaceutical companies have specialized requirements that made some of the requirements of ISO 9001 difficult to apply. ISO 13485 was developed to address these needs.ISO 13485 provides a great advantage for organizations producing medical devices and related services. It assures a commitment to quality and increases efficiencies within the organization. Becoming ISO 13485 certified can increase client base and reduce barriers to entry of foreign markets, product liabilities, and production down-time.
As the transition period from ISO 13485:2003 to ISO 13485:2016 has begun, it is important for organizations to understand the advantages of becoming ISO certified, identify the key differences between the 2003 publication and the 2016 publication, and begin the work for either transition or first time certification.
The auditing process can appear overwhelming, but it does not have to be. For those seeking their first ISO 13485 certification or those transitioning from the 2003 publication to the 2016 update, the following information can serve as a starting place for implementation.
The Benefits of Implementing ISO 13485:2016
Businesses that have implemented ISO 13485 cite numerous benefits. Many companies seek the certification because of the financial benefits to their business. The certification demonstrates their commitment to building high-quality medical devices. That allows businesses to attract more clients than before.
Additional of the other benefits include:
1. Ability to Contract with Larger Companies
Many large medical device businesses prefer to work with vendors who are ISO 13485 certified. The 2016 update to this standard may make this even more desirable. The revisions mean that large companies are responsible for ensuring that any subcontractors conform to ISO 13485 standards. That means subcontractors who already have the certification are likely to be prioritized.
2. Demonstrate Commitment to High Quality
Both ISO 13485 and ISO 9001 are seen as indicators of an organization’s commitment to quality. Achieving a quality management certification demonstrates to customers and regulators that your company values quality.
3. Expand Potential Market
Standards like ISO 13485 are created to ensure that medical devices in different places demonstrate the same reliability and quality. If you’re considering exporting products, ISO 13485 certification can lend an advantage. Not only is it the first step to regulatory approval in major markets like the European Union and Canada, but it also demonstrates the quality of the product to potential buyers.
4. Help Personnel Access Relevant Information
The documentation requirements in this standard are designed to ensure that all members of a development team have access to the information they need, when they need it. Having access to the right information can reduce the time and expense associated with product development.
5. Expand and Consolidate Business Knowledge
We also hear from clients that documenting the processes associated with their medical device helps the business develop a consolidated knowledge base. This knowledge can help to identify problems, improve the product, and streamline the manufacturing process. It also makes the process of on-boarding new employees easier.
6. Make Achieving ISO 9001 Certification Easier
Many businesses hold both ISO 13485 and ISO 9001 certifications. If your business is ISO 13485 certified, achieving ISO 9001 certification is significantly easier. The requirements of these two standards are generally harmonised. ISO 9001 does contain a few requirements related to business clauses that ISO 13485 doesn’t cover.
Key differences in ISO 13485 (from ISO 9001)
- Additional requirements for preventing contamination
- Monitoring focuses on meeting customer requirements, rather than on subjective customer satisfaction measures
- Multiple documentation requirements at all stages of product development
- Focus on maintaining the effectiveness of the quality management system instead of continuous improvement (as required for ISO 9001)
- Risk management during design and production
- Additional requirements for regulatory reporting, advisory notices, and recalls
Applications of ISO 13485
ISO 13485 specifies quality management for medical device manufacturers and related organizations. This means a variety of companies in the medical device industry and pharmaceutical supply chain use ISO 13485 standards. Organizations that use this standard include:
- Manufacturers of medical devices
- Organizations that supply products or raw materials to medical device manufacturers
- Quality management organizations that contract to medical device manufacturers
- Organizations that provide services to medical device manufacturers
- Makers of sterile medical devices
- Manufacturers of surgical medical devices
A significant change in the 2016 update addresses outsourcing. This update organization requires the organization to ensure that companies it contracts with meet ISO 13485 standards when outsourcing the development, design, or servicing of a medical device.
ISO standards are voluntary, so being certified as ISO 13485 compliant isn’t always necessary. Europe and Japan offer alternative national standards. On the other hand, Canada requires class I, II and III medical device manufacturers to achieve ISO 13485 certification.
Although certification isn’t required, it can provide an advantage. Many countries base their regulatory standards for medical devices on this standard. Achieving either ISO 13485 or ISO 9001 certification is seen as the first step to approval for a medical device in Europe.
Reasons for the 2016 Update
When the 2003 standard was reviewed, ISO staff discussed potential revisions with a variety of regulatory bodies. The consensus was that the old standard no longer reflected current quality management needs.
According to Eamonn Hoxey, former chair of ISO’s technical committee for quality management:
"When we did the last review, we had discussions with the regulatory authorities and we — both industry and the authorities — felt that it was time to revise the standard … Since 2003, a number of jurisdictions have either revised or introduced regulations for medical devices, so we want to make sure the quality management system requirements align fully with those regulatory requirements."
The requirements within ISO 13485 have been adopted into a number of different countries’ regulatory programs. Regulators in Australia, Canada, the European Union, Japan, and the United States use it. It is used with modifications in the United Kingdom and by the Medical Device Single Audit Program.
Many of the revisions made to ISO 13485 reflect its importance to regulatory bodies. Among these revisions are:
- Increased alignment with regulatory requirements
- Adjustment of software standards for measurement and reporting
- Additional requirements for verification and validation planning
- Increased emphasis on addressing consumer complaints
- Additional requirements for reporting to regulatory authorities
These revisions are expected to ensure that ISO 13485:2016 aligns more fully with regulatory requirements for medical devices while still making certain that ISO 13485 includes quality management requirements from the ISO 9001 standard.
Major Revisions in the ISO 13485:2016 Update
What if your organization is already certified under the 2003 version of ISO 13485? What changes will you need to make in the next few years? To help you get started, we’ve outlined the changes made in the 2016 update below. You’ll find a brief overview of each component of ISO 13485 below, followed by a list of any major changes made to the section in question.
The introduction to ISO 13485 provides additional understanding and clarification of terms. Major changes in the introduction include expanded definitions of product life cycles, organizations that this standard applies to, and an understanding of the process approach used by organizations certified under this standard.
0.1 – General
- Provides more detail about what types of organizations ISO 13485 applies to and what stages of the product life cycle this standard applies to
- Expands the list of organizations that this standard can apply to:
- Suppliers of medical devices
- Third-party organizations providing raw materials, subassemblies, components, and medical devices for the manufacture of these products
- Organizations offering sterilisation services, calibration services, distribution services and maintenance services for medical device companies
- Reminds organizations to identify applicable regulatory requirements
- Clarifies that quality management systems need to meet regulatory requirements as well as those of ISO 13485
- Expands upon the factors that can influence the development of quality management programs within organizations
0.2 – Clarification of Concepts
- Adds the following to the conditions needed to define “appropriate requirements.” The new definition of appropriate requirements includes those that are necessary for:
- The product to meet requirements
- Compliance with applicable regulatory standards (new requirement)
- The organization to carry out corrective action
- The organization to manage risks (new requirement)
- Explains that “risk” for medical products applies to safety, performance standards, or the necessity to meet regulatory requirements
- Clarifies that documented requirements also need to be established, implemented, and maintained
0.3 – Process Approach
- Expands upon the definition of a process approach for medical devices
- A process approach emphasises:
- Understanding and meeting requirements
- Considering the added value of processes
- Obtaining results of process performance
- Improving processes based on objective measurements
0.4 – Relationship with ISO 9001
- Clarifies that sections of this standard based on ISO 9001 refer to the new ISO 9001:2015, and not the previous versions
1 - Scope
This section clarifies the organizations and processes that ISO 13485 applies to:
- Clarifies that ISO 13485 applies to organizations involved in different stages of the life cycle of medical products, including the design, repair, installation, maintenance, and storage of medical devices
- Expands the standard to include organizations that provide technical support, quality management services, and product support for medical devices
- Clarifies responsibility for third-party vendors and supplies. States those services and products that are not created by the organization, but are used in its products, are the responsibility of the organization. The certified organization is liable for maintaining, monitoring, and controlling these processes.
- Explains that the standards in clauses 6, 7, and 8 that are not applicable to the organization can be excluded. This change may be applicable to some suppliers, support organizations, and quality management service suppliers. During certification, the reasons for these exclusions still need to be documented.
2 – Normative References
Clause 2 clarifies that any references to ISO 9000 refer to ISO 9000:2015, and not to ISO 9000:2000 (used by the 2003 version).
3 – Definitions
Clause 3 defines terms used throughout this update to ISO 13485.
- Modifies certain definitions
- Modified definitions focus on defining medical devices and products. This definition is significantly more detailed than that found in the previous version of this standard. Implantable medical devices and sterile medical devices both get new definitions as well.
- Adds additional definitions
- Added definitions focus on defining roles within the life cycle of product development, including defining distributors, importers and manufacturers. Adds definitions of risk, risk management, performance evaluation, and post-market surveillance.
4 – Quality Management System
Clause 4 addresses the requirement to document procedures relating to the quality management process. Documentation requirements have been expanded and clarified in the 2016 update. There is additional language that clarifies that quality management processes required by ISO 13485 do not exempt an organization from meeting any additional quality management requirements mandated by regulatory authorities. A primary change here states that quality management requirements now apply to any outsourced products as well as those produced by the organization itself.
4.1 – General Requirements
- States that the organization is responsible for establishing, implementing and maintaining any quality management processes required by this standard
- Explains that ISO 13485 certification does not exempt the organization from other applicable regulations. The organization is also required to establish, implement and maintain processes required by other regulatory bodies. The requirement to meet other applicable regulatory requirements is emphasised throughout this version.
- Clarifies that organizations must use a risk-based approach in their quality management processes
- Explains that an organization is responsible for monitoring any outsourced processes. This is a considerable change from the 2003 version of this standard. Any outsourced processes still need to conform to the quality management standards of the medical device organization, and written quality agreements with the third party must be in place.
4.2 – Documentation Requirements
- Documentation requirements have been considerably expanded. With the exception of the medical device file, all documents were required by the previous standard. However, the additional details of what this documentation must include have been clarified.
- The Quality Manual now requires an explanation of the scope of the project management system, as well as justifications for any exclusions from it
- Requires the development of a medical device file for each product, which must include specifications, labelling, use instructions, and any requirements for installation and servicing
- Many of the requirements for document control remain the same. Documents are required to be reviewed and approved before publication. Records and documents applicable to medical devices still need to be kept for at least the lifetime of the medical device.
5 – Management Responsibility
Clause 5 addresses the management responsibilities for maintaining, documenting, and reviewing procedures. This section has undergone relatively minor changes in the 2016 update. Most of the changes in this section focus on management review.
5.6 – Management Review
- Organizations are required to have and use documented procedures for reviews
- Management review has been expanded to include complaint handling and reports to regulatory authorities
- Organizations must now record any output from management reviews
- The list of review outputs has been expanded. It now includes decisions and actions related to resource needs and to improvements needed to maintain the quality and suitability of the QMS system.
6 – Resource Management
This section covers requirements for a variety of types of resource management: human resources, infrastructure, work environment, and contamination control. This section, or clauses within it, may not be applicable to all organizations that are seeking ISO 13485 certification. Organizations that believe components of this section are not relevant can also submit an explanation that justifies their exclusion.
6.2 – Human Resources
- Changes in this section focus on requirements for additional documentation of the processes for establishing competency
- The updates include the ability to use processes proportional to the risk level of the action. Low-risk tasks may require very little documentation to prove competency, while high-risk actions require considerably more.
6.3 – Infrastructure
- Language has been added to state that it is important to ensure the proper handling of product and that protocols must be in place to prevent product mix-up
- Required documentation for maintenance activities has been expanded. Maintenance requirements must now be documented for maintenance activities, equipment used in production, work environment controls, and monitoring and measurement systems.
6.4 – Work Environment
- An additional clause has been added to state that documentation of protocols for maintaining the work environment is required when the state of the work environment could have an impact on the quality of the product.
- An additional section (6.4.2) has been added to address contamination controls.
- If product contamination is a concern, the organization must plan and document the procedure for controlling contaminated products.
7 – Product Realisation
This section addresses the processes the organization uses during product development. The bulk of changes in the 2016 update occur within Clause 7. Many of the changes in this section specifically address quality management when parts of the product development are contracted to a third party. Other changes in this section expand and clarify the types of documentation required during design, development and production phases.
7.1 – Planning of Product Realisation
- Organizations must plan and develop the processes for product realisation, in a way that is consistent with the quality management system
- Risk management policies for product realisation must be documented
- The documentation requirement for policies relating to product acceptance has been expanded. Organizations are now required to document their policies for:
- Measuring (New)
- Inspection and testing
- Handling (New)
- Storage (New)
- Distribution (New)
- Traceability activities (New)
7.2 – Customer-Related Processes
- Organizations must determine the customer requirements for the product. These requirements include those stated by the customer and those unstated but required for the product to function as intended.
- Organizations are also required to ensure that the product conforms to applicable regulatory standards.
- An additional requirement that the organization must determine any training needed by the user for the product to function has been added.
- Before committing to supply the product, the organization must review product requirements to ensure they are documented, defined, and meet applicable regulatory standards.
- During the review of product requirements, the organization must also ensure that any training needed for the product is either currently available or is planned to be made available.
- The section on communication has been expanded to state that the organization must communicate with regulatory authorities, when this communication is required by applicable regulations.
7.3 – Design and Development
This section addresses requirements for the design and development of products. There are sizable changes to the ISO 13485:2016 update in this section.
7.3.2 – Design and Development Planning
- Additional requirements for documentation during the planning stage have been added. They include:
- The requirement to ensure that design and development outputs can be traced to design and development inputs
- A new requirement to document the resources needed in the design and development planning stage, including the competency of personnel
7.3.3 – Design and Development Inputs
- Records of design and development inputs must be maintained, and must be able to be verified and validated.
- Design and development inputs now include usability requirements, as well as, the functional, safety, and performance requirements that were previously required.
7.3.4 – Design and Development Outputs
- There are no changes to the design and development outputs requirements.
7.3.5 – Design and Development Review
- Reviews are still required to ensure that the product design and development meets requirements.
- In addition to documenting reviews and necessary actions, the organization is now required to identify the product being reviewed, the date of the review and the reviewers participating.
7.3.6 – Design and Development Verification
- This section has been expanded to clarify what must be contained within a design and development verification. These requirements include:
- Acceptance criteria
- Statistical methods with justification for sample size (if applicable)
- If the medical device will be connected to another medical device, the organization must verify that the inputs and outputs work as intended when connected to the device in question.
7.3.7 – Design and Development Validation
- The organization is required to perform design and development validation in accordance with its documented procedures.
- A new requirement to perform validation on representative products, such as initial production units, must be added. Whatever the product used for validation, an explanation that justifies this choice is required.
- An additional statement has been added that when clinical trials or evaluations are used to validate a product, the product is not considered to be released for consumer use.
7.3.8 – Design and Development Transfer
- This is a new section to ISO 13485.
- This section requires the organization to follow documented procedures for transferring design outputs to manufacturing. The organization is now required to confirm that the manufacturing outputs match those of the design phase.
7.3.9 – Control of Design and Development Changes
- Additional requirements have been added to control design and development changes, in accordance with an organization’s documented procedures.
- Potential changes to the design must be reviewed to determine how they will affect the performance, safety, and usability of any device.
7.3.10 – Design and Development Files
- An additional requirement to maintain design and development files has been added. These files must include records of any changes to the design.
In line with earlier updates to address outsourcing product parts, the purchasing requirements have been updated. Most of these updates clarify expectations of what type of processes and documentation of purchasing decisions is required.
7.4 – Purchasing
7.4.1 – Purchasing Processes
- The criteria for selecting and evaluating potential suppliers has been clarified
- An additional requirement to evaluate suppliers based on their performance has been added
- This section includes a statement that suppliers must be evaluated with respect to risk. Products that would have a bigger impact on the quality of the device must be evaluated more strictly.
7.4.2 – Purchasing Information
- Purchasing information is still required to include product specifications, criteria for product acceptance, requirements for the competency of personnel with the supplying organization, and quality management system requirements.
- An additional requirement that suppliers notify the organization of any changes in the purchased product prior to implementing the change has been added
7.4.3 – Verification of Purchased Product
- An additional requirement has been added for when organizations become aware of changes in the purchased product. The organization is now required to review whether the changes in the supplied product will have an impact on their product or its performance.
7.5 – Production and Service Provision
7.5.1 – Control of Production and Service Provision
- Adds new language stating that production and service provision must be monitored
- The list of criteria for production and service provision has been expanded to include documented procedures for production controls
7.5.2 – Cleanliness of Product
- An additional requirement regarding product cleanliness has been added
- Organizations are now required to document procedures when a supplied product cannot be cleaned, and its cleanliness affects the quality of the final product.
7.5.4 – Servicing Activities
- When a medical device is required to be serviced, the organization is required to review any activities relating to servicing
- Servicing activities must be evaluated to determine whether it’s a customer complaint or whether the issue must be considered for future improvements
7.5.6 – Validation of Processes for Production and Service Provision
- When the output can’t be monitored or measured, the organization is required to validate the process that leads to this output
- The list of documentation for validating procedures has been expanded to include:
- The approval of changes to the process
- The use of statistical techniques with rationales for the sample size (as appropriate)
- The section discussing the need to validate computer software has been expanded and clarified
- Reminds organizations to use validation processes that are proportional to the risk associated with the software
7.5.7 – Particular Requirements for Validation of Processes for Sterilisation and Sterile Barrier Systems
- Adds a requirement for sterile barrier systems
7.5.8 - Identification
- Maintains the previous requirement to identify the product throughout the product realisation, and to document the procedures by which products are identified
- A new requirement to document the system the organization uses to assign unique identification numbers to devices has been added. This requirement is only applicable when unique device identification numbers are assigned.
- An additional requirement to identify product status has been added. Organizations are now required to identify product status throughout production.
7.5.11 – Preservation of Product
- Updates to this section expand upon the requirement to protect products from alteration and damage.
- Clarifies that protection must include:
- Designing appropriate packaging
- Documenting any special conditions for storage, if applicable
8 – Measurement, Analysis and Improvement
This section addresses the need to monitor products to ensure that they meet the required quality standards. These processes are used to ensure that the quality management system is working as intended, and to make any changes needed.
8.2.1 – Feedback
- The requirement to collect feedback has been expanded to include collecting feedback from post-production activities, as well as, from the production process
- A new requirement to use this feedback as input into risk management processes has been added
- Organizations are still required to use this feedback as input into the production and improvement processes
- Regulatory requirements regarding feedback from post-production processes must be incorporated into this process
8.2.2 – Complaint Handling
- This sub-clause is new to the 2016 update
- Requires the organization to document their procedures for timely complaint handling, which must be in line with any regulatory requirements
- Provides a list of items that must be documented within the complaint handling procedures
- Organizations must maintain a record of complaint handling activities
8.2.3 – Reporting to Regulatory Authorities
- This sub-clause is new to the 2016 update
- If regulatory requirements require any complaints to be reported to a regulatory authority, the organization must document their procedures for providing notification
8.2.6 – Monitoring and Measurement of Product
- An addition to this section states that the organization needs to identify the test equipment used to measure products, when applicable
8.3 – Control of Nonconforming Product
- This section addresses the need to identify products that don’t meet quality standards and to ensure that they’re not delivered along with conforming products
- The list of controls for segregating nonconforming products has been expanded. It now includes:
- New sub-clauses address actions taken when nonconforming product is detected before delivery, and actions taken when it’s detected after delivery
- Additional information has been added to address the acceptance of a nonconforming product. When nonconforming products are accepted, the organization must document the event and include a justification for the acceptance.
- A new requirement has been added to state that organizations must document the procedures for issuing advisory notices
- A new requirement to maintain records of any advisory notices released has been added
8.4 – Analysis of Data
- Adds a new requirement to document how statistical techniques and measurement methods were determined to be appropriate.
8.5 – Improvement
- This section requires organizations to implement any changes that help to maintain the suitability of the quality management system.
8.5.2 – Corrective Action
- A new requirement that any corrective action must be taken without unnecessary delay has been added
- A new requirement regarding preventative action has been added. The preventative action must not adversely affect the product’s:
- Ability to meet regulatory requirements
8.5.3 – Preventative Action
- A new requirement has been added
- Organizations are required to verify that any preventative changes will not affect the safety, performance or ability to meet regulatory requirements of the device