How to Implement ISO 13485 (Medical Devices)
Product conformity is important across all industries, but it's especially crucial when it comes to the design and manufacturing of medical devices. Consistent product quality is an issue of patient safety, regulatory compliance and a company's ability to succeed in the industry. To ensure the appropriate level of quality control, it's essential to comply with the relevant standards.
One of these standards is ISO 13485, a quality management system (QMS) standard designed specifically for medical device manufacturers. At NQA, we have extensive experience with ISO 13485 and other standards relevant to the medical device manufacturing sector. The following step-by-step guide to implementing ISO 13485 will walk you through how to become certified with the help of the experts at NQA.
What Is ISO 13485?
ISO 13485 is a quality management standard that is designed specifically for the manufacturing of medical devices. The standard is based on ISO 9001 but contains additional requirements that relate specifically to manufacturing, installing and servicing medical devices. ISO 13485 calls for:
- Implementing a quality management system
- Taking a risk management approach to product development
- Validating processes
- Complying with regulatory and statutory requirements
- Establishing effective methods for product traceability and recall
ISO 13485 also helps companies that manufacture, install and service medical devices with process improvement, operational efficiency and product improvement.
The latest version of ISO 13485 is ISO 13485:2016, which replaced ISO 13485:2012, and was published on March 1, 2016. The International Organization for Standardization (ISO) publishes the standard, and the ISO technical committee 210 managed the changes. ISO 13485:2016 is aligned with ISO 9001:2008. For organizations with certifications to older versions of ISO 13485, the deadline to transition to the most recent version was February 28, 2019.
Although ISO 13485 is based on ISO 9001, achieving certification does not mean you are automatically compliant with the other, and both require auditing. ISO 9001 and ISO 13485 have many similarities, but ISO 13485 contains requirements and terms that are unique to the medical device industry. For example, ISO 13485 has a stronger role for a quality representative to top management than ISO 9001 does.
Benefits Of ISO 13485
Complying with ISO 13485 and achieving certification to it can provide numerous benefits to medical device companies. Some of the benefits of ISO 13485 certification include:
- Legal Compliance: ISO 13485 certification requires compliance with all legal and regulatory requirements. It also helps you to improve your understanding of how these requirements impact your organization and your customers.
- Enhanced Risk Management: Certification to ISO 13485 also helps you to manage risks by increasing the traceability and consistency of your products and services.
- Reduced Operating Costs: ISO 13485 helps you to continually improve your processes and make them more efficient over time, saving your organization money.
- Improved Customer Satisfaction: A medical device QMS helps you to provide more consistent quality in your products and services, making your products more reliable and better able to meet customers' needs. This enhanced quality increases customer satisfaction.
- Better Access To Information: The documentation that ISO 13485 requires can assist your organization in creating a consolidated knowledge base, which can help you to identify issues and improve your products and processes. Documentation also helps you to ensure that team members have access to accurate information whenever they need it.
- Improved Business Reputation: Certification to ISO 13485 is recognized internationally as a sign of a reputable business and high-quality products, so it can improve your business's reputation among current and potential customers, investors, partners, suppliers and other stakeholders.
- Ability To Win More Business: Many businesses prefer to work with medical device organizations that have ISO 13485 certification, and some require that all the companies they partner with have it. This is due in part to the fact that, under the latest version of ISO 13485, companies are responsible for ensuring any subcontractors they work with conform to ISO 13485 requirements. Because of these preferences and requirements, ISO 13485 certification enables you to win more business.
- International Expansion Opportunities: ISO 13485 is internationally recognized as a sign of product quality and is the first step to regulatory approval in many major markets. These qualities mean ISO 13485 certification can help you to expand your business into new markets.
- Assistance With ISO 9001 Certification: Achieving ISO 13485 certification can make it easier to earn certification to ISO 9001, as the two standards share many requirements. Keep in mind that there are some differences in requirements that you will need to account for.
How To Become ISO 13485 Certified
ISO 13485 contains requirements that are beneficial for various types of organizations operating as part of medical device and pharmaceutical supply chains. It's especially vital for organizations that manufacture medical devices or provide services that support medical device manufacturers. Some examples of organizations that use this standard include:
- Medical device manufacturers, including makers of sterile and surgical medical devices
- Companies that provide products, components or raw materials to medical device manufacturers
- Quality management organizations that work with medical device manufacturers
- Organizations that provide services to manufacturers of medical devices
Certification to ISO 13485 is typically voluntary, although some countries require certain medical device manufacturers to comply with ISO 13485. In Canada, for example, class I, II and III medical device manufacturers are required to achieve ISO 13485 certification. Japan and Europe, on the other hand, offer alternative national standards. In many countries, the regulatory standards for medical devices are based on ISO 13485.
Even if you are not required to earn certification to ISO 13485, it may be beneficial to your organization if it falls into one of the categories listed above. If you believe ISO 13485 may be right for your organization, keep reading to learn about the steps to implementing ISO 13485 and how to get certified.
Step 1: Obtain The Documents And Study The Requirements
Once you've determined that ISO 13485 is the right standard for your organization, take some time to learn about its requirements. Start by obtaining a copy of the standard itself, along with any supporting documents. You'll need to refer to these documents when creating your implementation plan, and the auditor will refer to them when assessing your QMS.
Make sure you have the most recent version of the standard, as the update contains several important changes. For example, the latest version requires organizations to ensure that all the organizations with which it contracts comply with ISO 13485 requirements. Once you have the correct documents, look through them and learn about the requirements of the ISO 13485 standard. Getting familiar with these requirements will help the implementation process go more smoothly.
Step 2: Conduct A Gap Analysis
One of the most important steps when implementing ISO 13485 is performing a gap analysis. To conduct a gap analysis, or pre-audit, you asses your company's existing processes and compare them to the requirements of the standard you're seeking certification to. Doing so will reveal the gaps between your company's current system and the system you will need to establish to reach compliance.
The information you gather when performing your gap analysis will inform your ISO 13485 implementation plan. If the gaps you find are wider, reaching compliance will require more extensive changes. If they are smaller, the changes you have to make will be relatively minimal.
When performing a gap analysis, you will typically:
- Compare the requirements of ISO 13485 to your current QMS
- Document how your current system complies and does not comply with ISO 13485 requirements
- Based on the results of your gap analysis, determine what to include in your implementation plan
Once you complete a gap analysis, you typically produce a report that includes:
- The areas in which your company meets the standard's requirements
- The areas in which your company is not complying with the standard's requirements
- Recommendations of what to include in your implementation plan
Step 3: Develop An Implementation Plan
The next step is to start creating a plan to address the gaps you discovered through your gap analysis. This plan will lay out how you will implement ISO 13485 and should include clearly defined, quantifiable objectives with realistic deadlines.
Developing your plan will include designing your quality manual and policy, which involves examining your current processes and updating them as necessary to meet the standard's requirements. You will also need to establish methods for controlling the processes you create, including documentation.
Under the requirements of ISO 13485, there are certain procedures that must be part of your QMS. Note which items ISO 13485 focuses on and ensure they're part of your plan while keeping the unique needs of your organization in mind.
Part of developing your plan is defining its scope, as this will help you see what you need to do and what the boundaries of your implementation are. Properly defining your scope will help you avoid applying your QMS to parts of your business that don't relate to quality while also avoiding applying it too narrowly, which can limit its effectiveness. Your quality policy and manual will help you in defining your scope.
When creating your implementation plan, you should include details about each task you must complete to reach full compliance with ISO 13485. For every task, write down the relevant section of ISO 13485, who is responsible, the necessary documentation, the required approvals, the training required, the necessary resources and the expected completion date.
Your implementation plan should also include information about the costs of ISO 13485 certification and implementation. Also, include information about its benefits and the business case for ISO 13485 certification. This information will help you to account for the costs involved in implementation and certification and get buy-in from managers and employees across your organization.
Step 4: Design The Documentation
To effectively implement ISO 13485, you need to use documentation to control your processes. After you have created or modified the necessary processes, you will need to develop documentation for them. This documentation will help you to prove your compliance and will help guide your processes. You have some flexibility in how you design your documentation, and you don't necessarily have to document every process, but you need to ensure your documentation meets all ISO 13485 requirements.
It's often best to begin with the minimum requirements under ISO 13485, which include a quality manual and various documented procedures, and add further documentation as needed. Be sure to include all documentation requirements in your implementation plan.
Step 5: Provide Training
Another essential step to ISO 13485 implementation is providing the necessary employee training. Make sure all employees are aware that your organization is going to implement ISO 13485 far enough in advance that they can adequately prepare with minimal disruption to their daily work. Provide information to employees about how the implementation process will affect them, what their responsibilities are and how implementation will benefit them. Remembering to include information about the benefits can help to win buy-in.
All team members who will be part of the implementation process should receive the necessary training. Ensure employees have sufficient time to complete training and clear up any questions they may have before they need to take action to enable the implementation.
Step 6: Carry Out Your Plan
Next, you can start implementing your plan as you designed it. Of course, implementing ISO 13485 will look different for each company depending on its existing processes and the details of its implementation plan. Monitor the implementation process carefully, and if issues arise, make changes as needed. Just be sure to document all of the changes and inform the relevant employees of any adjustments. Operate your quality management system for several months, making adjustments as needed and documenting the process thoroughly.
Step 7: Perform Internal Audits and Reviews
Before you can undergo the third-party audits needed for certification, you must conduct internal audits and a management review. These processes will help you evaluate how your system is working and ensure it complies with the requirements within ISO 13485.
To conduct internal audits, create an internal ISO 13485 audit checklist and use it to thoroughly examine how your QMS is operating. Be sure to carefully document your findings. This documentation will provide evidence that your processes are working correctly and meeting the necessary requirements.
You also need to conduct a management review. During this review, management should evaluate data from your QMS processes and check that these processes have the resources they need to remain effective and continually improve.
Conducting these audits and reviews will help reveal areas in which your processes are not working adequately. You can then make changes to correct these issues before scheduling audits with a third-party certification body.
Step 8: Select A Certification Body
When you have completed the required audits and reviews and you believe your QMS is ready, you can start researching what third-party certification bodies you can work with. Explore the qualifications and experience of each option and choose one that has the necessary accreditations, experience with ISO 13485 and other medical device standards and strives to help you enhance your organization's processes through the audit. Selecting an auditor with the right characteristics can help the certification process go smoothly and maximize the value you get out of the audits.
Step 9: Complete The Third-Party Audit And Certification Process
Once you've selected the auditor you want to work with, you can begin undergoing third-party audits. Through the audit process, the certification body verifies that you meet the requirements of ISO 13485. If you pass the audits, you will become certified to ISO 13485.
To get started, fill out an application with the auditor you selected and give them information about your organization, the standard you're aiming to be certified to and other relevant details about your implementation process. At NQA, we have a quick quote form and a formal quote request form you can use to submit your application. With the information you provide us with, we define the scope of the audits and put together a certification proposal.
Once you agree to the proposal, you can get started with the assessment phase, provided that you have operated your QMS for at least three months and have completed a full cycle of internal audits as well as a management review. The initial certification audit includes two visits from an auditor.
During the first visit, the auditor will conduct the stage one assessment, which verifies that your organization is ready for the full assessment. The stage one assessment includes a documentation review held at your management system center.
During this first assessment, the auditor will:
- Confirm that the details your organization submitted in its application process are accurate
- Verify that your QMS meets the requirements of ISO 13485
- Check that your QMS has been running for at least three months
- Confirm the scope of your certification
- Verify legislative compliance
At the end of this assessment, the auditor will provide you with a report that describes any non-compliance or potential improvements found during the visit. If significant issues are found, you must create a corrective action plan. If your QMS passes the audit, you can schedule your next assessment visit.
During the next visit, the auditor will complete the stage two audit, which verifies whether your QMS meets the full requirements of ISO 13458. This audit includes all of the locations that fall under the scope of your certification.
When completing this assessment, the auditor will do the following:
- Document whether your QMS complies with the requirements of ISO 13485 using objective evidence
- Take sample audits of the relevant processes and activities
- Visit any remote sites and other additional locations to assess how the QMS operates off-site
- Document any areas of non-compliance and potential improvements
If the audit reveals any substantial non-conformances, your organization will need to take corrective action, which an auditor must verify, before issuing the certification. If the necessary corrective action doesn't occur within six months, you'll need to complete another stage two assessment before you can receive certification.
If you pass the stage two audit, the certification body will issue a certification that is valid for three years.
Step 10: Maintain Your Certification
To maintain your certification during the three-year certification cycle, you must complete an annual surveillance audit. A surveillance audit is a partial audit that verifies your organization is maintaining compliance with the standard and making continual improvements to the QMS.
If your business changes during the certification cycle, such as by increasing or decreasing staff size or adding or removing locations, inform your certification body as soon as you can. Then, you can modify your QMS, the scope of your certification or other things as needed.
Work With NQA
Working with a reliable, helpful certification body is essential to successfully implementing ISO 13485. At NQA, we have extensive experience with medical device standards and have a network of experts who stay up to date with the industry and participate in standards writing. We've worked with numerous clients in the medical device industry, including Pac-Dent International, New England Biolabs, GESUS New England, RR Donnelley Banta Global and Tecomet.
In addition to ISO 13485 certification, we also offer certification services for other standards, including ISO 9001, ISO 45001 and ISO 4001, and provide online, classroom and in-house training.
At NQA, we believe that our clients deserve exceptional value for their money, so we aim to help you improve your organization through our audits. We offer competitive pricing and prioritize being responsive to our clients' needs. We have numerous accreditations and will work with you to help you find the right solution for you. To learn more, contact us or request a quote today.