Overview of ISO 13485 – Medical Device QMS Requirements

This article was originally published by SeerPharma's business partner MasterControl and is republished here with their permission.

Some medical devices are as complex as a remote, personalized heart failure sensor. Others are as simple as a tongue depressor. But all medical devices have one thing in common: they benefit immensely from being designed and manufactured in alignment with ISO 13485. The ISO 13485 international standard is the world’s most widely used means of measuring the effectiveness of a medical device manufacturer’s quality management system (QMS).

ISO 13485 Overview

The aim of this article is to answer frequently asked questions about ISO 13485 manufacturing and the related regulatory requirements that apply to medical device companies’ use of QMS.

What is ISO 13485?

ISO 13485 is the most common medical device QMS regulatory standard in the world. It is focused on maintaining QMS effectiveness and meeting regulatory and customer requirements. Since different countries often have different standards, ISO 13485 is intended to provide a globally harmonized model of QMS requirements for international markets.

The guidelines for maintaining effective quality management processes outlined in ISO 13485 are all geared toward the safe design, manufacture and distribution of effective medical devices. In addition to being a regulatory requirement, an ISO 13485-compliant QMS makes good business sense because it helps device manufacturers minimize variation. This in turn provides economic benefits in the form of reduced scrap and general process efficiencies.

In Which Regions is ISO 13485 Applicable?

For most medical devices, compliance to ISO 13485 is required by all European Union members, Canada, Japan, Australia and many other nations. The standard applies to all 165 member countries of the International Organization for Standardization (ISO).(1)

How is ISO 13485 Different From ISO 9001?

ISO 13485 is a stand-alone document, but it was based on and is directly related to ISO 9001, the world’s leading quality management standard. Although both are in the same QMS family of standards, ISO 9001 is a general set of requirements that necessitates greater focus on continual improvement and customer satisfaction. Although these are critical concerns for all manufacturers, they pose unique challenges for medical device makers because they tend to be too subjective and are therefore difficult to measure.

Rather than requiring medical device companies to meet the potentially subjective aspects of the ISO 9001 requirements, ISO 13485 is targeted toward meeting metrics that more accurately gauge quality performance. These include metrics related to meeting customer requirements and maintaining the effectiveness of the QMS.

ISO 13485 differs from ISO 9001 in two other significant ways:

• It places more emphasis on risk management.
• It outlines additional requirements for documented procedures.

Device manufacturers can obtain certifications to both standards but may opt not to do so based on the intent of the two standards. Additionally, while the two standards were once more harmonized, variations in their formats have occurred since ISO 9001 was restructured in 2015. If conformance to both standards is necessary, the company must plan strategies for meeting each set of requirements.

How Does ISO 13485 Relate to the FDA’s QSR?

For device manufacturers eyeing American markets, the requirements of ISO 13485 standard can often seem blurred with those set forth in the 21 CFR Part 820 – Quality System Regulation (QSR). The QSR, also commonly called Current Good Manufacturing Practice (CGMP) regulations, was established and is maintained by the U.S. Food and Drug Administration (FDA).

The FDA is in the process of harmonizing U.S. quality system requirements with ISO 13485, and plans to issue a notice of proposed rulemaking in October 2020. For the time being, separate guidance remains in effect.(2) Until the QSR’s shift to ISO 13485 requirements is fully completed, compliance with the QSR is required for manufacturers planning to distribute medical devices in the U.S. Additionally, if a device maker based in the U.S. wishes to market its products internationally, it must comply with both the QSR and ISO 13485 manufacturing standards.

The QSR is structured differently than ISO 13485 but they have no conflicting requirements. And because the QSR is a regulation, it is often more specific than ISO 13485. For instance, the QSR has more detailed requirements in the areas of complaint handling and reporting requirements. Therefore, conformity to ISO 13485 does not sufficiently demonstrate to the FDA that a manufacturer is in full compliance with the QSR.

There is plenty of overlap between the two sets of guidelines, however, and it’s estimated that the majority of medical device manufacturers comply with both.(3) Accordingly, there are many reasons for device manufacturers to seek a QMS that helps them meet both sets of requirements.

How Do the Different Medical Device Quality Management System Requirements for Regulatory Compare?

The reasons for the differences between ISO 13485, ISO 9001 and the QSR are best understood by examining the motivation for establishing each set of guidelines.

• Objective of ISO 13485: To set universal requirements QMS that is capable of consistently meeting customer requirements, including regulatory requirements, for a medical device product.
• Objective of ISO 9001: To set requirements for a voluntary, generic QMS that is capable of meeting customer and regulatory requirements and enhancing customer satisfaction through continual improvement and other related processes.
• Objective of the QSR (CGMP): To set requirements for a QMS that is capable of consistently producing safe and effective medical devices to be distributed in U.S. markets.

What Changed When ISO 13485 Was Recently Updated?

The third and most current edition of the standard was published by ISO in 2016.(4) Since the March 2019 expiration of the three-year grace period that followed the unveiling of ISO 13485:2016, device companies have been required to be in full compliance with current standards.

While there are many minor revisions within the updated standard, the most widespread and prominent change is the increased emphasis on risk. The 2016 edition places an expectation on device manufacturers to apply a risk-based approach to controlling QMS processes. It specifies a greater consideration of risk as it applies to a variety of critical areas, including:

• Supplier and outsourcing controls.
• Training of personnel commensurate with the risks inherent in the processes they perform.
• Software validation.
• Monitoring, testing and traceability.
• Management of corrective and preventive actions (CAPA).
• Documentation of risk management in product realization.

The updates to ISO 13485 make risk management an explicit part of executive decision-making as it affects a device manufacturer’s business and quality objectives.

Who Enforces ISO 13485?

ISO establishes and maintains standards, but it is not an enforcement agency. Certification to the standard is evaluated by third party agencies. Once an organization has established a QMS it believes is in alignment with the standard, an independent certification body or registrar audits the performance of the QMS against the latest version of the ISO 13485 requirements. The certification body must be a member of the International Accreditation Forum (IAF) in order to grant valid certification and should employ the relevant certification standards established by ISO’s Committee on Conformity Assessment (CASCO).(5)

When an organization passes an ISO 13485 audit, the authorized certification body issues a certificate demonstrating that the organization is registered to the standard for a three-year period. Manufacturers must be recertified every three years to maintain certification status.

How is ISO 13485 Structured?

The ISO 13485 standard is organized into the following eight sections

1. Scope: Describes the purpose and use of the standard.
2. Normative References: Provides introductory information and confirms common nomenclature.
3. Terms and Definitions: Defines and frames the terminology used throughout the standard.
4. Quality Management System: Outlines the general and documentation requirements of a medical device manufacturer’s QMS. Makes explicit that a quality manual must be written and adhered to. Specifies the requirements for controlling documents and records. Document control includes reviewing and approving of documents before use, controlling changes and ensuring that current versions of controlled documents are available where needed for use. Requirements for control of records include maintaining their integrity and establishing procedures for how long documents and records are maintained.
5. Management Responsibility: Requires management involvement at the level of the person who makes policy and financial decisions. Establishes that the quality policy and objectives, support and oversight of the QMS and provision of resources are the direct responsibility of upper management. This includes quality planning and ensuring that the quality policy is understood at every level of the organization.
6. Resource Management: Requires management to provide the assurance of adequate facilities such as space, tools and equipment, including computer systems. For instance, the building environment must fit the devices being made (e.g., cleanrooms must be used where necessary). Buildings, tools and equipment must be sufficiently maintained to enable production of devices that meet all their requirements. Additionally, the QMS must include processes that ensure all required maintenance activities are performed.
7. Product Realization: Covers everything that is required to realize a product, from planning to creating (designing and manufacturing) to implementing and supporting a medical device. This section of the standard includes information that has the greatest impact on the day-to-day activities of company personnel. It defines all aspects of product design and development and their respective controls. The criteria for risk management (assessment, analysis and reduction) are also outlined.
8. Measurement, Analysis and Improvement: Provides instruction on incorporating feedback and other related information that will enable management to sustain the effectiveness of the QMS, including:
   • Customer complaints and adverse events handling.
   • Internal audits.
   • Monitoring and measurement of processes.
   • Monitoring and measurement of products, including nonconformances.
   • CAPA.
   • Data analysis.

To learn more about how the latest version of the ISO 13485 standard may affect your company, you can start watching the first installment of the three-part “ISO 13485:2016: Getting Ready for Changes” video series here.

References

1. ISO Members, ISO website.
2. “US FDA 2020 agenda includes ISO 13485 harmonization, De Novo classification scheme,” Emergo blog, July 21, 2020.
3. “cGMP and ISO 13485 Integrated Quality Management System,” by Mark Kaganov, Quality Works, 2019.
4. ICS>03>03.100>03.100.70: ISO 13485:2016 – Medical devices – Quality management systems – Requirements for regulatory purposes, ISO website.
5. Certification & Conformity, ISO website.

Click here to learn about typical business process workflows MasterControl can automate.

You may also be interested in the following related posts:

• Digital Tools to Streamline Supplier Management Processes
• How Digital Production Records Can Build Quality Into Production
• How Cloud Migration Has Become More Seamless for Regulated Companies
• How Digitization can Help Life Sciences Manufacturers Amplify Lean Principles
• On the Road to More Efficient Manufacturing: A Digital Solution
• Your Map to Quality Manufacturing