Certification of a Quality Management System according to ISO 13485

In this article, we give an overview on the ISO 13485 standard, who needs it, what must be considered when certifying a QMS under it, and more. Read the introduction, definitions and requirements of EN ISO 13485:2016 below.

Contents:

What is ISO 13485 standard?

ISO 13485 is a stand-alone standard published by the International Organization for Standardization (ISO) that provides requirements for quality management systems (QMS) of companies involved in the medical device industry.

This standard is based on the internationally recognized ISO 9001 QMS standard (which is not specific to any industry or type of product) and incorporates additional elements relevant to medical device processes.

Although ISO 13485 only covers QMS requirements and does not define medical device quality, some countries require ISO 13485 certification to support medical device regulatory approval. Conversely, ISO 9001 is not required to support medical device regulatory approval in any country.

ISO 13485 is meant to help medical device companies (primarily medical device manufacturers) set up a QMS that demonstrates consistent design, development, production, storage, distribution, installation, servicing, final decommissioning, and/or disposal of medical devices, as well as design and development, or provision of associated activities (e.g. technical support).

The current version of the standard is ISO 13485:2016, Medical devices – Quality management systems – Requirements for regulatory purposes. It can be purchased from the ISO website for its international version, or from a national standardization organization (e.g. SNV in Switzerland) for the recognized version in a given jurisdiction.

What is a Quality Management System (QMS)?

A QMS is a formal set of internal rules documenting the process structure & sequence, roles & responsibilities, policies, procedures, work instructions, and forms/templates that govern how a company addresses the applicable customer and regulatory requirements.

QMS standards like ISO 9001 and ISO 13485 are based on a process approach to quality management. Any activity that receives input and converts it to output is considered to be a process. The deployment of a matrix of interrelated processes, and their management to produce the desired outcome, constitutes the process approach.

A QMS has to be built upon documented evidence, based on the principle that if an activity/process is not documented, it did not happen, and, thus, proof of compliance cannot be made available to auditing organizations or competent authorities.

If properly designed, written procedures, work instructions, forms and templates help companies work consistently, and maintain process know-how dissociated from individuals, who might come and go. This does not mean that resources should be spent in writing lengthy documents that no one reads; it would defeat the purpose. To be effective, a QMS needs to be comprehensive yet lean. The scope and extent of the QMS should in all cases be appropriate to the company’s activities and proportionate to the risk for the product or service delivered (contact us to get support on how to do that).

The QMS must be continuously maintained and regularly updated, in consideration of changes to applicable standards or regulatory requirements, changes in company organization, processes or products, as well as to changes stemming from the required QMS continuous improvement.

Who needs QMS certification under ISO 13485?

ISO 13485 is intended for any organization partially or fully involved in the medical device life-cycle, and the requirements of this standard apply to organizations regardless of their size and regardless of their type, except where explicitly stated.

If any process described in ISO 13485 or affecting its requirements (e.g. packaging, servicing) is outsourced by a company holding an ISO-13485-compliant QMS, such company needs to ensure the control over the outsourced processes. To that end, written quality agreements with detailed roles and responsibilities for all relevant activities outsourced need to be established with the subcontractor (whether this is another company or an individual).

ISO 13485 can also be used by suppliers or other external parties (such as contract manufacturers or distribtuors) providing products or services to medical device organizations. Implementation of an ISO-13485-compliant QMS by a supplier or external party may be a voluntary choice (e.g. for competitive advantage) or be mandated by the regulatory requirements in a given country, or be a contractual request from a customer.

A company could choose to develop a QMS in alignment with ISO 13485 without seeking certification by an accredited body. In practice, given the sizable effort to set up a compliant medical device QMS, obtaining recognition of compliance through ISO 13485 certification should be the final objective as it represents a significant advantage to meet customer and regulatory requirements.

It is important to understand that ISO 13485 certification is a regulatory requirement in some countries, either as prerequisite for medical device regulatory approval or for certain establishments in the medical device supply chain. Overall, ISO 13485 certification of a medical device manufacturer is expected in most countries.

Specifically, for companies active in the markets of European Union (EU) member states or European Free Trade Agreement (EFTA) states (whether or not based in EU/EFTA), the following activities should have a QMS certified under ISO 13485:2016:

  • Medical device “manufacturers”, within the meaning of Regulations EU No. 2017/745 on medical devices (EU MDR) or 2017/746 on in-vitro diagnostics devices (EU IVDR), incl. manufacturers of products listed in EU MDR Annex XVI (i.e. those not primarily intended for medical purposes)
  • Medical device developers, incl. software as medical device)
  • Medical device contract manufacturers
  • Manufacturers of medical device parts or components that significantly change the performance, safety or intended purpose of the device (i.e. those that could be viewed as medical devices, per EU MDR Article 23 and EU IVDR Article 20)
  • Service providers for medical device installation, servicing, or maintenance
  • EU/EFTA distributors or importers that undertake activities corresponding to “manufacturer” obligations, per EU MDR/IVDR Article 16(1), i.e. making a medical device available under their own name/trademark, changing the intended purpose of a CE-marked device, or modifying a CE-marked device.

Other particular cases in this region are:

  • EU/EFTA distributors or importers of medical devices that undertake translations of instructions for use or repackaging under certain conditions, should obtain a certificate by a Notified Body attesting that their QMS complies with the requirements in EU MDR Article 16(3). Although ISO 13485 might seem the logical standard to follow, there is no official position on this aspect yet.
  • Companies or individuals combining CE-marked devices with other devices or products in systems or procedure packs, per EU MDR Article 22(1), must ensure that their activities are subject to appropriate methods of internal monitoring, verification and validation. Nevertheless, there is no specific obligation to have an ISO-13485-certified QMS. Conversely, companies or individuals sterilizing medical device systems or procedure packs are subject to certification regarding the sterilization activities.

    It is important to understand that ISO 13485 certification is a regulatory requirement in some countries, either as prerequisite for medical device regulatory approval or for certain establishments in the medical device supply chain.

What countries require ISO 13485 certification?

Many countries who develop their medical device regulations based on the International Medical Device Regulatory Forum (IMDRF) recommendations, rely on QMS compliance with ISO 13485 in their medical device requirements.

Some jurisdictions have made ISO 13485 certification mandatory as the means to demonstrate conformity of medical device QMS. For example:

EU & EFTA countries (CE-marking):

ISO 13485 certification is not mandatory for medical device CE marking either but the European Commission recognized the standard as a harmonized under the former EU medical device Directives, i.e. AIMDD, MDD, and IVDD. As such, compliance with EN ISO 13485:2016 provides presumption of conformity with the basic QMS requirements for CE marking under the AIMDD, MDD and IVDD. According to European rules on standardization, the following countries are bound to implement the European version of the standard, EN ISO 13485:2016:

 

Austria

Finland

Latvia

Romania

Belgium

France

Lithuania

Slovakia

Bulgaria

Germany

Luxembourg

Slovenia

Croatia

Greece

Malta

Spain

Cyprus

Hungary

Netherlands

Sweden

Czech Republic

Iceland

Norway

Switzerland

Denmark

Ireland

Poland

Turkey

Estonia

Italy

Portugal

United Kingdom

Because ISO 13485:2016 is not harmonized standard under the new EU MDR/IVDR, compliance with this standard would not be regarded as presumption of conformity with the QMS requirements in the new EU Regulations on medical devices and in-vitro diagnostic devices. Although, ISO 13485:2016 does not cover all the medical device QMS requirements of the EU MDR/IVDR, it is only a matter of time until harmonization is achieved and it is therefore recommended to maintain EN ISO 13485:2016 as the guiding principles of a medical device QMS for EU/EFTA.

Canada:

The Canadian Medical Device Regulations (SOR 98-282) require QMS certification under the Canadian version CAN/CSA-ISO 13485:2016, Medical devices — Quality management systems — Requirements for regulatory purposes. Moreover, since January 2019, all manufacturers of class II, III, and IV medical devices sold in Canada are required to transition to the Medical Device Single Audit Program (MDSAP) (find more information on MDSAP below).

Japan:

The Japanese Ministerial Ordinance on standards for manufacturing control and quality control for medical devices and in-vitro diagnostics devices (MHLW MO 169) aligned the requirements for manufacturer’s QMS with ISO 13485, with some country-specific variants.

Malaysia:

The Malaysian Medical Device Regulations 2012 require an ISO-13485-compliant QMS for medical device manufacturers.

Saudi Arabia:

In April 2019, the Saudi Food & Drug Authority (SFDA) published a guidance document (MDS-35) to help medical device manufacturers implement ISO 13485:2016 in their QMS. In January 2020, the SFDA took a step further, adopting into a new guidance document (MDS-45), the Asian Harmonization Working Party’s AHWP/WG7/F001:2016 document on ISO 13485:2016 conformity for medical device distributors, importers, and local authorized representatives.

Singapore:

Like Malaysia, Singapore requires an ISO-13485-compliant QMS for medical device manufacturers per the Health Products (Medical Device) Regulations 2010.

USA:

Although not yet implemented, the US Food & Drug Administration (FDA) has issued a proposed rule to harmonize US Quality System Regulations (21CFR820) with ISO 13485 and make ISO 13485 mandatory.

Other jurisdictions have indirectly endorsed ISO 13485 as the QMS model for meeting their regulatory requirements on medical device manufacturing. Amongst them:

Australia:

Although not mandatory, Australia formally recognized ISO 13485, as a standard for medical device manufacturers. As a result, a QMS that complies with the recognized standard is treated as complying with the relevant parts of the conformity assessment procedures for QMS in the Therapeutic Goods (Medical Devices) Regulation 2002.

What is the relationship between ISO 13485 and MDSAP?

The Medical Device Single Audit Program (MDSAP) is an initiative led by the medical device competent authorities of Australia, Brazil, Canada, Japan, and USA, where a single audit of a medical device manufacturer’s QMS conducted by an accredited Auditing Organization (AO) is accepted by multiple jurisdictions.

This program, intended for medical device manufacturers only, reduces the number of regulatory audits and inspections as the MDSAP audit report is recognized as follows:

Australia: The Therapeutics Goods Administration (TGA) uses MDSAP reports as part of the evidence in evaluating compliance with the Australian Conformity Assessment procedure, except for medical devices that contain pharmaceuticals or materials of human/animal origin.

Brazil: The Brazilian National Health Surveillance Agency (ANVISA) uses MDSAP reports/certificates as input into its pre-market and post-market assessment.

Canada: Since January 2019, Health Canada only accepts MDSAP certificates for class II, III and IV medical device manufacturers. This date was chosen to align with the transition of ISO 13485:2003 to ISO 13485:2016.

Japan: Japan’s Ministry of Health, Labor and Welfare (MHLW) Pharmaceuticals and Medical Devices Agency (PMDA) uses MDSAP audit reports to exempt foreign manufacturers from inspections, except for medical devices that contain materials of human/animal origin.

USA: The US Food and Drug Administration (FDA) accepts MDSAP audit reports as a substitute for FDA routine inspections of manufacturers (i.e. not for initial inspections or inspections stemming from an incident).

Additional jurisdictions (i.e. Argentina, South Korea) are joining the program as affiliates, i.e. while not being full members, they can use the MDSAP reports/certificates in their national regulatory processes. And the European Union, acting until now as observer in MDSAP, has expressed its interest in joining the program for QMS surveillance audits.

The audit criteria of the MDSAP program include, at a minimum, the requirements of ISO 13485:2016 as well as additional requirements of the participating regulatory authorities, as applicable to the markets where the manufacturer intends to sell its medical devices.

What does ISO 13485:2016 require?

QMS standards are based on the Plan-Do-Check-Act cycle, i.e. the iterative sequence of planning the QMS activities, deploying them, verifying their effectiveness, and taking corrective actions as needed, in order to ensure continuous improvement within the processes. 

In addition, in its current version, ISO 13485:2016 introduces a risk-based approach to the control of processes, and to determine the extent of certain QMS activities in proportion to the associated risks. Risk management is a fundamental requirement for medical devices and it is reinforced under ISO 13485:2016. No standard is cross-referenced for this approach, but companies could rely on the methods and processes described in the related ISO 14971 standard on risk management for medical devices. ISO 14971 provides the requirements to implement risk management systems throughout the entire life cycle of the medical devices. 

ISO 13485:2016 is structured in eight sections, where the first three are generic (scope, normative references, and terms/definitions) and sections 4 through 8 provide the actual QMS requirements:

Section 4 – Quality Management System:

The QMS expectations and requirements, including documentation are generally presented. It includes the requirements for the Quality Manual, Medical Device File, and the control of documents and records.

Section 5 – Management Responsibility:

Management responsibility requirements include top management commitment to the implementation and maintenance of the QMS, their focus on customer and regulatory requirements. This section also discusses the quality policy, the QMS planning and periodic management reviews as well as the responsibilities and authorities (incl. the role of the management representative), and internal communication.

Section 6 – Resource Management:

Resource management encompasses the provision and control of adequate resources for the intended activities, including personnel, infrastructure, and work environment.

Section 7 – Product Realization:

Product realization concerns all aspects of the supply chain of a medical device or related service, as applicable to the company. Any subchapters corresponding to activities that do not apply can be excluded from the QMS.

This extensive section includes requirements on realization planning, product requirements, design & development, purchasing, production, service provision, and control of any monitoring and measuring equipment. 

Section 8 – Measurement, Analysis and Improvement:

Measurement, analysis and improvement activities are necessary to ensure that the QMS remains effective. This section includes production and post-production feedback, complaint handling (incl. any mandatory reporting to regulatory authorities), internal audits, monitoring and measuring products and processes, control of nonconforming products, analysis of data collected by appropriate methods, and QMS improvement via corrective and preventive actions (CAPA).

 

The next article in our blog series gives practical guidance and explains the process of setting up a Quality Management System with the ISO 13485 standard, also describing the costs involved.

More articles