ISO 13485 Quality Management Systems for Medical Devices

In this article, we give an overview of standard ISO 13485 on quality management systems (QMS) for medical devices: when a certification is needed, what the requirements are, and how it compares with MDSAP.

Replaces the version of 16.06.2020

Key Takeaways:

  • ISO 13485 certification of the QMS is a regulatory requirement in some countries. And compliance with the EU’s harmonized version provides presumption of conformity with the QMS requirements for CE marking under the EU MDR and IVDR.
  • It is a common misconception that only medical device manufacturers need ISO 13485 certification of their QMS. In certain situations, distributors and importers also need certification, and so do sterilizers of procedure packs.
  • The Medical Device Single Audit Program (MDSAP) includes the requirements of ISO 13485 as well as additional requirements from the participating regulatory authorities. Although not recognized by the EU, for now, it reduces the number of QMS audits and can be an efficient approach for manufacturers aiming at device approvals in various jurisdictions.

What is ISO 13485 standard?

ISO 13485, Medical devices – Quality management systems – Requirements for regulatory purposes, is a stand-alone standard published by the International Organization for Standardization (ISO) that provides requirements for quality management systems (QMS) of companies involved in the medical device industry.

This standard is based on the internationally recognized ISO 9001 QMS standard (which is not specific to any industry or type of product) and incorporates additional elements relevant to medical device processes.

Although ISO 13485 only covers QMS requirements and does not define medical device quality, some countries require ISO 13485 certification to support medical device regulatory approval. Conversely, ISO 9001 is not required to support medical device regulatory approval in any country.

ISO 13485 is meant to help medical device companies (primarily medical device manufacturers) set up a QMS that demonstrates consistent design, development, production, storage, distribution, installation, servicing, final decommissioning, and/or disposal of medical devices, as well as design and development, or provision of associated activities (e.g. technical support).

The current version of the standard is ISO 13485:2016. It can be purchased from the ISO website for its international version, or from a national standardization organization (e.g. SNV in Switzerland) for the recognized version in a given jurisdiction, which usually results in somewhat adapted requirements.

What is a Quality Management System (QMS)?

A QMS is a formal set of internal rules documenting the quality policy, process structure and their sequence, roles and responsibilities, procedures, work instructions, and forms/templates that govern how a company addresses the applicable customer and regulatory requirements.

QMS standards like ISO 9001 and ISO 13485 are based on a process approach to quality management. Any activity that receives input and converts it to output is considered to be a process. The deployment of a matrix of interrelated processes, and their management to produce the desired outcome, constitutes the process approach.

A QMS has to be built upon documented evidence, based on the principle that if an activity/process is not documented, it did not happen, and, thus, proof of compliance cannot be made available to auditing organizations or competent authorities.

If properly designed, written procedures, work instructions, forms and templates help companies work consistently, and maintain process know-how dissociated from individuals, who might come and go. This does not mean that resources should be spent in writing lengthy documents that no one reads; it would defeat the purpose. To be effective, a QMS needs to be comprehensive yet lean. The scope and extent of the QMS should in all cases be appropriate to the company’s activities and proportionate to the risk for the product or service delivered.

The QMS must be continuously maintained and regularly updated, in consideration of changes to applicable standards or regulatory requirements, changes in company organization, processes or products, as well as to changes stemming from the required QMS continuous improvement.

Who needs QMS certification under ISO 13485?

ISO 13485 is intended for any organization partially or fully involved in the medical device life-cycle, and the requirements of this standard apply to organizations regardless of their size and type, except where explicitly stated.

If any process described in ISO 13485 or affecting its requirements (e.g. packaging, servicing) is outsourced by a company holding an ISO-13485-compliant QMS, such company needs to ensure the control over the outsourced processes. To that end, written quality agreements with detailed roles and responsibilities for all relevant activities outsourced need to be established with the subcontractor (whether this is another company or an individual).

A company could choose to develop a QMS in alignment with ISO 13485 without seeking certification by an accredited body. In practice, given the sizable effort to set up a compliant medical device QMS, obtaining recognition of compliance through ISO 13485 certification should be the final objective as it represents a significant advantage to meet customer and regulatory requirements.

It is important to understand that ISO 13485 certification is a regulatory requirement in some countries, either as prerequisite for medical device regulatory approval or for certain actors in the supply chain. Overall, ISO 13485 certification of a medical device manufacturer is expected in most countries.

Specifically, for companies active in the markets of European Union (EU) member states or European Free Trade Association (EFTA) states (whether or not based in the EU/EFTA), the following actors should have a QMS certified under the European version of ISO 13485:

  • Medical device “manufacturers”, within the meaning of Regulations EU No. 2017/745 on medical devices (EU MDR) or 2017/746 on in-vitro diagnostics devices (EU IVDR), incl. manufacturers of products listed in EU MDR Annex XVI (i.e. those not primarily intended for medical purposes)
  • Medical device developers, incl. software as medical device
  • Medical device contract manufacturers
  • Manufacturers of medical device parts or components that significantly change the performance, safety or intended purpose of the device (i.e. those that could be viewed as medical devices, per EU MDR Article 23 and EU IVDR Article 20)
  • Service providers for medical device installation, servicing, or maintenance
  • EU/EFTA distributors or importers that undertake activities corresponding to “manufacturer” obligations, per EU MDR/IVDR Article 16(1), i.e. making a medical device available under their own name/trademark, changing the intended purpose of a CE-marked device, or modifying a CE-marked device.

Other particular cases are:

  • EU/EFTA distributors or importers of medical devices that undertake translations of instructions for use or repackaging under certain conditions should obtain a certificate from a Notified Body attesting that their QMS complies with the requirements in EU MDR Article 16(3). According to guidance document MDCG 2021-23 on this certification, ISO 13485 is not a prerequisite, although it might seem the logical standard to follow. For more information, read our blog article on distributors of medical devices.
  • Companies or individuals combining CE-marked devices with other devices or products in systems or procedure packs, per EU MDR Article 22(1), must ensure that their activities are subject to appropriate methods of internal monitoring, verification and validation. Nevertheless, there is no specific obligation to have an ISO-13485-certified QMS. Conversely, companies or individuals sterilizing medical device systems or procedure packs are subject to certification regarding the sterilization activities.

It is important to understand that ISO 13485 certification is a regulatory requirement in some countries, either as prerequisite for medical device regulatory approval or for certain establishments in the medical device supply chain.

What countries require ISO 13485 certification?

Many countries that base their medical device regulations on the International Medical Device Regulatory Forum (IMDRF) recommendations rely on QMS compliance with ISO 13485 in their medical device requirements. Some jurisdictions have made ISO 13485 certification mandatory as the means to demonstrate conformity of a medical device QMS.

For example:

EU & EFTA countries (CE-marking)

ISO 13485 certification is not mandatory for medical device CE marking, but the European Commission has recognized this standard under the EU MDR and the IVDR as what is known as a Harmonised Standard. The list of standards harmonized for a given regulation is available from the EU Commission’s Harmonised Standards webpage.

Compliance with EN ISO 13485 as Harmonised Standard provides presumption of conformity with the basic QMS requirements for CE marking under the EU MDR and IVDR. According to European rules on standardization, the following countries are bound to implement the European version of the standard, EN ISO 13485, in its current version:

Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey, United Kingdom

Canada

The Canadian Medical Device Regulations (SOR 98-282) require QMS certification under the Canadian version CAN/CSA-ISO 13485:2016, Medical devices — Quality management systems — Requirements for regulatory purposes. Moreover, since January 2019, all manufacturers of class II, III, and IV medical devices sold in Canada are required to transition to the Medical Device Single Audit Program (MDSAP) (find more information on MDSAP below).

Japan

The Japanese Ministerial Ordinance on standards for manufacturing control and quality control for medical devices and in-vitro diagnostics devices (MHLW MO 169) aligned the requirements for manufacturer’s QMS with ISO 13485, with some country-specific variants.

USA

The US Food & Drug Administration (FDA) has issued a Quality Management System Regulations (QMSR) Final Rule to align with ISO 13485:2016 requirements. It will become effective on February 2nd, 2026.
This does not mean that compliance with ISO 13485:2016 fully satisfies the requirements in the QMSR but this final rule introduces harmonized terminology in common areas between both systems, thus making alignment easier, particularly for manufacturers already familiar with or operating under ISO 13485.

What is the relationship between ISO 13485 and MDSAP?

The Medical Device Single Audit Program (MDSAP) is an initiative led by the medical device competent authorities of Australia, Brazil, Canada, Japan, and the USA, in which a single audit of a medical device manufacturer’s QMS, conducted by an accredited Auditing Organization (AO), is accepted by multiple jurisdictions.

This program, intended for medical device manufacturers only, reduces the number of regulatory audits and inspections as the MDSAP audit report is recognized as follows:

Australia

The Therapeutic Goods Administration (TGA) uses MDSAP reports as part of the evidence in evaluating compliance with the Australian Conformity Assessment procedure, except for medical devices that contain pharmaceuticals or materials of human/animal origin.

Brazil

The Brazilian National Health Surveillance Agency (ANVISA) uses MDSAP reports/certificates as input into its pre-market and post-market assessment.

Canada

Since January 2019, Health Canada only accepts MDSAP certificates for class II, III and IV medical device manufacturers. This date was chosen to align with the transition of ISO 13485:2003 to ISO 13485:2016.

Japan

Japan’s Ministry of Health, Labor and Welfare (MHLW) and Pharmaceuticals and Medical Devices Agency (PMDA) use MDSAP audit reports to exempt foreign manufacturers from inspections, except for medical devices that contain materials of human/animal origin.

USA

The US Food and Drug Administration (FDA) accepts MDSAP audit reports as a substitute for FDA routine inspections of manufacturers (i.e. not for initial inspections or inspections stemming from an incident).

Additional jurisdictions (i.e. Argentina, South Korea) are joining the program as affiliates, i.e. while not being full members, they can use the MDSAP reports/certificates in their national regulatory processes. And the European Union, acting until now as observer in MDSAP, has expressed its interest in joining the program for QMS surveillance audits.

The audit criteria of the MDSAP program include, at a minimum, the requirements of ISO 13485 as well as additional requirements of the participating regulatory authorities, as applicable to the markets where the manufacturer intends to sell its medical devices.

What does ISO 13485:2016 require?

QMS standards are based on the Plan-Do-Check-Act cycle, i.e. the iterative sequence of planning the QMS activities, deploying them, verifying their effectiveness, and taking corrective actions as needed, in order to ensure continuous improvement within the processes. 

In addition, in its current version, ISO 13485:2016 introduces a risk-based approach to the control of processes, and to determine the extent of certain QMS activities in proportion to the associated risks. Risk management is a fundamental requirement for medical devices and it is reinforced under ISO 13485:2016. No standard is cross-referenced for this approach, but companies could rely on the methods and processes described in the related ISO 14971 standard on risk management for medical devices. ISO 14971 provides the requirements to implement risk management systems throughout the entire life cycle of the medical devices. 

ISO 13485:2016 is structured in eight sections, where the first three are generic (scope, normative references, and terms/definitions) and sections 4 through 8 provide the actual QMS requirements:

Section 4 – Quality Management System

This section presents the general QMS expectations and requirements, including documentation. It includes the requirements for the Quality Manual, the Medical Device File, and the control of documents and records.

Section 5 – Management Responsibility

Management responsibility requirements include top management’s commitment to the implementation and maintenance of the QMS and its focus on customer and regulatory requirements. This section also covers the quality policy, QMS planning and periodic management reviews, as well as responsibilities and authorities (incl. the role of the management representative) and internal communication.

Section 6 – Resource Management

Resource management encompasses the provision and control of adequate resources for the intended activities, including personnel, infrastructure, and work environment.

Section 7 – Product Realization

Product realization concerns all aspects of the supply chain of a medical device or related service, as applicable to the company. Any subchapters corresponding to activities that do not apply can be excluded from the QMS.

This extensive section includes requirements on realization planning, product requirements, design & development, purchasing, production, service provision, and control of any monitoring and measuring equipment. 

Section 8 – Measurement, Analysis and Improvement

Measurement, analysis and improvement activities are necessary to ensure that the QMS remains effective. This section includes production and post-production feedback, complaint handling (incl. any mandatory reporting to regulatory authorities), internal audits, monitoring and measuring products and processes, control of nonconforming products, analysis of data collected by appropriate methods, and QMS improvement via corrective and preventive actions (CAPA).

How can Decomplix help

Decomplix offers consulting services in all regulatory and quality assurance issues related to medical devices and IVDs. Contact us if you have any questions about an effective QMS. We have in-house experts and a network of first-class partners.

You can find out more about Decomplix’s services here. If you need further information, please do not hesitate to contact us.
