To truly succeed at regulatory compliance and become a player in national and international markets, organizations must invest in implementing leading quality, safety, and regulatory standards such as ISO 13485.
The more your organization becomes familiar with internationally agreed-upon standards and the process of creating compliant quality management systems (QMSs), the easier it will be to receive certifications and conduct business with industry leaders.
The ISO 13485 standard is designed to improve the safety and reliability of medical devices, but that’s not all it does. Once your organization develops a thorough understanding of ISO 13485, it can be used as a jumping-off point to explore other types of global safety certifications, leading to more opportunities to expand your business goals and work internationally.
Expansion isn’t the only benefit to understanding standards like ISO 13485. Organizations that fall out of compliance risk making their manufacturing process not only more expensive but longer and filled with ongoing frustrations. If implemented correctly, ISO 13485 can increase efficiency and cut costs.
What is ISO 13485?
So, what is ISO 13485? It’s a basic international quality management standard designed to increase the safety and reliability of medical devices throughout their life cycles. Within this standard, organizations can branch off and expand, add more structure, or include other standards like 14971 for risk.
Like all ISO standards, ISO 13485 is reviewed every five years to determine if it requires revisions. The most recent version was published in 2016. It’s essential to understand the basics of the standard and how it applies to small and medium-sized manufacturers.
Who is ISO 13485 For?
The primary audience for the ISO 13485 standard is manufacturers of medical devices, including those who will import or export medical devices. Even if they’re supporting a manufacturer of medical devices, they need to have ISO 13485.
ISO 13485 is a stepping stone for global expansion. Once your organization has adapted 13485, this sets a solid foundation, allowing further expansion into global certification, such as the Medical Device Single Audit Program (MDSAP), which is based on 13485 with the regulatory compliance for five countries included.
What is a Medical Device?
A medical device is any product or software intended for use within the medical field. Although they are a type of medical device, ISO 13485 does not cover IVDs (in vitro diagnostics), which are any devices that have to do with the testing of bodily fluids, like allergen tests or COVID tests. Medical devices must be classified correctly in order to apply the appropriate regulations. There are a variety of risk-based classifications out there.
- FDA-specific classifications fall into classes 1, 2, and 3, with 1 being the lowest risk.
- The European Union (EU) has its own set of classes. They align in a similar way to the FDA, but if they aren’t evaluated correctly, they can quickly deviate and lead to a product or device being classified as higher risk than it actually is.
Once a classification is established for a product or device, it’s a challenge to reclassify.
What is a Quality Management System (QMS)?
A quality management system (QMS) is a set of documented policies, processes, and procedures used to control manufacturing execution, safety, and quality. Manufacturers should design QMSs that help them certify standards like ISO 13485, and accommodate the long-term goals of their organizations.
A QMS is ultimately about creating a system that is repeatable, measurable, and constantly improving. Any certifiable QMS requires four elements:
- Quality Manual: A top-level document that describes how a system fits together and controls the configuration
- Procedures: Documentation that describes the processes an organization follows
- Work Instructions: Documentation that describes how the organization follows the procedures in practice
- Forms: Records of how procedures were actually done
The Requirements and Structure of 13485
ISO 13485 specifies requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements. Such organizations can be involved in one or more stages of the life cycle including design and development, production, storage, and/or distribution.
The requirements of ISO 13485 apply to any organization, regardless of size and type. The only exception is those expressly excluded. Conditions that apply to medical devices must also apply to any associated services supplied by that company.
The current ISO 13485 structure is divided into eight sections. Three are introductory, while the last five are mandatory requirements for your quality management system. To meet the requirements for certification, Clauses 4-8 must be followed, and all their specifications met.
Clause 1: Scope
This examines the standard in detail and shows how it applies to an organization. It also covers the importance of the regulatory process.
Clause 2: Normative Reference
This clause references that ISO 9000:2015 should be used alongside the standard.
Clause 3: Terms and Definitions
This section gives all relevant definitions, many of which are additional to ISO 9001:2008, including:
- Active Implantable Medical Device
- Active Medical Device
- Advisory Notice
- Customer Complaint
- Implantable Medical Device
- Medical Device
- Sterile Medical Device
Clause 4: Quality Management System
This clause covers general and documentation requirements.
Clause 5: Responsibility Management
Management must demonstrate their commitment to the standard by showing they can be held responsible for all operations within their organization.
Clause 6: Resource Management
Company management is responsible for ensuring that their quality management system is compliant with ISO 13485 while adhering to all local regulatory requirements. This clause specifies the available resources to support the work being promised by the organization. These can include:
- Success Planning
- Risk Aversion
Clause 7: Product Realization
The journey from conceptualization to implementation is long and requires that organizations develop a process for documenting design, verification, development, and validation. They must also monitor every part of the process to ensure specific requirements are being fulfilled and the product is realized correctly.
Clause 8: Measurement, Analysis, and Improvement
Once a product has been manufactured and is ready for general use, this clause details an organization's responsibility to ensure customer satisfaction. This also includes the development of a procedure for effective monitoring and feedback.
Benefits of Being an ISO 13485 Certified Manufacturer
There are many benefits to being an ISO 13485 certified manufacturer. They include:
- Demonstrating compliance with regulatory and legal requirements
- Ensuring the establishment of QMS practices that consistently yield safe and effective medical devices
- Managing risk effectively
- Improving processes and efficiencies as necessary
- Gaining a competitive advantage
- Providing a cleaner environment for products with less foreign object debris (FOD)
How to Become ISO 13485 Certified
While it may look intimidating, becoming ISO 13485 certified is a worthwhile step for any growing business. We recommend starting with these six steps.
1. Understand the Standard’s Requirements
Once you’ve decided that ISO 13485 is the right choice for your business, the first step in the journey towards certification is taking the time to learn all the relevant requirements. Typically, this begins with reading the most up-to-date standard along with supporting documentation. These will come in handy as you create your implementation plan.
Once you have the correct documents, read them thoroughly and learn about all of the requirements of the ISO 13485 standard. The more you can familiarize yourself with these requirements, the easier the implementation process will be to develop and follow.
2. Conduct a Gap Analysis and Revise Your Processes
One of the most important steps on the journey to implementing ISO 13485 is conducting a gap analysis — also known as a pre-audit. This stage helps a company assess their existing processes and compare them to the requirements of whatever standard they’re seeking certification in. This pre-audit stage helps to show the gaps between your current system and what you need to change in order to receive your certification. A gap analysis also helps offer more accurate information about what needs to happen during your implementation plan.
Any gap analysis, regardless of industry, will have a few common goals:
- Comparing the requirements of ISO 13485 to your current QMS
- Documenting how your current system measures up
- Providing information that will help shape your implementation plan
As you start to shape your implementation plan, this will include designing your quality manual and policy, and establishing methods for controlling the processes you create (including any relevant documentation).
3. Interface with Process Owners to Create Work Instructions
Once processes have been improved or developed, the next step is producing work instructions. To do that, leadership must interface with the process owners to learn how the system works. Instead of reinventing the wheel, try to capture the blueprint.
4. Conduct an Internal Audit with a Consultant or a Pre-Audit with a Notified Body (NB)
A consultant can come in to conduct an internal audit and provide management with the results. One of the most valuable parts of this audit is the consultant’s gap analysis, where a consultant will ask questions and identify areas that need further evidence of compliance that may have been missed by internal team members.
You can also apply to get a pre-audit from a notified body (NB). This costs an additional few thousand dollars but can save time. However, you don’t need a pre-audit if you work with a good consultant who can help you through this stage without the need for a separate auditor.
5. Bring in an NB to Conduct the Official Audits
Finally, your organization must send for a notified body to come in and do the actual certification. Due to the recent rollout of the European Union Medical Device Regulation (EU MDR), scheduling an audit right now may be difficult.
We recommend that you reach out to your NB to get on their schedule as soon as the draft of your quality system is complete.
6. Gain Certification
The final step! Once you’ve done everything listed above, you should be fully certified.
How CMTC Can Help SMMs with ISO 13485 Compliance
Poor product quality can significantly impact a manufacturer’s reputation and bottom line. In almost every case, the underlying cause of quality concerns can be traced back to the processes and procedures an SMM utilizes.
At CMTC, we have programs to help SMMs with everything from training, consulting, and compliance related to ISO 13485. CMTC’s team of qualified consultants comprises diverse backgrounds and skillsets to provide the knowledge necessary to overcome almost any issue faced by California’s manufacturing community. CMTC also specializes in Production Effectiveness Solutions for both small and medium-sized manufacturers. We expand the reach of your Quality Department by helping you implement industry best practices in your factory.
Ready to get started bringing your organization into compliance? Get in touch with us today to learn more.
About the Author
Brian Olea has over 20 years of experience as a Quality Director and Quality Consultant in the medical and aerospace manufacturing industries. Brian has developed specialized training and implementation strategies that target Quality Management Systems for certification in the ISO9001, AS9100, ISO13485, MDSAP, and IVDD-IVDR industries with special emphasis on GAP completions in preparation for certifications. In addition, he has developed new procedures that simplify documentation processes and help small businesses stand out as quality leaders in their industries.