ISO 13485: Medical Devices-Quality Management System

What is ISO 13485?

To give it it’s full title, BS EN ISO 13485:2016 Medical devices – Quality management systems – Requirements for regulatory purposes (ISO 13485) is an international standard detailing the requirements for a quality management system specific to the medical device industry.  

A medical device is a product, such as an instrument, software, machine, implant or in vitro reagent, that is intended for use in the diagnosis, prevention and treatment of diseases or other human-related medical conditions.

The Standard includes annexes showing the relationship between the clauses of the Standard and the requirements of the European medical devices regulations (EU MDR) and the In Vitro Diagnostic Regulation (IVDR).

Regulators in most countries require manufacturers to have implemented a quality management system (QMS).  ISO 13485 offers a framework by which an organisation can reliably provide safe and effective medical devices and meet customer and regulatory requirements.

With ISO 13485, there is a considerable focus on risk management, particularly around product realisation and post-market feedback.  There are further regulatory requirements required by the Standard including those for compliant handling, regulatory notifications and post-market surveillance.

Where did it come from?

ISO 13485 has been around in various iterations since 1996 and is broadly based on ISO 9001, the International Standard for Quality Management.  The Standard also contains cross-reference tables to ISO 9001:2015, and many organisations hold certifications to both ISO 9001 and ISO 13485.

Applicability of ISO 13485

ISO 13485 can be adopted by medical device manufacturers, those involved in the design, production, installation and servicing of medical devices and related services.  Organisations in the supply chain for medical devices including authorised representatives, importers, distributors, and conformity assessment bodies can also adopt the Standard.

Benefits of adopting ISO 13485

As with other ISO management system standards, certification to ISO 13485 is not a requirement of the Standard and organisations can benefit from implementing and conforming to the Standard without undergoing the certification process.  While ISO 13485 is not mandatory for MDR compliance, it provides a robust framework that ensures compliance and supports systems for the design, production, support and distribution of safe and effective medical devices.  As it is recognized internationally, this can facilitate market access and trading with organisations operating in different countries.

Organisations are able to utilise ISO 13485 as a framework for reviewing and improving processes and in doing so, increase efficiency, reduce costs and monitor supply chain performance.

As organisations are required to implement a risk management system with ISO 13485, this helps organisations identify and mitigate risks associated with the design, development, and production of medical devices.

ISO 13485 reflects the increased regulatory requirements for organisations across the medical device supply chain, for example:

• A greater emphasis on appropriate infrastructure, particularly in the production of sterile medical devices
• Alignment with regulatory requirements, in particular, regulatory documentation
• Increased focus on post-market activities
• Extension of the Standard’s application to include organisations that work with manufacturers, including those providing:
  - Design and development or repair and maintenance of medical devices
  - Raw materials, components or subassemblies
  - Services such as contract manufacture, sterilisation, logistics or calibration of measurement equipment
  - Importation or distribution of medical devices.
• Supplementary requirements for the design and development of medical devices, considering usability, use of standards, and planning for the verification, validation, transfer and records maintenance of the design and development activities
• Validation requirements for different software applications, such as management systems applications, process control software and tools for monitoring and measurement.

Structure

ISO 13485 is derived from the internationally recognised and accepted ISO 9000 quality management standard series.

• Clause 4 – Quality management system - general requirements (including applicable regulatory requirements), documentation requirements, including for a medical device file
• Clause 5 – Management responsibility, management commitment, customer focus, quality policy, planning (objectives, QMS planning), responsibility, authority and communication, including requirements for an appointed management representative, management review
• Clause 6 – Resource management – resources, human resources, infrastructure, including maintenance requirements.  Work environment and contamination control
• Clause 7 Product realisation – planning, customer-related processes, design and development, purchasing, production and service provision, including specific requirements for sterilisation where this is applicable.  The validation of processes for production and service provision and traceability, including specific requirements for implantable devices, monitoring and measuring equipment
• Clause 8 – Measurement, analysis and improvement, including feedback, complaint handling, reporting to regulatory authorities, internal audit, and the monitoring and measurement of processes and products.  Control of nonconforming products, pre and post-delivery and rework.  Analysis of data, improvement, including corrective and preventive action (CAPA).

Dependencies / links

In the UK alone, there are many device-specific EN (European), ISO (international) or EN ISO designated standards, examples include:

• ISO 14971 - Medical devices - Application of risk management to medical devices.  Aligned to ISO 31000 - Risk management – Guidelines.  ISO 14971 is explicitly referred to in ISO 13485.
• IEC 62304 - Medical device software - Software life cycle processes.  The processes, activities, and tasks described in this Standard provide a common framework for medical device software life cycle processes.

Additional requirements are also defined in:

• EU MDR - Medical Device Regulation 2017/745 EU regulatory affairs
• UK MDR 2002 - The Medical Devices Regulations 2002
• UK MDR 2023 - The Medical Devices (Amendment) (Great Britain) Regulations 2023.  This amends The Medical Devices Regulations 2002
• US FDA 21 CFR Part 820 - a requirement for companies entering the United States market.  Amendments proposed in 2022 aim to align requirements for a QMS with ISO 13485.

Audit / integrated audit

An ISO 13485 aligned QMS can be audited as a standalone management system, or as part of an integrated programme due to the shared use of the common high-level Annex SL structure.  This facilitates management system integration not only with ISO 9001, but also standards such as ISO 27001 (information security) and ISO 14001 (environmental).

Audits may also include coverage of the EU MDR using ISO 13485 and the alignment detailed in annexes ZA-ZC, and the additional compliance requirements detailed by the EU MDR.

How URM can help

If your organisation is looking to conform to or achieve certification to ISO 13485:2016 – the International Standard for Quality Management for Medical Devices (ISO 13485), URM can assist with all aspects of implementation and maintenance of your medical device quality management system.  If you are at an early stage in the implementation process, one of URM’s SMEs can conduct a gap analysis through interviews and documentation review to determine the maturity and adequacy of your medical device quality framework and what is needed in order to meet the requirements of the Standard.  Following the gap analysis, URM can provide tailored support through any of the ‘Plan, Do, Check, Act’ lifecycle stages, assisting with activities such as scoping your management system, conducting risk assessments and treatment, developing processes and policies, through to auditing and management reviews.

Whilst ISO 13485 is a standalone management system, it can be integrated with other management systems, most notably ISO 9001 and ISO 27001 and it is in the area of management system integration where URM’s experience and proficiency are highly valued.