ISO 13485

Understanding ISO 13485

ISO 13485:2003 represents the requirements that medical device manufacturers must incorporate into their management systems. The current document supersedes its 1996 incarnation as well as EN 46001, EN 46002 and ISO 13488.

Though based on ISO 9001, 13485 removes 9001’s emphasis on continual improvement and customer satisfaction. In its place is an emphasis on meeting regulatory as well as customer requirements, risk management and maintaining effective processes, namely the processes specific to the safe design, manufacture and distribution of medical devices.

13485 is designed to produce a management system that facilitates compliance with the requirements of customers and, preeminently, various global regulators. While certification to 13485 does not fulfill the requirements of either the FDA or foreign regulators, it aligns an organization’s management system with the FDA’s Quality System Regulation (QSR) as well as many other regulatory requirements found throughout the world. Therefore, 13485 certification serves to create a management system that can be thought of as a framework on which to build compliance with various regulatory and customer requirements.

Christian Lupo, general manager of Ann Arbor, MI-based NSF International Strategic Registrations, states, “If the proper management system framework is in place, it should facilitate the identification and implementation of country-specific requirements for the management system of medical device manufacturers. ISO 13485 is not specific enough to contradict country-specific requirements, and should serve as a baseline management system for all.”

13485 dictates that risk management must be thoroughly documented and conducted throughout a product’s entire lifecycle, from initial concept to delivery and post-delivery. However, the standard leaves the specifics to a related standard, ISO 14971:2001, Application of Risk Management for Medical Devices. While 13485 states that a manufacturer’s management team is charged with the management of device-related risks and the development of risk management plans, 14971 defines a list of steps to be taken by management in order to fulfill risk-related requirements. While it is not mandatory that a manufacturer be 14971 certified in order to attain 13485 certification, being certified to the former standard can ease the attainment of certification to the latter.

“The fact that ISO 13485 counsels the application of ISO 14971 speaks to its importance for those seeking 13485 certification,” says Mairead Ridge, marketing associate for IBS America (Lexington, MA). “Compliance programs for both standards, when implemented together, can help manufacturers build an enterprise program for risk management and quality assurance.” Evidencing the consistent assessment and mitigation of risks throughout all stages of a product’s lifecycle is important for achieving certification to both 13485 and 14971.

Issues and Trends

The purpose of ISO 13485 certification is sometimes misunderstood. ISO 13485 certification does not fulfill the requirements of 9001, nor is it equivalent to, or able to take the place of, any country-specific requirement for medical device manufacturers. As previously mentioned, the standard is in part meant to serve as a means of creating a management system that aligns with the requirements of various regulators.

Phillip C. Dobyns, technical manager for Wayne, PA-based HSB Registration Services, elaborating on this idea, says, “The ISO 13485 accomplishes a harmonization by writing specific medical device requirements in a generic framework that allows any specific or unique needs of local regulation to be addressed.”

Medical device manufacturers also should realize the importance that risk management bears in a 13485 management system. “A lot of places typically look at risk management only at the design and development function and they don’t carry it through the entire lifecycle of the product or process,” says Nadia Perreault, medical device technical manager for National Quality Assurance USA (NQA, Acton, MA). “People think that it is just a little snippet in time during the design and development phase.”

While Perreault points out that medical device manufacturers are not giving risk management its due gravity in their management systems, IBS’ Ridge reports that the recognition of the need for thorough enterprise-wide risk management practices is growing. “Risk assessments have become a key activity that manufacturers perform throughout the product lifecycle, whether they are designing new products, choosing suppliers, inspecting finished goods or performing corrective actions based on customer complaints,” says Ridge. A combination of increased regulation and technological advances is forcing medical device manufacturers to couple their management systems with enterprise-wide risk management programs.

ISO 13485 is no longer thought of as pertaining solely to finished medical device manufacturers. Today, such manufacturers are requiring their sub-tier suppliers to also attain 13485 certification. Of this phenomenon, Arlen Chapman, quality systems director for NQA, notes, “Medical device manufacturers want to realize better products and better services. I see it more from the financial standpoint for them—for cost savings, making sure they have good suppliers that they’re communicating with them properly and managing them properly.” This is risk management enacted to establish supplier quality, as it is difficult for a manufacturer to single-handedly regulate the quality programs of its suppliers.
