In an ever-shrinking world, the need for regulatory harmonization and quality assurance has become increasingly important. Consumers are becoming more educated about the safety and efficacy of medical devices. The inherent nature of these products has implications for the health and safety of the people who use them.

As the median age and the percentage of the population over 65 continues to grow, the need for medical devices will continue to increase. The medical device industry is expected to grow 4.6% through 2011, despite the worldwide financial crisis. ISO/IEC 13485: 2003 represents the management system requirements for companies that want to maintain compliance with medical device regulations. 13485 could be implemented by companies that manufacture everything from cotton swabs to pacemakers, contraceptives to examination tables or companies that provide related services, such as sterilization, packaging or labeling. Like other sector-specific standards, 13485 follows the structure and plan-do-check-act philosophy of ISO 9001: 2008. However, there are differences between these two standards.

Development and Oversight

The goal in developing 13485 was to create a management system standard that assists companies in meeting regulatory requirements for medical devices in whichever economy they choose to sell and manufacture their devices. In order to ensure that these management systems are audited in a way that meets the intent of global consistency, the Global Harmonization Task Force was developed to provide specific guidelines for certification bodies in how these assessments are to be conducted, from auditor training requirements to audit practice. Accreditation bodies and national governments enforce procedural oversight to registrars and notified bodies.

Registration to ISO 9001: 2008

Some sector-specific standards that use 9001 as the foundation for requirements allow the company to register both to the generic 9001 standard and its sector-specific relative. However, such is not the case with 13485 because the requirements associated with 9001 are not completely addressed in 13485. Annex B of the standard provides a clause-by-clause comparison of 9001 and 13485 as well as an explanation of why the wording is different. The result is that companies must register to each of these standards separately. Some of the 9001 requirements are recognized by 13485, and currently registered clients may be able to perform an upgrade audit of reduced time.

Some core differences between 13485 and 9001 follow.

1. Maintenance vs. Improvement
One of the core principles of 9001 is that a certified company must continually improve the effectiveness of its management system. These improvements can relate to processes, products or services that the company provides to its customers. In the regulatory world of medical devices, however, improvements, though well intended, can affect the safety and effectiveness of the product or services provided by the company. So, rather than require that companies continually improve, 13485 requires maintenance of the effectiveness of the quality management system’s processes. Consequently, continual improvement efforts may be limited to those areas in the management system that do not pose a significant risk to product or process safety and effectiveness.

2. Customer Satisfaction vs. Customer Feedback
Another core principle of 9001 is the requirement that certified companies must monitor customer perception and subsequently use the results to improve the system. For 13485, this requirement is replaced by the obligation to monitor whether a company has met customer requirements. There is a difference between achieving customer satisfaction and meeting customer requirements. For example, while a customer may not be satisfied because a medical device causes discomfort, the device may still be effective and safe; the emphasis in 13485 is on safety and effectiveness.

Customer perception in 9001 focuses on customer satisfaction from the customer’s point of view. It is not enough to use the absence of customer complaints as evidence of customer satisfaction; customer perception requires an organization to actively seek the customer satisfaction levels.

3. Exclusions
Section 1.2 of 13485, Application, states that a company may justifiably exclude the requirements for design and development if a regulatory requirement allows for it, regardless of whether or not the company engages in such activities. As always, a company needs to be careful how they define an exclusion. Even though the company may not have primary responsibility, it still may have activities that impact the excluded requirements. Auditors will test companies to ensure exclusions are justified.

4. Risk Management
Given the nature of the product being manufactured or service being provided, 13485 requires that companies calculate, analyze and mitigate the risks associated with the product and processes. This is not unlike the requirement in the automotive sector for companies to conduct failure mode and effects analysis (FMEAs) and develop preventive measures to prevent undesirable results. Additional guidance can be found in ISO 14971: 2007 – Application of Risk Management to Medical Devices.

5. Additional Requirements
As is the case for other sector-specific standards, 13485 has additional requirements that go beyond its 9001 foundation. Many of these requirements call for the development of additional documents and documented procedures. Additional requirements include:

  • Documenting procedures for design and development; purchasing; servicing; validation of the application of computer software and sterilization processes; identification of returned goods; traceability; control of product with a limited shelf life or requiring special storage conditions; monitoring and measurement of product, customer feedback and rework; and issuance and implementation of advisory notices, for example, as in the case of a product recall.

  • Conducting formal risk analysis in product and service planning.

  • Addressing additional controls for cleanliness of product and contamination control, work environment, and document and record control.

  • Documenting requirements for installation, service and sterilization activities and processes as well as active implantable and implantable medical devices, risk management, maintenance activities, cleanliness and installation.

    While a company seeking dual certification does not have to necessarily maintain two sets of quality management system documentation-one for 9001 and one for 13485-the company must identify and implement the unique requirements in each standard. To ease the initiative to develop a 13485-conformant system, the standard contains Annex B, which allows one to compare the requirements of 13485 with those of 9001.


  • Who Needs 13485?

    With all of this being considered, one may wonder if pursuing 13485 certification is the right decision. The following are some common questions and answers to help with this decision.

    Who can be certified to 13485?
    If an organization designs or manufactures medical devices, raw materials or provides services related to medical devices-for example, sterilization, installation, labeling, technical publication-it can be certified to 13485.

    Must a medical device manufacturer become certified?
    Part of the answer lies in what is required by the regulatory agencies of the countries in which devices are sold. For certain types of devices, companies must have their quality management system certified to 13485 to legally sell or market devices in Canada and the countries of the European Union, for example. It also can help companies in obtaining the product certification CE mark for their devices.

    Companies considering 13485 certification need to understand the regulatory requirements of the countries in which product is to be sold. It also is important for companies to choose a service provider that is recognized in the market they intend to enter. For example, only certificates accredited under the Canadian Medical Devices Conformity Assessment System (CMDCAS) by the Standards Council of Canada will be recognized by Health Canada in applying for a medical device license. For EU member countries the service provider must be a notified body.

    What if a company has the capability of manufacturing components for medical devices or providing services to medical device companies?
    This is a strategic decision. If a company intends to diversify into medical devices, 13485 would be recommended. Many companies with an existing 9001-based system have little trouble adopting the requirements of 13485.

    Is there a deadline?
    There are no mandated deadlines. However, not having 13485 certification will prove to be a barrier when attempting to sell product in economies that require it.

    In today’s globalized world, the need for regulatory harmonization is greater than ever, particularly in the growing and highly regulated medical industry. Achieving 13485 certification will help manufacturers of medical devices and providers of medical services compete today-and may prove absolutely crucial in the future.Q

    Quality Online

    For more information on ISO/IEC 13485 and ISO 9001, visit www.qualitymag.com to read these articles:

    Tech Tips

  • 13485 represents the management system requirements for companies that want to maintain compliance with medical device regulations.

  • Like other sector-specific standards, 13485 uses the general 9001 standard as a foundation, but adds many additional requirements.

  • In certain countries, a medical device manufacturer must be certified to 13485 to legally sell product.