The ISO 13485 quality standard

Quality is the degree to which a set of inherent characteristics of an object fulfils requirements.

ISO 13485 is an international standard for quality management systems that comprehensively defines such requirements for organisations that develop, manufacture and distribute medical devices.

The main objectives of ISO 13485 include:

  • High product safety: The standard aims to ensure that medical devices meet high quality and safety standards.
  • Compliance with legal requirements: Companies must ensure that their products comply with applicable national and international regulations.
  • Quality management: The standard specifies requirements for an effective management system to ensure that standardised and reproducible processes are implemented for all areas of the life-cycle of a medical device.
  • Risk management: ISO 13485 requires the implementation of effective risk management to identify and mitigate potential risks associated with the development and manufacture of medical devices.
  • Customer satisfaction: By implementing the standard, manufacturers of medical devices should ensure that their customers are satisfied with the quality and performance of the medical devices supplied.

The certification of an implemented quality management system in accordance with ISO 13485 opens the door to international business opportunities beyond the European economic area, as it is accepted as a quality standard in many markets around the world and is a prerequisite for market access.

Implementing ISO 13485 successfully and efficiently requires satisfying numerous interdependent requirements within the standard itself, as well as their interaction with the requirements of additional applicable legal regulations, such as the European Medical Device Regulation (MDR) or the In Vitro Diagnostics Regulation (IVDR).

In the remainder of this article, we would like to explain some specific aspects of the standard to give you a more in-depth understanding of ISO 13485.

The scope of ISO 13485:2016

ISO 13485 is systematically structured as a sequence of topics from the areas of “general requirements for a QM system”, “management responsibility” and the life-cycle of a medical device, in which requirements of various kinds are described. These enable manufacturers to set up a complete quality management system that covers all phases of a medical device from development, production, storage, distribution, installation and servicing through to the final decommissioning and disposal of a product. In addition to (stand-alone) software and active medical devices, this also covers non-active medical technology, including implantable, sterile and reprocessable products.

The current version of ISO 13485 from 2016 also includes product requirements for the security of medical IT for the first time and regulates security precautions for the storage of patient-related data.

Before they can be legally placed on the market in the EU, medical devices must undergo conformity assessment procedures in accordance with the aforementioned MDR and IVDR regulations. In order to demonstrate compliance with the regulations in accordance with Article 10 and Annex I, a quality management system is required, among other things. EN ISO 13485 is best suited for this purpose.

Important new features in ISO 13485:2016 compared to previous versions are:

  • Risk-based approach:
    ISO 13485:2016 emphasises the concept of risk-based thinking. Organisations must demonstrate that they have integrated risk-based thinking into their processes and decisions, particularly in relation to product realisation.
  • Extended requirements for suppliers and outsourced processes:
    Greater control of suppliers and service providers is required. Organisations must ensure that their suppliers meet the same quality standards as themselves.
  • Clear requirements for software validation:
    ISO 13485:2016 contains more specific requirements for the validation of software used in conjunction with medical devices.
  • Medical device file:
    Documentation requirements for products are described and consolidated in a medical device file.
  • Greater emphasis on life-cycle management:
    The standard places greater emphasis on the management of the entire life-cycle of medical devices, from conception to disposal. This also includes the monitoring and control of changes during the product life-cycle.
  • Compliance with regulatory requirements:
    ISO 13485:2016 requires organisations to ensure that their quality management systems ensure compliance with regulatory requirements in the countries where their products are marketed.
  • Documented information:
    The terminology has been adapted and the term “documented information” is used instead of “documents” and “records”. This reflects a broader recognition of the different forms of documentation.

ISO 13485 versus ISO 9001

Initially, ISO 13485 was very strongly harmonised with ISO 9001. This alignment was partially lost in later versions of the standards, in particular because of a modified numbering convention for the high-level structure. Despite this, and although ISO 13485:2016 is an independent document, it is still identical to ISO 9001 in many parts.

Differences arise primarily from the different scopes of application. While ISO 13485 is specifically geared towards the medical device market and focuses on ensuring the quality and safety of medical devices, ISO 9001 is more general and can be applied to various industries.

ISO 13485 places particular emphasis on compliance with legal requirements and the high safety and effectiveness of medical devices, while ISO 9001 focuses on the fulfilment of customer requirements in general, without specific requirements for products in certain industries.

The emphasis on risk-based thinking, particularly in connection with product realisation and application safety, is an essential part of ISO 13485, which we will focus on in the remainder of this article. ISO 9001 also contains requirements relating to risk management, but without the specific focus on risks for users or in a medical context.

ISO 13485 defines specific requirements for the documentation of processes and decisions in order to demonstrate conformity with the requirements of the standard, while ISO 9001 merely emphasises the need for appropriate documentation but formulates the requirements in more general terms.

Relationship of ISO 13485 to QSR and MDSAP

The Quality System Regulation (QSR) and the Medical Device Single Audit Program (MDSAP) are regulations that relate to quality management in the medical device industry.

While ISO 13485 is an international standard, the QSR was developed specifically for the US. Companies that manufacture and distribute medical devices in the US must comply with the QSR in order to receive FDA approval. In other countries, ISO 13485 may be sufficient, although certain markets may have additional requirements.

The QSR often contains more detailed and specific requirements compared to ISO 13485. For example, the QSR places more emphasis on design controls and production process control. On 02 February 2024, planned changes to the QSR were published as part of the Medical Device Current Good Manufacturing Practices (CGMP). The associated final rule of the new Quality Management System Regulation (QMSR) thus comes closer to ISO 13485:2016 through adjustments to the wording and various references. Its implementation will become mandatory on 02 February 2026. A fundamental adjustment of existing QM systems built to the “previous” 21 CFR Part 820 status will usually not be necessary for European manufacturers, as QSR and ISO 13485:2016 have long been very similar in terms of their implementation. More details will follow shortly here on our blog.

The MDSAP (Medical Device Single Audit Program) was developed by the IMDRF in order to harmonise the audit requirements of a group of economically significant international approval markets and to reduce the time and effort required for individual inspections by the authorities. The group of MDSAP countries currently consists of the USA, Canada, Brazil, Australia and Japan. ISO 13485 is an integral part of the MDSAP, supplemented by respective national requirements such as the QSR, the Brazilian RDC ANVISA 665/2022 or the Japanese Ministerial Ordinance No. 169. Efficiency is the goal: the MDSAP enables manufacturers to demonstrate compliance with the regulatory requirements of the participating countries through a single audit.

Nevertheless, there is flexibility in application: companies that are already certified to ISO 13485 can extend their audits to MDSAP in order to demonstrate conformity with the specific requirements of the countries involved. In the US, for example, the FDA accepts MDSAP as valid proof of implementation and compliance with the QSR. Companies can therefore sometimes use MDSAP as an alternative to separate FDA audits.

Dealing with integrated management systems

When integrating ISO 13485 into other, possibly already existing management systems, some important aspects must be taken into account:

ISO 13485 sets out specific requirements for documentation and records. When integrating into other management systems, organisations must ensure that these requirements are met.

ISO 13485 emphasises risk-based thinking. Its integration can help to promote coherent risk-based thinking throughout the organisation. In addition, the integration of management systems can lead to efficiency gains by reducing redundant processes and enabling a coherent approach to the fulfilment of different requirements.

When implementing integrated management systems, it is important to understand the specific requirements of each standard and ensure that all relevant aspects are integrated into the structure of the common system. Careful planning and documentation are crucial to fulfil the requirements of all standards involved.

Strong focus on risk in the QM system

Among the many changes in the revised ISO 13485:2016 standard, the risk-based approach is certainly one of the most significant in terms of patient and user safety, especially as this change affects all areas of the quality management system.

In ISO 13485:2003, risk management strictly speaking only referred to product realisation. At that time, risk management was only explicitly required for the design and development activities carried out by the manufacturer. Risk was such a small part of the standard that not even a formal definition was provided.

ISO 13485:2016, on the other hand, defines risks in broad agreement with ISO 14971 and also extends the term risk management as the systematic application of management policies, procedures and practices to the tasks of analysing, assessing, controlling and monitoring risks. This extends the application of risk management to a broader context. The standard also stipulates that processes that are required for quality management and are suitable for the risk-based approach must also utilise this approach.

On closer inspection, the standard explicitly requires a risk-based approach to

  • outsourced processes,
  • training effectiveness review,
  • supplier criteria and
  • purchased product review.

Manufacturers must also apply a risk-based approach to computer software used in the quality management system, production or service, and for measurement and monitoring. The standard specifies that one or more processes with a risk-based approach should be used during development and further expands the risk requirements for product realisation. With regard to risk, however, attention should not only be paid to the specific areas listed in the standard, but also to the general mission of quality management.

The stronger consideration of a risk-based approach is also evident in sections of the standard in which the term “risk” is not explicitly used. For example, more detailed requirements are specified when nonconforming material is discovered after delivery. This more instructive section aims to trigger immediate action if a manufacturer discovers a nonconforming product after delivery to a customer or end user. Similar changes throughout the standard are aimed at reducing risks to both end users and patients, as well as within the quality management system, especially with regard to compliance with legal requirements.

ISO 13485 and MDR (EU) Article 10

The application of ISO 13485:2016 or its harmonised European version EN ISO 13485:2021 does not automatically lead to compliance with the QM requirements from Article 10 of the MDR and IVDR. Manufacturers and other economic operators should definitely take this into account, as it represents a potential obstacle for the conformity assessment.

Although ISO 13485 is a comprehensive standard for a QMS for medical device manufacturers, the current MDR regulation contains requirements that go beyond the QMS, including detailed provisions on approval, labelling, clinical evaluation, post-market surveillance and other aspects specific to the regulation of medical devices in the EU.

ISO 13485 can serve as a basis for the fulfilment of certain MDR/IVDR requirements. However, ISO 13485 certification is not synonymous with fulfilment of all MDR and/or IVDR requirements relevant to the company or the product.

In practice, all companies that want to sell medical devices in the EU not only strive for a conformity assessment procedure in accordance with the MDR, but also underpin this in advance with an ISO 13485 certification in order to fulfil the regulatory requirements.

ISO 13485 is not the same as DIN EN ISO 13485

ISO 13485 and DIN EN ISO 13485 are essentially the same standard, but there are some differences in the way they are applied and cited.

ISO 13485 is the international standard for quality management systems for the manufacture of medical devices. “ISO” stands for the International Organization for Standardization, and the standard is created by the technical committee ISO/TC 210, which specialises in quality management for medical devices.

DIN EN ISO 13485 is the German version of ISO 13485. “DIN” stands for the German Institute for Standardisation, and the standard was adopted by this institute and translated into German. “EN” stands for European Standard, which indicates that DIN EN ISO 13485 is recognised not only in Germany, but also in other European countries.

ISO 13485 is an international standard that is recognised worldwide. DIN EN ISO 13485 is specific to Germany, although its application extends to all EU member states, as it is a harmonised standard within the framework of the European regulations for medical devices. In the international context outside of Europe, ISO 13485 or its respective national version is cited.

It is important to note that, regardless of the exact name, the requirements and provisions in both standards are essentially the same, but there may be specific national additions or adaptations. Companies can therefore choose to be certified to ISO 13485 or DIN EN ISO 13485, depending on their specific needs and geographical location.

Another (unintentional) difference lies in the content of the various language versions. Similar to other regulatory documents, translations have resulted in minor deviations in the versions, which must be taken into account accordingly. One example of this is the (missing) requirement for documented planning of management reviews.

Are you planning to set up your QM system in accordance with (DIN EN) ISO 13485? Or does your QM system urgently need some optimisation after many years of additions? Talk to us: we will provide you with competent support, risk-based and with the necessary detailed knowledge.

Please note that all details and listings do not claim to be complete, are without guarantee and are for information purposes only.