ISO 13485: Medical Devices - Quality Management System Explained

Stuart Moran | Senior Consultant at URM | Published on 13 Dec 2024

When manufacturing medical devices, patient safety depends heavily on the quality and consistency of the products, so the effectiveness, control and maintenance of an organisation's quality management system (QMS) is critical to customers, patients, stakeholders and regulatory bodies alike.  ISO 13485 was developed to give organisations guidance and support on the regulatory requirements for medical device quality management systems and on the manufacture of safe and effective medical devices.

National and international regulatory requirements are increasingly rigorous throughout a product’s lifecycle, including design, development, service and delivery.  Organisations are expected to demonstrate quality management processes and ensure best practice across all activities, and this is where ISO 13485 plays a vital role.

In this blog, Stuart Moran, Senior Consultant at URM, provides a detailed explanation of ISO 13485, what it is, which organisations it’s applicable to, the relationship between the Standard and regulatory frameworks, and more.  This blog is based on a 2024 webinar 'ISO 13485: What, Why and How', which was delivered by URM and BSI, the UK’s national standards body.  Stuart was joined at the webinar by Lisa Dargan (Director at URM) and Damon Williams, Sales Manager, Medical Devices - UK & Ireland (BSI) where the discussion focused on how organisations can implement and certify to the Standard.

What is ISO 13485?

ISO 13485 is, in many ways, similar to ISO 9001, the International Standard for quality management systems.  However, instead of providing a framework for implementing a QMS in any sector (as ISO 9001 does), ISO 13485 defines the requirements specifically for a medical device QMS (MDQMS) that meets regulatory requirements, and regulators in most countries require medical device manufacturers to have such a QMS in place.  The medical device industry is, naturally, a highly regulated sector with patient safety at its centre.  Organisations within it therefore need to ensure the consistent design, development, production, storage, distribution, installation, servicing and disposal of the products and services they provide, and ISO 13485 is the 'gold standard' for demonstrating this safety and consistency.

ISO 13485 Regulatory Dependencies/Links

ISO 13485 is linked to numerous other standards and regulations.  The Standard includes annexes showing the relationship between its clauses and the requirements of the EU Medical Device Regulation (EU MDR) and the In Vitro Diagnostic Regulation (IVDR).  In the UK alone, manufacturers must also consider many device-specific EN (European), ISO (international) or EN ISO designated standards, for example:

  • ISO 14971 - Medical devices - Application of risk management to medical devices.  Aligned to ISO 31000 - Risk management - Guidelines.  ISO 14971 is explicitly referenced in ISO 13485.
  • IEC 62304 - Medical device software - Software life cycle processes.  The processes, activities and tasks described in this Standard provide a common framework for medical device software life cycle processes, and it is the standard a software-based device will typically be assessed against alongside ISO 13485.

Additional requirements are also defined in:

  • EU MDR - Regulation (EU) 2017/745 on medical devices
  • UK MDR 2002 - The Medical Devices Regulations 2002
  • UK MDR 2023 - The Medical Devices (Amendment) (Great Britain) Regulations 2023, which amends The Medical Devices Regulations 2002
  • US FDA 21 CFR Part 820 (the Quality System Regulation) - a requirement for companies entering the United States market.  Amendments proposed in 2022 align its QMS requirements with ISO 13485 (more on this below).

Under the UK and EU MDRs, manufacturers of medical devices are required to have a QMS in place for the products and services they provide, and ISO 13485 specifies the requirements for a QMS that meets the standard set out in the Regulations.  So, whilst ISO 13485 certification is not itself mandatory for MDR compliance, it provides a framework for addressing a large number of MDR requirements and is therefore among the most straightforward and effective means of doing so.  Certification to ISO 13485 will also help you generate the evidence needed to demonstrate compliance with the relevant regulations.

ISO 13485 and the USA

US-based medical device manufacturers and suppliers/service providers have, historically, looked to ISO 13485 only if they wanted to operate in the EU market.  However, in February 2024, the US Food and Drug Administration (FDA) published a final rule aligning its regulatory requirements for the manufacture of medical devices, Title 21 of the Code of Federal Regulations Part 820 (21 CFR Part 820), with ISO 13485.  The aligned rule takes effect in 2026, so uptake of ISO 13485 in the US is set to increase significantly in the coming years.

Understanding the Applicability of ISO 13485

There are a few categories of manufacturers and service providers to which ISO 13485 can apply.  The first, and perhaps the most obvious, is medical device manufacturers.  If your organisation makes a medical device and intends to bring it to market (particularly in the UK or EU), you will need to implement and maintain a QMS of at least the same standard as an ISO 13485-conformant MDQMS in order to comply with the EU MDR.

ISO 13485 is also useful, and sometimes required, if you supply products/parts or provide services to medical device manufacturers, such as components used in medical devices, sterilisation services, assembly of devices, or even translation of instructions for use.  Unlike the manufacturers themselves, medical device suppliers and service providers are not bound by regulation to maintain an ISO 13485-conformant or equivalent MDQMS.  However, when a medical device manufacturer certifies to ISO 13485, it will be asked about its critical suppliers.  If you are one of these critical suppliers, you will either need to be ISO 13485 certified or, if you do not hold an ISO 13485 certificate, you may need to be audited for quality assurance by the manufacturer's certification body (CB) on the manufacturer's behalf.  Certification to ISO 13485 therefore often makes suppliers/service providers a more attractive prospect to manufacturers and provides a competitive advantage, as manufacturers will not have to pay for audits of certified suppliers.

Distributors and importers of medical devices can also benefit from ISO 13485 certification.  The 2017 EU MDR added new requirements for distributors and importers regarding the provision of information, complaints management and so on, and certifying to ISO 13485 is often the most straightforward way of satisfying these requirements.

Classification of devices

Medical devices are subject to different levels of regulation depending on the 'class' they fall into, which is dictated by the level of risk associated with the device.

From a regulatory perspective, Class I devices can generally be self-certified by the manufacturer (the exceptions being Class I devices that are sterile, have a measuring function or are reusable surgical instruments).  Devices in Class IIa and above require conformity assessment by a notified body (or, in Great Britain, a UK approved body), and therefore benefit significantly from ISO 13485 certification.

There are some discrepancies here between the EU and UK versions of the MDR.  Under the UK regulation, software, for example, is generally included in Class I.  Under the EU MDR, however, software is typically classified as Class IIa or higher.  As such, URM has seen an increasing number of organisations (particularly providers of medical software) requiring certification to the Standard in recent years as they look to expand into EU markets, since they fall within scope of ISO 13485 if they want to provide medical devices to patients in the EU.

Manufacturers supplying only UK patients should not assume they can ignore the more recent requirements defined by the EU MDR.  Whilst the UK regulation currently lags behind that of the EU, the UK Conformity Assessed (UKCA) marking regime is due to be updated in the coming years and will almost certainly move closer to the EU MDR, and products such as medical software are very likely to become Class IIa or higher, as they already are in the EU.

The Benefits of ISO 13485

As ISO 13485 certification is recognised worldwide, it is a significant help with regulatory approvals and assists with market entry and access across the globe, facilitating trade with organisations worldwide.  ISO 13485 also drives customer confidence: if your organisation manufactures Class I products and does not need to certify against the Standard, holding ISO 13485 certification can still give potential customers greater assurance of your product's quality and safety than competitors that are not certified.

However, as discussed above, the key benefit of ISO 13485 is that it helps ensure compliance with the various regulatory frameworks, making it easier to navigate complex legal requirements.  The Standard reflects the increased regulatory requirements placed on organisations across the medical device supply chain, such as:

  • A greater emphasis on appropriate infrastructure, particularly in the production of sterile medical devices
  • Alignment with regulatory requirements, in particular, regulatory documentation
  • Increased focus on post-market activities
  • Extension of the Standard’s application to include organisations that work with manufacturers, including those providing:
    • Design and development or repair and maintenance of medical devices
    • Raw materials, components or subassemblies
    • Services such as contract manufacture, sterilisation, logistics or calibration of measurement equipment
    • Importation or distribution of medical devices
  • Supplementary requirements for the design and development of medical devices, considering usability, use of standards, and planning for the verification, validation, transfer and records maintenance of the design and development activities
  • Validation requirements for different software applications, such as management systems applications, process control software and tools for monitoring and measurement.

However, the value of ISO 13485 is not just in the implementation, or in holding certification to tick the ISO 13485 box; it will help your organisation on a day-to-day basis and in managing the organisation as it scales.  With its focus on risk management, process control and customer satisfaction, ISO 13485 improves effectiveness and product quality, providing a means of capturing and sharing best practice throughout your organisation and so leading to better and safer products.  It enhances efficiency by creating a structure for performing processes consistently to yield more consistent results, contributing to a reduction in scrap and waste, and provides a vehicle for making and communicating changes and supporting their implementation.  It also sets out a systematic way to investigate and resolve issues and to drive continuous improvement.

When to Implement ISO 13485?

Given the complexity of ISO 13485, it is always beneficial to introduce the Standard as early as possible.  It is much more straightforward to implement ISO 13485 in a small organisation and let the Standard grow with you than to introduce it later, once the organisation has increased in size and complexity or is in a period of rapid growth, at which point ISO 13485 will be much more difficult (and more expensive) to introduce.  If you know your organisation will benefit from ISO 13485, or will need to comply with the regulatory requirements it addresses, it is better to have your MDQMS in place at the earliest opportunity.

The Structure of ISO 13485

ISO 13485 is derived from the internationally recognised and accepted ISO 9000 series of quality management standards.  The current edition, ISO 13485:2016, retains the clause 4 to 8 structure of ISO 9001:2008 rather than the Annex SL high-level structure adopted by ISO 9001:2015:

  • Clause 4 - Quality management system: general requirements (including applicable regulatory requirements) and documentation requirements, including for a medical device file
  • Clause 5 - Management responsibility: management commitment, customer focus, quality policy, planning (objectives and QMS planning), responsibility, authority and communication (including the requirement for an appointed management representative), and management review
  • Clause 6 - Resource management: provision of resources, human resources, infrastructure (including maintenance requirements), work environment and contamination control
  • Clause 7 - Product realisation: planning, customer-related processes, design and development, purchasing, production and service provision (including specific requirements for sterilisation where applicable), validation of processes for production and service provision, traceability (including specific requirements for implantable devices), and control of monitoring and measuring equipment
  • Clause 8 - Measurement, analysis and improvement: feedback, complaint handling, reporting to regulatory authorities, internal audit, monitoring and measurement of processes and products, control of nonconforming product (pre- and post-delivery, and rework), analysis of data, and improvement, including corrective and preventive action (CAPA)

ISO 13485 Audit/Integrated Audit

An ISO 13485-aligned QMS can be audited as a standalone management system or as part of an integrated audit programme alongside ISO 9001, ISO 27001 (information security) and ISO 14001 (environmental).  One caveat: ISO 13485:2016 does not use the Annex SL high-level structure shared by ISO 9001:2015, ISO 27001 and ISO 14001; it keeps the clause 4 to 8 layout of ISO 9001:2008.  Integration therefore relies on mapping ISO 13485's clauses onto the Annex SL clauses (context, leadership, planning, support, operation, performance evaluation and improvement) rather than on an identical structure, and an integrated audit plan should make that mapping explicit.

Audits may also cover the EU MDR, using ISO 13485 together with the alignment set out in annexes ZA-ZC and the additional compliance requirements detailed in the EU MDR itself.

Closing Thoughts

If you manufacture medical devices, or supply, import or distribute for organisations that do, and you meet the relevant risk criteria, you will almost certainly need to implement an MDQMS and/or undergo some form of quality assurance audit in order to operate in most countries.  ISO 13485 enables you to meet these quality assurance requirements whilst also providing significant benefits to your organisation: it will not only improve your access to different markets but also help you improve efficiency and effectiveness within the organisation.

How URM Can Help

If your organisation is looking to conform to ISO 13485 or achieve ISO 13485 certification, URM can assist with all aspects of implementing and maintaining your medical device quality management system.  If you are at an early stage in the implementation process, one of URM's subject matter experts can conduct a gap analysis through interviews and documentation review to determine the maturity and adequacy of your medical device quality framework and what is needed to meet the requirements of the Standard.  Following the gap analysis, URM can provide tailored support through any of the 'Plan, Do, Check, Act' lifecycle stages, assisting with activities such as scoping your management system, conducting risk assessments and treatment, and developing processes and policies, through to auditing and management reviews.

Whilst ISO 13485 is a standalone management system standard, it can be integrated with other management systems, most notably ISO 9001 and ISO 27001, and it is in the area of management system integration that URM's experience and proficiency are particularly valued.

Stuart Moran
Senior Consultant at URM
Stuart is a highly experienced integrated management systems, governance and compliance practitioner with particular expertise in information security, quality, environmental, health & safety and data protection. He is a Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Chartered Quality Professional, a Member of the CQI, IOSH and ISACA.