Peter Marriott  |  08/30/2008

ISO 13485--Just the Facts, Please

This quality management system standard for the medical device industry is the DNA for repeatable and continuous improvement.

In the field of medical products, devices, and components, regulatory requirements and customer expectations are demanding. Throughout the world, manufacturers and their suppliers are expected to comply with the highest standards and regulations.

ISO 13485--”Medical devices--Quality management systems--Requirements for regulatory purposes” is the standard for organizations engaged in the manufacture of medical devices. According to the most recent survey by the International Organization for Standardization ( ), there were a total of 8,175 current ISO 13485 registrations across 82 countries in 2006. Approximately 30 percent of all ISO 13485 registrations were issued in the United States, compared to only 6 to 7 percent of all ISO 9001 and ISO 14001 registrations. According to the survey, the 2006 total represents an increase of 3,110 (61%) compared to 2005, when there were 5,065 registrations across 67 countries and economies. Other major markets include Europe, Japan, Canada, Sweden, and Israel.

Although being registered does not fulfill the requirements of the various industry regulators, such as the U.S. Food and Drug Administration (FDA), ISO 13485 is now commonly used as the basis of regulatory requirements. The standard is an essential consideration not only for exporters but for the local market, global suppliers, and subcontractors to prove that their products are of the highest quality.

“It’s the foundation to set the quality system against,” says Brad Amundson, regulatory services manager for SGS Systems and Services Certification North America of Rutherford, New Jersey. “Depending on where a company’s markets are around the world, they want to have this quality system in place, because after laying the foundation they have to put in the regulatory requirements for each particular country where they want to sell medical devices.”

The 2003 version of the standard supersedes earlier documents such as EN 46001 and EN 46002 (both published in 1997), the previous version of ISO 13485, and ISO 13488 (both first published in 1996). The standard is intended to be used by an organization that needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements.

Registration against the standard from an appropriately approved body is now a direct requirement for some markets (e.g., Australia and Taiwan), an indirect requirement for others (e.g., Europe), or it can form the basis of good manufacturing practice (GMP) compliance in the United States. The standard is also an important part of maintaining the quality of the supply chain.

“If a company is a component manufacturer, then they want ISO 13485 registration,” says Amundson. “If their customer, a finished-device manufacturer, gets audited by a notified body or a registrar, the auditor looks back on the supply chain. When auditors ask how the company controls that supplier and whether they hold a registration , that’s a good start in showing control over production of components or subassemblies.”

ISO 13485 vs. ISO 9001

ISO 13485 is based on the ISO 9001 format with additional requirements relating to design, special processes, environmental control, traceability, documentation records, and regulatory actions. This is an outcome of the primary objective for the creation of ISO 13485, which was to facilitate standardized medical device regulatory requirements for quality management systems. As a result, it includes some particular requirements for medical devices but excludes some of the requirements of ISO 9001 that are not appropriate in a regulated environment.

The process for registration against the standard follows the same approach as ISO 9001, including the requirement that auditors have appropriate training and industry expertise. Registrar accreditation for the provision of ISO 13485 registration is normally under the authority of the same accreditation bodies and against the same accreditation requirements, i.e., ISO/IEC Guide 62 or ISO/IEC 17021. In addition, some global registrars are able to simultaneously provide audit services against international regulatory requirements such as European Directive 93/42/EEC Annex II, V, VI for CE Marking; Japan’s Pharmaceutical Affairs Law (JPAL); Canadian Medical Devices Conformity Assessment System (CMDCAS); TCP Program for ROC ( Taiwan); and the FDA Accredited Persons Program.

The primary difference between ISO 13485 and ISO 9001 is that ISO 9001 requires the organization to demonstrate continuous improvement, whereas ISO 13485 requires only that the organization demonstrate that the quality system is implemented and maintained. Thus many organizations maintain dual registration against both standards.

Some other specific differences in requirement and emphasis between ISO 13485 and ISO 9001 include:

ISO 13485 sees the promotion and awareness of regulatory requirements as a management responsibility.

ISO 13485 expects controls in the work environment to ensure product safety.

ISO 13485 expects a focus on risk management activities and design transfer activities during product development.

ISO 13485 contains specific requirements for inspection and traceability for implantable devices and specific requirements for documentation and validation of processes for sterile medical devices.

ISO 13485 states that the company needs to maintain effective processes, namely the processes specific to the safe design, manufacture, and distribution of medical devices.

ISO 13485 has specific requirements for verification of the effectiveness of corrective and preventive actions.


What’s in it for me?

“The advantage [with being registered to ISO 13485] commercially, is that it is a prerequisite if you want to sell your product outside of the United States,” says Robert Dicheck, vice president of quality, regulatory, and clinical affairs at Osmetech- Molecular Diagnostics, a Pasadena, California, medical device manufacturer. “In today’s world, almost everyone is a global company, and even if your primary market is just the United States, it gives you that additional ability to advertise that your company is registered to an ISO standard or standards, and it tells potential customers, and potential investors, that your system is compliant with an international standard.”

Another reason is that registration has financial value. If the company is seeking funding from an investment firm or bank, registration to ISO 13485 will confirm that the company is operating cohesively in regard to processes and products.

“If you are going for funding, for due diligence, it is one of the documents almost always requested,” says Dicheck. “It gives an investment advisor or banker the sense that you have a real company that’s operating in a state of control.”

ISO 13485 registration alone may meet the needs of medical device subcontracting organizations and manufacturers of low-risk medical devices, but most manufacturers will also have to obtain regulatory registration to allow access to the main world markets. The standard still has no weight from a regulatory perspective, although that may be changing.

“There is no perceived advantage within the United States from an FDA standpoint in that they do not recognize ISO 13485 as being adequate to comply with the quality system regulation,” says Dicheck. “But they’re very close and there’s harmonization that occurred, particularly when they went to the 2003 [version of] ISO 13485.”

Challenges and considerations

Cost is always at the top of the list when a company seeks any type of registration. The size of the company will dictate the number of hours a registrar will quote. Recertification is an even longer process than a surveillance audit. “Your initial cost may be $25,000, then it may drop down to $15,000 plus the travel and lodging cost associated with the auditor coming to your facilities,” says Dicheck.

Scope is another big consideration. Because ISO 13485 is specific to medical devices, a company that manufactures or services other areas, such as aerospace or industrial components, is not included in the scope. The company may then have to consider registration to ISO 9001 to cover all the bases.

Something else to think about is the claim of conformity. It is important that the organization implementing the system recognizes its responsibility to ensure that its claim of conformity with ISO 13485 reflects exclusion of design and development controls. Sometimes the regulatory requirements of the market permit exclusions. This can be used as a justification for their exclusion from the quality management system. However, the regulations may also define alternative arrangements that can be addressed in the quality management system.

Going through the process

As Dicheck tells it, when Osmetech PLC took over Clinical Micro Sensors Inc. from Motorola in 2005, the trick was to change the Motorola standard operating procedures and policies to reflect Osmetech policies and procedures. This meant a complete rewrite of the quality system.

“Motorola was a much larger organization before they downsized to put the business unit on the selling block,” says Dicheck. “Initially the quality system that was in place couldn’t just be transferred; it needed to be overhauled. The challenge was to simplify the quality system that was already ISO 13485- registered, but was not at a 2003 level. Because we needed to do that anyway, we took the opportunity to reconfigure the quality system to match Osmetech’s direction.”

Osmetech upgraded to ISO 13485 through a surveillance audit. This enabled the company to show that the policies, standard operating procedures, execution, and implementation were uniform, and that its Boston sites were certified and reviewed in the same way that they were at their Pasadena location.

The main reason for seeking registration to an ISO standard is that it allows a company to prove that it is “in a state of control over their operations,” says Dicheck. “Say you’re a raw material supplier and you’re looking at a chemical supplier. The chemical supplier doesn’t need to be FDA CGMP-compliant, but if they tell me they have an ISO [quality management system] registration, even though is was not an ISO 13485 registration, but maybe ISO 9002 for manufacturing or ISO 9001, then they would provide us that registration to state that their processes are in a state of control for the product lines that they’re offering. When we put it into a medical device, the onus is on us.”

For most companies, the biggest asset to ISO 13485 registration is that it allows the company to focus its resources and understand its roles, rights, and authorities. It helps management organize in a consistent, homogeneous way that is recognized on a global scale.

“It’s a journey,” says Dicheck.


Nicolette Dalpino, news editor at Quality Digest, contributed to this article.


About The Author

Peter Marriott’s default image

Peter Marriott

Peter Marriott joined SGS as a quality systems auditor in the United Kingdom, managing the organization’s largest registration operations. In 2005, he become part of the corporate management team in Geneva, Switzerland, leading Global Systems and Accreditation Management. Since December 2007, he has held the additional responsibility of heading up the North American registrations as Director of Systems and Service Certification North America, which is headquartered in Rutherford, New Jersey.


ISO 13485

I am interested in the resonse to the above question regarding the necessity of medical device component manufacturers to have ISO 13485 certification.

ISO 13485

In your arcticle you say that Component manufactures for Medical Devices should want to get ISO 13485.

My understanding is "Medical devices are defined as articles which are intended to be used for a medical purpose. The medical purpose is assigned to a product by the manufacturer. The manufacturer determines through the label, the instruction or use and the promotional material related to a given device its specific medical purpose. As the directive aims essentially at the protection of patients and users, the medical purpose relates in general to finished products regardless of whether they are intended to be used alone or in combination. This means that the protection ensured by the directive becomes valid for products having a stage of manufacture, where they are supplied to the final user."

Following this concept, raw materials, components or intermediate products are as such normally not medical devices.

Is this true? My company was told we could not get ISO 13485 .

Thank you, Barbet

Subtitle inaccuracy

In the subtitle, you state that ISO 13485 "is the DNA for repeatable and continuous improvement." First of all, repeatable what? Additionally, ISO 13485 does not drive continuous improvement activity. This is one reason many companies maintain ISO 9001 as well.

Many may think that this is being nit picky, but in a mag that is professing quality, it should ensure that it is accurate all the time.