QUALITY MANAGEMENT SYSTEMS FOR MEDICAL DEVICE MANUFACTURERS

ISO 13485:2003
Practical Guide to Understanding
ISO 13485:2003

Quality Management Systems for Medical Device Manufacturers

INTRODUCTION
WHAT ABOUT ISO 9001:2000?
Meeting Management System
requirements and other regulations
for manufacture and sale of Medical
Devices around the world can be
complex and confusing. ISO 13485:2003
was written and is being adopted by
regulators with the hope of
harmonizing requirements and
reducing some of the conflicting and
different demands on manufacturers.

Understanding

Many manufacturers are confused

about whether they need to be
registered to ISO 9001:2000.
ISO 13485:2003 is based on ISO
9001:2000, but has had some
elements removed and the emphasis
changed. Therefore registration to
ISO 13485:2003 will meet regulatory
requirements, but registration to ISO
9001:2000 may bring further business
benefits, as it has a much stronger
commitment to:

Implementation

Customer satisfaction

Registration to ISO 13485:2003

Continuous process improvement

It has also been written for a mixture

of levels of understanding:

Strong consideration of registration

to ISO 9001:2000 should be given by
manufacturers who make a mixture
of non-medical products as well as
medical products. Companies should
also consider working to and
meeting the requirements of
ISO 9001:2000, without going as
far as getting registered.

This guide will help you identify key

issues in order to prepare yourself for:

New to ISO 13485 and all other

management systems
Already registered to ISO
13485:1996
Registered to ISO 9001:2000

I S O

1 3 4 8 5 : 2 0 0 3

10 THINGS EVERYONE NEEDS

TO KNOW ABOUT ISO 13485:2003.

1. ISO 13485:2003 is based on the

ISO 9001:2000 process model.
2. ISO 13485:2003 was written as a
model to meet the quality system
requirements of various global
regulations.
3. With the shift in emphasis to be a
model for regulatory
requirements, the writers of
ISO 13485:2003 removed the
emphasis on customer satisfaction
from ISO 9001:2000.
4. ISO 13485 has not been adopted
by the FDA, who will continue to
have separate Quality System
Regulation (QSR) requirements,
however, the FDA participated in
writing ISO 13485:2003 to make
sure their requirements and
ISO 13485:2003 are aligned.
Therefore, if a company meets the
requirements of ISO 13485:2003,
they should easily be able to meet
the FDA QSR requirements.
5. TR 14969 is a guidance document
for the use and implementation
of ISO 13485:2003.

6. ISO 13485:2003 was not written

to be a business improvement
modelit was written as a tool
for maintaining the effectiveness
of processes.
7. Unlike ISO 9001:2000,
ISO 13485:2003 will not allow
manufacturers to rationalize
documentation. In order to
ensure companies meet
regulatory requirements,
ISO 13485:2003 is more
prescriptive, and requires that
certain procedures still need
to be documented.
8. Risk management is also a very
key element of ISO 13485:2003.
9. There is no significant
relationship between
ISO 13485:2003 and
ISO 9004:2000the Quality
Management System
fundamentals standard.
10. ISO 13485:2003 is compatible
with other non-quality
management systems such as
ISO 14001, or OHSAS 18001.

A SECTION BY SECTION BREAKDOWN OF

ISO 13485:2003
The following is a review of the main changes/differences
in each section of ISO 13485:2003. This should also give a
company that has never been registered to a management
system a clear understanding of the requirements of an
ISO 13485:2003 Quality Management System. The table
below shows topics within each section of the standard
that have changed (left side column) along with details of
those changes/differences (right side column).

Note: This information is published for guidance only and should not be used as the basis for QMS implementation or
changes. Please refer to the exact text of the standard before implementing ISO 13485:2003.

SECTION 1 - SCOPE
THIS IS THE PREAMBLE TO THE REQUIREMENTS. IT SETS THE SCENE AND SCOPE OF WHAT THE
STANDARD HAS BEEN WRITTEN TO ACHIEVE.
Permissible exclusions

The new standard allows the exclusion of design where that is permissible
by the regulations.
All exclusions need to be justified and documented.
The standard differentiates between exclusions and areas of non-applicability.

SECTION 4 QUALITY MANAGEMENT SYSTEM

THIS COVERS SOME OF THE BASIC APPROACH, STRUCTURE AND KEY ELEMENTS THAT NEED TO BE
INCLUDED WITHIN A QUALITY MANAGEMENT SYSTEM (QMS).
Process approach

Requires manufacturers to establish a QMS which identifies and manages

processes.
Pictoral based process mapping recommended.

Regulatory requirements

QMS must identify and meet internal and external (regulatory) requirements.
QMS is focused on driving towards maintaining compliance rather than
improvement.
Removes emphasis on customer satisfaction.
Greater emphasis on understanding and controlling processes.
Combines process and compliance auditing.

Outsourcing

Manufacturers are responsible for controlling outsourced activities and processes.

Objectives

Clearer emphasis on documented policy and quality objectives as well as top

management support and commitment to them.
Quality Policy should be a framework of objectives.
All objectives must be measurable.

Documentation

Required documentation includes a quality manual, with a clearly identified

scope of the QMS and justification of any exclusions, including:
documented procedures or reference to them
full description of interaction of processes.
All required procedures must be implemented and maintained.
The standard requires the establishment and maintenance of device files.
Periodic reviews of procedures are required.
Generally the standard is less ambiguous about what is and is not required than
previous standards.

SECTION 5 MANAGEMENT RESPONSIBILITY

THIS OUTLINES THE ROLE MANAGEMENT MUST PLAY IN AN EFFECTIVE QUALITY MANAGEMENT SYSTEM (QMS).
Top Management

Commitment to the QMS by Top Management is given greater emphasis.

Responsible for communicating the importance of meeting statutory and regulatory
requirements.
Must establish quality policy and objectives, and ensure there are available resources
to support the QMS, and conduct management reviews.
Expect to be interviewed by the registrar.
Must ensure that regulatory (and customer) requirements are determined
and met.

Continual improvement/
customer satisfaction

This requirement has been removed, and is not included in ISO 13485:2003.

Objectives

Greater emphasis is placed on quality planning and setting quality objectives.

Not too many objectives should be set.
Objectives should be effectively cascaded to employees.
Must be achievable and measurable.
Must have top management support.

Quality planning

Must cover:
product planning, including customer requirements,
design planning,
production planning and
managerial and operational planning.
Auditors will be looking for clear evidence of changes being planned to maintain the
integrity of the QMS.

Responsibility, authority
and communications

Responsibilities and authorities must be clearly defined, documented

and communicated.
Must ensure independence and authority at all times.
Standard emphasizes need to nominate responsible person for post-market surveillance
and incident reviewing and reporting.
Management representative required.
Internal communication of processes, and improvement opportunities must
be effective.

Management review

Requires clear inputs including:

changes and recommendations for improvements,
information on process performance,
new and/or revised regulatory requirements.
Requires clear outputs including improvements and resources and evidence of required
actions.

SECTION 6 - RESOURCE MANAGEMENT

THIS SECTION ADDRESSES THE BASIC RESOURCE REQUIREMENTS AND CONTROLS FOR AN EFFECTIVE
QUALITY MANAGEMENT SYSTEM (QMS).
Resource availability

Manufacturers must provide adequate resources for an effective QMS that is capable of
meeting customer and regulatory requirements.

Staff

Competence is considered more carefully, with a requirement to evaluate if a person is

competent to do what they are doing, and not just because they have been doing it for
a long time.
Removes reliance on qualifications and experience.

Infrastructure and
work environment

Requires provision of adequate infrastructure to achieve conformity.

Management of work environment to ensure there is no adverse impact on product
quality.

SECTION 7 PRODUCT REALIZATION

THIS SECTION IS THE REAL HEART OF THE STANDARD, OUTLINING ALL THE ELEMENTS,
CONTROLS AND APPROACHES REQUIRED TO ENSURE PRODUCT OR SERVICE IS MANUFACTURED
AND DELIVERED EFFECTIVELY.
Risk management

Greater emphasis on documented risk management.

References ISO 14971 the international risk management standard.

Customer and regulatory

requirements

A much more prescriptive approach to when and how these are

established.
Proactive customer communication is required.

Design and development

New requirement for design outputs to be verified as suitable for

manufacturing, before becoming final product specifications and for
consideration of outsource processes.
Safety according to intended use has been added to design and development
inputs.
Now a requirement for validation to be completed before delivery or
implementation of product and for clinical evaluation as required by regulations.
At design review, action items must be clearly identified, and subsequently
followed up to closure.

Purchasing

A new requirement to not only qualify, but to re-evaluate suppliers.

Production and
service provisions

Sterilization processes must be validated and records maintained.

Includes particular requirements for sterile devices to maintain records of
sterilization process parameters for each sterilization batch of devices with
sterilization records traceable to each production batch.

Process validation

The new standard makes this clearer and is much more in keeping with the QSR
requirements of the US FDA.

Product identification

Required throughout product realization.

Returned products must be identified and distinguished from conforming
product.

Preserving conformity

Documented procedures or documented work instructions for preserving the

conformity of the product during internal processing and delivery to the
intended destination.

Control of monitoring
and measuring devices

Streamlining of the requirements found in the previous standards.

Confidential health
information

This must be treated as customer property and requires appropriate protection.

SECTION 8 - MEASUREMENT, ANALYSIS AND IMPROVEMENT

HERE THE REQUIREMENTS FOR ENSURING CONSISTENCY, CORRECTION AND
TRACEABILITY ARE SET OUT.
Monitoring and
measurement

New requirement monitoring information relating to whether the organization

has met the customers requirement.
Post-market surveillance is highlighted.

Internal audit

Criteria, scope, frequency and

methods must be defined.
Clearer that auditors shall not audit
their own work.
Need to define responsibilities.
Requirements for planning,
conducting, reporting and
recording audits.

Correction and
corrective action

Requirement that when planned

results are not achieved correction
and corrective action is taken.
Not to be confused with
preventative action.

Monitor and measure

processes

Output of clause 7.
Must identify Product Realization
processes, and define the metrics
that are to be measured.
Measures need to be consistent
with quality policy and objectives.

Monitor and measure

products

No release of product allowed until

planned arrangements have been
satisfactorily completed i.e. tested
for conformance with requirements.
Additional requirements have been added for implantable devices.

Control of
non-conforming product

Corrected product shall be subject to re-verification to demonstrate

conformity to the requirements.

Improvement

All about maintaining the continued suitability and effectiveness

of the QMS.
There must be procedures for:
advisory notices
records of customer complaints.
Complaints resulting from activities outside of the manufacturer (e.g. outsource
activities) are required to be investigated.

Corrective action
requirements

Greater emphasis on getting to the root of problems and taking

appropriate corrective action to stop recurrence.
Must investigate problems to understand what went wrong and to fix the
process.

Preventative action

Involves analyzing data and identifying trends before non-conformities/problems

arise.
A health and safety preventative approach is required, as opposed to waiting
for problems to reveal themselves.

TIPS TO TRANSITION
Recommended Actions for Manufacturers
The following steps will help any manufacturer prepare for ISO 13485:2003
registration no matter what their current QMS situation is.

1. PURCHASE THE
STANDARD

You can only really get a true understanding of the requirements by reading
the standard. But first you have to buy
it. Visit www.bsiamericas.com/training
for more info on how to purchase
standards.
Once you have bought it, read it and
be sure to review the basic quality
concepts, and familiarize yourself with
the process model (PDCA), as well as
review all the specific requirements.

2. CONSIDER
TRAINING

3. PREPARE A
TRANSITION PLAN

Conduct a Gap Analysis

Identify the differences
between your existing
registration status and
ISO 13485:2003. This will
help identify the key areas
where you need to focus.

Consider training in ISO 9001:2000, as well as ISO 13485:2003.

Many of the ISO 9001:2000 process concepts are the foundation of
ISO 13485:2003. There is multiple years worth of general training
and transition experience related to ISO 9001:2000 from which medical
device manufacturers can learn.

Be sure to prepare a clear transition plan. Experience has shown us that

while the transition should not be too hard for most manufacturers,
it needs to be well thought out and planned effectively.

Identify Resources
Ensure you involve as many
people and departments as
efficiently possible, then
allocate responsibilities and
activities.

4. IMPLEMENT
ISO 13485:2003

Implement ISO 13485:2003. Use at least ISO 13485:1996 now and start
using ISO 13485:2003 as soon as possible.

Some key points to consider

Do not throw away any procedures - You need to stay in regulatory compliance at all
times, so dont make any sudden changes.
Stop using EN 46001 with immediate effect - This standard is no longer relevant.
Make sure Top Management is involved - The new standard looks for leadership,
commitment and active involvement and clause 5 of the standard emphasizes that Top
management shall!
Determine the appropriate scope and exclusions allowed by regulatory requirements.
Set appropriate Quality Policy and Quality Objectives.
Consider using process mapping, flow charting and electronic systems - Remember that
everything must be appropriately controlled and maintained.
Consider outsource processes and how they are controlled - This is a new element of the
standard and may take time to fully address.

5. COMMUNICATE CHANGES
INTERNALLY

Employees are the ultimate owners of the QMS. They need to fully
understand the changes in order for the new management system to be
effective.

6. UPDATE INTERNAL
AUDIT PROCEDURES

Update internal audit procedures and consider audits by functional area

(or process) rather than by clause. Auditors should consider new audit
trails and the expected evidence; it may be necessary to consider
auditor-training requirements.

7. CONSIDER A
PRE-ASSESSMENT

8. SCHEDULE REGISTRATION
ASSESSMENT

A pre-assessment can be a great help in ensuring you pass the registration

assessment the first time.

Scheduling this date now will create a goal to drive the rest of the
transition program. Contact BSI now to schedule your assessment.

ADDITIONAL BSI PRODUCTS AND SERVICES

BSI has developed a suite of products and services to

help you get closer to registration and get the most out
of your management system.

ISO 13485:2003 TRAINING

Understanding ISO 13485:2003 is an introductory
course that will give students a broad understanding
of the ISO 13485 QMS system requirements for the
medical devices standard.
ISO 13485:2003 Internal Auditor provides students
with a broad understanding of the ISO 13485 Quality
Management Systems requirements, including the
proposed revisions.
ISO 13485:2003 Management Briefing is an
introductory course that will give students a broad
understanding of the ISO 13485 QMS system
requirements for the medical devices standard.

ISO 9001:2000 TRAINING

Understanding ISO 9001:2000 provides an ideal introduction to the broad topic area of quality
standards and registration.
Implementing ISO 9001:2000 is a hands-on, workshop-styled training program covering all the
basic disciplines needed and the approaches that should be used when putting ISO 9001:2000
into practice.
Quality Systems Documentation provides practical guidance on how to write readable and
usable documents for Quality Management Systems.
ISO 9001:2000 Internal Quality Systems Auditor is RAB accredited and gives comprehensive
training in the proven techniques and accepted methods used for internal auditing.
ISO 9001:2000 Lead Auditor is RAB accredited and ensures a lead auditor thoroughly
understands the role and acquires the expertise needed to perform the audit role effectively.
The list of courses is constantly being updated so please visit www.bsiamericas.com/training
for the most up-to-date listing, more detailed descriptions, prices and dates of the next
course nearest you.

STANDARDS AND PUBLICATIONS

You can purchase the ISO 13485:2003 standard in addition to many others such as
the ISO 9000:2000 series of standards from www.bsiamericas.com/training

FREE GUIDANCE DOCUMENTS

BSI has developed a number of free documents to help you understand
ISO 9001:2000, ISO 14001, ISO 13485:2003 and much more to Get the
Most out of your management system.
These include:
What is ISO 9001:2000?
Glossary of ISO 14001 Terms
Practical Guide to Understanding ISO 13485:2003
These and more are available to download free of charge from:
www.bsiamericas.com/getthemost

BSI MANAGEMENT SYSTEMS

BSI Management Systems has over 42,000 registered clients in 90 countries,
making us the largest and most experienced registrar. This places BSI in an
unrivalled position of knowledge about companies needs, irrespective of
size and industry sector.
The span of BSIs services allows you to purchase the standards, train your
staff and gain registration - all from one committed business partner.
BSIs range of course offerings is among the most comprehensive available
and addresses the needs of quality professionals across the Americas. Add
to this the large number of dates in convenient locations and you have a
network of excellence, dedicated to your development.
Here are some more reasons to choose BSI:
Internationally experienced assessment staff who undergo the most
thorough training and qualification process of any registrar to ensure
that when they visit your company they understand the needs and
specific requirements of your industry
Our registration service is accredited by an independent accreditation
service, ensuring integrity of the registration decision
Use of the highly regarded and powerful BSI Registered Logo
Strong links with other standards and registration bodies and
technical consultancies

2004 by BSI Management Systems

QUALITY MANAGEMENT SYSTEMS FOR MEDICAL DEVICE MANUFACTURERS

I S O

1 3 4 8 5 : 2 0 0 3

BSI Management Systems

USA
12110 Sunset Hills Road
Suite 200
Reston, VA 20190
USA
Tel:

1 800 862 4977

703 437 9000
703 437 9001

Fax:

BSI Management Systems

Canada

Quality

17 Four Seasons Place

Suite 102
Toronto, ON M9B 6E6
Canada

Management

Tel:

1 800 862 6752

416 620 9991
416 620 9911

Fax:

Systems

shape the future

BSI Group:

Standards

Information

Training

Inspection

Testing

Assessment

Certification

BSIUSA40/MS/0104/E

inquiry@bsiamericas.com
www.bsiamericas.com