What is ISO 13485 ?

ISO 13485 is an International Organization for Standardization (ISO) standard,

published in 2003, that represents the requirements for a comprehensive (QMS)
Quality Management System for the design and manufacture of medical devices.

Benefits of ISO 13485:2003 Certification

Adopting this standard is beneficial to the organization in many ways:

Promotes harmonization of regulatory requirements for the manufacturers of

medical devices on an international scale.

ISO 13485 is a quality system standard for organizations that design, develop,
produce or service medical devices. All requirements of ISO 13485 are specific
to organizations manufacturing medical devices, regardless of the type or size of
the organization.

Companies that achieve ISO 13485 certification enjoy the benefits of an

increased amount of customers who have more reason to trust and purchase
products of consistent high quality.

ISO 13485 will benefit customers, suppliers, management, and especially

workers

Rapid and effective communication, feedback, and recognition on efforts made,

results achieved, and work to be done

Continuous assessment, improvement, and re-registration of systems.

ISO 13485 certification is advantageous to medical device companies which

export their products to global markets. Some of the additional requirements
relate to design controls, process controls (including environmental controls),
special processes, traceability, record retention, and regulatory actions, which
are more critical for the medical device industry.

ISO 13485 compliant management systems adopt a risk management approach

which includes assessment to identify & estimate risk, uses risk controls and
techniques with a view to eliminate hazardous situations throughout product
realization.

Assures the customers that the product complies with all relevant product &
service-oriented technical standards & regulations.

Emphasizes the cleanliness & sterility in the production area, which in turn
increases efficiency & enhances safety at the workplace.

ISO 13485 Implementation

Ten stages of ISO 13485: 2003 implementation program. Sincere effort and dedicated
team guarantees successful completion and certification through consultancy.
Stage 01 Appoint consultants - Well experienced in Medical device certification.
>
Stage 02
>

Knowledge in FDA, MDD, and GMP are added advantages for the consultants
Perform a 13485 GAP Analysis - If the organization already implemented
ISO 9001 quality management system. This is not required for those
implementing first time
Project Schedule - Consultants will work with the acting MR to prepare a

Stage 03 project schedule. The schedule will list the actions needed. The Process
>

Owners will be informed about there duties and responsibilities along with
timeline.
Develop Process Mapping - Consultants will guide you to develop Process
Mapping. There will be 2 levels of Process Maps:

Stage 04
>

Define process interactions.

Process Mapping based of its own.

Develop Documentation Consultants will identify the required

documents. This will include:
Stage 05
>

Stage 06
>
Stage 07
>

Quality Manual.

QMS procedures.

Protocols, Forms, Formats, Records, Reports etc.

Employee Training Consultants will help you identify the training needs of
your employees. Consultants will be providing training for all level of people
in the organization like awareness, GMP and internal auditor training.
Implementation Do what you documented, document what you does/td>

Stage 08 Establish quality goals and understand how they can best be
>

incorporated into your business operations.

Stage 09 Internal Audit - Consultants will provide internal audit along with certified
>

internal auditors.

Stage 10 Certification Audit - Consultants will be present during the day of

>

certification audit to help the in-house team..

ISO 13485:2003 Requirements in brief

Clause 1:

A Quality Management System for an organization that provides medical

Scope

devices and services that meets customer requirements.

Clause 2:
Normative
Reference

ISO 9000:2005 which should be used along with ISO 13485 standards. It
outlines the Quality Management Systems-Fundamentals and Vocabulary
Gives definitions used in the standard, many of which are in addition to
ISO 9001.

In-vitro diagnostic reagents

Software medical device

Class of Medical Device

Clause 3:

Active Implantable Medical Device

Terms and

Active Medical Device

Definitions

Advisory Notice

Customer Complaint

Implantable Medical Device

Labeling

Medical Device

Sterile Medical Device

Quality Manual with Scope of the QMS

Required Procedures

Required Forms & Records

Clause 4:
General
Requireme
nts

Control of Documents

Control of Forms

Clause 5:

Management Responsibility

Manageme

Quality Policy & Objectives

nt

Customer Focus & Customer Satisfaction

Responsibil

Management Review

Personnel & Training

Resource Management

Production of the product or service

Planning

Customer related processes and Customer Feedback

Clause 7:

Design

Product

Purchasing

Realization

Process control

Identification and Traceability

Customer Property

Requirements on monitoring processes to improve

Customer Satisfaction

Internal Audits

Control of Non-Conforming Product

Corrective and Preventive Action

ity
Clause 6:
Resource
Manageme
nt

Clause 8:
Measurem
ent,
Analysis
and
Improvem
ent

How Long It Takes to Achieve ISO 13485 Certification

The amount of time required to achieve ISO 13485 certification varies widely by
company. Many companies are able to implement ISO 13485 in 4-7 months if
utilizing outside consultants. Many people ask why the process takes so long. The

primary reason is that once your ISO 13485 quality system has been implemented,
you need to generate official records using implemented procedures that will be
referenced during your subsequent registration audit by a Certification Body. It is
possible to implement an ISO 13485:2003 quality management system in just a
few months, but without auditable records it would be extremely difficult to
achieve certification.

Factors that influence the time it takes to achieve ISO 13485

certification:
Commitment of senior management Delays in achieving certification often
occur when senior management views the implementation of ISO 13485 as just
another regulatory hurdle put in place by government. Companies that achieve
certification more quickly have the complete support of upper management who
recognize ISO 13485 as a tool for meeting customer requirements, reducing risk
and maintaining effective processes. Invariably, management support is key in
pushing through the changes often demanded by ISO 13485 implementation.
Dedication of resources The moral support of senior management is not
enough to make ISO implementation happen. The company must allocate
sufficient in-house resources. Hiring an outside consultant certainly helps the
process move more quickly, but without a dedicated management representative
who has the full support of senior management, change will happen slowly.
Ultimately, the decision of whether to bring in outside consultants depends on how
much revenue your company could generate by achieving compliance sooner. For
instance, if time to market is important to you and every month your product
is not on the market means thousands in lost sales, then hiring a consultant to
speed the process makes financial sense. In our experience, companies that
complete ISO 13485 quality system implementation in 4-7 months have a
management representative that dedicates 25-50% of their time to the
implementation process.
Size of the company, complexity of manufacturing If your company has 50
employees and one location, it often takes less time to implement ISO 13485 than
if you have 500 employees and three locations or you have complex manufacturing
processes (example: sterilization). With larger and more complex companies,
more procedures must be written and more people are involved. Paradoxically, this

is not always the case. Mid-size to larger companies sometimes have more
resources dedicated to achieving ISO 13485 certification and can sometimes push
through changes more quickly if there is support from all levels of senior
management.

Stages of the ISO 13485 certification process.

Companies that already have a quality management system in place such as ISO
9001:2000 or FDA Good Manufacturing Practice (GMP) can expect shorter
implementation times. Here are the stages of the ISO 13485:2003 certification
process:

ANALYSIS, PLANNING AND PROJECT KICKOFF

Define scope of implementation

Develop quality policy, objectives and manual

Conduct a gap analysis audit to determine areas of focus

Define objectives and create a task list

Conduct training for employees on ISO 13485

DOCUMENTATION DEVELOPMENT AND IMPLEMENTATION

Review current policies and procedures

Write new Standard Operating Procedures (SOP) and review Work Instructions

Start using new procedures to generate auditable records

INTERNAL AUDITING

Conduct internal audits

Conduct management review meeting

Train internal auditors

AUDIT AND SYSTEM REFINEMENT

Conduct pre-certification audit and final readiness review

Make post-audit modifications as needed

Address remaining issues

Send documents to certification body for desktop review

Typically, you will schedule your certification audit 4+ weeks after conducted your
final readiness review to allow for final changes to your system. Certification
Bodies normally issue ISO 13485 certificates about 6-8 weeks after a favorable
recommendation for certification.

STAGE 1 AUDIT
The purpose of the Stage 1 Audit is to obtain information about the applicant company
related to the size, complexity of operations and capabilities for which registration is
sought. The auditor will establish whether further development of the management
system is necessary before the Stage 2 Audit takes place.

STAGE 2 AUDIT
The stage 2 Audit is carried out to ascertain that whether the of the applicant companys
Management System can be certified based on the objective evidences found during the
course of audit.
The audit team compares what you say you do i.e. your documented management
system, against what you actually do.
The auditor will be looking for objective evidence (records, documents, etc) to verify
that the activities of the organization are in accordance with the documentation and the
requirements of the relevant management system standard.
All records resulting from the implementation and operation of the Management
System must be made available to the Audit team for evaluation.

CORRECTIVE ACTION REQUEST

If a non-conformance is detected during the Audit, a Corrective Action Request (CAR)
will be issued and a corrective action process will commence. The auditor will discuss
with you the reason for the CAR in order to explain the type of action that will be
required to correct the situation and will also explain how to follow-up and clear the
CAR.

SURVEILLANCE
Periodic surveillance Audits will be carried out to ensure that the management system
is not only being maintained, but is being reviewed and developed further to improve
the efficiency and effectiveness of the business processes. These Audits, generally at 6

/9 /12 monthly intervals will always cover certain key elements crucial to the success of
your business. These would include internal Audits, management reviews, continuing
operational control and corrective actions. Your Customer Complaints Register would
also be examined to see how quickly and effectively you handle customer complaints.
Other aspects of the Management System will be covered selectively, over the period of
certification, depending on their importance of their scope of certification.
The Management System Certificate will be valid, initially for a period of three years
from the date on which the Client is notified of its successful Audit, on condition that the
surveillance Audits have revealed no deterioration in the Management System.

Selecting a Certification Body for Your ISO 13485 Audit

There are several terms used to describe the third-party entities that perform
audits of medical device ISO 13485 quality management systems and associated
technical documentation. They are Notified Bodies (Europe), Registrars (Canada),
Conformity Assessment Bodies (Australia) and Registered Certification Bodies
(Japan). For purposes of simplicity, we refer to these entities as Certification
Bodies (CB) since all perform the same function: to certify that you are in
conformance with the ISO 13485 standard and applicable regulations.
When you are evaluating an ISO 13485 Certification Body, consider the following:

Future market expansion plans If you are looking to acquire European CE

Marking, consider your future plans. Might you expand to Canada or Japan? Not all
Certification Bodies can audit to the Canadian and Japanese regulations so you
would need to hire yet another auditing firm to conduct audits for these regulations.
If there is a reasonable chance you may expand to other markets in the future, be
sure to select one that will be able to offer you certification in those markets.

Size of the certification body This depends on your goals. Having a large
brand name as your Certification Body can have a direct impact on your ability to
secure new contracts with overseas firms simply because the name recognition of
your auditor lends credibility to your company. If your company is trying to break
into the Japanese market, for example, using a widely known Certification Body
such as TUV, BSI or UL could be beneficial. On the other hand, many small to
mid-sized Certification Bodies are reputable and can sometimes offer faster service
at lower prices than the big players.

Extra fees Before making your selection, ask the Certification Body if it charges
any special administrative, renewal or address change fees. If you are also seeking
CE Marking, find out how much it would cost to get extra copies of your CE
certificate. Ask where the auditor will be traveling from to conduct your audits.
Some firms include travel costs in their quote while others do not. Once you sign a
contract, you will not have any choice but to pay those fees so it is better to know
about them now.

Select a firm experienced with your medical device It is always good to

ask the Certification Body whether it has experience with your specific devices,
especially if you manufacture a higher risk (Class IIb, III or IV) device. Experience
also is critically important if you manufacture a product for which classification
may be open to interpretation (example: teeth whitening products). In this case,
you want a Certification Body that will support your classification if challenged by
a Ministry of Health or a competitor.
There are several firms authorized to conduct audits for European, Canadian,
Australian, Japanese and other international regulations and standards. Working
with one of these ISO 13485 certification bodies can be very beneficial if you intend
to sell your devices in several international markets.

Common Questions about ISO 13485:

Does ISO 13485 apply to ALL medical device manufacturers?

No, most manufacturers of Class I medical devices that are not provided
sterile or do not have a measuring function do not need to implement ISO
13485. Also, Standards are voluntary and many international markets (Europe,
Australia, Japan) offer other alternatives for meeting their national quality
management system requirements. One exception is Canada which requires Class
II, III and IV manufacturers to meet the ISO 13485 standard.

Who issues ISO 13485 certificates?

ISO 13485 certificates are issued by independent firms authorized by national
Ministries of Health to conduct audits of manufacturers quality systems. ISO
13485 certificates are never issued by a Ministry of Heath itself.

Is a CE Marking certificate the same as an ISO 13485 certificate?

No. CE Marking certificates are intended to demonstrate compliance of a device
with applicable European Directives. ISO 13485 certificates prove compliance of a
companys quality management system with the ISO 13485 standard. CE Marking
certificates are sometimes accepted as proof of compliance with the national
medical device regulations of some countries.

How long does it take to implement ISO 13485?

Most companies find it takes 4-7 months from the time they start the process until
the time certification is achieved. This figure can vary dramatically depending on
the company size, locations, complexity of manufacturing and dedication of
resources.

For how long is an ISO 13485 certificate valid?

Generally, certificates are valid for 3 or 4 years. However, nearly all manufacturers
must submit to annual audits by their certification body. Manufacturers of high risk
devices may also be subject to inspection by a national Ministry of Health.

Is the ISO 13485 standard free? Where can I get a copy?

The ISO 13485 standard is a copyrighted document published by the International
Organization for Standardization (ISO). You may purchase a copy of the standard
from the ISO website or from other websites authorized to sell standards
documents.

We outsource manufacturing. Do we need to implement ISO 13485?

In general, yes. However, if your contract manufacturer already has ISO 13485
certification, your ability to prove to your certification body that you have control
over the quality of goods being produced by your supplier becomes easier. Thus,
selecting an OEM (Original Equipment Manufacturer) that already has ISO 13485
certification is beneficial, but not required.

We already have US FDA GMP or ISO 9001. How difficult will it be to upgrade
to ISO 13485?
Companies that already have a well maintained and audited US FDA GMP or ISO
9001 quality system in place will find it relatively easy to make the changes
necessary to achieve ISO 13485 certification. The US Food and Drug
Administration does not recognize ISO 13485 but the US FDA did provide input
when ISO 13485 was being crafted so FDA Good Manufacturing Practice is similar
to ISO 13485. Likewise, ISO 9001 is the basis of ISO 13485 with additional
requirements specifically for medical device manufacturers. Therefore, upgrading
to ISO 13485 will be fairly straightforward.

What is the difference between ISO 9001 and ISO 13485?

Standard ISO 13485 is based on ISO 9001 quality management standard, although
the two standards differ enough that a manufacturer with ISO 13485 cannot also
claim compliance with ISO 9001. ISO 13485 was written to meet, and maintain
compliance with, regulatory requirements so it does not have the same emphasis
on customer satisfaction and continuous improvement found in ISO 9001.
Companies that manufacture products with medical and non-medical applications
are sometimes certified to both Standards.

Main Difference between ISO 13485 and ISO 9001

In ISO 13485 the term "customer satisfaction" replaced by the term "customer

fulfillment" and the term "continual improvement" by the term "maintenance of

efficiency".
13485 follows the structure and plan-do-check-act philosophy of ISO 9001: 2008.
However, there are differences between these two standards.

Some core differences between 13485 and 9001 follow.

1. Maintenance vs. Improvement
One of the core principles of 9001 is that a certified company must continually improve
the effectiveness of its management system. These improvements can relate to
processes, products or services that the company provides to its customers. In the
regulatory world of medical devices, however, improvements, though well intended,

can affect the safety and effectiveness of the product or services provided by the
company. So, rather than require that companies continually improve, 13485 requires
maintenance of the effectiveness of the quality management systems processes.
Consequently, continual improvement efforts may be limited to those areas in the
management system that do not pose a significant risk to product or process safety and
effectiveness.

2. Customer Satisfaction vs. Customer Feedback

Another core principle of 9001 is the requirement that certified companies must
monitor customer perception and subsequently use the results to improve the system.
For 13485, this requirement is replaced by the obligation to monitor whether a
company has met customer requirements. There is a difference between achieving
customer satisfaction and meeting customer requirements. For example, while a
customer may not be satisfied because a medical device causes discomfort, the device
may still be effective and safe; the emphasis in 13485 is on safety and effectiveness.
Customer perception in 9001 focuses on customer satisfaction from the customers
point of view. It is not enough to use the absence of customer complaints as evidence
of customer satisfaction; customer perception requires an organization to actively seek
the customer satisfaction levels.

3. Exclusions
Section 1.2 of 13485, Application, states that a company may justifiably exclude the
requirements for design and development if a regulatory requirement allows for it,
regardless of whether or not the company engages in such activities. As always, a
company needs to be careful how they define an exclusion. Even though the company
may not have primary responsibility, it still may have activities that impact the
excluded requirements. Auditors will test companies to ensure exclusions are justified.

4. Risk Management
Given the nature of the product being manufactured or service being provided, 13485
requires that companies calculate, analyze and mitigate the risks associated with the
product and processes. This is not unlike the requirement in the automotive sector for
companies to conduct failure mode and effects analysis (FMEAs) and develop
preventive measures to prevent undesirable results. Additional guidance can be found

in ISO 14971: 2007 Application of Risk Management to Medical Devices.

5. Additional Requirements
As is the case for other sector-specific standards, 13485 has additional requirements
that go beyond its 9001 foundation. Many of these requirements call for the
development of additional documents and documented procedures. Additional
requirements include:

Documenting procedures for design and development; purchasing; servicing;

validation of the application of computer software and sterilization processes;
identification of returned goods; traceability; control of product with a limited shelf life
or requiring special storage conditions; monitoring and measurement of product,
customer feedback and rework; and issuance and implementation of advisory notices,
for example, as in the case of a product recall.
Conducting formal risk analysis in product and service planning.
Addressing additional controls for cleanliness of product and contamination control,
work environment, and document and record control.
Documenting requirements for installation, service and sterilization activities and
processes as well as active implantable and implantable medical devices, risk
management, maintenance activities, cleanliness and installation.

While a company seeking dual certification does not have to necessarily maintain two
sets of quality management system documentation-one for 9001 and one for
13485-the company must identify and implement the unique requirements in each
standard. To ease the initiative to develop a 13485-conformant system, the standard
contains Annex B, which allows one to compare the requirements of 13485 with those
of 9001.

Understanding ISO 13485

Though based on ISO 9001, 13485 removes 9001s emphasis on continual
improvement and customer satisfaction. In its place is an emphasis on meeting

regulatory as well as customer requirements, risk management and maintaining

effective processes, namely the processes specific to the safe design, manufacture and
distribution of medical devices. ISO 13485 is in part designed to produce a
management system that facilitates compliance to the requirements of customers and
global regulators.

The Certification Process

Like any ISO certification, medical device manufacturers wishing to obtain 13485
certification first need to educate themselves on the requirements of regulators and
customers, as well as what a 13485-compliant management system will entail. Then a
management system that conforms to the standards requirements needs to be
implemented within the organization.
The first step to creating the management system should be drafting a quality manual;
the quality manual outlines an organizations goals, processes and procedures for
compliance and quality management. An employee with the know-how to develop and
implement such a program can create the management system internally; otherwise, a
hired consultant with an expertise in the 13485 market can be used. After the quality
manual has been written and a management system has been implemented, the
organization needs to seek a certification body it is comfortable with.
When seeking a certification body, the organization needs to be sure that the registrar
is accredited by an accrediting body to include 13485 certification in their scope. The
organization seeking certification should ask to see credentials and references from a
prospective registrar. For example, in North America, certification bodies will be
accredited through an organization such as ANSI/ASQ National Accreditation Board
(ANAB). There are accreditation boards in every major country that review certification
bodies to ensure they meet requirements.
It also is important to keep the target market in mind. For instance, if a medical device
manufacturer wants to sell in North America, it should seek certification through a
registrar accredited by a North American accreditation body to ensure they will meet
country-specific or customer requirements.

If a consultant is required, the organization needs to be sure that the prospect has
expertise in 13485, and requesting referrals from an accredited registrar also can aid in
finding the right match. It is important that the consultant understands the
organizations business, that the consultant has dealt with organizations of a similar
size before and has had experience with similar product lines.

Also, an organization should be wary of consultants that endeavor to radically change a

management system that is already performing well. The consultant should come in
and align their knowledge with your requirements and the customer requirements, and
that will work time after time.

The frequency of surveillance assessments will be determined by an organizations

scope as well as its performance, though they will usually be conducted annually or
semi- annually. However, organizations should expect a complete reassessment three
years after initial certification. A surveillance assessment takes into account concerns
such as the fulfillment of management responsibilities, the execution of internal audits
and how an organization is performing in relation to the state of the industry and
customer expectations.

Benefits of Dual Certification: 13485 & 9001

Medical device manufacturers can benefit from being both 9001 and 13485 certified.
While such manufacturers are not required to have 9001 certification, it can bring
further business benefits, because it focuses on business aspects that are good for all
businesses-for example, the emphasis on customer satisfaction and continuous process
improvement that a 13485 management system omits. Manufacturers of medical
devices also will need to acquire 9001 certification if they want to branch out to other
industries, as 13485 certification will not be honored where 9001 is required.