ISO 13485:2016 is a quality management standard for medical devices. This standard provides a basis for the quality management system in parallel to the EU MDR and other international regulatory changes which occurred since the second revision of the standard. On the other hand, this 2016 revision brought requirements closer to the US FDA expectations, by enhancing requirements for control of outsourced processes, validation, risk management, compliance with legal requirements.
Compared to the second revision (ISO 13485:2003), the basic structure with 8 main clauses remained the same. The first three are introductory and the last five contain the mandatory requirements for the Quality Management System. Let’s have a look one by one.
ISO 13485 Quality Management System Standard
An ISO 13485 Quality Management System can be implemented by organizations which take part in the life cycle of a medical device. As stated in our post about the EU MDR, the life cycle covers all phases from initial conception to final decommissioning and disposal. Organizations which are involved in design and development, production, storage, distribution, installation, servicing or associated activities can choose to implement an ISO 13485 Quality Management System. In other words, it is applicable to legal manufacturers, subcontractors of manufacturers, importers, distributors, and companies providing related services. When defining the scope of an ISO 13485 Quality Management System, the key question would be “What are the effects of the process on the safety of the concerned medical device?” If the outputs of the process have an effect on medical device safety, ISO 13485 would be the best solution to control it.
Manufacturers often mix up the terms “not applicable” and “exclusion”. As per clause 1 of the ISO 13485, only clause 7.3 Design and Development can be excluded from the scope of the quality management system if applicable regulatory requirements permit.
If any requirement in clauses 6, 7 and 8 is not applicable due to the activities undertaken by the organization or the nature of the medical device for which the quality management system is applied, the organization may choose not to implement them. In such a case the justification for being not applicable shall be documented in the Quality Manual.
ISO 13485 defines what to do for the safety of a medical device. In other words, it is just a requirement list. It does not define how to implement those requirements and manage the processes. The “hows” shall be defined according to many company-specific factors, such as the type and technical specification of the medical device, staff competency, process complexity, company culture and applicable regulatory requirements. To establish a successful ISO 13485 Quality Management System, a tailor-made approach shall be used by analysing the processes.
2 Normative references
Clause 2 of ISO 13485 lists ISO 9000 Quality management systems — Fundamentals and vocabulary as a reference. Please note that ISO 13485:2016 is not in line with the “High Level Structure” (HLS) developed by ISO. Therefore, the use of ISO 9001 with ISO 13485:2016 brings many additional requirements unlike the previous version of ISO 9001.
3 Terms and definitions
ISO 13485, with the terms “quality management system” and “regulatory purposes” within its name, clearly aims to help manufacturers meet the legal requirements of the countries in which they intend to market their products. In clause 3, ISO 13485 lists 20 terms which are aligned with most of the medical device regulations around the world. Before you start to implement the standard in your organization, it is important that you review these terms and definitions for a better understanding of clauses 4 to 8.
4 Quality management system
Clause 4 defines the requirements for a risk-based process approach together with documentation and record keeping measures.
The key to a successful implementation is to analyse each product realization process in a risk-based approach. The outcomes of the process risk management plan can be easily transformed into an implementation plan. Defining process inputs, outputs, responsibilities, resources and performance criteria will help you a lot to identify the necessary control methods. The magic questions “What will happen if I do not control this process step?” and “What is the effect on the medical device safety?” should be used to define the limits of each process. Please be aware that an effective procedure for process risk management activities would be required to comply with clause 4.1 of the standard.
5 Management responsibility
Top management support is essential for a successful ISO 13485 Quality Management System implementation. Due to this fact, management commitment and customer focus are the key principles mentioned in clause 5 of the standard.
The quality policy shall provide a framework for establishing the quality objectives. You should set “SMART” (Specific, Measurable, Attainable, Realistic, Time dependent) objectives and prepare detailed action plans under the PDCA (Plan – Do – Check – Act) approach. As part of the PDCA cycle, the management review procedure shall demonstrate conformance to clause 5.6 of the standard.
6 Resource Management
Clause 6 of the standard lists requirements for human resources, infrastructure and work environment. Again, to ensure the safety of the medical device, manufacturers shall provide enough resources covering these three topics.
The standard requires that personnel performing work affecting product quality shall be competent on the basis of appropriate education, training, skills and experience. The necessary actions, such as training, shall be planned and implemented to reach the desired competency level. In that sense, manufacturers shall evaluate the effectiveness of these actions and plan new ones under the PDCA approach if needed.
The 2016 version of the standard has a better structure to specify the requirements for cleanliness and sterility. If required by the medical device specifications the cleanliness shall be established by implementing the contamination control requirements parallel to ISO 14644 and ISO 14698.
7 Product Realization
Clause 7 of the standard details the classical quality control approach to ensure medical device safety. A good strategy to conform could be to convert the defined product specification into a quality plan under a risk-based approach.
The requirements for customer-related processes shall be defined and implemented according to clause 7.2 of the standard. Documented procedures for design and development and for purchasing shall be established and implemented. The focus of these procedures shall be to ensure that the medical device conforms to specified product data and complies with the regulatory requirements.
In the same manner as design and development, the production and service provisions shall be planned, carried out, monitored, and controlled to ensure that the medical device conforms to specifications. Again, to define the limits of the required control methods, a risk-based approach shall be implemented. The defined manufacturing and quality control measures shall ensure the identification and traceability requirements of the standard.
8 Measurement, analysis and improvement
The monitoring, measurement, analysis and improvement processes shall demonstrate product and quality management system conformity. In addition, these processes shall maintain the effectiveness of the quality management system.
Methods to review and control customer feedback and complaints shall be defined. Together with these, tools like internal audits, the nonconformity management procedure, and corrective and preventive actions shall be embedded in each process of the quality management system. In this way, the organization can achieve a high level of effectiveness and ensure that the medical devices are safe and comply with the regulatory requirements.
By implementing the applicable requirements of ISO 13485:2016, a medical device manufacturer can ensure compliance with regulatory and legal requirements and improve process efficiency, which will lead to safe medical devices. For a successful preparation phase, an extensive gap analysis against the above-mentioned requirements would be extremely useful. In addition to this, a robust risk management process which is aligned with ISO 14971 and ISO/TR 24971 should be implemented as of day 1.
If you would like to get detailed information about a specific clause of the standard, do not hesitate to contact us and request a preliminary meeting. We would be happy to discuss possible roadmaps for an effective ISO 13485 implementation with you.