ISO 13485 is an international standard used by Manufacturers of Medical Devices to help design a Quality Management System (QMS). It was developed to ensure that medical grade devices or software is safe, meets customer expectations, and complies with regulatory standards. Regulators such as the MHRA in the UK, European Commission, and FDA in the United States see ISO 13485 as the gold standard for medical device manufacturing, making it practically mandatory for companies to follow.
The standard was developed by experts globally, including volunteers and professionals, working under the International Organisation for Standardisation (ISO) and nationally-aligned bodies like the British Standards Institute (BSI) in the UK.
ISO 13485 provides guidelines for building a QMS- a system designed to ensure that all processes in a company work together efficiently, with clear roles and responsibilities, making it easier to manage and continuously improve product quality whilst keeping patients safe.
Requirements for ISO 13485
ISO 13485 is split into 8 sections, each containing “Requirements” that Medical Device companies need to meet (although specifically how they meet them is for the company to decide how best to implement).- Scope: a brief explanation of which organisations should or could use ISO 13485
- Normative References: other standards you need to read to understand all of ISO 13485.
- Terms and Definitions: a list of terms and their definitions specific to ISO 13485. It is worth noting that the definitions in ISO 13485 don’t always align with the definitions used in Regulations; for example, not all field safety corrective actions as defined in UK, EU or US regulations would fulfil the definition of a Corrective Action in ISO 13485.
Section 4 – Quality Management System
This section establishes the core requirements of what a Quality Management System is and how it must be run, including documentation and records, validation of automated processes and software tools, application of medical device regulations, change control and outsourcing. It also includes the Quality Manual – an overview of your Quality Management System as how it should function. For the most part, ISO 13485 is based on the principles of ISO 9001, meaning there is close alignment between the expectations of a Medical Device Quality Management System and a business quality management system. This is intentional as it allows businesses to ensure quality best practices permeate throughout all functions of their business and are not siloed to a product alone.Section 5 – Management Responsibility
This section establishes the responsibilities of Top Management in developing, managing and maintaining the Quality Management System, Quality Policy and Objectives, assigning resources and responsibilities, focusing on customers as well as planning and reviewing the Quality Management System.Section 6 – Resource Management:
For any medical device manufacturer, it’s essential to have the right resources available in order to run the Quality Management System. This section includes the need for the business to indicate specific requirements on how human resources are managed, as well as critical infrastructure and work environments which could lead to contamination of products.Section 7 – Product Realisation:
This is by far the biggest section. Section 7 covers the planning of operations, how to handle customer-facing activities (e.g. sales, marketing, invoicing, order processing), design and development of medical devices, purchasing and suppliers, production, cleanliness, installation, servicing, identification and preservation of medical devices. Building on the principles of ISO 9001 it enables the business to holistically consider all business critical processes required for the successful development, purchase and implementation of the medical device.Section 8 – Measurement, Analysis and Improvement:
This section ensures proper investigation and action on complaints and non-conforming products and processes. This may include processes for reporting ‘events’ to regulators, conducting internal audits, the monitoring of processes to ensure business efficiency and analysing product data. Depending on the risk level of the Medical Device this will determine the detail and complexity in which this section must be implemented.Certification to ISO 13485
Companies that manufacture or develop medical devices or who supply the medical device industry can be “certified” to ISO 13485, with some Classifications of Medical Device requiring a certification before regulatory approval. An independent certification body reviews or “audits” your business activities, documentation and staff to determine whether and how well you have applied ISO 13485 to your business. Depending on how your company is structured and relationships with suppliers, certification bodies may perform this audit at your main site, across all sites or perhaps at the site of a key supplier – for example, if you have outsourced software development for your product, they may need to audit your development house to certify your business. Certification bodies will need to repeat this audit each year to maintain your ISO 13485 certificate; they audit over a three-year cycle, with a more intensive audit in the first year (certification audit) and a less intensive audit in the second and third year (surveillance audit). However, be warned, not all ISO certifications are created equal. We recently unpacked this in more detail in our blog “Understanding ISO Standards and Certifications”. In some territories and for some products, ISO 13485 certification is part of your regulatory approval, but this is not always the case; lower-risk medical devices in the UK and Europe should follow ISO 13485, but do not need to be certified. For example, a Class 1 Software as a Medical Device (SaMD) deployed in the UK, does not require certification for regulatory approval but, depending on the product features and intended use the same product may need ISO 13485 certification to meet the requirements of EU MDR.Benefits of ISO 13485
When implemented well, ISO 13485 allows you to create a clear, thorough and comprehensive system for running a business that:- creates safe medical devices – e.g. through appropriate testing and inspection
- ensures customer satisfaction – e.g. by recording and responding to customer feedback
- fulfils regulatory requirements – e.g. by reporting safety incidents to regulators
Implementing ISO 13845: Before you get started
Unfortunately, many companies struggle to implement or maintain ISO 13485 compliance. The most common issues are:- Misunderstanding ISO 13485 requirements
- Not engaging all relevant staff
- Utilising generic policies that are not tailored to your business
- Not designing processes efficiently
- Not providing clear and user-friendly instructions for staff
- Disagreements about responsibilities
- Time-consuming manual administration
- Compliance becoming a distraction from innovation and improvements
ISO 13485 – Quality Management
Once you’ve completed your implementation and/or certification, the intention is that you continually maintain and improve the system you’ve set up, through activities such as:- Training new staff
- Making processes more efficient
- Maintaining process instructions
Integration with Other Standards – ISO 9001, ISO 27001 and ISO 42001
Management System standards developed by ISO – such as ISO 9001 for quality management of any business, ISO 27001 for information security management and ISO 42001 for AI management – and including ISO 13485 – are built to a standard structure through ISO’s Annex SL requirements. This means that these and similar Management System standards can be easily integrated into a single system – for example, allowing you to set up a single Product Development procedure that addresses quality, information security and AI requirements in a single process and if you decide to add another standard in future, it should be easy to integrate these new requirements into your existing structure (with some thorough planning and advice), which can give you a more gradual route to implementing compliance requirements than trying to do them all at once.Need help with ISO 13845?
With experience across a range of Software, Hardware and In-Vitro Diagnostic Medical Devices, we have the skills and knowledge you need to take your product to market. Whether you’re just starting out or looking for support, we’re here to help. Find out more about our tailored QMS services →Get expert ISO compliance support today.
Ready to accelerate growth with streamlined ISO compliance? Book your free, no obligation discovery call with one of our compliance experts below.