Understanding ISO 13485
ISO 13485: 2003 represents the requirements that medical device manufacturers must incorporate into their management systems. The current document supersedes its 1996 incarnation as well as EN 46001, EN 46002 and ISO 13488.
Though based on ISO 9001, 13485 removes 9001’s emphasis on continual improvement and customer satisfaction. In its place is an emphasis on meeting regulatory as well as customer requirements, risk management and maintaining effective processes, namely the processes specific to the safe design, manufacture and distribution of medical devices.
13485 is in part designed to produce a management system that facilitates compliance with the requirements of customers and, preeminently, various global regulators. While being certified to 13485 does not fulfill the requirements of either the FDA or foreign regulators, the certification aligns an organization’s management system to the requirements of the FDA’s Quality System Regulation (QSR) as well as many other regulatory requirements found throughout the world. Therefore, 13485 certification serves to create a management system that can be thought of as a framework on which to build compliance with various regulatory and customer requirements.
Christian Lupo, general manager of Ann Arbor, MI-based NSF International Strategic Registrations states, “If the proper management system framework is in place it should facilitate the identification and implementation of country-specific requirements for the management system of medical device manufacturers. ISO 13485 is not specific enough to contradict country specific requirements, and should serve as a baseline management system for all.”
13485 dictates that risk management must be thoroughly documented and conducted throughout a product’s entire lifecycle, from initial concept to delivery and post-delivery. However, the standard leaves the specifics to a related standard, ISO 14971: 2001, Application of Risk Management for Medical Devices. While 13485 states that a manufacturer’s management team is charged with the management of device-related risks and the development of risk management plans, 14971 defines a list of steps to be taken by management in order to fulfill risk-related requirements. While it is not mandatory that a manufacturer be 14971 certified in order to attain 13485 certification, being certified to the former standard can ease the attainment of certification to the latter.
“The fact that ISO 13485 counsels the application of ISO 14971 speaks to its importance for those seeking 13485 certification,” says Mairead Ridge, marketing associate for IBS America (Lexington, MA). “Compliance programs for both standards, when implemented together, can help manufacturers build an enterprise program for risk management and quality assurance.” Evidencing the consistent assessment and mitigation of risks throughout all stages of a product’s lifecycle is important for achieving certification to both 13485 and 14971.
Issues and Trends
The purpose of 13485 certification is sometimes misunderstood. 13485 certification does not fulfill the requirements of 9001, nor is it equivalent to, or able to take the place of, any country-specific requirement for medical device manufacturers. As previously mentioned, the standard is in part meant to serve as a means to the creation of a management system that aligns with the requirements of various regulators.
Phillip C. Dobyns, technical manager for Wayne, PA-based HSB Registration Services, elaborating on this idea, says, “The ISO 13485 accomplishes a harmonization by writing specific medical device requirements in a generic framework that allows any specific or unique needs of local regulation to be addressed.”
Medical device manufacturers also should realize the importance that risk management bears in a 13485 management system. “A lot of places typically look at risk management only at the design and development function and they don’t carry it through the entire lifecycle of the product or process,” says Nadia Perreault, medical device technical manager for National Quality Assurance USA (NQA, Acton, MA). “People think that it is just a little snippet in time during the design and development phase.”
While Perreault points out that medical device manufacturers are not giving risk management its due gravity in their management systems, IBS’ Ridge reports that the recognition of the need for thorough enterprise-wide risk management practices is growing. “Risk assessments have become a key activity that manufacturers perform throughout the product lifecycle, whether they are designing new products, choosing suppliers, inspecting finished goods or performing corrective actions based on customer complaints,” says Ridge. A combination of increased regulation and technological advances is forcing medical device manufacturers to couple their management systems with enterprise-wide risk management programs.
13485 is no longer thought of as pertaining solely to finished medical device manufacturers. Today, such manufacturers are requiring their sub-tier suppliers to also attain 13485 certification. Of this phenomenon, Arlen Chapman, quality systems director for NQA, notes, “Medical device manufacturers want to realize better products and better services. I see it more from the financial standpoint for them - for cost savings, making sure they have good suppliers, that they’re communicating with them properly and managing them properly.” This is risk management enacted to establish supplier quality, as it is difficult for a manufacturer to single-handedly regulate the quality programs of its suppliers.
The Certification Process
As with any ISO certification, medical device manufacturers wishing to obtain 13485 certification first need to educate themselves on the requirements of regulators and customers, as well as what a 13485-compliant management system will entail. Then a management system that conforms to the standard’s requirements needs to be implemented within the organization.
The first step to creating the management system should be drafting a quality manual; the quality manual outlines an organization’s goals, processes and procedures for compliance and quality management. An employee with the know-how to develop and implement such a program can create the management system internally; otherwise, a hired consultant with an expertise in the 13485 market can be used. After the quality manual has been written and a management system has been implemented, the organization needs to seek a certification body it is comfortable with.
When seeking a certification body, the organization needs to be sure that the registrar is accredited by an accrediting body to include 13485 certification in its scope. The organization seeking certification should ask to see credentials and references from a prospective registrar. For example, in North America, certification bodies will be accredited through an organization such as ANSI/ASQ National Accreditation Board (ANAB). There are accreditation boards in every major country that review certification bodies to ensure they meet requirements.
It also is important to keep the target market in mind. For instance, if a medical device manufacturer wants to sell in North America, it should seek certification through a registrar accredited by a North American accreditation body to ensure it will meet country-specific or customer requirements.
Lupo notes that countries are reluctant to accept 13485 registration from another country’s accreditation body. “For example, Health Canada and the European Union do not accept an accredited registration from an ANAB accredited registrar,” says Lupo. “ANAB is part of the IAF MLA, yet U.S. accreditations are not accepted anywhere except for medical device manufacturers that only trade in the United States.”
If a consultant is required, the organization needs to be sure that the prospect has expertise in 13485, and requesting referrals from an accredited registrar also can aid in finding the right match. It is important that the consultant understands the organization’s business, that the consultant has dealt with organizations of a similar size before and has had experience with similar product lines.
Also, an organization should be wary of consultants that endeavor to radically change a management system that is already performing well. Steve Upton, medical device business unit manager for NQA, states, “The consultant should come in and align their knowledge with your requirements and the customer requirements, and that will work time after time.”
The steps to attaining 13485 certification are similar to those of 9001, with some type of off-site document review followed by a preassessment and then assessment. After certification, an organization will be subject to ongoing surveillance by its certification body. The duration of the assessment is contingent on an organization’s scope: its size, number of personnel, and type and complexity of products manufactured. Taking these elements into consideration, an organization can expect an assessment to last anywhere from a couple of days to more than a month.
The frequency of surveillance assessments will be determined by an organization’s scope as well as its performance, though they will usually be conducted annually or semi-annually. However, organizations should expect a complete reassessment three years after initial certification. A surveillance assessment takes into account concerns such as the fulfillment of management responsibilities, the execution of internal audits and how an organization is performing in relation to the state of the industry and customer expectations.
ISO 13485 Tomorrow
An increase in 13485 certification and further regulatory harmonization are possibilities in the standard’s future. Dobyns says that at present few organizations voluntarily seek this sector-specific certification, but that that will change as customers elect to mandate it.
The Global Harmonization Task Force, a voluntary organization with members ranging from registrars to government agencies to top individuals in the medical device industry, is endeavoring to bring international harmonization to medical device certification through 13485. The organization is pushing for the use of 13485 in place of country-specific regulatory requirements.
For more information on the companies mentioned in this article, visit their Web sites:
- ANAB, www.anab.org
- HSB Registration Services, www.hsbiso.com
- IBS America, www.ibs-us.com
- National Quality Assurance USA (NQA), www.nqa-usa.com
- NSF International Strategic Registrations, www.nsf-isr.org
Visit www.qualitymag.com and type “medical device standards” into the search engine to find related articles. Among the results you’ll find:
- “Quality Standards: Harmonizing Standards,” by Kenneth Slickers, Ph.D.
- “Quality 101: Quality Standards Defined”
- “The Traceability Advantage,” by Mark Symonds
- “MES Reduces FDA Compliance Costs,” by Joseph Vinhais
- “Quality Management: SOPs Relay Knowledge,” by Cindy Fazzi
Benefits of Dual Certification: 13485 & 9001
Medical device manufacturers can benefit from being both 9001 and 13485 certified. While such manufacturers are not required to have 9001 certification, it can bring further business benefits, because it focuses on business aspects that are good for all businesses, for example the emphasis on customer satisfaction and continuous process improvement that a 13485 management system omits. Manufacturers of medical devices also will need to acquire 9001 certification if they want to branch out to other industries, as 13485 certification will not be honored where 9001 is required.