ISO 13485: Basics and How to Get Started (QMS for Medical Devices)

iso 13485 checklist

In today’s business world, owners are constantly grappling with concerns and surmounting obstacles, the least of which is actually staying afloat financially in what can be an unforgiving economy.

However, the struggle to turn a profit pales in comparison to some of the harsher consequences of failing to comply with certain regulatory requirements.

Take HRIS broker Zenefits for example. Failure to comply with several licencing regulations issued by the California Department of Insurance landed them a $7million fine.

That’s just the tip of the iceberg; more severe penalties extend to include government bodies compelling you to dissolve your company, and ultimately the endangerment of the lives and well-being of individuals your organization is servicing.

“On a global scale, we are all being asked to do more with less—and for less. At some point soon, the current internal systems will not be able to hold back the deluge, and companies will be faced with a stark decision—consistently improve or perish” – Erik Myhrberg and Joseph Raciti, Practical Field Guide for ISO 13485

Often, these kinds of requirements take the form of the ISO 13485 standard for medical device manufacturers.

In this article, I’ll break down the ISO 13485 standard, from a basic introduction to suggestions and resources for implementing it in your business or organization.

What is ISO 13485?

Simply put, ISO 13485 is a set of requirements defined by The International Organization for Standardization, designed to be used by medical device manufacturers as a form of quality management system.

Perhaps the medical device industry’s most popular international standard for quality management, ISO 13485 provides a framework for manufacturers to implement the Medical Device Directives while simultaneously demonstrating a commitment to the quality and safety guidelines of medical devices.

As of writing, the most recent version of the standard is ISO 13485:2016.

Basically, ISO 13485 is like a quality management system for organizations involved in design, production, installation, and servicing of medical devices, with some other important requirements for good measure.

The ISO 13485 framework also forms the basis for auditing these same organizations, for both internal and external audits.

Why is ISO 13485 important?

Source

In the medical devices industry, quality management goes hand-in-hand with safety, and both are non-negotiables.

Requirements like those set out by ISO 13485 are strictly enforced throughout every stage of a medical device’s life-cycle, including stages after manufacturing like delivery, service, and maintenance.

Organizations using ISO 13485 can be involved in any stage of the medical devices life-cycle. Design, development, production, distribution, servicing; even supporting activities like maintenance and customer service.

Increasingly, ISO 13485 is becoming necessary for medical devices companies to compete for customer attention. This is because audits by customers (2nd party audits) are becoming less common due to the rise of 1st party (internal) and 3rd party (external, for certification) audits.

How do management systems work?

Source

A “management system” is a term that is very much like “business process management“. It’s a broad, umbrella term that refers to many different ways in which organizations manage all of their parts in order to achieve their objectives.

Some ISO standards are known as “management system standards”, or MSS. This term was introduced to try and establish a shared framework so that different management systems could integrate with and complement one another. It’s a more recent development of ISO standards.

For example, ISO 9001 is a management system standard. The management system here is a “quality management system”.

Similarly, ISO 14001 defines requirements for an “environmental management system“. You get the idea.

In the case of ISO 13485, it isn’t so much a management system in its own right; rather, it’s based on the core principles of ISO 9001 for quality management, applied in the context of medical devices manufacturing.

ISO management systems share a common high-level structure known as Annex L.

Annex L: the management system high-level structure (HLS)

Annex L (formerly known as Annex SL) is the high-level structure that allows all of these ISO management systems to work together harmoniously.

If you already use an MSS in your business, and you want to integrate another based on a completely different set of ISO requirements, then Annex L makes that possible.

Because of the Annex L structure, if you’re familiar with one MSS, you’ll be able to apply that knowledge with another one immediately, even if it’s your first time.

According to Annex L, a Management System Standard should follow the structure:

  • Scope
  • Normative references
  • Terms and definitions
  • Context of the organisation
  • Leadership
  • Planning
  • Support
  • Operation
  • Performance evaluation
  • Improvement

However, since ISO 13485:2016 isn’t a fully-fledged management system in its own right, it doesn’t share the high-level Annex L structure. Rather, it’s made up of five core elements, derived from the ISO 9001 structure for quality management systems.

ISO standards: Requirements vs. guidelines

There are two types of ISO management system standards:

  1. Ones that specify requirements (known as Type A, like ISO 9001 for quality management systems)
  2. Ones that act as guidelines (known as Type B, like ISO 26000 for social responsibility)

Some examples of Type A management system standards:

  • ISO 9001:2015, Quality management systems – Requirements
  • ISO 14001:2015, Environmental management systems – Requirements with guidance for use
  • ISO 50001:2018, Energy management systems – Requirements with guidance for use

And Type B:

ISO 13485 is an example of Type A; that means it defines a set of requirements, as opposed to just guidelines.

Quality management systems

A quality management system (QMS) is basically just a collection of policies, procedures, documented processes, and records that an organization uses to define the best practice principles for creating and delivering their product or service.

Every QMS is different, tailored to fit the specific business goals and services of a company. For ISO 13485, the quality management aspects focus on medical device manufacturing.

PDCA/PDSA

iso 13485 checklist

Part of every ISO quality management system involves the principles of Plan-Do-Check-Act, sometimes modified to Plan-Do-Study-Act.

PDSA and PDCA, including the differences between them, are discussed at length in this article on the Deming cycle.

In the context of ISO 13485, PDSA/PDCA can be understood as a framework of continuous improvement; to identify, understand, and improve on existing processes and procedures in the medical device design and manufacturing processes.

Why is ISO 13485 useful?

When implemented properly, ISO 113485 can be used to reap large cost and efficiency savings.
Here are some examples of how ISO 13485 can benefit your business or organization:

Public image and credibility

Customers will recognize ISO 13485 as a symbol of quality control and assurance.

Whether you’ve been certified by 3rd party CB or have implemented the standard yourself as part of an internal effort to establish a QMS, customers recognize that ISO 13485 is focused on providing high-quality products and services.

Customer satisfaction

Beyond public image, customers see direct benefits from the focus on customer satisfaction that ISO 13485 champions.

By focusing on and providing products and services based on a system for continuous customer satisfaction, you extend customer lifetime value and increase the likelihood of repeat business and word-of-mouth recommendation.

Total process integration

ISO 13485 is a BPM approach, which means you don’t just look at individual processes, but how they interact with one another.

By doing this, you can discover new areas for process improvement and ways to make your processes more efficient, by consolidating redundant tasks and eliminating manual work with techniques like automation and process improvement.

Make better decisions, based on evidence

Making “good decisions” isn’t straightforward; however, you can strive to make “better decisions” by using evidence to inform your decision-making process.

ISO 13485 helps inform your decision-making by way of the requirements for recording and documenting pretty much everything that goes on in the QMS.

When you know exactly where a process is failing, and have data to back it up, you’ll be in a better position to target your resources at solving the problem, and improve organizational efficiency and effectiveness.

Cultivate continuous improvement

continuous improvement process
Continuous improvement is more than a framework; it’s a mentality that can be cultivated in a workplace environment towards common goals.

The tendency for quality management systems to prioritize continuous improvement is what allows for ever-increasing gains in cost, time, and other resource savings.

By implementing a QMS to the requirements of ISO 13485, you encourage understanding of the value and cultivation of continuous improvement throughout your organization.

Empower your workforce

Adopting ISO 13485 means your workforce takes ownership for managing and innovating on the processes they’re using most often. Besides, who better to take responsibility for a process than the people working in and on them?

Core sections of ISO 13485

ISO 13485 is composed of eight clauses, the first three being introductory references. That leaves five core sections that constitute the requirements for ISO 13485:2016:

Section 4: Quality management system

iso 13485 checklist

This section establishes the general requirements for a quality management system, including how to document and record information.

Section four requirements:

  • Quality manual
  • Medical device file
  • Control of documents
  • Control of records

Section 5: Management responsibility

This is where the top management will find their responsibility requirements for implementing and maintaining the QMS. That means planning as well as the ongoing review to ensure the QMS is performing up-to-scratch.

Section five requirements:

  • Management commitment
  • Customer focus
  • Quality policy
  • Quality objectives & QMS planning
  • Responsibility, authority & communication
  • Management review

Section 6: Resource management

This section is relatively short, but it covers everything about resource control and management, including HR, physical spaces, organizational infrastructure, and the working environment.

Section six requirements:

  • Provision of resources
  • Human resources
  • Infrastructure
  • Work environment and contamination control

Section 7: Product realization

iso 13485 checklist

Product-specific requirements cover all components of the product (or service) design and creation of medical devices.

This includes everything from planning and product design, to creating and rolling-out products and services, to equipment control and servicing.

Section seven requirements:

  • Planning of product realization
  • Suitable planning for the organization’s operations
  • Design and development
  • Purchasing
  • Production and service provision
  • Control of monitoring and measuring equipment

Section 8: Measurement, analysis and improvement

Finally, section eight includes requirements for making sure you can understand how well your QMS is performing, and have the systems in place to fine-tune and optimize what is or isn’t working.

This includes corrective and preventative actions for assessing customer satisfaction, product non-conformance, assessing and improving quality policies and procedures, carrying out and assessing the results of internal audits, and implementing systems for continuous improvement.

Section eight requirements:

  • General
  • Goal of monitoring, measurement, analysis for improvement
  • Control of nonconforming product
  • Analysis of data
  • Improvement

ISO 13485 certification

Source

Certification isn’t a requirement of ISO 13485, but it can be necessary, depending on the context.

For example, certain government bodies might issue requirements for ISO 13485 certification; similarly, customers may require that their clients get certified to meet their specific needs.

So what does it mean to be ISO 13485 certified?

Simply put, it means an organization’s quality management system has been audited by a registered Lead Auditor or Certified Body to the requirements of ISO 13485, and have successfully proven that all requirements have been met.

Organizations can get ISO 13485 certified only by 3rd party organizations. However, it’s worth noting that ISO themselves don’t award certifications; they simply define the requirements for each standard.

Auditing ISO 13485

The ISO defines an audit as:

“[the] systematic, independent and documented process for obtaining audit evidence [records, statements of fact or other information which are relevant and verifiable] and evaluating it objectively to determine the extent to which the audit criteria [a set of policies, procedures or requirements] are fulfilled.” – ISO 19011:2018 – Guidelines for Auditing Management Systems

Audits are used to make sure requirements are being met; depending on the type and scope of audit, importance will be placed on different aspects.

How to audit a medical management system

Approaches will vary, depending on the context. With that in mind, there are two types of ISO audit:

External
External (3rd party) audits are the type that will lead to an ISO certification. These can only be performed by a registered Lead Auditor or Certified Body.

To reiterate: ISO do not perform audits to certify organizations to their standards. ISO audits are always performed by registered 3rd party auditors.

The organization employed to perform a third-party audit should have no conflict of interest.

Typically, third-party audits will result in certification; however, they may also result in a citation, fine, or penalty should the audit fail.

Internal
Internal (1st and 2nd) party audits can be performed by individuals within your organization; no special training is required per-se, although familiarity with the standard being audited to is of course a good idea.

You can’t get certified with internal audits, but they are still very useful. In fact, having a system in place for performing internal audits is a requirement for a quality management system as per ISO 9001:2015. So, in order to get certified, sooner or later you’ll have to acquaint yourself with internal audits.

Luckily for you, we have a template built specifically for performing internal audits against the ISO management systems, designed in accordance with the guidelines of 19011:2018 for auditing management systems.

With this checklist, you’ll be able to prepare an audit program for your ISO 13485 quality management system for medical devices.

ISO 19011:2018 Audit Checklist

ISO 19011 is the standard that defines guidelines for performing audits on management systems. By following this checklist, you can prepare an audit program for your ISO 13485 medical devices quality management system.

Click here to get the checklist.

You could also use this ISO 9001:2015 internal audit template to draw inspiration for the ISO 13485:2016 audit:

Using Process Street for ISO 13485

Process Street makes implementing ISO 13485 easier than ever. Since the 2015 updates to many ISO management system standards, it’s perfectly acceptable, if not encouraged to use a BPM software like Process Street to build and maintain your management systems.

These revisions also mean you can write SOPs that are highly actionable, and improve efficiency and effectiveness with features like conditional logic and role assignments, all while adhering to ISO requirements for document control.

This introductory webinar demonstrates some of the ways you can use Process Street to streamline your ISO management systems:

More ISO resources

Check out these articles on ISO and standard operating procedures:

We also have a bunch more premade ISO templates to make your life easier:

These are all completely free; just sign up for a new Process Street account (it takes less than 2 minutes).

What is the most important piece of advice you’d share to anyone looking to implement ISO 13485, or any other standard? Let us know in the comments below!

Get our posts & product updates earlier by simply subscribing

Oliver Peterson

Oliver Peterson is a content writer for Process Street with an interest in systems and processes, attempting to use them as tools for taking apart problems and gaining insight into building robust, lasting solutions.


2 Comments

The diagram labelled “waterfall design process for medical devices” is NOT a waterfall. Your mistake was to read it as a flow CHART (start here and go on to the end). It is rather a flow DIAGRAM showing how information flows between processes with no suggestion that one process precedes any other. The FDA’s own guidance document makes that clear. Nothing in that guidance requires one set of information to be complete before starting on the next, as would be required by a waterfall.
If I had a penny for every time I have pointed this out to people, I would have a lot more pennies than I do.

Hi Keith, thanks for the comment.

You’re right that the FDA guidance doesn’t require a waterfall approach. You’re also correct in stating that the diagram illustrates the flow of information in the process.

However, I’d argue it is still a “waterfall” diagram.

It illustrates a process for iterative device design and development, starting with the requirements of ISO 13485, and logically translating them into a medical device. It’s assumed that the process begins with recognizing user needs.

The principle here is that inputs cannot be designed or developed until user needs are fully understood and factored in, and so on for each subsequent step. The review in this case will also follow the completion of the process, in order to assess each step of design and development and figure out what could be improved.

As such, it is an example of continuous improvement wherein all of the steps feed back into one another; but order of execution is still important. That’s why I’d argue it makes sense to label the diagram as a “waterfall” diagram.

Let me know your thoughts on this. It’s an interesting (not to mention useful for other readers) conversation to pursue.


Leave a comment

Your email address will not be published. Required fields are marked.

Get a free Process Street account
and take control of your workflows today.

No Credit Card Required