In today’s business world, owners are constantly grappling with concerns and surmounting obstacles, the least of which is actually staying afloat financially in what can be an unforgiving economy.
However, the struggle to turn a profit pales in comparison to some of the harsher consequences of failing to comply with certain regulatory requirements.
Take HRIS broker Zenefits for example. Failure to comply with several licensing regulations issued by the California Department of Insurance landed them a $7 million fine.
That’s just the tip of the iceberg; more severe penalties extend to include government bodies compelling you to dissolve your company, and ultimately the endangerment of the lives and well-being of individuals your organization is servicing.
“On a global scale, we are all being asked to do more with less—and for less. At some point soon, the current internal systems will not be able to hold back the deluge, and companies will be faced with a stark decision—consistently improve or perish” – Erik Myhrberg and Joseph Raciti, Practical Field Guide for ISO 13485
Often, these kinds of requirements take the form of the ISO 13485 standard for medical device manufacturers.
In this article, I’ll break down the ISO 13485 standard, from a basic introduction to suggestions and resources for implementing it in your business or organization.
What is ISO 13485?
Simply put, ISO 13485 is a set of requirements defined by the International Organization for Standardization, designed to be used by medical device manufacturers as a form of quality management system.
Perhaps the medical device industry’s most popular international standard for quality management, ISO 13485 provides a framework for manufacturers to implement the Medical Device Directives while simultaneously demonstrating a commitment to the quality and safety guidelines of medical devices.
As of writing, the most recent version of the standard is ISO 13485:2016.
Basically, ISO 13485 is like a quality management system for organizations involved in design, production, installation, and servicing of medical devices, with some other important requirements for good measure.
The ISO 13485 framework also forms the basis for auditing these same organizations, for both internal and external audits.
Why is ISO 13485 important?
In the medical devices industry, quality management goes hand-in-hand with safety, and both are non-negotiables.
Requirements like those set out by ISO 13485 are strictly enforced throughout every stage of a medical device’s life-cycle, including stages after manufacturing like delivery, service, and maintenance.
Organizations using ISO 13485 can be involved in any stage of the medical device life-cycle: design, development, production, distribution, servicing, and even supporting activities like maintenance and customer service.
Increasingly, ISO 13485 is becoming necessary for medical devices companies to compete for customer attention. This is because audits by customers (2nd party audits) are becoming less common due to the rise of 1st party (internal) and 3rd party (external, for certification) audits.
How do management systems work?
A “management system” is a term that is very much like “business process management“. It’s a broad, umbrella term that refers to many different ways in which organizations manage all of their parts in order to achieve their objectives.
Some ISO standards are known as “management system standards”, or MSS. This term was introduced to try and establish a shared framework so that different management systems could integrate with and complement one another. It’s a more recent development of ISO standards.
For example, ISO 9001 is a management system standard. The management system here is a “quality management system”.
Similarly, ISO 14001 defines requirements for an “environmental management system“. You get the idea.
In the case of ISO 13485, it isn’t so much a management system in its own right; rather, it’s based on the core principles of ISO 9001 for quality management, applied in the context of medical devices manufacturing.
ISO management systems share a common high-level structure known as Annex L.
Annex L: the management system high-level structure (HLS)
Annex L (formerly known as Annex SL) is the high-level structure that allows all of these ISO management systems to work together harmoniously.
If you already use an MSS in your business, and you want to integrate another based on a completely different set of ISO requirements, then Annex L makes that possible.
Because of the Annex L structure, if you’re familiar with one MSS, you’ll be able to apply that knowledge with another one immediately, even if it’s your first time.
According to Annex L, a Management System Standard should follow the structure:
- Normative references
- Terms and definitions
- Context of the organisation
- Performance evaluation
However, since ISO 13485:2016 isn’t a fully-fledged management system in its own right, it doesn’t share the high-level Annex L structure. Rather, it’s made up of five core elements, derived from the ISO 9001 structure for quality management systems.
ISO standards: Requirements vs. guidelines
There are two types of ISO management system standards:
- Ones that specify requirements (known as Type A, like ISO 9001 for quality management systems)
- Ones that act as guidelines (known as Type B, like ISO 26000 for social responsibility)
Some examples of Type A management system standards:
- ISO 9001:2015, Quality management systems – Requirements
- ISO 14001:2015, Environmental management systems – Requirements with guidance for use
- ISO 50001:2018, Energy management systems – Requirements with guidance for use
And Type B:
- ISO 9004:2018, Quality management — Quality of an organization — Guidance to achieve sustained success
- ISO 26000:2010 Social responsibility – Guidance on social responsibility
ISO 13485 is an example of Type A; that means it defines a set of requirements, as opposed to just guidelines.
Quality management systems
A quality management system (QMS) is basically just a collection of policies, procedures, documented processes, and records that an organization uses to define the best practice principles for creating and delivering their product or service.
Every QMS is different, tailored to fit the specific business goals and services of a company. For ISO 13485, the quality management aspects focus on medical device manufacturing.
Part of every ISO quality management system involves the principles of Plan-Do-Check-Act, sometimes modified to Plan-Do-Study-Act.
PDSA and PDCA, including the differences between them, are discussed at length in this article on the Deming cycle.
In the context of ISO 13485, PDSA/PDCA can be understood as a framework of continuous improvement; to identify, understand, and improve on existing processes and procedures in the medical device design and manufacturing processes.
Why is ISO 13485 useful?
When implemented properly, ISO 13485 can be used to reap large cost and efficiency savings.
Here are some examples of how ISO 13485 can benefit your business or organization:
Public image and credibility
Customers will recognize ISO 13485 as a symbol of quality control and assurance.
Whether you’ve been certified by a 3rd party CB or have implemented the standard yourself as part of an internal effort to establish a QMS, customers recognize that ISO 13485 is focused on providing high-quality products and services.
Beyond public image, customers see direct benefits from the focus on customer satisfaction that ISO 13485 champions.
By focusing on and providing products and services based on a system for continuous customer satisfaction, you extend customer lifetime value and increase the likelihood of repeat business and word-of-mouth recommendation.
Total process integration
ISO 13485 is a BPM approach, which means you don’t just look at individual processes, but how they interact with one another.
By doing this, you can discover new areas for process improvement and ways to make your processes more efficient, by consolidating redundant tasks and eliminating manual work with techniques like automation and process improvement.
Make better decisions, based on evidence
Making “good decisions” isn’t straightforward; however, you can strive to make “better decisions” by using evidence to inform your decision-making process.
ISO 13485 helps inform your decision-making by way of the requirements for recording and documenting pretty much everything that goes on in the QMS.
When you know exactly where a process is failing, and have data to back it up, you’ll be in a better position to target your resources at solving the problem, and improve organizational efficiency and effectiveness.
Cultivate continuous improvement
Continuous improvement is more than a framework; it’s a mentality that can be cultivated in a workplace environment towards common goals.
The tendency for quality management systems to prioritize continuous improvement is what allows for ever-increasing gains in cost, time, and other resource savings.
By implementing a QMS to the requirements of ISO 13485, you encourage understanding of the value and cultivation of continuous improvement throughout your organization.
Empower your workforce
Adopting ISO 13485 means your workforce takes ownership of managing and innovating on the processes they’re using most often. Besides, who better to take responsibility for a process than the people working in and on it?
Core sections of ISO 13485
ISO 13485 is composed of eight clauses, the first three being introductory references. That leaves five core sections that constitute the requirements for ISO 13485:2016:
Section 4: Quality management system
This section establishes the general requirements for a quality management system, including how to document and record information.
Section four requirements:
- Quality manual
- Medical device file
- Control of documents
- Control of records
Section 5: Management responsibility
This is where top management will find their responsibility requirements for implementing and maintaining the QMS. That means planning as well as the ongoing review to ensure the QMS is performing up to scratch.
Section five requirements:
- Management commitment
- Customer focus
- Quality policy
- Quality objectives & QMS planning
- Responsibility, authority & communication
- Management review
Section 6: Resource management
This section is relatively short, but it covers everything about resource control and management, including HR, physical spaces, organizational infrastructure, and the working environment.
Section six requirements:
- Provision of resources
- Human resources
- Work environment and contamination control
Section 7: Product realization
Product-specific requirements cover all components of the product (or service) design and creation of medical devices.
This includes everything from planning and product design, to creating and rolling-out products and services, to equipment control and servicing.
Section seven requirements:
- Planning of product realization
- Suitable planning for the organization’s operations
- Design and development
- Production and service provision
- Control of monitoring and measuring equipment
Section 8: Measurement, analysis and improvement
Finally, section eight includes requirements for making sure you can understand how well your QMS is performing, and have the systems in place to fine-tune and optimize what is or isn’t working.
This includes corrective and preventative actions for assessing customer satisfaction, product non-conformance, assessing and improving quality policies and procedures, carrying out and assessing the results of internal audits, and implementing systems for continuous improvement.
Section eight requirements:
- Goal of monitoring, measurement, analysis for improvement
- Control of nonconforming product
- Analysis of data
ISO 13485 certification
Certification isn’t a requirement of ISO 13485, but it can be necessary, depending on the context.
For example, certain government bodies might issue requirements for ISO 13485 certification; similarly, customers may require that their clients get certified to meet their specific needs.
So what does it mean to be ISO 13485 certified?
Simply put, it means an organization’s quality management system has been audited by a registered Lead Auditor or Certified Body to the requirements of ISO 13485, and has successfully proven that all requirements have been met.
Organizations can get ISO 13485 certified only by 3rd party organizations. However, it’s worth noting that ISO themselves don’t award certifications; they simply define the requirements for each standard.
Auditing ISO 13485
The ISO defines an audit as:
“[the] systematic, independent and documented process for obtaining audit evidence [records, statements of fact or other information which are relevant and verifiable] and evaluating it objectively to determine the extent to which the audit criteria [a set of policies, procedures or requirements] are fulfilled.” – ISO 19011:2018 – Guidelines for Auditing Management Systems
Audits are used to make sure requirements are being met; depending on the type and scope of audit, importance will be placed on different aspects.
How to audit a medical management system
Approaches will vary, depending on the context. With that in mind, there are two types of ISO audit:
External (3rd party) audits are the type that will lead to an ISO certification. These can only be performed by a registered Lead Auditor or Certified Body.
To reiterate: ISO do not perform audits to certify organizations to their standards. ISO audits are always performed by registered 3rd party auditors.
The organization employed to perform a third-party audit should have no conflict of interest.
Typically, third-party audits will result in certification; however, they may also result in a citation, fine, or penalty should the audit fail.
Internal (1st and 2nd party) audits can be performed by individuals within your organization; no special training is required per se, although familiarity with the standard being audited to is of course a good idea.
You can’t get certified with internal audits, but they are still very useful. In fact, having a system in place for performing internal audits is a requirement for a quality management system as per ISO 9001:2015. So, in order to get certified, sooner or later you’ll have to acquaint yourself with internal audits.
Luckily for you, we have a template built specifically for performing internal audits against the ISO management systems, designed in accordance with the guidelines of ISO 19011:2018 for auditing management systems.
With this checklist, you’ll be able to prepare an audit program for your ISO 13485 quality management system for medical devices.
ISO 19011:2018 Audit Checklist
ISO 19011 is the standard that defines guidelines for performing audits on management systems. By following this checklist, you can prepare an audit program for your ISO 13485 medical devices quality management system.
You could also use this ISO 9001:2015 internal audit template to draw inspiration for the ISO 13485:2016 audit.
Using Process Street for ISO 13485
Process Street makes implementing ISO 13485 easier than ever. Since the 2015 updates to many ISO management system standards, it’s perfectly acceptable, if not encouraged, to use BPM software like Process Street to build and maintain your management systems.
These revisions also mean you can write SOPs that are highly actionable, and improve efficiency and effectiveness with features like conditional logic and role assignments, all while adhering to ISO requirements for document control.
More ISO resources
Check out these articles on ISO and standard operating procedures:
- Agile ISO: How to Combine Compliance with Rapid Process Improvement
- 20 Free SOP Templates to Make Recording Processes Quick and Painless
- What is a Quality Management System? The Key to ISO 9000
- What is Quality Management? The Definitive QMS Guide (Free ISO 9001 Template)
- What is an ISO Audit? Free ISO 9000 Self-Audit Checklist (ISO 9004:2018)
- What is ISO 9001 Certification? How to Get Certified (For Beginners)
- How to Write an Actionable Policy and Procedure Template (ISO Compliant!)
- What is ISO 14000? EMS Basics & Implementation (Environmental Management)
We also have a bunch more premade ISO templates to make your life easier:
- ISO 9000 Structure Template
- ISO 9000 Marketing Procedures
- Standard Operating Procedure (SOP) Template Structure
- ISO 14001 EMS Structure Template
- ISO 14001 EMS Mini-Manual Procedures
- ISO 14001 Environmental Management Self-Audit Checklist
- ISO 14001:2004 to ISO 14001:2015 EMS Transition Checklist
- ISO 9001 and ISO 14001 Integrated Management System (IMS) Checklist
These are all completely free; just sign up for a new Process Street account (it takes less than 2 minutes).
What is the most important piece of advice you’d share with anyone looking to implement ISO 13485, or any other standard? Let us know in the comments below!
The diagram labelled “waterfall design process for medical devices” is NOT a waterfall. Your mistake was to read it as a flow CHART (start here and go on to the end). It is rather a flow DIAGRAM showing how information flows between processes with no suggestion that one process precedes any other. The FDA’s own guidance document makes that clear. Nothing in that guidance requires one set of information to be complete before starting on the next, as would be required by a waterfall.
If I had a penny for every time I have pointed this out to people, I would have a lot more pennies than I do.
Hi Keith, thanks for the comment.
You’re right that the FDA guidance doesn’t require a waterfall approach. You’re also correct in stating that the diagram illustrates the flow of information in the process.
However, I’d argue it is still a “waterfall” diagram.
It illustrates a process for iterative device design and development, starting with the requirements of ISO 13485, and logically translating them into a medical device. It’s assumed that the process begins with recognizing user needs.
The principle here is that inputs cannot be designed or developed until user needs are fully understood and factored in, and so on for each subsequent step. The review in this case will also follow the completion of the process, in order to assess each step of design and development and figure out what could be improved.
As such, it is an example of continuous improvement wherein all of the steps feed back into one another; but order of execution is still important. That’s why I’d argue it makes sense to label the diagram as a “waterfall” diagram.
Let me know your thoughts on this. It’s an interesting (not to mention useful for other readers) conversation to pursue.
I’m keen to use Process Street for my business. We are also considering ISO 13485. I’m worried that we won’t be able to comply with ISO 13485 software validation requirements if we use cloud software because we won’t have control of updates and we won’t know when to re-validate. Is there a solution to this?
Hey Paul, the simple answer is that ISO 13485’s requirements about software validation apply to the medical devices in question, not the tools you use to implement/manage/audit your ISO standards, so there won’t be a problem.
Since ISO’s 2015 updates you have a lot more agility in how you maintain your standards, and as such you can use Process Street to implement ISO 13485, just like any other ISO standard.
Hope that helps – ISO can be tricky, especially since they’re constantly revising/updating everything. If you want any more advice or clarification, I’d be happy to set up a call to discuss how you can use Process Street.
We design and perform clinical trials as well as regulatory submissions. In your opinion:
1. Can we become ISO 13485 compliant and certified
2. Would it be beneficial
3. Do you offer training in this area
1. If you are creating medical devices as part of the design of these trials, then there is potential alignment with ISO 13485. This helps make sure that the devices you’re manufacturing are safe. If you’re not manufacturing medical devices as part of your service then maybe a more general Quality Management System would be useful for you. Something like ISO 9001? You can see our complete guide to that here: https://www.process.st/iso-9001/
2. It would be beneficial for international sales or for getting contracts with certain high value clients.
3. We don’t offer training, but in the ISO 9001 article linked above, you can find lots of resources including free process checklists and audit checklists. I recommend looking at this audit checklist to understand what a finalized ISO 9001 compliant QMS would be like: https://www.process.st/checklist/iso-9001-internal-audit-checklist-for-quality-management-systems/
Of course, we also offer software to make this whole experience easier! 🙂
I hope you find this helpful!