ISO 13485 Certification: Standard Definition, Audit Requirements
ISO 13485 is an internationally recognized standard that specifies requirements for a quality management system (QMS) in the medical device industry. It focuses on the design, development, production, installation, and servicing of medical devices and related services. ISO 13485 is based on the ISO 9001 standard but expands upon it in some sector-specific areas. The standard prioritizes regulatory compliance, risk management, and the control of processes related to the design, production, and distribution of medical devices.
An expansive audit process is applied to companies seeking accreditation in ISO 13485. Auditors check for complete internal compliance, robust monitoring processes, and traceability of records.
This article will discuss ISO 13485 certification, its audit requirements, criteria, benefits, and its related standards.
ISO 13485 certification confirms that the certified company has established suitable, independently audited processes and controls to ensure the safety, effectiveness, and quality of medical devices throughout their lifecycle. This encompasses control of processes from design and development to production, installation, servicing, and end-of-product life. To obtain ISO 13485 certification, an organization must build a QMS process internally that complies with the standard. With the QMS in place, the company undergoes a comprehensive audit by an accredited certification body. The audit assesses the organization's compliance with the ISO 13485 requirements and evaluates the effectiveness of its QMS.
Quality management systems are operations frameworks and structures that ensure the deliverables of the organization comply with: customer needs and expectations, regulatory standards, operational requirements, and internal self-improvement mechanisms within the company.
A well-defined QMS documents procedures, record keeping, communications, risk assessment, and continuous improvement methodologies. QMS standards adherence can be assessed and certified externally, with various parallel standards applicable to general and particular sectors and specializations. Key components of a quality management system are: quality policy, quality objectives, document control, risk management, employee training and competence, supplier management facilities, corrective and preventive actions, and continuous improvement.
QMS approaches are generally based on international standards such as ISO 9001. This provides a framework for the establishment, implementation, maintenance, and continuous improvement of quality-management measures. These systems can be adapted to various industries and tailored to meet specific market and regulatory requirements.
ISO 13485 is the standard developed for the medical device sector. It details QMS guidance that covers the design, development, production, installation, and servicing of medical devices. It is relevant to most activities in the medical device industry, including:
- Manufacturers of finished medical devices and systems. This covers the manufacture and supply of diagnostic tools, surgical instruments, implants, prosthetics, and other medical devices.
- Any company manufacturing custom components or supplying raw materials to the medical device sector.
- Any contract manufacturer or OEM providing services in the medical device sector so they can demonstrate the continuity of compliance through the entire process from concept to patient.
- Distributors and importers of medical devices to obviate their risk in the potential supply of faulty or non-compliant goods.
- Providers of services in the maintenance, calibration, repair, technical support, or other servicing of medical devices.
- Teams operating in medical device innovation and development. If they show pre-compliance at the ideation stage, it’s easier to comply later in the process as well.
These are the main ISO 13485 audit criteria:
- Document Review: The auditor reviews the organization's QMS documentation, (policies, procedures, work instructions, and records) to ensure it meets the requirements of ISO 13485.
- On-Site Audit: The audit aims to assess the documented system’s implementation and effectiveness as a standards-compliant QMS. It evaluates processes, procedures, and records and includes interviews with personnel to verify their understanding and engagement.
- Process Evaluation: Processes must be documented, controlled, and compliant with ISO 13485. This includes all stages, from design and development processes through risk management procedures to supplier management practices and other relevant processes.
- Regulatory Compliance: The audit confirms compliance with regulatory requirements, such as those from the FDA in the United States or the Medical Devices Directive in the European Union.
- Noncompliance and Corrective Actions: Any audit shortfalls must be addressed and corrected. Those non-compliant components will then need to be re-audited. The organization’s process for correcting these problems may also be assessed.
- Management Review: Auditors assess the top management’s internal QMS evaluation and improvement methods.
The ISO 13485 audit and accreditation process typically involves the following steps:
- Preparation: The applicant must build and implement a QMS that meets the standard. That often necessitates a major culture shift within the company. This needs buy-in from the entire organization.
- Documentation: The applicant team must document how their QMS complies with the standard. This requires detailed policies, procedures, work instructions, records, and various other documents.
- Internal Audit: This serves to test initial compliance. It is often performed by members of the applying organization to help the entire company prepare for the certification audit. This internal audit highlights any weaknesses so the company can improve on internal processes before the real audit.
- Certification Audit: The company invites (and pays for) an accredited certification organization to audit its QMS. The stage-one audit deals with documentation only; auditors review the company’s plan and process to verify that it complies with ISO 13485 on paper. This document review is supported by internal interviews to assess preparedness for the stage-two audit and develop a corrective actions list if necessary. Stage two audits assess the operational effectiveness of the QMS after any initial corrective actions have been completed. This entails more interviews and usually an on-site visit to test compliance and review quality records.
- Nonconformity Management: Any aspect which the auditors mark as lacking is considered a nonconformity. The company must take corrective actions in order to receive certification.
- Certification Decision: When the organization is judged to be in compliance, they’re issued an ISO 13485 certification.
- Surveillance Audits: These are conducted regularly (generally annually) by a certification body to validate that the organization is continuing to operate its QMS in compliance with ISO 13485.
Obtaining ISO 13485 certification offers several benefits for suppliers in the medical equipment space. For instance:
- Regulatory compliance makes it easier for certified organizations to take products to market because they have a simple way to demonstrate compliance with applicable regulations. This certification facilitates market access and regulatory approvals for medical devices, as regulatory bodies often recognize ISO 13485 as a reliable indicator of a robust quality management system.
- Companies often come out with better-quality products and safety records. ISO 13485 promotes a systematic approach that consistently produces safe and effective medical devices. Compliance with the standard helps them identify and mitigate risks. Appropriate controls throughout the product’s life cycle lead to improved product quality and better patient outcomes.
- ISO 13485-certified companies commonly report better customer and market confidence. The accreditation demonstrates an organization's commitment to quality and customer satisfaction, assuring customers, healthcare professionals, and end-users that they follow internationally recognized standards and best practices for medical device manufacturing. This can improve market acceptance and open new business opportunities.
- Certification demands that organizations establish effective processes and procedures, so they naturally see better efficiency as a result. These processes cover all aspects of medical device-related business including design, development, production, and service. This orderly approach streamlines operations, reduces errors and rework, and helps eliminate waste.
- Risk management and mitigation are key demands of ISO 13485 certification. A strong risk analysis approach equips organizations to identify potential risks associated with their products and processes and to implement appropriate mitigations. This helps them identify and address potential issues early, reducing adverse events, and protecting the organization’s reputation.
- Competitive advantage and market access accrue with ISO 13485 certification. Many customers, suppliers, and partners prefer to work with certified organizations because they’ve demonstrated commitment to quality and compliance. Certification can open new markets and facilitate international trade.
- Continuous improvement is a central tenet of ISO 13485. When improvement becomes part of the corporate culture, employees won’t think twice about monitoring their performance, defining objectives, and analyzing outcomes. When aspects come up lacking, they will know how (and be willing) to improve the processes.
ISO 13485 certification is not universally required for all companies in the medical device sector. However, there are certain situations and circumstances where ISO 13485 certification may be necessary or highly beneficial:
- Certification enforces regulatory compliance in certain sectors and technology areas.
- Most customers, distributors, and healthcare providers prefer certified clients and many require certification as a condition for doing business. These entities may request or demand suppliers or partners have ISO 13485 certification to ensure the quality and safety of their products.
- Certification may be a contractual obligation in the manufacturing or research and development of medical devices. Registration is often stipulated in contracts or agreements.
- Suppliers may require certification in order to uphold their own reputations.
- Risk management is required, codified, and improved as part of the establishment of a QMS. Certification demonstrates to the market a commitment to risk management practices and compliance with standards.
- ISO registration is very helpful in international business. It is a common industry language that makes the organization appear regulated and compliant, increasing long-distance confidence in the quality of outcomes/deliverables.
- Certification drives continuous improvement. ISO 13485 promotes a culture of continuous improvement and companies that want ongoing enhancements in their processes, product quality, and customer satisfaction often pursue ISO 13485 certification as a means to instill this cultural change into the business.
The ISO 13485 certification process is layered. The primary layer consists of national accreditation bodies that assess and authorize local-level service providers who, in turn, perform certification audits for registrant companies and organizations. In this way, the adherence/compliance of all parties is traceable back to the overarching national or regional accreditation service.
Accreditation of these service providers/certifiers is controlled by national or regional accreditation bodies that evaluate their competence to ensure they meet the standards required to certify others. The accreditation body applicable to your certifier will vary by region, but these are some of the leading national organizations:
- ANSI-ASQ National Accreditation Board (ANAB) - USA
- United Kingdom Accreditation Service (UKAS) - UK
- Standards Council of Canada (SCC) - Canada
- National Accreditation Board for Certification Bodies (NABCB) - India
- Deutsche Akkreditierungsstelle GmbH (DAkkS) - Germany
- JAS-ANZ (Joint Accreditation System of Australia and New Zealand) - Australia and New Zealand
- The Certification and Accreditation Administration of the People's Republic of China (CNCA) - China
As of March 31, 2022, we are proud to announce Xometry is ISO 13485 certified. This certification is based on the ISO 9001 process model approach and is a management systems standard specifically developed for manufacturing medical devices. It ensures all medical devices meet the proper regulatory compliance laws and customer needs. By becoming ISO 13485 certified, it demonstrates our Quality Management System is appropriate and effective for the safety and efficacy of manufacturing medical devices. This latest certification joins our growing list of certifications, including ISO 9001:2015 and AS9100D. Read our full Medical Device Manufacturing Certification press release.
There are several certifications and accreditations that are similar to ISO 13485 in terms of their focus on quality management systems in the medical device industry or related fields:
- FDA Quality System Regulation (QSR), also known as 21 CFR Part 820: This regulatory body in the US sets quality system requirements for medical device manufacturers. While not a certification or accreditation, compliance with the FDA QSR is mandatory for companies selling medical devices in the U.S. market.
- Medical Device Single Audit Program (MDSAP): This program allows medical device manufacturers to undergo a single audit to demonstrate compliance with the regulatory requirements of multiple countries, including the U.S., Canada, Brazil, Japan, and Australia.
- IEC 62304: Medical device software regulations are laid out in this standard. It provides requirements for the development, maintenance, and risk management of such software, and compliance is required for medical products that contain software.
- ISO 14971: This international standard covers medical device risk management. It provides guidance on the application of risk management principles and processes throughout the life cycle. ISO 14971 is often used to complement and enhance ISO 13485 risk management practices.
- ISO/IEC 27001: This standard is for information security management systems. Though not specific to the medical device industry, it can be highly relevant for products and services that handle patient data.
- ISO 9001: The ISO’s primary QMS standard applies to most industries, including the medical device sector. ISO 13485-registered organizations often choose to implement ISO 9001 as a broader QMS framework.
There are other certifications and standards that complement ISO 13485. The following certifications are not specific to the medical industry, but medical devices do fall under their purview:
- CE Marking: The CE conformity assessment mark indicates a product's compliance with health and safety requirements in Europe. Medical devices intended for sale in the European Economic Area must undergo a conformity assessment process, which includes compliance with ISO 13485.
- ISO 45001: The occupational health and safety management standard applies in all developed markets. It allows businesses to manage risk and workplace safety in order to protect the health and well-being of staff.
This article presented the ISO 13285 certification, explained it, and discussed its various audit requirements. To learn more about certifications, contact a Xometry representative.
Xometry provides a wide range of manufacturing capabilities and other value-added services for all of your prototyping and production needs. Visit our website to learn more or to request a free, no-obligation quote.
The content appearing on this webpage is for informational purposes only. Xometry makes no representation or warranty of any kind, be it expressed or implied, as to the accuracy, completeness, or validity of the information. Any performance parameters, geometric tolerances, specific design features, quality and types of materials, or processes should not be inferred to represent what will be delivered by third-party suppliers or manufacturers through Xometry’s network. Buyers seeking quotes for parts are responsible for defining the specific requirements for those parts. Please refer to our terms and conditions for more information.