NEW!!! Flexibility & configurability to the next level with the latest version of Matrix. Learn more!

What is ISO 13485?

ISO 13485 What Is it?

In this post, we'll discuss what ISO 13485 is all about, by whom it is used and what is important to take into account.

What is ISO 13485?

ISO is short for International Organization for Standardization. It's an independent, non-governmental, international organization that aims to bring together experts to agree on the best ways of doing things, from making products to managing processes.

The focus of the standards written by ISO and other standard organizations is multi-disciplinary. One of the "types" of standards is about management systems. Management system standards describe the requirements for sets of policies, processes and procedures used by an organization to ensure that it can fulfill the tasks required to achieve its objectives.

ISO 13485 is a standard that describes requirements for Quality Management Systems, in particular for the medical device industry. You can learn more about ISO 13485 in our recent video guide.

Why ISO 13485 is important?

The full title of this standard is: ISO 13485 Quality management systems - Requirements for regulatory purposes. This already highlights the importance of this standard. It does not only describe what is expected from the medical device industry in terms of Quality Management Systems, it also refers and links to the regulatory requirements. 

Organizations that need to comply with ISO 13485 need to demonstrate their ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements.

Such organizations can be involved in one or more stages of the life-cycle, including design and development, production, storage and distribution, installation, or servicing of a medical device and design and development or provision of associated activities (e.g. technical support). ISO 13485:2016 can also be used by suppliers or external parties that provide product, including quality management system-related services to such organizations to achieve regulatory compliance. The size of the organization does not affect the requirements or compliance with ISO or your quality processes.

ISO 13485:2016 is the current version of this standard and is a harmonized standard for the Medical Device Regulation and a recognized standard for FDA. That means that for both legislation (and others as well), this standard serves as the reference for requirements for quality management systems for medical device companies.

Evolution of ISO 13485

As mentioned above, currently the 2016 version of ISO 13485 applies. Forerunners were the EN 46001 standard which had to be combined with ISO 9001:1994. ISO 13485:1996 was based on ISO 9001:1994. The current ISO 13485: 2016 is a single standard. 

Although ISO 9001 forms the basis for ISO 13485, this does not mean that compliance with the requirements of ISO 13485 means that you also meet the requirements of ISO 9001. Both have a separate certification scheme and if you do not meet either, you may have a nonconforming product.

Scope of ISO 13485

ISO 13485 specifies requirements for quality management systems of organizations that provide medical devices and related services. This means that not only medical device manufacturers and/or subcontractors can or should use this standard. It also means that suppliers or external parties that provide products, including QMS-related services to these organizations can use this standard. This is why Matrix Requirements, as a platform provider for both product documentation as well QMS documentation is as well ISO 13485 certified.

Main elements of ISO 13485?

The Quality Management System should be based on a process-approach, which combines Plan-Do-Check-Act (PDCA) with a risk-based approach and can significantly impact customer satisfaction of your Medical Device.

Throughout all processes within the Quality Management System, the idea is that the organization defines and plans what they will be doing, implement it and make sure that there is a verifyable output from the processes. In case the output does not match the plan, improvements should be defined and implemented to avoid the same errors from happening again.

De PDCA cycle ensures you think about the planning, implementation and verification of all processes of your Quality Management System (QMS). A risk-based approach enables the organization to think about factors that could cause deviations from the planning. Combined, it shows how all processes are interlinked and how the organization can reduce as much as possible negative effects and deviations.

There are 5 main sections in the ISO 13485 standard:

  1. Quality Management System

  2. Management Responsibility

  3. Resource Management

  4. Product Realization

  5. Measurement, Analysis and Improvement

Quality Management System

Section 4 of ISO 13485 is the first section with actual requirements in the standard. It is subdivided in General Requirements and Documentation Requirements.

General requirements

The General Requirements paragraph defines that organizations need to establish and implement a Quality Management System (QMS), using the ISO 13485 standard but as well incorporating applicable regulatory requirements.

This means that the first few actions are:

  1. Establishing the scope of the QMS: what are the activities of the company? Which processes will be covered by the QMS?

  2. Defining the applicable regulatory requirements and making sure the processes are adapted to them

  3. Defining which internal and external factors might be influencing the QMS and applying a risk-based approach to them. If you want to learn more about process related risk-based approach, please download our ebook.

Furthermore it is important to take into account that even when you outsource certain activities/processes or you make use of tools, you as an organization still carry the full responsibility. Therefore, you have to implement certain ways to verify and validate that everything goes according to plan. If you are interested in learning more about software validation, please read our post on this topic.

Documentation requirements

In terms of documentation, ISO 13485 requires you to have Quality Management System (QMS) documentation in place that shows how the QMS works, starting from the high level Quality Manual, Quality Policy and Quality Objectives down to more detailed procedures and work instructions. Records are a specific type of documents that provide proof of the output of certain processes for your Medical Device. All documents within the QMS need to be controlled. If you want to learn more about how MatrixQMS can help with this effort, please check our webpage.

The standard defines in the different paragraphs whether or not a procedure needs to exist. However, organizations are not limited to these procedures. In general, a company should create as many procedures and work instructions that are needed for it to work in an efficient way, with a minimum of what is required by the ISO 13485 standard and other applicable regulatory requirements.

Management responsibility

There is an active role for top management in the establishment and maintenance of the Quality Management System (QMS) according to the ISO 13485 standard. In the PDCA cycle, top management needs to make sure the planning and resources are available for the organization to implement an effective QMS.

Top management of your Medical Device organization is responsible for making sure there is a Quality Policy that is in line with the company vision and the regulatory requirements and that the company adheres to this policy. They have a responsibility to plan, delegate authority, and communicate effectively. They are also responsible for a periodic review of operations and improvement within the organization, known as the Management Review

Resource management

As a requirement within ISO 13485, top management must ensure that adequate resources are available to effectively establish, implement and manage the Quality Management System (QMS) and its processes. These resources can refer to personnel, trainings, infrastructure, consumables, equipment, etc. This can be anything from establishing specific workflows to planning long term changes. 

Product realization

A Medical Device organization has to control the full cycle of product realization, from concept to implementation. Not only does this need to be planned, it should be documented as well within your Quality Management System (QMS). The ultimate goal is to produce safe and performant medical devices within the framework of the Quality Management System. This means there should be processes established to control the design and development, the transfer to production, the production itself and further processes that might follow such as installation and servicing activities. If you want to learn more on how Matrix can help documenting the design of your medical device, please check our webpage about MatrixALM.

The key is to follow the process from planning to inputs, outputs to review, onward to verification, followed by confirmation through validation. Transferring ideas, controlling the design, documenting any required changes, and retaining any and all files included in the process is critical in product realization. Defining and managing resources such as supplies, retaining critical information associated with each product, and determining how to verify these products should be clearly documented within a procedure.

Monitoring and maintaining equipment, as well as ensuring that identification requirements are met for the device itself, are also components of product realization.

Ensuring traceability, managing customer property, and ensuring preservation of product are also requirements of ISO 13485 and should be implemented in your Quality Management System.

Measurement, analysis, improvement for your Medical Device

In the second half of the PDCA cycle, you are supposed to check the output of your processes and act to improve if needed for your Medical Device design controls. In order to do so, you need to collect feedback. Feedback about your products, but as well about the effectiveness of your processes.

You can look at customer feedback, analyse complaints, look at the reportable incidents and react on audit findings. All of these are different sources of feedback.

In order to comply with ISO 13485, you should define all data that can provide input and feedback and analyze them so that you can ensure your QMS remains efficient and in line with what has been planned for. Furthermore, it is a way to ensure that the products that are being produced within the framework of this Quality Management System (QMS) remain safe and performant and as intended for your Medical Device.

Adopting ISO 13485 establishes a regulatory compliance framework for medical device organizations, ensuring they meet both international standards and specific requirements for medical devices, including those for implantable and sterile medical products. This compliance with ISO is fundamental for achieving customer satisfaction and ensuring product safety through effective quality management systems (QMS).

It mandates comprehensive monitoring and measuring of manufacturing processes, work environment conditions, and supply chain management to enhance product quality and safety.

The role of a notified body is crucial in validating compliance, especially for devices requiring CE marking to enter the European market. ISO 13485's QMS requirements are designed to ensure a practical foundation for product realization processes, supported by eQMS software and best practices in document control, complaint handling, and management reviews.

These efforts are aimed at streamlining processes, from design control to production and post-production, focusing on risk management, customer requirements, and the improvement of manufacturing medical devices.

With a focus on specific requirements for medical devices, including active implantable medical devices, the standard emphasizes the importance of roles and responsibilities, the establishment and implementation of quality systems, and the effective solution of adopting ISO to ensure regulatory and customer compliance.

The realization efforts extend to the entire product lifecycle, promoting a culture of continuous improvement and preventive actions.

By leveraging software tools, like ROI calculators and seeing interactive demos, organizations can calculate their ROI, demonstrating the tangible benefits of certified quality management software in enhancing device quality management, supply chain efficiency, and overall organizational effectiveness.

ISO 13485 serves as a guide to ISO certification, providing a clear pathway for medical device manufacturers to market their devices globally, ensuring they meet the additional requirements of the EU Medical Device Regulation (MDR) and other regulatory authorities, thereby supporting the industry's quality aspirations and commitment to patient safety.

How Matrix Requirements can help you with ISO 13485 certification?

We at Matrix know from experience that it's not always easy to create and maintain your documentation in a good way for your Medical Device. Having an effective QMS is about more than being able to show documents during an audit. A QMS needs to be fit for an organization and help it rather than causing delays. With our MatrixALM and MatrixQMS modules, we aim at helping companies to build and maintain their documentation, both for the products they develop as well as for their Quality Management System (QMS). Having everything centralized in one platform with the possibility to interlink and maintain traceability helps our customers in their journey to certification and beyond for their Medical Device. Learn more about how you can leverage ISO 13485 in our video guide.

About the Author
Ann Vankrunkelsven
RA/QA Manager