ISO Certification Requirement for Medical Devices

Narendra Kumar

01 Nov, 2019

The International Organization for Standardization (ISO) has introduced the ISO 13485 that is an international standard that sets down the rules and regulations for a quality management system (QMS) for manufacturers of medical devices and also for such organizations that support manufacturers of medical devices. The medical industry is a critical industry – ISO 13485, which pertains to the design and manufacture of medical devices is an assurance to the end-user or the customer that the medical device is free from danger and the quality of the product is reliable for use. Let’s read the requirements for ISO Certification for Medical Devices.

Setting Quality Objectives

Clause 4.2.1 of ISO 13485 mentions that quality objectives are essential for a Quality Management System (QMS) for manufacturers of medical devices. In details it has been explained as – a quality policy is required for setting goals of a QMS whereas quality objectives are the ways and means that would be adopted to reach the goal. The overall intention is to improve the system. Customer and regulatory requirements are the inputs of quality policy and the quality objectives help in achieving them. Since the organization as a whole needs to put its best foot forward to achieve the listed objectives, employees at every level within the system need to be informed of the quality objectives.

Once the products and processes that need to be monitored, measured and improved have been identified by the organization, it needs to set down SMART objectives (Specific, Measurable, Agreed, Realistic and Time-based).

1. Specific pertains to clearly and precisely defining the objective.
2. Measurable pertains to setting up a target or objective that is measurable because measures are indicators of whether work is happening in the right direction or not.
3. Agreed – until and unless each and every individual employee as well as the top management of the organization are informed and agree to the plan, objectives cannot be achieved.
4. Realistic –goals that are achievable are the ones that count. Unrealistic objectives will only lead to discouragement.
5. Time-based – goals and objectives are good as long as there is a timeline attached to them.

The Latest Version of ISO 13485

The ISO 13485 is based upon ISO 9001 but there are differences between both. One of the key differences that ISO 9001 emphasizes continual improvement whereas ISO 13485 talks about implementing and maintaining an effective quality system. Even the customer satisfaction related requirement is missing in the ISO 13485 standard.

In the initial years, there were two versions of this standard –ISO 13485 for Original Equipment Manufacturers (OEM) and ISO 13488 for contractual manufacturers (suppliers to manufacturers).  In 2003, both the standards were merged and there were revisions that were made. After the merger of the standards, many countries including Canada and the European Union made it mandatory for all medical device manufacturing companies to be ISO 13485 certified whether it be Class I devices or Class II-IV devices. It is mandatory even for subcontractors to be ISO 13485 certified or be audited for the same. The FDA^[1] certifications in the US are also similar to standards mentioned in ISO 13485. Hence it became mandatory for all manufacturers, sub-contractors, and suppliers of medical devices to obtain this certification for operating in these countries. Today governments of almost all countries in the world have made it a compulsory clause for organizations participating in government tenders.

The first version of this standard was published in 1996. Earlier there were different standards like the EN 46001 and EN 46002 which were later phased out after the introduction of the ISO 13485. The latest version of this standard was published on 1^st March 2016 thereby superseding the earlier versions –1996, 2003 and 2016. All organizations that are compliant with the earlier versions have been given time till 31^st March 2019 to upgrade to the latest one.

Minimum requirements to Obtain the ISO 13485 Certification

Any medical device manufacturing company will have to meet the following minimum requirements to obtain this certification:-

• An effective QMS needs to be adopted, recorded, implemented and maintained as per the requirements mentioned in ISO 13485.
• Requirements that have been mentioned as ‘appropriate’ need to be fulfilled; in case of any exemption from meeting a particular requirement, ample rational needs to be submitted for the same.
• Employees need to be trained on a continuous and regular basis.
• Whatever procedures are mentioned in the standard, the company has to adopt them
• Procedures need to be sequenced and proper interaction between them to be highlighted
• These procedures need to be analyzed and measured
• Records and documents as per the standard need to be made available
• Risk management has to be an integral part of the process of product development.
• The QMS needs to be reviewed as per ISO 13485 in context of its application value and efficiency

Obtaining the Certificate

Step-1: planning the Quality Management System. ISO 13485 mentions 19 procedures and a Quality Manual that the organization needs to identify and work upon to develop its quality plan. The first two procedures pertain to the Control of Documents and Control of Records. The quality plan is required to be written down properly, in sequence and the process of implementation. This is the time when the organization needs to identify the process owners of each of the procedures. This stage also should be used by the organization to appoint a certification body after due research and shortlisting.

This is also the time to make sure that there are sufficient resources in hand to implement the quality plan. Resources typically include people, money, time and equipment. This stage also requires communicating with internal stakeholders about the procedures, training them, carry out internal audits, preparing records, writing corrective action plans post internal audits and addressing aspects of the QMS that are not effective.

Step 2: implementing additional regulatory requirements – in the case of a manufacturer, the organization aims to target global markets, and then the organization needs to go ahead with other regulatory requirements that are necessary for operating in the selected countries.

Step 3: Design Controls –as per clause 7.3.1, 7.3.2 to 7.3.7, there are seven sections pertaining to design control requirements in ISO 13485. The controls are related to Design planning, Design Input, Design Output, Design reviews, Design Verification, Design Validations, and Design changes. What is required here is that the organization prepares a Waterfall Design to illustrate the procedures for the seven steps mentioned above. The procedure is required to be written, the team to be trained on design controls and risk management.

Step 4: Document control and Training –these two are required to ensure that the processes are running as required. Document changes need to follow specific tasks and procedures.

Step 5: Internal Audit, CAPA and Management Review –internal audit identifies problems. CAPA identifies the root cause of the problem and eliminates them. Management review is made to ascertain that resources are in place so that the QMS can work effectively.

Step 6: Stage 1 and Stage 2 audit and responding to findings –Stage 1 is a one-day audit for QMS documentation. Stage 2 audit is reviewing or records from the previous step.

After this, the certification auditor will recommend the company for ISO 13485 certification and also arrange for semi-annual or annual surveillance audits to be conducted.