Upgrading to ISO 13485 from ISO 9001. Differences and Considerations.

Kerri Williams of Platinum Registration was recently asked to make a presentation about upgrading an existing ISO 9001 management System to ISO 13485.

She kindly allows us to display her presentation.  With her agreement we have modified the content to remove background and benefit information about Platinum Registration. The presentation covers many of the differences between ISO 13485 and ISO 9001  but read below for more information about some of the issues which have to be considered.  You can see the presentation here: Upgrading to ISO 13485 from ISO 9001.

Organizations who are already registered to ISO 9001 are often interested in migrating to industry specific versions of the standard.  These include TS16949 (for the Automotive Industry), AS9100 (for the Aerospace Industry) and ISO 13485 (for the Medical Device Manufacturing Industry).  In some instances, customers are insisting on conformance and in others, organizations want the marketing advantage to break into or extend their involvement in the industry.

These versions enhance the requirements of ISO 9001 by adding additional requirements that must be built into the management system and implemented – with evidence, to demonstrate conformance to an auditor.

This presentation looks at the differences that exist between ISO 9001 and ISO 13485 but the principle is the same with the other standards.

With ISO 13485 the scope of the management system is very important.  ISO 13485 is used by the medical device regulatory agencies in Europe, Canada, Australia and Japan (among others) and has been accepted by a global harmonization task force which is supported by the US.  At this time, the FDA does not use ISO 13485 and thus steps must be taken to address their requirements (CFR 21 Pt 820) if it is also applicable.  For many higher risk devices, agencies require that this standard is implemented before they will allow the marketing of the medical device.

But these rules typically only apply to the device manufacturer.  Many contractors seeking ISO 13485 do not manufacture the actual device.  And even if they did manufacture a complete device, they would only have a secondary responsibility for meeting the regulatory requirements (including ISO 13485) unless it was their name on the label as the owner of the device.  More frequently a contractor is producing parts for the medical device company who might finally assemble and sell the device.  It is they who are subject to the regulatory requirements and they want an easy life justifying how some of their parts are made to their regulators.  Thus they are keen on the contractor registering to ISO 13485.

ISO 13485 contains a number of requirements that are applicable only to the device manufacturer.  For instance, the collection of post-market intelligence.  Being registered to ISO 13485 implies that you have the ability to collect post market intelligence about the medical device.  However, a contractor might not even know what device their part is used in.  In some situations the contractor cannot exclude these requirements (like for instance they might be able to exclude the requirement for the control of sterilization) and must be able to demonstrate an ability to do something that they will never have any use to do.

The contractor needs to think carefully about what they want their management system to cover (i.e. the scope) and make this clear to the chosen registrar and their auditor so that no surprises occur.  These things are not always spelled out in the standards and highlight the reason why experienced help is essential in order to achieve success.

Other differences and additions to the standard are much clearer and simply require updating or new documented procedures and the implementation of simple processes or training.  So long as the interpretation is understood (and it is not always clear) then this is a straight forward process that just takes time and resources.

All management systems require internal auditing.  Done well internal audits bring benefits by protecting against issues before they are found by the registrar, highlighting opportunities (and waste) and giving confidence in the effectiveness of the management system.  When upgrading to a new standard an internal audit needs to be conducted.  This will ensure you haven’t missed anything and show conformance to the new standard has been achieved.  Technically it is possible to audit only the changes but if this not done well, a registrar should reject the audit as ineffective.  Bearing in mind that an internal audit would be necessary anyway, a slightly enhanced audit for the new standard is just a little more effort than normal.

Cavendish Scott, Inc. has been consulting, training and auditing on the implementation of ISO 9001 and industry specific standards for 25 years.  Upgrading an existing ISO system to meet an additional standard is something we are frequently asked to assist with.  Typically we review documentation, make adjustments to existing documents and write new procedures, support with the training, understanding and implementation of new processes and changes.  We then conduct internal audits (which usually have to be completed anyway) at a slightly enhanced level to prove conformance with the additional standard – and guarantee successful registration.  For more information tell us a little about what you want to achieve with your QMS system.