What’s the Difference between ISO 9001 and ISO 13485?

By Dave Moskal

ISO 13485 Medical DevicesSome companies that already have ISO 9001 may be interested in also registering to ISO 13485 for medical devices. One of the primary questions that tend to come up is ‘What are the differences between the two of them?’ In this article I will explain some of these differences.

There is no doubt that medical devices need to be manufactured with processes that are under control. There also isn’t much of an argument against making sure that they are clean, and in some cases even sterilized. Whether it be for products that we use at home to treat ourselves; devices that are used at the doctor’s office for diagnostics; instruments that are used in hospitals for surgery; or equipment used in laboratories for analysis. Clean devices start with the manufacturing process and must continue all the way through until it’s being used.

Processes for Cleanliness of the Work Environment

For companies that have product realization activities where medical devices or components thereof, are manufactured, assembled, packaged or even repackaged, the control of cleanliness of the work environment is one of the many differences in 13485. Processes used to protect the product from contamination need to be determined, documented, and implemented. For example, contaminates can include fluids that are used during the machining or assembly processes. Therefore a process would need to be established to ensure that compatible fluids are used and are completely removed from the product. Additionally, processes would need to be established and documented to control the environment that the work is being performed in and where product is stored. This includes requirements for personal health, cleanliness, and clothing if contact between such personal and the product could have an adverse effect on the quality of the product. Not only do the processes need to be determined, documented and implemented, they also need to be measured and monitored to ensure that the controls of these processes remain effective. Some of the processes that may be established could include the use of a pest control specialist to ensure that rodents or insects could not contaminate the product; air filtration systems to ensure that pollen, dust or residue from manufacturing processes don’t contaminate the product; the establishment of a policy so that production personnel do not have food or open containers at their work stations; or personnel are required to wear gloves when handling product to ensure that body oils are not transferred to the product. You may determine that these or any number of other processes need to be established to ensure that the cleanliness of the product that is being produced will not be compromised.

Documentation of Risks

In addition to the cleanliness of the product, risks that are associated with the product realization process need to be determined and documented. While it is inherent during manufacturing, assembly, and packaging operations to understand what the risks are, 13485 requires that they also be documented. The documentation of the risks is an important element. It’s not only to understand where the weaknesses are in a process, but having the ability to understand what the true impact would be if the risk would occur. An additional benefit is to have the ability to know the action that needs to be taken to reduce the likelihood and/or severity of the risk should it be realized, thus having less of an impact on the quality of the part, not to mention delivery and customer satisfaction. Some risks that might be identified include material availability; environmental monitoring equipment not working properly; inadequate packaging that could fail causing the contamination; incorrect instructions being provided with the product.

Required Identification and Traceability of Product

Another difference between the two standards is the identification and traceability of product. Where the requirement in 9001 is ‘as required’, in 13485 it is required. Furthermore, each batch of medical devices that are produced, records that provide traceability and identify the amount that was manufactured and approved for distribution are required to be created, reviewed, approved and maintained. Like the processes for cleanliness and risk, these processes also need to be documented. Also operations for the labeling of the devices must be defined, implemented and documented to ensure that requirements are met consistently.

Document Customer Complaints

The last area that we will look at is that of customer satisfaction and complaints. While it is important in any management system to understand how satisfied customers are and to have a mechanism to receive, track, and analyze customer feedback, 13485 goes one step further. For medical devices these processes need to also be documented. It is important to get feedback from the customer, including complaints as well. So processes need to be established to ensure that any complaints are recorded each time they are received, no matter how they are received or by whom. All complaints must be investigated, no matter if the compliant appears to be insignificant or not. If it is determined that a Corrective or Preventive Action is not necessary, the reason for not using the CAPA process must be recorded and authorized. In addition, the process needs to be able to provide an early warning system so that the information received can be analyzed to know if there are any quality problems that should be fed into the Corrective or Preventive Action processes. A strong and effective early warning detection system that would alert of any actual or potential quality problems is crucial for any organization.

Process for Advisory Notices

The organization must have a process established and documented for advisory notices. The early warning system, customer feedback and complaints, and production processes are typically all used to understand if an issue warrants an advisory notice. The documented procedure would firstly need to identify the criteria used to determine if an advisory notice is actually needed. If it does, would the notice include a recall of the product or only a notification of a potential problem that could occur? Who would need to be notified and what method would be used to notify the affected parties? Your system should be able to guide you through not only the analysis of this, but the processes that are required after the analysis has been completed.

While these are only some of the differences, you can see that these differences between ISO 9001 and ISO 13485 Quality Management Systems are significant and cannot be taken lightly. Management must ensure that processes are developed, implemented, and documented so that personnel within the organization know how to handle, protect and identify medical devices. The organization also needs to ensure that the processes for customer communication including those of complaints and advisory notices have been established.

Cavendish Scott, Inc. has been working with ISO 9001 and ISO 13485 for over 25 years and we really understand how these standards should be applied. We have also been involved in many upgrades from ISO 9001 to ISO 13485. Contact us for more information.

Avoid Famous Mistakes with ISO 9001 - Avoid the most common mistakes with our free eBook