Rules and Regulatory Requirements.
The most important point about ISO 13485 is that it is often used in a regulatory environment. Organizations use it to implement an effective management system to meet regulatory requirements (Canadian, European and other Nations) for medical device manufacturers. In the US, the FDA has its own rules codified in the Federal Regulations CFR 21 Part 820 (FDA QSR [quality system requirements]). Although the words are different and some specific requirements are different (for instance, FDA QSR specifically requires “signatures” whereas ISO 13485 requires only “approval”), the overall effect of both sets of requirements is the same.
Having said that, if you are faced with the need to meet them, you have to explicitly demonstrate conformance to both. You implement one management system; one way of doing things in the organization and one set of documentation to describe them but each set of requirements must be individually and completely addressed (see this article for discussion about proving conformance)
The importance of an ISO standard in a regulatory context is that failure to do it thoroughly can cost the organization its ability to do business. If the regulators are not convinced that you have done a good job then they can and do stop you making and selling product. While ISO 9001 is voluntary and often implemented by the choice of an organization, ISO 13485, the certification bodies and regulators are serious stuff that should not be taken lightheartedly.
It is also fair to note that if is often easier to implement ISO in regulated industries because they are used to the controls. Management does not need to be convinced of the importance of documents and records. They are used to it. This is not an excuse to implement an overly bureaucratic system which is difficult and costly to maintain, although that is often how it has been implemented by people who were just not sure what they could get away with and so they went overboard. It just means that conformance must be clearly demonstrated and controversy should be avoided.
However, some organizations are pressured or decide to implement ISO 13485 even though they don’t actually make medical devices but because they serve the medical device industry, are a subcontractor to a medical device manufacturer and make components (or provide services) for them. They want to demonstrate their understanding of and commitment to quality in a medical device environment. And thus getting ISO 13485 does this.
Technically ISO 13485 was not written for these organizations. ISO 9001 is technically the correct standard but ISO 13485 does imply a better empathy with the medical device industry. Why is ISO 13485 inappropriate? Because the additional requirements included in the standard are not applicable to these organizations. Understandably the additional requirements focus on processes, issues and situations that are important to medical device manufacturers. If you don’t make a medical device they are not important and in some areas not applicable.
For instance one of the additional requirements in ISO 13485 is for the manufacturer to implement a process to issue advisory notices. These are technical bulletins to alert users and patients if relevant technical issues are discovered with a device. The more extreme version would be to have a system to recall devices if safety issues are discovered. ISO 13485 does not mandate recall although it does require the organization to implement an appropriate level of traceability.
8.5.1 General states “The organization shall establish documented procedures for the issue of advisory notices for medical devices. These procedures shall be capable of being implemented at any time. “
Because a contractor doesn’t actually manufacture medical devices, they will never actually issue advisory notices. There is no requirement to have a system for device components. That being said, if the manufacturer wants ISO 13485 certification then they still have to have a documented system and it must be demonstrable to work. In practice, because they know they will never need to use it, a very simple system should suffice.
This concept is applied to many of the additional requirements in ISO 13485 – 4.2.1 device master records, 220.127.116.11 sterilization, 7.3.1 handling returned devices, 18.104.22.168.2 implantable devices, etc.
And thus for subcontractors obtaining ISO 13485 certification is in some respects easy. All of the additional requirements have to be addressed but in practice many of them can be simplified. However, this additional certification (most contractors already have 9001) does cost more. There are often application fees and maintenance fees, the auditors are sometimes harder to schedule because they are fewer and more in demand. Sometimes certification bodies charge more for ISO 13485 auditing (a higher day rate) because the auditors are more expensive and you can guarantee that an ISO 13485 audit will be longer than the 9001 audit. depending on size but an additional day would be likely. Medical device auditors also spend a lot of time auditing medical device organizations and thus they are very focused, detail oriented and very picky because they recognize that their work is regulatory in nature and that they products they are auditing might affect patient and user safety. Thus expect them to be tough and picky auditors.
Cavendish Scott has substantial medical device experience working with both FDA QSR and ISO 13485. We provide systems support for implementing European MDD, IVDD and AIMDD as well as Canadian CMD.
How do I address ISO 13485? I already meet FDA QSR and I don’t want to end up with two separate systems.
How does a turnkey consulting project work?
What alternatives are there?
We think we are in great shape for ISO 13485, but how do we find out for sure?