ISO 13485

– Medical Devices –

⇓  Introduction to ISO 13485

⇓  What is ISO 13485
⇓  Why Implement ISO 13485
⇓  How to Implement ISO 13485
⇓  Learn More About ISO 13485

Introduction to ISO 13485: 2016

Medical technology is expanding at an astounding rate. New medical techniques, medications,
equipment and devices are currently being developed that could not have been imagined just a
few decades ago. Recent advancement in medicine, new medical technology, including
diagnostic and therapeutic devices, have revolutionized modern healthcare. With this swift
advancement of medical technology and devices, there is inherent risk. Companies that are
producing medical devices and equipment must develop the most effective quality practices.
Today’s consumers are constantly being bombarded by advertisements regarding litigation
against medical device manufacturers.  Just one major issue can have a profound impact not
only on the manufacturer, medical practitioner and most importantly the patient’s well-being.
Quality issues in many other types of products may cause inconvenience or put consumers at
nominal risk of illness or injury. With medical devices, quality issues could not only cause
serious health issues but can also lead to death.  Medical device manufacturers must develop
and implement a very robust quality management system that must encompass the entire
product life cycle.  To ensure the quality system is sufficient, most organizations pursue
certification of their quality management system to the latest revision of the ISO 13485
standard for Medical Devices Quality Management Systems.

What is ISO 13485: 2016

ISO 13485 is an international standard that specifies the quality management system
requirements for organizations involved with medical devices at any stage of the product
lifecycle. This would include the design, development, production, storage, distribution,
installation, service and technical support of the device. The ISO 13485:2016 revision is the
third edition of the standard and supersedes the previous ISO 13485:2013. This latest revision
of the standard contains considerable updates regarding risk-based quality processes, supplier
management, and strict adherence to regulatory requirements. This standard may be applied
to parties that provide material, product or services to the organization and is applicable to
organizations of all sizes large and small. In addition, any processes required to obtain or
maintain compliance to the ISO 13485:2016 standard that are not performed within the
organization, remain the responsibility of the organization and must be included within the
quality management system. The organization must monitor, control and ensure proper
maintenance of the external processes.
The ISO 13485:2016 standard focuses on a process approach to quality management within
an organization. The process approach is a review of the sequence, the inputs and outputs and
interaction of processes. Any activity that receives inputs and produces outputs is considered
a process. In most cases, the output of one process is the input for the next and so on. The
process approach perceives the management system not as a collection of documents but as
an active system of processes. Quality system processes should identify and mitigate risk. In
particular, the risk to product and process quality, to the business in general, and to meeting
customer or regulatory requirements. Organizations that utilize a process approach to quality
management tend to:
 Better understand and consistently meet or exceed product requirements
 Evaluate each process from a value-added perspective
 Achieve a higher level of process performance
 Continually improve processes based upon performance data and not on speculation
or opinion.

Why Implement ISO 13485: 2016

The importance of maintaining the highest quality achievable in the manufacture, distribution,
use and maintenance of medical devices is more vital than with other products and services.
Product quality issues in the majority of industries may result in widespread recalls,
substantial financial impact, and loss of brand equity. Quality problems with medical devices
can result in class action lawsuits, physical harm to patients, and potential loss of life.
Therefore, the importance of developing and implementing an ISO13485:2016 compliant
quality system cannot be overemphasized.  Numerous organizations have already realized a
significant savings in the Cost of Quality (COQ) in addition to the many other advantages of
adopting the requirements of the ISO13485:2016 standard. Some of the potential benefits are
as follows:
 Improved product quality resulting in enhanced brand equity.
 Increased customer satisfaction resulting in a higher level of repeat business.
 Increased efficiency and reduced costs through improved quality and reduced waste.
 Decision making based on facts and data, aligned with strategic goals.
 Development of a continuous improvement culture or mindset within the
organization
The ISO 13485 standard is widely accepted as the benchmark for medical device
manufacturers quality management systems.  Many organizations certified under the standard
have achieved improved product quality, reliability, regulatory compliance and are aligned with
industry best practices.  Organizations of any size or type can and are developing and
implementing ISO 13485 compliant quality management systems. The future of your quality
management system and your organization depends upon you.

How to Implement ISO 13485

Implementation of ISO 13485 and subsequent certification is going to require time, resources,
commitment, and full support of the management team. The amount of time and resources will
depend on whether or not your organization has an existing comprehensive and effective QMS
already in place. If your organization already conforms to other ISO standards the
transformation should be easier. Within the standard there are two informative sections that
provide comparisons to other ISO standards or revisions:
 ISO 13485:2003 and the newer ISO 13485:2016.
 ISO 13485:2016 and ISO 9001:2015
The majority of the remaining sections constitute the heart of the standard focusing on the
contents and requirements for developing and implementing and managing an ISO
13485:2016 compliant (QMS) Quality Management System.
Determine your product’s classification
Evaluate the features and characteristics of your product (medical device) or device, and define
its classification according to the associated risk. Medical devices are designated as Class I, II
or II; with the Class I devices posing the least risk of causing harm to the user or patient to
Class III which pose the highest potential risk. In addition, Class I devices are generally
simpler in design than the higher-level devices. There are several characteristics that play a
role in determining the class designation of a medical device including:
 The length of time the device will be used
 Are medicinal substances contained within the device?
 Whether or not the device is surgically invasive
 Is the device active or surgically implantable?
Management Responsibilities
More than one ISO standard requires management of an organization to demonstrate
leadership and commitment to the QMS. The ISO 13485 standard is no different in that
respect.  Top management of the organization must:
 Take ownership, responsibility and be accountable for the effectiveness of the QMS
 Assign Roles and Responsibilities regarding the QMS
 Provide adequate resources for the QMS
 Promote a culture of continual improvement
In addition, the leadership of the organization are required to identify a management
representative to which they assign responsibility and authority for the development and
continual improvement of the QMS. This representative would also serve as the “Go to” person
for any ISO 13485 questions by fellow associates or internal and third-party auditors.
Resource Management
The organization must provide adequate resources to support the QMS and provide evidence of
qualifications of key personnel. An organizational chart should be developed and maintained to
identify all positions which play a role in the success of the QMS.  The organizational chart
defines the names and titles of individuals in the management team as well as many of the
supporting roles within the organization.
 Roles, Responsibilities and Qualifications
Roles and responsibilities for each position defined within the organizational chart should be
documented. Be certain to talk in the terms of positions because personnel will come and go
requiring frequent updates to the documentation.
In order for any system, process, or business to be successful, the personnel supporting the
QMS must demonstrate competency to fulfill their duties. The organizations must define the
education, experience or formal training requirements for individuals performing work that will
impact the performance of the QMS. Job descriptions should be developed that include a list of
job responsibilities, preferred qualifications, and the normal physical demands of the position.
In addition, biographies and qualifications should be documented for individuals whose
positions directly affect the execution or performance of the QMS. This information should be
readily available for review by third party auditors.
Management Reviews
Organizational leadership meetings should be held at regular intervals to review the
performance of the QMS. The subject matter of the review meetings may include but is not
limited to the following:
 Status of any recommended actions from previous management reviews
 Discussing the potential internal or external issues impacting the QMS
 Any possible risks and opportunities relating to the QMS
 Ensure proper resources are being provided for the success of the QMS
 Evaluating the overall performance of the QMS in meeting planned objectives
Management should report any relevant information resulting from the reviews to workers and
other interested parties. The organization shall also retain documented records of the results
of the management reviews.
The Quality Management System
The organization must develop and implement a robust Quality Management System (QMS) in
order to comply with the standard. A robust QMS should consist of business policies,
procedures, forms, work instructions, and other supporting documents. The QMS should also
indicate the quality records to be generated, their storage location, and the period of time for
which they are retained. The QMS documentation should speak to the related requirements of
the standard, as well as any regulatory requirements. The organization is also responsible for
monitoring and ensuring adequate controls are in place for any outsourced processes
impacting compliance to the standard. Documented quality agreements as well as defined roles
and responsibilities are required for any outsourced processes.
Quality Policy and the Quality Manual
The ISO 13485 standard requires that leadership establish and maintain a Quality Policy and
a Quality Manual. The Quality policy is a statement consisting of the company stance
regarding product quality along with their basic goals or objectives and the plan to realize
them. The objectives are the more definitive goals related to the QMS and quality plans.
Organizations pursuing certification must set goals or objectives for the quality management
system, and provide resources to assure proper maintenance and continual improvement of
the QMS. The quality objectives should be documented, preferably measurable, consistently
monitored, maintained, updated, and properly communicated.  Furthermore, the organization
must also develop a Quality Manual. The quality manual should contain the Quality Policy
along with references to the supporting documents of the QMS.
QMS Documentation
The organization must document information relevant to the ISO 13485. In addition, the
organization must develop appropriate policies, procedures, work instructions or other
documentation specified by the organization that could affect the success of the QMS.  All
documents related to the QMS shall:
 Follow a standard format determined by the organization
 Have adequate protection of the content and control revisions.
 Document changes or updates to documents and ensure changes are identified and
traceable
 Be available for use where and when required, and the content protected.
In addition, the document control system must allow for proper access, distribution, storage,
retention and eventual disposition of documents.
 
Medical device files
This is one of the requirements that sets ISO 13485 apart from most of the ISO standards. Per
the ISO 13485 standard and legal requirements organizations must maintain a file for each
medical device or family of medical devices that they manufacture. Some of the information
required to be in the file is as follows:
 A general description of the medical device including intended purpose, labeling and
instructions for use.
 Specifications of the device / product
 Procedures for the manufacture, packaging, handling, storage and distribution of the
device.
 Documented procedures for measuring and monitoring
 Installation requirements and service of the device, if applicable
Quality Objectives
The standard requires organizations to set goals or objectives for the proper maintenance and
continual improvement of the QMS. The objectives should be agreed upon by management and
other involved parties. The objectives or goals should also be documented, measurable, and
properly communicated within the organization. In addition, criteria should be defined for
monitoring and measuring the performance and continual improvement of the QMS.
Measuring Performance
The organization should develop an internal auditing process. Internal audits should be
completed at regular intervals to ensure the QMS is meeting internal, legal or regulatory, and
ISO requirements. The audit findings function as evidence of the effectiveness of the QMS.
Records of the audit results shall be retained for a pre-determined length of time and available
for review by third party auditors.
Work Environment and Contamination Control
The ISO 13485:2016 standard also contains a section devoted to promoting a clean and safe
work environment and contamination controls. Organizations pursuing certification must
evaluate the work environment for any possible cleanliness, health, clothing or other factors
that may affect medical device safety or performance. In addition, the organization must verify
that the associates working in the area are competent and able to perform the job.
Furthermore, the standard indicates that the organization must plan and document controls
to prevent and/or detect any contamination. The controls must extend to the assembly and
packaging process.
Product Realization
The ISO 13485 standard has added requirements that impact the QMS. The ISO 13485:2016
version mandates that the organization shall plan and develop processes required for product
realization. The standard now includes the requirement for records of risk management
activities to be maintained. Organizations are also required to consider the following elements
during product realization:
 The work environment
 Contamination control
 Company infrastructure
 Handling of the product
 Proper storage of the product
 Distribution methods
 Product traceability
All these factors shall be taken into consideration during product realization. There are several
subheadings to be addressed within the product realization process. The following paragraphs
shall briefly touch on each one.
 Customer Related Processes
Within the standard there are requirements intended to ensure that the medical device meets
the customer’s needs. Product requirements must be formally reviewed and documented by
the organization. This review should be comprehensive and include product features,
performance requirements, and delivery and post-delivery activities such as installation,
maintenance, etc. There is a statement in the standard that requires the organization to review
and plan for user training needed to achieve the specified performance of the medical device
and ensure safe operation or use of the device. Communication with customers is important
for the successful launch of a product. The standard requires that an organization plan and
document the methods for ensuring adequate communication with customers. In addition, the
organization must document communication methods with regulatory authorities according to
applicable regulatory requirements.
Design and Development
Organizations are also responsible for documenting procedures and supporting documents for
design planning and development. The documents must be properly maintained and updated
regularly as new information is collected. Some other documentation requirements for the
product design development and planning phases include:
 Functional performance, usability and safety requirements
 Design inputs and outputs, including traceability
 Systematic design and development reviews
 Design verification and validation
 Transfer of design and development outputs to manufacturing
 Documented and controlled design change process
Purchasing
Organizations are required to evaluate supplier performance and determine the level of risk
assessed to the product (medical device) associated with the supplier. The organization is then
required to apply the appropriate controls based upon each supplier’s potential risk to the
product. This process must be documented and records maintained. Suppliers must inform
the organization of any changes to their components or to the product prior to the change.
Production and Service
Providing that servicing of the medical device is a product requirement, the organization must
document any servicing procedures, reference materials, and reference measurements
applicable to the product. The standard also requires the organization to examine the product
service records performed by the organization or its representatives as well as a supplier. The
standard also addresses documentation requirements relating to any product installation
activities by the organization or external parties.
Measurement, Data Analysis and Improvement
The organization shall develop and maintain systems, procedures and processes for
monitoring, measurement and continual improvement of the product and their processes. The
organization shall develop and implement quality procedures, or methods to ensure the
product meets or exceeds all customer and/or regulatory requirements. In addition, data must
be collected and analyzed to verify the effectiveness of the QMS. The data should include
information collected from monitoring and measuring the process and product as well as
feedback from customers and suppliers. The process of data analysis must be documented in a
procedure and the records of the analysis must be retained, available for review.
Control of Non-Conforming Product
To be ISO 13485 compliant, the organization must have a documented procedure which
defines the controls and roles and responsibilities for the control of nonconforming parts or
products. The procedure should cover preventive and detective controls in place to identify,
control, contain and prevent delivery of any non-conforming part or products. All non-
conformities shall be analyzed and evaluated to verify the need for any investigation of the
incident or communication to any external parties involved. There are recommended actions
based upon whether the non-conformity was discovered prior to or after delivery to the
customer. The following are examples of each scenario:
For nonconforming product detected prior to delivery
 Eliminate the nonconformity
 Preclude the original intended use or application
 Authorize its use, release, or acceptance only under concession.
Acceptance under concession is only permitted on the condition that approval is obtained from
the customer, and any applicable regulatory requirements are still met.
For nonconforming product detected after delivery
When nonconforming product is delivered to the customer or end user, the organization is
required to take action to minimize any adverse effects. Records of these actions must be
documented and maintained for review. In addition, the organization must have a documented
procedure for issuing advisory notices, which they are able to initiate at any time.
Reworking Product
For any reworking of the product to occur, the organization must have a documented
procedure that covers any possible negative effect the rework could have on the product.
Rework procedures should be reviewed and approved by management. In addition, there
should be a thorough inspection process in place to review the results of any rework. This is to
ensure that the product meets or exceed all customer and regulatory requirements.
 
Continual Improvement
To be truly effective over an extended period of time, the QMS must continually improve. In
many industries, organizations implement processes to asses risk to the product or process
quality. Through the evaluation of risk, an organization can identify opportunities for
improvement before a failure or non-conformity occurs. Many organizations also assess risks
from any potential hazards and identify opportunities to eliminate or reduce the risk.  In
addition, the organization must assure that they have a thorough understanding of any legal
or regulatory requirements that may apply to their organization, product, processes or
adherence to the standard. Plans for addressing legal requirements and addressing risks and
opportunities should be implemented during the development of the QMS. In order to truly
continually improve, organizations should actively seek out hazards and realize opportunities
for improvement that will make possible achievement of the intended goals and objectives of
the QMS. Improvement of the QMS is achievable through proactive identification of potential
non-conformities, implementing effective preventive and corrective actions and building a
continual improvement culture throughout the organization.
Corrective and Preventive Actions
The standard requires organizations to establish processes for reporting, analyzing and
developing Corrective Actions Preventative Actions (CAPA) to address any product
nonconformities. The organization must have a system in place and be prepared to react in a
timely manner when non-conformities occur. The team should take great care in defining the
hazard or non-conformity and determining the root cause. A root cause is defined as a
fundamental cause of an incident or non-conformity. When investigating non-conformities, if
we do not discover the root cause we will be treating a symptom and the issues will not be
resolved. The non-conformity may re-occur at the same workstation or elsewhere in the
organization. Many tools can be utilized for performing a Root Cause Analysis (RCA). Some
commonly used tools are listed below:
 Is/Is Not analysis.
 The Ishikawa or Fishbone Diagram
 5 Why & 5 How
 Failure Modes and Effects Analysis (FMEA)
Once the true “root cause” has been determined the organization or team must implement
appropriate corrective or preventive actions. In addition, the team should develop an action
plan for implementation and tracking the progress and documenting their effectiveness.  The
corrective actions should be determined and carried out with the active participation of
workers and the involvement of other relevant interested parties. In addition, the corrective
actions should be reviewed by management after a specified a specified length of time, usually
30 or 60 days to verify their continued effectiveness.
In Conclusion
ISO 13485 provides organizations with guidance for improving the quality of their products
and services, with the ultimate goal of achieving customer satisfaction and adherence to all
legal and regulatory requirements. Gaining compliance to an ISO standard requires a
measurable commitment of time and resources. Organizations willing to make that investment
will reap the benefits associated with certification and compliance to the ISO 13485:2016. With
the proper procedures, processes and documentation in place, an organization can gain a
positive reputation in the world marketplace along with potential financial benefits through
improved product quality and customer satisfaction. Through adherence to the standard and
development of a robust QMS, your organization can realize these benefits as you develop a
culture of continual improvement.  Establishing or updating your QMS to the requirements of
ISO13485:2016 may take several months or years depending on the size of the organization.
Successful implementation, maintenance, monitoring and continual improvement of the QMS
requires dedicated resources and constant support from organizational leadership. Measuring
effectiveness and continual improvement of the QMS may at times require the use of external
subject matter experts. If your organization is in need of additional resources or would like
more information regarding ISO 13485:2016 implementations, please contact one of the
professionals at Quality-One.