Manufacturing medical devices to ISO 13485:2016

Posted: 1 July 2019

Continuous innovation is key to the advancement of medical device technology. To allow for innovation, whilst also assuring safety and effectiveness, global standards are required. This article provides information for companies manufacturing medical devices on the benefits of holding ISO 13485 certification and how to get certified.

ISO 13485:2016 is the latest standard from the International Organization for Standardization that sets out quality management system requirements, rules and guidelines for any company that designs, manufactures, installs, distributes or services medical devices. This includes companies that provide related services or components at any stage during a medical device product lifecycle, such as technical support, suppliers and external third parties. ISO 13485 allows a company to demonstrate that it consistently meets customer needs and medical device regulatory requirements and complies with local legislation. It is closely related to ISO 9001, which covers requirements for quality management systems, but emphasises areas such as risk management (demonstrated herewith), the work environment and medical device documentation and reporting.

What is a medical device?

A medical device under ISO 13485 covers any instrument, apparatus, equipment, implant, in vitro reagent or similar, which is used to diagnose, prevent or treat a medical condition. This coverage is clearly extensive and includes anything from basic manual tools such as scalpels, to wheelchairs, life-support machines, test kits and pacemakers.

Benefits of holding ISO 13485 certification

As the medical device industry is so highly regulated, the safety, effectiveness and performance of all products are crucial. Holding ISO 13485 certification clearly demonstrates to both customers and regulators a company’s commitment to continual improvement, safety and quality. Companies that hold ISO 13485 certification:

  • Show they comply with medical device regulations and legal requirements, eliminating uncertainty for all stakeholders
  • Successfully manage risk
  • Manufacture quality medical devices consistently
  • Improve processes, efficiencies and overall performance with an effective quality management system
  • Reduce costs through efficiencies in processes and supply chains
  • Gain competitive advantage
  • Have more opportunities to access global markets and build company growth.

How to get ISO 13485 certification

This is a brief overview of the main things your company must do in order to achieve ISO 13485 certification. There are of course nuances and further detail within each of these steps.

  1. Identify processes: firstly, it’s important to identify and collate all the processes your company carries out that are in any way connected with medical devices. Even if you don’t manufacture something commonly considered as a ‘device’, such as a scalpel or piece of medical equipment, you may manufacture a chemical that helps the device to function. This is still classed as a medical device.
  2. Create a process flow: you must then produce a process flow. Start at purchasing (and note that any raw materials you use must meet certain standards), all the way through to dispatch, installation and ongoing servicing, if that’s something your company does. Look at all the processes in between your start and end points for the type of medical device your company works on. For example, this could be receipt of the purchased product, goods inwards verification, quality testing, storage, manufacturing and product release.
  3. Establish risks: for each of your identified processes, you must compile a set of written procedures and establish where there is potential of risk to the quality of the product. This could be anything from risk of contamination or deterioration, control of records, employees not having undergone training and any suppliers that may need to go through an approval or checking process to ensure they are compliant. The next step is to identify and implement control measures that will reduce any possible risks.
  4. Monitor and measure: you must monitor, measure and review all the processes and risks you’ve identified on an ongoing basis and record these reviews as they are carried out. Any equipment you use to monitor and measure your processes and products must also be controlled, calibrated and validated. Internal auditing is an important part of monitoring and measuring your processes, but can also include the number of complaints you may receive, any feedback from customers and any product non‑conformances or deficiencies. This must all be documented and any improvement actions should be identified and then implemented.
  5. Manage change: it’s important to have a change control process in place for your quality management system. This should enable you to evaluate the impact of any changes to either the product or your processes and manage them appropriately. For example, if you are manufacturing an in vitro diagnostic reagent and you find the product is non-conforming, there must be procedures in place to correct this. You may have to stop dispatching the product, make corrections within the manufacturing process or even recall the product. You should also implement corrective and preventative action to address any future non-conformances.
  6. Document everything: you must create a quality manual that references all the documents in your system and within each process. Each medical device must have its own file or record, which includes elements such as a product description, use, specifications, storage, handling, measuring, installation and servicing. These documents must be controlled, for example with version numbers and issue dates, and records must be kept for the lifetime of the device. You should be prepared to show any documentation to relevant regulatory authorities if applicable to the medical device you manufacture.
  7. Organise external audits: it’s a requirement to have an external quality management system audit on an annual basis. This audit will check your processes and internal audits. If you want to obtain full ISO 13485 certification this will need to be renewed every three years.
  8. Get management commitment: to successfully achieve ISO 13485 certification, management support is required to ensure you have the necessary availability of resources and infrastructure. This could be anything from new equipment, workspace such as a clean or a sterile environment, supporting services or budget. You should also undertake an annual management review. This should cover quality management system (QMS) performance over the course of the previous year using results from your internal audits, investigating anything that may have gone wrong, the number of complaints, any non‑conformances and delivery results. From this, improvement measures should be identified and implemented.

ISO 13485 and risk management

ISO 13485 is heavily biased to – and places great emphasis on – risk management, simply because medical devices are being used with people in some way. A risk-based approach is woven into the quality management system and is required through the lifecycle of the medical device. While this can be challenging for manufacturers of medical devices, it is a necessary focus that promotes safety, quality, compliance and product efficacy. For example, it’s a requirement that any employee working on an identified medical device process has a good working knowledge of ISO 13485 in order to minimise risk of human error and ensure they are able to make informed decisions.

Advice for manufacturers planning certification

Firstly, you should confirm that the device(s) your company manufactures can be defined as a medical device under ISO 13485 standards; or, if you provide a medical device service, that your service is related to a product defined as a medical device. Getting ISO 13485 certification is challenging and requires commitment so, secondly, it’s important that your leadership team confirms that holding the certification will add value to your company, meet its business objectives and support its strategy. While holding the full certification is not strictly necessary, as your company can still conform to and benefit from ISO 13485 standards without being externally certified, it does clearly demonstrate to all stakeholders that you comply with its requirements. If you do want to become independently certified there are two phases; the first covers documentation, while the second implements your quality management system and audits it. You must carry out phase two within six months of completing phase one.

ISO 13485 certification costs

For companies who wish to be fully ISO 13485 certified, there are associated costs for external, independent certification. Although you may be under cost pressure, it’s important to work with an independent auditor who will add real value to your company during the certification process. In this highly regulated industry, choose a reputable auditing company with extensive expertise rather than one that enables you to gain certification at the lowest price.

ISO 13485 and European Union medical device regulatory requirements

Complying with ISO 13485 standards and gaining the certification is also a first step towards complying with the European regulations and requirements for Medical Devices and in vitro Diagnostic Medical Devices (EU Directives 93/42/EEC, 90/385/EEC and 98/79/EEC).


JESSICA CLIFTON is an expert technical writer with over 17 years’ experience. She has worked for companies large and small, both at home and abroad. Jessica’s key skill is taking a complex technical subject and distilling it down into readable, easy-to-understand content.


One response to “Manufacturing medical devices to ISO 13485:2016”

  1. SITA RAM GARG says:

    Is there any printed material available to follow world standard parameters and requisite taking into account the use of the medical device safety risk coverage and acceptability in the market in general fulfilling prescribed rules by WHO and other approval giving agencies worldwide?
