ISO 13485 Certification Standard Definition and Audit Requirements

Written by
Megan Conniff - Xometry Contributor
Updated by
 8 min read
Published May 31, 2023
Updated November 6, 2024

Learn about the requirements for a quality management system in the medical device industry.

ISO 13485. Image Credit: Shutterstock.com/Waldemarus

The ISO 13485 certification standard is an internationally recognized standard that stipulates regulations for a quality management system (known as a QMS) in the field of medical devices. These rules cover the design, development, production, installation, and servicing of both medical devices and related services. It’s based on the ISO 9001 standard, except ISO 13485 broadens it in some sector-specific areas. We’ll explain all about this certification, its audit requirements, criteria, benefits, and all the associated standards in this article.

What is ISO 13485 Certification?

As briefly explained in the intro, ISO 13485 is a necessary and important certification for businesses designing, producing, and/or distributing medical devices. The standard establishes QMS guidance for devices and relates to most activities in the medical device industry, including the construction and supply of diagnostic tools, surgical instruments, implants, prosthetics, and other completed medical devices. It also relates to any company that manufactures custom parts, or supplies raw materials to the medical device sector.

While it’s not universally required for all companies in the medical device sector, there are situations where it may be necessary, or at least highly beneficial. For starters, the certification demands regulatory adherence in some areas of technology. Most customers, distributors, and healthcare providers prefer clients who are certified and often require it to do business. Some suppliers require it to keep their own high reputations.

Certification can be a contractual obligation in the manufacturing, or research and development, of medical devices. Since it’s a requirement that a QMS manages risks, certification indicates a commitment to reducing risk and complying with standards. ISO registration also helps with international business. The well-known industry language increases confidence in a company.

The certificate proves a company’s regulatory compliance when it comes to these devices and covers risk management and controlled processes. Getting the certificate is no easy feat as companies are thoroughly inspected by auditors who are looking for absolute internal compliance, thorough monitoring processes, and recorded traceability from design and development to production, installation, servicing, and product end-of-life procedures. Ultimately, they want to make sure that a company can demonstrate processes and controls that guarantee the safety, effectiveness, and quality of medical devices for their whole lifespan.

Contract manufacturers or OEMs providing medical devices and related services use this standard to show their compliance throughout the process, from concept to patient use. It also applies to medical device distributors and importers to prevent risk in case of potentially faulty or non-compliant pieces. Also included are service providers in maintenance, calibration, repair, and technical support, and teams that work in medical device innovation and development. If they can show pre-compliance from the start, it’s easier to comply later in the process.

Benefits

There are lots of benefits that come with having an ISO 13485 certification. For instance, regulatory compliance makes it easier for companies to bring products to the market, since they have an easy way to show they’re in accordance with the rules. It also means they can release better-quality products with safety records. This is due to the systematic approach that ISO 13485 requires. It helps produce consistently safe medical devices and mitigate risks.

Certified companies often report better customer and market confidence, since it shows their commitment to quality and customer satisfaction. It shows both customers and healthcare professionals that they follow internationally recognized standards and practices. Since certification demands effective procedures, companies naturally see better efficiency and can detect and prevent issues early, as well as reduce mistakes, and prevent waste. 

Most business partners prefer to work with certified organizations since they’ve shown commitment to compliance and quality, so having the certificate will give a company an edge over the competition. ISO 13485 also demands regular improvement. When improvement is a part of the corporate culture, employees won’t think twice about tracking their performance and analyzing outcomes. And if aspects become substandard, they will know how to improve the process.

Quality Management Systems

To receive this certification, the company has to build an internal QMS operation that meets the standard. When the QMS is in place, the company goes through an extensive audit by someone with accredited certification. The audit evaluates the company’s compliance with the certification requirements and assesses the efficacy of the QMS. A QMS is a framework and structure for an operation. It ensures the results of the company comply with customer needs and expectations, regulatory standards, operational requirements, and internal self-improvement mechanisms within the company. 

A solid QMS details procedures, record keeping, communications, risk assessment, and regular ways to improve, including policies and objectives, document control, employee training and capability, supplier management facilities, corrective and preventative actions, and constant improvement. Compliance with QMS standards can be evaluated and certified by outside sources, and there are similar standards that are relevant to both general and specific sectors and specializations. 

Usually, QMS planning is based on international standards like ISO 9001. It gives creators a framework to establish, apply, and maintain quality-management measures with the aim of continual improvement. The systems can be adapted to lots of industries and individualized for specific markets and regulatory requirements. 

Criteria

There are six main criteria for ISO 13485 audits. The auditor first goes over the organization’s QMS documentation (i.e., policies, methods, work directives) to confirm it meets requirements. Next is the on-site audit to assess the system’s execution and effectiveness and evaluate processes and procedures, including staff interviews to confirm they understand the criteria. Third is the process evaluation to ensure everything is documented and controlled, and after that, we have regulatory compliance. This shows whether the company meets requirements like those from the FDA in the U.S. or the Medical Devices Directive in the EU.

The fifth criterion is addressing noncompliance and corrective actions. Any points where the company fell short during the audit have to be addressed and fixed. The non-compliant components will have to be re-audited after being corrected. The auditor may also assess the organization’s process for correcting the problems. Finally, there is a management review. The auditors assess how management evaluates the QMS internally and their methods of improvement.

Audit/Accreditation Process

Typically, the ISO 13485 audit and accreditation process follows specific steps. It starts with preparation, when the applicant builds and applies a QMS that meets the standard. This may include a major culture shift within the company and needs the entire organization to be on board. Next is documentation, when the applicant team documents how the QMS complies with the standards. Third is an internal audit, which tests initial compliance. Doing this highlights weaknesses so the company can improve before the actual audit.

Once that’s completed, the company invites (and pays for) an accredited certification organization to audit its QMS. This is known as the certification audit and deals only with documentation. Auditors determine that the company’s plan complies with ISO 13485 on paper. Stage two, which takes place once any necessary corrections are completed, is more hands-on and evaluates the operational effectiveness of the QMS.

Following the certification audit is nonconformity management. If there are aspects that the auditors find to be lacking, the company has to fix the issues in order to receive their certification. Once they have everything as it should be, the auditors confirm the fixes and issue the certificate. While having the certification is a great thing, the monitoring doesn’t end there. Companies are subject to regular (typically once a year) surveillance audits by a certification body to ensure that their QMS is still in compliance.

Accrediting Bodies

Gaining certification is a layered process. The primary layer includes national accreditation bodies that review and authorize local-level service providers. In turn, these providers do certification audits for registrant companies and organizations. This way, there is a traceable path of adherence for all parties, right up to the national or regional accreditation service.

Service providers receive accreditation from national or regional bodies that determine their ability to meet the standards needed to certify others. The accreditation body that’s relevant to your certifier will vary by region. Some leading national organizations are listed below.

| Accreditation Body | Abbreviation | Country |
|---|---|---|
| ANSI-ASQ National Accreditation Board | ANAB | USA |
| United Kingdom Accreditation Service | UKAS | UK |
| Standards Council of Canada | SCC | Canada |
| National Accreditation Board for Certification Bodies | NABCB | India |
| Deutsche Akkreditierungsstelle GmbH | DAkkS | Germany |
| Joint Accreditation System of Australia and New Zealand | JAS-ANZ | Australia/New Zealand |
| The Certification and Accreditation Administration of the People’s Republic of China | CNCA | China |

Similar Certifications/Accreditations

There are lots of other certifications that are similar in their focus on QMS in the medical device industry or related fields, some of which you can find in the table below. 

| Standard | What it covers | Other information |
|---|---|---|
| FDA Quality System Regulation (QSR) | Sets medical device quality system requirements in the U.S. for manufacturers | Is also known as 21 CFR Part 820, and is mandatory to sell medical devices in the U.S. |
| Medical Device Single Audit Program (MDSAP) | A single audit to check for met regulations across different jurisdictions (so no need for multiple audits for each area) | Determines adherence to the rules of countries like America, Canada, Brazil, Japan, and Australia |
| IEC 62304 | A compulsory European standard for medical device software programs | Has regulations for software development, maintenance, and risk mitigation |
| ISO 14971 | An international standard for risk management of medical devices | Focuses on managing risks in development and production and is often needed in addition to ISO 13485 |
| ISO 13971 | An international standard for risk management in medical devices, offering process guidance | Often paired with ISO 13485 practices |
| IEC 60601 | Safety and performance requirements | Particularly relevant for devices used in hospitals or that have direct contact with patients |
| ISO/IEC 27001 | Covers information security management systems | Not specific to medical devices, but can be relevant for products and services that handle patient data |
| ISO 9001 | The primary QMS standard which applies to most industries | ISO 13485-registered companies often add this for better quality management |
| CE Marking | The conformity assessment mark indicates a product’s compliance with health and safety requirements in Europe (including European Medical Device Regulation (EU 2017/745) or In Vitro Diagnostic Regulation (EU 2017/746), depending on the type of medical device) | Is mandatory for the sale of any medical device in the European Economic Area, includes adherence to ISO 13485 |
| ISO 45001 | A health and safety management standard that applies in all developed markets | Helps businesses manage risk and workplace safety to protect staff health and well-being |

How Xometry Can Help

We are proud to say that as of March 31, 2022, Xometry is ISO 13485 certified. Becoming ISO 13485 certified shows that our QMS is appropriate and effective for the safety and quality of manufacturing medical devices. This certification joins our growing list, including ISO 9001:2015 and AS9100D. Read our full Medical Device Manufacturing Certification press release.

Xometry offers a wide range of manufacturing capabilities, including medical CNC machining, and other value-added services for your prototyping and production needs. You can get started today by uploading your designs to the Xometry Instant Quoting Engine®.

Disclaimer

The content appearing on this webpage is for informational purposes only. Xometry makes no representation or warranty of any kind, be it expressed or implied, as to the accuracy, completeness, or validity of the information. Any performance parameters, geometric tolerances, specific design features, quality and types of materials, or processes should not be inferred to represent what will be delivered by third-party suppliers or manufacturers through Xometry’s network. Buyers seeking quotes for parts are responsible for defining the specific requirements for those parts. Please refer to our terms and conditions for more information.

Kat de Naoum
Kat de Naoum is a writer, author, editor, and content specialist from the UK with 20+ years of writing experience. Kat has experience writing for a variety of manufacturing and technical organizations and loves the world of engineering. Alongside writing, Kat was a paralegal for almost 10 years, seven of which were in ship finance. She has written for many publications, both print and online. Kat has a BA in English literature and philosophy, and an MA in creative writing from Kingston University.
