KNOW THE DIFFERENCE BETWEEN ISO 9001 & ISO 13485
Written by: P. K. SHARMA?????
(Lead Auditor & Trainer – ISO 13485:2016 – MD-QMS)
?In my experience helping company’s implement the ISO 13485 Quality Management System, I have come across those that already have a ISO 9001 quality system in place, and they believe it should only involve a certification audit to achieve implementation of ISO 13485 and obtain Certification.
?The reality is of course that it will almost certainly involve more effort than just booking a certification audit. Although, if a company already has a quality management system in place and certified to ISO 9001, it should take less effort to implement ISO 13485 than starting from scratch, but there are still some significant differences between the two standards that will likely need to be addressed.
?This encouraged me to write this article, and outline the key differences between the two standards, that should be considered by any company who has a ISO 9001:2015 QMS, and wants to meet the medical device quality management system requirements and obtain ISO 13485:2016 Certification.
?This is going to be a relatively high level summary of the differences, and for any company needing to implement ISO 13485, I highly recommend conducting an in depth Gap Analysis between your ISO 9001 QMS and the requirements of ISO 13485, before starting the implementation process.
?ISO 13485 – ISO 9001 Differences Include:
Background
ISO 13485:2016 is a medical device industry specific interpretation of ISO 9001 and is a stand- alone standard whose content makes no reference to ISO 9001. It was initially published in 1996, and revised editions released in 2003 and 2015.
With these updates ISO 13485 has become increasingly different from ISO 9001 and compliance with one standard does not necessarily imply compliance with the other. In fact it is almost certain, in my experience, that there will be significant effort required to build on the current QMS, to add the ISO 13485 requirements before ISO 13485 Certification can be achieved.
More on ISO 13485:2016
ISO 13485:2016 is a globally recognized regulatory and quality standard. It adopts the process model concepts of Plan, Do, Check, Act, same as ISO 9001. ISO 13485:2016 is designed for medical device companies of all sizes and all product classifications.
?The ISO 13485 standard is an effective solution to meet the comprehensive requirements for a QMS. Adopting ISO 13485 provides a practical foundation for manufacturers to address the regulations and responsibilities as well as demonstrating commitment to the safety and quality of medical devices.
?ISO 13485 was written to support medical device manufacturers in designing a QMS that establishes and maintains the effectiveness of their processes. It ensures the consistent design, development, production, delivery, servicing and maintenance of medical devices that are safe and fit for their intended purpose.
?The value of ISO 13485 is not just in the implementation but also in providing a tool for a thorough audit to test the effectiveness of the quality system. It provides the manufacturer with a higher level of confidence in the ability to consistently achieve and maintain compliance with regulatory requirements.
?It can provide improved management of processes, activities and functions which can result in reducing costs through ongoing improvements. By using the required robust design and development processes, it can help ensure quality is designed into the product and significantly reduce the costs of inspection and testing. It can also help to minimize surprises and failures which might adversely affect patient safety and damage the reputation of the manufacturer. .
Review of the differences between ISO 13485:2016 and ISO 9001:2015
Before getting into the differences in the two standards here is a summary of some of the similarities:
·??????The standard’s role in helping organizations achieve a quality management system
·??????Risk mitigation and assessment is a focus in both standards
·??????A focus on the realization of quality products through understanding the customer
·??????Both ISO 9001 and ISO 13485 use Deming cycles (Plan-Do-Check-Act)
·??????ISO 13485 and ISO 9001 emphasize employee competency and infrastructure for quality
Now the differences, and the table below is a quick snapshot of some of the top level key differences in the two standards, and we will focus on those:
For a company that already has a ISO 9001 quality system in place and is certified, the following will cover the most likely areas of difference, depending on the scope of their company and facility, that will need to be addressed in order to meet the ISO 13485:2016 requirements.
Device Files and Medical Device Terminology
For every medical device type or device family there needs to be Medical Device File established, and maintained that includes, or references documents that contain the following:
·??????Description of the product, its use and purpose, labeling and instructions for use.
·??????Specifications of the product.
·??????Specifications and procedures for manufacturing, storage, handling and distribution.
·??????Procedures for measuring and monitoring
·??????As appropriate procedures for installation and servicing
Risk Management
In ISO 9001 risk management is included, and is a requirement that appears in 7 different clauses of the Standard. In ISO 13485 the term “risk” is mentioned more than 40 times and in 12 different clauses.
As ISO 13485 is for medical devices it makes sense that risk has become a major part of the quality system and regulatory requirements.
In one of the very first ISO 13485 sections 4.1.2 b) General requirements, it states the organization shall:
apply a risk based approach to the control of the appropriate processes needed for the quality management system
Risk is also a requirement under Training, Design and Development, Purchasing, Validation of Processes and Software, and Feedback from Customers.
In order to comply with the ISO 13485:2016 requirements the organization must establish and maintain effective risk management processes throughout their Quality Management System.
Meeting Regulatory Requirements
ISO 9001 is a quality management system appropriate for all types of organizations, and can be applied broadly in companies across industries, and is a basis for voluntary certification. It does not include the need for compliance with regulatory requirements that may not exist for the companies specific industry and scope.
ISO 13485 is intended specifically for medical device companies and is a basis for regulatory certifications. ISO 13485:2016 specifically requires medical device companies to “establish and maintain records needed to demonstrate conformance to this International Standard and compliance with applicable regulatory requirements.”
Conformity with the ISO 13485:2016 QMS requirements does not always mean that compliance with local regulations has been achieved, especially in the United States where compliance with the FDA QSR is required for medical devices companies. Also for Europe compliance is also required to MDR, and many other countries have specific standard regulatory requirements.
Additional Procedures
This maybe the biggest difference in the two standards and the one involving the major percent of effort for any company who currently has ISO 9001 and wants to implement ISO 13485.
Every company will have a different starting point and end target need, based on the scope of their business, depth of their current QMS and how many procedures they currently have that go beyond the documented requirements of ISO 9001. However if we take the 6 mandatory procedures in ISO 9001 as compared to the 27 in ISO 13485, that is a significant difference.
Now let’s review a summary, by ISO 13485:2016 element, the potential differences with requirements that may need to be addressed by adding or revising documents for a company with a current ISO 9001 QMS:
Quality Management System and Management Responsibility
ISO 13485:2016 has some additional requirements under section 4 and 5 and some examples, include specific documentation and record requirements, as well added management responsibilities.
Examples:
The quality management system for ISO 13485 is to be documented and effectiveness maintained in accordance with the requirements of the standard and applicable regulatory requirements. (4.1.1)
The organization is required to document the role(s) undertaken by the organization under the applicable regulatory requirements. (4.1.1)
Determination of the processes required for the quality management system and the application of those processes throughout the organization considering the roles undertaken by the organization (4.1.2)
Changes to the quality management system processes need to be evaluated for their impact on the medical devices produced under their QMS (4.1.4b)
领英推荐
The Quality Manual shall include the scope of the quality management system, including details of and any justification for any exclusion or non-application. (4.2.2)
The management team is responsible for the quality policy and a framework for review quality objectives (5.3)
Quality objectives including those needed to meet applicable regulatory compliance must be verified and measured by management (5.4)
Top management is to ensure that responsibilities of personnel who manage, perform and verify work affecting quality are defined and documented. (5.5)
Management is responsible for maintaining QMS standards by assigning responsibility (5.5)
Management review to include customer feedback, reporting to regulatory authorities and any new or revised regulatory requirements (5.6)
Resource Management
ISO 13485:2016 incorporates in-depth requirements for resource management including Provision of Resources, Human Resources, Infrastructure, Work Environment and Contamination Control.
Examples:
Provision of resources to meet applicable regulatory and customer requirements (6.1) Maintenance activity requirements must be documented, and records maintained (6.4) Document requirements for personnel health, cleanliness, and clothing (6.4) Document where applicable, procedures for monitoring of the work environment (6.4)
Documented as appropriate systems for the containment of contaminated or potentially contaminated product if (6.4)
Product Realization
ISO 13485 provides in-depth requirements to improve customer product requirements and quality objectives, safety and customer satisfaction. Validation of process, equipment, cleanliness, and risk management throughout the product development life cycle are critical drivers of quality. ISO 13485 doesn't deemphasize the role of policy and procedure in quality or remove customer satisfaction as the outcome of a quality driven culture. Instead, it builds on these requirements with specific standards for production and the supply chain.
Examples:
Documented procedure requirements and records for risk management activities (7.1) Determine applicable regulatory requirements related to the product (7.2.1)
Plan and document procedures for customer communications for feedback, customer complaints, and advisory notices (7.2.3)
Procedures for Design and Development, and determination of Design Inputs including applicable regulatory requirements and standards and applicable output(s) of risk management. (7.3.3)
Procedures for Purchasing to include criteria for the evaluation and selection of suppliers based on the effect of the purchased product on the quality of the medical device and proportionate to the risks associated with the medical device. (7.4.1)
Document, define, and retain relevant purchasing information for traceability (7.4) Create and implement SOPs for labeling and packaging (7.5)
Create a unique, specific record for each batch of devices manufactured and approved (7.5)
Verify and approve each device batch record (7.5)
Document product cleanliness requirements if the device is sterilized, including sterilized before use (7.5)
As required create specific requirements for the installation and verification of the device, including guidelines for other organizations who may install or verify a device (7.5)
Create records of installation and verification (7.5)
Document servicing activities, procedures, and maintain records (7.5) Create procedures to identify and address returned products (7.5)
Create a process for traceability and the identification of product status (7.5)
Document procedures related to assuring product shelf life has not expired, if applicable (7.5)
Measurement, Analysis and Improvement
ISO 13485:2016 requires additional definition of the types of improvement activities medical device companies need to ensure products conform to requirements and are safe and effective.
Some of the main additions include requirements for customer feedback, monitoring of product performance, and how to control non-conforming product before delivery and after delivery.
Examples:
Procedure required for a feedback system to determine if customer requirements have been met and which provides potential input into risk management. (8.2.1)
Procedure for customer complaint handling and applicable regulatory requirements (8.2.2) Document the need to report information on complaints to regulatory authorities (8.2.3)
Monitor and measure products for quality throughout production and verify all quality requirements are met before the product is released (8.2.4)
?Document required rework activities and the release of nonconforming product (8.3) Create formal procedures for quality data collection, analysis, and retention (8.4)
Justify any customer complaints which are not investigated and create procedures for notifying applicable regulatory bodies of adverse events (8.5)
?Conclusion
?So a significant number of new procedures required as well as changes to other procedures which should already exist in the company’s current ISO 9001 quality management system.
CAPA Records in QMS
Procedures for Corrective and Preventive Actions are a requirement for both Standards and ISO 13485:2016 has the added requirement under 8.5.2 for:
?Records of the results of any investigation and action taken shall be maintained.
?That requirement may not be such a big difference, but one needs to remember that
ISO 13485:2016 also includes regulatory requirements, and CAPA can be one of those key areas under many International regulatory compliance requirements, i.e., United States FDA which places a major focus on CAPA.
Final Thoughts
First would like to emphasize again that this was just a summary with examples of some of the difference between the two standards.
?Any company planning to become certified to ISO 13485 should start their implementation with a detailed Gap Analysis, followed by the appropriate Implementation Plan.
?The steps involved in implementing ISO 13485:2016 with the established base of already holding the ISO 9001 QMS should be the same as if starting with no certified quality management system and I recommend you follow the process as shown below.
?Start with a gap analysis and implementation plan followed by revising your current procedures to include the ISO 13485 requirements as well as generating any additional procedures required.
Training can be ongoing as required, and same with Internal Audits. Start the certification process once you’re far enough along with the QMS implementation, and hopefully your current ISO 9001 Certification Body can also cover ISO 13485.
How can ‘DIYA Training & Certifications P. Ltd. help:
DIYA TRAINING AND CERTIFICATIONS P. LTD.
Want to learn more about our Consulting , please do write us back on :
Email : [email protected]?, Mobile : +91 9780585502 / +91 8427908000