ISO 13485 is an internationally recognized standard that specifies requirements for a quality management system (QMS) in the medical device industry. It focuses on the design, development, production, installation, and servicing of medical devices and related services. ISO 13485 is based on the ISO 9001 standard but expands upon it in some sector-specific areas. The standard prioritizes regulatory compliance, risk management, and the control of processes related to the design, production, and distribution of medical devices.
An expansive audit process is applied to companies seeking accreditation in ISO 13485. Auditors check for complete internal compliance, robust monitoring processes, and traceability of records.
This article will discuss ISO 13485 certification, its audit requirements, criteria, benefits, and its related standards.
What Is an ISO 13485 Certification?
ISO 13485 certification confirms that the certified company has established suitable, independently audited processes and controls to ensure the safety, effectiveness, and quality of medical devices throughout their lifecycle. This encompasses control of processes from design and development to production, installation, servicing, and end-of-product life. To obtain ISO 13485 certification, an organization must build a QMS process internally that complies with the standard. With the QMS in place, the company undergoes a comprehensive audit by an accredited certification body. The audit assesses the organization's compliance with the ISO 13485 requirements and evaluates the effectiveness of its QMS.
What Are Quality Management Systems?
Quality management systems are operations frameworks and structures that ensure the deliverables of the organization comply with: customer needs and expectations, regulatory standards, operational requirements, and internal self-improvement mechanisms within the company.
A well-defined QMS documents procedures, record keeping, communications, risk assessment, and continuous improvement methodologies. QMS standards adherence can be assessed and certified externally, with various parallel standards applicable to general and particular sectors and specializations. Key components of a quality management system are: quality policy, quality objectives, document control, risk management, employee training and competence, supplier management facilities, corrective and preventive actions, and continuous improvement.
QMS approaches are generally based on international standards such as ISO 9001. This provides a framework for the establishment, implementation, maintenance, and continuous improvement of quality-management measures. These systems can be adapted to various industries and tailored to meet specific market and regulatory requirements.
In Which Industries is ISO 13485 Relevant?
ISO 13485 is the standard developed for the medical device sector. It details QMS guidance that covers the design, development, production, installation, and servicing of medical devices. It is relevant to most activities in the medical device industry, including:
- Manufacturers of finished medical devices and systems. This covers the manufacture and supply of diagnostic tools, surgical instruments, implants, prosthetics, and other medical devices.
- Any company manufacturing custom components or supplying raw materials to the medical device sector.
- Any contract manufacturer or OEM providing services in the medical device sector so they can demonstrate the continuity of compliance through the entire process from concept to patient.
- Distributors and importers of medical devices to obviate their risk in the potential supply of faulty or non-compliant goods.
- Providers of services in the maintenance, calibration, repair, technical support, or other servicing of medical devices.
- Teams operating in medical device innovation and development. If they show pre-compliance at the ideation stage, it’s easier to comply later in the process as well.
What Are the ISO 13485 Audit Criteria?
These are the main ISO 13485 audit criteria:
- Document Review: The auditor reviews the organization's QMS documentation, (policies, procedures, work instructions, and records) to ensure it meets the requirements of ISO 13485.
- On-Site Audit: The audit aims to assess the documented system’s implementation and effectiveness as a standards-compliant QMS. It evaluates processes, procedures, and records and includes interviews with personnel to verify their understanding and engagement.
- Process Evaluation: Processes must be documented, controlled, and compliant with ISO 13485. This includes all stages, from design and development processes through risk management procedures to supplier management practices and other relevant processes.
- Regulatory Compliance: The audit confirms compliance with regulatory requirements, such as those from the FDA in the United States or the Medical Devices Directive in the European Union.
- Noncompliance and Corrective Actions: Any audit shortfalls must be addressed and corrected. Those non-compliant components will then need to be re-audited. The organization’s process for correcting these problems may also be assessed.
- Management Review: Auditors assess the top management’s internal QMS evaluation and improvement methods.
The ISO 13485 Audit and Accreditation Process
The ISO 13485 audit and accreditation process typically involves the following steps:
- Preparation: The applicant must build and implement a QMS that meets the standard. That often necessitates a major culture shift within the company. This needs buy-in from the entire organization.
- Documentation: The applicant team must document how their QMS complies with the standard. This requires detailed policies, procedures, work instructions, records, and various other documents.
- Internal Audit: This serves to test initial compliance. It is often performed by members of the applying organization to help the entire company prepare for the certification audit. This internal audit highlights any weaknesses so the company can improve on internal processes before the real audit.
- Certification Audit: The company invites (and pays for) an accredited certification organization to audit its QMS. The stage-one audit deals with documentation only; auditors review the company’s plan and process to verify that it complies with ISO 13485 on paper. This document review is supported by internal interviews to assess preparedness for the stage-two audit and develop a corrective actions list if necessary. Stage two audits assess the operational effectiveness of the QMS after any initial corrective actions have been completed. This entails more interviews and usually an on-site visit to test compliance and review quality records.
- Nonconformity Management: Any aspect which the auditors mark as lacking is considered a nonconformity. The company must take corrective actions in order to receive certification.
- Certification Decision: When the organization is judged to be in compliance, they’re issued an ISO 13485 certification.
- Surveillance Audits: These are conducted regularly (generally annually) by a certification body to validate that the organization is continuing to operate its QMS in compliance with ISO 13485.
What Are the Benefits of an ISO 13485 Certification?
Obtaining ISO 13485 certification offers several benefits for suppliers in the medical equipment space. For instance:
- Regulatory compliance makes it easier for certified organizations to take products to market because they have a simple way to demonstrate compliance with applicable regulations. This certification facilitates market access and regulatory approvals for medical devices, as regulatory bodies often recognize ISO 13485 as a reliable indicator of a robust quality management system.
- Companies often come out with better-quality products and safety records. ISO 13485 promotes a systematic approach that consistently produces safe and effective medical devices. Compliance with the standard helps them identify and mitigate risks. Appropriate controls throughout the product’s life cycle lead to improved product quality and better patient outcomes.
- ISO 13485-certified companies commonly report better customer and market confidence. The accreditation demonstrates an organization's commitment to quality and customer satisfaction, assuring customers, healthcare professionals, and end-users that they follow internationally recognized standards and best practices for medical device manufacturing. This can improve market acceptance and open new business opportunities.
- Certification demands that organizations establish effective processes and procedures, so they naturally see better efficiency as a result. These processes cover all aspects of medical device-related business including design, development, production, and service. This orderly approach streamlines operations, reduces errors and rework, and helps eliminate waste.
- Risk management and mitigation are key demands of ISO 13485 certification. A strong risk analysis approach equips organizations to identify potential risks associated with their products and processes and to implement appropriate mitigations. This helps them identify and address potential issues early, reducing adverse events, and protecting the organization’s reputation.
- Competitive advantage and market access accrue with ISO 13485 certification. Many customers, suppliers, and partners prefer to work with certified organizations because they’ve demonstrated commitment to quality and compliance. Certification can open new markets and facilitate international trade.
- Continuous improvement is a central tenet of ISO 13485. When improvement becomes part of the corporate culture, employees won’t think twice about monitoring their performance, defining objectives, and analyzing outcomes. When aspects come up lacking, they will know how (and be willing) to improve the processes.
When Are ISO 13485 Certifications Required?
ISO 13485 certification is not universally required for all companies in the medical device sector. However, there are certain situations and circumstances where ISO 13485 certification may be necessary or highly beneficial:
- Certification enforces regulatory compliance in certain sectors and technology areas.
- Most customers, distributors, and healthcare providers prefer certified clients and many require certification as a condition for doing business. These entities may request or demand suppliers or partners have ISO 13485 certification to ensure the quality and safety of their products.
- Certification may be a contractual obligation in the manufacturing or research and development of medical devices. Registration is often stipulated in contracts or agreements.
- Suppliers may require certification in order to uphold their own reputations.
- Risk management is required, codified, and improved as part of the establishment of a QMS. Certification demonstrates to the market a commitment to risk management practices and compliance with standards.
- ISO registration is very helpful in international business. It is a common industry language that makes the organization appear regulated and compliant, increasing long-distance confidence in the quality of outcomes/deliverables.
- Certification drives continuous improvement. ISO 13485 promotes a culture of continuous improvement and companies that want ongoing enhancements in their processes, product quality, and customer satisfaction often pursue ISO 13485 certification as a means to instill this cultural change into the business.
What Accrediting Body Issues ISO 13485 Certifications?
The ISO 13485 certification process is layered. The primary layer consists of national accreditation bodies that assess and authorize local-level service providers who, in turn, perform certification audits for registrant companies and organizations. In this way, the adherence/compliance of all parties is traceable back to the overarching national or regional accreditation service.
Accreditation of these service providers/certifiers is controlled by national or regional accreditation bodies that evaluate their competence to ensure they meet the standards required to certify others. The accreditation body applicable to your certifier will vary by region, but these are some of the leading national organizations:
- ANSI-ASQ National Accreditation Board (ANAB) - USA
- United Kingdom Accreditation Service (UKAS) - UK
- Standards Council of Canada (SCC) - Canada
- National Accreditation Board for Certification Bodies (NABCB) - India
- Deutsche Akkreditierungsstelle GmbH (DAkkS) - Germany
- JAS-ANZ (Joint Accreditation System of Australia and New Zealand) - Australia and New Zealand
- The Certification and Accreditation Administration of the People's Republic of China (CNCA) - China
Similar Certifications and Accreditations to ISO 13485
There are several certifications and accreditations that are similar to ISO 13485 in terms of their focus on quality management systems in the medical device industry or related fields:
- FDA Quality System Regulation (QSR), also known as 21 CFR Part 820: This regulatory body in the US sets quality system requirements for medical device manufacturers. While not a certification or accreditation, compliance with the FDA QSR is mandatory for companies selling medical devices in the U.S. market.
- Medical Device Single Audit Program (MDSAP): This program allows medical device manufacturers to undergo a single audit to demonstrate compliance with the regulatory requirements of multiple countries, including the U.S., Canada, Brazil, Japan, and Australia.
- IEC 62304: Medical device software regulations are laid out in this standard. It provides requirements for the development, maintenance, and risk management of such software, and compliance is required for medical products that contain software.
- ISO 14971: This international standard covers medical device risk management. It provides guidance on the application of risk management principles and processes throughout the life cycle. ISO 14971 is often used to complement and enhance ISO 13485 risk management practices.
- ISO/IEC 27001: This standard is for information security management systems. Though not specific to the medical device industry, it can be highly relevant for products and services that handle patient data.
- ISO 9001: The ISO’s primary QMS standard applies to most industries, including the medical device sector. ISO 13485-registered organizations often choose to implement ISO 9001 as a broader QMS framework.
Other Certifications That Relate to ISO 13485
There are other certifications and standards that complement ISO 13485. The following certifications are not specific to the medical industry, but medical devices do fall under their purview:
- CE Marking: The CE conformity assessment mark indicates a product's compliance with health and safety requirements in Europe. Medical devices intended for sale in the European Economic Area must undergo a conformity assessment process, which includes compliance with ISO 13485.
- ISO 45001: The occupational health and safety management standard applies in all developed markets. It allows businesses to manage risk and workplace safety in order to protect the health and well-being of staff.
This article presented the ISO 13285 certification, explained it, and discussed its various audit requirements. To learn more about certifications, contact a Xometry representative.
Xometry provides a wide range of manufacturing capabilities and other value-added services for all of your prototyping and production needs. Visit our website to learn more or to request a free, no-obligation quote.
The content appearing on this webpage is for informational purposes only. Xometry makes no representation or warranty of any kind, be it expressed or implied, as to the accuracy, completeness, or validity of the information. Any performance parameters, geometric tolerances, specific design features, quality and types of materials, or processes should not be inferred to represent what will be delivered by third-party suppliers or manufacturers through Xometry’s network. Buyers seeking quotes for parts are responsible for defining the specific requirements for those parts. Please refer to our terms and conditions for more information.
- Quality management system (QMS) ...
- Management responsibility. ...
- Resource management. ...
- Product realization. ...
- Measurement, analysis, improvement.
An ISO 13485 audit is an assessment process that allows organizations to ensure their compliance with the current QMS standard for medical devices. This process is also performed to help businesses obtain ISO 13485 certification.What is the ISO 13485 audit? ›
An ISO 13485 audit helps determine the actual status and health of your current QMS and processes. The purpose of quality audits is to verity that manufacturing, development, and related control facilities meet current good manufacturing processes (GMP), as well as conform to the commitments of ISO 13485.What is the frequency of internal audits recommended by the standard ISO 13485? ›
This is where the auditor will interview your staff and review your documented information (procedures, records, etc.) to verify you are meeting all the ISO 13485 requirements. Certification audits are typically conducted every three years.How much is audit for ISO 13485 certification? ›
|Certification Body Process||Non-Accredited||Accredited|
|Stage I Document Review Audit||$ 500||$ 1000|
|Stage II Certification Audit||$ 1000||$ 3000|
|Issue of Certificate||$ 500||$ 1000|
|TOTAL||$ 2000||$ 5000|
Like other ISO management system standards, certification to ISO 13485 is not a requirement of the standard, and organizations can reap many benefits from implementing the standard without undergoing the certification process.What are the five audit checklist? ›
- Establish the audit programme objectives.
- Prepare the audit plan.
- Perform the audit.
- Report the audit results.
- Follow up on post-audit activities.
An ISO audit is an audit of your organization's compliance with one of the standards set forth by the International Organization for Standardization (ISO).What is required for ISO audit? ›
To attain ISO certification, a company or organization must submit documents that report its internal processes, procedures and standards. These documents (or Quality Management System) determines that a company is able to provide quality products and services consistently.How to prepare for ISO 13485 audit? ›
- Verify that your documentation meets all of the requirements of the standard.
- Ensure your employees know their role in the QMS and are familiar with the ISO 13485 requirements that pertain to their role in the organization.
- The procedures and processes are correctly followed.
- Establish an internal audit procedure. ...
- Plan the organization's internal audit program. ...
- Perform internal audits at planned intervals. ...
- Keep a record of the audit plan and performance. ...
- Implement correction of nonconformances and their causes. ...
- Evaluate steps taken to resolve nonconformances.
These standards include an Audit Code of Ethics and the International Standards for the Professional Practices of Internal Auditing. These standards are focused on five assertions of internal audit. These five assertions are: existence, completeness, rights or obligations, valuation, and disclosure.Are internal audits mandatory requirement of ISO standard? ›
ISO 9001 provides an audit checklist that organisations are required to use when conducting internal audits. The checklist includes questions for assessing an organisation's context, leadership, planning and quality management systems, support structures, operations, performance evaluation and areas for improvement.What are generally acceptable auditing standards? ›
Generally accepted auditing standards (GAAS) are a set of systematic guidelines used by auditors when conducting audits of companies' financial records. GAAS helps to ensure the accuracy, consistency, and verifiability of auditors' actions and reports.How often are ISO audits required? ›
ISO audits happen every year. However, the frequency of audits can vary depending on the size of your company and the industry you are in. For example, companies that are required or expected to have an ISO certification may be audited more often than companies that are not.How often do you need to audit QMS? ›
Once certified, your business is required to have an annual surveillance audit, every three years a full audit is completed. How can QMS Audits help you to prepare for ISO 9001 Accreditation?How do I get an ISO audit certification? ›
- Develop your management system. Identify your core or business processes. ...
- Implement your system. Ensure procedures are being performed as they are described in your documentation. ...
- Verify that your system is effective. ...
- Register your system.
While ISO13485 isn't mandatory, it is helpful – not simply for placing your medical device in other markets. By implementing its requirements, you can save yourself a lot of time further down the line.What is the difference between ISO 13485 and ISO 13485? ›
There's Greater Emphasis on Risk in the ISO 13485:2016 Versions. Compared to ISO 13485:2012, the 2016 versions place greater emphasis on risk management and risk-based decision-making for processes outside the realm of product realization.What is the FDA proposed rule for ISO 13485? ›
The proposed rule states that manufacturers with an ISO 13485 certificate are not exempt from FDA inspections, nor will FDA issue ISO 13485 certificates based on a successful FDA inspection. FDA is providing 90 days for comment on the proposed rule, until May 24, 2022.
The 5/7 rule provides that an individual may not play a significant role in the audit of a particular audited body for more than 5 out of 7 financial years.What are the 4 C's of internal audit? ›
As for directors, there are four features to consider when evaluating the sufficiency of any risk-based audit plan: culture, competitiveness, compliance and cybersecurity – let's call them the Four C's, for short.What are the 8 principles of audit? ›
The basic principles of auditing are confidentiality, integrity, objectivity, independence, skills and competence, work performed by others, documentation, planning, audit evidence, accounting system and internal control, and audit reporting.What is audit requirements? ›
Auditing Requirements means the completion, approval by the Board of Directors of FER and publication of annual financial audits as required by the FER Law (as published on July 24, 2003) and the completion of a Road Maintenance and Financial Audit.What is audit criteria definition? ›
Audit criteria are standards against which the actual performance (adequacy of systems and practices and the economy, efficiency and effectiveness of activities) is compared or evaluated.What is ISO standard for internal audit? ›
Internal audit is a mandatory requirement of ISO 9001. Internal Audits are conducted internally by the organization. That means the organization initiates and plans this audit. This is a self-assessment of the processes implemented in the organization.What is the basic requirements for ISO certification? ›
The requirements and quality objectives of your products or services. The process guides, documents and resources your employees need to create products or services successfully. The monitoring, inspection or testing your company needs to ensure the quality of your products or services.What are ISO compliance requirements? ›
Being ISO compliant requires that organizations perform an internal audit of workplace hazards, as well as of future risks and challenges. Compliance with ISO 45001 ensures health and safety is an integral part of strategic decisions.Which ISO standard provides guidelines for auditing? ›
ISO 19011, Guidelines for auditing management systems, however, offers a uniform, harmonized approach, enabling effective auditing across multiple systems at the same time.How to do QMS audit? ›
- Performing an initial social audit assessment.
- Establishing a corrective action plan.
- Verifying corrective action implementation through detailed follow-up activities.
- Scheduling subsequent annual visits based on supplier risk level.
Compliance with ISO 13485 is required of most medical devices by all European Union members, UK, Canada, Japan, Australia, and many other countries. ISO 13485 is the quality standard accepted as the basis for CE marking in the EU.How do you prepare a process audit checklist? ›
- Understand the purpose of the audit. Before you create an audit checklist, discuss with the client why they want to perform an audit. ...
- Create the main heading of the checklist. ...
- Create subheadings. ...
- Create columns for evaluating compliance. ...
- Create a section for adding suggestions.
Internal audit should be performed with integrity, objectivity, confidentiality and competency. IIA Standards include the expectation that an internal audit function will establish policies and procedures to guide internal staff in carrying out their work.What are the key steps of internal audit? ›
Internal audit conducts assurance audits through a five-phase process which includes selection, planning, conducting fieldwork, reporting results, and following up on corrective action plans.How do you conduct an internal audit in a lab? ›
- Scope. The scope identifies the area of interest for the audit team and is used to define the limits. ...
- Audit Checklist. Checklists are critical points or processes that auditors intend to audit. ...
- Team Selection. ...
- Scheduling. ...
- Audit. ...
- Audit Report. ...
- Laboratory Record.
The principles of independence, objectivity, competence, confidentiality, professionalism, due professional care, and continuous improvement are essential for the internal audit function to fulfill its role as a trusted advisor to the organization.What are the 3 types of internal audits? ›
Types of Internal audits include compliance audits, operational audits, financial audits, and an information technology audits.What are the seven 7 objectives of internal audit? ›
The control objectives include authorization, completeness, accuracy, validity, physical safeguards and security, error handling and segregation of duties.Which audit is mandatory? ›
A statutory audit is compulsory for every company, even if the company has no turnover. Tax audit, on the contrary, is mandatory for every organisation whose annual turnover is more than ₹ 1 crore and the gross receipt is more than ₹25 lakhs.Which type of audits are mandatory? ›
A statutory audit is a mandatory audit of a company's financial records by an external entity. This audit is mandated by statute or law that governs an organization's principles and ethics.
Standards are principle-focused and provide a framework for performing and promoting internal auditing. The Standards are mandatory requirements consisting of: Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of its performance.What is the difference between audit standards and audit procedures? ›
Auditing standards provide a measure of audit quality and the objectives to be achieved in an audit. Auditing procedures differ from auditing standards. Auditing procedures are acts that the auditor performs during the course of an audit to comply with auditing standards.What are key audit matters auditing standards? ›
Key audit matters are those matters that were communicated with those charged with governance and, in the auditor's profes- sional judgment, were of most significance in the audit of the fi- nancial statements of the current period.What do audit standards require the auditor? ›
Auditing Standard No. 12 requires the auditor to determine whether identified and assessed risks are significant risks. A significant risk is defined as a risk of material misstatement that requires special audit consideration.Is ISO 13485 mandatory for medical devices? ›
While ISO13485 isn't mandatory, it is helpful – not simply for placing your medical device in other markets. By implementing its requirements, you can save yourself a lot of time further down the line.How long does it take to get ISO 13485 certification? ›
Implementation usually takes 4-6 months for companies with fewer than 50 employees. Larger firms with more than 50 employees and/or multiple locations require more written procedures and involve more people, so implementation usually takes 6-12 months.Do you need ISO 13485 to manufacture medical devices? ›
Obtaining an ISO 13485 certification is not a requirement for medical device companies, but many organizations find benefits in obtaining third party certification and demonstrating to regulators that they have met the requirements of the standard.Does FDA require ISO 13485 certification? ›
US FDA rule adopts ISO 13485 medical device QMS requirements. Emergo by UL's new human factors tool - provides training, tools, and resources. Our software tools offer digital regulatory monitoring for medical device compliance and access to human factors engineering tools.Does FDA require ISO 13485? ›
ISO 13485, an internationally accepted standard, specifies the requirements for a QMS, particularly for the medical devices industry. FDA is aligning its requirements to this standard to drive a global convergence of medical device regulatory processes.Can you self certify ISO 13485? ›
It is NOT a personal standard – a person cannot get certified to ISO 13485. Instead, an organization or company becomes certified. An individual, however, CAN become an ISO 13485 Certified Lead Auditor after a 5-day training course. This then allows them to audit other companies.
According to FDA regulations, an unapproved medical device may normally only be used on human subjects through an approved clinical study in which the subjects meet certain criteria and the device is only used in accordance with the approved protocol by a clinical investigator participating in the clinical trial.What is the FDA equivalent to ISO 13485? ›
ISO 13485 provides a framework for manufacturers and suppliers to meet common regulatory requirements worldwide, and serves as a strong foundation to meet FDA Part 820 requirements, as well as the requirements of other regulatory bodies in the world.Do I need both ISO 9001 and ISO 13485? ›
ISO 13485 is a quality system for the medical device industry, and it effectively covers ISO 9001 with some additional requirements. What many medical device manufacturers fail to realize, however, is that comparing ISO 9001 and ISO 13485 is a valuable exercise.Why do you need ISO 13485 certification? ›
The ISO 13485 certification supports medical device manufacturers in plotting a QMS that creates and maintains the efficacy of their processes. It ensures the consistent design, development, production, installation, and delivery through to the disposal of medical devices that are safe for their intended purpose.Are ISO standards mandatory for medical devices? ›
ISO 14971 is a safety standard governing risk management in the medical device development process that is used worldwide. Medical device companies must have risk management processes that comply with ISO 14971 if they want to sell their product internationally.