• To establish a Quality Management System (QMS) that is oriented towards the design, development, production, and installation of medical devices and related services.
• To demonstrate your ability to supply medical devices and related services that meet customer expectations and comply with regulatory requirements.
• To evaluate how well your organization is able to meet customer expectations and comply with regulatory requirements.
• To become certified or registered.

ISO 13485 is not a product standard. It’s a process standard. Therefore, it’s not enough to establish a Quality Management System (QMS) that complies with the ISO 13485 standard, you also need to comply with all relevant product and service oriented technical standards and regulations.

ISO 13485 Vs ISO 9001

ISO 13485 is based on the ISO 9001 Quality Management standard. Both standards are organized in the same way and use basically the same numbering system. In addition, most of the ISO 13485 requirements are taken directly from ISO 9001 without modification.

However, some ISO 9001 requirements were modified and others were excluded. Of course, ISO 13485 also includes a special set of requirements specifically related to the supply of medical devices and related services. In general, ISO 13485 is made up of two kinds of requirements: old ISO 9001 requirements and new requirements that are specifically related to medical devices and associated services.

ISO 13485 excludes ISO 9001 requirements related to continual improvement and customer satisfaction. Continual improvement is excluded because most medical device regulations require organizations to maintain their Quality Management Systems, not to improve them. And customer satisfaction is excluded because committee members thought it was too subjective.

When ISO 9001 wants you to document a procedure, it also wants you to implement and maintain it. Section 4.2.1 of ISO 13485 expands on this idea by including requirements, activities, and special arrangements. More precisely: -

• When ISO 13485 wants you to document a procedure, the standard also wants you to implement and maintain it.
• When ISO 13485 wants you to document a requirement, the standard also wants you to implement and maintain it.
• When ISO 13485 wants you to document an activity, the standard also wants you to implement and maintain it.
• When ISO 13485 wants you to document an arrangement, the standard also wants you to implement and maintain it.

Whenever a procedure, requirement, activity, or special arrangement must be documented, it does so by explicitly asking you not only to document it but also to implement and maintain it.

ISO 13485 also places a greater emphasis on the use of procedures to regulate and control how activities and processes should be performed. In this sense, ISO 13485 is somewhat more prescriptive than ISO 9001. ISO 9001 often leaves it up to you to decide how work should be controlled, whereas ISO 13485 seems to have removed some of this flexibility by insisting on the use of formal procedures.

Since ISO 13485 is all about medical devices and related services, it of course adds many new requirements to address the specific needs of this industry such as ISO 14971 Risk Management.

Possible exclusions

ISO 9001 says that you may exclude or ignore some requirements if you can justify doing so. You can exclude section 7 product realization requirements if you cannot apply them because of the nature of your organization and its products. Similarly, ISO 13485 2003 says that you can exclude section 7 requirements if they are not applicable in your situation and does not violate the organization's medical devices statutory regulations.

You may also exclude section 7.3 design and development if official regulations allow you to do so and if you have made alternative arrangements that comply with these regulations.

Occasionally ISO 13485 uses the phrase “if appropriate” or “where appropriate”. When a requirement uses this phrase, you may ignore or exclude it if you can justify doing so.

Whenever you decide to exclude or ignore an ISO 13485 requirement make sure that you’ve got a good reason. Make sure you can justify and explain why, and make sure this explanation is documented in your quality manual.

How to develop a QMS

In order to become certified, you need to develop a Quality Management System (QMS) that complies with the ISO 13485 standard. But how do you do that?

One common approach is to carry out a Gap Analysis. Such an analysis will identify the gaps that exist between the new standard and your organization's processes. Once you know exactly what and where your gaps are, you can take steps to fill them. And once all of your gaps are filled, your Quality Management System will be ISO 13485 compliant. By using this approach, you will not only meet the new ISO 13485 standard, but you will also improve the overall effectiveness of your Quality Management System.

If you're currently ISO 13485:1996 or ISO 9001:2000 certified, you can call us to conduct Gap Analysis Tool on your Quality Management System to the new ISO 13485:2003 standard.

Once we've completed the Gap Analysis and filled all of the gaps, you're ready to ask a Registrar to audit the effectiveness of your Quality Management System. If your QMS meets ISO 13485:2003 requirements then the Registrar will then issue an official certificate to you and record your achievement in their registration.