Medical Device Standards: ISO 13485, ISO 9001 or Both?
I recently wrote this guest blog for Assent Risk Management outlining the recent changes to ISO13485:2016 and its ongoing relationship to ISO9001...
When ISO13485, the quality management standard for medical devices, received its last update and re-issue in 2016 it took the notable departure from using the current ISO9001 standard as its baseline.
Divergence of ISO13485 from ISO 9001
The previous version ISO13485:2012 included all requirements of ISO9001:2008 and added specific requirements relevant to the medical device industry, as such in many cases a single management system based on ISO13485:2012 could also receive ISO9001:2008 certification with little or no additional effort. In the current ISO13485:2016 standard the standard writers have actually maintained the ISO9001:2008 base, but haven’t utilised ISO9001:2015 as its base, and also hasn’t aligned with the Annex SL format of management system standards.
This has created something of a dilemma for organisations on whether to simply have their management system certified under either ISO9001:2015 or ISO13485:2016, or continue to be certified under both as had previously been the case.
This is an organisational decision that needs to consider a number of factors including the organisation’s position in the medical device supply chain (e.g. design, manufacture or service provided), external influences of regulatory obligations and client contractual requirements, as well as general organisational strategies regarding market growth/expansion and strategic direction of the organisation.
Whilst certification to both standards might seem the least favourable due to the apparent complexity in meeting two sets of requirements, it is considered that the effort put in may well reap benefits beyond initial expectations, and whilst certification itself may be optional in many circumstances, the intertwining of the requirements into a single management system approach should also reap organisational benefits.
Understanding the Requirements of Each Standard
As a starting point it is important to understand what each standard essentially is, without trawling each clause the distinction between each standard is important to note.
ISO9001:2015 has continued down the path of transition from an ‘old style’ quality control and quality assurance model to a business performance model, and whilst regulatory compliance is broadly addressed in the standard the emphasis is clearly on performance across a wider set of stakeholders with customer satisfaction in dominance.
ISO13485:2016 on the other hand, whilst maintaining its ISO9001:2008 base, and as such including elements such as process management, objectives and performance, now very much ties these subject areas and all other requirements of this standard to the associated regulatory requirements, therefore in many respects placing the external regulatory stakeholder in dominance.
The emphasis on regulatory compliance in ISO13485:2016 clearly makes sense for this potentially very high risk industry, and appropriate regulatory product approval is mandatory and a barrier to market entry in most, if not all, legal jurisdictions. That said however many medical device organisations are also commercial entities, operating in a competitive market place with shareholder ownership, and as such have the external influences and drivers of any other organisation and therefore need to manage their activities within this broader mindset, and this is where the ISO9001:2015 model may add benefit to the organisation.
Integration of ISO13485:2016 & ISO9001:2015
Integration of ISO13485:2016 and ISO9001:2015 requirements into a single management system is facilitated by correspondence tables given in ISO13485:2016, these provide quite a high level comparison of the standards and an organisation would have to scrutinise the details of the requirements in order to ensure compliance.
It is interesting to note that there are two tables provided, one comparing ISO13485:2016 to ISO9001:2015, and one comparing ISO9001:2015 to ISO13485:2016 – in the former many areas of ISO13485:2016 are identified as not addressed by ISO9001:2015, however in the latter there are no areas of ISO9001:2015 considered as not addressed by the ISO13485:2016 standard, this is considered a simplistic view however might be mitigated by an organisations position in the supply chain.
An ‘out and out’ medical device designer and manufacturer who already must meet regulatory requirements for their products may indeed be largely compliant with ISO9001:2015, however with ability to exclude non-applicable ISO13485:2016 requirements where justified, for those lower down the supply chain who might legitimately exclude many of the direct regulatory related requirements as they have no direct regulatory exposure, simply flow down by commercial contracts, the gaps may be wider than ISO13485:2016 tables would indicate.
A key area of concern would be section 4 of ISO9001:2015 regarding ‘context of the organisation’, although this is considered also mitigated by the fact that this section of the standard has little in terms of requirements for documented information, and outlines business practices that many organisations may well already have in place, albeit level of formality and documentation may vary dependant on organisational size and position in the supply chain.
In summary, it is important to note the divergence of ISO13485:2016 and ISO9001:2015, although this divergence is not considered to prohibit a single management system covering all requirements.
Whilst comparison tables of clauses may facilitate integration the devil, as always, is in the detail and its important to note the essential characteristics of both standards to ensure compliance to all requirements.
A detailed gap analysis would be required for anyone wishing to combine both standards in an integrated system, and the level of work required would be dependant on direction of travel from ISO9001:2015 to ISO13485:2016, or ISO13485:2016 to ISO9001:2015, as well as appropriate consideration of the organisational context including position in the medical device supply chain for further consideration of the implications of integration.