What is ISO13485 Medical Devices

Compassrose

Compassrose Limited

            ISO 9001

Quality Management

 

             ISO 9001

           World's Most                Recognised Standard


 

 ISO 14001

        Environmental         Management

 

            ISO 14001

Companies are to track their environmental concerns


 

 ISO 45001

        Health & Safety       Management

 

            ISO 45001

Companies are to track all aspects of Health and Safety

 

 ISO 27001

    Information Security         Management

 

ISO 27001

Companies look at all aspects of IT security

 

What is ISO13485 and what are the benefits?

 
 
 
 
 
 
 

            ISO 13485

Quality Management

 

ISO 13485

 Standard for the medical device industry

 

            ISO 22716

Quality Management

 

              ISO 22716


Control  production, control, storage, and shipment of cosmetic products

 

               AS9100

Quality Management

 

            ISO AS9100

Standard for the Aviation, Space, and Defense

 

            ISO Audit

       School Training 

           

ISO Audit Training and ISO Standards Training

 

Compassrose
Aequalis
Certification
Recycling
Pen Testing
New ISO

How ISO 9001 Works: The Quality Management Framework?


The Plan-Do-Check-Act (PDCA) cycle is the foundational methodology for establishing, maintaining, and continually improving your ISO 13485-compliant management system. This systematic approach ensures your organisation consistently meets regulatory requirements and delivers safe, effective medical devices.

PLAN: Establish your system's framework. Define the scope of your management system, identify applicable regulatory requirements (like MDR, FDA QSR), set objectives, and develop the necessary processes and documented procedures to ensure control over the medical device lifecycle.

DO: Execute and operate your processes. Implement your planned procedures across all stages—from design and development, purchasing, to production, servicing, and post-market surveillance. Ensure all activities are carried out under controlled conditions.

CHECK: Monitor and verify system performance. Conduct internal audits, analyse data from monitoring and measurement activities (like non-conforming product or customer feedback), and review the system's suitability and effectiveness in management review.

ACT: Take action to improve. Implement corrective and preventive actions (CAPA) to address root causes of nonconformities. Manage changes proactively and drive continual improvement to enhance the safety and performance of your medical devices.


Key Process Steps for Your Medical Device System:

  1. Establish the scopeand regulatory requirements for your devices.

  2. Develop and implementcontrolled procedures for design, production, and distribution.

  3. Monitor processesand the performance of devices on the market.

  4. Analyze datafrom audits, feedback, and nonconformities.

  5. Implement corrective actions through the CAPA process.

  6. Review system performance regularly in management review.

  7. Drive continual improvement to ensure ongoing safety and compliance.


This PDCA framework creates a robust cycle of control and improvement, ensuring your management system proactively addresses risk, meets stringent global regulations, and ultimately safeguards patient health.

ISO13485 plan do check act

Core Principles for a Compliant Medical Device Management System

Patient Safety and User Focus:

Prioritising the safety and performance of medical devices to protect patient health

and meet user needs.

Leadership Accountability for Compliance:

Ensuring top management establishes, resources, and upholds a system that

guarantees regulatory compliance and product safety.

Risk-Based Process Management:

Structuring and controlling all processes from design to post-market to mitigate risks to

device safety and quality.

Data-Driven Regulatory Decisions:

Basing decisions on objective evidence from verification, validation, monitoring, and post-market surveillance data.

Controlled Supply Chain and Partnerships:

Managing relationships with suppliers and outsourcers is a critical extension of your own controlled processes.

Proactive Culture of Improvement:

Fostering an environment dedicated to continually enhancing the effectiveness of the management system and device safety.

The Main ISO13485 Clauses - Complete Breakdown:


System Scope (Clause 4.1.1)

The scope defines the boundaries of your medical device management system. It specifies which products, processes, sites, and activities are included and certified. A clear scope is critical for Notified Body audits and regulatory submissions.

A compliant scope should specify:

  • Organisation: The specific legal entity or division covered.

  • Locations: All relevant manufacturing, warehousing, and design sites.

  • Device Families: The types of medical devices (e.g., Class IIa active therapeutic devices).

  • Lifecycle Stages: The activities covered (e.g., design, manufacturing, servicing, sterile packaging).

Guidance:

The scope must be truthful and accurate. Any exclusion of applicable requirements from the standard (e.g., design controls if you are only a manufacturer) must be explicitly justified. Avoid vague terms; clarity is essential for regulatory credibility.


13485 Management System (Clause 4)

This is the core of establishing your system’s documented framework.

  • 4.1 General Requirements: Mandates the establishment of a complete, documented system that is effectively implemented, maintained, and continually improved according to the standard's requirements.

  • 4.2 Documentation Requirements: Defines the mandatory documents and records, including the Quality Manual, documented procedures (e.g., for CAPA, management review), and device-specific records like the Design History File (DHF) and Device Master Record (DMR).


Management Responsibility (Clause 5)

Ensures leadership accountability for system effectiveness and regulatory compliance.

  • 5.1 Management Commitment: Requires top management to actively demonstrate commitment by establishing the quality policy, ensuring resource availability, promoting regulatory awareness, and conducting management reviews.

  • 5.2 Customer Focus: While patient safety is paramount, management must ensure that requirements from customers (e.g., distributors, healthcare providers) are determined and met to enhance satisfaction.

  • 5.3 Quality Policy: Leadership must establish a policy that is appropriate to the organisation’s role, includes commitments to compliance and safety, and provides a framework for quality objectives.

  • 5.4 Planning: Requires management to establish measurable quality objectives and plan the system to meet all requirements, including changes, in a controlled manner.

  • 5.5 Responsibility, Authority, and Communication: Demands clear assignment of roles (e.g., Management Representative) and authorities, along with establishing effective internal communication processes about the system’s effectiveness.


Resource Management (Clause 6)

Covers the provision of necessary infrastructure, personnel, and work environment.

  • 6.1 Provision of Resources: Requires the determination and provision of resources needed to maintain the system and meet regulatory requirements.

  • 6.2 Human Resources: Ensures personnel are competent based on education, training, skills, and experience for tasks affecting product quality.

  • 6.3 Infrastructure: Mandates provision of buildings, workspace, equipment (including calibration), and supporting services (e.g., utilities, IT) needed for product conformity.

  • 6.4 Work Environment and Contamination Control: Requires management of the physical work environment (e.g., cleanliness, temperature) necessary for product quality, with special attention to sterile devices and contamination control.


Product Realisation (Clause 7)

The heart of device-specific controls, covering the entire lifecycle from planning to delivery.

  • 7.1 Planning of Product Realisation: Requires planning of device-specific processes aligned with other system requirements (e.g., design, purchasing, production).

  • 7.2 Customer-related Processes: Covers determination of product requirements, review of orders/contracts, and customer communication (e.g., feedback, advisory notices).

  • 7.3 Design and Development: The critical subsystem for controlling the design process. It mandates a phased approach with planning, inputs, outputs, reviews, verification, validation, and transfer—all documented in the Design History File (DHF).

  • 7.4 Purchasing: Controls the process for selecting and monitoring suppliers (external providers) and verifying purchased product to ensure it meets specified requirements.

  • 7.5 Production and Service Provision: Ensures operations are controlled via documented procedures, work instructions, and validation of processes where outputs cannot be verified by monitoring (special processes). It also covers product identification, traceability, preservation, and control of monitoring/measuring equipment.

  • 7.6 Control of Monitoring and Measuring Equipment: Requires that equipment used to verify product conformity is calibrated, controlled, and maintained.


Measurement, Analysis, and Improvement (Clause 8)

The "Check and Act" mechanism for the system.

  • 8.1 General: Requires planning and implementing monitoring, measurement, analysis, and improvement processes.

  • 8.2 Monitoring and Measurement: Includes feedback systems (customer satisfaction), internal audits, and monitoring of processes and product (e.g., in-process testing, final inspection).

  • 8.3 Control of Nonconforming Product: Mandates a procedure to identify, document, segregate, and evaluate nonconforming product, including determining the need for reporting to regulatory authorities.

  • 8.4 Analysis of Data: Requires analysis of data from monitoring activities to demonstrate system suitability, effectiveness, and to identify opportunities for improvement.

  • 8.5 Improvement: Encompasses the Corrective and Preventive Action (CAPA)process for eliminating causes of nonconformities and preventing their recurrence. It also mandates a procedure for management review to assess system performance and drive  continual improvement.


For more information, visit www.compassrose.one

ISO 13485 Frequently Asked Questions.


What is ISO 13485, and is it a legal requirement in the UK?

Answer:

ISO 13485 is the international standard for a Quality Management System (QMS)

Specific to medical devices. It is not, by itself, a direct legal requirement. However,

it is the most effective and globally recognised way to demonstrate compliance with

the UK Medical Devices Regulations 2002 (UK MDR 2002), which are law. For

market access, a UK Approved Body will almost always audit your QMS against

ISO 13485. Therefore, for any medical device manufacturer, importer, or distributor in

the UK, it is a de facto necessity.


How did Brexit affect ISO 13485 certification for the UK market?

Answer:

Brexit created a separate UK regulatory framework. To place a device on the Great Britain (England, Scotland, Wales) market, you now need:

  • UKCA marking (replacing the EU's CE mark for the GB market).

  • Certification from a UK Approved Body(replacing the EU Notified Body).
    Your QMS will be audited to ISO 13485 by the UK Approved Body. For the Northern Ireland market, the EU MDR/IVDR applies, requiring CE marking and an EU Notified Body.


What is the difference between ISO 13485 and ISO 9001?

Answer:

While both are QMS standards, ISO 13485 is specific to medical devices and is a regulatory compliance tool.  Key differences include:

  • Focus: ISO 13485 mandates risk management throughout the device lifecycle and regulatory compliance. ISO 9001 has a broader focus on customer satisfaction.

  • "Continual Improvement": ISO 9001 explicitly requires it. ISO 13485 requires a focus on maintaining the effectiveness of the QMS, which implicitly drives improvement.

  • Documentation: ISO 13485 has more stringent documentation and traceability requirements (e.g., Design History File, Device Master Record).


How long does it take to get ISO 13485 certified in the UK?

Answer:

For an established company, the process typically takes 4 to 12 months. This timeline includes gap analysis, system development, implementation (running the system for several months to gather records), internal audits, management review, and the two-stage certification audit by a UK Approved Body. Start-ups or companies with no existing QMS should expect it to take longer.


How much does ISO 13485 certification cost in the UK?

Answer:

Costs are highly variable but significant. They typically include:

  • Consultancy (optional but common):£10,000 - £40,000+ (depending on the size of the company, products and the number of sites).

  • Training:£1,000 - £5,000+.

  • Accreditation or UKAS Fees: Based on company size and complexity, often £4,000 - £20,000+ for the initial audit, with annual surveillance and then rectification over 3 years.  

  • Internal Costs (staff time, system development):This is often the largest, hidden cost.


What are the most common reasons for failing an ISO 13485 audit?

Answer:

The most common non-conformities are found in:

  • Clause 7.3 Design and Development:Inadequate design controls, poor verification/validation, or insufficient risk management documentation.

  • Clause 8.3 Control of Nonconforming Product: Weak procedures or failure to link non-conformities to an effective CAPA.

  • Clause 8.5 Improvement: A weak or poorly documentedCAPA (Corrective and Preventive Action)process that doesn't address root causes.

  • Clause 4.2 Documentation: Uncontrolled documents or missing records.


Can a company self-certify to ISO 13485?

Answer:

NO. The term "certification" oexplicitly means an external Certification Body (which for medical devices must be a UK Approved Body) has audited your QMS and issued a certificate.

  • Why? The integrity of the medical device market relies on impartial verification that your system is effective. A self-issued certificate has no regulatory or customer credibility.

UKCA Marking Conformity Assessment

This is the process of proving your device meets the UK MDR's safety and performance requirements. The routes to do this are defined in law.


Is ISO 13485 required for software as a medical device (SaMD) in the UK?

Answer:

Yes, absolutely. The UK MDR classifies Software as a Medical Device (SaMD) as a medical device. ISO 13485 is the required QMS standard, and you must also apply the principles of IEC 62304(software lifecycle standard) within your QMS. Cybersecurity and data protection (UK GDPR) are also critical components.


What is the role of a "UK Responsible Person" and ISO 13485?

Answer:

In the UK a Responsible Person (UKRP) is a legal requirement for non-UK manufacturers placing devices on the GB market. The UKRP acts as your local regulatory contact. While the UKRP does not need to be ISO 13485 certified, the manufacturer's QMS must be. The UKRP will verify that you have this certification and that your technical documentation is in order.


How does ISO 13485 relate to the UK MDR and MHRA?

Answer:

  • UK MDR sets the legal requirements for safety and performance.

  • ISO 13485 provides the proven framework for a QMS to meet those legal requirements consistently. UK Approved Bodies(designated by the MHRA) audit your QMS against ISO 13485 to check you meet the UK MDR.

  • The MHRAis the UK regulator that oversees the system, approves the Approved Bodies, and conducts market surveillance.


Essentially, ISO 13485 is the bridge between your company's operations and UK regulatory compliance.

For more information see https://compassrose.one/common-iso-standards-compliance/iso13485

ISO13485 questions
Compassrose Limited
Privacy policy
Privacy policy

OK
Call nowEmail usFind us