For the medical device CE mark: is ISO 9001 certification required? The advantages and dangers of focusing too much on ISO certification are also reviewed.
ISO 9001 is a general quality management system standard, and ISO 9001:2008 is the most recent revision. The focus of that ISO 9001 is customer satisfaction and continual improvement. For medical devices, the applicable international standard is ISO 13485:2003. This Standard is based upon the ISO 9001 standard, but clauses were added for the specific needs of medical device regulations. In addition, the focus of the standard was changed:
For CE Marking of medical devices, there is a European National version of the standard: EN ISO 13485:2012 (http://bit.ly/ENISO13485-2012). This is the official harmonized version of the standard, and certification to EN ISO 13485 presumes compliance with the applicable European New Approach Directives (http://bit.ly/PlenaryVoteBlog). It is not, however, “required” to be ISO certified to either standard for CE Marking.
If a company chooses not to be certified to a harmonized standard, then the company must:
- Be audited to one of the New Approach Directives by their Notified Body, and
- Demonstrate how the quality management system they have created complies with the requirements of the applicable Directive(s).
Advantages of ISO certification
The primary advantage of ISO Certification is that your quality system is standardized. Standardization makes it easier for auditors to do their job, and for companies to implement “off-the-shelf” solutions for routine issues that most medical device companies are faced with. Your customers will recognize international standards and this increases consumer confidence. It has been a huge benefit to the European Union (EU), because the EU Member States (http://bit.ly/CECountries) have been able to rely heavily upon international standards, instead of having legal debates over nuances between technical Standards developed by each member state.
Another advantage of using harmonized ISO standards is that regulators are able to establish minimum requirements for all companies. In my experience, the ISO standards are more burdensome for low-risk devices than is probably necessary. However, the ISO standards are often less burdensome for high-risk devices than is probably necessary. For the CE Marking process to work effectively, manufacturers must be the experts for their specific device and know when it is necessary to do more than the minimum. For example, there is an ASTM test specification for cyclic testing of orthopedic implants, but recent experience with metal-on-metal (MoM) implants has demonstrated that the ASTM test method is not an adequate predictor of long-term safety and performance. If manufacturers do not develop this expertise, then technical reviews for CE Marking can be quite painful and drawn out as the reviewer is forced to educate the manufacturer on the “State of the Art.”
Dangers of focusing too much upon ISO certification
I find that most medical device company managers are well aware of the ISO 13485 requirements today, but I also believe that many are less aware of the requirements of 21 CFR 820 (http://bit.ly/21CFR820-25) than they were prior to ISO 13485:2003. Some consulting clients have managers that believe certain regulatory requirements are “just an ISO thing.” It concerns me when the Top Management of a company doesn’t understand basic differences between ISO certification, compliance with 21 CFR 820 and other regulatory requirements. It is the responsibility of the Management Representative to promote awareness of regulatory requirements throughout the organization (i.e., ISO 13485, Clause 5.5.1c), but the Management Representative needs the support and commitment of Top Management to promote awareness effectively.
CAPAs, Internal Audits and Management Reviews are core processes of the ISO 13485 standard, but these are also regulatory requirements for the US FDA, Health Canada and CE Marking medical devices in Europe. ISO 13485 Certification, however, is only a mandatory requirement for Canadian Medical Device Licensing (http://bit.ly/FindCMDR). Companies need to focus on the core processes of the quality system and get these right first. In many ways, I would prefer to see companies develop their own quality system architecture that best fits their needs. One company I audited actually did this. Their company has “Leadership Principles.” You can map all of the clauses of ISO 13485 to a specific “Leadership Principle” at that company, but there are requirements included in their principles that exceed the requirements of ISO 13485. If there were no ISO standards, we might see more creative thinking and innovation in the area of quality management systems. Therefore, I encourage every Management Representative to challenge the status quo and to think of ways to improve beyond ISO standards AND meet regulatory requirements.