ISO 9001

How to reconcile the conflict between ISO 13485 and ISO 9001

This blog explains how to reconcile the conflict between ISO 13485 and ISO 9001, and discusses whether you should maintain dual certification.

how to reconcile diverging standards How to reconcile the conflict between ISO 13485 and ISO 9001

What is the conflict between ISO 13485 and ISO 9001?

The previous version of ISO 13485 was released in 2003. That standard was written following the same format and structure as the overall quality system standard at the time (i.e., ISO 9001:2000). In 2008, there was an update to the ISO 9001 standard, but the changes were minor, only clarified a few points, and the periodic review of ISO 13485 in 2008 determined there was not a need to update 13485 at that time. Unfortunately, the proposed structure of the ISO 9001 standard was radically different, and this forces companies with dual certification to reconcile the conflict between ISO 13485 and ISO 9001.

On December 1-5, 2014, the working group for the revision of ISO 13485 (i.e., TC 210 WG1), met at AAMI’s Standards week to review the comments and prepare a first Draft International Standard (DIS). We should have some updates on the progress of the DIS later in December, but hopefully, the news will not be delayed in publication until 2016. The following is a summary of the status before last that meeting.

Updated ISO 13485 and ISO 9001 Standards Being Released

In 2015, there will be a new international version of ISO 9001 released. This new version will have dramatic changes to the standard–including the addition of a new section on risk management and the adoption of the new High-Level Structure (HLS) changing from 9 sections to 11. The ISO 13485 standard is also anticipated to have a new international version released in 2015, but the ISO 13485 standard will maintain the current HLS with nine sections. The timing of the ISO 9001:2015 release and the ISO 13485:2015 release will likely be around the same time (Correction: the ISO 13485:2016 standard was released in February 2016). Both standards are expected to have a three-year transition period for implementation. The combination of the three-year transition and lessened requirements in the new version of ISO 9001 for a structured quality manual should allow most manufacturers to wait until the ISO 13485 release before they begin drafting a quality plan for compliance with the new standards. Some of my clients have already indicated that they may drop their ISO 9001 certification when it expires, instead of changing their quality system to comply with the ISO 9001:2015 requirements. However, my clients will not have the ability to allow their ISO 13485 certification to lapse. Will Health Canada be updating GD210 and continue to require ISO 13485 certification for medical device licensing? What should companies do?

Update on the reconciliation of ISO 13485:2016 and ISO 9001:2015 on May 29, 2020:

  • GD210 was never updated, and instead, it was replaced by MDSAP
  • ISO 13485:2016 certification, under the MDSAP program, is required for Canadian Medical Device Licensing
  • Many device companies have dropped the ISO 9001 certification.

Recommendations

From the experience of preparing for the ISO 13485:2016 and ISO 9001:2015 releases, I learned that obtaining draft versions of the standards before publication is invaluable. I was able to use the drafts to help prepare quality plans for the transition. Second, companies need to train their management teams and auditors on the differences between the current and the new standards to enable a gap analysis to be completed. Any manager that is responsible for a procedure required by the current version of a standard should receive training specific to the changes to understand how they will meet the requirements for documented information. Most companies will need to improve their risk management competency (which was updated again in December 2019). I recommend that companies begin drafting their quality plans and enter discussions with their certification body for quality system changes as early as possible. I also recommend that medical device companies maintain a quality manual structure that follows the ISO 13485:2016 standard rather than the ISO 9001:2015 standard. Following ISO 13485:2016 will help everyone locate information faster.

There is also specific text in the introduction of ISO 9001:2015 that states it is not the intent of the standard to imply the need to align your quality management system to the clause structure of the standard. Companies that maintain ISO 9001 certification should consider including cross-references between the two standards in their quality manual.

Historical Note

There are also European National (EN) versions of each standard (e.g., EN ISO 13485:2012). The EN versions are harmonized with the EU directives, but the content of the body or normative sections of the standards are identical. Historically, the differences were explained in Annex ZA, which was the last Annex in the EN version of the standard. In 2009 the harmonization annex for ISO 14971 (i.e., the medical device risk management standard) was split into three parts to match up with the three directives for medical devices (i.e., the MDD, AIMD, and IVDD). The new annexes (i.e., ZA, ZB, and ZC) were moved to the front of the EN version of the standard. The changes to ISO 14971 consisted of a correction and the change to Annex ZA. In 2012, there were new harmonization annexes created for ISO 13485 to follow the same format that was used for the EN ISO 14971 annexes. It is expected that these “zed” annexes will be released with a new EN version of the standard shortly after the international standard is published.

How to reconcile the conflict between ISO 13485 and ISO 9001 Read More »

Medical Device CE Mark: Is ISO 9001 Certification Required?

For the medical device CE mark: is ISO 9001 certification required? The advantages and dangers of focusing too much on ISO certification are also reviewed.

ISO 9001 is a general quality management system standard, and ISO 9001:2008 is the most recent revision. The focus of that ISO 9001 is customer satisfaction and continual improvement. For medical devices, the applicable international Standard is ISO 13485:2003. This Standard is based upon the ISO 9001 standard, but clauses were added for the specific needs of medical device regulations. Also, the focus of the Standard was changed:

table faq 6 Medical Device CE Mark: Is ISO 9001 Certification Required?

For CE Marking of medical devices, there is a European National version of the Standard: EN ISO 13485:2012 (http://bit.ly/ENISO13485-2012). This is the official harmonized version of the Standard, and certification to EN ISO 13485 presumes compliance with the applicable European New Approach Directives (http://bit.ly/PlenaryVoteBlog). It is not, however, “required” to be ISO certified to either Standard for CE Marking.

If a company chooses not to be certified to a harmonized standard, then the company must:

  1. Be audited to one of the New Approach Directives by their Notified Body, and
  2. Demonstrate how the quality management system they have created complies with the requirements of the applicable Directive(s).

Advantages of ISO certification

The primary advantage of ISO Certification is that your quality system is standardized. Standardization makes it easier for auditors to do their job, and for companies to implement “off-the-shelf” solutions for routine issues that most medical device companies are faced with. Your customers will recognize international standards, and this increases consumer confidence. It has been a considerable benefit to the European Union (EU), because the EU Member States (http://bit.ly/CECountries) have been able to rely heavily upon international standards, instead of having legal debates over nuances between technical Standards developed by each member state.

Another advantage of using harmonized ISO standards is that regulators can establish minimum requirements for all companies. In my experience, the ISO standards are more burdensome for low-risk devices than is probably necessary. However, the ISO standards are often less burdensome for high-risk devices than is perhaps necessary. For the CE Marking process to work effectively, manufacturers must be the experts for their specific device and know when it is required to do more than the minimum. For example, there is an ASTM test specification for cyclic testing of orthopedic implants. Still, recent experience with metal-on-metal (MoM) implants has demonstrated that the ASTM test method is not an adequate predictor of long-term safety and performance. If manufacturers do not develop this expertise, then technical reviews for CE Marking can be quite painful and drawn out as the reviewer is forced to educate the manufacturer on the “State of the Art.”

Dangers of focusing too much upon ISO certification

I find that most medical device company managers are well aware of the ISO 13485 requirements today, but I also believe that many are less aware of the requirements of 21 CFR 820 (http://bit.ly/21CFR820-25) than they were before ISO 13485:2003. Some consulting clients have managers that believe certain regulatory requirements are “just an ISO thing.” It concerns me when the Top Management of a company doesn’t understand basic differences between ISO certification, compliance with 21 CFR 820, and other regulatory requirements. It is the responsibility of the Management Representative to promote awareness of regulatory requirements throughout the organization (i.e., ISO 13485, Clause 5.5.1c). Still, the Management Representative needs the support and commitment of Top Management to promote awareness effectively.

CAPAs, Internal Audits, and Management Reviews are core processes of the ISO 13485 standard. Still, these are also regulatory requirements for the US FDA, Health Canada and CE Marking medical devices in Europe. ISO 13485 Certification, however, is only a mandatory requirement for Canadian Medical Device Licensing (http://bit.ly/FindCMDR). Companies need to focus on the core processes of the quality system and get these right first. In many ways, I would prefer to see companies develop their quality system architecture that best fits their needs. One company I audited did this. Their company has “Leadership Principles.” You can map all of the clauses of ISO 13485 to a specific “Leadership Principle” at that company, but there are requirements included in their principles that exceed the requirements of ISO 13485. If there were no ISO standards, we might see more creative thinking and innovation in the area of quality management systems. Therefore, I encourage every Management Representative to challenge the status quo and to think of ways to improve beyond ISO standards AND meet regulatory requirements.

Medical Device CE Mark: Is ISO 9001 Certification Required? Read More »

Scroll to Top