ISO 13485 vs. ISO 9001: understanding the key differences for medical devices

What's the difference between ISO 13485 and ISO 9001?

Do you need to adhere to both, or just one of them?

Fortunately, you only need to worry about ISO 13485:2016 if you're going to make and distribute medical devices. To obtain a CE marking, which indicates conformity with safety standards for products sold in the European Economic Area, medical device manufacturers must either obtain a certification with a notified body or have a quality system in place.

ISO 13485 is a quality system for the medical device industry, and it effectively covers ISO 9001 with some additional requirements.

What many medical device manufacturers fail to realize, however, is that comparing ISO 9001 and ISO 13485 is a valuable exercise. By understanding the differences between these two standards, you learn where device manufacturers need to raise the bar on quality.

Table of Contents

1. What is ISO 9001?
2. What is ISO 13485?
3. ISO 13485 and ISO 9001 for medical devices: how they differ
   1. QMS
   2. Management responsibility
   3. Resource management
   4. Product realization
   5. Measurement, analysis and improvement
4. Electronic quality management systems for ISO 13485 compliance

What is ISO 9001?

ISO 9001 is the general quality management standard, suitable for businesses of any shape, size and sector.

ISO 9001 is designed to give businesses the formative baseline ingredients of a quality management system.

Certification proves that your business has embedded key quality management components into your operation, including:

• Principles of customer focus, leadership engagement and continuous improvement
• A process approach, such as Plan Do Check Act
• Risk-based thinking
• Evidence-based decision-making

RELATED READING: Top 10 ISO 9001 quality management system requirements

What is ISO 13485?

ISO 13485 takes things a step further.

Rather than being generic and applicable to any business, ISO 13485 is a framework designed specifically for medical device quality management.

Because medical devices are potentially high-impact life-saving products, compared to, say, a window manufacturing company or a furniture business, its requirements are naturally more stringent.

RELATED READING: Everything you need to know about ISO 13485

With that in mind, let's dive into the key differences between ISO 9001 and ISO 13485.

ISO 13485 and ISO 9001 for medical devices: how they differ

The primary difference between ISO 13485 and ISO 9001 for medical devices is the scope of these quality standards.

ISO 9001 is the international standard which provides specifications for a quality management system which can be applied at any organization regardless of industry, product or service, or company size.

ISO 13485 is a comprehensive management system specifically for the manufacture of medical devices. It places a more significant focus on regulatory compliance and offers less flexibility in the organizational process.

There are significant similarities between the two standards, including:

• The standard’s role in helping organizations achieve a quality management system
• Risk mitigation and assessment is a significant focus in both standards
• A focus on the realization of quality products through understanding the customer
• Both 9001 and 13485 use Deming cycles (Plan-Do-Check-Act)
• 13485 and 9001 emphasize employee competency and infrastructure for quality

There are several areas of difference, however, which we'll cover below. Medical device manufacturers face additional requirements for creating a robust quality management system (QMS), management responsibility, resource management, product realization, and more.

QMS

ISO standards define a QMS as a set of "policies, processes, and procedures" required for the planning and execution of a core business area. These policies and procedures are frequently supported by an ISO-compliant electronic quality management system (eQMS) software. Organizations must address all requirements within the standard, including documentation to achieve certification or a CE mark.

ISO 13485 builds on the requirements of ISO 9001 by specifically addressing the responsibility of the device manufacturer for “maintaining the effectiveness of the quality management system.” Additional areas in which 13485 exceeds 9001 are related to documentation and records controls.

• Include regulatory documents with system documentation (4.2)
• The QMS should include a file identifying product specification documents (4.2)
• A Device master record must specifically define QMS requirements (4.2)
• Changes to QMS documentation must be reviewed and approved by the original approver or another designated individual with adequate background information (4.2)
• Changes must be reviewed and approved by the original approving function or another identified individual who has sufficient subject matter expertise (4.2)
• The manufacturer is required to designate data retention standards based on product lifetime and regulatory requirements (4.2)

RELATED READING: What is the best ISO 13485 quality management system software?

Management responsibility

ISO 9001 allows the organization's management team to assign quality responsibilities without defining roles. ISO 13485 requires organizations to identify a member of the management team who is responsible for each aspect of the QMS. Also, the standard for medical device manufacturers specifically addresses the need for managers to commit to regulatory compliance and review new and revised cGMP regulations which impact the organization.

• The management team is responsible for quality policy and a framework for QMS review (5.3)
• QMS goals and compliance must be verified and measured by management (5.4)
• Every member of the organization must have defined responsibilities for managing, performing, and verifying the QMS (5.5)
• Management is responsible for maintaining QMS standards by assigning responsibility (5.5)
• Management review must include regulatory updates (5.6) 

Resource management

Both ISO 9001:2015 and ISO 13485:2016 adopted a more in-depth focus on resource management, defined as the various equipment, buildings, and IT resources needed for quality product realization. Specific requirements for device manufacturers are focused on environmental standards and contamination control for product safety.

• Maintenance activity requirements must be documented (6.4)
• Retain records of maintenance-related activities (6.4)
• Document requirements for personnel health, cleanliness, and clothing (6.4)
• If applicable, document procedures for monitoring the work environment (6.4)
• Create formal systems for the containment of contaminated product if applicable (6.4)
• Develop documented requirements for active risk management (7.1)
• Maintain risk management records (7.1)
• Create policies for customer communications in the event of advisory notices (7.2.3)

RELATED READING: What an ISO 13485 quality manual for medical devices should look like

Product realization

ISO 9001 positions product realization as a result of effective procedures and policies. The 9001 standard focuses on customer needs as a measure of quality, and sets forth operating standards which support quality product realization.

ISO 13485 provides more in-depth specifics to improve safety and customer satisfaction. Validation of process, equipment, cleanliness, and risk management throughout the product life cycle are critical drivers of quality. ISO 13485 doesn't deemphasize the role of policy and procedure in quality or remove customer satisfaction as the outcome of a quality driven culture. Instead, it builds on these requirements with specific standards for production and the supply chain.

• Document, define, and retain relevant purchasing information for traceability (7.3)
• Provide access to procedures, requirements, SOPs, and reference materials to personnel at the point of work (7.5)
• Create and implement SOPs for labeling and packaging (7.5)
• Create a unique, specific record for each batch of devices manufactured and approved (7.5)
• Verify and approve each device batch record (7.5)
• Document product cleanliness requirements if the device is sterilized, including sterilized before use (7.5)
• Create specific requirements for the installation and verification of the device, including guidelines for other organizations who may install or verify a device (7.5)
• Create records of installation and verification (7.5)
• Document servicing activities, procedures, and maintain records (7.5)
• Create procedures to identify and address returned products (7.5)
• Create a process for traceability and the identification of product status (7.5)
• Document all SOPs related to conformity (7.5)
• Document all procedures related to assuring product shelf life has not expired, if applicable (7.5)

Measurement, analysis and improvement

ISO 9001 takes a process-driven approach to continual improvement. ISO 13485 creates a more granular definition of the types of improvement activities device manufacturers need to ensure products are safe and effective. Some key differences between 9001 and 13485 include standards for customer feedback, monitoring product performance, and how to address a non-conforming product.

• Create a procedure for a feedback system which provides early warning of nonconformances (8.2.1)
• Review nonconformances within the feedback system (8.2.1)
• Monitor and measure products for quality throughout production (8.2.4)
• Verify all quality requirements are met before the product is released or delivered (8.2.4)
• Document rework activities and the release of nonconforming product which meets regulatory requirements (8.3)
• Create formal procedures for quality data collection, analysis, and retention (8.4)
• Document the implementation of advisory notices (8.5)
• Justify customer complaints which don't result in CAPA (8.5)
• Create documented procedures for notifying regulators of adverse events (8.5)

Related Reading: How to Rock ISO 13485, Cardiaccs Did It 2x Faster with Qualio

Electronic quality management systems for ISO 13485 compliance

Comparing ISO 13485:2016 to ISO 9001:2015 reveals the extensive actions medical device manufacturers must take to ensure product quality.

A process- and customer-driven QMS is a highly useful tool for creating a quality driven culture and continuous improvement in many industries. ISO 13485 builds on ISO 9001 while providing additional requirements for effective management, documentation, and measurement to produce safe medical devices.

 An eQMS designed specifically for medical device manufacturers can simplify the process of achieving the highly specific requirements for data capture, retention, and documentation. A solution designed under ISO 13485 can streamline your time to certification and create automated workflows which help your organization fulfill requirements throughout the product lifecycle.

Qualio is the leading eQMS for medical device manufacturers from the startup phase through mid-market. Give Qualio a test drive today. The requirements of 13485 are more extensive and specific than the guidelines of ISO 9001.