224
Chapter 15: Use of Standards in Medical Device Global Regulatory Strategy
industries.17 ISO 13485 and ISO 9001 are mov-
ing farther apart: however, as ISO 9001 evolves
into a true ‘quality system.’ In the past, most of
the ISO 9001 clauses, subclauses and format
were identical to those in ISO 13485, but this
has changed to facilitate understanding of the
differences. The latest edition of the ISO 13485
has Tables B.1 and B.2 in its Annex B to show
the correspondence between ISO 13485:2016
and ISO 9001:2015.
For most jurisdictions, including the EU,
Australia and Canada, the preferred method to
prove conformity with regulatory requirements
is certification of the manufacturer’s QMS to
ISO 13485. In December 2018, FDA formally
announced its intention to transition away
from the Quality Systems Regulation (QSR)
per 21 CFR Part 820 and transition to ISO
13485:2016 for its audit inspections of medical
device manufacturers.18 FDA stated that “We
recognize there will be a significant impact
on FDA for implementation. For example:
Training on ISO 13485 requirements, interpre-
tation, best practices, etc. to CDRH staff and
ORA investigators and compliance officers.
Changes to the inspection model (QSIT).
Revisions/updates to numerous documents.
Changes to IT systems. Transition period will
likely be a few years.”19
The 2016 revision for ISO 13485 placed
more emphasis on QMS across the entire
supply chain and is intended to address the
total product lifecycle of medical devices,
among other changes to the previous edition.
In March 2019, FDA discontinued accepting
Declaration of Conformity to ISO 13485: 2003
for regulatory purposes and confirmed that ISO
13485:2016 should be used instead.
As described previously, process standards
largely are nonprescriptive: the requirements are
presented, but how to meet those requirements
is not specified. The standard recognizes a wide
variety of medical devices (from simple and low-
risk to complex and high-risk) are developed by
a multitude of organizations (from small start-
ups with small staffs to large, multi-national
corporations with thousands of employees) thus,
processes successful for one organization will not
be the same as those for another.
ISO 13485 includes general QMS require-
ments, management’s overall QMS responsibility,
resource management (both human and physical
resources), product realization and measurement,
analysis and improvement.
In the US, FDA stipulates a manufacturer
(domestic or importer) must have a QSR-
compliant QMS. The QMS standard, ISO
13485, was first adopted in the US as ANSI/
AAMI/ISO 13485:2003. Although ISO 13485
and QSR elements are similar, they are not
identical. A manufacturer may need to fulfill
certain obligations to comply with the QSR that
are not part of ISO 13485. One example is the
QSR requirement to use statistical techniques
not specified in ISO 13485.
At the time of writing this chapter, ISO
13485:2016 is not officially recognized by the
EU Commission. Upon publication, the man-
ufacturer must review the gap between the
harmonized standard and EU MDR require-
ments to ensure compliance.
Despite these differences, using ISO 13485
still can streamline QMS establishment to meet
the majority of regulatory agency requirements
around the world. It is worth noting here links
exist between other standards and ISO 13485.
How ISO 13485 outlines the basic manufac-
turer QMS framework was described earlier.
However, other process standards less overarch-
ing than ISO 13485 exist that help frame QMS
subprocesses or subsections. Examples include
ISO 14001 Environmental Management Systems
and ISO 14971 Risk Management.
ISO 14971 Medical Devices—Application
of Risk Management to Medical Devices
ISO 14971 specifies the process to identify
hazards associated with medical devices, to esti-
mate and evaluate and control those risks and
monitor the controls’ effectiveness throughout
the product lifecycle.20 It is referenced in ISO
13485 and numerous other standards, as the one
in which guidance related to risk management
during product realization may be found.
To emphasize, this standard outlines the
risk management process but does not prescribe
the specific hazards and risks to be mitigated
and controlled for each medical device type.
Chapter 15: Use of Standards in Medical Device Global Regulatory Strategy
industries.17 ISO 13485 and ISO 9001 are mov-
ing farther apart: however, as ISO 9001 evolves
into a true ‘quality system.’ In the past, most of
the ISO 9001 clauses, subclauses and format
were identical to those in ISO 13485, but this
has changed to facilitate understanding of the
differences. The latest edition of the ISO 13485
has Tables B.1 and B.2 in its Annex B to show
the correspondence between ISO 13485:2016
and ISO 9001:2015.
For most jurisdictions, including the EU,
Australia and Canada, the preferred method to
prove conformity with regulatory requirements
is certification of the manufacturer’s QMS to
ISO 13485. In December 2018, FDA formally
announced its intention to transition away
from the Quality Systems Regulation (QSR)
per 21 CFR Part 820 and transition to ISO
13485:2016 for its audit inspections of medical
device manufacturers.18 FDA stated that “We
recognize there will be a significant impact
on FDA for implementation. For example:
Training on ISO 13485 requirements, interpre-
tation, best practices, etc. to CDRH staff and
ORA investigators and compliance officers.
Changes to the inspection model (QSIT).
Revisions/updates to numerous documents.
Changes to IT systems. Transition period will
likely be a few years.”19
The 2016 revision for ISO 13485 placed
more emphasis on QMS across the entire
supply chain and is intended to address the
total product lifecycle of medical devices,
among other changes to the previous edition.
In March 2019, FDA discontinued accepting
Declaration of Conformity to ISO 13485: 2003
for regulatory purposes and confirmed that ISO
13485:2016 should be used instead.
As described previously, process standards
largely are nonprescriptive: the requirements are
presented, but how to meet those requirements
is not specified. The standard recognizes a wide
variety of medical devices (from simple and low-
risk to complex and high-risk) are developed by
a multitude of organizations (from small start-
ups with small staffs to large, multi-national
corporations with thousands of employees) thus,
processes successful for one organization will not
be the same as those for another.
ISO 13485 includes general QMS require-
ments, management’s overall QMS responsibility,
resource management (both human and physical
resources), product realization and measurement,
analysis and improvement.
In the US, FDA stipulates a manufacturer
(domestic or importer) must have a QSR-
compliant QMS. The QMS standard, ISO
13485, was first adopted in the US as ANSI/
AAMI/ISO 13485:2003. Although ISO 13485
and QSR elements are similar, they are not
identical. A manufacturer may need to fulfill
certain obligations to comply with the QSR that
are not part of ISO 13485. One example is the
QSR requirement to use statistical techniques
not specified in ISO 13485.
At the time of writing this chapter, ISO
13485:2016 is not officially recognized by the
EU Commission. Upon publication, the man-
ufacturer must review the gap between the
harmonized standard and EU MDR require-
ments to ensure compliance.
Despite these differences, using ISO 13485
still can streamline QMS establishment to meet
the majority of regulatory agency requirements
around the world. It is worth noting here links
exist between other standards and ISO 13485.
How ISO 13485 outlines the basic manufac-
turer QMS framework was described earlier.
However, other process standards less overarch-
ing than ISO 13485 exist that help frame QMS
subprocesses or subsections. Examples include
ISO 14001 Environmental Management Systems
and ISO 14971 Risk Management.
ISO 14971 Medical Devices—Application
of Risk Management to Medical Devices
ISO 14971 specifies the process to identify
hazards associated with medical devices, to esti-
mate and evaluate and control those risks and
monitor the controls’ effectiveness throughout
the product lifecycle.20 It is referenced in ISO
13485 and numerous other standards, as the one
in which guidance related to risk management
during product realization may be found.
To emphasize, this standard outlines the
risk management process but does not prescribe
the specific hazards and risks to be mitigated
and controlled for each medical device type.