ISO 13485 Medical Devices – QMS Requirements for Regulatory Purposes
ISO 13485 is an internationally recognised standard which sets out the requirements for a quality management system specifically oriented towards the highly regulated medical devices sector. The standard can be used by organisations throughout the supply chain, from design and development, to manufacture, import, logistics, installation and servicing, through to end-of-life decommissioning and disposal. The overall objective of the standard is to ensure patient safety.
We can help you to establish, implement and improve your quality management system and make it both compliant and effective. Whether you are establishing a QMS for the first time, or building on an existing ISO 9001 certification, or you just want to make it all work more effectively and get your system certified, we can help you.
ISO 13485 sets out the requirements for a quality management system (QMS) specifically for organisations operating in the medical devices industry and providing products – such as instruments, machines, and implants – and associated services. With stringent regulatory requirements at every stage, it is essential, wherever you may sit in the supply chain, to demonstrate that the quality management processes you use are robust and compliant. You need to show that you can consistently design, produce and place on the market, medical devices that are safe and fit for their intended purpose. ISO 13485 was written with this in mind, to be used by a wide range of organisations wherever they sit in the supply chain.
ISO 13485 is a well-established route to regulatory compliance. It incorporates some key concepts shared with other management standards plus some important and more prescriptive elements for meeting regulatory requirements and ensuring patient safety. This includes risk management focused on the complete life cycle, extra controls over suppliers, management of change, prevention of contamination, and requirements for communication with regulatory authorities.
Meeting the requirements of ISO 13485 will ensure that you plan and implement an effective management system in accordance with your regulatory obligations. Whether you are setting out for the first time with the standard or taking a second look at your existing system, we can help you through all the detailed requirements for certification and then to maximise the effectiveness of your QMS.
Do you operate in the medical device sector? Yes? Then you have two choices.
- Option A: Work out all your regulatory requirements, both technical and managerial, and address them one by one.
- Option B: Establish an ISO 13485 quality management system to create a framework and foundation for compliance, then fill in the gaps.
Many organisations choose option B because it has the added benefit of a shiny new ISO certificate for use in tender qualification, with a bonus that ISO 9001 can be included with no extra effort.
In short, if you’re in the medical devices sector you must comply with the regulations and ISO 13485 is a very good, and trusted, way of proving that compliance.
It’s true that ISO 13485 is quite a difficult standard to comply with (think ISO 9001 on steroids); however, even the smallest organisation can meet the standard. The trick is to have a clear roadmap, sufficient time and a fabulous consultant (*hint hint*). A common way of approaching this is to start with ISO 9001 and build towards the meatier ISO 13485.
In the medical devices sector, it’s quite simple. You either have ISO 13485 as your main route to regulatory approval, or you do it the hard way.
Every territory has its own regulatory regime, but they are all gradually falling in line with ISO 13485 as a framework. Building your own compliance around this standard makes sense from a future-proofing perspective (who knows where you’ll want to sell your device in the long run!)
Medical Tech appears to be having a boom in the UK, and your competitors will not just be making the same products as you but competing for the same funding too. We understand the cycle of development, funding and regulatory approval and how difficult it is to decide when to start investing in a proper QMS as a step towards compliance.
The beauty of taking the ISO route to regulatory compliance is that you can start the process and create the QMS very early on in the development of your device. This is because there are two types of requirements to meet: management and technical. The management aspects can be put in place as soon as you have any kind of management structure; in fact, the earlier the better, as this means new joiners will have a system to work with and won’t corrupt your organisation with the bad habits of their previous roles.
The other advantage of starting early is that we can align your project stages and work packages with the availability of funding. Even if there are pauses in the cycle, we can adjust our speed accordingly.
We are, first and foremost, a quality management consultancy. And we are really keen on the consulting part. By engaging with us you can be assured we will listen carefully to your story and understand the details of what you want, and what you need (which are not always the same thing!). Our consultants can then offer you a uniquely tailored solution. We're Quality People, and we understand how to bend and shape the ISO framework to add value to your business.
Whilst ISO 13485 itself has not changed since 2016, the regulatory landscape for medical devices has swung into alignment with the standard. One of the world’s major regulatory bodies, the US Food and Drug Administration (FDA) has, in February 2024, decided to incorporate ISO 13485 “by reference” in the quality system regulation (QSR) by amending the Current Good Manufacturing Practice (CGMP) requirement. The new regulation is called The Quality Management System Regulation (QMSR) Final Rule.
Golly what a lot of acronyms.
But, the good news is that it should now be easier to use ISO 13485 as one of your tools to achieve FDA approval. Of course the standard is already accepted in the UK and EU.
The “interesting” thing (honest) about ISO 13485:2016 is that it is based on ISO 9001:2008 and not on the current ISO 9001:2015.
It’s interesting to us Quality Nerds, anyway… the reason being that it’s a rejection of the watering down of ISO 9001 for general use in favour of a more prescriptive standard for the higher risk medical device industry. This is why we refer to ISO 13485 as one of the more ‘exotic’ standards alongside other safety-critical, industry-specific QMS standards (e.g. aerospace, automotive). The practical upshot of this devastatingly interesting fact is that complying with ISO 13485:2016 does not automatically mean you comply with ISO 9001:2015. However, the differences are small enough to make this entire paragraph somewhat redundant. =)
Still with us?
Like all good QMS standards, this one sets out the key requirements for your quality management system including the processes you operate, the things you measure, the checks you carry out and the way you ensure product quality throughout the supply chain.
Being based on the old ISO 9001, it still mandates a quality manual and a quality management representative, two bits of bureaucracy that have been phased out from many other QMS standards. With a primary objective of ensuring patient safety, ISO 13485 has many additional controls driven by risk management and regulatory compliance. These include segregation, cleanliness, sterilisation and contamination control. There are further specific requirements for software and for implantable medical devices.
One of the main reasons for adopting ISO 13485 is that it is a recognised route to regulatory compliance. As a step towards regulatory compliance the standard requires you to establish a medical device file for each device type or family. Knowing what to include in the device file is one of the critical success factors when dealing with ISO 13485 – don’t worry, we’ve a consultant for that!
The first step towards achieving compliance is to identify any gaps between the policies, processes, and procedures you already have in place compared to the requirements of the standard, and to develop an action plan for implementing any new aspects or for amending what you may already have in place.
We can support you by getting under the skin of what you really need and understanding what you currently have in place as a starting point. Sometimes your existing procedures can be adapted or improved; other times it will be necessary to create new stuff. There’s no getting away from the fact that, for ISO 13485, you do need a detailed QMS, but it doesn’t have to be a bureaucratic nightmare – that’s where we come in! We can ensure you get the right balance between compliance and simplicity. Our approach is always to build on the good things you’re already doing and to ensure that anything new is suitable, usable and sensible.
In common with most ISO QMS standards you will need to demonstrate that you both say what you do, and then do what you say. This means it will be necessary to implement an internal audit programme and formal management reviews before you can get certified.
Certification by an independent, accredited body is the best demonstration of your compliance to ISO 13485. Certification means that your system is scrutinised and verified on a scheduled basis through an external audit programme. It is an excellent way of confirming your application of your own system – to yourselves, to regulatory bodies and to your stakeholders.
In the UK, certification to ISO 13485 should be undertaken through one of the certification bodies accredited by UKAS, the UK’s National Accreditation Body for certification, calibration, inspection and testing services. Only UKAS-accredited certification bodies are recognised by the UK Government and major purchasers, and they operate programmes for transition to the new revision of the standard, as well as for new clients.
We can help you to choose a UKAS-accredited certification body and can support you through the certification process. We can help you however you need us to, whether by preparing documentation, training and mentoring, reviewing and auditing, or by working with you to develop and integrate your system beyond certification so that it always meets your needs as well as the requirements of the standard.
Becoming certified to ISO 13485 requires planning, commitment, and resources. How much work is involved will depend on your current stage of development, the size of your organisation and number of people involved. We will work closely with you to identify gaps and synergies against the requirements of the standard, drawing up a workable action plan to achieve your objectives – including certification – in the most efficient way. Our effective project management and extensive know-how will support your schedule and budget, with the right resources to help you at every stage. Beyond certification we can continue to work with you as your business goes forward so that you continue to maintain and develop your system.
As the standard is specifically oriented towards the medical device industry and with a variety of regulatory requirements to meet, ISO 13485 does require a significant amount of documentation. The temptation is to go overboard, covering every base conceivable instead of focusing on critical and mandatory documentation.
There are two types of documentation to worry about. The first is the business rules and tools which are used to create the medical device in a safe and quality-assured manner (in other words, your quality management system). The second is all the records you have to produce to prove that you’ve applied your QMS and carried out all the processes, checks, tests, etc which demonstrate your device’s compliance, not only with your QMS but with all applicable regulatory requirements. We can help minimise the first set of documents, but there’s not a lot we can do about that second set other than providing structure and guidance to ensure compliance.
How long is a piece of string?
You’re not a cookie-cutter company, so we don’t deal with cookie-cutter prices. But let’s talk about what makes up the cost of UKAS accreditation:
- Finding out where you’re starting from, where you need to be and how to get there. (GSAAP).
- In house resources to manage and deliver the work plan.
- External consultants to help with parts of the plan that are outside your skills and experience (or time).
- UKAS fees.
- Maintenance of your accreditation. Not just polishing the frame.
Depending on the size, scale and complexity of your organisation, you may need more or less consultancy time. We can work with you based on a specific number of days at an agreed rate; carefully scoped, fixed price work packages; or a combination of both to suit your budget.
There is a difference between certification and accreditation. In the UK there is only one government approved accreditation body (UKAS). When your customers are asking to see your ISO certification, they expect to see the UKAS logo alongside the certification body’s logo. Without this, your customer may reject the certificate and you may find you've a costly exercise to undo the commercial damage, upgrade your system and put yourself through the certification process all over again. We can help you choose a UKAS accredited certification body to make sure you aren’t going to get any awkward questions later.
We’ve been in this game a long time now and have developed a proven system of tackling the requirements of ISO certification with you. We begin with our Gap & Synergy Assessment with Action Plan (GSAAP for those acronym lovers) which shows us how close you already are to the standard requirements. We find, usually, that there are many more synergies than you’d expect - you’re running a successful business after all, aren’t you?
This gives us a head-start when creating the QMS and gives you the opportunity to get to know your consultant and confirm you enjoy working with us before embarking on the good ship certification. At this point you’re able to take the GSAAP and run, but of course we’d like to think you’d want to keep working with us to help you with the documentation (Stage 1) and implementation (Stage 2).
We help share the load by reviewing what you create, or creating things for your review - business manuals, process maps, policies and procedures, etc. Once this is all done, there’s a desktop audit by the certification body to check all your documentation complies with the rigours of your chosen standard - and yes, we can be involved in this as your advocate, interpreter, translator or referee. Stage 1 is all about ‘saying what you do’ as a business.

But you can’t just say what you do, you also need to ‘do what you say’. Stage 2 is all about those documents coming off the page and becoming a ‘real’ entity in your business. The burden of proof is on you to show that your system, as you’ve set out in Stage 1, is working as you say it should be. It takes time to gather this body of evidence, anywhere from 2-3 months, and this evidence can take various forms. Our role during Stage 2 is to provide training, mentoring, internal audits and management reviews to ensure your business is ready for the Stage 2 external audit.

It’s entirely normal for a few ‘nonconformities’ to arise, especially at this stage, but we’ll be there to help you deal with them and make sure you get that recommendation for certification.
At this point you’re able to take your new ISO Certificate, pat yourselves on the back for a job well done and send us on our merry way, happiness all round. However, we recommend you stick with us for this first year. Why? So we can help establish quarterly health checks to keep things ticking over. No one wants to be thrown into a full-blown panic 11 months down the line as the surveillance visit looms and you realise things have gotten a little wobbly. With us on board that little while longer, you can be sure that the gears are turning and the processes are followed so when the auditor returns, you’re armed and, if not dangerous, at least prepared.