Episode 26 – The ISO 13485 Standard
The ISO 13485 Standard
In this episode of the Quality Hub podcast, host Xavier Francis engages ISO experts Murphy Shaw and Matthew Pilley, consultants at Core Business Solutions, in a discussion centered around ISO 13485, a critical standard for medical devices. Murphy and Matthew emphasize the rigorous controls and risk management inherent in ISO 13485. They clarify that the standard applies not only to manufacturers of implantable devices but also to various healthcare industry players, from software providers to equipment suppliers.
Core Business Solutions publishes ISO Certification podcast episodes weekly. You can find more episodes here.
Episode 26 Key Content
Hello, everyone, and thanks for listening to the Quality Hub chatting with ISO experts. I’m your host, and today we’re here with consultants here at Core Business Solutions. Thanks for being here today, gentlemen.
Thank you.
Yeah happy to be here. Thanks.
Thanks, guys, for being here. We do appreciate you taking the time to be here. Just for everybody here listening over the next several weeks, we’re excited to explore a range of ISO standards beyond the well-known ISO 9001, which is a quality management system. At Core Business Solutions. Our ability to work with companies extends well beyond ISO 9001. We support our customers with consulting, training, software, and comprehensive arrays of ISO standards. In addition, we support cybersecurity NIST and CMMC compliance and certification. Today we’re going to be talking about ISO 13485, a medical device standard with Murphy and Matthew as we begin. Could you guys share a little bit about your experiences and journeys?
Yeah, thanks. So I got my start with 13485 back with a medical packaging company along with Matthew. I worked for him for a little while.
I didn’t realize you two had been former colleagues.
Yeah. Yeah, for quite some time. I think we worked together for about 11 years before I moved on, and I moved on to more of the contract manufacturer side of things with a C&C facility. More directly into the implants. Implantable devices, which were also ISO 13485, which we’ll talk about later. And then from there I came to CORE to become a consultant to help a variety of customers get ISO 13485 certified.
Well, that’s great. So, Matt, I didn’t realize, like I said before, that you two were colleagues. What’s your journey and experience?
Yeah, so I spent my entire working career working in the medical packaging space. So sterile barrier packaging for for medical devices. I started very young and just kind of eventually worked my way into quality roles. At some point, Murphy and I crossed paths. And yeah, we’ve got some history together for sure.
That’s great. So you’ve been here about six months, eh?
Yeah. Correct.
Okay, well, that’s great. We’re excited to hear what you guys have to say. And I do appreciate you being here, but we’re gonna start with Matthew today. Your first question is, what are the primary objectives and benefits of ISO 13485 and how does that relate to 9001?
Yeah. So I would say that you know, the primary objective is to ensure that there is a common set of regulations and requirements, right? That applies to the manufacture and distribution of really anything that’s classified as a medical device or for supporting products, you know, materials and services that might be a direct or indirect input into those products.
So we’re not talking just about devices. We’re talking about almost anything that would go into making those devices or even packaging them.
Absolutely. In addition to that, I would say that the purpose of the standard is to bring in organizations, business processes, things like procurement, design and development, manufacturing, distribution, and the overall quality management system expectations kind of under a stricter level of control. The benefit of 13485 is that it requires organizations to formally define their processes for quality management system elements. They’re called out in the standard. And so they do that by way of written procedures and work instructions. And doing so, an organization is required to put a deliberate level of thought and focus into how these processes not only meet the standard but kind of how they fit into an organization’s business model. Right?
Okay, that makes sense.
Ultimately, you should give a business better visibility into how they’re performing about products and services, you know, their efficiencies, complaints, and non-conforming products. And certainly, you know, the customer experience overall.
So in that way, it is similar to 9001. You’re dealing with complaints. Non-conformity is efficiency in customer experience.
Yeah, Yeah, for sure. There’s a lot of overlap. And also, you know, in terms of relation to 9001, where 9001 sets a baseline in a framework for your quality management system, 13485 is kind of a natural next step, right? So it’s an expansion of those same requirements and a few more that take QMS to the next level. So where 9001 requires a company to demonstrate that they have processes in place. 13485 says, Now, you know, show me the evidence. Right? So, so your processes, procedures, work instructions. They all need to be supported by written documentation and objective evidence that supports what’s been defined within those documents. So with 13485, it’s kind of like, you know, show me what you’re planning to do by way of procedure and then show me the written or the documented evidence that you carried those things out as you intended. Right?
So in 9001, that comes a little later, that comes a little sooner, and 13485?
Yeah. And, those requirements for documentation 13485 are kind of there from the outset. You can get away with a little less formality in 9001. You don’t have that 9001 standard that doesn’t require you to have written procedures. But you have to have them right out of the gate with 13485. So and it’s you know, your system matures over time with you. So with 9001, you may not happen to start but then.
Yeah, it’s a good thing to do.
Right. As your system becomes more robust. But the other key difference with 13485 is that it forces you to look at your process, the processes, through the lens of risk. Right. So there’s a heavy emphasis on risk within that standard. So, you know, risk in your manufacturing process risk and risk in how your internal audit program is developed. Introduction of risk within your change management process, where your corrective and preventive action processes ultimately really any kind of unintended risk that could result in an end user or a patient coming in contact with a product that can compromise patient safety.
I mean, that makes sense. Where I mean, you’re dealing with life and death here potentially. So the risk is, is far greater to the end user than it might be if somebody doesn’t get the lids for their cups for coffee.
Yeah, 100%. You don’t always think of it that way. You know, when you’re living in that world every day. But, all of those processes ultimately come down to, you know, making what you hope is a better and safer product for customers.
Absolutely. Well, this helps us to see the similarities and differences. I appreciate that, Matthew. So, Murphy, what devices fall under the purview of 13485?
Well, ISO 13485 is geared towards the medical and healthcare industries. More specifically, the implantable devices such as stents, screws, or even pacemakers in general, items that go inside the body.
So joints and screws meshes, all of those types of things are what we’re talking about.
Yes. And that’s where it’s geared towards. That’s why it was designed and implemented. It doesn’t mean you need to manufacture only those specific types of devices to be certified to 13485.
Okay. All right.
If you are manufacturing a delivery device for those products, sterile packaging, as I and Matt alluded to earlier, basically anything in the health care industry you can become ISO 13485 certified. You know, since I started here at Core, I’ve had all types of clients become certified. Anyone from providing software for a telecommunications service provider that does maintenance on defibrillators and even businesses who are simply providing a rolling cart, you know, for a dental office.
So, it’s really broader than devices and just packaging. I mean, that’s interesting, you should say, for telecommunications and also software. I mean, if you’re dealing with a pacemaker, those things need to be updated. You know, they may have firmware updates just like a computer or other pieces of other pieces of equipment. Could you imagine putting something in that doesn’t work right into something that’s in somebody’s body that’s being programmed? I mean, that’s that could that could be fatal. So that makes sense why that would come under this purview as well.
Yep, absolutely. So, you know, ISO 13485 exists because, within the medical and healthcare industry, it’s extremely important for traceability of the materials and the people who are involved with the manufacturing of such devices. You know, product specifications come into play. You know, we’re talking about saving, improving, or prolonging human life.
Absolutely.
So it’s key to have strict requirements and controls in place. You need that reliability and consistency in the medical devices or the equipment that you’re using. You know, this industry can’t afford to have a lack of controls and zero regulation, you know, because that topic is very important to humanity.
It’s very similar in AS9100 that way where, you know, you’re talking about dealing with things that can potentially, you know, keep people safe or harm them. It clears up why some businesses may look into 13485 as a standard they might want to become certified to. So, Matthew, what are the key principles and requirements outlined in 13485? And is there an overlap with FDA requirements?
So I guess I would start by saying that the key principles of 13485 in many cases are the same as those found in in 9001. Right. And so it’s not exactly 1 to 1, but things such as management commitment, you know, quality planning, the establishment of quality objectives, qualification and training personnel, purchasing non-conformity, the corrective action. All of these elements are also part of the 13485 requirements.
Okay, so what are the ones that aren’t part of 9001 that don’t kind of go hand in hand?
Well, along with additional requirements, specific 13485, such as increased manufacturing controls, equipment and process validation, and cleanliness of the work environment and the product. Other requirements are not always applicable to every organization, but, you know, depending upon what they’re manufacturing, if it’s classified as a device. There are things like installation and post-delivery servicing requirements for medical devices. Along with sterilization. So it really kind of depends on what the organization is manufacturing and how their devices are classified.
Okay. And that’s sort of an FDA thing?
Yes. Right, right, right. So there are different levels of classification for the device depending upon, you know, its application and it and its, you know, use on the patient. Right. Is it an implantable device or is it something that’s just used as a delivery mechanism outside the body? So there are different classifications. You know, in terms of the FDA, their quality system regulation.
Specific to medical devices is the code of federal regulations or the CFR part A20, which defines the federal government’s requirements and expectations for a quality management system.
There’s a high degree of overlap between CFR party 20 and 13485, but there are some differences. And to that point, there’s an effort underway by the FDA to harmonize the QSR, which includes Part A 20 with the requirements of 13485. You know, the reason for that is quality system regulation by the FDA. It’s it’s got some age on it. And I think it was last published in 1996.
Where are they? That’s a long time.
Yeah, it’s you know, it’s dated. Right. Those requirements are specific to manufacturers in the U.S. 13485 is an internationally recognized set of standards for medical devices that gets reviewed every five years or so. And then it’s either updated or approved in its current state. Right. So there’s kind of a regular review of those documents and a determination as to whether or not they need to be revised and updated based on the standard of the day. Right. The requirement.
Right. Well, I mean, ISO standards do get updated quite often. I mean, 96. I can’t imagine the different devices that we have from then. Using the frequency of ISO standards being updated is probably a good call for the FDA I would think.
We’ve been waiting a long time for the FDA to harmonize with ISO 13485, so it’s a good thing that it’s finally on the horizon here.
That is great.
Yeah, I think with that, you know, with that effort to align regulations, there’s there’s going to be some change. I think the estimate at this time is somewhere between a year to two years before those changes go into effect. But you know what those timelines are. You know, very likely could shift at some point. But I guess, you know, kind of one final note on the differences between the FDA requirements and 13485.
You know, if an organization is manufacturing and distributing a medical device in the U.S., they have to be registered with the FDA, right? They’ve got to be compliant with the FDA’s regulation party. ISO 13485 is a voluntary standard, right? So a business either chooses to pursue certification or it doesn’t. It isn’t a requirement for them to become 13485 certified. But for those companies that serve the health care industry, you know, many, if not most, pursue certification because the market demands it, their customers demand it. And if a company chooses to pursue certification then here at Core, we’re to help them achieve that objective.
So using the ISO standard to help you put your procedures in place that align with the FDA would make sense. It’s almost like, here’s your rules, you figure out how to do them. ISO helps you give you a framework for how to put those into a way that you can, a framework that you can use and make sure you’re staying compliant. And so those are software with code also helps in that where if you have devices that need to be checked frequently, measurement devices, things like that, you can put those into.
Yeah, that’s what’s the great thing about the platform is that it gives you that, that functionality, that kind of easy way to manage everything in kind of a centralized location in terms of required documentation and records and all that sort of stuff. So it’s efficient in that way.
That ends and people like you are here to help anyone interested in learning more about, you know, if they’re ready for 13485 and maybe working with Core now. Murphy in this ever-changing world of medical devices, how does 13485 impact a company’s reputation, compliance, and overall business operations?
Well, when it comes to being certified, the 13485 the reputation of the standard does impact the business’s reputation as well. You know, it’s as Matt alluded to earlier, it’s a more robust, strict standard than ISO 9001. It has more requirements to ensure controls are in place, which you would expect in the medical industry since we’re talking about saving lives.
Absolutely. I mean, saving lives are making the quality of life better for someone is certainly a good thing. And we want to do that in a way that’s going to be safe,
For sure. For sure. And if your company is certified, your customers feel safe and, you know, they have the confidence in you that your work that they’re working with a world-class supplier that will provide high-quality products and services. The businesses that implement 13485 benefit because of the requirements. To ensure, that companies are more involved with monitoring and establishing the controls. You know, so there’s a lot more oversight of the processes. They’re looking at a lot more data to track the performance of all their processes. And, you know, the big thing is repeatability and consistency.
Well, when you’re talking about medical devices, consistency and repeatability are paramount. You want to make sure you can get the device working every time or, you know, the consistency of if you’re talking about an implantable, it’s always going to be the same.
Precisely. And, you know, with management being more involved and constant monitoring of the processes that lead the company to improvements. You know, they’re constantly evaluating the need for change and to improve efficiencies, you know, the quality of the work. But also streamlining and simplifying the processes for the workers. You know, if you’re simplifying the processes, it makes it easier on the training program as well.
Absolutely.
So, you know, to summarize all that, you know, the implementation of ISO 13485 in your business will lead to increased customer and sales process streamlining and improvements, product or service quality, reliability, and just overall business integrity. And with your documentation.
Well, all those things will certainly make customers as well as management happy with how the business can thrive and even grow. It’s interesting to see how 13485 just kind of adds and pushes a little bit more on the documentation and that from 9001, I know there are some of these standards that we will be talking about in the next month or two. Some of them are a slight variation from 9001. Some of them are completely you’ve got 100 or more controls and things that you have to deal with. So this one is a little bit similar, but it does make the difference when you’re dealing with medical devices and packaging and things like that. Appreciate your guys’s experience. And with that, do you have any stories or experiences that might stand out to you, the customer, or maybe someone who saw the benefits of 13485?
Yeah, well, since I started working with Core, you know, I’ve had several clients that we’ve gotten ISO 13485 certified and they’re, you know, one-man shop startups who need a lot of help getting established. I referenced one in the last podcast that I did with you.
I remember that.
About the life-saving apparatus, you know, CPR up in, you know, that guy. All he had was a drawing. We helped him implement all of his processes and all of his documentation and got him certified. You know, the client started coming to him. He started selling. So, you know, it’s a success story. You know, he built that company from the ground up, from nothing, you know, drawing on a napkin, going way back. Matt and I working for our previous company. We were previously 9001. And we brought that company up to 13485 standards and got that got them certified. And, you know, our processes, they just grew over time and, you know, they naturally evolved and you know, the standard just leads to improvements.
Was that a choice that you guys made to become 13485 certified in your previous place?
Yeah, I mean, well, there were a few drivers that led us to that, right? So first of all, there’s competition, right? And there was a competition that was that was certified at 13485. Right. So just from a control standpoint and customer expectations. Right. So there was there was some need there to to transition to 13485 based on that. But also as we kind of touched on, there’s there’s that higher level of control, right? Management wanted to see that kind of extra layer. Right. And that kind of more deliberate effort to improve things kind of be put in place.
You know, it took a little bit of effort. So it’s not an automatic type thing, right? So if you’re 9001 certified and you’re thinking about moving to 13485, the good news is that you’ve got that structure, you’ve got that basic framework for your quality management system. And so you can just kind of build off of that and meet the requirements of 13485, you know, put your procedures in place, generate records that support, you know, those procedures as objective evidence and that sort of thing.
From an IMS standpoint, then do you see people sticking with, like they say they keep 9001 and just add 13485 or is it replacing the 9001?
Well, I in my short time with Core, I’ve seen it both ways. I would say it seems to be more of we’re 9001 and we want to maintain that. We want to maintain that but also get certified.
It probably depends on what space you’re in to say you’re doing something and you’re doing software and now you’re branching out into software that is going to help with a medical device. You don’t want to lose 9001 because, on the non-medical side, you may need to keep that.
Yeah, yeah, right. Yeah, there’s some of that going on. In many cases, it is customer-driven. I mean, most of the time we hear, you know, I have an I may win this contract, right? But that contract requirement is that I’m certified right to the standard of that standard. So we’ve certainly seen some of that. But I think there are benefits. There are benefits to both. Right. But I know that to Murphy’s point, back in 2010, when we got certified at 13485, we dropped 9001 because we didn’t for what we did and the space that we were in, it didn’t necessarily make sense to maintain, but there was not a need. So, you know, it’s all about your business and what your business needs.
Absolutely. And we can help with all of that. Appreciate you guys or anything else you want to share about 13485 or anything?
Just we’re here to help you, you know, so, you know, contact Core and you know me and Matt, I don’t know if any other consultants also do. 13485 but we’re probably the main ones, so we’re going to help you through it.
Awesome. Well, gentlemen, this has been awesome. Especially great if a company out there might be thinking about the 13485 standards. We want to thank you so much for being here today and sharing your expertise.
Thanks, X. Appreciate it.
Thank you very much. Looking forward to the next one.
Awesome. We want to thank everyone who’s listened to our podcast today. We hope that it’s been informative for you. And if you’re looking for more information like what Murphy said about contacting core business solutions and we can help you with any ISO certification or cyber security, please email us at info@thecoresolution.com. And if you haven’t already followed us on your favorite podcast platform, please be sure to do so. That way you won’t miss the next quality podcast when it’s released next week. Have a great day and thanks for being here.