ISO 13485: 2003 represents the requirements that medical device manufacturers must incorporate into their management systems. The current document supersedes its 1996 incarnation as well as EN 46001, EN 46002 and ISO 13488.
The purpose of the ISO 13485 certification is sometimes misunderstood. The ISO 13485 certification does not fulfill the requirements of 9001, nor is it equivalent to or have the ability to take the place of any country-specific requirement for medical device manufacturers. The standard is in part meant to serve as a means to the creation of a management system that aligns with the requirements of various regulators.
Though based on ISO 9001, ISO 13485 removes 9001’s emphasis on continual improvement and customer satisfaction. In its place is an emphasis on meeting regulatory as well as customer requirements, risk management and maintaining effective processes, namely the processes specific to the safe design, manufacture and distribution of medical devices.
ISO 13485 is in part designed to produce a management system that facilitates compliance to the requirements of customers and—preeminently—various global regulators. While being certified to 13485 does not fulfill the requirements of either the FDA or foreign regulators, the certification aligns an organization’s management system to the requirements of the FDA’s Quality System Regulation (QSR) requirements as well as many other regulatory requirements found throughout the world. Therefore, ISO 13485 certification serves to create a management system that can be thought of as a framework on which to build compliance to various regulatory and customer requirements.
ISO 13485 dictates that risk management must be thoroughly documented and conducted throughout a product’s entire lifecycle, from initial concept to delivery and post-delivery. However, the standard leaves the specifics to a related standard, ISO 14971, Application of Risk Management for Medical Devices. While 13485 states that a manufacturer’s management team is charged with the management of device-related risks and the development of risk management plans, 14971 defines a list of steps to be taken by management in order to fulfill risk-related requirements. While it is not mandatory that a manufacturer be 14971 certified in order to attain the ISO 13485 certification. But the manufacturer must show compliance to ISO 14971.