A Guide to ISO 13485 for Medical Device Startups

Like many industries, the medical device market experienced a pandemic-induced slump in 2020-21. As the world economy recovers, the global medical devices market is projected to grow from $455.34 billion in 2021 to $657.98 billion in 2028.

Before companies can enter the US market, they must navigate a narrow funnel of FDA approval. When you consider the projected market growth relative to the small number of devices approved annually by the US FDA, you can see how critical a well-managed compliance and approval strategy is to medical device startups’’ financial forecasts.

Getting a medical device to market involves a lot of complexity apart from designing the device itself. Click To Tweet

There is a fundamental regulatory aspect that medical device companies have to plan for, ideally from the beginning of the development phase.

We all know medical device companies must show FDA compliance to get FDA approval in the US. The ISO 13485:2016 certification is not technically required, yet it is an entrenched best practice in the medical device ecosystem that helps companies and service providers with FDA regulatory compliance and company performance.

What is ISO 13485:2016?

The ISO 13485:2016 is the Quality Management System (QMS) Standard for the medical device industry. Companies developing, producing, or servicing medical devices may apply for certification.

Here is the official definition:

ISO 13485:2016:2016 specifies requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements.

Because the FDA requires a QMS for medical device regulatory compliance, satisfying the ISO 13485:2016 standard is one way to check off that box in the FDA approval process.

In September 2021, the standard was amended to integrate with European Union medical device regulations, simplifying certification for companies that want to sell their products and services internationally.

The QMS is critical for regulatory compliance yet is also a significant project in and of itself. This combination has led to an industry sector of service providers that create and maintain the QMS.

The ISO 13485:2016 standard is available for purchase and in a “read-only” format here: https://www.iso.org/obp/ui#iso:std:iso:13485:ed-3:v1:en

Who needs ISO 13485:2016?

The standard is designed for organizations designing, producing, installing, or servicing medical devices and related services. Certification bodies may also use the standard as a baseline for their auditing processes.

Medical technology companies in the US are legally required to comply with FDA quality system regulations outlined and 21 CFR part 820. So, as pointed out above, although the ISO 13485 certification is not required, in practical terms, it helps with the FDA approval process. The FDA requirements and ISO 13485:2016 are very similar, and you can see more differences at this link.

What is the Purpose of ISO 13485:2016?

The purpose of the ISO 13485:2016 is to:

• Emphasize awareness that the regulatory requirements are management’s responsibility.

• Set up controls in the work environment to ensure product safety and traceability.

• Adopt a risk management approach across the product life-cycle, from design to outputs (results) in the marketplace.

• Specify requirements for verifying results of corrective and preventive actions.

• Focus on maintaining the continued utility and effectiveness of the QMS.

Compatibility and Performance Benefits of ISO 13485:2016

One of the main benefits of a QMS is that it puts organizational policies into a specific format that is FDA compliance compatible. Apart from that, there are business performance benefits to integrating ISO 13485:2016 compliance into company systems because it systemizes documentation, prioritizes quality reviews, and improvement adjustments. Adopting the standard can help the overall efficiency and quality of a company’s results.

A High-Level Overview of the Standard

The ISO 13485:2016 standard has eight clauses. Clauses 4-8 are required to achieve certification. The Standard is organized as follows:

Clause 1 – Covers QMS requirements. This clause is informational only and does not have any requirements to meet.

Clause 2 – Normative references list other ISO documents or standards necessary for applying the ISO 13485:2016 standard.

Clause 3 – Terms and Definitions: clarifies the meanings of terms used in the standard.

Clause 4 – Quality Management System: States the general requirements for a Quality Management System. This clause includes two subclauses:

• 4.1 General Requirements
• 4.2 Documentation Requirements, which includes Quality Manual with Scope of the QMS, Required Procedures, Required Forms & Records, Control of Documents, Control of Forms

Clause 5 – Management Responsibility: details the responsibility of Management, including six subclauses:

• 5.1 Management Commitment
• 5.2 Customer Focus
• 5.3 Quality Policy
• 5.4 Planning
• 5.5 Responsibility, Authority, and Communication
• 5.6 Management Review, including actions and results

Clause 6 – Resource Management: covers the requirements for resources regarding the QMS and ISO standards. Includes four subclauses:

• 6.1 Provision of resources
• 6.2 Human Resources
• 6.3 Infrastructure
• 6.4 Work Environment and Contamination Control

Clause 7 – Product Realization: what the product will be, how it will enter and interact with the marketplace. This clause has six subclauses:

• 7.1 Planning of Product Realization
• 7.2 Customer Related Processes
• 7.3 Design and Development
• 7.4 Purchasing
• 7.5 Production and Service Provision
• 7.6 Control of Monitoring and Measuring Equipment

Clause 8 – Measurement and Analysis: requirements for measurement analysis and improvements of these processes including

• 8.1 General
• 8.2 Monitoring and Measurement
• 8.3 Control of nonconforming product
• 8.4 Analysis of data
• 8.5 Improvement

Getting Started

An ISO standard, by its very nature, is a very technical document. Stakeholders should review the document through the lens of their product or service and niche. An understanding of generally accepted interpretations of the contents is helpful:

• When a requirement is qualified by the phrase as appropriate, it is assumed to be appropriate unless the organization can justify otherwise.

• A requirement is appropriate if it is necessary for the product or service to meet requirements, to comply with applicable regulatory requirements, and for the organization to carry out corrective actions.

• When the term product is used, it can also mean service.

• In the standard terminology, the word shall indicates a requirement, should indicates a recommendation, may indicates permission, and can indicates a possibility or capability.

Once companies have an idea of the scope of work involved, here are suggested steps for beginning the journey to certification:

1. Create a quality plan

2. Conduct an internal audit

3. Initiate corrective actions

4. Conduct a management review

5. Entering the audit phase:

ISO 13485:2016 requires a 2 stage registration audit to become a certified organization.
The goal of a Stage 1 Audit is to determine an organization’s preparedness for its Stage 2 Certification Audit.

The Stage 2 Audit assesses the implementation and success of the organization’s ISO 13485:2016 management system.

A third party performs the external 2 stage registration audit. If both audits are successful, then an organization will be certified to ISO 13485:2016.

Pulling It All Together

Setting up a QMS can be time-consuming, but you don’t necessarily have to start from scratch. You can start by looking at existing organizational policies for adaptation to an ISO 13485:2016-compliant QMS. Areas to look at include existing HR policies, departmental policies, department practices, existing work instructions, and existing documentation.

Best practices for compliance and company performance prioritize having a QMS in place as early as possible. Trying to re-create QMS months or even years into development can cause delays that are potentially fatal to the company if the time between launch and revenue is on a very tight schedule.

For this reason, some consultants consider the management review to be the most critical part because it is where company leadership comes face to face, for better or worse, with the current state of their QMS. The success of the QMS is critical to regulatory compliance and approval, and management buy-in is critical to the success of the QMS.
Creating and maintaining a compliant medical device connectivity infrastructure is complex, expensive, and time-consuming. Those are all reasons why many medical device companies outsource their compliance infrastructure to pre-existing platforms like the Galen Cloud™.

Galen Data’s platform allows companies to wirelessly collect, store, share, and quickly analyze patient data. Dashboards and alerts for the manufacturer, medical team, and patients, are also provided within the platform. The software platform is compliant with FDA, HIPAA, and CE Mark standards and is ISO 13485:2016:2016 certified.

The Galen Cloud™ has accelerated the time-to-market for dozens of medical device companies by providing the compliant solution needed for FDA approval. Our Data team is equipped with decades of experience in software and regulatory compliance and is committed to device connectivity. Do you have questions about this critical aspect of your business? Contact us today for more information.