ISO13485:2003 VS ISO 9001:2000

Ritesh Chintakuntla

Why not adopt ISO 9001:2000 ?

  The Medical Device Industry did not agree with all the changes to ISO 9001:2000

  Harmonizing with the QSR (GMP) requirements   ISO 9001:2000 places an emphasis on Continual

Improvement and Customer Satisfaction   Harmonizing EN 4600X Standards with ISO 13485   Not user friendly   Lacked Process orientation   Could not tailor ISO to scope of registration

(service)

What they wanted to accomplish in the ISO 13485:2003

  Useable by organizations of all sizes   Specific to the Medical Device Community   Easily Understood   Compatible with “other” management systems

  9001:2000, ISO 14001

  Direct relationship with the activities involved in running the business

ISO 13485 Series Standards - QMS   ISO 9000: Quality management system fundamentals and

vocabulary   Except as noted in section 3 of 13485

  ISO 13485: Quality Management System Requirements   combines ISO 13485 and 13488   limitations will be indicated on certificate

  ISO/TS 14969: Quality Management Systems-Medical Devices-Guidance on the Application of ISO 13485

What has Changed?

ISO 13485 now has a totally new structure,   ‘20 elements’ is too linear,

  Adopted ‘process’ approach

  Emphasis is now on regulatory requirements for a quality management system rather than a quality assurance system.

  Increased attention to production of a conforming product and delivery of a conforming service is included in and is part of the quality management system.

  There is now only one management system requirement standard, i.e. ISO 13485, where previously there were two requirement standards: ISO 13485 and ISO 13488.

2003 Changes Continued   Went from 20 elements to 8

  Elements 4-8 contain all the requirements

  Emphasis on Consistency through Documentation

  Does Allow for permissible exclusions   Exclusions need justification!

  Organization replaces supplier to refer to the company implementing the standard

  Supplier replaces subcontractor when referring to companies that your company purchases goods and services from

2003 Changes - Continued

  Top Management must be involved in establishing and communicating the purpose and direction of the organization   The management system begins and ends with objectives

established by Top management   Top management – responsibility for profit or loss*

  Top Management needs to create an atmosphere in which people are not afraid to become involved, and desire to help the company meet its goals and objectives

Why Can’t the FDA change Part 820 to harmonize it with 9000:2000

  The FDA and medical device regulators take issue with following ISO 9001:2000 philosophies:

  Customer Satisfaction- goes above and beyond the safety and efficacy of medical devices. Evaluating customer satisfaction beyond safety is not FDA’s purpose

  Continuous Improvement- done simply for the sake of operating more efficiently is outside the scope of medical device regulatory agencies.

  Documentation- documentation is needed to know what a company intends to do and what they actually did- ISO 9001:2000 requires less documentation than does 13485:2003

  Process Approach- FDA does not feel its necessary for companies to change the structure of their documentation.   FDA is assuming the purpose of the change in ISO is a change in

documentation and that companies do not already use the process approach.

FDA/QSR harmonization with the ISO Standards

  The FDA is planning on some level of harmonization with ISO 13485 in late 2002 – early 2003.   Provided that ISO 13485 will remain more true to the medical

device/regulatory viewpoint

  Many other countries rely on ISO standards in regulating medical devices.   Promotes International Consistency.

  FDA and device regulatory agencies from other countries can more readily rely on one another's inspections and exchange inspection reports if the quality system requirements are similar.

Why Would Medical Device Manufacturers want to maintain ISO 9001:2000 Certification as well as 13485:2003

  Customers (Doctor’s, Hospitals, OEM’s) perceive a level of security in knowing they are buying from a manufacturer that has an ISO 9001 certified system.

  Helps companies obtain product certification CE mark,

  Companies do not have to be ISO certified to get CE Mark

  Depending on the product or service companies could opt for ISO 17025

Permissible Exclusions - Allowable

  (7.5.3) Identification and traceability - only partially applicable where there is no specific traceability requirement for the organization’s product

  (7.5.2) Customer property - Nothing is provided from the customer to the supplier in the realization of its products or processes

  (7.6) The organizations needs no measuring and test equipment to provide evidence of conformity

Differences

Guidance standards

ISO 14969:200X will be the guidance document for implementation to 13485:2003

 Section 3 of ISO 13485 has additional Terms and Definitions not included in ISO 9000:2000

ISO 9000:2000 and ISO 9004:2000 used as “consistent pair”

Differences: Section 4.1

  13485: "Maintain the Effectiveness of these processes"  Records that you are meeting requirements and stated

objectives

  9001:2000: “Continual Improvement of these Processes“

Differences: Section 4.2.3

  Organization must define the period for retention of obsolete documents  Duration must be for the life of the device  or as specified by relevant regulatory requirements

(GMP/GLP)

  9001:2000 Does not specify retention times

Differences: Section 4.2.4

Additional Requirement in Section 4.2.4 13485:2003 that are not in 9001:2000

  "Records shall be established and maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system. records shall remain legible, readily identifiable and retrievable. A documented procedure shall be established to define the controls needed for the identification, storage, protection, retrieval, retention time and disposition of records.

  Records from suppliers which demonstrate conformance to specified requirements and the effective operation of the quality management system shall be maintained. The organization shall retain the records for a period of time at least equivalent to the lifetime of the medical device as defined by the organization, but not less than 2 years from the date of last shipment from the organization.

  NOTE National or regional regulations may require a period longer than 2 years. The organization shall establish and maintain a record for each batch of medical devices that provides traceability

  to the extent specified in 7.5.3 and identifies the quantity manufactured and quantity approved for distribution. The batch record shall be verified and approved.

  NOTE A batch may be a single medical device."

Differences: Section 5

  Section 5.1 of 13485:2003 does not require "Continually Improving its effectiveness"   ISO 9001:2000 does.

  Section 5.2 of 13485:2003 focus is on meeting the customers needs   9001:2000 is focused on meeting and exceeding the customers needs.

  Section 5.3 of 13485:2003 emphasizes maintaining the system   9001:2000 talks about continual improvement

Differences: Section 6

  Section 6.2.2 of 13485:2003 Requires a procedure for training where as ISO 9001:2000 does not.

  Section 6.4 Work Environment of 13485:2003 is more detailed (i.e. health records, cleanliness of clothing and personnel, environmental monitoring) than the same section in 9001:2000

Differences: Section 7

  Section 7.3 Design and Development of 13485:2003 references ISO 14971 (Risk Analysis) 9001:2000 does not.

  Section 7.5.1 of 13485:2003 has added sub-clause G, which talks about packaging and labeling.

  Section 7.5.1.1 Cleanliness of Product and contamination control (Cleaning of product) is added for 13485:2003

  Section 7.5.1.2 Installation (Installing the Device) is added for 13485:2003

  Section 7.5.1.3 Servicing (After the Device is installed) is added for 13485:2003

Differences: Section 7 - cont’d

  Section 7.5.2 Validation of processes for production and service provision- additional requirements for 13485:

  “The organization shall establish and maintain documented procedures for the validation of the application of computer software (and changes to such software and/or its application) for production and service operations and measuring and monitoring operations (see 8.2) that affect the ability of the product to conform to specified requirements. Such software applications shall be validated prior to initial use. The results of validation shall be recorded (see 4.2.4).”

Particular requirement for sterile medical devices:

  “The organization shall subject the medical device to a validated sterilization process and record all the process parameters of the sterilization process (see 4.2.4).”

Differences: Section 7 - cont’d   Section 7.5.3 Identification and Traceability- additional requirements for

13485:

  Particular requirements for active implantable medical devices and implantable medical devices:

  a) “When defining the extent of traceability, the organization shall include all components and materials used, and records of the environmental conditions when these could cause the medical device not to satisfy its specified requirements.”

  b) “The organization shall require that its agents or distributors maintain records of the distribution of medical devices with regard to traceability and that such records are available for inspection.”

  c) “The organization shall ensure that the name and address of the shipping package consignee is recorded (see 4.2.4).”

Differences: Section 7 - cont’d

Section 7.5.5 Preservation of product- additional requirements for 13485:   ”The organization shall establish and maintain documented procedures for the control of product with a limited shelf-life or requiring special storage conditions. Such special storage conditions shall be controlled and recorded.” (FIFO)

Differences: Section 8

  Section 8.1 Measurement, analysis and Improvement- additional Requirements for 13485:

  If statistical techniques are used, organization shall establish and maintain documented procedures to implement and control their application.

Differences: Section 8 - cont’d

 Section 8.2.1 Customer Feedback- Additional Requirements for 13485:   “The organization shall establish and maintain a documented feedback

system to provide early warning of quality problems and for input into the corrective and preventive action system [see 7.2.3c)].”

  “If regulations require the organization to gain experience from the post-production phase, the review of this experience shall form part of the feedback system (see 8.5.1).”

Differences: Section 8 - cont’d

Section 8.2.4 Monitoring and measurement of Product- additional requirements for 13485:

 Particular requirement for active implantable devices and implantable devices:

 “The organization shall record (see 4.2.4) the identity of personnel performing any inspection or testing.”

Section 8.3 Control of nonconforming product- additional requirements for 13485:

 “If product needs to be reworked (one or more times), the organization shall document the rework in a work instruction that has undergone the same authorization and approval procedure as the original work instruction. Prior to authorization and approval, a determination of any adverse effect of the rework upon product shall be made and documented.”

Requirements for Documents – 92K

  ISO 9001:2000 requires a minimum of 6 procedures.

  Quality Manual

  4.2.3 Control of Documents

  4.2.4 Control of Records

  8.2.2 Internal Audit

  8.5.2 Corrective Action

  8.5.3 Preventive Action

Requirements for documents 13485

ISO 13485:2003 requires a minimum of 19 procedures!

  Quality Manual

  4.2.3 Control of Documents

  4.2.4 Control of Records

  6.2.2 Competence, awareness and training

  7.3 Design and Development

  7.4.1 Purchasing Process

  7.5.1.2 Installation activities (if applicable)

  7.5.1.3 Servicing activities (when required)

  7.5.3.1 Identification

  7.5.3.2 Traceability

  7.5.5 Preservation of Product

  7.6 Control of Measuring and Monitoring Devices

  8.1 Statistical Techniques (if used)

  8.2.2 Internal Audits

  8.3 Control of nonconforming product

  8.4 Analysis of Data

  8.5 Improvement

  8.5.2 Corrective Action

  8.5.3 Preventive Action

ISO 13485:2003 Certification = Certification to ISO 9001:2000???

  ISO 13485 is a stand alone standard   It is based on ISO 9001:2000.

  Primary objective of ISO13485 is to facilitate harmonized medical device regulatory requirements.

  Includes some particular requirements for medical devices and excludes some of the ISO 9001:2000 requirements

  These exclusions prevent users from claiming conformity with ISO9001:2000!

Thanks for reading!!! Feedback Welcome.