When ISO 9001 was produced by the International Standards Organization, it put forth the general quality standard that organizations could adopt to ensure that the organization is focused on quality, the basic structure is in place, and the product it is offering will be at acceptable levels. That was readily accepted and embraced. For the medical device industry, ISO 13485 specifies requirements for a quality management system where a medical device organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements.
FDA has always been a leader in the world when it comes to ensuring the safety of medical devices. It has been pioneering regulations to ensure that the medical devices being brought to market are safe. This is a consistent trend; it was the first to offer a Quality System Regulation (QSR), which set the stage for the basic structure for quality that a lot of medical device companies now routinely have in place. FDA demanded that medical device organizations prove that the medical device will do what it is intended to do.
During the research and development (R&D) process, the company would need to break it down by specifications — such as electrical, mechanical, and software and tie them to functional requirements. The company would go through the design process, meeting laid out requirements and specifications, identifying risks, and so on to specify exactly the functional requirements. They would go through the design processes and then address the specific requirements, identify the associated risks and hazards, and apply appropriate risk mitigations.
The end result is to ensure that the patient uses a safe product. The way FDA does this is to have medical device companies think through their processes of developing a medical device. ISO 13485 is in line with this approach, particularly as it relates to the design control cycle.
Design controls are essentially defined as a set of management practices used to control the process of design and development of medical devices. By focusing on the process first, companies gain a better understanding of the design control inputs and outputs. Both FDA and ISO 13485 design control requirements can then be applied to a process that best enables the company to develop a quality product.
Looking at other industries that handle product development, there is generally a thought process of first identifying the customer problem that needs to be solved and then working from there to develop a product. Similarly, for medical devices, developers must first identify the patient’s problem as a foundation to the design and development of the device — and then, the company must document the design all along the way. The intent is not to make companies jump through hoops, but to have companies design and build products with intent and ensure that they address the problem they want to solve.
Verification and validation is the last step. At the end of the design control cycle, the company will have a design master file that is home to documentation showing all the steps taken during the design control process.
Changes to ISO 13485
In 2003, ISO released the first version of the 13485 standard, which focused on harmonizing and organizing the requirements for a quality management system (QMS). There were still gaps that were not covered so within the last year, ISO updated the standard and incorporated more than a decade of experience, learning, and understanding. More structure and guidance for medical device companies was added. 1
The ISO 13485 standard has been adopted by medical device manufacturers and distributors as well as many regulatory agencies around the world. The original intent of ISO 13485 was to help companies establish a QMS where they can prove that they are designing a product according to plan and that they have controls over the R&D and manufacturing processes. In the end, they will produce a product that does good, not harm.
The New ISO 13485:2016
The new standard provides direction on design controls. The following are changes that relate to design controls and the impact the changes will have on medical device companies (see Table 1). It is important to remember that the medical device company is responsible for the quality regardless of whether a deviation or product flaw came from the supplier or within the company’s own walls. At the end of the day, the medical device is theirs and the responsibility belongs fully to the device manufacturer.
Does this make a hard road? A common question that arises when people learn about additional changes is whether adding more structure adds more burden to a company.
The truth is, if a company is designing and putting out a good product, these standards will make life easier. This can be particularly true for smaller organizations. For instance, a small medical device company can find it increasingly difficult to compete head-to-head against a large company with more resources. The place they can compete one-to-one is on standards and regulations.
Standards such as ISO 13485 level the playing field between global powerhouses and small companies because everyone is forced to make a good product. Those companies that leverage lean and agile models can focus on bringing a product to market that is equal in quality to massive companies that have more resources.
When embraced, standards and regulations are not a hindrance but rather a help. In fact, they are an enabling factor that can help companies compete on a level playing field and succeed.
Karthik Sriram is a Senior Advisor at UL Compliance to Performance, Princeton, NJ. He can be reached at