Many organisations are scared off by talk of CE Marking, Notified Bodies, regulatory inspections, unannounced/surprise audits and the like.
It's all nonsense (well, almost all). You don't believe me? Then read on. There could be a lot of high-margin business that you're missing out on.
In this article we’ll consider nine frequently asked questions:
Let’s get started.
Frequently Asked Questions About ISO 13485 and Supplying to the Medical Device Sector
1. Is ISO 13485 certification mandatory for supplying medical devices?
We're considering the position of component and packaging (including labelling) manufacturers and logistics/distribution companies. The former input materials and services to medical device manufacturers and the latter provide distribution and other services for the finished product.
To answer the question: ISO 13485 is designed and intended for use by the entire medical device supply chain. And what tends to happen is that those evaluating potential suppliers have a tendency to ask about ISO 13485.
Indeed, some manufacturers mandate it as a prerequisite requirement. So, it can only help to have such certification. Surprisingly, it is not necessary to be a supplier to the medical device sector to get ISO 13485 certification.
Yes, you can get certified as a medical device component manufacturer without manufacturing any components.
2. Is ISO 9001 certification alone enough to supply medical devices?
There are many suppliers to the sector with ISO 9001 certification alone where additional requirements are dealt with in a Sales Contract or SLA (service level agreement).
It gets a bit more complex for distributors. Some regulatory bodies (e.g. Ireland HPRA) have guidelines that mention ISO 13485 certification. Regulators of the pharma and medical device sectors have a long history of treating guidelines as ‘holy writ’. They will audit/inspect against guidelines as if they were mandatory.
While it is far from certain, many CBs (certification bodies) expect ISO 13485 certification to become the norm for distributors, and prospective distributors, in the near future.
So, if customers are happy with ISO 9001 certification, don’t change. But, if you want to add to your list of medical device customers, or enter the sector, ISO 13485 certification is necessary.
3. Is ISO 13485 just an add-on to ISO 9001?
No, it’s not. There are two significant differences between ISO 9001 and ISO 13485
- ISO 9001 uses the new HLS structure while ISO 13485 retains the structure of ISO 9001:2000.
- ISO 9001 is not prescriptive while ISO 13485 has up to 139 requirements for documentation. These include a quality manual, a documented management representative and preventive action, among other things. All of which are no longer needed for ISO 9001 certification.
An integrated management system is often suggested here. But this is not a practical proposition. These are two distinctive standards requiring two management systems, albeit ones that are compatible with one another and have shared processes/procedures (e.g. a combined internal audit programme and a single nonconformance procedure).
4. Do we have to get CE marking of components?
No. While you may be asked by a customer to affix a CE mark to a component, you will be doing so on the ‘manufacturer’s’ behalf.
Regulations under ISO standards define the ‘manufacturer’ as the entity that holds the marketing authorisation/licence. Only ‘manufacturers’ need to engage in the protracted and (usually) expensive process for getting a CE mark for a medical device or an IVDMD.
Suppliers to manufacturers (including distributors) do NOT require CE marks.
5. Do medical device suppliers have to comply with a lot of regulations?
Again, no. Regulatory requirements will be defined in the contract (or SLA) by the ‘manufacturer’. There are no regulations that you would be subject to directly.
6. Do medical device suppliers have to comply with a lot of Guideline requirements?
Yet again, no. Regulatory guidelines, to the extent applicable, will remain the responsibility of ‘manufacturers’ and will be reflected, where necessary, in contract and SLAs.
7. Will medical component suppliers be subjected to surprise audits?
As a component manufacturer and supplier to the medical device sector, you will only be subject to Unannounced Audits (a.k.a. Surprise Audits) if your customer - the ‘manufacturer’ - has designated your company as a ‘crucial supplier’ or a ‘critical subcontractor ‘in paperwork submitted in pursuit of CE marking.
Your contract or SLA with the ‘manufacturer’ will advise you of the designation, if applicable. If it doesn’t, ask them in writing (an email will suffice) of your status.
It is more likely that distributors will be subject to Unannounced Audits because of the critical role they play in maintaining the integrity of product identification and traceability.
8. Can we have combined ISO 9001/ISO 13485 audits and save on costs?
A combined audit is not a practical proposition; the two standards are very different. ISO 9001 focuses on customer satisfaction and ISO 13485 focuses on the product (quality, performance, traceability, market feedback, et cetera).
Of course, audit fees are always negotiable. If requesting back-to-back audits against the two standards, you should expect a significant discount.
9. Does addressing risks in our ISO 9001 QMS also satisfy ISO 13485 requirements?
To conclude - you need to get into this high-margin sector
I hope these answers have encouraged you. The market for medical devices and in-vitro devices is growing at an astonishing rate. There are more than 10,000 different types of devices registered globally. And the compound rate of market growth is in excess of 14% per annum by value.
In seeking new suppliers, ‘manufacturers’ place a far higher priority on quality and on-time delivery than on price. You need to get into this high-margin sector. As a basic confirmation of your capability, you need ISO 13485 Certification.
What are you waiting for?
Note: First posted in Jun 2018; revised and updated in May 2021.