ISO 13485 vs. ISO 9001 to Attest Medical Device Manufacturers’ Compliance
Editor’s note: Gala compares ISO 9001 and ISO 13485 and explains how to understand which of these standards is right for your medical device manufacturing organization. If you want to know how to implement a quality management system (QMS) in accordance with ISO 9001 or ISO 13485, you are welcome to turn to ScienceSoft's team for healthcare IT consulting.
A quality management system (QMS) covers the full production cycle of software or a device. To understand the difference between ISO 9001 and ISO 13485, let's compare these international standards.
ISO 13485 and ISO 9001: The Essence
ISO 9001
ISO 9001 is an international standard developed by the International Organization for Standardization (ISO) for the creation, implementation, and maintenance of QMS and aimed at increasing clients’ satisfaction with the quality of products or services. ISO 9001 can be followed by organizations regardless of the industry. The standard was revised several times, with the latest version published in 2015 and an update planned for 2026.
ISO 13485
ISO 13485 is the international quality management standard for medical devices. Its last revision took place in 2016. The requirements of ISO 13485:2016 were developed to ensure the safety of all stages of a medical device life cycle. This standard applies to all companies involved in the design, production, installation, or servicing of medical devices.
Why Obtain ISO 9001 and ISO 13485 Certifications?
Both certificates are mostly voluntary (at least, formally). ISO 13485 is only legally required in Canada for medical devices of Class II and higher. However, you might notice that a lot of companies are keen on getting certified. In fact, as of December 31, 2023, more than 33,000 companies worldwide have been certified to ISO 13485 (an increase of over 11% from the previous year), and more than 838,000 to ISO 9001.
So, what’s driving the demand? There are several factors to this. Firstly, these standards often serve as de facto regulatory benchmarks. Although they are not typically listed in the official legislation, many countries base their QMS requirements on these standards or even reference them directly. For instance, the European Commission establishes that compliance with the harmonized standards (one of which is ISO 13485) is equivalent to compliance with the relevant parts of the Medical Device Regulation (MDR). Similarly, ISO 9001 serves as the basis for conformity assessment of non-medical device products required to enter the European market.
The U.S. FDA also recognizes ISO 13485 as substantially equivalent to its own Quality System Regulation and has even initiated a harmonization process to bring its 21 CFR Part 820 closer to the internationally recognized standards. Some regulatory bodies may accept the certification as valid support for local conformity documentation. So, while it won’t grant you automatic regulatory approval, getting an official certification will definitely ease your way toward market entry practically anywhere in the world.
Another reason to obtain ISO 9001 and ISO 13485 certifications is that they are often a prerequisite for collaborations where clients and partners need reliable proof of compliance across the supply chain. Many companies won’t even consider working with an uncertified supplier or partner because that means they would have to conduct their own costly and time-consuming audits.
Lastly, a mature quality management system implies a high quality of the products or services provided. Therefore, being certified by an authorized organization increases your reliability in the eyes of potential clients. In fact, ISO has performed an analysis of 42 studies that showed that ISO 9001-certified companies typically experience significant sales growth.
ISO 13485 and ISO 9001: Similarities
Risk assessment
Both standards highlight the importance of incorporating risk management into the design and production stages and developing a risk management strategy to minimize the possible negative consequences of risks.
Customer focus
Both ISO 13485 and ISO 9001 aim to make certain that customers are satisfied with the final product.
Employee competency
To comply with either of these two standards, the medical device manufacturing organization must ensure that its employees are competent to carry out their assigned work.
ISO 13485 and ISO 9001: Differences
In general, the ISO 9001 standard can be used for various industries (e.g., manufacturing), but ISO 13485 applies exclusively to medical devices and Software as a Medical Device (SaMD). There are also other prominent differences:
Quality requirements
For ISO 9001, customer satisfaction is the hallmark of a quality-oriented culture. ISO 13485 focuses on the safety of customers and regulatory compliance. In addition to the quality-oriented culture, it establishes specific requirements for the design, development, production, and delivery of medical devices that are safe for their intended purpose.
Quality improvement model
Both standards use a PDCA (Plan-Do-Check-Act) cycle, a continuous quality improvement model that consists of a logical sequence of four repetitive steps for constant enhancement to a product or service. However, ISO 13485 takes a more controlled approach to it. Even small tweaks in medical device production could have huge consequences for end users. So, any changes to processes must be justified, documented, and validated to ensure they don’t introduce new risks.
Documentation control
ISO 13485, in comparison with ISO 9001, is more demanding in terms of documentation: it requires the inclusion of regulatory documents (detailed product specification, description of production processes, installation and maintenance processes) in the system documentation.
Distribution of duties
ISO 9001 allows organizations to distribute the responsibilities for quality control without tying them to specific managers, while ISO 13485 states that a medical device manufacturer must appoint a specific member of management to be responsible for the QMS.
Risk management
ISO 13485 focuses on the development of documentation for risk management and requires a medical device manufacturer to maintain records of the risk management process during medical device production. In addition, the standard obliges medical device manufacturers to analyze consumer complaints and establish after-sales supervision of the conformity of the product to the declared quality.
Resource management
Both standards define resources as the various equipment, buildings, personnel, and IT resources required to create high-quality products. According to ISO 13485, an organization involved in the full production cycle of medical devices has to document the requirements for the health and cleanliness of personnel clothing, monitor the production environment, and develop systems for the containment of contaminated products.
For your convenience, we prepared a table that summarizes the key differences between the two standards:
| Aspect | ISO 13485 | ISO 9001 |
| --- | --- | --- |
| Risk assessment (A highlighted need for thorough risk management during design and production) | ✔ | ✔ |
| Customer focus (Aimed at customer satisfaction) | ✔ | ✔ |
| Employee competency (The company must ensure its employees are competent to perform assigned tasks) | ✔ | ✔ |
| Industry scope | Applies exclusively to medical devices and Software as a Medical Device (SaMD). | Applies to a wide range of industries. |
| Quality requirements | Emphasizes product safety and regulatory compliance. | Focuses on customer satisfaction. |
| Quality model (PDCA) | Strict: all changes must be justified, documented, and validated. | Looser: repeated improvements are seen as an integral part of the QMS. |
| Documentation control | Requires the inclusion of regulatory documentation. | Less demanding in terms of providing regulatory documentation. |
| Distribution of duties | Requires appointing a dedicated management representative for QMS. | Allows for the distribution of QMS responsibilities across roles. |
| Risk management | Requires full lifecycle documentation, complaint tracking, and post-market surveillance. | Encourages risk-based thinking but does not require detailed records or post-market follow-up. |
| Resource management | Requires specialized protocols for staff hygiene, environmental monitoring, and contamination control. | Focuses on providing the necessary infrastructure, personnel, and suitable work environment in general. |
Which Standard Should You Choose?
Opt for ISO 9001 if you:
- Manufacture non-medical products or offer general services, such as IT services or consulting, that aren’t targeted at the medical domain.
- Want an industry-independent QMS certification to boost credibility and customer satisfaction.
Adopt ISO 13485 if you:
- Design, manufacture, or service medical devices or related components.
- Develop software classified as a medical device (e.g., clinical decision support tools, diagnostic apps).
- Want to prepare for regulatory submission (e.g., CE marking certification, TGA approval).
Also, you may consider obtaining both ISO 9001 & ISO 13485 if you serve both medical and non-medical markets.
Make your QMS compliant with international standards
If your company isn’t sure that its healthcare software qualifies as SaMD and what certification is relevant in your case, our healthcare IT team will be glad to provide a consultation on how to improve your existing QMS or build a fully compliant one from scratch. With our mature corporate QMS, both ISO 9001 and ISO 13485 certifications, and proficiency in FDA and MDR requirements, we are ready to help you navigate regulatory complexities and ensure your QMS meets all applicable international standards.