5 Real Differences Between ISO 9001 and ISO 13485

ISO 9001 and ISO 13485 are standards that address different aspects of quality management within a family of standards called ISO 9000. The goal is to organize the internal rules of the business to ensure the best possible customer satisfaction and product production.

What are the differences between ISO 9001 and ISO 13485? The difference between ISO 9001 and ISO 13485 is that ISO 9001 is an international standard for a quality management system. The ISO 9001 standard is used to put in place the best possible framework for ensuring consumer satisfaction with products and services.

On the other hand, ISO 13485 is the standard for a medical device quality management system. It was the only system that did not receive the 2015 update of ISO 9001. However, many believe ISO 13485 will be based on ISO 9001 in the near future.

ISO 13485

Although ISO 13485 includes the previous ISO 9001 (2008) standards, it also holds its own additional requirements. ISO 13485 was most recently updated in 2015. ISO 13485 standards are focused on the effectiveness and quality of medical devices.

The Differences Between ISO 9001 and ISO 13485

There are a lot of similarities between ISO 13485 and ISO 9001, both of which focus on the goal of producing high-quality products. There are also 5 significant differences in the structure and aim of these systems.

The differences are in 5 areas:

  1. Product specifics
  2. Regulatory requirements
  3. Documentation requirements
  4. Customer satisfaction
  5. Continual improvement

The ISO 13485 documented methods for uncertainty management in product recognition go much further than those of ISO 9001. Clinical performance evaluation is a part of design and development validation. It has to be in line with regulatory requirements for the ISO 13485 quality management system.

The monitoring and measurement of the status of a product is a requirement in the ISO 13485 quality management system. Customer property is their health information, which must remain concealed from any third party.

Authorized employees must be identified, concessions must pass the governing requirements of ISO 13485, and they must determine the effect of any and all rework. 

ISO 13485 documentation requirements are much more thorough than those of ISO 9001. Companies certifying medical devices must include a risk-assessment system in product realization.

Each medical device file states:

  • General description
  • Product specification
  • Manufacturing process
  • Installation processes
  • Servicing processes

The quality manual is used to define the structure of documentation within the QMS. The release of out-of-date documents is required for the lifetime of a medical device. Responsibilities and authorities must be recorded in addition to being defined and described. Any relations among personnel must be documented.

Maintenance of activities that affect product quality, and communication of health, clothing, and contamination, is obligatory. Complaints must be examined in response to customer feedback, which includes the authorization of documentation when remedial actions are not taken.

The purchased products must be traceable, including documents and records. There must be documentation of the methods and processes for controlling the qualification of the foundation. Documented requirements for cleanliness or contamination control of the product are necessary.

Installation activities, including confirming, and servicing projects, must be documented. Manage reports and documents for every sterilization batch.

Document procedures for validation of computer software, validation of sterilization, product identification including returns and traceability. Document procedures for traceability are required.

Documentation for implantable medical devices is to include components, materials, and work conditions as well as records of the identifying personnel performing the inspection.

Preserving conventionality of the product is a requirement in order to control measuring and monitoring devices including software that affects product conformity. There also is a feedback system for early warning of all quality problems.

ISO 9001 is not directly linked to organizational requirements. However, ISO 13485 is when it concerns complaint handling and post-market monitoring.

Medical devices

ISO 13485 is subject to much more rigorous standards due to the application of the products. Medical devices have their own unique terminology within the industry.

There are specific rules and qualifications staff members must be aware of to avoid contamination. Unlike ISO 9001, ISO 13485 is concerned about the cleanliness and contamination control of their products.

When it comes to regulatory requirements, the purpose of the standard is to expedite the effectiveness of quality management system regulations around the globe.

Meeting product handling requirements is also an essential component of this standard, as the plan is to produce reliable products which have adequate performance.

It is both an international and national standard for all staff to be well-versed in the protocol. The intent is to monitor information in order to meet customer satisfaction.

The ISO 9001 standard follows basic quality principles such as:

  • Customer focus; the 9001 system's main focus is customer satisfaction
  • Leadership within the confines of the company creates unity and organization among the ranks
  • The engagement of people ensures the customer's needs are understood and met in regards to the ISO standard
  • The desired result is achieved when activities are considered a process
  • Logical decision-making that suits the interest of the company and consumer likewise is needed
  • Management must select suppliers that increase value, limit waste, and optimize cost efficiency
  • ISO 13485 requires a representation of efficient implementation and maintenance of the quality of the system

Unlike most systems in the ISO 9000 family of systems, ISO 13485 does not follow the 2015 update of ISO 9001. The structure of ISO 13485 is not compatible with other systems within the family.

When Was ISO 9001 Updated? How Has it Changed?

ISO 9001 first began in 1987. The first revision took place in 2000, while the most recent update took place in 2015.

ISO 9001 Revision 2015 includes:

  • Introduction to the information and principles of the new implementations
  • Scope out and define working projects for the foundation.
  • Normative reference
  • Determine terms and definitions for the company to use in product creation and salesmanship.
  • Set the quality management system of policies and processes required for planning and execution.
  • A strong developing force behind the need for resources
  • The declaration of the chosen product and its relationship with the consumer.
  • The measurements and improvements that keep the company afloat.

The ISO 9001 2015 update significantly changes the landscape after the third clause in 2008's revision to include the context of the organization, leadership, planning, operation, and performance evaluation in replacement of the quality management system.

Both systems maintain the idea of providing the best possible service and products while continuously improving the standard of the company. These systems are not law but are best known for their ability to implement firmness and precision.

What Does It Mean To Be ISO 9001 or ISO 13485 Certified?

To be ISO certified, an organization has to meet the requirements of the ISO 9001 management system while forcing the company to focus on consumer satisfaction and implement improvements to the system.

It would be a 3-6 month process before an organization can become ISO 9001 certified.

The size of the organization or the industry does not matter. The ISO 9001 is the standard for many companies and is the only system among the 9000 family that needs a certification.

ISO certification can enhance an organization’s credibility by showing that their services will meet customer expectations. In most situations or in certain industries, certification can be required or legally mandated.

The certification process includes implementing the requirements of ISO 9001 (2015). After that is finished, completing a successful registrar’s audit confirming the organization meets those requirements is required to complete certification.

ISO 13485 does require certification, yet a third-party source certification would be quite beneficial. There are special qualifications that a quality management system needs to engage to become certified.

Each organization needs to show its own capacity to produce medical devices and services that meet customer and regulatory demands.

ISO Certified

6 steps to ensure ISO certification

1. Planning quality system

  • Writing a quality document is not enough; companies will need to document quality plans when implementing changes in the system.
  • A company then needs to select a consultant. The standard requires that the consultant is well-versed in the subject matter and/or specified within the industry.
  • Each company is required to fill out an application and quote in order to find an independent consultant. There can be one within the company, but he cannot perform an external audit.

2. Meet regulatory requirements

When developing a plan, U.S. medical devices need to fall under FDA 21 CFR 820. FDA 21 CFR 820 is known as the quality system regulation that outlines current good manufacturing practices. It governs the methods used in, and facilitates, the design, packaging, and labeling of devices in human use.

3. Implementing design controls

Essentially, this means setting managing principles used to control the design process and building process of medical devices.

4. Documents, records, and training

  • Another qualification for a quality manual is to define the process of interactions within the management system.
  • A standard template includes the bottom row, middle row, and top row.
  • Bottom row - Supports training and document control.
  • Middle row - Has core processes of purchases, production, and shipping.
  • Top row - Relates to the management processes.

Each of these levels has associated procedures that will need to be witnessed and controlled. The document control procedure is the one to serve as a foundation for the entire management quality system.

Any and all design control procedures and forms will need to be approved.

After these procedures have been approved, the company will need to begin training personnel on the procedures. Documentation is required.

After each procedure is done, the corresponding disposition will need to be written in as well. This will allow for a natural growth within your manual so it can reflect what was done instead of being copied from the original international standard.

5. Management processes

  • This is a proactive step that ISO places heavy emphasis on that requires organizations to consider potential risk in the operating environment.
  • There has to be an integration of risk management and business processes.
  • Corrective actions, internal auditing, and management review are primary focuses.
  • Implementing an internal audit will begin by identifying some areas of weakness that can then be managed and developed into a strength. Processes such as CAPA are implemented as the first step to corrective action.
  • Conduct management review.
  • An external audit is then performed on the internal audit, CAPA, and management review by an independent person. Consultation from within the company is not allowed.
  • The external audit does not need to be done within the confines of the company. Remote audits are possible because the management representative is the primary interviewee.

6. Certification audit

This is a 2-step process. Steps one and two need to be audited by industry-specific and ISO personnel.

Step 1 is typically a one-day audit where negative and positive findings are reported. Nonconformities, or negative findings, will need to undergo corrective action before step two can begin.

Once there is sufficient evidence of progress towards conformity, step two can take place.

Step 2 is a multiple-day audit with various auditors. This is a period where the rest of the quality management system processes will be audited.

The recommendation of certification can be revoked if there are major requirements not met. This requires another audit. If they remain minor, only a corrective plan is needed to receive the certification.

Step 1 will require:

  1. Quality manual
  2. Company organization charts
  3. Controlled procedure list
  4. Internal audit and schedule
  5. CAPA procedure
  6. Management review procedure
  7. CAPA log
  8. Management review minutes

Once the audit is complete, the report and recommended certification are reviewed and accepted. The company applies remedial action methods for the Stage 2 findings.

After the corrective action plans are accepted, the certification agent will conduct an internal review of all documentation.

A month after the corrective actions are approved, the certification will be issued to the company. 

The certification is a process-based standard. It does not define the quality of the products in ISO 9001. This is true, however, for ISO 13485. One person cannot receive the ISO certification unless they are a company or organization alone.

There is a 3-year period of recertification in order to remain aligned with ISO document requirements. The certification body will decide whether or not the company meets the new requirements.

The CB needs to be accredited by an IAF body member before auditing another company. ISO 17021 ensures an international acceptance of the Certification body's certification.

It is possible, however, to be an ISO 9001 certified lead auditor after a 5-day training. This certification gives the auditor the ability to audit other companies.

To become ISO 9001 certified, the company must follow the standards and requirements of the ISO system.

Then an auditor will visit the organization and rate the performance of the company against the latest requirements of the ISO QMS.

What Does it Take to Become Certified?

Some of the requirements needed to become Certified include:

  1. An understanding of the ISO 9001 system approach. It would be best to ensure everyone within the company has a decent idea of what the newly implemented system is.
  2. Performing a gap analysis, which is an objective comparison of a company's standard against that of ISO requirements. When performing a gap analysis, it is best to focus on what is in place rather than what isn't.
  3. Summarize and understand the audit findings to make sense of what needs to be improved as well as what can remain as is.
  4. Develop a plan for the project. Developing a plan forms structure and consistency within the company's workspace.
  5. Improve employee awareness of ISO 9001 to make sure employees know the system they are working within.
  6. Documenting the system by identifying and analyzing sections of the company that fall the furthest away from ISO standards.
  7. Apply the rules and structure of ISO to all parts of the company to ensure the practice of required protocol.
  8. Create an Internal Audit to allow editing of the company's system from within their own QMS.
  9. Remain open-minded to improvements. Continuously applying and adapting the company or organization to meet ISO standards.

There is not a certification for ISO 13485. There is no requirement that companies need to be able to design, produce, and implement medical products and services.

All ISO standards are reviewed after 5 years to ensure relevancy in the current marketplace. ISO 13485:2016 was designed to respond to the latest quality management systems practices such as changes in technology.

The International Standard offers rules, guidelines or features for projects or for their issues, aimed at achieving the maximum level of engagement in a given setting. It can take on many appearances.

Apart from product models, other instances included in the International requirement are test methods, systems of practice, standards, and management operations.


Written: 26th July 2019
Author: Richard Keen

Richard is our Compliance Director, responsible for content & product development.
But most importantly he is ISO's biggest fanboy and a true evangelist of the standards.