The most fundamental difference between the two standards is that ISO 13485 is tailored specifically to medical device
companies, whereas ISO 9001 can be used by any company, of any size, within any industry sector. Additionally, ISO 9001
requires the certified company or organization to demonstrate continual improvement based upon the newly added sections of
9.0 and 10.0. By contrast, ISO 13485 requires ongoing improvement but only as much as needed to demonstrate that its quality
system is effectively implemented and maintained. ISO 9001 requires continual improvement of the effectiveness of the QMS by
virtue of the rearranged requirements, planning orientation and formal deployment of the risk and opportunity analysis.
Another principal difference is that ISO 13485 excludes the ISO 9001 requirements regarding customer satisfaction, focusing
instead on regulatory requirements for post-market surveillance activity. The newest version of ISO 13485 requires device manufacturers, as
well as their sub-tier suppliers and contractors, to apply risk management with analysis from the product’s concept and design
phases throughout product realization and servicing. The standard also requires that risk management practices be applied to
the processes of the quality management system (QMS) itself as part of the rigorous formality of planning (see ISO 9001,
section 6.0). Prior to the 2016 version, risk management was only required in relation to product planning (ISO 14971) and not to the
processes that resulted in its manufacture (e.g., design control and risk-based quality reviews).
According to a recently released white paper, the ISO 13485 standard is now at a “new level of application,” due to the following:
1. “Any actions taken by a business must be measures for controlling risk…”
2. “Critical factors must be evaluated as risk and opportunistic (R&O) driven outcomes.”
3. “As a result of 1&2 it is explicitly imperative to make planning a tangible and documented activity with appropriate
review and actions at executive level decision making.”3
Due to these new elements within the 2016 standard, and increased levels of various aspects of quality management (see
section header below – “What are the Major Differences Between ISO 13485:2003 and ISO 13485:2016?”) some medical device
companies may find it in their best interest to comply with ISO 13485 only as opposed to seeking certification with both 9001
and 13485. However, one thing that is likely to remain the same (despite the changes in the most recent version of the 13485 standard) is
that non-medical device companies will often upgrade or migrate from 9001 to ISO 13485 (or maintain both certifications) in
order to introduce their existing products for use in medical (device) applications. Additionally, device manufacturers that intend
to market their products within the European Union will need to address compliance with the requirements of the applicable
Medical Device Directive (MDD) and CE marking process. Some medical device companies will also do the same based on their
own unique needs. This has created a whole new positioning of registrars in the regulatory intent of a certification process (e.g.,
MDSAP audits).