WHEN EVALUATING MANUFACTURERS of cleanroom equipment and supplies, many companies are confused about “ISO certification” of the manufacturers and the meaning behind certification. The intent of this article is to demystify ISO certification and to summarize the key differences between ISO 9000 and ISO 13485 quality standards.
ISO 9001:2000 can be viewed as a general quality standard that is applicable to virtually any industry. It has been used for companies ranging from semiconductor manufacturers to home construction companies and retail automobile dealerships. ISO 13485:2003 is much more comprehensive and detailed, and stresses aspects (documentation of activities, traceability, product cleanliness, personnel requirements, sterilization, etc.) that are of acute importance to medicaldevice companies, the agencies that regulate them, and end users.
History of Quality Standards
The concept of quality standards emerged during the first half of the twentieth century. The first known use of any document resembling a quality standard was during World War II. At that time, the British were experiencing problems with their bombs detonating while still in the factory. Procedures were written describing how the bombs were to be assembled and inspected on-site by the government.
As technology rapidly advanced during the 1950s similar types of problems developed in various industries. The United States military became involved, and by the early 1960s had issued MIL-Q-9858A Quality Program Requirements and MIL-I-45208A Inspection System Requirements to be used for military procurement. Following the lead of the U.S. military, NASA developed a quality system standard forits suppliers.
Concurrent with technological advances, an increase in international trade stimulated interest in the development of standards that would be universally recognized and applicable to various types of industries. Accordingly, in 1980 the International Standards Organization (commonly known as ISO) organized the Technical Committee 176 to develop such a standard.
The first issuance of the ISO standards was in 1987, followed by revisions in 1994 and 2000. In the 1987 and 1994 versions, there were two levels of standards:w 9001: Design/Development, Production, Installation, and Servicing
- 9002: Production, Installation, and Servicing
With the 2000 revision, the 9001 and 9002 structure was eliminated, and all requirements were captured in one document: ISO 9001:2000. Certifications to ISO 9001:1994 and ISO 9002:1994 were no longer valid as of December 14, 2003.
How the Certification Process Works
ISO certification applies to quality systems, not products themselves. In fact, it is prohibited to affix a symbol or claim denoting ISO certification to any product. ISO does not directly certify companies. Actual company certifications are purchased from companies called certification bodies. These certification bodies obtain accreditation from the national ISO member organizations. The certification bodies are private companies seeking profits. Due to the popularity of the ISO standards, the certification process has grown into a competitive mini-industry. There is no shortage of companies able and willing to sell ISO certification.
Companies achieve certification by demonstrating compliance to the quality system requirements. Evidence for compliance is generated through periodic audits by the certification bodies. The frequency of these audits typically ranges from twice a year to once every three years. The company seeking certificationpays fees for the assessments and the ISO certificates.
The Path to Certification
To be ISO compliant requires the creation of numerous documented systems. For an unregulated company, it typically takes 1 to 3 years to put the required systems in place and demonstrate their effective operation to the certification body. Companies that are already in a regulated environment, such as medical device manufacturers and drug manufacturers, have an easier pathway to certification. These companies are required by law to comply with the Good Manufacturing Practices (GMPs) published in the Code of Federal Regulations and enforced by the United States Food and Drug Administration. There is significant content commonality between the GMPs and the ISO standards. As a result, drug andmedical device companies can acquire ISO certification in 6 to 18 months.
The Value of Certification
The ISO standards provide the basis of a sound quality system, utilizing the best thinking acquired from several decades of experience. Based on the volume of documentation required, some detractors point out that ISO certification creates bureaucracy and stifles creativity. Most companies are not ISO certified, yet many are performing satisfactorily in their marketplaces. Similarly, there are companies that hold ISO certificates yet deliver substandard products and/or services. However, it would be accurate to say that compliance to ISO standards increases the probability of supplying product of acceptable quality, and provides a reasonable degree of assurance to both customersand regulators.
End of Millennium Paradigm Change
Prior to the 2000 change, ISO 9000 had been organized into 20 elements. These elements had become nearly sacrosanct to quality professionals and regulatory agencies. They addressed the full spectrum of quality system requirements rangingfrom management responsibility to product inspection and statistical techniques.
These elements served the industry well for many years, but changes were needed. For one, full compliance with ISO 9001:1994 required at least 18 documented operating procedures. In contrast, ISO 9001:2000 requires only 6. More significant was the transition from a procedure-based system to a process-oriented approach. The 20 elements were transmuted and collapsed to only 5 key sections as shown in Table 1.
Other changes also were included; most notably the requirement to measure customer satisfaction and to implement continual improvement objectives. The operation of the process-based ISO 9001:2000 system, showing interrelationships and feedback loops, can be graphically depicted using this illustration taken directly from a guidance to the standard (See Figure 1).
| Section | Description |
| 1 | Documentation requirements |
| 2 | Management responsibility |
| 3 | Resource management |
| 4 | Product realization |
| 5 | Measurement, analysis, and improvement |
| Table 1. Twenty elements have been reduced to five sections in ISO 9000 |
Figure 1. Model of a process-based quality management system
The Emergence of ISO 13485
Despite the nearly universal applicability of the ISO 9000 series of standards, perceived needs for industry specific standards emerged in the mid 1990s. Medical devices were deemed to be worthy of additional requirements, given the need for very high standards for safety and effectiveness. The technical committee went to work and ISO 13485 Quality systems – Medical devices – Particular requirements for the application of ISO 9001 was issued in 1996, based on the 20 elements. A second revision was issued in 2003, based on the ISO 9001:2000 process oriented approach. In general ISO 13485 requires that more activities be proceduralized and documented. However, there are also numerous new specificrequirements for medical devices:
1. Product specifications and quality system requirements must exist for each type/model of medical device,
including the complete manufacturing process
2. Defined record retention periods must exist to assure that key documents are available for the lifetime of the medical device, or at least two years
3. Top management must establish the interrelation of all personnel involved with quality, and assure the
independence and authority to perform the required tasks
4. Top management must promote the awareness of regulatory requirements
5. Regulatory requirements must be considered in the input phase of product design
6. Documented procedures must be written for periodic maintenance of manufacturing and measurement equipment
7. Health, cleanliness, and clothing of personnel must be controlled if contact between the personnel or work environment could adversely affect the product
8. Environmental controls must be established in manufacturing if environmental conditions can adversely affect the product
9. Training requirements must be designated for temporary workers
10. Documented processes must exist for risk management throughout the product design, manufacturing, and delivery processes, including the use of ISO 14971, a guidance specific to risk management
11. Procedures must be established for issuance of advisory notices (information provided to customers of delivered devices with information and/or recommended actions related to the use, modification, return/recall, or destruction of a device) including appropriate design transfer activities in the product development process
12. Specific consideration of safety requirements during the product development process
13. The inclusion of specialists during the design review phase of product development
14. The requirement to perform clinical evaluations and/or evaluation of medical device performance in accordance with national or regional regulations
15. Retention of purchasing documents to assure traceability
16. Creating verified and authorized batch records to include quantity manufactured and quantity released for distribution
17. Documenting requirements for product cleanliness
18. Documenting processes for medical device installation
19. Documenting processes for product servicing
20. For sterile products, lot traceable records that include sterilization process parameters
21. Validation of software used in manufacturing or the device itself
22. Validation of sterilization processes
23. Segregation of products returned by customers
24. Systems to provide traceability
25. For implantable devices, special documentation requirements for traceability, distribution, and receiving customers
26. The identification of product status throughout the manufacturing process and supply chain to assure that only properly released product is available to customers
27. The management of used product to avoid contamination, if applicable
28. Early warning feedback systems for identification and correction of quality problems
29. The identification of personnel performing any inspection or testing
30. Acceptance by concession (deviation) only if regulatory requirements are met
31. Formalized rework processes, including the determination of any adverse effect of the rework on product quality
32. Managing of customer complaints
33. Reporting of adverse events to regulatory authorities, if applicable
34. Formal evaluation of the effectiveness of implemented corrective and preventive actions
Contrast of ISO 13485 and ISO 9001:2000
As summarized in the previous section, compliance with ISO 13485 requires significantly more procedures and documents. However, there are two concepts in ISO 9001:2000 that did not carry over. One is the requirement for systems to measure customer satisfaction. The second is for continuous improvement of the quality system. The developers of ISO 13485 did not view these requirements as appropriate for the heavily regulated medical industry. There is the additional practical problem related to the abilities of certification bodies to accurately assessthese subjective requirements.
Summary
When evaluating products for use within a cleanroom, it is recommended to use suppliers who manufacture and are held accountable to the most rigorous quality standards. Although ISO 9001 applies to all types of organizations, regardless of size or function, it can assist companies to achieve recognized quality standards. For the medical device industry, where consistent product quality is crucial, ISO 13485 specifies additional obligations and requirements for a comprehensive quality management system designed to meet customer and regulatoryrequirements.
Mike Groesbeck is Vice President of Quality Operations for Cardinal Healthin McGaw Park, Illinois. He can be contacted at 847-578-2329 or [email protected].
