ISO 13485:2012
Medical Devices Management

ISO Consultant Colin says…


ISO 13485: 2012 – What’s it all about ?
ISO 13485 is slightly different to many of the management system standards. Through the European Medical Devices Directive, 93/42/EEC, anyone intending to put a medical device onto the market in the EEC must have their Quality System assessed and certified prior to the goods being released. This certification must be against ISO 9001 or ISO 13485 and ISO 14971*, and be completed by a Notified Body. On a successful outcome of this assessment a certificate of conformity is issued allowing use of a CE Mark on the goods concerned and permission to sell the device in the European Market.
Hence certification against ISO 13485 directly affects a company’s ability to trade, while management system standards in other industries, such as ISO 9001, are rarely directly specified, legal requirements prior to entering a market.
*ISO 14791 is titled “Medical Devices: application of risk management” and should be used in conjunction with ISO 13485 when developing medical devices.

Essential for suppliers of medical devices

Increase access to more markets worldwide

Increase efficiency, cut costs

Why would my business want approval against this standard ?
As indicated above, if you want entry to this market, then approval against this standard is mandatory. Hence the decision to go through the potentially expensive certification is much more simple, if you want to be in this market this is one of the costs of entry.

How long would it take to become approved ?
This is a difficult question as so much depends on the type of product and size of business, but starting from scratch it is unlikely that a company would gain certification in less than six months. As a single product business with under 30 employees I would anticipate this needing at least 15 days of our help to get through the initial approval and be awarded a certificate of conformance.

What must I need to do ?
In short, identify the areas of your business where significant risk to the Security of your information exists. Then develop and implement appropriate controls to reduce that risk.
Annex A of ISO 27001 gives a range of controls which can be used to control information security. The applicability of these controls against your business needs to be established, and where the risk is significant, controls need to be developed.
The effectiveness of these controls must then be assessed through a series of internal audits, and by monitoring your security performance against measureable objectives. A system for the reporting of security breaches and potential breaches also needs to be established.

What is this likely to cost ?
Our fee’s are based on a day rate. The number of days are based on your activities, but are typically 10-12 days for a small business.
Certification by a UKAS ( i.e. UK Government approved body) is likely to cost £ 5-6000 for a three year certificate.