Considerations in Achieving ISO Certification
There has been a great deal of confusion concerning whether being in
compliance with the medical device Good Manufacturing Practices (GMP) would
successfully lead to obtaining ISO certification (with minimum changes and
costs), or whether achieving ISO certification is going to be a long, expensive
road. The ultimate success of your ISO program will not depend solely on how
well defined your quality system is, but rather your company’s commitment to
GMP vs ISO: Which Road to Quality?
Both GMP and ISO are quality systems in their own right. As the revised GMP
became final in June 1997, the two systems became closer in how they are written
and how a company should be achieving quality. There is, however, a real
difference between GMP compliance and ISO certification.
The GMPs are a regulatory requirement mandated by law, and if you are
manufacturing medical devices for U.S. distribution, you must be in compliance
with these regulations. ISO, on the other hand, is a voluntary certification
obtained by a company when they determine that the certification is beneficial
to their operations and/or marketing strategies. (At the present time ISO is the
accepted quality system standard for the European Community, Australia, and
South America. Other countries are also planning on accepting the ISO 9000
standard as their standard for a quality system.)
So, which came first, the chicken or the egg?
GMPs for medical device manufacturers were instituted in 1978, and the ISO
9000 standard became effective in 1987. The ISO 9000 standard is not specific
for any industry or service, while GMP is specific for medical device, drug,
blood bank, and low acid canned food industries.
Will the revised GMP bring the GMP and ISO closer together?
The revised GMP includes design review, management review, vendor
qualification, and corrective and preventive action. So, could it be assumed
that the revised GMP will make ISO certification easier to obtain? The answer is
that it depends. You must remember that ISO is precision, while GMP is
compliance. Precision is the ability to repeat a task time after time and obtain
the same results. An ISO certification audit certifies that your system is in
place, assuring capability of providing precision. If precision cannot be
achieved, policies and procedures will address these issues.
The GMPs are supposed to assure the ability to repeat operations accurately.
However, the FDA’s main focus (in the GMP audit review) is preventing
adulterated products from entering the marketplace, not assuring that your
present system will successfully handle problems after they occur.
The fundamental difference between GMP and ISO is that both have different
agendas. Once this is understood, the road to achieving ISO certification for a
medical device company (who is in GMP compliance) will be much easier, faster,
and less expensive.
How does a company go from GMP compliance to ISO certification?
Point #1: Understand ISO 9000 requirements.
Though the revised GMP and ISO are now closer in determining how a quality
system should be implemented, the manner in which both accomplish the task are
different. Look at the ISO standard and become familiar with it (including each
and every paragraph of each section, since the audit covers how your company is
complying with this standard down to each paragraph).
Point #2: See where your GMP quality system complies with the ISO quality.
Once you understand the ISO standard, take your present quality system for
GMP compliance and review it to ensure it covers each paragraph of the ISO
standards. You will then be able to determine what you will be required to write
and implement in meeting the ISO standard.
Point #3: A good mental attitude: GMP to ISO is a lot easier than you think.
A good mental attitude is critical in structuring your project to achieve ISO
certification. The individuals must be properly instructed to assure that
responsible time frames are met.
Point #4: If your company has achieved GMP compliance, then you already meet
75% of the ISO requirements.
The side-by-side review of your GMP quality system and the ISO standard may
indicate that you are probably already meeting 75% of the ISO standard. If your
company has been implementing the revised GMP, raising that to approximately 80%
compliant with the ISO standard is a realistic goal.
Point #5: A GMP mentality provides the necessary environment for successful
In a regulated industry, maintaining documents and records requirements has
been ingrained in the thought processes of responsible individuals. The ISO
standard requires such discipline, therefore, being GMP compliant is an ideal
environment for achieving ISO certification without much deviation in your
Point #6: The GMPs provide the basis of a quality system.
Having a quality system in place facilitates the achievement of ISO
certification. The main basis of the ISO standard is the preparation,
acceptance, and implementation of a quality system. Adjusting your system to
meet the ISO standard will be much easier than starting from scratch.
Point #7: ISO is an independent certification and is audited to conformity.
The ISO certification audit determines your quality system’s uniformity to
the ISO standard. Each and every section, as well as the subsections, of the
standard will be audited to assure conformity. This is entirely different than
an FDA GMP audit. The FDA audit is predetermined based on the FDA’s areas of
concern, manpower, and economics. The FDA may spend two weeks in one company
conducting an initial inspection and may only spend one day during the follow-up
inspection of the same company. In contrast, the ISO auditor’s schedule is based
on firm size and number of employees. This assures uniformity of the certified
bodies and ensures that all aspects of the standard are covered during the
Point #8: The ISO is a checklist audit, and each point is checked to assure
As in Point #7, understanding how the ISO audit will be conducted is
critical. The audit is conducted as a checklist audit. The ISO auditor will go
down the standard and make sure that each section and subsection is covered in
your quality system and that procedures are being implemented correctly.
Point #9: A quality policy manual must be written.
For GMP compliance, the FDA has not mandated a company quality policy manual,
only a quality procedure manual. Many companies have outlined their policy
statements in each section of the procedures manual. However, for ISO
certification, a policy statement is a requirement. If there are certain sections of the policy manual that are not necessary for
operations, then it must be stated that the section does not apply.
Point #10: Outlining and following a systematic plan with milestones and time
frames is critical.
ISO is a process that must be accomplished over an extended period of time.
In order to gain staff acceptance for this project, a systematic plan (with
milestones and time frames) should be prepared and then everyone should be
committed to the plan. The project leader must hold people accountable to time
frames. If the plan cannot be met, then the project should be placed on hold.
The plan should be prepared like a PERT chart (working from the goal back) to
assure that time frames are attainable and realistic.
Once the ten points outlined here have been reviewed, fully understood, and
implemented, then defining the objective is next.
ISO 9000? If you’re conducting design review, then you must be certified to
ISO 9001, otherwise ISO 9002 would be advisable.
CE mark? If you are intending to distribute your company’s device in
Europe, then obtaining CE mark certification is required. It is necessary to
determine which class your device category falls under and whether ISO
certification will be required as part of the CE mark certification. The CE mark
and ISO certification audits can be completed at the same time.
Which certifying body? A certified body must be chosen. This decision
should be dependent upon the certified body experience with your product(s)
type. In order to assure that the audit goes smoothly, it is critical to ensure
that you are assigned an auditor who understands your product.
European address? One of the requirements of obtaining a CE mark is that
you have an address in Europe where all complaints (and events involving your
device) can be reported. You could use your distributor, but in the event you
change distributors, the address will still be on the labels, and all problems
regarding your products will be forwarded to them. Obviously, this could cause
some problems. It may be advisable to use an independent company that is set up
contractually to act only as your CE mark address.
Costs? This is a difficult area to address. Determining whether this
project will be conducted in-house or outside is necessary. The amount of time
allocated by your staff (and the various departments), as well as training
costs, should be accounted for in the cost analysis.
Once the objectives have been established, the next step is establishing the
project approach. The following should be considered in developing your
Appoint a project leader/management representative.
The project’s success is dependent upon the project leader. This individual
should have quality systems experience and be a respected staff member. The
project leader must assure that time frames are met. In the ISO standard (as
well as in the revised GMP), a management representative must be appointed to
work with the ISO auditor (and be involved in the various aspects of the Quality
System). Usually the management representative serves as the project leader
because of his/her intimate knowledge of the Quality System, ISO requirements,
and required documentation.
Form a committee.
Depending on company size, forming a committee to work with the project
leader is beneficial. The committee should be represented by various
disciplines. This helps when obtaining input from various departments when the
program is implemented. Committee meetings should be scheduled on a regular
basis, kept short, and have a written agenda. Meeting minutes should be kept.
Once the committee is established, members should be trained in basic ISO
requirements so that everyone has a clear understanding of the requirements, how
they apply to the company, and what tasks must be accomplished in order to
achieve ISO certification. Furthermore, such knowledge is valuable in
constructing milestone and time-frame charts.
The next step is conducting a gap analysis of the present system and
determining what is missing and what is required to achieve compliance with the
Set the milestone chart.
Once the committee has been established, members trained, and gap analysis
completed outlining what is required to achieve compliance, the next priority is
determining the milestone chart for the project. Each step and procedure needed
(as determined by the gap analysis) should be defined on the chart. The more
detailed the chart, the greater probability of the project’s success.
Set the time frames.
Once the milestone chart has been prepared, it is necessary to define time
frames for accomplishing tasks. Time frames must be realistic and adhered to.
Take into consideration that your company manufactures a product and the staff
cannot stop everything else to work exclusively on the ISO program. Schedule
time for unanticipated events.
Obtain consensus and commitment.
At this point, the committee must agree on the milestone chart and time frame
requirements. The agreement should be in writing, signed off, and all
appropriate personnel should be given a copy.
Time frames must be realistic. Each time frame may have many components. The
following are considerations in establishing your project’s time frames:
This is the most critical part of achieving time frames. Without the
commitment of the committee (and especially of top management), the project will
not meet defined time frames. If the project leader keeps the project on target,
the commitment of the committee members should remain firm.
If your company is presently marketing to Europe (or desires to enter the
European market), obtaining the CE mark and ISO certification is a necessity
which serves as a catalyst for the project’s success.
A company’s financial condition plays a major role in successfully achieving
ISO certification within the projected time frames. Without the company’s
financial support for training and additional assistance (i.e. consultants),
time frames are in jeopardy.
Determining staff requirements needed to prepare, review, train, and
implement all documentation necessary for achieving ISO certification is
necessary. If the company does not have the necessary staff and is not willing
to go outside for additional assistance, this may affect established time
The following should be considered in determining time frames for achieving
Manuals must be in place and all procedures must be prepared to assure that
your company can meet ISO requirements.
Operate under the guidelines.
Prior to the certification audit it is recommended that you operate under the
procedures for three months. This is to provide the ISO auditor assurance that
you have implemented the procedures and are in compliance with the standard.
During this time frame, you have also been operating under the GMP. The GMP
requires most of the same documentation as the ISO standard. This three month
period of ISO documentation could possibly eliminate requesting the
Once you have been operating in compliance with the standard for three months
or so, you should have a preassessment audit conducted assuring that your
company will be capable of passing the ISO certification audit. As your company
has spent a great deal of time, money, and energy in assuring compliance and
preparing for the audit, a preassessment audit is a valuable tool and a good
exercise for testing your quality system.
Based on personal experience with companies that wished to obtain ISO
certification and were already considered to be in compliance with GMP, ISO
certification was obtained in the following time frames. (Be aware that these
companies were committed to the project and had achieved a well-defined level of
GMP compliance before ISO certification was started.)
Less than 15 employees 6 months
15 – 30 employees 9 months
31 – 60 employees 12 months
61 – 100 employees 12 to 15 months
Over 100 employees dependent upon the organization’s commitment and the
complexity of the operations.
A critical consideration in successfully achieving ISO certification is
deciding whether to hire a consultant to assist with the project. The management
team should make this decision based on the company’s resources and time frames
in accomplishing this project. If a company is in need of information,
interpretation, and staff assistance, and they have the resources, then hiring a
consultant could prove very beneficial. The following are some criteria in
selecting a consulting firm:
Their knowledge of GMPs and the ISO standard
To achieve ISO certification in the quickest and most economical manner and
still maintain GMP compliance, your consultant should not only have intimate
knowledge of ISO standards, but a thorough understanding of the GMPs and, more
important, how the FDA is enforcing the regulations. There should be one quality
system that incorporates both standards and addresses the issues.
As with any vendor, the costs should be competitive. Review all costs and
make sure that you are comparing "apples with apples and not oranges." Each bid
for the project must be reviewed based on the deliverables they are responsible
for providing. Proposals should be based on the project at hand and not on an
hourly or daily basis. A project-based proposal is goal oriented and provides no
incentive to have the project extended. If the proposal is based on an hourly or
daily basis, there is no incentive in meeting objectives in any defined time
As with costs, billing practices are important. Usually the time required for
the project is intensive at the start and end of the project. Billing should
reflect the initiation fee, a monthly billing schedule, and incentive for
completing the goal: ISO certification.
Is the consulting company staffed by lead assessors and GMP experts? In
assuring that your objects are achieved within desired time frames, consultants
should possess both these qualifications.
Number of successful certifications, references?
Determine the experience of the consulting company in implementing quality
systems for ISO certification and how many companies they have been able to
obtain certification for. A good idea is obtaining references from other
companies to determine how the consultants interact with the management team,
convey and provide information, and meet defined goals.
Does the consulting company set up a defined goal in the project plan using a
milestone chart for the company? These defined goals are for both the company
and the consultant, and they should be signed and agreed upon by both parties.
If there are delays, these should be explained and documented in the project
Do they practice what they preach: Are they ISO certified?
The consulting firm you ultimately choose should be ISO certified. If a
consulting company has been operating under the ISO standard or Certified Body,
it means they have hands on experience in how the program works and an
understanding of the real value of the standard. This is especially true when
related to the quality of customer service. Also, if the consulting company is
ISO certified, it will make qualifying them easier as part of your vendor
The road traveled from GMP compliance to ISO certification is not just a
matter of adding additional documents, but involves a mind set and an
understanding of how quality systems are the same and how they differ. The
process of obtaining ISO certification for a company already in GMP compliance
does not have to be a daunting task of mass proportions. It is unfortunate that
there are two standards that have to be dealt with but, for the most part, the
GMP and the ISO standards for quality have the same ideas and requirements.
Successful completion should be achieved without much pain.
About the Author
Alan P. Schwartz is Executive Vice President of mdi Consultants, Inc., Great
Neck, NY. He has been providing consulting services to the medical device
industry since 1978. Prior to mdi, Schwartz was an FDA Supervisor of Field
Investigations. He has been to more than 700 companies worldwide and set up over
350 quality programs. mdi has six offices throughout the US, as well as offices
in Mexico, Brazil, Thailand, Taiwan, Pakistan, and Egypt. He can be contacted by
phone at 516-482-9001, by fax at 516-482-0186, and e-mail at
Return To Previous Page
Copywrite Journal of GMP Compliance, Institute
of Validation Technology, April, 1998