Understanding the Concept of “Organization” in ISO Standards

Introduction

In the context of quality management systems, the term “organization” has a specific and important meaning that differs from common usage. This article explains how “organization” is defined in ISO 9001 and ISO 13485, and why understanding this definition is critical for proper implementation of quality management systems in medical device companies and other industries.

What is an “Organization” in ISO Standards?

In ISO 9001:2015 (the current version of the general quality management system standard) and ISO 13485:2016 (the current version of the medical device quality management system standard), the term “organization” refers to a group of people and facilities that operate under the same Quality Management System (QMS).

The critical point to understand is that the definition of “organization” is based on the QMS scope, not on legal entity boundaries. This distinction has significant practical implications for how companies structure and manage their quality systems.

Key Principles

Principle 1: Legal Entity Boundaries Do Not Define the Organization

Whether entities share the same legal corporate structure is not the determining factor for whether they constitute the same “organization” under ISO standards. What matters is whether they operate under a unified QMS with consistent policies, procedures, and quality objectives.

Example: A corporation may manufacture both consumer products and medical devices. If the consumer products division operates under ISO 9001 and the medical device division operates under ISO 13485, these divisions represent two different “organizations” in ISO terminology, even though they belong to the same legal entity. Each maintains its own quality manual, procedures, and quality management processes tailored to its own regulatory requirements and product characteristics.

Principle 2: Same QMS = Same Organization, Regardless of Legal Structure

Conversely, separate legal entities can be part of the same “organization” if they operate under a unified QMS. This is common in manufacturing arrangements where a parent company and its manufacturing subsidiaries share quality management processes.

Example: A medical device company (legal entity A) may own a manufacturing facility that is incorporated as a separate legal entity (legal entity B). If both entities operate under the same ISO 13485 QMS—sharing the same quality manual, procedures, management review processes, and quality objectives—they constitute a single “organization” from the ISO perspective. The QMS documentation would reflect this unified structure, and both entities would be included in the scope of the same ISO 13485 certification.

Understanding the Organization-QMS Relationship

The following table illustrates how different scenarios relate to organizational boundaries:

| Scenario | Same Legal Entity? | Same QMS? | Same “Organization”? |
|---|---|---|---|
| Consumer products and medical devices in one company | Yes | No (ISO 9001 vs ISO 13485) | No – Different organizations |
| Parent company and wholly-owned manufacturing subsidiary under unified QMS | No | Yes | Yes – Same organization |
| Two independent suppliers to a medical device company | No | No | No – Different organizations |
| Two divisions of a company both under ISO 9001 | Yes | Yes | Yes – Same organization |
| Medical device company and contract manufacturer with separate QMS | No | No | No – Different organizations |

Outsourcing Between Different Organizations

When an organization operating under ISO 13485 engages another organization operating under a different QMS (such as ISO 9001), this arrangement is treated as outsourcing, even if both entities are part of the same corporate group. This classification carries specific requirements and responsibilities.

Common Outsourcing Scenarios

Example 1: Internal Procurement Services

A medical device manufacturing division (operating under ISO 13485) requests the corporate procurement department (operating under ISO 9001) to purchase components needed for medical device production. Even though both are part of the same company, this is considered outsourcing because they operate under different quality management systems with different scopes and requirements.

Example 2: Shared Engineering Resources

A medical device company might utilize engineering resources from its consumer products division for tasks such as mechanical design or software development. If the divisions maintain separate QMS, this constitutes outsourcing and must be managed accordingly.

Managing Outsourced Processes

According to ISO 13485:2016 Clause 4.1, when processes affecting product quality or regulatory requirements are outsourced, the organization retains full responsibility for ensuring these processes meet all applicable requirements. The standard requires specific controls and documentation.

Key Requirements for Outsourced Process Control

1. Documentation of Outsourced Processes

The organization must clearly identify and document which processes are outsourced within its QMS. This should be detailed in procedures or standard operating procedures (SOPs) rather than in the quality manual itself, as the quality manual should remain a high-level document.

2. Defined Controls

Organizations must establish and maintain appropriate controls over outsourced processes. The nature and extent of these controls should be proportionate to the risk associated with the outsourced activity and its potential impact on product safety and regulatory compliance.

3. Quality Agreements

Documented quality agreements must be established with the entity performing the outsourced work. These agreements should clearly define:

  • Specific quality requirements and acceptance criteria
  • Roles and responsibilities of both parties
  • Communication protocols
  • Change control procedures
  • Access rights for verification and auditing
  • Requirements for documentation and record keeping
  • Procedures for handling nonconformities

4. Supplier Management

Even when outsourcing to another division within the same company, formal supplier management processes apply, including:

  • Initial evaluation and approval
  • Regular monitoring and performance evaluation
  • Periodic reassessment based on risk
  • Corrective action processes when performance issues arise

5. Verification Activities

The organization must implement appropriate verification activities, which may include:

  • Review of documentation and records
  • On-site audits or inspections
  • Testing or inspection of products or services received
  • Review of process validation data
  • Assessment of the supplier’s quality management system

Risk-Based Approach to Outsourcing

ISO 13485:2016 emphasizes a risk-based approach to managing outsourced processes. The level of control and oversight should be proportionate to:

  • The potential impact on product safety and performance
  • The complexity of the outsourced process
  • The supplier’s demonstrated capability and track record
  • Applicable regulatory requirements
  • The criticality of the component or service to the final device

Regulatory Considerations

Different Regulatory Requirements by Region

Organizations must be aware that regulatory expectations regarding QMS and organizational boundaries may vary by jurisdiction. For example:

  • European Union: Under the Medical Device Regulation (MDR) 2017/745 and In Vitro Diagnostic Regulation (IVDR) 2017/746, harmonized with EN ISO 13485:2016, the manufacturer bears ultimate responsibility for all aspects of the device regardless of outsourcing arrangements.
  • United States: The FDA Quality System Regulation (QSR) 21 CFR Part 820 has similar requirements, and the FDA has proposed revisions to harmonize more closely with ISO 13485. The FDA clearly states that manufacturers cannot delegate their regulatory responsibilities through outsourcing.
  • Other Markets: Many countries including Canada, Japan, Australia, and others recognize or require ISO 13485 certification as part of their medical device regulatory framework.

Implications for Multi-Site Certification

When pursuing ISO 13485 certification across multiple sites:

  • All sites included in the certification scope must operate under the same QMS
  • The quality manual must clearly define the scope including all covered sites
  • Management review must address all sites within the organization
  • Internal audits must cover all sites proportionate to risk and activities
  • Certified organizations must notify their certification body of significant organizational changes

Practical Implementation Guidance

Determining Organizational Boundaries

Organizations should carefully consider the following when establishing QMS boundaries:

  1. Product Portfolio: Different product types with different regulatory requirements may necessitate separate QMS
  2. Regulatory Strategy: Market access plans and regulatory pathways influence QMS structure
  3. Operational Efficiency: Balance compliance requirements with practical operational considerations
  4. Risk Management: Ensure the QMS structure supports effective risk management throughout the product lifecycle
  5. Resource Sharing: Consider how resources, facilities, and personnel will be allocated across QMS boundaries

Documentation Requirements

Clear documentation of organizational scope and boundaries is essential:

  • The quality manual must explicitly state the scope of the QMS
  • Any exclusions must be justified based on the nature of activities and products
  • Organizational charts should reflect QMS structure, not just corporate structure
  • Roles and responsibilities must be clearly defined across organizational boundaries
  • Interface management between different organizations must be documented

Communication and Training

Effective implementation requires that all personnel understand:

  • How the organization is defined for QMS purposes
  • Which QMS applies to their activities
  • Procedures for interfacing with other organizations (including internal divisions)
  • Their responsibilities regarding outsourced processes
  • How to escalate quality issues across organizational boundaries

Common Pitfalls to Avoid

  1. Assuming Legal Structure Equals QMS Structure: Do not assume that corporate divisions automatically constitute the same organization for ISO purposes
  2. Insufficient Control of Internal Outsourcing: Internal outsourcing between divisions requires the same rigor as external outsourcing
  3. Inadequate Documentation of Scope: Clearly define and document which entities and activities fall within the QMS scope
  4. Lack of Quality Agreements: Even for internal outsourcing, formal quality agreements are necessary
  5. Inconsistent Application: Ensure consistent application of QMS requirements across all sites and activities within the organizational scope

Conclusion

Understanding the concept of “organization” in ISO standards is fundamental to proper implementation of quality management systems. The key takeaway is that organizational boundaries are defined by the scope of the QMS, not by legal corporate structures. This understanding is particularly important for companies operating multiple QMS, those engaged in outsourcing arrangements, or those with complex corporate structures involving multiple legal entities.

For medical device manufacturers operating under ISO 13485, recognizing when activities constitute outsourcing—even within the same corporate family—ensures proper controls are established to maintain product safety, regulatory compliance, and customer satisfaction. The risk-based approach required by current standards allows organizations to tailor their control strategies appropriately while maintaining the ultimate responsibility for all aspects of their quality management system.

As ISO standards continue to evolve—with ISO 9001 expected to be revised in 2026—organizations should stay informed about changes that may affect how they structure and manage their quality management systems. Regular management review, ongoing monitoring of regulatory requirements, and periodic reassessment of organizational boundaries and outsourcing arrangements are essential practices for maintaining an effective and compliant QMS.

Note: This article is based on ISO 9001:2015 and ISO 13485:2016, which are the current versions as of early 2025. Organizations should always refer to the official ISO standards for authoritative requirements and consult with qualified professionals for specific implementation guidance.
