Does a Metals Distributor Need ISO 13485?
  • 1-844-884-7733

Does a raw materials distributor need to be certified to ISO 13485:2016 in order to best do business with medical device manufacturers and OEM's? Should they be?

(TL;DR) Not in my opinion. Not as long as you transition your 9001:2008 system into a 9001:2015 certified program that is true to the standard and taken seriously within your organization.

When I was considering adding ISO 13485 to our ISO 9001 certification back in 2011 I asked these questions to members of LinkedIn groups that focused on ISO 13485 and ISO for small business. Results were mixed. Most members employed by larger companies thought ISO 13485 certification didn't matter at the distribution level. ISO 9001 was good enough. Small business owners, though, were less sure. Any chance of losing business is frightening to a small business. If you don't have a big budget to do unlimited market research you tend to err on the side of caution.

That's what I did. I recommended we do what some of our competitors were doing and get 13485 certified. Working with a consultant, we identified the additional documentation we'd need to maintain and came up with procedural changes that would allow us to show an auditor we were differentiating "medical materials" from the metals we sell to the aerospace and general machining industries. Now, after much thought--and talks with customers--I've decided that the new revision (ISO 13485:2015) isn't appropriate for our company.

Changes to the standards

With the recent revisions of 9001 and 13485 the two standards have literally gone in different directions. No longer is the whole text of 9001 contained within 13485. In fact, none of the new structure of 9001 is carried over to 13485, and much of the text no longer coincides.  But in other, more essential, ways they've actually come together.

I think that 9001:2015 is a big improvement over the 2008 revision. It truly brings the standard into the new century, with it's melding of "documents" and "records" into a something more fitting of the digital era--"documented information".  Allowing the importance of the information itself to be what determines how it's generated, stored, and retained is much more realistic in a world where data capture and presentation methods can change many times before the data itself is obsolete.

The following important changes to 13485 and 9001 effect raw materials suppliers. In the case of 13485, they would lead to many non-applications of requirements that are essential to the heart of that standard. Taking them would make a 13485 certification way too watered down to mean anything. Changes to 9001, though, have made dropping 13485 an easy thing to do. As far as our distribution business goes, it brings every benefit we gained from 13485 certification into the current 9001 standard.


  • Lining itself up more with regulatory bodies like the FDA. This is meaningful to medical device manufacturers, but not so important to their raw material suppliers.
  • Requiring risk management in the purchasing process to be proportionate to the risk associated with the medical device. This is an important change, but suppliers like us have to treat all material purchases as equally important. Our only risk is buying the wrong product, or buying from a shady supplier. We can't rightfully assign proportionate risk to what our customers do with the materials we purchase and then sell to them. End usage is rarely shared with us, so we can't know that one's use is more 'important' than another's?
  • Requirement to document a procedure for the validation of computer software. Another very important addition, but this implies that the software effects the quality of the product. This is very true within the medical device industry, but not in a raw materials distribution. We have to make sure that our software works to complete our process map (including record control), but it doesn't have the opportunity to directly change the product itself.


  • Incorporating risk management (in place of the dreaded Preventive Action requirement). This was a requirement of 13485:2003 that we followed and included individually in every one of our processes. It is one of the most important benefits our business gained. The thought that goes into formalizing risk management can, and should, bring the whole purpose of your business into focus.
  • Eliminating exemptions in favor of non-applications (and requiring justification for every non-application). This might seem like just a change in wording, but I think it's a very effective change. Allowing exemptions also allowed for a very generic "we don't do that, so it doesn't apply" sort of blanket statement that covered whole chunks of the standard at one time. Justifying non-applications individually forces us to take a look at the entire system as a whole. How does each non-application effect every other aspect of the system? It's a good question to consider, and one that can take auditing and improvement to a new level. The more you have to think about every 'cog', the more you can see the system as a whole.
  • Requiring auditable consideration of "interested parties". This means that if you know you have a medical device company as a customer, you better consider every aspect of 13485 that effects their perception of your products and services. I take this to mean that a thorough integration of all relevant requirements of 13485 are built into your 9001 system. We know we sell metals for surgical and implant use. We will continue to keep our standards in line with our customer's expectations.

What's the conclusion?

I know this is a very superficial examination. It's going to take a long time and a lot of audits before the full effect of these changes are fully integrated into all of our systems. I do think, though, that the question of whether or not a raw materials distributor needs to be certified to ISO 13485:2016 (if they want to remain a valuable supplier to the medical device industry) can be answered with a fairly certain "no". ISO 9001:2015 is so improved that it covers all quality concerns of a distributor without an unnecessary burden of redundant record keeping. As long as a non-manufacturing distribution company takes 9001:2015 seriously, and implements it intelligently, their quality system should fulfill the expectations of their customers.