F.A.Q.
Frequently Asked Questions
The first questions are answered – I look forward to more!
What is the difference between ISO 13485 and GMP?
ISO 13485 (the process standard) focuses on how a company is organized. It is written specifically for medical devices and describes the requirements for the quality management system (QMS). Certification is carried out by accredited commercial certification bodies, usually the same organizations that also act as notified bodies under the MDR (e.g., TÜV Süd). It covers the entire life cycle of a medical device, from the initial idea through design and manufacturing to distribution and post-market activities.
Focus: “Do we have all processes under control to develop and manufacture a safe product?”
GMP (Good Manufacturing Practice) is significantly stricter and more specific when it comes to actual production. It is about hygiene, preventing cross-contamination, precise documentation of every batch, and qualification of equipment and facilities. It is primarily intended for medicinal products (pharma) but is increasingly being applied in medical technology as well. Compliance is verified by government authorities through regulatory inspections; a GMP certificate is issued by the authority, not by a commercial certification body.
Focus: “Has each individual tablet or each scalpel been produced exactly as specified?”
Rule of thumb: ISO 13485 is the foundation for management (how we work), while GMP is the rulebook for the shop floor (how we produce cleanly and without errors). In many countries, compliance with ISO 13485 is the first step toward meeting legal GMP requirements.
What is the difference between GMP and GAMP 5?
The fundamental difference between GMP and GAMP 5 lies in their scope: while GMP is the general “house rules” for pharmaceutical manufacturing, GAMP 5 provides specialized guidance for the automation used in that manufacturing.
GMP (the foundation): It covers everything that can affect the quality of a medicinal product—from raw material purchasing and laboratory hygiene to facilities, personnel, and batch documentation. Compliance is mandatory in order to obtain a manufacturing authorization.
GAMP 5 (a guideline published by ISPE, the International Society for Pharmaceutical Engineering): Since modern production is almost always automated, GAMP 5 helps translate GMP's requirements to software and hardware. It uses a risk-based approach to scale the testing effort (validation) according to the criticality of the system. It is a guideline and not legally mandatory, but it is recognized worldwide as the industry standard and makes validation and the management of computerized systems easier, because it defines an approach and the expected scope of testing.
Regulatory documents (such as EU-GMP Annex 11) require computerized systems to be validated. GAMP 5 provides practical guidance on how to perform this validation in line with the current state of the art.
What/how/why “risk-based”?
A risk-based approach is about focusing effort where failures could directly endanger patient safety or product quality.
It is impossible—too expensive and not effective—to examine every small detail with the maximum possible effort. Based on risk analyses, the level of effort is tailored to the hazard potential. You first assess: “What happens if this function fails?” and then verify, validate, and qualify until defined risk/acceptance criteria are met.
Inspectors and auditors (FDA investigators, notified body auditors) now explicitly expect companies to justify why they test how much, and where.
This explains the immense importance of risk management, because even simple mistakes can directly lead to hazards. But the risk-based approach allows manufacturers to use their (limited) resources in a transparent and most sensible way.
Risk-based determination of sample size? What?
The days of setting arbitrary sample sizes are over. Regulators and notified bodies (the FDA, EU notified bodies) now expect a documented, statistically sound justification for every test protocol we create. This means the sample size must not be based on a gut feeling; it must be derived from your specific risk profile.
We are trying to demonstrate the safety of medical devices, and that evidence must be mathematically sound. The requirements are clear: 21 CFR 820.250(b) (in the pre-QMSR version of Part 820; the QMSR that applies from 2 February 2026 incorporates ISO 13485 by reference instead) and ISO 13485 both require statistical methods with a documented rationale for sampling plans. In practice, sample size depends on three factors:
- How severe is a failure? (risk per ISO 14971)
- How certain do we need to be? (confidence level)
- What percentage of devices must perform as intended? (reliability)
So, once again, risk management comes first. That’s where you define how hazards are mapped to severity levels and, as a result, what level of confidence and reliability you require. Regulators generally expect 95% confidence as a minimum requirement for safety-critical tests. The required reliability depends on the risk—catastrophic failures may require 99.9% reliability, while minor issues may only require 90%.
After that, it's statistics. For the most common case, a pass/fail (attribute) test in which no failure is allowed, the required sample size follows directly from the confidence C and the reliability R: n = ln(1 − C) / ln(R), rounded up. With 95% confidence this gives 29 samples for 90% reliability, 299 for 99%, and 2995 for 99.9%. If the plan allows one or more failures, the sample size grows and is found from the binomial distribution instead of the closed form.
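The calculation sketched above, as an added example that is not part of the original page or of the HApi course material: it computes the attribute sample size for a required confidence and reliability (closed form for zero allowed failures, binomial search otherwise), maps a hypothetical severity class to a reliability target, and, for the post-test check, computes which reliability a finished test actually demonstrated. The severity-to-reliability mapping and the `plan_for_severity` helper are assumptions for illustration; your own risk management file defines the real mapping.

```python
import math

# Hypothetical mapping from ISO 14971 severity class to the reliability a
# safety test must demonstrate; the real values come from your risk
# management file, not from this example.
RELIABILITY_BY_SEVERITY = {
    "catastrophic": 0.999,
    "serious": 0.99,
    "minor": 0.90,
}
MIN_CONFIDENCE = 0.95  # commonly expected minimum for safety-critical tests


def binom_cdf(failures, n, p_fail):
    """P(X <= failures) for X ~ Binomial(n, p_fail)."""
    return sum(
        math.comb(n, k) * p_fail**k * (1 - p_fail) ** (n - k)
        for k in range(failures + 1)
    )


def sample_size(confidence, reliability, allowed_failures=0):
    """Smallest n such that, if the true reliability were below the target,
    seeing at most `allowed_failures` failures in n samples would happen
    with probability at most 1 - confidence."""
    if not (0 < confidence < 1 and 0 < reliability < 1):
        raise ValueError("confidence and reliability must be in (0, 1)")
    if allowed_failures < 0:
        raise ValueError("allowed_failures must be >= 0")
    alpha = 1 - confidence
    if allowed_failures == 0:
        # Zero-failure plan: R^n <= 1 - C, i.e. n = ln(1 - C) / ln(R).
        return math.ceil(math.log(alpha) / math.log(reliability))
    # With allowed failures, search for the first n whose binomial tail
    # drops to alpha; the zero-failure n is a valid lower bound.
    n = math.ceil(math.log(alpha) / math.log(reliability))
    while binom_cdf(allowed_failures, n, 1 - reliability) > alpha:
        n += 1
    return n


def demonstrated_reliability(n, failures, confidence):
    """Largest reliability R that a test of n samples with `failures`
    failures still demonstrates at the given confidence (bisection on the
    binomial tail). Useful when a run ends with more failures than planned."""
    if failures >= n:
        return 0.0
    alpha = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(80):  # plenty for double precision
        mid = (lo + hi) / 2
        if binom_cdf(failures, n, 1 - mid) <= alpha:
            lo = mid  # still enough evidence at this reliability
        else:
            hi = mid
    return lo


def plan_for_severity(severity, allowed_failures=0, confidence=MIN_CONFIDENCE):
    """Hypothetical helper: turn a severity class into a sampling plan."""
    reliability = RELIABILITY_BY_SEVERITY[severity]
    return {
        "severity": severity,
        "confidence": confidence,
        "reliability": reliability,
        "allowed_failures": allowed_failures,
        "sample_size": sample_size(confidence, reliability, allowed_failures),
    }


if __name__ == "__main__":
    for sev in RELIABILITY_BY_SEVERITY:
        print(plan_for_severity(sev))
    # A 29-sample zero-failure plan that ended with one failure no longer
    # shows 90% reliability; report what it actually demonstrated instead.
    print(round(demonstrated_reliability(29, 1, 0.95), 4))
```

The zero-failure branch reproduces the familiar table values (95/90 → 29, 95/99 → 299, 95/99.9 → 2995); allowing one failure at 95/90 raises the plan to 46 samples, which is why the number of allowed failures must be fixed in the protocol before testing starts, not after the first failure appears.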
Further resources and tools can be found on GitHub (linked on the homepage).
What does hapi mean?
HApi is the name of our training platform and is a combination of my first name, HAns, and the initials of my partner, Patrizia Inschlag. We create the courses together.
What's the deal with ♄?
♄ is the astronomical symbol for Saturn. In Roman mythology, Saturn is the god of sowing, and the symbol is meant to represent a sickle. Since it resembles the letter ‘h’ and stands for work, I use it in my logo. It also reminds me of my father, who was passionate about astronomy.