Frequently Asked Questions

ISO 13485 Frequently Asked Questions

Comprehensive answers about ISO 13485 medical device quality management system certification — from costs and timelines to design controls, FDA integration, and the audit process.

Getting Started

Foundational questions about ISO 13485 and medical device quality management.

ISO 13485 is the international standard for quality management systems specific to the medical device industry. It specifies requirements for organizations involved in the design, production, installation, and servicing of medical devices. Any company in the medical device supply chain needs ISO 13485 — including device manufacturers, contract manufacturers, component suppliers, sterile packaging companies, and software as medical device (SaMD) developers. It is required for EU market access under MDR and strongly expected by the FDA for companies selling devices in the United States.
Both are quality management system standards, but ISO 13485 is specifically designed for the medical device industry. ISO 13485 requires design and development controls (Clause 7.3), risk management integration per ISO 14971, sterile device manufacturing requirements, regulatory compliance tracking, and full product traceability. Unlike ISO 9001, ISO 13485 focuses on maintaining quality system effectiveness rather than continual improvement. ISO 13485 also includes specific requirements for work environment validation and complaint handling that ISO 9001 does not address. For comprehensive multi-standard consulting, visit certify.consulting.
ISO 13485 certification is mandatory for CE marking under the EU Medical Devices Regulation (MDR) and required by many international regulatory frameworks including Canada (MDSAP) and Australia (TGA). In the United States, ISO 13485 certification is not legally required by the FDA, but the FDA's new QMSR regulation harmonizes with ISO 13485, making it the de facto standard. Many medical device companies also require ISO 13485 certification from their suppliers through contractual obligations, so even when not legally mandated it is often a business necessity.
Yes, a company can hold both ISO 9001 and ISO 13485 certifications simultaneously. Many organizations maintain both when they produce medical devices alongside non-medical products. The two standards share common management system elements like document control, management review, and internal audit, which reduces duplication. However, there are structural differences — ISO 13485 does not require continual improvement in the same way ISO 9001 does, and ISO 13485 includes medical-device-specific requirements. An integrated management system approach is often the most efficient path to dual certification.

Costs & Timeline

What to expect in terms of investment and project duration.

ISO 13485 certification costs vary based on organization size, number of product lines, and regulatory complexity. Consulting fees typically range from $15,000 to $75,000 for implementation support, while certification body audit fees range from $8,000 to $25,000. Medical device startups building a QMS from scratch are at the lower end, while established companies with multiple product lines and sterile devices are at the higher end. Additional costs may include training, quality management software, and document control system subscriptions. We offer a free consultation to provide a tailored cost estimate for your specific situation.
Most organizations achieve ISO 13485 certification within 6 to 12 months. The timeline depends on organization size, product complexity (Class I vs. Class III), existing quality system maturity, and whether design controls need to be built from scratch. Companies with existing ISO 9001 systems typically move faster due to shared management system elements. Startups with no existing QMS generally take 9 to 12 months, while companies upgrading from ISO 9001 may achieve certification in 4 to 6 months. Our structured methodology and hands-on support keep projects on track.
After initial certification, ongoing costs include annual surveillance audits ($5,000 to $15,000 per year), recertification audits every three years ($8,000 to $20,000), internal audit program costs, management review activities, and CAPA system maintenance. You should also budget for training new employees on QMS procedures, document control system subscriptions, and potential consultant support during surveillance audits. Many organizations find that maintaining a well-implemented QMS actually reduces overall quality costs by catching issues earlier and preventing costly recalls or regulatory actions.

Design Controls

Understanding ISO 13485 Clause 7.3 design and development requirements.

Design controls are the structured processes required under ISO 13485 Clause 7.3 for the design and development of medical devices. They include design planning, design inputs, design outputs, design review, design verification, design validation, design transfer, and design change control. These controls ensure that medical devices meet user needs and intended uses while complying with regulatory requirements. Design controls produce critical documentation including the Design History File (DHF) that supports regulatory submissions to the FDA and other regulatory bodies.
A Design History File (DHF) is the compilation of records that describes the design history of a finished medical device. It contains all documentation generated during the design control process, including design plans, design inputs and outputs, review records, verification and validation results, risk analysis per ISO 14971, and design transfer records. The DHF demonstrates that the device was developed in accordance with the approved design plan and applicable regulatory requirements. It is a critical deliverable for both ISO 13485 compliance and FDA 510(k) submissions, serving as the primary evidence of a controlled design process.
Under ISO 13485, design controls apply to any organization involved in the design and development of medical devices. If your organization only manufactures devices to another company's specifications without performing any design activities, you may exclude Clause 7.3 — but this exclusion must be justified and documented in your quality manual. However, most regulatory bodies, including the FDA and EU notified bodies, expect to see design controls for any company that makes design decisions affecting the safety and performance of a medical device, even if those decisions seem minor. When in doubt, it is safer to implement design controls.
FDA

FDA Integration

How ISO 13485 connects to FDA requirements and regulatory submissions.

The FDA's Quality System Regulation (QSR, 21 CFR 820) has historically been the US regulatory requirement for medical device quality systems. In 2024, the FDA finalized the Quality Management System Regulation (QMSR), which directly incorporates ISO 13485:2016 by reference. This means that complying with ISO 13485 now substantially satisfies FDA quality system requirements. The QMSR transition period extends to February 2026, after which ISO 13485 becomes the recognized framework for FDA compliance. This harmonization reduces the burden of maintaining separate compliance programs for FDA and ISO requirements.
ISO 13485 certification alone does not fully satisfy all FDA requirements, but it provides the quality management system foundation that the FDA expects. With QMSR harmonization, ISO 13485 compliance covers the core quality system requirements. However, the FDA also requires device-specific regulatory submissions (510(k), PMA, De Novo), facility registration and device listing, Medical Device Reporting (MDR), and Unique Device Identification (UDI). ISO 13485 certification demonstrates a mature quality system and significantly supports your overall FDA compliance efforts, but it is one component of a broader regulatory strategy.
ISO 13485 provides the quality management system infrastructure that produces key documentation for 510(k) submissions. Your design history file (DHF), risk management file per ISO 14971, verification and validation records, and design controls documentation are all direct products of ISO 13485 implementation that support 510(k) substantial equivalence submissions. A well-implemented ISO 13485 system ensures that your design outputs are traceable to design inputs, which is exactly what FDA reviewers evaluate during 510(k) review. Companies with robust ISO 13485 systems consistently produce stronger, more complete regulatory submissions.

EU MDR & Global Market Access

International regulatory requirements and how ISO 13485 enables global market entry.

Yes, ISO 13485 certification is effectively required for EU MDR compliance. The EU Medical Devices Regulation (MDR 2017/745) requires manufacturers to implement a quality management system, and notified bodies use ISO 13485 as the primary standard for QMS assessment during the conformity assessment process. While the MDR does not explicitly mandate ISO 13485 by name, achieving CE marking without ISO 13485 certification is practically impossible because notified bodies require it as part of their assessment procedure for all device classifications except certain Class I devices.
ISO 13485 is the globally recognized standard for medical device quality management and facilitates market access in virtually every major market. Canada requires ISO 13485 through the Medical Device Single Audit Program (MDSAP). Australia's TGA recognizes ISO 13485 as part of its regulatory framework. Japan's PMDA expects ISO 13485 compliance for imported medical devices. Brazil's ANVISA and many other national regulatory agencies also recognize or require the standard. ISO 13485 certification from an accredited body is often the single most impactful step a medical device company can take for international market access.
Notified bodies are organizations designated by EU member states to assess whether medical devices meet regulatory requirements for CE marking. They conduct ISO 13485 audits as part of the conformity assessment process under the EU MDR. A notified body will audit your quality management system against ISO 13485, review your technical documentation, and issue the CE certificate if requirements are met. Choosing the right notified body is important — they vary in expertise, capacity, and turnaround time. Availability has been a significant challenge since the MDR transition, and early engagement is strongly recommended.

Audit Process

What to expect during the ISO 13485 certification audit.

The ISO 13485 certification audit is conducted by an accredited certification body in two stages. Stage 1 is a documentation review where auditors evaluate your quality manual, procedures, and overall QMS structure for adequacy. Stage 2 is the implementation audit where auditors verify that your QMS is effectively implemented through interviews, process observations, and record reviews. Auditors assess compliance with all applicable ISO 13485 clauses, check risk management integration, review design control records, and evaluate CAPA effectiveness. Any major or minor nonconformities must be addressed before certification is granted.
Stage 1 is the documentation and readiness review, typically conducted on-site over 1 to 2 days. Auditors review your quality manual, documented procedures, process maps, and verify that your QMS documentation meets ISO 13485 requirements. They identify any gaps that must be closed before Stage 2. Stage 2 is the full implementation audit, conducted on-site over 2 to 5 days depending on organization size and complexity. Auditors evaluate whether your documented processes are actually being followed, interview employees at all levels, observe manufacturing and quality operations, review records, and assess the overall effectiveness of your quality management system. Stage 2 typically occurs 1 to 3 months after Stage 1 to allow time to address any findings.

Still Have Questions?

Every medical device company's situation is unique. Schedule a free consultation to discuss your specific ISO 13485 certification questions, or reach out directly.

support@certify.consulting — Expert guidance on your medical device QMS certification journey.

Learn More

Related Resources