
ISO 13485 Implementation — From Gap Analysis to Certification

A proven, phase-by-phase roadmap for building a compliant medical device quality management system. Whether you are a startup launching your first device or an established manufacturer upgrading your QMS, this guide covers every step from initial gap analysis through successful third-party certification audit.

200+ Clients Served
100% First-Time Audit Pass Rate
6-12 Months to Certification

Why ISO 13485 Implementation Matters for Medical Device Companies

ISO 13485:2016 is the internationally recognized standard for medical device quality management systems. For manufacturers, contract suppliers, and service providers in the medical device industry, a certified QMS is not merely a badge of honor -- it is a regulatory prerequisite for market access in most jurisdictions worldwide.

In the European Union, compliance with ISO 13485 is effectively mandatory under the Medical Device Regulation (MDR 2017/745). In the United States, ISO 13485 maps closely to FDA 21 CFR Part 820 (the Quality System Regulation), and notified bodies, distributors, and procurement departments increasingly require it. If you are planning an FDA 510(k) submission, building your QMS on the ISO 13485 framework positions you for success with both the FDA and international regulators simultaneously.

The challenge is that ISO 13485 implementation is not a documentation exercise. It requires building real, functioning processes -- from design controls and risk management through purchasing, production, and post-market surveillance. Companies that treat it as a paperwork-only project consistently fail their certification audits or build systems that crumble under real regulatory scrutiny. The guide below is based on the methodology we use with every client: a structured, phase-by-phase approach that has achieved a 100% first-time certification audit pass rate across more than 200 engagements.

Implementation Timeline Overview

  • Phase 1 (Months 1-2): Gap Analysis & Planning
  • Phase 2 (Months 2-5): QMS Documentation & Process Design
  • Phase 3 (Months 5-9): Implementation & Operational Readiness
  • Phase 4 (Months 9-12): Verification & Certification Audit

Phase 1 — Months 1-2

Gap Analysis & Strategic Planning

Every successful ISO 13485 implementation begins with an honest assessment of where you stand today relative to where the standard requires you to be. The gap analysis is not a checklist exercise -- it is a diagnostic that reveals the true scope of work ahead and informs every decision that follows.

Clause-by-Clause Assessment

We evaluate your current operations against every clause of ISO 13485:2016 -- from management responsibility (Clause 5) through monitoring and measurement (Clause 8). Each requirement is rated as compliant, partially compliant, or non-compliant, with specific findings documented for remediation planning.

Regulatory Landscape Mapping

ISO 13485 does not exist in isolation. We map your specific regulatory requirements -- FDA QSR (21 CFR 820), EU MDR, Health Canada CMDR, or other applicable frameworks -- so the QMS you build satisfies all relevant authorities from day one, eliminating costly rework later.

Project Plan & Resource Allocation

Based on gap analysis findings, we develop a detailed project plan with milestones, responsible parties, resource requirements, and a realistic timeline. This becomes your implementation roadmap -- the single source of truth that keeps the project on schedule and within budget.

Management Commitment & QMS Scope

ISO 13485 Clause 5 requires top management to demonstrate commitment to the QMS. We help leadership define the QMS scope, establish a quality policy, assign a management representative, and commit the resources necessary for successful implementation and ongoing maintenance.

Phase 1 Deliverables

  • Gap analysis report with findings matrix
  • Regulatory requirements mapping
  • Implementation project plan with milestones
  • Quality policy and QMS scope statement

Phase 2 — Months 2-5

QMS Documentation & Process Design

With your gap analysis complete and project plan approved, the documentation phase transforms identified gaps into a functioning document control hierarchy. ISO 13485 requires a four-tier documentation structure: quality manual, procedures, work instructions, and records. Each level must be developed with your specific products, processes, and regulatory context in mind.

Quality Manual & Policy Development

The quality manual is the top-tier document that defines your QMS scope, references applicable procedures, and describes how your organization meets each ISO 13485 requirement. It is not a generic template -- it must reflect your actual organizational structure, product portfolio, and the regulatory jurisdictions you serve. We develop quality manuals that auditors can follow and employees can actually use, establishing the quality policy, quality objectives, and management responsibility framework required by Clauses 4 and 5.

Document & Record Control System

Clause 4.2.4 (Document Control) and Clause 4.2.5 (Record Control) are among the most frequently cited nonconformities in ISO 13485 audits. Your document control system must ensure that only current, approved versions of documents are available at points of use, and that obsolete documents are identified and prevented from unintended use. Record retention must comply with regulatory requirements -- typically the lifetime of the device plus a minimum period specified by applicable regulations. We design document control procedures that integrate with your existing IT infrastructure and scale with your organization.

Core QMS Procedures

During this phase, we develop the complete set of QMS procedures your organization needs. The specific procedures required depend on your product type, manufacturing processes, and regulatory strategy, but every ISO 13485-certified company needs documented procedures covering these core areas:

Management Responsibility

  • Management review procedure
  • Quality objectives and KPI tracking
  • Communication and authority matrices

Resource Management

  • Personnel competence and training
  • Infrastructure and work environment
  • Contamination control (where applicable)

Product Realization

  • Design and development controls
  • Purchasing and supplier controls
  • Production and service provision

Measurement & Improvement

  • Monitoring and measurement procedures
  • CAPA (Corrective and Preventive Action)
  • Internal audit program

Phase 2 Deliverables

  • Quality manual
  • Document and record control SOP
  • Complete set of QMS procedures
  • Work instructions and forms/templates

Phase 3 — Months 5-9

Implementation & Operational Readiness

Documentation without execution is shelf-ware. Phase 3 is where your QMS comes alive -- procedures are deployed, personnel are trained, processes are validated, and records begin accumulating the objective evidence that auditors will expect to see. This is typically the longest phase and the one where disciplined project management makes the difference between on-time certification and costly delays.

Design & Development Controls (Clause 7.3)

For companies designing medical devices, design controls are among the most critical -- and most complex -- elements of the QMS. ISO 13485 Clause 7.3 requires documented procedures covering design planning, inputs, outputs, reviews, verification, validation, transfer, and change control. Each design phase must produce traceable records that demonstrate the device meets its intended use and user needs.

We guide your engineering and quality teams through the design control process, ensuring that design history files (DHFs) are complete, risk management per ISO 14971 is integrated throughout, and traceability matrices link user needs to design inputs, design outputs, verification testing, and validation evidence.

Purchasing & Supplier Controls (Clause 7.4)

Your medical device is only as good as the materials and components that go into it. ISO 13485 requires documented purchasing procedures, supplier evaluation and re-evaluation criteria, and verification of purchased product. We help you establish an approved supplier list (ASL), define risk-based supplier qualification requirements, implement incoming inspection protocols, and create supplier quality agreements that protect your product quality and regulatory compliance throughout the supply chain.

Production & Service Provision (Clause 7.5)

Clause 7.5 covers the controlled conditions under which your device is manufactured, tested, packaged, labeled, and delivered. This includes process validation for special processes (e.g., sterilization, welding, software) where output cannot be fully verified by inspection alone. We help you develop device master records (DMRs), establish manufacturing batch records, implement unique device identification (UDI) labeling, define cleanroom and environmental monitoring protocols where applicable, and validate production processes to demonstrate consistent, reproducible output. Traceability must be maintained throughout -- from raw materials to finished device distribution.

Risk Management Integration (ISO 14971)

Risk management is woven throughout ISO 13485, not confined to a single clause. ISO 14971 must be applied across product realization, from initial concept through post-market surveillance. We ensure risk management files are established early, hazard analysis is thorough, risk controls are verified and validated, and residual risk is evaluated against your risk acceptability criteria. This integrated approach prevents the common audit finding of "risk management exists but is not connected to actual design and production decisions."

Personnel Training & Competence (Clause 6.2)

Every person performing work that affects product quality must be competent based on appropriate education, training, skills, and experience. We develop training matrices that map each role to required competencies, design training curricula for QMS awareness and procedure-specific training, and establish effectiveness evaluation methods that go beyond "signature on a training log" to demonstrate true understanding and capability.

Phase 3 Deliverables

  • Deployed procedures across all departments
  • Completed training records and competence evidence
  • Process validation protocols and reports
  • Approved supplier list with quality agreements
  • Risk management file with completed hazard analysis
  • Operational QMS generating real-time records

Phase 4 — Months 9-12

Verification, Validation & Certification Audit

The final phase is where you verify that every element of your QMS works as intended, close any remaining gaps, and demonstrate readiness for the certification body's external audit. This is not the time for surprises -- our systematic verification approach ensures you enter the certification audit with confidence.

Corrective & Preventive Action (CAPA) System

The CAPA system is the engine of continuous improvement in your QMS. ISO 13485 Clause 8.5.2 (Corrective Action) and Clause 8.5.3 (Preventive Action) require documented procedures for investigating nonconformities, determining root causes, implementing corrective actions, and verifying their effectiveness. We design CAPA systems that integrate complaint handling, audit findings, nonconforming product dispositions, and process monitoring data into a single, cohesive improvement framework. A well-functioning CAPA system is what auditors look at to determine whether your QMS is alive and improving or static and performative.

Internal Audit Program (Clause 8.2.4)

Internal audits are your pre-certification dress rehearsal. ISO 13485 requires a documented internal audit procedure, planned audit schedule covering all QMS processes, trained auditors independent from the areas they audit, and documented findings with corrective action follow-up. We train your internal audit team, develop risk-based audit schedules, provide audit checklists aligned to ISO 13485:2016, and conduct mock audits that simulate the certification body's approach. This ensures your team is prepared not just on paper, but in practice -- knowing how to answer auditor questions, locate objective evidence, and demonstrate process understanding.

Management Review (Clause 5.6)

Before the certification audit, top management must conduct a formal management review. This meeting evaluates the overall effectiveness of the QMS based on required inputs: audit results, customer feedback, process performance, product conformity, CAPA status, changes that could affect the QMS, and recommendations for improvement. The management review output must include decisions and actions related to QMS improvement, resource needs, and changes to quality objectives. We prepare the agenda, compile data packages, and facilitate the meeting to ensure it produces the documented evidence auditors require.

Certification Audit Preparation

The certification audit typically occurs in two stages. Stage 1 is a documentation review and readiness assessment where the auditor verifies your QMS documentation is complete and determines whether you are ready for the on-site audit. Stage 2 is the full on-site audit where the auditor evaluates implementation effectiveness through interviews, observation, and record sampling.

We prepare your team for both stages: organizing documentation for efficient auditor access, conducting mock interviews with key personnel, reviewing record-keeping completeness, and addressing any findings from the Stage 1 review before Stage 2 begins. Our clients maintain a 100% first-time certification audit pass rate because we do not recommend scheduling the audit until the system is genuinely ready -- not when the calendar says it should be.

Phase 4 Deliverables

  • Functional CAPA system with closed-loop examples
  • Completed internal audit cycle with reports
  • Management review meeting minutes
  • Successful third-party certification audit

Case Study

Medical Device Startup: Zero to ISO 13485 Certified in 10 Months

A Series A-funded medical device startup developing a Class II cardiovascular monitoring device engaged us at the pre-submission stage. They had no existing QMS infrastructure, a team of 12 engineers, and needed both ISO 13485 certification and a 510(k) submission to meet investor milestones.

Using our four-phase methodology, we built their QMS from the ground up: completed a gap analysis in 3 weeks, developed all documentation in parallel with their design control activities, trained the full team, and conducted two rounds of internal audits. The company achieved ISO 13485 certification on the first attempt with zero major nonconformities and submitted their 510(k) within 30 days of certification.

  • 10 Months to Certification
  • 0 Major Nonconformities
  • 1st Attempt Certification

Why Companies Choose Us for ISO 13485 Implementation

The difference between a QMS that passes audit and a QMS that actually works comes down to implementation expertise. Part of the Certify Consulting network.

100% First-Time Pass Rate

Across 200+ engagements, every client that has followed our implementation methodology has passed their certification audit on the first attempt. We do not recommend scheduling audits until your system is genuinely ready.

Integrated FDA + ISO Approach

We build QMS frameworks that satisfy both ISO 13485 certification bodies and FDA reviewers simultaneously. If you need a 510(k) submission, our integrated approach saves months of duplicated effort.

RAC + CMQ-OE Credentials

Jared Clark holds Regulatory Affairs Certified (RAC) and Certified Manager of Quality/Organizational Excellence (CMQ-OE) credentials, plus JD, MBA, and PMP designations -- a combination that bridges regulatory strategy and quality operations.

Frequently Asked Questions About ISO 13485 Implementation

Answers to the most common questions medical device companies ask before starting their ISO 13485 implementation journey.

ISO 13485 implementation typically takes 6 to 12 months depending on company size, product complexity, and existing QMS maturity. Startups building a QMS from scratch average 9-12 months, while established companies with partial systems in place can achieve certification in 6-8 months. Our structured four-phase approach has helped over 200 medical device clients maintain predictable timelines with a 100% first-time audit pass rate.

ISO 13485 implementation costs vary based on organization size and complexity. Total investment typically includes consulting fees, documentation management tools, employee training, internal resource allocation, and certification body audit fees. Engaging an experienced consultant with RAC and CMQ-OE credentials reduces rework and accelerates timelines, often lowering overall costs compared to in-house implementation attempts. Schedule a free consultation for a customized cost estimate.

Yes, and we strongly recommend it. ISO 13485 and FDA 510(k) share significant overlap in design controls, risk management, and document control requirements. An integrated implementation approach addresses both requirements in parallel, reducing total effort by 30-40%. This is one of our core strengths -- we build QMS frameworks that satisfy both ISO 13485 certification auditors and FDA reviewers from day one, eliminating the need for costly retroactive documentation.

While both are quality management system standards, ISO 13485 is specifically designed for medical device organizations. Key differences include mandatory risk management per ISO 14971, design and development controls, sterile manufacturing requirements, regulatory reporting obligations, and traceability requirements throughout the product lifecycle. ISO 13485 also requires a validated production environment and formal complaint handling linked to regulatory vigilance reporting. For a deeper overview of the standard, see our guide on what is ISO 13485.

In the EU, ISO 13485 certification is effectively mandatory under the Medical Device Regulation (MDR 2017/745) -- Notified Bodies require it as part of the conformity assessment process. In the US, while not strictly required by the FDA, ISO 13485 certification demonstrates compliance with 21 CFR Part 820 (Quality System Regulation) and is increasingly expected by customers, distributors, and strategic partners. Most serious medical device companies pursue certification regardless of their primary regulatory jurisdiction because it opens global market access and signals quality commitment to stakeholders.

Ready to Start Your ISO 13485 Implementation?

Schedule a free gap assessment with Jared Clark, RAC, CMQ-OE, to discuss your medical device QMS requirements, timeline, and regulatory strategy. Over 200 companies have trusted us to guide their ISO 13485 certification journey.

  • No obligation
  • 30-minute call
  • Custom implementation roadmap

Jared Clark

ISO 13485 & FDA Regulatory Consultant

RAC, CMQ-OE, JD, MBA, PMP

Jared Clark is a Regulatory Affairs Certified (RAC) consultant specializing in ISO 13485 quality management systems and FDA regulatory strategy for medical device companies. With dual credentials in quality management (CMQ-OE) and regulatory affairs (RAC), Jared bridges the gap between QMS implementation and regulatory submissions -- ensuring the system you build satisfies auditors and regulators alike. His legal background (JD) and project management expertise (PMP, MBA) bring a structured, risk-aware approach to every engagement.

Over 200 medical device companies -- from pre-revenue startups to established manufacturers -- have trusted Jared to guide their ISO 13485 certification and FDA clearance journeys, maintaining a 100% first-time certification audit pass rate.