Everything you need to know about ISO 13485:2016 — the international standard for medical device quality management systems. From certification requirements and design controls to FDA alignment and global regulatory acceptance.
By Jared Clark, JD, MBA, PMP, CMQ-OE, RAC — Updated February 2026
ISO 13485 is the internationally recognized standard for quality management systems (QMS) in the medical device industry. Published by the International Organization for Standardization (ISO), it establishes a comprehensive framework of requirements that organizations must meet to consistently design, develop, manufacture, and distribute safe and effective medical devices. The current version, ISO 13485:2016, represents the culmination of decades of regulatory experience and industry best practices refined into a single, auditable standard.
Unlike general quality management standards, ISO 13485 was purpose-built for the unique challenges of the medical device sector. Every requirement in the standard exists because a failure in that area could directly impact patient safety. From the traceability of raw materials through validated manufacturing processes to post-market surveillance of devices already in clinical use, ISO 13485 provides the structural backbone that regulators around the world rely on to ensure medical devices perform as intended.
The scope of ISO 13485 extends far beyond device manufacturers alone. Contract manufacturers, sterilization service providers, component suppliers, design houses, distributors, and even organizations providing maintenance and repair services for medical devices can all fall within the standard's scope. If your organization touches any phase of the medical device lifecycle — from initial concept through end-of-life disposal — ISO 13485 likely applies to you.
The 2016 revision of ISO 13485 introduced several significant enhancements over the previous 2003 edition. The updated standard places greater emphasis on risk-based decision making throughout the entire QMS, not just within design and development. It strengthened requirements for supplier and outsourced process controls, recognizing that modern medical device supply chains are increasingly complex and global. Validation requirements for computer software used in the QMS were also expanded, reflecting the industry's growing reliance on electronic quality management systems, enterprise resource planning (ERP) platforms, and automated manufacturing equipment.
Additionally, ISO 13485:2016 improved alignment with regulatory requirements worldwide, particularly those of the European Union, the U.S. Food and Drug Administration (FDA), Health Canada, Australia's Therapeutic Goods Administration (TGA), and Japan's Pharmaceuticals and Medical Devices Agency (PMDA). This harmonization was intentional: the standard's authors worked closely with regulators to ensure that ISO 13485 certification would serve as a reliable indicator of regulatory readiness across multiple markets.
Organizations familiar with ISO 9001 (the general quality management system standard) often ask how it relates to ISO 13485. While both standards share a common heritage and structural similarities, they serve fundamentally different purposes. ISO 9001 focuses on customer satisfaction and continual improvement across any industry. ISO 13485 focuses on regulatory compliance and maintaining the effectiveness of processes that directly affect device safety.
A critical distinction: ISO 13485 does not require "continual improvement" in the ISO 9001 sense. Instead, it requires organizations to maintain the effectiveness of their quality management system. In the medical device context, a validated process that consistently produces safe devices should not be changed merely for the sake of improvement — changes introduce risk, and risk must be managed. This philosophical difference reflects the safety-critical nature of the medical device industry, where stability and predictability are valued over innovation for its own sake.
ISO 13485:2016 is organized into eight clauses, with Clauses 4 through 8 containing the auditable requirements. Each clause addresses a critical dimension of your quality management system.
Clause 4 establishes the foundational requirements for your QMS. It mandates that organizations document their quality policy, quality objectives, quality manual, and all required procedures. You must define the scope of your QMS, identify the processes needed, determine their sequence and interaction, and establish criteria for effective operation and control.
Key deliverables: Quality Manual, Document Control procedure, Record Control procedure, QMS process map, product realization planning documentation.
Clause 5 requires top management to demonstrate commitment to the QMS through active leadership. This includes establishing the quality policy, ensuring quality objectives are set, conducting management reviews, appointing a management representative, ensuring adequate resources, and maintaining effective internal communication about QMS effectiveness.
Key deliverables: Quality Policy, Quality Objectives, Management Review procedure and records, organizational chart with QMS responsibilities, management representative appointment.
Clause 6 addresses the resources needed to implement and maintain the QMS. This encompasses human resources (including competence, training, and awareness), infrastructure (buildings, equipment, supporting services), and work environment (conditions needed to achieve product conformity, such as cleanroom environments, temperature controls, and contamination prevention).
Key deliverables: Training procedure and records, competency matrices, infrastructure maintenance plans, work environment monitoring records, contamination control procedures (where applicable).
Clause 7 is the largest and most detailed section of the standard. It covers every aspect of bringing a medical device from concept to market: planning, customer requirements, design and development controls (7.3), purchasing, production and service provision, and control of monitoring and measuring equipment. For most organizations, this clause drives the majority of QMS documentation.
Key deliverables: Design controls (DHF), risk management file, purchasing controls, supplier qualification, process validation (IQ/OQ/PQ), production records (DHR), traceability system, calibration program.
Clause 8 establishes the feedback and monitoring mechanisms that keep your QMS effective. It requires internal audits, process and product monitoring, control of nonconforming product, complaint handling, reporting to regulatory authorities, and corrective and preventive actions (CAPA). This clause ensures your QMS is self-correcting and that quality signals are captured and acted upon.
Key deliverables: Internal audit program, CAPA procedure, complaint handling procedure, nonconforming product procedure, regulatory reporting procedure (MDR/vigilance), post-market surveillance plan.
Design controls are arguably the most critical — and most complex — requirement in ISO 13485. Clause 7.3 mandates a structured, documented approach to medical device design and development that ensures safety and effectiveness are built into the device from the earliest stages. For any organization that designs medical devices (as opposed to manufacturing to someone else's specifications), design controls are mandatory and non-negotiable.
The design control process follows a structured sequence: Design Planning defines the development phases, responsibilities, review points, and verification/validation activities. Design Inputs capture functional, performance, safety, and regulatory requirements. Design Outputs translate those inputs into specifications, drawings, and manufacturing instructions. Design Reviews provide systematic evaluations at defined stages. Design Verification confirms that outputs meet inputs (did we build it right?). Design Validation confirms the device meets user needs and intended use under actual or simulated conditions (did we build the right thing?). Finally, Design Transfer ensures the design can be reliably reproduced in manufacturing.
7 stages: Planning, Inputs, Outputs, Reviews, Verification, Validation, Transfer.
DHF: Design History File — the complete record of your design control activities.
The output of your design control process is the Design History File (DHF), a compilation of all records that describe the design history of the finished device. The DHF is not merely a regulatory requirement — it is the single most important body of evidence demonstrating that your device was designed with appropriate rigor. Auditors will scrutinize the DHF extensively during both ISO 13485 certification audits and FDA inspections.
Design change control is equally critical. Any change to a design input, output, or process after initial approval must go through a formal change order process that includes impact assessment, re-verification or re-validation as appropriate, and approval by authorized personnel. Uncontrolled design changes are among the most common and most serious audit findings in the medical device industry.
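The traceability chain described above (user needs to inputs to outputs, verification against inputs, validation against user needs, controlled changes) is the kind of thing an auditor reconstructs from the DHF by hand. The following is an added example, not code from the original page or from any standard, that runs the same check over a constructed mini-DHF index; the record layout, ids and the pulse-oximeter wording are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class DHF:
    """Minimal Design History File index; every record carries the id it traces to."""
    user_needs: dict     # need id -> statement
    inputs: dict         # design input id -> user need id it derives from
    outputs: dict        # design output id -> list of input ids it implements
    verifications: list  # {"output", "input", "result"}   (did we build it right?)
    validations: list    # {"need", "result"}               (did we build the right thing?)
    changes: list        # design change orders raised after initial approval

def trace_gaps(dhf):
    """Return audit-style findings for every break in the design control traceability chain."""
    findings = []
    for iid, need in dhf.inputs.items():
        if need not in dhf.user_needs:
            findings.append(f"{iid}: derives from unknown user need {need}")
    implemented = {i for ins in dhf.outputs.values() for i in ins}
    for iid in dhf.inputs:
        if iid not in implemented:
            findings.append(f"{iid}: design input has no design output")
    # Verification: every output must have a passing record against each input it implements
    passed = {(v["output"], v["input"]) for v in dhf.verifications if v["result"] == "pass"}
    for oid, ins in dhf.outputs.items():
        for iid in ins:
            if (oid, iid) not in passed:
                findings.append(f"{oid}: no passing verification against {iid}")
    # Validation: every user need must be validated under actual or simulated use
    validated = {v["need"] for v in dhf.validations if v["result"] == "pass"}
    for nid in dhf.user_needs:
        if nid not in validated:
            findings.append(f"{nid}: user need has no passing validation")
    # Design change control: impact assessment, re-verification, authorized approval
    for c in dhf.changes:
        if not c["impact_assessed"]:
            findings.append(f"{c['id']}: change lacks impact assessment")
        if c["affects"] and not c["reverified"]:
            findings.append(f"{c['id']}: affects {', '.join(c['affects'])} but was not re-verified")
        if not c["approved_by"]:
            findings.append(f"{c['id']}: change not approved by authorized personnel")
    return findings

# Constructed mini-DHF for a pulse-oximeter style device (illustrative ids, not a real project).
SAMPLE = DHF(
    user_needs={"UN-1": "Clinician reads SpO2 within 5 s", "UN-2": "Device alarms on low SpO2"},
    inputs={"DI-1": "UN-1", "DI-2": "UN-2", "DI-3": "UN-2"},
    outputs={"DO-1": ["DI-1"], "DO-2": ["DI-2"]},           # DI-3 is never implemented
    verifications=[{"output": "DO-1", "input": "DI-1", "result": "pass"},
                   {"output": "DO-2", "input": "DI-2", "result": "fail"}],
    validations=[{"need": "UN-1", "result": "pass"}],      # UN-2 is never validated
    changes=[{"id": "CO-7", "affects": ["DO-2"], "impact_assessed": True,
              "reverified": False, "approved_by": "QA"}],
)

if __name__ == "__main__":
    for line in trace_gaps(SAMPLE):
        print(line)
```

Run against SAMPLE it reports four findings, one for each break in the chain, which is exactly the list an auditor would turn into nonconformities.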
For a comprehensive walkthrough of implementing design controls — including templates, common pitfalls, and audit preparation strategies — see our dedicated Design Controls guide.
Risk management is woven throughout every layer of ISO 13485. Clause 7.1 explicitly requires organizations to apply risk management during product realization, and risk-based thinking underpins requirements in design controls (7.3), purchasing (7.4), production and service provision (7.5), and monitoring and measurement (8.2). The standard references ISO 14971:2019 (Application of Risk Management to Medical Devices) as the definitive methodology for medical device risk management.
ISO 14971 provides the framework for identifying hazards associated with a medical device, estimating and evaluating the associated risks, controlling those risks to acceptable levels, and monitoring the effectiveness of risk controls throughout the product lifecycle. The key deliverable is the Risk Management File, which contains or references all risk management activities: hazard identification, risk estimation (severity and probability), risk evaluation against acceptance criteria, risk control measures, verification of risk control effectiveness, and evaluation of overall residual risk.
Risk Analysis: Identify intended use, reasonably foreseeable misuse, hazards, hazardous situations, and estimate risk for each (severity × probability of occurrence).
Risk Evaluation: Compare estimated risks against defined acceptability criteria. Determine which risks require risk control measures.
Risk Control: Implement controls using the priority hierarchy: inherently safe design, protective measures in the device or manufacturing process, and information for safety (labeling, instructions).
Residual Risk Evaluation: Verify risk control effectiveness. Evaluate whether new hazards were introduced. Assess overall residual risk acceptability considering the clinical benefit.
Production & Post-Production Monitoring: Collect and review production data, complaint data, and post-market information. Update the risk management file when new hazards or risk information emerges.
A common misconception is that risk management is a one-time activity performed during design and development. In reality, ISO 14971 — and by extension ISO 13485 — requires risk management to continue throughout the entire product lifecycle. Production data, complaint trends, field corrective actions, and post-market surveillance findings must all feed back into the risk management file. This creates a living document that evolves as real-world evidence accumulates.
From a certification audit perspective, auditors will look for evidence that risk management is not siloed within the engineering department but is integrated across the organization. Purchasing decisions, supplier qualifications, process validation protocols, complaint investigations, and CAPA activities should all demonstrate risk-based thinking. Organizations that treat risk management as a checkbox exercise rather than an integrated discipline are the ones most likely to receive major nonconformities during their certification audit.
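To make the five-stage loop above concrete, here is an added example (not code from the original page, from ISO 14971, or from any vendor) that models one risk register entry through analysis, evaluation, control in hierarchy order, residual evaluation, and a post-production check of field data against the residual estimate. The 5-point scales, the acceptability thresholds, the field-rate bands and the infusion-pump style hazard are constructed assumptions; real values come from your risk management plan.

```python
from dataclasses import dataclass, field
# Constructed 5-point scales and acceptance criteria; real ones live in the risk management plan.
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}
PROBABILITY = {"improbable": 1, "remote": 2, "occasional": 3, "probable": 4, "frequent": 5}
HIERARCHY = ("inherent_safety", "protective_measure", "information_for_safety")  # 14971 priority order

def evaluate(severity, probability):
    """Risk evaluation: severity x probability index against acceptability thresholds."""
    index = SEVERITY[severity] * PROBABILITY[probability]
    if index >= 15:
        return "unacceptable"
    return "reduce" if index >= 8 else "acceptable"

@dataclass
class Control:
    kind: str                     # one of HIERARCHY
    description: str
    new_severity: str = None      # estimate once the control is in place (None = unchanged)
    new_probability: str = None
    introduces: list = field(default_factory=list)  # new hazards the control itself creates
    verified: bool = False        # effectiveness verified; unverified controls earn no credit

@dataclass
class Hazard:
    id: str
    harm: str
    severity: str
    probability: str
    controls: list = field(default_factory=list)

def assess(hazard):
    """Risk analysis -> evaluation -> control -> residual risk evaluation for one register entry."""
    findings = []
    initial = evaluate(hazard.severity, hazard.probability)
    ranks = [HIERARCHY.index(c.kind) for c in hazard.controls]
    if ranks != sorted(ranks):
        findings.append("controls are not applied in the priority hierarchy order")
    sev, prob = hazard.severity, hazard.probability
    for c in hazard.controls:
        if not c.verified:
            findings.append(f"control '{c.description}' not verified; no credit taken")
            continue
        sev, prob = c.new_severity or sev, c.new_probability or prob
        findings += [f"control '{c.description}' introduces new hazard '{h}'" for h in c.introduces]
    residual = evaluate(sev, prob)
    if residual == "unacceptable":
        findings.append("residual risk unacceptable; needs benefit-risk review or more controls")
    return {"initial": initial, "residual": residual, "residual_probability": prob, "findings": findings}

def post_production_review(hazard, events, units_in_use):
    """Post-production step: compare the observed field rate with the residual estimate."""
    rate = events / units_in_use
    bands = [(1e-2, "frequent"), (1e-3, "probable"), (1e-4, "occasional"), (1e-5, "remote")]
    observed = next((name for floor, name in bands if rate >= floor), "improbable")
    predicted = assess(hazard)["residual_probability"]
    if PROBABILITY[observed] > PROBABILITY[predicted]:
        return observed, f"field rate {rate:.1e} exceeds residual estimate '{predicted}'; update the risk file"
    return observed, None

# Constructed register entry (illustrative, not real device data).
OVERDOSE = Hazard("HZ-01", "overdose from free-flow", "critical", "occasional", controls=[
    Control("inherent_safety", "anti-free-flow valve in the set", new_probability="remote", verified=True),
    Control("information_for_safety", "IFU warning on set loading", new_probability="improbable"),
])
```

Note that the unverified labeling control earns no reduction, so the residual risk stays in the "reduce" band, and a complaint rate above the estimated residual probability is flagged as a trigger to update the risk management file rather than silently absorbed.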
ISO 13485 certification is recognized by regulatory authorities worldwide. Understanding how each major market uses the standard helps you plan a global market access strategy.
The FDA's new Quality Management System Regulation (QMSR), effective February 2026, directly incorporates ISO 13485:2016 by reference. This landmark change replaces the legacy 21 CFR 820 Quality System Regulation (QSR) that had been in effect since 1996. Organizations with ISO 13485 certification are now substantially aligned with FDA requirements.
FDA-specific requirements still apply for Medical Device Reporting (MDR), complaint handling timelines, Corrections and Removals, and Unique Device Identification (UDI). The FDA also conducts its own facility inspections independent of ISO 13485 certification.
Under the Medical Devices Regulation (EU 2017/745), ISO 13485 certification is a mandatory prerequisite for CE marking. Notified Bodies are required to audit your QMS against ISO 13485 as part of the conformity assessment process. Without ISO 13485 certification, you cannot legally place medical devices on the European market.
The MDR also imposes additional requirements beyond ISO 13485, including post-market surveillance plans, periodic safety update reports (PSURs), clinical evaluation reports (CERs), and Unique Device Identification (UDI-DI) registration in EUDAMED.
Health Canada's Medical Device Single Audit Program (MDSAP) uses ISO 13485 as its foundation. MDSAP audits evaluate your QMS against ISO 13485 requirements plus the specific regulatory requirements of participating countries (Canada, the US, Brazil, Australia, and Japan).
For Class II, III, and IV medical devices, Health Canada requires evidence of QMS compliance as part of the Medical Device Licence (MDL) application. An MDSAP certificate with Canadian regulatory requirements is the most efficient pathway.
The Australian Therapeutic Goods Administration (TGA) requires manufacturers of medical devices to have a QMS conforming to ISO 13485. TGA accepts MDSAP audit reports that include Australian regulatory requirements, making it efficient to combine Australian and Canadian market access in a single audit program. For higher-risk devices, TGA requires conformity assessment through a designated auditing body.
Japan's Pharmaceuticals and Medical Devices Agency (PMDA) requires QMS compliance based on the Japanese QMS Ordinance (MHLW Ordinance No. 169), which is closely aligned with ISO 13485. Japan participates in the MDSAP program, and MDSAP audit reports including Japanese regulatory requirements are accepted as evidence of QMS compliance for device registration (Shonin) applications.
From initial gap analysis to certificate issuance, the certification journey follows a proven seven-step path. Most organizations complete the process in 6 to 12 months depending on their starting point and device complexity.
Step 1 (gap analysis): A comprehensive evaluation of your current quality system against every applicable clause of ISO 13485:2016. The gap analysis identifies what you already have, what needs to be created, and what needs to be modified. This produces a prioritized remediation plan with effort estimates and resource requirements. Typical duration: 2–4 weeks.
Step 2 (documentation development): Develop or revise your Quality Manual, standard operating procedures (SOPs), work instructions, forms, and templates. Documentation must cover all applicable clauses: document control, management review, design controls, purchasing, production, CAPA, complaint handling, internal audit, and more. Every procedure should reflect how your organization actually operates — not generic boilerplate. Typical duration: 8–16 weeks.
Step 3 (implementation and training): Roll out the documented procedures across the organization. Train all personnel on the QMS requirements relevant to their roles. Ensure processes are being followed and records are being generated. This phase often includes process validation activities (IQ/OQ/PQ) for manufacturing processes and software validation for QMS tools. Typical duration: 4–8 weeks.
Step 4 (internal audit): Conduct a thorough internal audit of the entire QMS before engaging the certification body. The internal audit should cover all applicable clauses and mirror the rigor of an external audit. Findings are documented, root causes are identified, and corrective actions are implemented and verified. This is your final opportunity to catch and fix issues before the formal assessment. Typical duration: 2–4 weeks.
Step 5 (management review): Top management reviews the QMS effectiveness using data from internal audits, process performance, complaint trends, CAPA status, regulatory changes, and resource adequacy. The management review meeting produces documented decisions and action items. At least one complete management review cycle must be completed before the certification audit. Typical duration: 1–2 weeks.
Step 6 (certification audit): Stage 1 (documentation review): The certification body reviews your quality manual, procedures, and overall QMS documentation for completeness and conformity. Stage 2 (implementation audit): Auditors visit your facility to verify that documented processes are implemented, followed, and effective. They interview personnel, review records, observe operations, and evaluate evidence across all applicable clauses. Any nonconformities must be corrected within a defined timeframe. Typical duration: 3–6 weeks (including preparation and NC closure).
Step 7 (certification and surveillance): Upon successful completion of the Stage 2 audit and closure of all nonconformities, the certification body issues your ISO 13485 certificate. The certificate is valid for three years. Annual surveillance audits (typically covering a subset of clauses each year) ensure ongoing compliance. A full recertification audit is conducted before the certificate expires. The goal is to maintain a culture of sustained compliance rather than audit-cycle-driven bursts of activity.
While both standards govern quality management systems, the differences are substantial. Understanding them is essential for medical device organizations deciding which standard — or both — to pursue.
| Dimension | ISO 13485:2016 | ISO 9001:2015 |
|---|---|---|
| Industry Focus | Medical devices only | Any industry |
| Primary Goal | Regulatory compliance & safety | Customer satisfaction & improvement |
| Continual Improvement | Not required — focuses on maintaining effectiveness | Required (Clause 10.3) |
| Design Controls | Mandatory (Clause 7.3) with specific stages | General design requirements only |
| Risk Management | Mandatory per ISO 14971 throughout lifecycle | Risk-based thinking (less prescriptive) |
| Traceability | Full product traceability required (lot/serial) | Identification and traceability as needed |
| Process Validation | Required for non-verifiable processes (IQ/OQ/PQ) | Validation where output cannot be verified |
| Sterile Devices | Specific requirements for sterile barrier systems | Not applicable |
| Complaint Handling | Mandatory with regulatory reporting requirements | Customer feedback handling |
| Regulatory Reporting | Required (adverse events, field safety actions) | Not required |
| Record Retention | Minimum device lifetime (often 15+ years) | As determined by organization |
Can you hold both certifications? Yes, and many medical device organizations do. ISO 9001 provides the continual improvement framework that ISO 13485 intentionally omits, while ISO 13485 provides the regulatory rigor that ISO 9001 lacks. An integrated management system approach allows you to satisfy both standards with a single set of procedures, reducing documentation burden while gaining the broadest possible market recognition. However, if you must choose one, ISO 13485 is the clear priority for any medical device organization — it is the standard that regulators require and auditors expect.