Medical device companies operate in one of the most highly regulated industries in the world. To consistently deliver safe and effective products while meeting regulatory requirements, organizations need a structured approach to quality management.
ISO 13485 is the internationally recognized standard for quality management systems in the medical device industry. It provides a framework for building and maintaining the processes needed to consistently meet customer and regulatory requirements while supporting product quality throughout the device lifecycle.
For many organizations, achieving ISO 13485 certification is an important milestone. It demonstrates a commitment to quality, helps streamline regulatory compliance, and can support access to global markets. More importantly, it helps create a quality-driven culture that reduces risk, improves consistency, and supports long-term business growth.
In this guide, we'll explain the key requirements of the standard, who needs certification, how audits and certification work, what documentation is required, and how ISO 13485 differs from ISO 9001.
What is ISO 13485?
Published by the International Organization for Standardization (ISO), ISO 13485 is the internationally recognized standard for quality management systems in the medical device industry. It outlines the requirements organizations must meet to establish, maintain, and continually improve a Quality Management System (QMS) that supports both product quality and regulatory compliance.
Why does ISO 13485 matter?
Medical device companies operate in a highly regulated environment where quality failures can have serious consequences for patients, businesses, and regulators alike. ISO 13485 provides a structured approach to managing quality throughout the product lifecycle and demonstrates that an organization has established processes to consistently meet both customer and regulatory expectations.
What is the current version of ISO 13485?
The current version of the standard is ISO 13485:2016. It is widely adopted by manufacturers, certification bodies, and regulators around the world and serves as the foundation for many medical device quality systems.
Who should implement ISO 13485?
ISO 13485 is most commonly associated with medical device manufacturers, but its scope extends further. Organizations throughout the medical device supply chain can benefit from implementing the standard, including:
- Medical device manufacturers
- In vitro diagnostic (IVD) manufacturers
- Contract manufacturers
- Critical component suppliers
- Design and development partners
- Sterilization service providers
- Distributors and importers
- Software providers supporting medical devices
In practice, any organization whose activities can affect the safety, quality, or regulatory compliance of a medical device may benefit from an ISO 13485-compliant quality management system.
Is ISO 13485 mandatory?
ISO 13485 certification is not universally required by law. In theory, an organization could develop its own quality management system and demonstrate compliance with applicable regulatory requirements without implementing ISO 13485.
In practice, however, most medical device companies choose to align their quality systems with ISO 13485. The standard provides a well-established framework that has been widely accepted by regulators, certification bodies, and industry stakeholders around the world. Rather than building a quality system from scratch, organizations can use ISO 13485 as a structured roadmap for implementing the processes, controls, and documentation needed to support compliance.
ISO 13485 also aligns closely with many regulatory frameworks. It supports compliance with the EU MDR and IVDR, is widely recognized through the Medical Device Single Audit Program (MDSAP), and is becoming increasingly important as the FDA's Quality Management System Regulation (QMSR) aligns more closely with the standard.
ISO 13485 requirements explained
Before diving into implementation, it's helpful to understand how ISO 13485 is structured.
The standard contains a range of detailed requirements, but at a high level, they all support the same goal: ensuring medical device organizations can consistently deliver safe, effective, and compliant products. Rather than focusing on individual procedures, ISO 13485 takes a process-based approach, requiring organizations to establish a quality management system that governs how work is performed, documented, monitored, and improved.
The requirements are grouped into several key areas that work together to create an effective quality management system.
Quality management system requirements
At the foundation of the standard is the Quality Management System itself. Organizations must establish, document, implement, and maintain processes that support product quality and regulatory compliance.
This includes defining responsibilities, maintaining controlled documentation, keeping quality records, and ensuring processes are monitored and updated as needed. In many ways, this section provides the framework upon which all other ISO 13485 requirements are built.
Management responsibility
ISO 13485 places significant responsibility on leadership. Quality cannot be delegated entirely to the quality department; management is expected to actively support and oversee the effectiveness of the QMS.
This includes establishing quality objectives, providing adequate resources, reviewing system performance, and ensuring quality remains a priority throughout the organization.
Resource management
Even the best-designed quality system cannot function without the right resources. ISO 13485 therefore requires organizations to ensure personnel are appropriately qualified and trained, infrastructure is suitable for its intended purpose, and the working environment supports consistent product quality.
Product realization
Product realization covers the activities involved in bringing a medical device from concept to customer. Depending on the organization's role, this may include design and development, supplier management, purchasing controls, manufacturing activities, process validation, product identification, and traceability.
ISO 13485 vs ISO 9001: what’s the difference?
Organizations that are new to the medical device industry are often already familiar with ISO 9001. Both standards are built around the principles of quality management and share a similar structure, which is why ISO 9001 is often seen as a useful starting point.
However, ISO 13485 was developed specifically for the medical device industry and includes additional requirements that reflect the sector's regulatory and patient safety obligations.

While ISO 9001 focuses on customer satisfaction and continual improvement, ISO 13485 focuses on consistently meeting regulatory requirements and ensuring the safety and effectiveness of medical devices.
As a result, organizations implementing ISO 13485 are typically expected to maintain more extensive documentation, stronger supplier controls, greater product traceability, and more rigorous validation activities than organizations operating solely under ISO 9001.
However, many of the core principles remain the same. Organizations that already have an ISO 9001-certified QMS often have a solid foundation in place.
For a more detailed comparison, read our guide to the differences between ISO 13485 and ISO 9001.
How to implement ISO 13485
Implementing ISO 13485 is about more than creating procedures or preparing for an audit. The goal is to build a quality management system that supports both regulatory compliance and day-to-day operations.
While every organization's journey will look slightly different, most successful implementations follow a similar path.
Step 1: Conduct a gap assessment
Before building or updating a quality management system, it's important to understand where you stand today. A gap assessment compares existing processes, documentation, and controls against ISO 13485 requirements to identify areas that need attention.
Step 2: Define the scope of your QMS
Once gaps have been identified, the next step is to establish the scope and structure of the quality management system.
This includes defining which products, services, and activities fall within the QMS, identifying process owners, assigning responsibilities, and documenting how different processes interact.
Step 3: Develop and organize documentation
Documentation is a core component of ISO 13485. Organizations must establish and maintain the procedures, records, and supporting documents needed to demonstrate that processes are being followed consistently.
Perhaps more important than creating documentation is ensuring it remains controlled, accessible, and up to date.
Step 4: Integrate risk management throughout the QMS
Risk management is not a standalone activity under ISO 13485. It should be integrated throughout the product lifecycle and reflected in key quality processes.
Organizations should establish methods for identifying, evaluating, controlling, and monitoring risks associated with their products and processes.
Step 5: Establish supplier controls
Many organizations rely on external suppliers and service providers to support product development and manufacturing. Because supplier performance can directly impact product quality, ISO 13485 requires organizations to establish appropriate controls over externally provided products and services.
Step 6: Train employees and establish competency
A quality system is only effective if employees understand their responsibilities within it. Organizations must ensure personnel have the education, training, skills, and experience needed to perform their roles effectively.
Training should be documented, regularly reviewed, and linked to competency requirements where appropriate.
Step 7: Perform internal audits
Internal audits provide an opportunity to evaluate whether the quality management system is functioning as intended and meeting ISO 13485 requirements.
Beyond identifying nonconformities, internal audits can help uncover process inefficiencies, highlight improvement opportunities, and prepare the organization for external assessments.
Step 8: Conduct management reviews
ISO 13485 requires leadership to take an active role in overseeing the effectiveness of the quality management system.
Management reviews provide a structured opportunity to evaluate quality performance, review audit findings, assess risks, and ensure adequate resources are available to support the organization's quality objectives.
Step 9: Prepare for certification
The quality management system should already be operating in practice rather than existing only on paper.
Processes should be implemented, employees trained, records generated, and internal audits completed.

Common ISO 13485 implementation mistakes
Implementing ISO 13485 can be a significant undertaking, particularly for organizations building a quality management system for the first time. While every company faces different challenges, certain issues appear repeatedly during implementation and certification audits.
Treating ISO 13485 as a documentation project
One of the most common mistakes is focusing on documentation rather than implementation. Organizations may invest significant effort in writing procedures, only to discover during an audit that the documented processes are not consistently followed in practice.
Weak document control practices
As organizations grow, procedures, forms, and records can quickly become difficult to manage. Outdated documents, inconsistent approval processes, and uncontrolled copies are frequent sources of audit findings.
Underestimating training and competency requirements
Training records are often treated as an administrative exercise rather than evidence of competency. However, ISO 13485 requires organizations not only to provide training, but also to ensure personnel can perform their assigned responsibilities.
Inadequate supplier oversight
Many organizations rely heavily on suppliers for components, manufacturing activities, or specialized services. When supplier qualification and monitoring processes are weak, quality and compliance risks can quickly extend beyond the organization's direct control.
Separating risk management from the QMS
Risk management is often treated as a standalone regulatory requirement, particularly during product development. In reality, ISO 13485 expects risk-based thinking to be integrated throughout the quality management system.
Viewing certification as the finish line
Achieving ISO 13485 certification is an important milestone, but maintaining compliance requires ongoing effort. Organizations that treat certification as a one-time project often struggle during surveillance audits because processes gradually drift away from documented requirements. Successful organizations view ISO 13485 as an ongoing quality framework rather than a certification exercise.
Neglecting internal audits
Internal audits are one of the most effective tools for identifying issues before they become regulatory observations or certification findings. Yet they are often rushed, delayed, or treated as a box-ticking activity.
When used effectively, internal audits provide valuable insight into process performance and help organizations continuously strengthen their quality systems.

Understanding ISO 13485 certification
Implementing an ISO 13485-compliant quality management system is one thing. Demonstrating that the system meets the requirements of the standard is another.
ISO 13485 certification is an independent assessment conducted by an accredited certification body. During the certification process, auditors evaluate whether an organization's quality management system conforms to the requirements of ISO 13485 and whether those processes are being followed in practice.
How does the certification process work?
While the exact process may vary slightly between certification bodies, ISO 13485 certification typically involves two audit stages.
Stage 1 audit: reviewing readiness
The Stage 1 audit focuses on determining whether the organization is ready for full certification assessment.
During this phase, auditors review documentation, evaluate the scope of the quality management system, and assess whether the core elements required by ISO 13485 are in place. The goal is to identify significant gaps or areas that need attention before moving to the next stage.
Stage 2 audit: evaluating implementation
The Stage 2 audit focuses on how the quality management system operates in practice.
Auditors assess whether documented procedures are being followed and review objective evidence demonstrating compliance with ISO 13485 requirements.
What happens if nonconformities are identified?
Most organizations receive at least some audit findings during the certification process. These findings, known as nonconformities, can range from minor issues to more significant gaps that require corrective action.
Organizations are typically expected to investigate the root cause of the issue, implement corrective actions, and provide evidence that the problem has been addressed before certification can be granted or maintained.
Maintaining ISO 13485 certification
Achieving certification is not the end of the process. Certification bodies conduct periodic surveillance audits to verify that the quality management system continues to meet ISO 13485 requirements.
Most organizations undergo annual surveillance audits and a more comprehensive recertification audit every five years.
How long does ISO 13485 certification take?
The time required to achieve certification varies considerably depending on the size of the organization, the complexity of its operations, and the maturity of its existing quality system.
Organizations with established quality processes may be able to prepare for certification within several months, while companies building a quality management system from the ground up often require significantly more time.
ISO 13485 audits: what to expect
Audits are one of the primary mechanisms used to evaluate whether a quality management system is functioning as intended. Rather than being a one-time certification exercise, audits play an ongoing role in maintaining compliance, identifying weaknesses, and driving continuous improvement.
Internal audits
Internal audits are conducted by the organization itself or by qualified external auditors acting on its behalf. They are a required part of ISO 13485 and provide an opportunity to assess the effectiveness of the quality management system before issues are identified by customers, regulators, or certification bodies.
Certification audits
Certification audits are conducted by an accredited certification body to assess conformity with ISO 13485 requirements. These audits evaluate both the design of the quality management system and its implementation in practice.
Surveillance audits
After certification has been granted, surveillance audits are conducted periodically to confirm that the quality management system continues to operate effectively.
How to prepare for an ISO 13485 audit
The most effective audit preparation begins long before the audit itself. Organizations that maintain current documentation, complete internal audits regularly, and address issues as they arise are typically far better prepared than those attempting to prepare in the weeks leading up to an assessment.
For a practical checklist and preparation tips, read our guide to ISO 13485 audit preparation.
ISO 13485 training and employee competency
People play a central role in every quality management system. Even the most well-designed procedures are only effective if employees understand their responsibilities and have the knowledge and skills needed to perform them consistently.
For that reason, ISO 13485 places significant emphasis on training and competency. Organizations must ensure personnel are qualified to perform their assigned tasks based on an appropriate combination of education, training, skills, and experience.
Training requirements under ISO 13485
Training should provide employees with the knowledge needed to perform their roles effectively within the quality management system.
Depending on the role, this may include training on quality procedures, regulatory requirements, job-specific responsibilities, risk management activities, and other processes relevant to product quality and compliance.
Training needs will vary across the organization, but the objective remains the same: ensuring employees understand how their activities contribute to product quality and regulatory compliance.
Competency goes beyond training
One common misconception is that completing training automatically demonstrates competency. In reality, ISO 13485 expects organizations to evaluate whether personnel can effectively perform their assigned responsibilities.
For example, an employee may attend a training session on a procedure, but organizations should also consider whether that individual can apply the procedure correctly in practice.
Maintaining training records
Organizations are required to maintain records demonstrating that training and competency requirements have been met.
These records may include training completion dates, training materials, attendance records, competency assessments, or other evidence that personnel have received appropriate instruction and are qualified to perform their duties.
Supporting continuous development
Competency is not a one-time achievement. As regulations evolve, procedures change, and organizations introduce new products or technologies, training requirements also change.
Regular refresher training, ongoing professional development, and periodic competency assessments help ensure employees remain qualified and capable of supporting the organization's quality objectives over time.
For a deeper look at training requirements, competency management, and best practices, explore our guide to ISO 13485 training.
How an eQMS supports ISO 13485 compliance
Maintaining an ISO 13485-compliant quality management system involves far more than creating procedures and passing audits. Organizations must continuously manage documents, training records, supplier information, CAPAs, complaints, audits, and other quality activities while ensuring that information remains accurate, accessible, and up to date.
An electronic Quality Management System (eQMS) helps centralize and streamline these activities, making it easier to maintain compliance and support ongoing quality management efforts.
Strengthening document control
Document control is one of the foundational requirements of ISO 13485, but it can quickly become challenging when documents are stored across multiple locations or managed manually.
An eQMS helps organizations maintain control over quality documentation by providing centralized access, version control, approval workflows, and audit trails.
Simplifying training and competency management
As organizations grow, maintaining training records and demonstrating employee competency becomes increasingly complex.
Digital training management tools can help automate training assignments, track completion status, maintain training records, and provide the documentation needed during audits.
Supporting CAPA and quality event management
Managing nonconformities, investigations, corrective actions, and complaints often involves multiple stakeholders and large volumes of documentation.
An eQMS helps organizations track quality events throughout their lifecycle, improve visibility into open actions, support root cause investigations, and identify trends that may otherwise go unnoticed.
Maintaining continuous audit readiness
One of the most significant advantages of an eQMS is the ability to maintain ongoing visibility into quality activities rather than preparing for audits retrospectively.
When documents, training records, CAPAs, audits, and quality events are managed within a centralized system, organizations can more easily demonstrate compliance and respond to auditor requests. Instead of gathering evidence from multiple spreadsheets, folders, and email chains, information is readily available when needed.
Why organizations choose Scilife
Scilife's eQMS platform is designed specifically for life sciences organizations and supports the processes most critical to ISO 13485 compliance, including document control, training management, quality events, CAPA, audits, and supplier management.
By bringing these activities together in a single platform, organizations can reduce administrative burden, improve visibility across quality processes, and maintain a state of continuous audit readiness.
ISO 13485 and FDA QMSR harmonization
For many years, medical device manufacturers selling products in the United States have been required to comply with the FDA's Quality System Regulation (QSR) under 21 CFR Part 820. While the regulation shares many similarities with ISO 13485, organizations have often had to navigate differences between FDA requirements and international quality system expectations.
That is changing.
The FDA is transitioning from the Quality System Regulation (QSR) to the Quality Management System Regulation (QMSR), one of the most significant quality-system-related regulatory developments in recent years.
What is QMSR?
Under QMSR, the FDA has incorporated ISO 13485:2016 by reference into its quality management system requirements. The goal is to better align FDA expectations with internationally recognized quality system requirements and reduce unnecessary duplication between regulatory frameworks.
What does harmonization mean for manufacturers?
Organizations that already maintain an ISO 13485-compliant quality management system may find it easier to align quality processes across different markets.
Rather than managing separate approaches for different regulatory jurisdictions, manufacturers can work toward a more unified quality system that supports both international and FDA requirements.
Why align with ISO 13485 now?
Organizations that invest in robust ISO 13485 processes today may be better positioned to navigate future regulatory requirements, support global market access, and maintain compliance across multiple jurisdictions.
For a deeper look at the FDA transition and its implications, explore our guide to ISO 13485 and FDA QMSR harmonization.
Conclusion
ISO 13485 has become the global standard for quality management systems in the medical device industry, providing organizations with a structured framework for managing quality, demonstrating compliance, and supporting patient safety.
While achieving certification is often a key objective, the value of ISO 13485 extends far beyond the certification audit itself. A well-implemented quality management system helps organizations establish consistent processes, manage risk effectively, improve operational visibility, and adapt to changing regulatory expectations.
FAQ
What is ISO 13485?
ISO 13485 is the internationally recognized standard for quality management systems in the medical device industry. It provides a framework for establishing and maintaining the processes needed to consistently meet regulatory and customer requirements while supporting product quality and patient safety.
Is ISO 13485 certification mandatory?
In short, no. In theory, organizations can develop their own quality management systems without seeking ISO 13485 certification. In practice, however, many manufacturers choose to implement ISO 13485 because it is widely recognized by regulators, certification bodies, and customers, and serves as the foundation for compliance in many global markets.
How long does ISO 13485 certification take?
There is no standard timeline. The certification process depends on factors such as the size of the organization, the complexity of its operations, and the maturity of its existing quality management system.
How often are ISO 13485 audits conducted?
Organizations typically undergo annual surveillance audits after certification, with a recertification audit conducted every three years. Internal audits should also be performed regularly as part of maintaining an effective quality management system.









