ISO 13485: the essential guide
Have you spent countless stressful hours preparing for ISO 13485 certification?
You’re not alone.
ISO 13485 is the internationally recognized quality management benchmark for medical device manufacturers. Getting ISO 13485 certified guarantees the trust of your regulators, stakeholders and future customers while quickening your route to market.
There’s no denying that it’s a complex process which needs to be done right.
But with some expert guidance and the right toolset, there’s absolutely no reason your company can’t unlock and embed lasting ISO 13485 compliance.
This guide contains everything your team needs to kickstart and complete a successful ISO 13485 certification journey and to get your medical device to market before your competitors. Let’s dive in.
What does ISO 13485 mean?
ISO 13485 is an internationally agreed upon set of standard quality management system (QMS) requirements for any company involved in the design, production, installation, servicing and manufacturing of medical devices.
ISO 13485 was first published in 1996 and has since been revised in 2003 and 2016.
The current version, ISO 13485:2016, came into effect in March 2016. The aim of these requirements is to ensure that medical devices and services consistently meet customer expectations and relevant regulatory requirements.
What does ISO 13485 stand for?
The 'ISO' in ISO 13485 stands for the International Organization for Standardization, which publishes the international standards governing most modern industries.
Yep - as you've probably noticed, 'ISO' isn't an acronym or initialism for International Organization for Standardization. So why does it have that name, and not IOS?
The reason is that, as an internationally focused organization, any business acronym in English wouldn't neatly translate into other languages. 'ISO' was therefore agreed upon as a snappy, short-form version of the Organization's full name.
And '13485' is simply the designated numerical code given to ISO's medical device quality management standard.
Is ISO 13485 certification or accreditation?
Certification.
ISO 13485 certification is provided to any medical device organization that meets the requirements of ISO 13485.
ISO accreditation, on the other hand, is provided to a conformity assessment body as proof of its integrity, impartiality and operational ability.
It's a confusing distinction, and the terms are often used interchangeably, but in the strictest sense of the word: if you're a testing body of any kind - like a testing lab, certification body, or inspection agency - you'll need accreditation.
The companies that those bodies inspect for compliance get certified once they pass their audits.
Why is ISO 13485 certification important?
ISO is an international non-governmental organization of industry leaders who share their knowledge and expertise to provide solutions for global challenges.
ISO 13485 effectively covers ISO 9001 with a few additional requirements. Consumers and the life science supply chain have come to trust ISO, and they’ll often refuse to purchase medical device products from companies that lack ISO 13485 certification.
To obtain CE marking—which indicates conformity with safety standards for products sold in the European Economic Area—medical device manufacturers must get ISO 13485 certified with a notified body and have a quality management system in place.
ISO 13485 has also taken on additional significance in the United States in recent years, as the FDA plans to harmonize its own 21 CFR 820 medical device quality requirements with those of ISO 13485. Indeed, the ISO 13485 vs 21 CFR 820 comparison which American medical device manufacturers have had to work through in the past looks set to be broken down when the FDA's new QMSR goes live in 2026 - making ISO 13485 best practice a key part of American national regulatory expectations.
How much does it cost to get ISO 13485 certification?
ISO 13485 certification cost will vary significantly depending on the size and complexity of your organization and of your product offering. Fees are paid directly to the notified body conducting your ISO 13485 assessment.
Aim for a very broad ballpark figure of around $20,000 as a minimum. This comprises the typical annual certification fee of $3000-5000, typical audit costs of around $3000 per day, plus any other billable planning and reporting time and the associated work and time expenses of your own internal preparation work.
Smaller businesses with, say, fewer than 10 heads may be able to secure certification for less than this, while larger businesses demanding longer audit and prep times should expect to pay more.
5 key elements of ISO 13485
ISO 13485 includes requirements for design and development, risk management, production and post-production processes for medical device companies. Below are five key requirements from ISO 13485 that are critical for companies wanting to get ISO 13485 certified.
1. Quality management system (QMS)
To be certified to ISO 13485, a company must implement and maintain a quality management system that meets the requirements set out in the standard. This section talks about general quality management system requirements, as well as the documentation needed to implement and maintain an effective quality management system.
According to ISO, organizations need to:
- Determine the processes the quality management system requires and what's needed to apply these processes throughout the organization, taking into account the various roles involved,
- Apply a risk-based approach to the control of the appropriate processes needed for the quality management system, and
- Determine the sequence and interaction of these processes.
2. Management responsibility
This section outlines the unique roles and responsibilities of management as it pertains to quality management system implementation and maintenance.
In short, management should provide evidence of its commitment to the development and maintenance of the quality management system and its effectiveness. To do that:
- Communicate the importance of meeting regulatory requirements
- Establish a high-value quality policy
- Ensure that quality objectives are established
- Conduct management reviews
- Ensure availability of quality management system resources
3. Resource management
This phase outlines the resources life sciences organizations should commit to implement the quality management system and maintain system effectiveness. It outlines the provisions needed to meet major regulatory and customer requirements.
Resources outlined in this section include:
- The provision of resources
- Human resources
- Infrastructure
- Work environment
- Contamination control
4. Product realization
In a rush to get products into development as soon as possible, many organizations often overlook the planning phase. Section 7.1 requires that you appropriately plan your realization efforts.
More specifically, it states that you should:
- Establish the quality requirements for your product(s)
- Define what your required processes will be and what supporting documentation will be needed for those processes
- Outline the company infrastructure that will need to be created and what the work environment should be like
- Define employee qualification and training requirements
- Establish your processes for verification, validation, measurement, monitoring, handling, inspection, storage, distribution, and traceability
Finally, you have to organize all of that information in such a way that it can be easily accessed and understood.
5. Measurement, analysis, improvement
According to ISO, "the organization shall plan and implement the monitoring, measurement, analysis, and improvement processes" related to the quality management system and products.
In this pursuit, organizations need to:
- Demonstrate conformity of product
- Ensure conformity of the quality management system
- Maintain the effectiveness of the quality management system
Taking these elements together, here's a handy ISO 13485 diagram you can use to map out the key activities you need in place for an ISO 13485 QMS.
ISO 13485 clauses
ISO 13485 contains 8 clauses as part of its requirements.
They are:
- Scope
- Normative References
- Terms and Definitions
- General requirements
- Management responsibility
- Resource management
- Product realization
- Measurement, analysis and improvement
Let's briefly review each clause:
1. Scope
The scope sets out the intended outcomes of the modern medical device quality management system, including the significance of the process approach and continuous improvement.
2. Normative References
Provides details of the reference standards or publications relevant to the particular standard, including ISO 9001:2015.
3. Terms & Definitions
Details terms and definitions applicable to the standard, including definitions of Active Implantable Medical Device, Active Medical Device, Advisory Notice, Customer Complaint, Implantable Medical Device, Labeling, Medical Device and Sterile Medical Device.
4. General requirements
Lays out the broad requirements for a properly documented ISO 13485 QMS, including:
- Quality manual with clear QMS scope
- Documentation control procedures
- Required forms, records and SOPs
5. Management responsibility
Concerns the role of ‘top management’: the group of people who direct and control your organization at the highest level. Customer and patient satisfaction and safety should be overseen and maintained by top management with:
- Clear responsibilities
- Frequent management reviews
- A clear quality policy with objectives
6. Resource management
Requirements for how resources are managed and applied to meet your quality objectives, including personnel, equipment and training.
7. Product realization
Maps out requirements for the end-to-end medical device product realization process, including:
- Production and manufacture
- Capturing and actioning feedback
- Planning
- Design
- Purchasing
- Traceability
8. Measurement, analysis and improvement
Breaks down how to monitor and analyze your processes with a view to continuous refinement and improvement. Core considerations include:
- Auditing
- CAPAs
- Non-conformance control
- Measuring and maximizing customer satisfaction and patient/product safety
ISO 13485 vs. ISO 9001
ISO 9001 lays the framework for a quality management system that can be applied no matter what industry you’re in or what your product, service, or company size is. If your company intends to manufacture medical devices, you’ll need to seek ISO 13485 certification.
What is the primary difference between ISO 13485 and ISO 9001?
The key difference between ISO 13485 and ISO 9001 is focus.
ISO 9001 is broad and can be applied to any business.
ISO 13485 is niche, and designed specifically for medical device companies.
ISO 13485 therefore has additional requirements not found in ISO 9001, that are specific to medical device manufacturers.
Let’s take a look at the similarities and differences between ISO 9001 and ISO 13485, so you can get a better understanding of where you need to raise the bar on quality as a medical device manufacturer.
Similarities between ISO 13485 and ISO 9001
- Each standard helps organizations achieve a quality management system
- Both place a focus on risk mitigation and assessment
- Both utilize the Deming cycle, also known as Plan Do Check Act
- They each place a focus on competency and infrastructure for quality
- Both emphasize understanding the customer for the realization of quality products
Additional requirements for ISO 13485
- Device master record explicitly defining QMS requirements
- Feedback and review system for non-conformance detection
- Product quality control (monitoring and measuring) throughout production process
- Set quality requirements must be met before product release and delivery
- Advisory notices, rework activity, release of non-conforming product (which still meets regulatory requirements) must be documented
- Personnel require access to procedures, requirements and reference materials at the point of work
- Unique and specific records for every approved and verified device batch
- Installation and verification device requirements
- Maintained records of device installation, verification and servicing activities and procedures
- QMS containing product specification documents and quality policy, with a framework for reviews and updates controlled by the management team
- Management must verify QMS goals and compliance
- Documented procedures for shelf life, quality data collection/analysis/retention, maintenance activity, risk/environment management, adverse event flagging, product conformity, identification, returns, maintenance, labeling and packaging
What is an ISO 13485 medical device file?
The ISO 13485 medical device file is a key document you'll need to demonstrate compliance to the standard.
In a nutshell, your MDF should document your device's design, development, and testing activity to prove that it works as intended.
It should also include your risk management activities, as well as any post-market surveillance data once your device is in the public realm.
9 tips to prepare for ISO 13485 certification
Now that we understand the key components and clauses of ISO 13485 and the differences with ISO 9001, it's time to look at preparation for certification. This process doesn't have to be complicated or overwhelming. Follow these nine tips to help you get ISO 13485 certified faster.
Familiarize yourself with the guidelines
Take time to read the guidelines thoroughly and make sure you understand what’s required of you to become certified. You can view a preview and purchase the complete ISO 13485 document from ISO’s website.
Meet CAPA standards
Refer to the FDA’s inspection guidelines and to ISO 13485 8.5.3 (prevention) and ISO 13485 8.5.2 (correction) to ensure your company meets CAPA standards. Failure to meet CAPA standards is the number one trigger for FDA citations in the medical device industry.
Implement complaint procedures
Establish complaint procedures that follow the guidelines laid out in FDA CFR 820.198 and ISO 13485 8.2.2. A lack of standard procedures for handling complaints, or a failure to provide evidence that procedures were followed, is the second most common reason organizations receive a 483 observation.
Include purchasing controls
Create a written procedure for supply chain management to reduce the risk of noncompliance or supplier risks that could compromise your device quality.
Develop MDR procedures
MDR (Medical Device Reporting) should include events and annual reports as detailed under FDA CFR 803.17 and ISO 13485:2016. Written procedures and systems are critical for compliance with record-keeping guidelines for MDR.
Create a process to prepare for the audit
Review the following areas every three months, so you aren’t putting internal audits off until the last minute:
- Design
- Training
- Purchasing
- Quality assurance
Focus on upstream quality
Manufacturers use the term “Upstream Quality (UQA)” to refer to a concept that relates to quality from the start. Focusing on UQA means putting effort into planning in the early stages to reduce quality issues later down the line.
Prepare to talk to the auditor
Auditors don’t fail or pass you right there on the spot. Interactions are generally low-pressure and more conversational. Avoid giving any information you aren’t sure of and be prepared to have a productive conversation.
Use an eQMS — not a paper-based system!
Electronic quality management systems designed for life sciences companies — like Qualio — are built using the ISO 13485 framework for quality control, operational efficiency, regulatory compliance and the safe manufacture of medical devices.
Unless you want to hire an in-house team of IT staff to run your eQMS, you need software that’s simple and easy to use. The perfect eQMS should provide essential functions such as document control, training, and the ability to expand to other areas — like CAPA — as you get closer to product approval. And as your company grows, your eQMS needs to grow with you.
A robust eQMS should offer essential components for risk management, testing, and other procedures to streamline product submission.
An International Trade Administration study found that 73% of medical device manufacturers have 20 or fewer employees, so utilizing a cloud-based eQMS is critical for effective collaboration among a distributed workforce.
Benefits of ISO 13485:2016 certification
While ISO 9001:2015 covers a broad range of businesses and industries, ISO 13485:2016 has a narrower focus on the medical device industry. By adhering to the guidelines set out in ISO 13485:2016, your organization can enjoy several benefits, including:
- Bringing quality and continuous improvement into the heart of your medical device organization
- Improved patient/customer satisfaction – by consistently providing safe medical devices that meet customer requirements
- Enhanced reputation and credibility – by being ISO 13485:2016 certified, you can demonstrate to customers, suppliers and other stakeholders that your organization is serious about quality
- Greater efficiency – ISO 13485 can help streamline your processes, making your organization more efficient overall
- Reduced costs – ISO 13485:2016 can lead to reduced waste, rework and other inefficiencies, thereby reducing your organization’s overall costs
- Improved risk management – by having a robust quality management system in place, you can more effectively identify and manage risks associated with your medical devices
- A stronger foundation for growth – ISO 13485:2016 can provide a solid foundation for your organization to grow and expand its operations into new markets.
What is the software for ISO 13485?
ISO 13485 software is a specific category of quality management software designed for medical device companies seeking ISO 13485 certification.
Medical device quality management software offers a diverse range of business benefits, including centralizing your document and design control information and allowing collaborative digital workflows for closing out CAPAs.
ISO 13485 certification takes a lot of deep, coordinated and consistent activity across all areas of your medical device organization - as such, it's no surprise that software for ISO 13485 certification is getting increasingly popular.