ISO 13485:2016

Medical Devices — Quality Management Systems — Requirements for Regulatory Purposes

ISO 13485:2016 — Medical Devices Quality Management Systems

ISO 13485:2016 specifies requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements. It is the globally recognized standard for medical device QMS and is accepted or mandated by regulators in over 100 countries.

Current Version: 2016
Main Clauses: 5
Countries Accepting: 100+
Cert Validity: 3 yrs

What is ISO 13485:2016?

ISO 13485:2016 is an internationally recognized standard published by the International Organization for Standardization (ISO). It defines the requirements for a Quality Management System (QMS) specifically designed for organizations involved in the design, production, installation, and servicing of medical devices, and the design, development, and provision of related services.

Unlike general quality standards, ISO 13485 places particular emphasis on patient safety, regulatory compliance, and risk management throughout the product lifecycle. The standard requires organizations to maintain the effectiveness of the QMS — not merely to demonstrate initial compliance — and explicitly incorporates regulatory requirements as a primary driver of QMS design.

The 2016 revision (the current version) introduced significant changes including an increased emphasis on risk-based thinking across all QMS processes, enhanced requirements for software used in the QMS, stronger post-market surveillance requirements, and updates to design and development controls.

Relationship to ISO 9001

ISO 13485 was historically harmonized with ISO 9001, but the two standards have diverged significantly since ISO 9001:2015 shifted to the Annex SL high-level structure. ISO 13485:2016 intentionally did not adopt the Annex SL structure and retains its own clause numbering and requirements.

ISO 9001:2015
  • General commercial quality management
  • Customer satisfaction focus
  • Risk-based thinking (broader)
  • Annex SL high-level structure
  • No mandatory records (risk-based)
  • No explicit post-market requirements

ISO 13485:2016
  • Medical device-specific QMS
  • Patient safety & regulatory focus
  • Extensive mandatory records
  • Explicit post-market surveillance
  • Sterile product & implant controls
  • Design & development controls

Note: ISO 13485 certification does not confer ISO 9001 certification. For regulatory purposes, ISO 13485 is the required standard for medical devices. Some regulatory bodies (e.g., Health Canada via MDSAP) mandate ISO 13485 certification as a market access requirement.

Why It Matters for Medical Device Manufacturers

Market Access

Required for CE marking (EU MDR/IVDR), Health Canada licensing, TGA conformity assessment, and accepted under MDSAP for FDA, Health Canada, ANVISA, TGA, and PMDA audits.

Regulatory Framework

Provides the documented quality framework required to satisfy premarket submissions (510(k), PMA, Technical File, Design Dossier) and post-market obligations.

Risk Management Integration

Structurally aligned with ISO 14971 (risk management for medical devices), enabling an integrated risk and quality framework across the product lifecycle.

Supply Chain Confidence

Increasingly required by OEMs and large device manufacturers from their component and contract manufacturing suppliers. Demonstrates systematic quality controls.

Incident Prevention

Systematic CAPA, complaint handling, and post-market surveillance requirements reduce the likelihood of serious adverse events and regulatory enforcement actions.

MDSAP Efficiency

ISO 13485 certification is the foundation of MDSAP (Medical Device Single Audit Program), allowing a single audit to satisfy requirements in 5 jurisdictions simultaneously.

Certification Process Overview

1. Gap Assessment (2–4 weeks)

Conduct an internal gap analysis against ISO 13485:2016 requirements. Identify missing procedures, records, and process controls. Develop a remediation roadmap.

2. QMS Implementation (3–12 months)

Develop and implement required procedures, work instructions, forms, and records. Train personnel. Establish monitoring, measurement, and CAPA processes.

3. Internal Audit (2–4 weeks)

Conduct a full internal audit of the QMS against ISO 13485:2016 requirements. Raise and close all findings before the Stage 1 audit.

4. Management Review (1–2 days)

Conduct management review with all required inputs. Document outputs and action items. Demonstrates top management commitment to the QMS.

5. Stage 1 Audit (Certification Body) (1–2 days)

Document review (desk audit) by an accredited certification body (CB). CB reviews your QMS documentation for adequacy and readiness for Stage 2.

6. Stage 2 Audit (Certification Body) (2–5 days)

On-site audit of QMS implementation. CB verifies that documented processes are effectively implemented and that the QMS meets ISO 13485 requirements.

7. Certification Issued (2–6 weeks)

CB reviews audit findings, closes any non-conformances, and issues the ISO 13485 certificate. The certificate is valid for 3 years subject to annual surveillance audits.

8. Surveillance & Recertification (Annual + 3yr cycle)

Annual surveillance audits by the CB to verify ongoing compliance. Recertification audit conducted every 3 years to renew the certificate.