ISO 13485

TL;DR

ISO 13485:2016 — the international Quality Management System standard for medical devices, harmonised with EU MDR/IVDR, accepted under MDSAP, and as of 2 February 2026 the substantive backbone of FDA's new Quality Management System Regulation (QMSR) replacing 21 CFR Part 820. What it requires, how it differs from ISO 9001, and how it is operationalised on the shop floor.

Reviewed · By V5 Ultimate compliance team · 3,600 words · ~17 min read

01 What ISO 13485 actually is

ISO 13485 is the international consensus standard that specifies requirements for a quality management system where an organisation needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements. It was first published in 1996, with the current edition ISO 13485:2016 and an Amendment 1 published in 2021 (a minor amendment principally about climate-action wording and a scope clarification).

ISO 13485 is a regulatory standard, not a generic quality standard. Its structure deliberately mirrors ISO 9001 in many places, but it strips out the customer-satisfaction emphasis of 9001 and replaces it with explicit requirements for regulatory compliance, risk management, design controls, sterile/implantable device controls, and post-market surveillance. It is referenced as the harmonised standard for QMS under EU MDR 2017/745 Article 10(9), accepted by all five MDSAP regulators (FDA, Health Canada, TGA, ANVISA, MHLW/PMDA), and — from 2 February 2026 — incorporated by reference into the FDA's new Quality Management System Regulation (QMSR), replacing the long-standing 21 CFR Part 820 Quality System Regulation.

02 The structure of ISO 13485:2016 — clauses 4 through 8

ISO 13485 is organised in eight clauses. The first three are scope and normative references. The five substantive clauses define the QMS.

  • Clause 4 — Quality Management System. General QMS requirements, document control, record control, the quality manual, the requirement to define each device's role in the supply chain (manufacturer, importer, distributor, contract manufacturer).
  • Clause 5 — Management Responsibility. Top management's accountability for the QMS: policy, planning, responsibility and authority, management representative, internal communication, management review.
  • Clause 6 — Resource Management. Human resources (competence, training, awareness), infrastructure (buildings, equipment, IT), work environment and contamination control, particularly for sterile devices.
  • Clause 7 — Product Realisation. The biggest clause. Planning of product realisation, customer-related processes, design and development (the famous clause 7.3 — design controls), purchasing, production and service provision (including process validation), control of monitoring and measuring equipment.
  • Clause 8 — Measurement, Analysis and Improvement. Feedback, complaint handling, reporting to regulatory authorities, internal audit, monitoring of processes and product, control of nonconforming product, analysis of data, CAPA, and the explicit improvement clause.

Every clause has a 'shall' requirement (mandatory) and most have a 'shall maintain documented information' or 'shall retain records' obligation. The records and documents collectively constitute the auditable evidence of the QMS.

03 Design Controls — clause 7.3, the heart of medical-device QMS

Clause 7.3 (Design and development) is where ISO 13485 most clearly diverges from ISO 9001. It mandates a documented design-control process producing a Design History File (DHF) that proves the device was developed against user needs, with risk management integrated throughout, and verified and validated before release to manufacturing.

7.3.2 Design and development planning

A plan that describes the stages, the responsibilities, the reviews, the verification and validation activities, the design-transfer activities and the risk-management activities. Updated as the design evolves.

7.3.3 Design inputs

User needs, intended use, regulatory requirements, applicable standards, and results from risk management. Inputs must be reviewed for adequacy and approved.

7.3.4 Design outputs

The drawings, specifications, code, labelling artwork, training materials and the DMR content. Outputs must be in a form that allows verification against inputs and must include or reference acceptance criteria.

7.3.5 Design review

Formal reviews at defined stages, with participants representing functions affected by the stage, plus independent reviewers. Documented.

7.3.6 Design verification

Confirmation that outputs meet inputs. Testing, inspection, analysis. Documented with results.

7.3.7 Design validation

Confirmation, often through clinical evaluation, that the device meets the user needs and intended use. Performed on initial production units or equivalents.

7.3.8 Design transfer

The formal handover from design to manufacturing. The DMR is the artefact; transfer is the act of approving it.

7.3.9 Control of design changes

Every change after the initial transfer goes through review, verification, validation (as appropriate) and approval before implementation. Risk re-assessment is required.

7.3.10 Design and development files

The DHF — one file per device or per device family — retained for the device's life plus the regulatory minimum.

04 Risk management — the ISO 14971 partnership

ISO 13485 references ISO 14971 — the medical-device risk-management standard — as the source for the risk-management process. The interplay is explicit: 13485 clauses 7.1, 7.3.3, 7.3.7, 7.3.9, 7.5.1, 8.2.1 and 8.5.2 all require risk-management activities or outputs. The DHF must include the risk-management file from ISO 14971.

In a well-run device QMS, the risk-management file is updated continuously — at design transfer, at every design change, at every CAPA, at every post-market signal that changes the residual risk picture. EU MDR Annex I and FDA's expectations under QMSR both treat the risk file as a living document; a static one is a routine audit finding.

05 ISO 13485 vs ISO 9001 — what is added, what is removed

| Topic | ISO 9001:2015 | ISO 13485:2016 |
|---|---|---|
| Customer satisfaction | Central focus, measured and reported | Replaced by 'meeting customer and applicable regulatory requirements' — satisfaction surveys are not required |
| Risk-based thinking | Generic, applied to the QMS as a whole | Specific to product safety and effectiveness via ISO 14971 |
| Design controls | Generic 'design and development' clause | Detailed clause 7.3 with mandatory DHF and design transfer |
| Process validation | Required only when output cannot be verified by monitoring | Required for any process whose output cannot be verified — and specifically called out for sterilisation, sterile-barrier systems, software |
| Documented procedures | Few specific procedures required; organisation chooses | Specific documented procedures required for control of documents, records, design, purchasing, production, monitoring, CAPA, complaint handling, regulatory reporting |
| Continual improvement | Required as a QMS objective | Required, but framed as effectiveness and suitability rather than satisfaction-driven improvement |
| Regulatory reporting | Not addressed | Clause 8.2.3 mandatory: report adverse events and field actions per applicable regulation |
| Sterile / implantable controls | Not addressed | Specific clauses for sterile-device manufacturing environments and implantable traceability |

An organisation certified to ISO 9001 cannot claim ISO 13485 conformance without significant additional work — typically design-control implementation, sterile-controls evidence, validated processes, and a regulatory-reporting procedure that doesn't exist in 9001-land.

06 FDA QMSR — the February 2026 change that matters to US manufacturers

On 2 February 2024 the FDA published the final Quality Management System Regulation (QMSR) rule, amending 21 CFR Part 820 to incorporate ISO 13485:2016 by reference. The effective date is 2 February 2026 — a two-year transition. After that date, the substantive QMS requirements for medical-device manufacturers selling in the US are the ISO 13485 clauses, augmented by the FDA-specific provisions retained in Part 820 (which become a much thinner regulation focused on the things ISO does not address: device-history-record specifics, complaint-files specifics, definitions, applicability).

The practical impact: a manufacturer already certified to ISO 13485 and exporting to Europe needs to add the FDA-specific Part 820 retained provisions (notably the DHR detail in old §820.184 and complaint-handling detail in old §820.198, both substantially preserved) to its existing QMS. A manufacturer currently certified only to Part 820 needs to upgrade to full ISO 13485 — design-control language, management-responsibility specifics, supplier-controls structure all change in non-trivial ways. The FDA has stated it will continue its inspectional cadence; QSIT (the existing inspection technique) is being updated into a 'QMSR Inspection Technique' guidance.

07 MDSAP — one audit, five regulators

The Medical Device Single Audit Program (MDSAP) is an IMDRF-coordinated programme under which a single audit by an authorised auditing organisation satisfies the regulatory inspection needs of five participating regulators: FDA (US), Health Canada, TGA (Australia), ANVISA (Brazil), and MHLW/PMDA (Japan). Health Canada has made MDSAP mandatory for licence-holding manufacturers since January 2019. FDA accepts MDSAP audit reports in lieu of routine surveillance inspections. The other three regulators use MDSAP variably.

MDSAP audits are conducted against ISO 13485 plus the country-specific regulatory requirements of each participating regulator. The audit model is process-based and covers seven tasks: management, measurement-analysis-improvement, medical device adverse events and advisory notices reporting, design and development, production and service controls, purchasing, and device marketing authorisation and facility registration. The non-conformity grading scale (Grade 1 through 5) is more granular than typical ISO certification audits.

08 Eight ways an ISO 13485 system fails audit

  1. Risk-management file frozen at design transfer. CAPA outcomes, post-market signals and design changes have updated the residual risk picture but the file does not show it.
  2. Design changes implemented without 7.3.9 review and re-verification. The change-control system exists but only catches major changes.
  3. Supplier controls weak — approved-supplier list with no evidence of qualification, no periodic re-evaluation, no audit programme proportionate to risk.
  4. Process validation done at IQ/OQ/PQ and never re-validated. Equipment moved, parameters drifted, software updated — no re-qualification.
  5. Complaints not classified for regulatory reporting. Threshold for MDR (US) or MIR (EU) decisions is informal; some events that should be reported aren't.
  6. Internal audit programme covers ISO clauses but never asks 'is this clause being implemented effectively?' — auditors check existence, not effectiveness.
  7. Management review is a slide-deck once a year. The clause requires inputs (audits, complaints, CAPA, supplier performance, changes, etc.) and outputs (decisions, resource needs). Most reviews skip the outputs.
  8. Training records show attendance but not competence. Clause 6.2 requires demonstrated competence for personnel performing work affecting product quality.

09 How V5 Ultimate handles ISO 13485 in practice

V5's medical-devices industry profile is built so that the records the QMS demands — DHF, DMR, DHR, complaint files, CAPA, supplier qualification, risk-management file, training records, audit-trail evidence — are produced as the by-product of running the shop floor, not as a separate documentation exercise.

  • Document control (clause 4.2.4): every controlled document has approved versions, effective dates, distribution lists, and acknowledgement records; obsolete versions are retained and locked.
  • Design controls (clause 7.3): DHF as a structured object with inputs, outputs, reviews, verification/validation, design transfer, and change records — each design change re-evaluating the risk file.
  • Production and service provision (clause 7.5): work orders execute against the DMR snapshot; the eDHR captures per-unit evidence; process validation status is tracked at the process-step level.
  • Purchasing (clause 7.4): supplier qualification, periodic re-evaluation, incoming inspection records, supplier corrective-action requests.
  • CAPA (clause 8.5.2/8.5.3) and complaint handling (clause 8.2.2): one workflow from intake through investigation, root cause, action, effectiveness check; regulatory-reporting decision built in.
  • Management responsibility (clause 5): policy, objectives, management-review meetings with structured inputs and recorded outputs, all available on the audit view.
  • QMSR (2026) ready: the platform handles both the ISO 13485 substance and the retained Part 820 specifics (DHR detail, complaint-file detail) without parallel systems.

Frequently asked questions

Q. Is ISO 13485 certification mandatory?

Certification itself is voluntary. But ISO 13485 conformance is mandatory in most major markets: EU MDR Article 10(9) requires a QMS, with ISO 13485 the harmonised standard presumed to satisfy it; Health Canada requires MDSAP certification (which audits against ISO 13485) for licence holders; FDA's QMSR from 2 February 2026 incorporates ISO 13485 by reference. In practice, every commercial medical-device manufacturer operates an ISO 13485 QMS.

Q. How long does certification take?

For a company starting from scratch, building the QMS, generating the records, running a Stage 1 readiness audit and a Stage 2 certification audit typically takes 9–18 months. Companies upgrading from ISO 9001 typically need 6–12 months. The first surveillance audit is usually a year after initial certification; recertification every three years.

Q. Does ISO 13485 require electronic records?

No — the standard is technology-neutral. But the volume and traceability demands of clause 7.3 (design controls), clause 7.5 (production records, DHRs), clause 8 (CAPA, complaints, audit trail) make paper systems impractical at any meaningful scale. Almost every manufacturer above start-up scale runs electronic. Electronic records bring 21 CFR Part 11 / Annex 11 controls into play.

Q. What is the difference between ISO 13485 and 21 CFR 820?

Until 2 February 2026: 820 is the US FDA's QMS regulation, similar in concept to ISO 13485 but with FDA-specific wording, structure and a few different requirements (notably design-controls scope and management-responsibility language). From 2 February 2026: Part 820 becomes QMSR, which incorporates ISO 13485:2016 by reference for the substantive QMS requirements and retains FDA-specific provisions (DHR specifics, complaint specifics, definitions) on top. After QMSR, ISO 13485 + the retained Part 820 sections = US QMS regulation.

Q. Do I need both ISO 13485 and ISO 14971?

Yes, effectively. ISO 13485 references ISO 14971 as the risk-management framework; you cannot satisfy 13485's risk-management requirements without implementing 14971 (or a demonstrably equivalent process — but no regulator accepts that without convincing). The standards are sold separately and read together.

Q. Does ISO 13485 apply to software-as-a-medical-device (SaMD)?

Yes. SaMD is a medical device under FDA, EU MDR and most regulatory definitions. ISO 13485 applies, with the additional standard IEC 62304 for software life-cycle and ISO 14971 for risk. Design controls (clause 7.3) substantially shape SaMD development — the DHF includes the software development plan, the software requirements specification, the architecture and detailed design, the verification and validation evidence.
