ISO 13485 Medical Devices – Quality management systems certification


ISO 13485:2003 specifies requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and regulatory requirements.


The primary objective of ISO 13485 is to facilitate harmonized medical device regulatory requirements for quality management systems. As a result, it includes some particular requirements for medical devices and excludes some of the requirements of ISO 9001 that may not be appropriate.


While it remains a stand-alone standard, ISO 13485 is generally harmonized with ISO 9001. A principal difference, however, is that ISO 9001 requires the organization to demonstrate continual improvement, whereas ISO 13485 requires only that the certified organisation demonstrate the quality system is effectively implemented and maintained. Additionally, the ISO 9001 requirements regarding customer satisfaction are absent from the medical device standard.


Other specific differences include:

– the promotion and awareness of regulatory requirements as a management responsibility. Examples of market-specific regulatory requirements include 21 CFR 820, the Quality System Regulation for medical devices sold in the United States, enforced by the U.S. Food and Drug Administration (FDA), or the Medical Devices Directive 93/42/EEC, required for doing business in the European Union

– controls in the work environment to ensure product safety

– focus on risk management activities and design control activities during product development

– specific requirements for inspection and traceability for implantable devices

– specific requirements for documentation and validation of processes for sterile medical devices

– specific requirements for verification of the effectiveness of corrective and preventive actions



ISO 13485:2016

Whether your organisation is certified to EN ISO 13485:2012 (or ISO 13485:2003) or you’re interested in gaining certification to the revised Standard, or if you’re an internal auditor or a lead auditor wondering how and when the 2016 Standard will affect you, we’ve got some answers for you.

The motivation for change

All ISO standards are reviewed and revised regularly to make sure they remain relevant to the marketplace. ISO 13485:2016 responds to the latest QMS practices, reflecting the evolution in medical device technology and changes in regulatory requirements and expectations.

Safety and performance of medical devices are paramount in this highly regulated industry.  For this reason, quality management systems are a regulatory or legal requirement in many countries.

ISO 13485 can help organizations involved in any part of a medical device’s life cycle to…

  • Demonstrate compliance with regulatory and legal requirements,
  • Ensure the establishment of QMS practices that consistently yield safe and effective medical devices,
  • Manage risk effectively,
  • Improve processes and efficiencies as necessary, and
  • Gain a competitive advantage.

The updated Standard seeks to help medical device manufacturers and their suppliers achieve these goals.

Applicability of ISO 13485:2016

ISO 13485:2016 is a quality management system that can be used by an organization involved in one or more stages of the life-cycle of a medical device, including:

  • design and development
  • production
  • storage and distribution
  • installation
  • servicing and final decommissioning and disposal of medical devices
  • provision of associated activities (e.g. technical support)

The requirements of the Standard can also be used by suppliers or other external parties providing product (e.g. raw materials, components, subassemblies, medical devices, sterilization services, calibration services, distribution services, maintenance services) to such organizations.

Several jurisdictions have regulatory requirements for the application of quality management systems by organizations with a variety of roles in the supply chain for medical devices.  Consequently, the Standard requires that the organization:

  • identifies its role(s) under applicable regulatory requirements
  • identifies the regulatory requirements that apply to its activities under these roles
  • incorporates these applicable regulatory requirements within its quality management system.

The main changes

The ISO 13485:2016 Standard was published in March 2016 in two editions, namely,

  • ISO 13485:2016 – the international edition, and,
  • EN ISO 13485:2016 – the edition harmonised with European Union Directives for medical devices.

The harmonised EN edition is identical word-for-word with the international edition.  However, it contains three additional annexes identifying where compliance with the Standard does not adequately address requirements in the Directives.  These three Annex Zs provide greater clarity on the applicability and alignment of the current AIMDD (active implantable medical device directive), MDD (medical device directive) and IVDD (in vitro medical device directive) with the Standard.

For the sake of clarity, we shall refer only to ISO 13485:2016.

The new version of ISO 13485 places greater emphasis on risk management and risk-based decision making for processes outside the realm of product realization.

The focus is on risks associated with the safety and performance of medical devices and compliance with regulatory requirements. In addition, the standard asks organizations to be more stringent when it comes to outsourcing processes by putting into place controls (e.g.  written agreements) for assessing their suppliers, again based on risk.

There is also more frequent mention of regulatory requirements.  These were mentioned 16 times in the 2003 version and 72 times in the 2016 version.

While the new Standard remains compatible with ISO 9001:2015, it retains the familiar structure of the previous Standard.  Even though published after the new ISO 9001 Standard, it does not follow Annex SL – the new high level structure (HLS). This common framework intended for all ISO management systems – helping to keep consistency, aligning different management system standards, offering matching sub-clauses and applying a common language across all standards – has been ignored.  No doubt this is because of the imprecise nature and ambiguous wording of the HLS-based Standards.


Table A.1 of Annex A provides a clause-by-clause comparison of the new 2016 edition of the Standard versus the previous edition and details the specific changes relating to each clause.  This is a great asset for those transitioning to the new edition as it can be readily converted into an audit checklist.

The structural relationship between ISO 13485:2016 and ISO 9001:2015 is outlined in Annex B. The mismatch between the two Standards is plain to see, and manufacturers and suppliers who require certification to both Standards are advised to have two Quality Manuals, one for each Standard, to show how quality policy will address the differing requirements.  An integrated set of procedures can then implement the policies across the common processes.

The transition to the new Standard

All organizations currently certified to EN ISO 13485:2012 (or ISO 13485:2003) will need to transition to the new requirements by 30th March 2019.  The IAF has stipulated this transition period.

How soon can I start the transition process?

You can start preparing for the transition immediately, educating the relevant people in your business and revising documentation and records in line with the changed requirements. We suggest that you progressively introduce the necessary changes.

How long will EN ISO 13485:2012 (or ISO 13485:2003) continue to be recognised and audited to?

The current standard will be recognized and can be audited to until the end of the 3-year transition period for ISO 13485:2016.

Regarding Certification Bodies (CBs) and their accreditation for the provision of certification to ISO 13485, IAF Resolution 2015/13 allocates a 3-year transition period also to them.

Thus from 31st March 2019 all accredited certifications to EN ISO 13485:2012 will cease to be valid. IAF has also stated that 2 years from publication all new certifications and recertifications issued must be to ISO 13485:2016.

Can I upgrade in 2016 during a re-certification audit?

Yes, providing your system meets all of the requirements of ISO 13485:2016.  But make sure your CB has completed its transition, namely, that it has accreditation to the new Standard.  It is unlikely that many CBs will have completed their transition before October 2016.

Will the transition mean additional CB days and additional costs?

It is expected that clients will transition during the course of their continuing audit visits and there will be little requirement for additional time to review and assess your implementation of the new requirements.  You should not expect additional costs here.

What if I want to transition before the end of my 3-year CB Contract?

You may transition immediately now that the 3-year transition period has begun; however, this may require additional days and as such, you may incur additional costs.  Talk to your CB.

How do I find out how far we are through the transition process?

Your CB should be in contact with you to discuss this.  Additionally, the Lead Auditor should discuss your transition progress at each audit visit to see where you are on your journey.

What if I want an extension to scope? Does that have to be to the 2016 version of the standard?

No, you can extend the scope of your existing certificate against the 2012 version of the standard. You must however transition by 31st March 2019; otherwise your certificate will be invalid.

I’m currently implementing/considering certification to ISO 13485; what should I do?

If you have already started implementing ISO 13485:2003 or EN ISO 13485:2012, continue as planned – you still have until 31st March 2019 to transition to the new standard. Do familiarise yourself well in advance with the new requirements, especially in relation to documentation and records.

If you haven’t started implementation yet, we would recommend that you obtain a copy of the 2016 version and implement this version.

I have an integrated system for both ISO 9001 and ISO 13485 with a single Quality Manual; how will the changes to ISO 13485 and these standards affect my system and transition?

With the significantly different structures of the two new versions of these standards (see Annex B of ISO 13485:2016), it will be difficult to devise a single, useable Quality Manual to address both Standards.  We emphasise the word useable – it can be done but will it be easy to implement, maintain and audit?

While aware that a quality manual is not a requirement of ISO 9001:2015, we recommend two Quality Manuals – one for each Standard.  As mentioned above, an integrated set of procedures can then implement the policies across the common processes.

I have questions regarding my certification now – who do I talk to?

Call your CB who will be happy to answer your specific questions.

Are there things we should do in advance of the transition?

Yes, there’s no need to wait years to make changes you could benefit from immediately.  Here are some suggestions…

  • Review your current approach and spring clean where appropriate;
  • Engage with the leaders of the business as many of the proposed changes will impact on them and help them understand those issues which they must manage and those they can delegate;
  • Taking a product life cycle approach, review the identification, management and control of your processes;
  • Start to consider how you can adopt and benefit from the concept of risk and opportunity management and its application throughout your supply chain;
  • Read the introduction section of the Standard; it contains some very valuable guidance on the concepts contained in the standard.

Conversion of auditor certification

I’m presently a qualified lead auditor/internal auditor; do I need to retrain for the new version of the standard?

Whilst your existing knowledge and experience are invaluable, this is the biggest change to the standard in a decade.

It’s vital you understand the new/expanded requirements which won’t be familiar.

We would recommend that you take the relevant Auditor Conversion Course as this will build on your existing knowledge and help you to feel confident about the new version of the standard.

We are also certified to both ISO 13485 and ISO 9001. Do I need to undergo training for both standards?

There are important and significantly different changes to both standards. We would recommend that you take formal training for both Standards to make sure you fully understand what this means to your organization.


Can I get a detailed listing of the differences between EN ISO 13485:2012 (or ISO 13485:2003) and ISO 13485:2016?

These are clearly set out in Annex A of the Standard.

Are organizations still allowed to exclude requirements of ISO 13485?

Yes, provided regulatory requirements permit it, non-applicable parts of the Standard may be claimed as exclusions.  An organization can only decide that a requirement is not applicable if…

  • it is not possible and/or
  • its decision will not affect its ability or responsibility to ensure the conformity of products and services to customer requirements.

Justification for exclusions must be documented.

I hear that there is greater emphasis on regulatory requirements in the new version. How significant?

In the 2003/2012 version regulations were mentioned 16 times; while in the 2016 version you will find regulations mentioned 72 times.

The Medical Device Single Audit Program (MDSAP) is based on ISO 13485.  What is this and will it affect the European Regulatory Area?

International regulators have sought an agreed global approach to medical device manufacturing oversight for some time.  Their grouping, IMDRF, the International Medical Device Regulatory Forum, is well-advanced on a pilot program, MDSAP, which will conclude in 2016, and which it is hoped will be adopted by the participating bodies in 2017.  Regulatory bodies from USA, Canada, Brazil, Japan and Australia are the ones directly involved; the European Medicines Agency have only a ‘watching brief’ involvement.

The MDSAP is intended to allow MDSAP-recognized Auditing Organizations (AOs) to conduct a single audit of a medical device manufacturer that will satisfy the relevant requirements of the medical device regulatory authorities participating in the scheme. Even before the pilot is completed, Canada Health has announced its formal adoption for Canada from 2019.

AOs include many European Notified Bodies and consequently the possibility of a single audit by an AO in fulfilment of both EU and MDSAP regulatory requirements is very real. EU authorities have made no announcement to date of permitting such audits.

Note that it is not intended that manufacturers of new and/or high-risk class 3 devices would be included in MDSAP where current direct inspections by regulatory bodies will continue.

What impact will the new EU Medical Device Requirements (MDRs) have for users of ISO 13485?

It is now five years since work on these Directives began (AIMDD, MDD and IVDD) and, while completion of their transit through the European Commission and Parliament nears its end (2017 seems the most likely completion date), there is much detailed ‘legwork’ to be done before the Directives can become law.  For example, there needs to be agreement on the unique device identification scheme to be introduced with the US FDA and other regulators to avoid a confusing multiplicity of identifiers for a given device to be sold in multiple markets.

Will suppliers to medical device manufacturers be affected by the new MDRs?

This certainly seems likely.  The entire supply chain – materials, packaging and labelling, distribution and other services – will be affected.  The current draft MDRs include a requirement that Notified Bodies will be required to extend vigilance and post-market surveillance audits to the supply chain.

This means that suppliers to medical device manufacturers will also be subject to ‘surprise’ audits.



The following sources were used in the preparation of these notes:

  1. Various articles, 2015, ISO/TC 176/SC2
  2. Overview: ISO 13485 – Quality management for medical devices, March 2016, ISO