ISO 13485 – Requirements for Medical Device Quality Management Systems

March 10, 2016

On February 25, 2016, the International Organization for Standardization (ISO) published its updated ISO 13485 guidance. The guidance, which was originally published in 2003, is the global standard for medical device quality management systems. Specifically, the guidance includes “requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices related to services that consistently meet customer and applicable regulatory requirements.”

The requirements for a medical device quality management system are comprehensive, and adoption of the ISO 13485 standard provides a way for organizations to meet these strict requirements.

Is ISO 13485 Certification Required?

ISO 13485 certification is not legally required, as organizations can create a quality management system suited to their own unique needs so long as it meets the regulatory requirements for medical devices where they will be made and sold. Organizations may choose to implement the ISO 13485 standard without seeking certification. However, ISO 13485 certification is an extra step that can show regulators you’ve met the requirements of the standard.

ISO 13485 Requirements Overview

If organizations choose to adopt the ISO 13485 standard and/or seek certification, it's important to understand its requirements. ISO 13485 has several requirements to ensure the medical device meets all regulatory requirements. These requirements apply to all organizations regardless of size unless specifically noted.

ISO 13485 is split up into eight sections. The first three sections of ISO 13485 are an introduction, while the remaining five sections provide mandatory requirements for the quality management system. Here is an overview of each section:

  • Section 1: Scope: A high-level overview of ISO 13485 including its purpose and applicability
  • Section 2: Normative references: Notes that ISO 9000:2015 will be referenced
  • Section 3: Terms and definitions: Provides a list of relevant terms and definitions with regard to ISO 13485
  • Section 4: Quality management systems: General quality management system requirements, and documentation requirements for ISO 13485
  • Section 5: Management responsibility: Discusses the need for top management to commit to the development and implementation of ISO 13485
  • Section 6: Resource management: States the need for the organization to identify and provide all resources to implement and maintain ISO 13485
  • Section 7: Product realization: Discusses the organizational requirements for product realization
  • Section 8: Measurement, analysis, and improvement: Provides requirements for organizations to monitor, measure, analyze, and improve processes regarding the product and quality management system.

For more information, you can view the full ISO 13485 documentation.

Who is ISO 13485 for?

According to the ISO Transition Planning Guidance, the updated document “is intended for current users of ISO 13485:2003, those who are intending to use ISO 13485:2016, as well as other interested parties” including, but not limited to:

  • Medical device manufacturers
  • Accreditation bodies
  • Certification bodies
  • Registrars
  • Regulatory authorities responsible for implementation and surveillance of medical device regulatory requirements that will include the use of ISO 13485:2016
  • International and national standards bodies.

In addition, ISO has stated that the “requirements of ISO 13485:2016 are applicable to organizations regardless of their size and regardless of their type except where explicitly stated. Wherever requirements are specified as applying to medical devices, the requirements apply equally to associated services as supplied by the organization.”

ISO 13485:2003 vs. ISO 13485:2016

The revised guidance highlights the importance of having a quality management system (QMS) in place throughout the supply chain. Furthermore, ISO 13485:2016 draws particular attention to requirements regarding device usability and post-market surveillance.

Although the new document is simply a revision to the original guidance, there are a number of fairly significant differences between the two. According to the Regulatory Affairs Professionals Society (RAPS), the largest differences between the 2003 and 2016 versions of the guidance include the following:

  • “Incorporation of risk-based approaches beyond product realization. Risk is considered in the context of the safety and performance of the medical device and in meeting regulatory requirements;
  • Increased linkage with regulatory requirements, particularly for regulatory documentation;
  • Application to organizations throughout the life cycle and supply chain for medical devices;
  • Harmonization of the requirements for software validation for different software applications (QMS software, process control software, software for monitoring and measurement) in different clauses of the standard;
  • Emphasis on appropriate infrastructure, particularly for production of sterile medical devices, and addition of requirements for validation of sterile barrier properties;
  • Additional requirements in design and development on consideration of usability, use of standards, verification and validation planning, design transfer and design records;
  • Emphasis on complaint handling and reporting to regulatory authorities in accordance with regulatory requirements, and consideration of post-market surveillance; and
  • Planning and documenting corrective action and preventive action, and implementing corrective action without undue delay.”

Differences Between ISO 13485 and EN ISO 13485

While ISO 13485 is an internationally recognized standard set of requirements for medical devices, it also has a European counterpart (EN ISO 13485) which is issued in the EU with one key addition. ISO 13485 and EN ISO 13485 have the same main text, but EN ISO 13485 includes additional Z annexes regarding compliance with MDD (directives 90/385/EEC, 93/42/EEC, and 98/79/EC).

ISO 13485:2003 Expiration Date

Manufacturers, regulators, certification bodies, and any other applicable parties were given three years to transition from ISO 13485:2003 to ISO 13485:2016. As of 2/28/2019, any existing ISO 13485:2003 certificates are expired.

Do you manufacture a medical device or any other type of FDA-regulated product?

We can help ensure that your product is compliant with all regulatory requirements. Do not hesitate to contact us with questions about preparing for these or any other regulatory standards. For additional information on our services and how we can help you, contact us today.

