ISO 13485:2016 is the international standard for quality management systems in the medical device industry. It specifies requirements for a QMS that demonstrates the ability to provide medical devices and related services that consistently meet customer and regulatory requirements

ISO 13485:2016 was published on March 1, 2016

This standard is essential for medical device manufacturers, suppliers to the medical device industry, regulatory affairs professionals, quality assurance managers, and healthcare technology companies

ISO 13485:2016 applies to organizations involved in one or more stages of the medical device life-cycle, including design, development, production, storage, distribution, installation, servicing, and final decommissioning

While not always mandatory, certification is often required for regulatory compliance and market access. For the FDA, conformity with ISO 13485:2016 and additional QMSR requirements is needed from February 02, 2026

Key requirements include:

• Establishing a QMS with documented processes
• Implementing risk management throughout the QMS
• Maintaining a medical device file for each product
• Ensuring design and development controls
• Managing suppliers and outsourced processes
• Implementing production and process controls
• Conducting internal audits and management reviews

Required documentation includes:

• Quality manual
• Quality policy and objectives
• Documented procedures and records
• Documents needed for effective planning, operation, and control of processes

• Understand ISO 13485:2016 requirements
• Develop a Quality Management System
• Conduct a gap analysis
• Implement necessary changes
• Conduct internal audits
• Select a certification body
• Undergo the certification audit

Implementation time varies depending on the organization's size and complexity, but typically ranges from 6 to 12 months

Training should cover:

• ISO 13485:2016 requirements
• QMS processes and procedures
• Job-specific responsibilities
• Risk management
• Regulatory requirements

Organizations must evaluate the effectiveness of training actions taken. This can be done through assessments, quizzes, or observation of improved job performance

The FDA is harmonizing its Quality System Regulation (QSR) with ISO 13485:2016. The new Quality Management System Regulation (QMSR) will align closely with ISO 13485:2016 requirements

Yes, ISO 13485:2016 is widely recognized and adopted globally, particularly in countries with significant medical device industries

The standard requires organizations to continually improve the effectiveness of their QMS through the use of quality policy, objectives, audit results, data analysis, corrective and preventive actions, and management review

Risk management is a key focus, requiring organizations to apply a risk-based approach to control processes and maintain an effective QMS throughout the product lifecycle

ISO 13485:2016 provides detailed requirements for design and development processes, including:

• Planning and input requirements
• Design and development outputs
• Design reviews and verification
• Design validation
• Design transfer to manufacturing
• Control of design changes
• Design and development files

Design validation should:

• Be performed on representative product samples
• Ensure the product meets user needs and intended uses
• Include clinical evaluations or performance evaluations where appropriate
• Be completed before product release for use

The standard requires organizations to:

• Implement systematic procedures to collect and review production and post-production information
• Determine the need for action, including reporting to regulatory authorities
• Handle customer complaints
• Implement effective product recall procedures

Organizations must:

• Establish documented procedures for notification to regulatory authorities
• Maintain records of reportable events
• Investigate adverse events and implement necessary corrective actions

The standard requires validation of software used in:

• The quality management system
• Production and service provision
• Monitoring and measurement of requirements
  Validation should be proportionate to the risk associated with the use of the software.

Software should be revalidated:

• After changes or upgrades
• After maintenance activities that could affect software performance
• At planned intervals based on risk assessment

The standard requires organizations to:

• Establish criteria for supplier evaluation and selection
• Monitor and re-evaluate supplier performance
• Ensure purchased products conform to specified requirements
• Maintain documented purchasing information

Supplier audits should:

• Be risk-based, considering the impact of the supplied product on final device quality
• Evaluate the supplier's ability to meet specified requirements
• Include on-site audits where appropriate
• Result in documented evidence of supplier conformity

The standard requires validation of:

• Production processes where the resulting output cannot be verified
• Sterilization processes
• Clean room and controlled environment processes
• Software used in production and service provision

Organizations should:

• Define validation protocols with acceptance criteria
• Perform validation using worst-case scenarios
• Document validation results
• Implement ongoing process monitoring
• Revalidate processes after significant changes

The standard:

• Aligns with regulatory requirements in major markets (e.g., EU, USA, Canada)
• Provides a framework for meeting quality system requirements
• Facilitates regulatory submissions and inspections
• Supports compliance with market-specific regulations (e.g., EU MDR, MDSAP)

While ISO 13485:2016 certification doesn't automatically ensure EU MDR compliance, it provides a strong foundation. Organizations need to address additional MDR-specific requirements for full compliance.

Organizations must:

• Conduct internal audits at planned intervals
• Define audit criteria, scope, frequency, and methods
• Select impartial and objective auditors
• Ensure management takes timely corrective actions on audit findings
• Maintain audit records

Best practices include:

• Training internal auditors on ISO 13485:2016 requirements
• Using risk-based approaches to determine audit frequency and scope
• Implementing a robust CAPA system for addressing audit findings
• Regularly reviewing audit program effectiveness

Risk management is a key focus throughout the standard, requiring:

• Application of risk management techniques to product realization processes
• Consideration of risk in change management
• Risk-based approaches to supplier management and process controls
• Integration of risk management with post-market surveillance activities

ISO 14971 is the primary standard referenced for risk management in medical devices. Organizations should apply ISO 14971 principles throughout the product lifecycle.