What Is ISO 13485? A Guide to Medical Device Quality Management Systems
The Essential Guide to Requirements Management and Traceability
Chapter 10: What Is ISO 13485? A Guide to Medical Device Quality Management Systems
A registrar arrives for a Stage 2 audit, asks to sample one design input, and follows the trail through risk records, verification results, and a signed design review without anyone scrambling for a binder. That is what a working ISO 13485 quality management system looks like in practice.
Now that the FDA’s Quality Management System Regulation (QMSR) has pulled ISO 13485:2016 into 21 CFR Part 820 by reference, the standard sits at the center of medical device compliance across US, EU, and MDSAP markets. This guide covers the eight clauses of ISO 13485:2016, how the standard ties into ISO 9001, ISO 14971, IEC 62304, and EU MDR, and what the certification path looks like under the QMSR.
What Is ISO 13485?
ISO 13485:2016 defines the QMS requirements an organization needs to consistently meet customer and applicable regulatory requirements for medical devices. Conformity is voluntary at the standard level, but third-party certification is the practical route most manufacturers take to support market access.
Its 2016 revision added explicit risk-based thinking across the QMS itself, separate from the product-level risk management ISO 14971 covers. That change is one reason the FDA later chose to incorporate ISO 13485:2016 by reference instead of maintaining a parallel set of QS Regulation requirements.
Who ISO 13485 Applies To
ISO 13485 applies to any organization involved in the lifecycle of a medical device, including design and development, production, installation, servicing, and distribution. Contract manufacturers, sterilization providers, importers, and component suppliers are all in scope when their work affects device safety or performance.
A Short History of the 2016 Edition
ISO 13485 was first published in 1996 as a medical-device adaptation of ISO 9001, then revised in 2003. The 2016 third edition decoupled from ISO 9001 and rebuilt around regulatory expectations from FDA, Health Canada, and notified bodies.
The Eight Clauses of ISO 13485:2016
The standard is organized into eight clauses. Clauses 1 through 3 set the foundation, and Clauses 4 through 8 contain the auditable requirements registrars and FDA investigators sample during audits.
Clauses 1–3: Scope, References, and Definitions
Clause 1 (Scope), Clause 2 (Normative References), and Clause 3 (Terms and Definitions) frame the standard. They define which organizations the document applies to, which referenced standards apply, and the vocabulary used throughout. These clauses are not auditable on their own, but they govern how every requirement that follows is interpreted.
Clause 4: Quality Management System Requirements
Clause 4 sets out the general QMS requirements, including documented procedures, a quality manual, a medical device file for each device family, and document and record control. It is also where the 2016 risk-based approach lands at the QMS level, requiring the organization to apply risk management to QMS processes, not only to products.
The medical device file is the per-product folder a registrar usually samples first. For each device family, Clause 4.2.3 expects a description of the device and its intended use, product specifications, labeling and instructions for use, procedures for manufacturing and packaging, procedures for measuring and monitoring, and procedures for installation and servicing where applicable. It is the running record of how a device is built, controlled, and supported, and Clause 4.2.3 expects it to be kept current as the design evolves.
Clause 5: Management Responsibility
Top management has to set quality policy and objectives, plan the QMS, conduct management reviews, and appoint a Management Representative who reports on QMS performance. ISO 13485:2016 keeps the Management Representative role that ISO 9001:2015 dropped, and registrars look for evidence the role is active.
Clause 6: Resource Management
Clause 6 covers people, infrastructure, and work environment. Personnel competence and training records, facility controls, and contamination controls sit here, alongside specific provisions for sterile and implantable devices. Resource management often reads light, but it is where audits surface gaps in training records and environmental monitoring.
Clause 7: Product Realization and Design Controls
Clause 7 is the largest and most heavily audited clause. It covers planning, customer-related processes, design and development, purchasing, production and service provision, and control of monitoring and measuring equipment. Design controls under Clause 7.3 line up closely with the FDA design control framework, and Clause 7.5.8 covers product identification and traceability that align with regulatory requirements such as unique device identification under 21 CFR Part 830.
Clause 8: Measurement, Analysis, and Improvement
Clause 8 closes the loop. Internal audits, control of nonconforming products, complaint handling, regulatory reporting, and corrective and preventive action (CAPA) live here. Most CAPA findings during certification audits trace back to weak linkages between Clause 8 records and the design and risk records in Clause 7.
How ISO 13485 Connects to ISO 9001, ISO 14971, IEC 62304, and EU MDR
ISO 13485 does not sit alone. Most teams implement it inside a small set of companion standards and regulations that cover risk, software lifecycle, and EU market access.
ISO 13485 vs. ISO 9001
ISO 13485 grew out of ISO 9001, but the two have diverged. ISO 9001:2015 emphasizes continual improvement to enhance customer satisfaction, while ISO 13485:2016 requires the organization to maintain QMS effectiveness and meet applicable regulatory requirements that protect device safety. Conformity to one does not imply conformity to the other.
ISO 14971 and IEC 62304 as Companion Standards
ISO 14971:2019 is the standard for application of risk management to medical devices, and ISO 13485 Clause 7 references it throughout product realization. For software-containing devices, IEC 62304 defines the software lifecycle processes that sit inside the ISO 13485 QMS. Most teams treat all three as one connected compliance effort.
EU MDR and IVDR
EU MDR 2017/745 Article 10 requires manufacturers to maintain a QMS, and ISO 13485 is the standard most teams use to support Annex IX conformity assessment. The same applies to IVDR 2017/746 for in vitro diagnostics. Notified bodies typically expect a certified ISO 13485 QMS during conformity assessment, even though the regulation itself does not name it.
ISO 13485 and the FDA’s Quality Management System Regulation (QMSR)
The FDA published the QMSR Final Rule on January 31, 2024 (Federal Register publication February 2, 2024). The rule retitled 21 CFR Part 820 from the Quality System Regulation to the Quality Management System Regulation and incorporated ISO 13485:2016 by reference. The QMSR took effect on February 2, 2026.
What Changed Under 21 CFR Part 820 in February 2026
Many prior Part 820 numbered requirements were withdrawn and replaced with references to ISO 13485:2016, including design controls, document controls, purchasing controls, production controls, and CAPA. US manufacturers already running an ISO 13485 QMS saw the smallest amount of rework. Teams running a Part 820-only QMS had to remap procedures to the ISO clause structure.
Where ISO 13485 Ends and FDA-Specific Requirements Begin
The QMSR did not adopt ISO 13485 wholesale. Several Part 820 sections were retained because they cover obligations ISO 13485 does not address, and three come up most often during US audits:
- Section 820.10: Brings ISO 13485:2016 QMS requirements into Part 820 while preserving FDA device-specific obligations.
- Section 820.35: Preserves Medical Device Reporting documentation under 21 CFR Part 803, complaint and servicing records, and unique device identification documentation under Part 830.
- Section 820.45: Retains FDA labeling and packaging inspection requirements ISO 13485 does not address separately.
The FDA neither requires nor issues ISO 13485 certificates, and a certified QMS does not exempt a manufacturer from inspection.
The Path to ISO 13485 Certification
Certification is not required by ISO itself, but most manufacturers pursue it to support market access in the EU, in MDSAP jurisdictions, and on customer audits. The process runs through an accredited certification body, also called a registrar.
Stage 1 and Stage 2 Audits
Initial certification is a two-stage external audit. Stage 1 is a documentation review of the QMS for completeness and readiness against the ISO 13485 clauses. Stage 2 is an on-site audit of how the QMS is implemented day to day, sampling design records, risk files, CAPA, and supplier records. Registrars schedule the two stages weeks or months apart so teams can address Stage 1 findings first.
Surveillance and the Three-Year Cycle
ISO 13485 certificates are valid for three years. Registrars maintain certification through annual surveillance audits and conduct a full recertification audit at the end of the third year.
MDSAP and the Single-Audit Path
The Medical Device Single Audit Program lets a recognized auditing organization run one ISO 13485-based audit that satisfies the QMS requirements of five regulators: Australia (TGA), Brazil (ANVISA), Canada (Health Canada), Japan (MHLW and PMDA), and the US (FDA). Health Canada requires MDSAP for market access, while the other four regulators accept it. The FDA recognizes MDSAP audit reports in lieu of routine inspection, though for-cause and pre-approval inspections still apply. For manufacturers selling into more than one of those markets, a single audit cycle replaces what used to be several, which is the practical reason most multi-market teams pursue it.
Common Pitfalls That Derail ISO 13485 Compliance
Most ISO 13485 findings cluster around the same weaknesses, and they tend to trace back to records that were assembled before an audit instead of maintained during development. Four come up most often:
- Weak design and risk linkage: Design inputs, design outputs, verification results, and ISO 14971 risk records living in separate tools rarely line up cleanly when a registrar samples one requirement end to end.
- CAPA without root cause: CAPA records that document the corrective action without a defensible root cause analysis are one of the most common findings under Clause 8.
- Supplier control gaps: Clause 7.4 expects evaluation, selection, and ongoing monitoring of suppliers, and registrars frequently find supplier files that stop at initial qualification.
- Stale management review: Clause 5.6 expects management review to drive QMS improvements, and meeting minutes that read as a status update without decisions or actions consistently come back as findings.
Addressing these during the QMS build, instead of during the registrar’s first visit, is the difference between a clean certification audit and a long list of nonconformities.
How Jama Connect Supports ISO 13485 Compliance
Most ISO 13485 nonconformities trace back to gaps between design inputs, risk records, verification evidence, and the change history that connects them. The records exist, but they sit in spreadsheets, document stores, and ticket systems that no one wired together until the registrar arrived. By then, reconstructing the trail before Stage 2 is its own project.
Jama Connect® is a requirements management platform with a pre-built medical device framework aligned to ISO 13485, IEC 62304, ISO 14971, and FDA design controls under the QMSR. The framework includes templates for design inputs, design outputs, and Design History File and Device Master Record exports, and it ties risk management records from FMEA and hazard analysis directly to design inputs and verification. Live Traceability™ keeps requirements, risk records, design outputs, and test cases connected as designs change, so a single requirement edit flags every downstream record that needs review.
Building ISO 13485 Compliance Into Daily Engineering Work
ISO 13485 rewards teams that wire records together as designs evolve. The QMSR raised the stakes for US manufacturers by pulling the standard into 21 CFR Part 820 by reference, so the same trace that supports an EU notified body now supports an FDA investigator.
If your design controls, risk records, and verification evidence still live in separate tools and your next QMSR-aligned audit is on the calendar, the gaps tend to surface at the worst time. Start a free 30-day trial of Jama Connect and see how its medical device framework keeps design, risk, and verification linked when an auditor traces a single requirement end to end.
Frequently Asked Questions About ISO 13485
Is ISO 13485 certification mandatory?
Third-party certification is voluntary under the standard itself. The FDA does not require or issue ISO 13485 certificates, even after the QMSR took effect on February 2, 2026. In the EU and in MDSAP jurisdictions, certification is the practical route most manufacturers take to support market access, and notified bodies often expect a certified QMS during MDR Annex IX conformity assessment.
How does ISO 13485 differ from ISO 9001?
ISO 13485 grew out of ISO 9001, but it is a standalone standard, and conformity to one does not imply conformity to the other. ISO 9001:2015 emphasizes continual improvement to enhance customer satisfaction, while ISO 13485:2016 requires manufacturers to maintain QMS effectiveness and meet regulatory requirements that support device safety. ISO 13485 also keeps prescriptive documentation requirements such as a quality manual and a Management Representative that ISO 9001:2015 dropped.
Does ISO 13485 certification satisfy FDA requirements?
No. The QMSR pulls ISO 13485:2016 into 21 CFR Part 820 by reference, but it preserves FDA-specific obligations such as Medical Device Reporting under Part 803, unique device identification under Part 830, and labeling and packaging controls under Section 820.45. The FDA neither requires nor issues ISO 13485 certificates, and an existing certificate does not exempt a manufacturer from FDA inspection.
How long does ISO 13485 certification take to obtain?
Timing depends on QMS readiness more than on audit calendars. Most teams complete preparation, Stage 1, Stage 2, and the certification body decision in 6 to 12 months, with single-site startups closer to 6 and multi-site organizations closer to 12. Registrars expect real records, internal audit results, and at least one management review before Stage 2, so operating history paces the calendar more than paperwork does.
How much does ISO 13485 certification cost?
Accredited certification bodies do not publish standard fee schedules, but most teams budget between $15,000 for a lean single-site startup and $100,000 or more for a multi-site organization with complex devices. The main drivers are headcount, number of sites, device complexity, and whether outside consultants help with the QMS build. Surveillance audits add a recurring annual cost on top of the initial certification.
This article was authored by Tom Rish and published on May 6, 2026.