ISO 13485

ISO 13485, Medical devices – Quality management systems – Requirements for regulatory purposes, is an internationally agreed standard that sets out the requirements for a quality management system specific to the medical devices industry.

It is designed to be used by organizations throughout the life cycle of a medical device, from initial conception to production and post-production, including final decommission and disposal. It also covers aspects such as storage, distribution, installation and servicing, and the provision of associated services.

In addition, the standard can be used by other internal and external parties, such as certification bodies, to help them with their certification processes, or by supply chain organizations that are required by contract to conform. ISO 13485 helps an organization design a quality management system that establishes and maintains the effectiveness of its processes. It reflects a strong commitment to continual improvement and gives customers confidence in its ability to bring safe and effective products to market.

What is a medical device?

A medical device is an instrument, apparatus, implement, machine, implant, in vitro reagent, or other similar article, that is intended for use in the diagnosis, prevention and treatment of disease or other medical conditions.

There is a huge variety of medical devices, ranging from basic hand tools to complex computer- controlled machines. These include simple devices like wound dressings and scalpels; durable devices like wheelchairs and dentist chairs; implantable devices like cardiac pacemakers and monitors, prosthetic limbs and prosthetic joints; life-supporting devices like respirators and lung ventilators; sophisticated, software-controlled devices like CT scanners and MRI machines; and in vitro diagnostic reagents and test kits.

What is a quality management system?

A quality management system (QMS) is a set of policies, processes and procedures that help an organization meet the requirements expected by its stakeholders. It is based on the Plan-Do-Check-Act cycle, a four-step management method used in business for the control and continual improvement of processes and products. In the medical devices industry, a QMS is required by regulators in most countries. ISO 13485 enables an organization to consistently provide safe and effective medical devices and fulfil customer and regulatory requirements. It is also flexible enough to meet the individual needs of different types of medical devices organizations.

Regulations differ widely from one country to another. For this reason, ISO 13485 does not set detailed requirements, but asks a medical devices organization to identify those regulatory requirements that are relevant to its individual situation and incorporate them into its QMS. Moreover, the standard is compatible with an organization’s other management systems.

What benefits will it bring to my organization?

Safety and performance of medical devices are paramount in this highly regulated industry; this is why quality management systems are a regulatory or legal requirement in many countries. ISO 13485 can help organizations involved in any part of a medical device’s life cycle:

  • Demonstrate compliance with regulatory and legal requirements
  • Ensure the establishment of QMS practices that consistently yield safe and effective medical devices
  • Manage risk effectively
  • Improve processes and efficiencies as necessary
  • Gain a competitive advantage

Why was ISO 13485 revised?

All ISO standards are reviewed and revised regularly to make sure they remain relevant to the marketplace. ISO 13485:2016 responds to the latest QMS practices, reflecting the evolution in medical device technology and changes in regulatory requirements and expectations. This ensures that the standard remains compatible with other management system standards, including the new edition of ISO 9001.

What are the key improvements?

The new version of ISO 13485 places greater emphasis on risk management and risk-based decision making for processes outside the realm of product realization. The focus is on risks associated with the safety and performance of medical devices and compliance with regulatory requirements. In addition, the standard asks organizations to be more stringent when it comes to outsourcing processes by put- ting into place controls, such as written agreements, for assessing their suppliers – again based on risk.

ISO 13485 also reflects the increased regulatory requirements for organizations across the medical devices sup- ply chain, namely:

  • A greater emphasis on appropriate infrastructure, particularly for the production of sterile medical devices, and additional requirements for the validation of sterile barrier properties
  • Increased alignment with regulatory requirements and, in particular, regulatory documentation
  • More focus on post-market activities, including complaint handling and regulatory reporting
  • Broadening of the standard’s application to encompass organizations that interact with the medical devices manufacturer, including those involved in:
    • Design and development or repair and maintenance of medical devices
    • Supply of raw materials, components or subassemblies
    • Performance of services such as contract manufacture, sterilization, logistics or calibration of measurement equipment
    • Import or distribution of medical devices
  • Additional requirements in the design and development of medical devices, taking into consideration their usability, the use of standards, and a more robust planning for the verification, validation, transfer and records maintenance of the design and development activities
  • Harmonization of validation requirements for different software applications, such as QMS software, process control software, software for monitoring and measurement+

I am certified to ISO 13485:2003, what does it mean for me?

Certification is not a requirement of ISO 13485, and organizations can reap the benefits of the standard without being certified. However, third-party certification – where an independent certification body audits your compliance to the standard

– can be a way of demonstrating to stakeholders and regulatory authorities that you meet the requirements.

Organizations certified to ISO 13485:2003 are granted a three-year transition period to migrate to the new edition of the standard. After this time, if you wish to obtain third-party validation, you will have to seek certification to the new version. For more details about transitioning to ISO 13485:2016, talk to your certification body. Additional information may be obtained at

Relationship with ISO 9001

While ISO 13485 is a stand-alone standard, it is similar in scope and intent to ISO 9001, Quality management systems. It contains additional requirements specific to organizations involved in the life cycle of medical devices, while other elements of ISO 9001 have been removed that are not relevant as regulatory requirements. Like all ISO management system standards, it is designed to be integrated into an organization’s existing management systems.



  • ISO Website

  • ISO Website section on health

  • ISO Website section on management standards

  • ISO focus magazine