ISO 13485

ISO 13485 is an internationally recognized standard that sets out the requirements for a quality management system specific to the medical devices industry. It is designed to be used by organizations involved in the design, production, installation, and servicing of medical devices and related services.

Definition and purpose

ISO 13485 specifies requirements for a quality management system wherein an organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer requirements and regulatory requirements applicable to medical devices and related services.

Governing body

The standard is published by the International Organization for Standardization (ISO).

Last updated

ISO 13485:2016 was published in 2016. It was reviewed and confirmed in 2020 and remains current.

Applies to

ISO 13485 applies to organizations involved in the entire lifecycle of medical devices, from design and development to production, distribution, installation, and servicing. This includes suppliers and other external parties providing products or services to such organizations.

Controls and requirements

Some key requirements and sections of the ISO 13485 standard include:

  • Scope of the quality management system.
  • Quality Management System general requirements, including documentation.
  • Management Responsibility for quality, including a focus on customer requirements and resource management.
  • Resource Management to ensure the competence and training of personnel.
  • Product Realization covering design and development, purchasing, production, and service provision.
  • Measurement, Analysis, and Improvement to ensure product conformity, corrective actions, and preventive actions.
  • Regulatory requirements specific to medical devices.
  • Risk Management throughout product realization.
  • Validation of processes for production and service provision.

Please refer to the official ISO 13485:2016 standard documentation for a detailed list of controls and requirements.

Audit type, frequency, and duration

ISO 13485 audits can be internal (conducted by the organization itself) or external (conducted by third-party certification bodies). The external audit can be broken down into Stage 1 (preliminary assessment) and Stage 2 (comprehensive assessment). Internal audits are usually annual, but the frequency can be determined by the organization based on its internal audit procedure. For maintaining certification, surveillance audits are typically conducted annually by certification bodies, with a recertification audit every three years.

The audit duration depends on various factors like the size of the organization, complexity of processes, number of products, and the scope of the audit. A small organization might need just a few days, while larger entities could require several weeks.
