ISO 13485:2016 Implementation Guide: Step-by-Step from Zero to Certification — QMS Structure, Clause-by-Clause Requirements, Cost, Timeline, and FDA QMSR Alignment
Complete step-by-step guide to implementing ISO 13485:2016 from scratch. Covers all 8 clauses, documentation hierarchy, certification process (Stage 1 and Stage 2 audits), costs ($5K-$60K+), timeline (6-24 months), notified body selection, and alignment with FDA QMSR effective February 2026.
ISO 13485 Is Now the Foundation of FDA Device Regulation
On February 2, 2026, the FDA's Quality Management System Regulation (QMSR) became effective, incorporating ISO 13485:2016 by reference into 21 CFR Part 820. This means the international standard that has governed medical device quality systems in Europe, Japan, Canada, and Australia for years is now the baseline for U.S. device manufacturing compliance as well.
For the approximately 53,000 organizations holding ISO 13485 certificates globally, this alignment reduces regulatory burden. For companies without ISO 13485 — particularly U.S. manufacturers who operated only under the old QSR — it represents a fundamental shift. The FDA will not require ISO 13485 certification, but inspectors will assess compliance against ISO 13485 requirements during FDA inspections using the new Compliance Program 7382.850.
Whether you are building a QMS from scratch for a startup, transitioning from the old QSR to QMSR, or pursuing formal ISO 13485 certification for market access, this guide provides the complete implementation roadmap: every clause, every step, every cost, and every timeline.
What Is ISO 13485:2016?
ISO 13485:2016 — Medical devices — Quality management systems — Requirements for regulatory purposes — is the internationally recognized standard defining quality management system requirements specific to the medical device industry.
Unlike ISO 9001 (the general quality management standard), ISO 13485 is designed for an environment where the primary focus is regulatory compliance and patient safety, not customer satisfaction. Key differences from ISO 9001:
| Dimension | ISO 9001 | ISO 13485:2016 |
|---|---|---|
| Primary focus | Customer satisfaction | Regulatory compliance, device safety and effectiveness |
| Structure | Annex SL (10 clauses) | Independent structure (8 clauses) |
| Risk | Risk-based thinking (broad) | Risk management integrated throughout (ISO 14971 aligned) |
| Documentation | Less prescriptive | Highly prescriptive — specific procedures and records required |
| Continuous improvement | Core requirement | Required, but through corrective action rather than customer feedback |
| Design controls | Not specific | Mandatory for device manufacturers — design inputs, outputs, verification, validation |
| Traceability | General requirement | Enhanced — implantable devices require full component and environmental records |
| Regulatory alignment | None | Explicitly requires compliance with applicable regulatory requirements |
| Certification purpose | Business improvement | Regulatory market access (EU MDR, MDSAP, TGA, etc.) |
The 8 Clauses of ISO 13485:2016
ISO 13485 has 8 clauses. Clauses 1-3 are scope, normative references, and terms. Clauses 4-8 contain the requirements your QMS must meet.
Clause 1: Scope
Defines that the standard applies to organizations involved in one or more stages of the medical device lifecycle, including design, production, storage, distribution, installation, servicing, and decommissioning. The standard can also apply to suppliers and external parties providing services to such organizations.
Clause 2: Normative References
References ISO 9000:2015 (Quality management systems — Fundamentals and vocabulary) for terms and definitions.
Clause 3: Terms and Definitions
Defines key terms used throughout the standard. Important definitions include:
- Medical device: Instrument, apparatus, implement, machine, appliance, implant, reagent for in vitro use, software, material, or other similar article intended by the manufacturer to be used alone or in combination
- Manufacturer: Natural or legal person with responsibility for design and/or manufacture of a medical device
- Authorized representative: Natural or legal person established within a country that has received written acceptance from the manufacturer to act on their behalf for specified tasks
Clause 4: Quality Management System
| Sub-clause | Requirement | Key Actions |
|---|---|---|
| 4.1 | General requirements | Establish, document, implement, and maintain a QMS. Determine processes needed, their sequence and interaction. Outsource processes must be controlled. |
| 4.1.3 | Application to products | For regulatory compliance, apply relevant requirements based on the role you play in the product lifecycle |
| 4.1.5 | Outsourced processes | Control and monitor outsourced processes. The organization retains responsibility for conformity. Document quality agreements. |
| 4.2 | Documentation requirements | Quality manual, medical device file, documented procedures, and records |
| 4.2.1 | General | Document the quality policy, quality objectives, quality manual, documented procedures, documents needed for planning and operation, records |
| 4.2.2 | Quality manual | Include scope, exclusions with justification, documented procedures or references, description of process interactions |
| 4.2.3 | Medical device file | For each device type or family: specifications, manufacturing procedures, labeling, measuring/monitoring instructions |
| 4.2.4 | Control of documents | Approve before issue, review periodically, identify changes, ensure versions available at point of use, legible, identifiable |
| 4.2.5 | Control of records | Retain for at least the product lifetime or as required by regulation, minimum 2 years. Legible, identifiable, retrievable. |
Clause 5: Management Responsibility
| Sub-clause | Requirement |
|---|---|
| 5.1 | Management commitment — establish quality policy, ensure resources, conduct management reviews |
| 5.2 | Customer focus — meet customer and regulatory requirements |
| 5.3 | Quality policy — appropriate to the organization, communicated, reviewed |
| 5.4 | Planning — quality objectives and QMS planning |
| 5.5 | Responsibility, authority, and communication — define and communicate roles |
| 5.6 | Management review — at planned intervals, with defined inputs and outputs |
Clause 6: Resource Management
| Sub-clause | Requirement |
|---|---|
| 6.1 | Provision of resources — determine and provide needed resources |
| 6.2 | Human resources — personnel must be competent (education, training, skills, experience). Training must be documented. Awareness of device impact on patient safety. |
| 6.3 | Infrastructure — buildings, workspace, process equipment, supporting services |
| 6.4 | Work environment — define, document, and monitor conditions for conformity and product safety. Contamination control where needed. |
Clause 7: Product Realization (The Core)
This is the most substantial clause and the heart of medical device manufacturing:
7.1 — Planning of Product Realization
Plan and document processes needed for product realization. Include quality objectives, product requirements, required processes and documents, verification/validation activities, and records.
7.2 — Customer-Related Processes
Determine requirements: specified requirements, intended use requirements, statutory and regulatory requirements, user training. Review before committing to supply.
7.3 — Design and Development
| Design Phase | Requirements |
|---|---|
| 7.3.2 Design inputs | Functional, performance, and regulatory requirements. Address output not verifiable later. Record and review inputs for adequacy. |
| 7.3.3 Design outputs | Meet input requirements, include acceptance criteria, define product characteristics essential for safety. Approved before release. |
| 7.3.4 Design review | At suitable stages. Participants include representatives from all functions concerned. Records of reviews and actions. |
| 7.3.5 Design verification | Output meets input requirements. Document results and conclusions. |
| 7.3.6 Design validation | Device meets user needs and intended use. On representative product. Include clinical evaluation if applicable. |
| 7.3.7 Design transfer | Procedures to ensure design outputs are verified as suitable for manufacturing before transfer. |
| 7.3.8 Design changes | Identify, document, and control changes. Evaluate effect on function, performance, safety. Verify and validate before implementation. |
| 7.3.9 Design history file (DHF) | Maintain records of design inputs, outputs, reviews, verification, validation, changes, and transfer. |
7.4 — Purchasing Control
Evaluate and select suppliers. Establish purchasing information including product requirements. Verify purchased products meet requirements. Maintain approved supplier list. Evaluate supplier performance.
7.5 — Production and Service Provision
| Sub-clause | Requirement |
|---|---|
| 7.5.1 | Production control — controlled conditions, documented procedures, controlled environment, monitoring equipment |
| 7.5.2 | Cleanliness of product — where required, define and document cleanliness requirements |
| 7.5.3 | Installation activities — if required, document acceptance criteria and verify |
| 7.5.4 | Servicing activities — if required, document procedures and records. Use for post-market feedback. |
| 7.5.5 | Particular requirements for sterile medical devices — sterilization processes must be validated |
| 7.5.6 | Validation of processes for production — where output cannot be verified by monitoring, validate the process. Document validation protocols and records. |
| 7.5.7 | Particular requirements for validation of processes for production — specific validation requirements for sterile, software, and automated processes |
| 7.5.8 | Identification — identify product throughout realization |
| 7.5.9 | Traceability — define extent of traceability. For implantable devices: record all components, materials, and work environment conditions. |
| 7.5.10 | Customer property — identify, verify, protect, and maintain customer property |
| 7.5.11 | Preservation of product — preserve during processing, storage, handling, and distribution |
7.6 — Control of Monitoring and Measuring Equipment
Determine monitoring and measurement needs. Provide appropriate equipment. Calibrate at specified intervals against traceable standards. Adjust as necessary. Protect from damage. Evaluate validity of previous results if equipment found out of calibration.
Clause 8: Measurement, Analysis, and Improvement
| Sub-clause | Requirement |
|---|---|
| 8.1 | General — plan and implement monitoring, measurement, analysis, and improvement processes |
| 8.2.1 | Feedback — collect and monitor data from production and post-production activities |
| 8.2.2 | Complaint handling — documented procedures for receiving, evaluating, investigating, and determining if reporting is required |
| 8.2.3 | Reporting to regulatory authorities — notify as required by applicable regulations |
| 8.2.4 | Internal audit — planned intervals, risk-based approach, trained auditors, documented procedures |
| 8.2.5 | Monitoring and measurement of processes — demonstrate process ability to achieve planned results |
| 8.2.6 | Monitoring and measurement of product — verify requirements met. Evidence maintained. Release by authorized person. |
| 8.3.1 | Control of nonconforming product — identify, document, evaluate, segregate. Determine disposition. Notify relevant parties. |
| 8.3.2 | Actions in response to nonconforming product detected before delivery — rework, re-inspect, or reject |
| 8.3.3 | Actions in response to nonconforming product detected after delivery — advisory notice, recall, investigation |
| 8.3.4 | Rework — document rework, re-inspect per applicable acceptance criteria and procedures |
| 8.4 | Analysis of data — collect and analyze data to evaluate QMS suitability and effectiveness. Include feedback, complaint data, process conformity, supplier performance, audit findings. |
| 8.5.1 | Improvement — improve QMS effectiveness through quality policy, objectives, audit results, data analysis, corrective actions, and management review |
| 8.5.2 | Corrective action — investigate nonconformities, determine causes, evaluate need for action, implement, review effectiveness, update risks, record changes |
| 8.5.3 | Preventive action — determine potential nonconformities, evaluate need for action, implement, review effectiveness, record changes |
Step-by-Step Implementation Roadmap
Phase 1: Foundation (Months 1-2)
| Step | Action | Output |
|---|---|---|
| 1.1 | Get management commitment | Executive sponsorship letter, budget approval, resource allocation. Without this, the project will fail. |
| 1.2 | Define scope | What products, processes, and sites will the QMS cover? What regulatory markets? Document the scope clearly. |
| 1.3 | Identify applicable requirements | List all legal, regulatory, customer, and standard requirements. Include EU MDR, FDA QMSR, MDSAP as applicable. |
| 1.4 | Conduct gap analysis | Compare current practices against ISO 13485 requirements. Document gaps by clause. Prioritize by risk. |
| 1.5 | Build the project plan | Timeline, milestones, owners, resources, budget. Include external consultant support if needed. |
| 1.6 | Establish the quality policy | Draft and approve the quality policy. Communicate to all employees. |
Phase 2: Documentation Development (Months 2-5)
| Step | Action | Output |
|---|---|---|
| 2.1 | Write the Quality Manual | Scope, exclusions with justification, organizational structure, process interaction map, reference to procedures |
| 2.2 | Develop Level 2 procedures | Design control, CAPA, document control, record control, purchasing, production control, complaint handling, internal audit, management review, training, calibration, nonconforming product, risk management |
| 2.3 | Develop Level 3 work instructions | Step-by-step instructions for critical manufacturing, testing, and inspection operations |
| 2.4 | Create Level 4 forms and templates | Batch records, inspection forms, training records, audit checklists, CAPA forms, complaint forms |
| 2.5 | Create medical device files | For each device type: specifications, manufacturing procedures, labeling, risk management file |
| 2.6 | Develop risk management documentation | Risk management plan per ISO 14971, risk analysis (FMEA/FMECA), risk evaluation, risk control measures, risk/benefit analysis |
Phase 3: Implementation (Months 4-8)
| Step | Action | Output |
|---|---|---|
| 3.1 | Train all personnel | Role-specific training on new procedures. Competency assessments. Training records. |
| 3.2 | Deploy the QMS | All procedures implemented. Document control system operational. Records being generated. |
| 3.3 | Execute design controls | For products under development: design plans, inputs, outputs, reviews, verification, validation |
| 3.4 | Qualify suppliers | Supplier evaluations, audits, quality agreements, approved supplier list |
| 3.5 | Validate processes | IQ/OQ/PQ protocols for critical manufacturing processes. Software validation per IEC 62304. |
| 3.6 | Establish calibration program | Identify instruments, establish calibration schedules, traceable to national/international standards |
| 3.7 | Operate the QMS for minimum 3 months | Generate records demonstrating effective implementation. BSI requires minimum 3 months of records at Stage 2 audit. |
Phase 4: Internal Audit and Management Review (Months 8-10)
| Step | Action | Output |
|---|---|---|
| 4.1 | Train internal auditors | ISO 19011 training, audit methodology, practical exercises |
| 4.2 | Conduct full internal audit | Audit all QMS processes. Document findings (nonconformities and observations). |
| 4.3 | Implement corrective actions | Close all internal audit nonconformities. Document root cause analysis and effectiveness verification. |
| 4.4 | Conduct management review | Review audit results, customer feedback, process performance, CAPA status, regulatory changes, quality objectives |
| 4.5 | Address management review outputs | Implement improvement actions from management review. Close before certification audit. |
Phase 5: Certification Audit (Months 10-14)
| Step | Action | Output |
|---|---|---|
| 5.1 | Select certification body | Choose an accredited certification body (see section below). Request proposal. Schedule audits. |
| 5.2 | Stage 1 audit | Document review and readiness assessment. Auditor reviews QMS documentation, scope, mandatory procedures. Identifies gaps. |
| 5.3 | Address Stage 1 findings | Close any minor findings from Stage 1. Typically 4+ weeks between Stage 1 and Stage 2. |
| 5.4 | Stage 2 audit | On-site assessment of QMS implementation. Auditor samples device files, production records, training, complaints, CAPA, supplier files, calibrations, validation evidence. |
| 5.5 | Address Stage 2 findings | Close nonconformities. Major nonconformities must be corrected and verified. Minor nonconformities need a credible plan. |
| 5.6 | Certification decision | Certification body reviews audit evidence and issues the certificate (typically 1-2 months after Stage 2). |
Phase 6: Maintenance (Ongoing)
| Activity | Frequency | Purpose |
|---|---|---|
| Surveillance audits | Annual | Certification body verifies continued compliance. Reviews mandatory elements plus selected processes. |
| Internal audits | Annual (minimum) | Risk-based schedule covering all QMS processes over the certification cycle |
| Management reviews | Annual (minimum) | Review QMS performance and improvement opportunities |
| Re-certification audit | Every 3 years | Full re-assessment before certificate expires |
ISO 13485 Certification Cost
Cost Breakdown
Costs vary significantly based on company size, number of sites, device complexity, and geographic location:
| Cost Category | Small Company (<25 employees) | Medium Company (25-100) | Large Company (100+ employees) |
|---|---|---|---|
| Consultant/implementation | $5,000-$15,000 | $15,000-$40,000 | $40,000-$100,000+ |
| Certification body (Stage 1+2) | $2,000-$5,000 | $5,000-$15,000 | $15,000-$40,000+ |
| Annual surveillance audits | $1,000-$3,000/year | $3,000-$8,000/year | $8,000-$20,000+/year |
| Re-certification (Year 3) | $2,000-$5,000 | $5,000-$15,000 | $15,000-$40,000+ |
| Training | $2,000-$5,000 | $5,000-$15,000 | $15,000-$30,000 |
| Document management system | $3,000-$10,000 | $10,000-$30,000 | $30,000-$100,000+ |
| Total first year | $15,000-$40,000 | $40,000-$120,000 | $120,000-$350,000+ |
| Annual ongoing | $5,000-$15,000 | $15,000-$40,000 | $40,000-$100,000+ |
Additional cost estimates from industry sources:
- UK startups: approximately £35,000-£45,000 from scratch to certified (first year), including quality manager salary
- QMS consultancy alone: $9,000 (offsite) to $21,000 (onsite) for full implementation support
- Certification body fees for accredited audit: approximately $5,000 for a small business (<10 employees), with $500 added per additional 10 employees
What Drives Cost Higher
| Factor | Impact |
|---|---|
| Multiple manufacturing sites | Each site requires separate or extended audit coverage |
| High-risk device classes (Class III, implantable) | More rigorous audit, more documentation, more Notified Body scrutiny |
| Multiple product lines | Each product line needs a medical device file and risk management file |
| International market access (EU, Japan, Canada) | MDSAP audit adds cost but provides multi-country coverage |
| Paper-based documentation | Higher labor cost for record management and retrieval |
| Lack of internal quality expertise | Greater reliance on external consultants |
Timeline
| Milestone | Typical Duration | Notes |
|---|---|---|
| Gap analysis and planning | 1-2 months | Can be faster with experienced quality staff |
| Documentation development | 2-4 months | Quality Manual, procedures, work instructions, forms |
| QMS implementation and operation | 3-6 months | Must generate at least 3 months of records before Stage 2 |
| Internal audit and CAPA closure | 1-3 months | Full internal audit plus corrective action closure |
| Stage 1 audit | 1-2 days on-site | Document review and readiness check |
| Stage 1 to Stage 2 gap | 4+ weeks | Recommended minimum to address findings |
| Stage 2 audit | 2-5 days on-site | Depends on organization size and complexity |
| Certification decision | 1-2 months | Certification body review and processing |
| Total: preparation to certificate | 6-24 months | 12-24 months most common per BSI; 6-9 months achievable for well-resourced teams |
Selecting a Certification Body
Key Selection Criteria
| Criterion | What to Look For |
|---|---|
| Accreditation | Must be accredited by a recognized accreditation body (e.g., ANAB in the U.S., UKAS in the UK, DAkkS in Germany). Accreditation ensures the certification body itself is competent. |
| Medical device experience | Choose a body with demonstrated experience auditing your device type and risk class |
| Regulatory coverage | If you need MDSAP (Canada, Japan, Brazil, Australia, U.S.), ensure the body is authorized for all five jurisdictions |
| Geographic coverage | Auditors available in your region reduce travel costs and scheduling delays |
| Availability | Notified body backlogs can delay audits by 12-18 months. Book early. |
| Reputation | Ask for references. Check accreditation body websites for any sanctions. |
| Cost transparency | Clear proposals with Stage 1, Stage 2, surveillance, and re-certification costs |
Major Certification Bodies
| Body | Headquarters | Key Strengths |
|---|---|---|
| BSI Group | UK | Largest medical device certification body globally, extensive MDSAP coverage |
| TÜV SÜD | Germany | Strong EU presence, experienced with high-risk devices |
| SGS | Switzerland | Global reach, multi-standard certification capability |
| DEKRA | Germany | EU market access expertise |
| DNV | Norway | Strong Scandinavian presence, integrated management system audits |
| Bureau Veritas | France | Global network, multi-industry certification |
| Intertek | UK | Testing and certification combined |
| NSF-ISR | USA | Strong North American presence |
Common Implementation Pitfalls and How to Avoid Them
| Pitfall | Consequence | How to Avoid |
|---|---|---|
| Lack of management commitment | Project stalls, resources withheld, implementation incomplete | Get written executive sponsorship with budget and resource allocation before starting |
| Scope too broad initially | Overwhelmed team, delayed implementation, audit failures | Start with core products and expand scope in subsequent cycles |
| Documentation-heavy QMS | Unusable procedures, resistance from staff, compliance burden | Follow the "document what's necessary" principle — not every process needs a 20-page procedure |
| Insufficient training | Personnel not following procedures, audit findings, data integrity issues | Train all roles on relevant procedures, assess competency, document training |
| Rushing to certification | Immature QMS, major nonconformities at audit, costly rework | Allow minimum 3 months of operational records before Stage 2 audit |
| Ignoring FDA-specific requirements | QMS passes ISO 13485 audit but fails FDA inspection | Map both ISO 13485 and QMSR (820.10, 820.35, 820.45) requirements into your QMS |
| No internal audit capability | Reliance on external auditors, expensive corrections, delayed CAPA | Train internal auditors (ISO 19011), establish internal audit program early |
| Poor supplier management | Incoming material issues, production failures, audit findings | Implement supplier evaluation and monitoring from the start |
| Separate QMS from business operations | QMS becomes overhead rather than value-adding | Integrate quality into daily operations, make quality objectives business objectives |
QMSR Alignment: What ISO 13485 Certification Does Not Cover
If you are implementing ISO 13485 for U.S. market compliance under the QMSR, be aware that ISO 13485 certification alone does not guarantee QMSR compliance. The FDA has added specific requirements:
| QMSR Section | Requirement | ISO 13485 Coverage |
|---|---|---|
| 820.3(b) | FDA-specific definitions (e.g., "device," "labeling" from FD&C Act) | Partial — some terms have different definitions |
| 820.10(b) | Identify all applicable regulatory requirements | Addressed generally in Clause 4.1.1 but FDA expects explicit documentation |
| 820.35 | Complaint handling procedures, servicing records, UDI compliance | Complaint handling in Clause 8.2.2, but UDI and specific servicing requirements are FDA additions |
| 820.45 | Physical examination of device labeling before release | Not in ISO 13485 — labeling inspection is an FDA-specific addition |
Documentation Toolkit: What You Need
Required Documents (Explicitly Required by ISO 13485)
| Document | Clause Reference |
|---|---|
| Quality manual | 4.2.2 |
| Quality policy | 5.3 |
| Quality objectives | 5.4.1 |
| Job descriptions / organizational structure | 5.5.1 |
| Management review procedure and records | 5.6.1 |
| Training procedure and records | 6.2 |
| Work environment documentation | 6.4 |
| Product realization planning records | 7.1 |
| Design and development plan | 7.3.2 |
| Design inputs | 7.3.2 |
| Design outputs | 7.3.3 |
| Design review records | 7.3.4 |
| Design verification records | 7.3.5 |
| Design validation records | 7.3.6 |
| Design transfer records | 7.3.7 |
| Design change records | 7.3.8 |
| Design history file (DHF) | 7.3.9 |
| Purchasing procedure and records | 7.4 |
| Supplier evaluation records | 7.4.1 |
| Production control procedures | 7.5.1 |
| Process validation protocols and reports | 7.5.6 |
| Traceability records | 7.5.9 |
| Calibration procedure and records | 7.6 |
| Complaint handling procedure and records | 8.2.2 |
| Internal audit procedure and records | 8.2.4 |
| Nonconforming product procedure and records | 8.3.1 |
| CAPA procedure and records | 8.5.2, 8.5.3 |
| Installation and servicing procedures (if applicable) | 7.5.3, 7.5.4 |
| Sterilization validation (if applicable) | 7.5.5 |
| Risk management file per ISO 14971 | 7.1 |
Typical Documentation Volume
| Organization Type | Procedures | Work Instructions | Forms/Templates |
|---|---|---|---|
| Small startup (Class I/II) | 15-25 | 10-20 | 30-50 |
| Medium manufacturer (Class II) | 25-40 | 20-40 | 50-100 |
| Large manufacturer (Class II/III) | 40-60+ | 40-80+ | 100-200+ |
Frequently Asked Questions
How long does it take to get ISO 13485 certified?
The typical timeline is 6-24 months from project kickoff to certification. BSI estimates the full journey at approximately 12-24 months. The Johner Institute reports guiding companies to certification in 6-9 months when well-resourced. Key factors affecting timeline: organization size, device complexity, existing quality system maturity, resource availability, and certification body scheduling. Notified body backlogs can add 12-18 months to the scheduling timeline.
How much does ISO 13485 certification cost?
For a small company (<25 employees), total first-year costs range from $15,000-$40,000 including consultant support, certification body fees, training, and documentation systems. For medium companies (25-100 employees), expect $40,000-$120,000. Large organizations (100+ employees) can spend $120,000-$350,000+. Annual ongoing costs for surveillance audits and maintenance are approximately one-third of the initial investment. Certification body fees alone for a small accredited audit are approximately $5,000.
Is ISO 13485 certification mandatory?
ISO 13485 certification is not legally mandated by the FDA. The QMSR incorporates ISO 13485:2016 by reference, but the FDA assesses compliance during inspections rather than requiring certification. However, ISO 13485 certification is effectively required for EU market access (via Notified Body assessment under EU MDR), for Canada (via MDSAP requirement), and is strongly expected in Japan, Australia, and many other jurisdictions.
What is the difference between Stage 1 and Stage 2 audits?
Stage 1 is a document review and readiness assessment. The auditor reviews your QMS documentation, confirms scope, evaluates mandatory procedures, and identifies gaps. No implementation evidence is assessed. Stage 2 is the on-site compliance audit where the auditor verifies that your QMS is actually implemented and effective — they sample device files, production records, training records, complaints, CAPA, supplier files, calibrations, and validation evidence. Both stages must be passed for certification.
How long is ISO 13485 certification valid?
ISO 13485 certification is valid for three years from the date of issue. During this period, the certification body conducts annual surveillance audits to verify continued compliance. At the end of the three-year cycle, a full re-certification audit is required. Surveillance audits are less intensive than the initial certification but review mandatory elements plus selected processes each year.
Can I exclude any ISO 13485 requirements?
ISO 13485 allows exclusions only for design and development (Clause 7.3) and for specific requirements that do not apply to the organization's role. Any exclusion must be justified in the quality manual. You cannot exclude requirements in Clause 4, 5, 6, or 8. Exclusions in Clause 7 (beyond 7.3) are permitted only if they do not affect the organization's ability or responsibility to provide product that meets customer and applicable regulatory requirements.
What is MDSAP and how does it relate to ISO 13485?
The Medical Device Single Audit Program (MDSAP) is a program that allows a single audit of a medical device manufacturer's quality system to satisfy the requirements of multiple regulatory jurisdictions: Australia (TGA), Brazil (ANVISA), Canada (Health Canada), Japan (MHLW/PMDA), and the United States (FDA). MDSAP audits are conducted against ISO 13485:2016 plus jurisdiction-specific requirements from all five countries. Canada requires MDSAP certification for Class II, III, and IV devices. The FDA accepts MDSAP audit reports as part of its inspection program but does not require MDSAP certification.
What happens if I fail the certification audit?
If major nonconformities are identified at Stage 2, certification is not granted until they are corrected and verified. You will need to implement corrective actions, provide evidence of closure, and undergo a follow-up audit (partial or full, depending on findings). Minor nonconformities require a credible corrective action plan with a timeline but do not prevent certification. Most certification bodies allow 90-180 days to close major nonconformities.
Do I need a consultant to implement ISO 13485?
A consultant is not mandatory, but is highly recommended for organizations without prior ISO 13485 experience. The standard is complex, the documentation requirements are extensive, and the certification process has nuances that experienced consultants navigate efficiently. Organizations with an experienced quality manager and prior QMS experience may implement without external help. The trade-off is time: consultants typically accelerate implementation by 30-50%.
How does ISO 13485 relate to risk management?
ISO 13485 integrates risk management throughout the standard, referencing ISO 14971 (Application of risk management to medical devices) for the risk management framework. Risk management is required in design and development (Clause 7.3), production processes (Clause 7.5), supplier management (Clause 7.4), and CAPA (Clause 8.5). The QMSR strengthens this emphasis — the FDA explicitly recommends adopting ISO 14971 for risk management practices to align with QMSR expectations.