ISO 13485 vs ISO 9001: Key Differences, Requirements, and Which Standard You Need
A detailed comparison of ISO 13485 and ISO 9001 — clause-by-clause differences, regulatory requirements, when you need each standard, and how to transition between them.
Why This Comparison Matters
If you manufacture, design, or distribute products and you are evaluating quality management system (QMS) standards, you will inevitably face this question: ISO 13485 or ISO 9001? Or both?
The answer has real consequences. Choose the wrong standard and you may fail a regulatory submission, lose a major customer, or spend months building a QMS that does not meet your market's requirements. Choose correctly and you build a quality system that satisfies regulators, wins customer confidence, and supports your business strategy.
This guide provides a thorough, clause-by-clause comparison of ISO 13485:2016 and ISO 9001:2015 so you can make that decision with confidence. We cover the philosophical differences, structural gaps, regulatory implications, transition strategies, cost considerations, and common misconceptions that trip up even experienced quality professionals.
Quick-Reference Summary
Before we get into the details, here is a high-level snapshot for quick reference.
| Aspect | ISO 9001:2015 | ISO 13485:2016 |
|---|---|---|
| Scope | Any industry, any organization | Medical devices only |
| Primary goal | Customer satisfaction and continual improvement | Regulatory compliance and device safety |
| Structure | 10 clauses (Annex SL Harmonized Structure) | 8 clauses (aligned with ISO 9001:2008) |
| Risk approach | Risk-based thinking (general concept) | Formal, documented risk management per ISO 14971 |
| Continual improvement | Explicitly required | Not mandated — focus is on maintaining QMS effectiveness |
| Quality manual | Not required | Required |
| Design controls | Can be excluded if not applicable | Required for device manufacturers; prescriptive |
| Process validation | General requirement | Detailed, prescriptive, specific to device manufacturing |
| Traceability | Basic requirement | Extensive — UDI, lot/serial tracking, implant traceability |
| Complaint handling | Part of customer feedback | Separate, formal process with regulatory reporting obligations |
| Regulatory focus | Minimal (11 mentions of "regulatory") | Central (58 mentions of "regulatory") |
| Software validation | Not required for QMS software | Required for all QMS software |
| Advisory notices / recalls | Not addressed | Documented procedure required |
| Preventive action | Absorbed into risk-based thinking | Separate, documented procedure required |
| Training effectiveness | Not prescriptive — ensure competence | Must evaluate and document training effectiveness |
| Sterile device requirements | Not addressed | Specific requirements for cleanliness, sterilization validation, sterile barrier systems |
| Post-market surveillance | General customer feedback | Formal documented system with regulatory reporting obligations |
| Installation/servicing | General post-delivery activities | Documented procedures, records, and acceptance criteria required |
| PDCA application | Aggressive — change drives improvement | Conservative — changes require formal justification and validation |
| Certification cost (3-year cycle) | $15,000-$60,000 | $35,000-$150,000 |
| Global certifications issued | Over 1.2 million | Over 33,000 |
ISO 9001: The Universal Quality Standard
Purpose and Scope
ISO 9001:2015 is the world's most widely adopted quality management standard. It applies to any organization regardless of size, industry, or product type — from software companies to steel mills, hospitals to hotels, logistics firms to law practices. Over 1.2 million organizations worldwide hold ISO 9001 certification.
The standard establishes the baseline ingredients of an effective quality management system:
- Customer focus — Understanding and meeting customer requirements
- Leadership engagement — Top management driving the quality culture
- Process approach — Managing activities as interconnected processes
- Risk-based thinking — Identifying and addressing risks and opportunities
- Evidence-based decision-making — Using data to drive decisions
- Continual improvement — Systematically enhancing performance over time
- Relationship management — Managing relationships with interested parties (suppliers, partners, regulators)
Structure
ISO 9001:2015 follows the Annex SL Harmonized Structure (previously called the High-Level Structure), which is the common framework mandated for all ISO management system standards. This structure contains 10 clauses:
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
This structure makes it straightforward to integrate ISO 9001 with other standards like ISO 14001 (environmental), ISO 45001 (occupational health and safety), and ISO 27001 (information security) into a single integrated management system.
Key Characteristics
- Flexibility — The standard is intentionally generic. Organizations define their own processes, metrics, and documentation needs.
- Continual improvement mandate — ISO 9001 explicitly requires organizations to continually improve the suitability, adequacy, and effectiveness of the QMS.
- No quality manual required — As of the 2015 revision, a quality manual is no longer mandatory (though many organizations still maintain one).
- Context of the organization — A concept introduced in 2015 requiring organizations to understand their internal/external environment and the needs of interested parties.
- No management representative required — The 2015 revision removed the requirement for a dedicated management representative, distributing QMS accountability across top management instead.
History and Revisions
Understanding the revision history helps explain why the two standards have diverged.
| Year | ISO 9001 Milestone |
|---|---|
| 1987 | First edition published — focused on quality assurance through inspection and testing |
| 1994 | Second edition — added preventive action, enhanced documentation requirements |
| 2000 | Major revision — introduced the process approach and customer satisfaction focus |
| 2008 | Minor revision — clarified language, no new requirements |
| 2015 | Current edition — adopted Annex SL structure, introduced risk-based thinking, removed quality manual and management representative requirements, added context of the organization |
ISO 9001:2015 was confirmed in its current form in 2021, meaning no changes were required. The next scheduled review cycle is expected around 2026-2027. As of March 2026, ISO 9001:2015 remains the current edition.
ISO 13485: The Medical Device Quality Standard
Purpose and Scope
ISO 13485:2016 is the international quality management standard designed exclusively for organizations involved in the lifecycle of medical devices. It applies to manufacturers, contract manufacturers, design houses, sterilization service providers, distributors, importers, and component suppliers whose work affects device quality, safety, or performance.
The standard's stated objective is to facilitate harmonized medical device regulatory requirements for quality management systems. Its focus is not on customer satisfaction in the broad commercial sense — it is on ensuring that medical devices are consistently safe and meet applicable regulatory requirements.
Structure
ISO 13485:2016 follows an 8-clause structure aligned with the older ISO 9001:2008 format:
1. Scope
2. Normative references
3. Terms and definitions
4. Quality management system
5. Management responsibility
6. Resource management
7. Product realization
8. Measurement, analysis, and improvement
This is a critical point: ISO 13485:2016 was developed in alignment with ISO 9001:2008, not ISO 9001:2015. The ISO technical committee responsible for ISO 13485 (TC 210) deliberately chose not to adopt the Annex SL Harmonized Structure, concluding that concepts like "context of the organization" and "leadership" (as framed in ISO 9001:2015) were not necessary for the medical device quality management model.
Why does the structure matter? If your organization maintains an integrated management system with ISO 9001:2015 and other Annex SL-based standards, adding ISO 13485 requires mapping between two fundamentally different clause structures. This adds complexity to your documentation, internal audit program, and management review process.
Key Characteristics
- Regulatory compliance as the primary driver — The term "regulatory requirements" appears 58 times in ISO 13485:2016 compared to just 11 times in ISO 9001:2015. The entire standard is oriented around demonstrating compliance with applicable regulations.
- Risk management throughout the product lifecycle — Not just "risk-based thinking" in the general sense, but formal, documented risk management processes applied to every aspect of the QMS and product realization.
- Quality manual is required — Unlike ISO 9001:2015, ISO 13485 explicitly requires a quality manual that describes the scope of the QMS, references documented procedures, and describes process interactions.
- No continual improvement mandate — ISO 13485 requires organizations to maintain the effectiveness of the QMS, but does not mandate continual improvement in the way ISO 9001 does. This is intentional: in a regulated environment, a validated process that works consistently is preferable to one that changes frequently in pursuit of optimization.
- Medical device file — Required for each device type or family, containing comprehensive documentation describing the device, its intended use, specifications, manufacturing procedures, and applicable regulatory requirements.
- Software validation — Any computer software used in the QMS must be validated before initial use and after any changes.
History and Revisions
| Year | ISO 13485 Milestone |
|---|---|
| 1996 | First edition published — based on ISO 9001:1994 with medical device-specific additions |
| 2003 | Second edition — aligned with ISO 9001:2000; introduced the process approach; expanded design control and risk management requirements |
| 2016 | Current edition — expanded risk management throughout the QMS; strengthened supplier controls, complaint handling, and post-market surveillance requirements; aligned with ISO 9001:2008 structure (deliberately not ISO 9001:2015) |
| 2025 | Confirmed in current form — no revision required; next review expected around 2030 |
The decision not to align with ISO 9001:2015 in the 2016 revision was controversial. ISO TC 210 concluded that the regulatory purpose of ISO 13485 was best served by maintaining the established structure that regulators worldwide had already incorporated into their frameworks. This means the two standards have structurally diverged — a gap that will eventually be closed when ISO 13485 is revised to adopt the Harmonized Structure (expected post-2028).
Who Needs ISO 13485?
The standard applies to any organization involved in the lifecycle of a medical device:
- Device manufacturers — both finished device and component manufacturers
- Contract manufacturers — organizations manufacturing on behalf of device companies
- Design houses — companies that design devices but outsource manufacturing
- Sterilization service providers — third-party sterilizers
- Distributors and importers — where they perform activities affecting device quality (repackaging, relabeling, storage under controlled conditions)
- Service and maintenance providers — organizations servicing or refurbishing medical devices
- Raw material and component suppliers — increasingly required by OEM customers
- Software developers — companies developing software as a medical device (SaMD) or software that is a component of a device
A common misconception is that only the finished device manufacturer needs ISO 13485. In reality, the entire supply chain is increasingly expected to maintain ISO 13485-compliant quality systems, and notified body auditors routinely verify that critical suppliers are controlled appropriately.
What the Two Standards Have in Common
Before exploring the differences, it helps to recognize the significant common ground. Both ISO 9001 and ISO 13485:
- Establish a quality management system — Both require organizations to define, document, implement, and maintain a structured QMS with defined processes and procedures.
- Require a process approach — Both standards require organizations to identify their processes, determine their sequence and interaction, and manage them systematically.
- Emphasize risk assessment — Both highlight the importance of incorporating risk management into design and production stages, though they differ significantly in how prescriptive they are (covered in detail below).
- Focus on customer requirements — Both aim to ensure customer requirements are understood and met. ISO 9001 frames this broadly as customer satisfaction; ISO 13485 frames it through a regulatory and safety lens.
- Use the Plan-Do-Check-Act (PDCA) cycle — Both standards are built on the Deming cycle of continuous quality improvement, though ISO 13485 applies PDCA more conservatively (see below).
- Require employee competency — Both mandate that personnel performing quality-affecting work be competent based on education, training, skills, and experience, and that competence be documented.
- Require internal audits — Both require systematic internal audit programs to verify QMS conformity and effectiveness.
- Require management review — Both mandate periodic management review of the QMS, though the scope of required inputs differs.
- Address supplier/external provider control — Both require evaluation and monitoring of suppliers/external providers, though ISO 13485 is more prescriptive.
- Require corrective action — Both mandate formal processes for identifying nonconformities, determining root causes, and implementing corrective actions.
- Support use of statistical techniques — Both encourage data-driven decision-making and statistical analysis for quality monitoring and improvement.
- Are auditable by third parties — Both support certification audits by accredited registrars, providing external validation of QMS conformity.
Understanding these similarities is important because it means that organizations holding either certification already have a quality management foundation. The differences lie in scope, prescriptiveness, and regulatory orientation — which we cover next.
The Core Philosophical Difference
Before diving into clause-by-clause details, it is worth understanding the fundamental philosophical divergence between these two standards.
ISO 9001 asks: "Are your customers satisfied?"
ISO 9001 is built around the concept that quality is ultimately measured by customer satisfaction. The standard pushes organizations to understand customer needs, deliver products and services that meet those needs, gather feedback, and continually improve. Customer satisfaction is both the metric and the goal.
ISO 13485 asks: "Is the device safe and does it meet regulatory requirements?"
ISO 13485 redefines the concept of quality in the context of medical devices. Customer satisfaction is still relevant, but it is secondary to patient safety and regulatory compliance. The standard treats regulatory requirements as non-negotiable constraints that override all other considerations. When ISO 13485 refers to "customer," it often means the regulator as much as the end user.
This is not a trivial distinction. It affects how you design your processes, what you measure, how you handle complaints, and what your management reviews focus on.
Example: Under ISO 9001, a complaint about product packaging being inconvenient is a legitimate driver of corrective action and process improvement. Under ISO 13485, the same complaint about packaging would be evaluated first through a safety and regulatory lens — could the packaging issue affect device sterility, integrity, or labeling visibility? The response and its documentation differ accordingly.
The PDCA Cycle: Same Foundation, Different Application
Both standards are built on the Plan-Do-Check-Act (PDCA) Deming cycle — the iterative model for continuous quality improvement. However, the way each standard applies PDCA reveals their philosophical difference.
ISO 9001 encourages organizations to use PDCA aggressively. The "Act" phase is expected to drive repeated improvements, optimize processes, and enhance customer satisfaction over time. Change is seen as a positive force — a well-functioning ISO 9001 QMS is one that evolves constantly.
ISO 13485 applies PDCA more conservatively. In medical device manufacturing, even small changes to validated processes can introduce new risks to patient safety. The "Act" phase under ISO 13485 requires that any changes be formally justified, documented, risk-assessed, and validated before implementation. The standard treats a proven, stable process as more valuable than a frequently optimized one. This does not mean improvement is discouraged — it means improvement must go through formal change control and validation before being deployed.
Practical impact: An ISO 9001 process improvement might involve a production manager adjusting a workflow based on monthly efficiency data and documenting the change afterward. Under ISO 13485, that same change would require a formal change request, risk assessment, potential revalidation, and pre-approval before implementation.
Clause-by-Clause Comparison
The following table provides a detailed comparison of the major auditable requirements in both standards. Because the two standards use different clause numbering (ISO 9001:2015 uses 10 clauses; ISO 13485:2016 uses 8 clauses), the comparison is organized by topic area.
Quality Management System Foundation
| Topic | ISO 9001:2015 | ISO 13485:2016 |
|---|---|---|
| QMS scope | Organization defines its scope based on context, interested parties, and products/services (Clause 4.3) | Scope must specify which products, activities, and locations are covered; exclusions limited to Clause 7 and must be justified (Clause 4.2.2) |
| Quality manual | Not required (removed in 2015 revision) | Required — must describe QMS scope, reference procedures, and describe process interactions (Clause 4.2.2) |
| Quality policy | Established by top management; communicated and understood (Clause 5.2) | Established by top management; includes commitment to regulatory compliance and QMS effectiveness (Clause 5.3) |
| Quality objectives | Measurable, consistent with policy, monitored, communicated (Clause 6.2) | Measurable, established at relevant functions and levels, consistent with policy (Clause 5.4.1) |
| Process approach | Required — identify processes, determine sequence and interaction, assign resources (Clause 4.4) | Required — identify processes, determine sequence and interaction, apply risk-based approach (Clause 4.1) |
| Context of the organization | Required — determine internal/external issues and needs of interested parties (Clause 4.1, 4.2) | Not required — concept does not exist in ISO 13485 |
| Interested parties | Must determine relevant interested parties and their requirements (Clause 4.2) | Not addressed as a separate requirement; regulatory bodies and customers are addressed through specific clauses |
Documentation and Records
| Topic | ISO 9001:2015 | ISO 13485:2016 |
|---|---|---|
| Documented information | Uses the term "documented information" for both documents and records (Clause 7.5) | Uses traditional terms: "documents" and "records" separately (Clause 4.2) |
| Document control | Control of documented information — approval, review, updates, distribution, access, storage, disposition (Clause 7.5.2, 7.5.3) | Document control with specific requirements: changes must be reviewed and approved by the original approving function or designated individual with adequate background (Clause 4.2.4) |
| Record retention | Retain documented information as evidence of conformity (Clause 7.5.3) | Retain records for at least the lifetime of the device or as specified by regulatory requirements, whichever is longer (Clause 4.2.5) |
| Regulatory documents | No specific requirement | Must include applicable regulatory requirements within QMS documentation (Clause 4.2.1) |
| Medical device file | Not applicable | Required for each device type or family — comprehensive file describing the device, specifications, manufacturing, and regulatory requirements (Clause 4.2.3) |
| Software validation | No specific requirement for QMS software | Computer software used in the QMS must be validated before initial use and after changes; validation proportionate to risk (Clause 4.1.6) |
Management and Leadership
| Topic | ISO 9001:2015 | ISO 13485:2016 |
|---|---|---|
| Leadership concept | "Leadership" — top management must demonstrate leadership and commitment to the QMS (Clause 5.1) | "Management responsibility" — management must provide evidence of commitment to QMS development, implementation, and maintaining effectiveness (Clause 5.1) |
| Management representative | Not explicitly required (removed in 2015 — responsibility distributed to top management) | Required — a member of management must be appointed with defined authority and responsibility for the QMS (Clause 5.5.2) |
| Customer focus | Top management must ensure customer requirements are determined and met; enhance customer satisfaction (Clause 5.1.2) | Ensure customer and regulatory requirements are determined and met (Clause 5.2) |
| Management review inputs | Performance metrics, audit results, customer feedback, nonconformities, improvement opportunities, effectiveness of risk actions, supplier performance (Clause 9.3.2) | Feedback, complaint handling, reporting to regulatory authorities, audit results, process/product monitoring, corrective/preventive actions, follow-up from previous reviews, changes affecting QMS, improvement recommendations, and regulatory updates (Clause 5.6.2) |
| Regulatory compliance | Must determine and meet applicable statutory and regulatory requirements (general) | Must commit to regulatory compliance; management review must include regulatory updates and new/revised regulations (Clause 5.6.2) |
| Organizational roles | Top management assigns roles, responsibilities, and authorities (Clause 5.3) | Every member of the organization must have defined responsibilities for managing, performing, and verifying QMS activities (Clause 5.5.1) |
Resource Management
| Topic | ISO 9001:2015 | ISO 13485:2016 |
|---|---|---|
| Competence | Determine necessary competence; ensure competence through education, training, or experience; retain evidence (Clause 7.2) | Personnel must be competent based on education, training, skills, and experience; training effectiveness must be evaluated; competency records maintained (Clause 6.2) |
| Infrastructure | Determine, provide, and maintain infrastructure needed for conformity (Clause 7.1.3) | Determine, provide, and maintain infrastructure; document maintenance requirements and activities (Clause 6.3) |
| Work environment | Determine, provide, and maintain the environment necessary for conformity (Clause 7.1.4) | Document requirements for health, cleanliness, and clothing of personnel; document work environment conditions and monitoring procedures; establish contamination control systems where applicable (Clause 6.4) |
| Monitoring and measuring resources | Ensure resources are suitable; maintain calibration records (Clause 7.1.5) | Calibrate or verify at specified intervals; maintain calibration records; document procedures (Clause 7.6) |
Training Requirements
Training and competence management is an area where the standards diverge more than the clause-by-clause tables above might suggest.
| Aspect | ISO 9001:2015 | ISO 13485:2016 |
|---|---|---|
| Competence scope | Persons doing work that affects quality performance must be competent (Clause 7.2) | Personnel performing work affecting product quality must be competent; scope explicitly includes regulatory awareness (Clause 6.2) |
| Training needs identification | Not prescriptive — organization determines what competence is needed | Documented procedures for identifying training needs are expected; training must be planned based on identified gaps |
| Training effectiveness | Must ensure competence is achieved; method not prescribed | Training effectiveness must be evaluated and documented — it is not sufficient to simply deliver training; the organization must verify that training achieved its intended outcome (Clause 6.2) |
| Regulatory awareness | Not specifically required | Personnel must be made aware of applicable regulatory requirements relevant to their role and the consequences of noncompliance |
| Records | Retain evidence of competence (Clause 7.2) | Maintain records of education, training, skills, and experience for all personnel affecting product quality (Clause 6.2) |
| Scope of personnel | Persons under the organization's control | Explicitly extends to all personnel performing work affecting product quality, including temporary workers and contractors |
Practical impact: An ISO 9001-certified company might satisfy the training requirement with a spreadsheet tracking who attended which courses. Under ISO 13485, auditors expect documented training procedures, training plans linked to job functions, competency assessments (not just attendance records), and evidence that training was effective — for example, through post-training testing, observed demonstration of skills, or supervised performance.
Product/Service Realization and Operations
| Topic | ISO 9001:2015 | ISO 13485:2016 |
|---|---|---|
| Planning | Plan, implement, and control processes needed for products/services; determine requirements, acceptance criteria (Clause 8.1) | Plan product realization including quality objectives, risk management activities, verification/validation activities, and required records (Clause 7.1) |
| Risk management | "Risk-based thinking" — identify risks and opportunities; take actions to address them (Clause 6.1) | Formal documented risk management processes throughout the entire product lifecycle; maintain risk management records (Clause 7.1) |
| Customer requirements | Determine requirements for products/services including regulatory; review before commitment; communicate with customers (Clause 8.2) | Determine product requirements including regulatory; review before commitment; establish policies for customer communications including advisory notices (Clause 7.2) |
| Design and development | Plan, determine inputs and outputs, conduct reviews, verification, validation, manage changes (Clause 8.3) — can be excluded if not applicable | Plan, determine inputs and outputs, conduct reviews, verification, validation, manage changes, design transfer to manufacturing; includes risk analysis; design files required (Clause 7.3) — required for device manufacturers |
| Purchasing | Evaluate and select suppliers based on ability to meet requirements; verify purchased products (Clause 8.4) | Evaluate, select, and re-evaluate suppliers; maintain documented purchasing procedures; document and retain purchasing information for traceability; verify purchased products; risk-based supplier control (Clause 7.4) |
| Production and service | Control production and service provision under controlled conditions (Clause 8.5) | Control production under documented conditions including SOPs, work instructions, reference materials at point of work, labeling/packaging procedures, unique batch records, product cleanliness requirements, installation/servicing records, and procedures for returned products (Clause 7.5) |
| Process validation | Validate processes where output cannot be verified by subsequent monitoring (Clause 8.5.1) | Validate processes where output cannot be verified by subsequent monitoring; includes sterilization processes, software, manufacturing processes; document validation procedures, methods, and records (Clause 7.5.6) |
| Identification and traceability | Identify outputs; identify status with respect to monitoring/measurement; control unique identification when traceability is a requirement (Clause 8.5.2) | Identify product throughout realization; document procedures for traceability; for implantable devices, record all materials, components, and work environment conditions; maintain records of each batch (Clause 7.5.8, 7.5.9) |
| Preservation | Preserve outputs during production and service provision (Clause 8.5.4) | Preserve product during processing and delivery; document procedures for shelf life management; document product cleanliness and contamination control (Clause 7.5.11) |
Monitoring, Measurement, and Improvement
| Topic | ISO 9001:2015 | ISO 13485:2016 |
|---|---|---|
| Customer satisfaction | Monitor customer perception of the degree to which requirements have been met (Clause 9.1.2) | Establish a feedback system providing early warning of quality problems; monitor information on whether the organization has met customer requirements; review feedback including complaints (Clause 8.2.1) |
| Internal audits | Conduct at planned intervals; ensure objectivity and impartiality; report results to management (Clause 9.2) | Conduct at planned intervals; document audit procedures; ensure objectivity; take timely correction and corrective action; maintain records (Clause 8.2.2) |
| Process monitoring | Monitor, measure, analyze, and evaluate QMS processes (Clause 9.1.1) | Apply suitable methods for monitoring QMS processes; if planned results are not achieved, take correction and corrective action (Clause 8.2.3) |
| Product monitoring | Verify product/service requirements have been met; retain evidence of conformity (Clause 8.6) | Monitor and measure product for quality throughout production; verify all quality requirements are met before release; record the identity of the person authorizing release (Clause 8.2.4) |
| Nonconforming product | Identify and control nonconforming outputs; take appropriate action; retain documented information (Clause 8.7) | Identify and control nonconforming product; document dispositions (rework, accept by concession, regrade, reject); document rework activities; if product delivered before detection, take appropriate action including regulatory notification (Clause 8.3) |
| Advisory notices | Not applicable | Document procedures for issuing advisory notices (recalls, field safety corrective actions); procedure must be capable of being implemented at any time (Clause 8.3.3) |
| Data analysis | Analyze and evaluate data from monitoring and measurement (Clause 9.1.3) | Collect and analyze data including feedback, product conformity, process trends, and supplier performance; formal documented procedures required (Clause 8.4) |
| Continual improvement | Continually improve the suitability, adequacy, and effectiveness of the QMS (Clause 10.1) | Identify and implement changes needed to ensure and maintain QMS suitability, adequacy, and effectiveness; continual improvement is not explicitly mandated (Clause 8.5.1) |
| Corrective action | Determine causes of nonconformities; implement action; review effectiveness (Clause 10.2) | Documented procedure required; review nonconformities including complaints; determine causes; evaluate need for action; implement action; verify no adverse effect on finished device; review effectiveness of action taken (Clause 8.5.2) |
| Preventive action | Addressed through risk-based thinking (Clause 6.1); separate preventive action clause removed in 2015 | Documented procedure required; determine potential nonconformities and causes; evaluate need for preventive action; implement and record action; review effectiveness (Clause 8.5.3) |
| Complaint handling | Not addressed as a separate requirement; part of customer feedback and corrective action | Documented procedures for complaint handling; evaluate complaints for reportable events; justify complaints that do not result in CAPA; document procedures for notifying regulators of adverse events (Clause 8.2.1, 8.5.1) |
Document and Record Control: A Closer Look
Document and record control is an area where the practical differences between the two standards are felt daily by quality teams.
ISO 9001:2015 Approach
ISO 9001:2015 introduced the unified term "documented information" to cover both documents (things you control and update) and records (things you retain as evidence). This was a deliberate simplification. The standard requires that documented information be:
- Created and updated with appropriate identification, format, and approval
- Controlled for distribution, access, retrieval, use, storage, preservation, and disposition
The standard gives organizations wide latitude in how they implement document control. There is no requirement for a specific documented procedure for document control — the organization decides what level of formality is needed.
ISO 13485:2016 Approach
ISO 13485 retains the traditional distinction between "documents" and "records" and imposes significantly stricter requirements:
- A documented procedure for document control is explicitly required (Clause 4.2.4)
- A documented procedure for record control is explicitly required (Clause 4.2.5)
- Changes to documents must be reviewed and approved by the original approving function or another designated individual with adequate background information
- Record retention periods must be defined and must be at least the lifetime of the device as defined by the organization, or as specified by applicable regulatory requirements, whichever is longer
- For implantable devices, records must be retained for at least 2 years beyond the expected service life of the device, but no less than 15 years from the date of release
- Regulatory documents must be included within the QMS documentation
- The quality system must include a medical device file for each device type or family
Practical impact: In an ISO 9001 environment, a company might retain quality records for 3-5 years and then dispose of them. In an ISO 13485 environment, records for an implantable device with a 10-year expected service life must be retained for at least 15 years — and potentially longer if regulatory requirements in your target markets specify longer retention periods. This has significant implications for your records management system, storage capacity, and IT infrastructure.
Document Types Unique to ISO 13485
| Document | ISO 9001 | ISO 13485 | Purpose |
|---|---|---|---|
| Quality manual | Not required | Required | Describes QMS scope, procedures, process interactions |
| Medical device file | N/A | Required | Comprehensive file for each device type/family |
| Device master record (DMR) | N/A | Referenced in QMSR | Complete set of specifications and instructions for manufacturing |
| Device history record (DHR) | N/A | Referenced in QMSR | Production record for each unit/batch |
| Design history file (DHF) | N/A | Expected by auditors | Complete record of design and development |
| Risk management file | N/A | Required | Documentation of risk management activities per ISO 14971 |
Risk Management: A Deeper Look
Both standards address risk, but their approaches differ significantly.
ISO 9001:2015 — Risk-Based Thinking
ISO 9001:2015 introduced the concept of "risk-based thinking" as a replacement for the standalone preventive action clause from ISO 9001:2008. The standard requires organizations to:
- Determine risks and opportunities that could affect the QMS's ability to achieve intended results
- Plan and implement actions to address those risks and opportunities
- Evaluate the effectiveness of those actions
However, ISO 9001 does not prescribe a specific risk management methodology, does not require a formal risk register, and does not mandate documented risk management procedures. The approach is intentionally flexible — a small service company's risk assessment can be much simpler than that of a large manufacturer.
ISO 13485:2016 — Formal Risk Management
ISO 13485 takes a fundamentally different approach. Risk management is not a concept woven into the standard's philosophy — it is a set of explicit, documented requirements:
- Risk management processes must be established and maintained throughout the product lifecycle (Clause 7.1)
- Risk management records must be maintained (Clause 7.1)
- Risk is addressed in design and development inputs, design verification and validation, supplier evaluation, process validation, complaint handling, and corrective/preventive action
- The standard works in conjunction with ISO 14971 (Application of risk management to medical devices), which provides the detailed framework for product-level risk management
In practice, this means medical device companies must maintain:
- A risk management plan for each device
- A risk analysis (hazard identification, risk estimation, risk evaluation)
- Risk control measures and their verification
- An overall residual risk evaluation
- A risk management report
- Post-production monitoring data that feeds back into risk management
Practical implication: An ISO 9001 auditor will check that you have considered risks and opportunities. An ISO 13485 auditor will ask to see your risk management files, trace specific hazards through your risk analysis to risk controls, and verify that post-market data has been evaluated against your risk management plan.
Design and Development: Where the Standards Diverge Most
Design and development controls represent one of the most significant differences between the two standards.
ISO 9001:2015
Design and development requirements (Clause 8.3) are straightforward and can be excluded entirely if the organization does not perform design activities. The standard requires planning, inputs, controls (reviews, verification, validation), outputs, and change management. The requirements are general and apply to any product or service.
ISO 13485:2016
Design and development requirements (Clause 7.3) are extensive, prescriptive, and cannot be excluded for device manufacturers. Key additions beyond what ISO 9001 requires:
- Risk analysis must be part of the design input process
- Design transfer — documented procedures for transferring verified and validated design outputs to manufacturing. This is an explicit clause in ISO 13485 with no equivalent in ISO 9001.
- Design files — a complete record of design and development activities must be maintained
- Regulatory requirements must be included as design inputs
- Clinical evaluation data (where applicable) must support design validation
- Traceability matrix — while not explicitly named in the standard text, auditors expect a requirements traceability matrix linking inputs to outputs to verification and validation activities
Why this matters: A company transitioning from ISO 9001 to ISO 13485 often underestimates the effort needed to build a compliant design control process. In an ISO 9001 environment, design verification might be informal testing documented in a spreadsheet. In ISO 13485, design verification requires formal protocols, predefined acceptance criteria, documented results, and traceability to specific design inputs.
Design and Development Comparison Table
| Design Stage | ISO 9001:2015 (Clause 8.3) | ISO 13485:2016 (Clause 7.3) |
|---|---|---|
| Planning | Plan stages, reviews, V&V, responsibilities | Plan stages, reviews, V&V, responsibilities; include risk management activities in the plan |
| Inputs | Functional/performance requirements, regulatory requirements, prior design info | Functional/performance requirements, regulatory requirements, risk management outputs, prior design info, usability requirements |
| Outputs | Must meet input requirements; provide information for production | Must meet input requirements; provide information for purchasing, production, and servicing; contain acceptance criteria; specify essential characteristics for safe use |
| Reviews | Systematic evaluation at suitable stages | Systematic evaluation at suitable stages; participants must include representatives of functions concerned with the design stage being reviewed |
| Verification | Confirm outputs meet inputs; retain records | Confirm outputs meet inputs; retain records of results and any necessary actions |
| Validation | Confirm product meets intended use; retain records | Confirm product meets defined user needs and intended uses; performed on representative product under defined conditions; clinical evaluation data where applicable |
| Transfer | Not addressed as a separate requirement | Explicit requirement to transfer verified and validated design outputs to manufacturing; documented procedures required |
| Changes | Identify, review, control changes | Identify, document, review, verify, validate (as appropriate), and approve changes before implementation; evaluate effect on constituent parts, in-process and delivered product |
| Design files | Not required | Required — complete record of design and development activities |
| Exclusion | Can be excluded if organization does not design | Cannot be excluded for device manufacturers |
Process Validation Requirements
ISO 9001:2015
ISO 9001 requires validation of processes where the resulting output cannot be verified by subsequent monitoring or measurement (Clause 8.5.1). The requirement is brief and non-prescriptive. Many ISO 9001-certified organizations apply this only to special processes like welding or heat treatment.
ISO 13485:2016
ISO 13485 significantly expands process validation requirements (Clause 7.5.6):
- Validation is required for any production or service provision process where the output cannot be fully verified afterward
- Validation must include defined criteria for review and approval of processes
- Validation must include approval of equipment and qualification of personnel
- Validation must include the use of specific methods and procedures
- Records of validation activities are required
- Revalidation is required when changes occur (including process changes, equipment changes, and corrective actions)
- Sterilization process validation has additional specific requirements (Clause 7.5.7) and must be performed before initial use
- Software used in production or the QMS must be validated (Clause 4.1.6, 7.5.6, 7.6)
Common processes requiring validation in medical device manufacturing include sterilization (EtO, gamma, e-beam, steam), sealing (pouch sealing, blister sealing), welding (ultrasonic, laser, RF), soldering and crimping, cleaning and passivation, coating and surface treatment, and software processes embedded in the device or used in manufacturing.
Process Validation Comparison
| Validation Aspect | ISO 9001:2015 | ISO 13485:2016 |
|---|---|---|
| When required | Processes where output cannot be verified by subsequent monitoring | Same trigger, but applied more broadly to device manufacturing |
| Equipment approval | Not specifically required | Must include approval of equipment |
| Personnel qualification | General competence requirements | Must include qualification of personnel for the specific process |
| Methods and procedures | General requirement | Must use specific, documented methods and procedures |
| Revalidation | Not explicitly addressed | Required when changes occur to process, equipment, or as a result of corrective action |
| Sterilization processes | Not addressed | Specific requirements (Clause 7.5.7); must be validated before initial use |
| Software validation | Not required for QMS software | Required for production software and QMS software (Clause 4.1.6) |
| Records | General requirement to retain evidence | Specific records of validation activities required |
Common audit finding: Organizations transitioning from ISO 9001 to ISO 13485 often have inadequate process validation. A process that was "qualified" under ISO 9001 with informal testing may not meet ISO 13485's requirements for formal protocols, predefined acceptance criteria, equipment qualification, and operator qualification records. Plan to revalidate critical processes under a more rigorous protocol framework.
Purchasing and Supplier Management
ISO 9001:2015
ISO 9001 requires organizations to evaluate and select external providers (suppliers) based on their ability to provide products and services that conform to requirements (Clause 8.4). The standard requires defined criteria for evaluation, selection, monitoring of performance, and re-evaluation. It does not prescribe specific methodologies.
ISO 13485:2016
ISO 13485 takes supplier control further (Clause 7.4):
- Risk-based supplier control — the type and extent of control applied to the supplier must be proportionate to the effect of the purchased product on subsequent product realization or the final medical device
- Documented purchasing procedures — procedures for purchasing must be documented
- Purchasing information must be retained for traceability — this is important for regulatory traceability back to the component level
- Supplier agreements must include requirements for notification of changes to purchased product (so the device manufacturer can evaluate the impact on device safety and performance)
- Re-evaluation at planned intervals — not just "as needed" but at documented intervals
- Records of evaluation results and follow-up actions must be maintained
| Supplier Management Aspect | ISO 9001:2015 | ISO 13485:2016 |
|---|---|---|
| Supplier evaluation criteria | Required, organization defines | Required, must be documented and risk-based |
| Approved supplier list | Not explicitly required | Expected for critical suppliers |
| Supplier audit program | Not required | Expected for critical components/services |
| Change notification from suppliers | Not required | Required — suppliers must notify of changes |
| Purchasing records for traceability | Not specifically required | Required — retained for traceability |
| Re-evaluation frequency | "At planned intervals" or as needed | Documented intervals |
Sterile Medical Device Requirements
One of the most significant areas where ISO 13485 goes beyond ISO 9001 is in its specific requirements for sterile medical devices. ISO 9001 has no concept of sterility or sterile product requirements.
ISO 13485 Sterile Device Provisions
ISO 13485:2016 includes dedicated requirements for organizations that manufacture sterile devices:
- Cleanliness of product (Clause 6.4.2) — Document requirements for product cleanliness or contamination control of product if the product is cleaned prior to sterilization or its use, if the product is supplied non-sterile and is to be subjected to a cleaning process prior to sterilization or its use, or if the product cannot be cleaned prior to sterilization or use and its cleanliness is of significance in use
- Particular requirements for sterile medical devices — ISO 13485 includes specific sub-clauses addressing the unique needs of sterile products throughout the standard:
  - Contamination control (Clause 6.4.1) — Establish documented requirements for health, cleanliness, and clothing of personnel who come into contact with product or work environment. This includes personnel hygiene protocols, gowning procedures, and environmental monitoring
  - Sterilization process validation (Clause 7.5.7) — Sterilization processes must be validated before initial use, with records maintained. This validation must demonstrate that the sterilization process consistently delivers the specified sterility assurance level (SAL)
  - Sterile barrier system validation (Clause 7.5.7) — Packaging processes that form the sterile barrier system must be validated before initial use
  - Batch records — For sterile devices, batch records must include sterilization process parameters and results, enabling traceability of sterilization conditions for each batch
Why This Matters
Organizations entering the sterile device space from an ISO 9001 background face a significant gap. ISO 9001 requires "suitable work environment" in general terms, but it has no requirements for cleanroom classification, environmental monitoring, gowning procedures, sterilization validation, or sterile barrier system integrity. Building the infrastructure and documentation for sterile device manufacturing often represents one of the largest investments in an ISO 13485 transition.
| Sterile Device Aspect | ISO 9001:2015 | ISO 13485:2016 |
|---|---|---|
| Product cleanliness requirements | Not addressed | Documented requirements for product cleanliness and contamination control |
| Personnel hygiene/gowning | Not addressed | Documented requirements for health, cleanliness, and clothing of personnel |
| Environmental monitoring | General "work environment" requirement | Documented work environment conditions and monitoring procedures |
| Sterilization validation | Not addressed | Required before initial use; specific clause (7.5.7) |
| Sterile barrier system | Not addressed | Packaging forming sterile barrier must be validated |
| Contamination control systems | Not addressed | Required where applicable (Clause 6.4.1) |
Installation and Servicing Requirements
ISO 13485 includes specific requirements for installation and servicing activities that have no equivalent in ISO 9001.
Installation (Clause 7.5.3)
When installation of a medical device is a specified requirement:
- The organization must document requirements for medical device installation and acceptance criteria for verification of installation
- If the agreed customer requirements allow installation to be performed by a party other than the organization or its authorized agent, the organization must provide documented requirements for installation and verification
- Records of installation and verification performed by the organization or its authorized agent must be maintained
Servicing (Clause 7.5.4)
When servicing is a specified requirement:
- The organization must document servicing procedures, reference materials, and reference measuring procedures
- Records of servicing activities must be analyzed and used as feedback for improvement, including contribution to the monitoring and measurement processes and complaint handling
- Servicing records must be maintained
Returned Product (Clause 7.5.1)
ISO 13485 requires specific procedures for handling returned medical devices:
- Documented procedures for handling returned product
- Procedures must address identifying, segregating, and examining returned devices
- Returned devices must be identified and distinguished from conforming product at all times
Practical impact: ISO 9001 addresses "post-delivery activities" in general terms, asking organizations to consider them as needed. ISO 13485 mandates documented procedures and records for installation verification, servicing activities, and returned product handling — recognizing that these post-delivery activities directly affect patient safety.
Post-Market Surveillance and Feedback Systems
Post-market surveillance (PMS) is a critical area where ISO 13485's regulatory focus is most apparent. ISO 9001 addresses post-delivery customer feedback in general terms; ISO 13485 establishes it as a formal, documented system with regulatory reporting obligations.
ISO 9001:2015 Approach
ISO 9001 requires organizations to monitor customer perceptions and gather feedback as part of its performance evaluation framework (Clause 9.1.2). The standard does not prescribe how feedback should be collected, analyzed, or acted upon beyond using it as an input for improvement.
ISO 13485:2016 Approach
ISO 13485 establishes a comprehensive feedback and surveillance system (Clause 8.2.1):
- A documented procedure for a feedback system must be established to provide early warning of quality problems and as input for corrective and preventive action processes
- The feedback system must include provisions for gathering data from production and post-production activities — including customer complaints, user facility reports, field service data, and regulatory database reviews
- Feedback must be reviewed for evidence that the product does not meet its specified requirements, including monitoring of complaints for trends
- If applicable regulatory requirements require the organization to gain specific experience from post-production activities, the review of this experience must form part of the feedback process
- The feedback system feeds directly into risk management — post-market data must be evaluated against the risk management plan and may trigger updates to risk analyses and risk control measures
- Post-market feedback must be included as an input to management review (Clause 5.6.2)
How Post-Market Surveillance Connects to Other ISO 13485 Requirements
Post-market surveillance does not stand alone in ISO 13485 — it connects to multiple other clauses:
| Connected Requirement | How PMS Data Feeds In |
|---|---|
| Complaint handling (8.2.1) | PMS provides the systematic framework within which complaints are received, evaluated, and investigated |
| Risk management (7.1) | Post-production data must be evaluated against the risk management file; trends may trigger risk reassessment |
| CAPA (8.5.2, 8.5.3) | PMS data identifying quality problems triggers corrective and preventive action processes |
| Advisory notices (8.3.3) | PMS data may trigger field safety corrective actions, recalls, or advisory notices |
| Management review (5.6.2) | PMS data, including complaint trends and regulatory reporting, is a required management review input |
| Design changes (7.3.9) | Post-market data may necessitate design changes, which must follow design control procedures |
Key distinction: ISO 9001's feedback system is driven by a desire to improve customer satisfaction. ISO 13485's feedback system is driven by a regulatory obligation to monitor device safety and performance in real-world use, detect problems early, and take action to protect patients. The stakes — and the documentation requirements — are fundamentally different.
Internal Audit Approach
ISO 9001:2015
Internal audits (Clause 9.2) must be conducted at planned intervals. The standard requires an audit program that considers the importance of processes, changes affecting the organization, and results of previous audits. Auditor objectivity and impartiality must be ensured. Results are reported to relevant management.
ISO 13485:2016
Internal audits (Clause 8.2.2) follow a similar framework but with additional regulatory dimensions:
- Audits must verify that the QMS conforms to the standard and to applicable regulatory requirements
- The audit procedure must be documented (ISO 9001 no longer requires a documented procedure for internal audits)
- Records of audit findings and corrective actions must be maintained
- Auditors in a medical device environment must understand the regulatory landscape, not just the standard — they need to verify that processes comply with the relevant regulations (FDA 21 CFR 820, EU MDR, etc.)
- Internal audits often serve as preparation for notified body audits, MDSAP audits, or FDA inspections
Tip: If you are transitioning from ISO 9001 to ISO 13485, plan to retrain your internal auditors. ISO 9001 auditors who lack medical device regulatory knowledge will miss critical compliance gaps that an external auditor will catch.
Management Review Differences
Management review is required by both standards, but the scope and inputs differ in ways that affect how medical device companies run their reviews.
Comparison of Management Review Inputs
| Input Required | ISO 9001:2015 (Clause 9.3.2) | ISO 13485:2016 (Clause 5.6.2) |
|---|---|---|
| Audit results | Yes | Yes |
| Customer feedback | Yes | Yes (including complaints) |
| Process performance and product conformity | Yes | Yes |
| Corrective/preventive actions | Yes (corrective action status) | Yes (both corrective and preventive action status) |
| Follow-up from previous reviews | Yes | Yes |
| Changes affecting the QMS | Yes | Yes |
| Improvement recommendations | Yes (opportunities for improvement) | Yes |
| Complaint handling | Implicit (part of customer feedback) | Explicit and separate input |
| Regulatory reporting | Not required | Required — reporting to regulatory authorities |
| Regulatory updates | Not required | Required — new or revised regulatory requirements |
| Risk management outputs | Not explicitly required | Expected as part of monitoring data |
| Advisory notice status | Not applicable | Expected — status of any field actions |
| Supplier performance | Yes | Yes |
The most significant difference is the regulatory dimension. ISO 13485 management reviews must explicitly address reporting to regulatory authorities, new or revised regulatory requirements, and the status of any advisory notices or field safety corrective actions. This means the management review agenda for a medical device company is substantially longer and more compliance-focused than for a typical ISO 9001 organization.
Best practice: Schedule ISO 13485 management reviews at least semi-annually (every 6 months) rather than the minimum "planned intervals." The volume of regulatory changes, complaint data, and CAPA activity in a medical device company typically warrants more frequent review than the annual cadence common in ISO 9001 environments.
FDA QMSR and Its Alignment with ISO 13485
One of the most significant regulatory developments in recent years is the FDA's Quality Management System Regulation (QMSR), which takes effect on February 2, 2026.
What Changed
The QMSR replaces the legacy Quality System Regulation (QSR, 21 CFR Part 820) that had been in place since 1996. Instead of prescribing its own set of detailed requirements, the new QMSR incorporates ISO 13485:2016 by reference. Part 820 is now much shorter — most of its text simply directs you to the relevant section of ISO 13485:2016.
Why It Matters for This Comparison
The QMSR fundamentally changes the landscape for U.S. medical device manufacturers:
- Before QMSR: A company selling devices in the U.S. needed to comply with 21 CFR 820 (QSR). A company selling in the EU needed ISO 13485 certification. These were parallel but separate requirements, leading to dual compliance efforts and, often, dual documentation.
- After QMSR (February 2, 2026): The U.S. and international requirements are aligned at the ISO 13485:2016 level. Companies maintaining an ISO 13485-compliant QMS are substantially aligned with the FDA's requirements. The QMSR adds some FDA-specific requirements on top of ISO 13485, but the foundation is the same standard.
FDA-Specific Additions Beyond ISO 13485
The QMSR retains certain FDA-specific requirements that go beyond what ISO 13485:2016 covers:
- Complaint files — specific requirements for complaint records (21 CFR 820.198)
- Medical Device Reporting (MDR) — obligations to report adverse events under 21 CFR 803
- Corrections and removals — requirements for recalls and field corrections (21 CFR 806)
- Reports of corrections, removals, and recalls — documentation and reporting obligations
- Unique Device Identification (UDI) — labeling and identification requirements
- Design history file (DHF) and device master record (DMR) — specific file structure requirements
Bottom line for companies choosing between standards: If you sell medical devices in the U.S. market, the QMSR makes ISO 13485 compliance effectively mandatory. Maintaining a separate "FDA-only" quality system that ignores ISO 13485 is no longer a viable strategy.
QMSR Transition Timeline
| Milestone | Date |
|---|---|
| Final rule published | February 2, 2024 |
| Transition period begins | February 2, 2024 |
| QMSR takes effect | February 2, 2026 |
| Legacy QSR no longer acceptable | February 2, 2026 |
| ISO 13485:2016 next review | Approximately 2030 |
Organizations that have been maintaining an ISO 13485-certified QMS and addressing FDA-specific requirements are well-positioned for the transition. Organizations that have been operating under the legacy QSR without ISO 13485 alignment need to conduct a gap analysis and update their systems before the effective date.
Benefits of Certification
Understanding the practical benefits of each certification helps inform the decision of which standard to pursue — beyond simply meeting minimum requirements.
Benefits of ISO 9001 Certification
- Increased efficiency and reduced waste — The process approach and continual improvement mandate drive organizations to identify and eliminate inefficiencies
- Higher customer satisfaction — The standard's focus on understanding and meeting customer requirements directly improves customer outcomes
- Stronger market reputation — ISO 9001 is the most widely recognized quality credential globally, signaling reliability to customers, partners, and prospects
- Easier compliance with customer demands — Many procurement specifications reference ISO 9001; certification removes a barrier to winning contracts
- Universal applicability — Works across all industries and organization sizes, making it a versatile investment
- Foundation for industry-specific standards — ISO 9001 serves as the base for IATF 16949 (automotive), AS9100 (aerospace), ISO 22000 (food safety), and others
- Demonstrated sales growth — ISO research analyzing 42 studies found that ISO 9001-certified companies typically experience significant sales growth compared to uncertified competitors
Benefits of ISO 13485 Certification
- Required for market access — Effectively mandatory for selling medical devices in the EU, Canada, Japan, Australia, Brazil, South Korea, and many other markets. Without it, you cannot obtain CE marking and may be excluded from major markets entirely
- Reduces risk of unsafe products — The standard's prescriptive controls for design, production, and monitoring are specifically designed to prevent patient harm
- Improves regulatory approval processes — A well-implemented ISO 13485 QMS produces the documentation and evidence that regulators need to evaluate your submissions
- Builds trust with healthcare providers and regulators — Certification signals to hospitals, clinicians, and regulatory bodies that your organization meets internationally recognized quality standards
- Prerequisite for business partnerships — Many OEMs, distributors, and group purchasing organizations will not consider working with an uncertified supplier because that would require them to conduct their own costly supplier audits
- Aligns with FDA QMSR — With the QMSR incorporating ISO 13485 by reference, certification provides the strongest foundation for FDA compliance
- Supports MDSAP participation — ISO 13485 certification is a prerequisite for the Medical Device Single Audit Program, which can replace multiple country-specific audits with a single assessment
- Investor and acquirer expectations — In the medical device industry, investors and potential acquirers routinely evaluate whether a company has an ISO 13485-compliant QMS as a basic measure of operational maturity
When You Need ISO 13485
You need ISO 13485 certification if any of the following apply:
- You manufacture medical devices or IVDs — whether finished devices, components, or accessories
- You sell devices in the EU — notified bodies require an ISO 13485-certified QMS for CE marking under the EU MDR/IVDR
- You sell devices in Canada — Health Canada requires ISO 13485 certification through MDSAP
- You sell devices in the U.S. — while ISO 13485 certification is not legally required, the QMSR (effective February 2026) incorporates ISO 13485 by reference, making compliance essential
- You sell devices in Japan, Australia, Brazil, South Korea, India, Saudi Arabia, Turkey, or Russia — all of these markets require or strongly expect ISO 13485 certification
- Your medical device customers require it — OEMs and contract manufacturers routinely require ISO 13485 certification from their suppliers
- You provide contract sterilization, testing, or other services to device manufacturers — many will require ISO 13485 certification from service providers
Markets and Regulators Requiring ISO 13485
| Market | Regulatory Authority | ISO 13485 Requirement |
|---|---|---|
| European Union | Notified Bodies under EU MDR/IVDR | Effectively mandatory for CE marking |
| United States | FDA | Incorporated by reference in QMSR (effective Feb 2026) |
| Canada | Health Canada | Required via MDSAP |
| Japan | PMDA/MHLW | Required — JPAL based on ISO 13485 |
| Australia | TGA | Required via MDSAP |
| Brazil | ANVISA | Required via MDSAP |
| South Korea | MFDS | Required — KGMP based on ISO 13485 |
| China | NMPA | Separate standard (GB/T 42061) aligned with ISO 13485 |
| India | CDSCO | Required for manufacturing licenses under MDR 2017 |
| Saudi Arabia | SFDA | Required for device registration |
| Turkey | TITCK | Required — follows EU MDR model |
| Russia | Roszdravnadzor | Required for device registration |
| Taiwan | TFDA | Required for Class II and III devices |
| Israel | AMAR/MOH | Required for device registration |
When You Need ISO 9001
ISO 9001 certification is the right choice when:
- You operate in a non-medical industry — manufacturing, services, construction, IT, logistics, education, government, etc.
- Your customers contractually require ISO 9001 — common in automotive supply chains (though IATF 16949 is preferred), aerospace (though AS9100 is preferred), and general industrial supply chains
- You want a foundational QMS — ISO 9001 provides a solid framework for any organization looking to formalize quality management
- You are entering a new market and need a universally recognized quality credential
- You operate in defense or government contracting — many government procurement specifications reference ISO 9001
- You are a service organization — laboratories, testing facilities, consulting firms, IT service providers, and professional services firms often use ISO 9001 as their primary quality standard
Industries Where ISO 9001 Is the Default Standard
| Industry | Typical Standard | Notes |
|---|---|---|
| General manufacturing | ISO 9001 | Foundation for most industrial quality systems |
| Automotive | IATF 16949 (builds on ISO 9001) | ISO 9001 alone is rarely sufficient for OEM suppliers |
| Aerospace | AS9100 (builds on ISO 9001) | ISO 9001 alone is rarely sufficient for defense/aerospace |
| Construction | ISO 9001 | Increasingly required by major contractors |
| IT / Software | ISO 9001 + ISO 27001 | Often combined with information security standards |
| Food manufacturing | ISO 22000 or FSSC 22000 | Industry-specific; ISO 9001 may supplement but not replace |
| Oil and gas | ISO 9001 + API standards | Combined with industry-specific API requirements |
| Government contracting | ISO 9001 | Referenced in many procurement specifications |
| Education | ISO 9001 or ISO 21001 | Growing adoption for quality assurance |
When You Need Both Standards
Dual certification makes sense in specific scenarios:
- Contract manufacturers serving both medical and non-medical customers — ISO 13485 is required by medical device customers; ISO 9001 may be required by aerospace, automotive, or industrial customers
- Diversified manufacturers with medical and non-medical product lines — a single integrated QMS with dual certification can cover both segments
- Component suppliers who serve the medical device industry as one of several markets
- Companies transitioning into medical devices from another industry who want to maintain their existing ISO 9001 certification while adding ISO 13485
Dual Certification: Practical Considerations
| Consideration | Detail |
|---|---|
| Audit days | Dual certification adds audit days — some can be combined if audits are conducted simultaneously, but total audit burden increases |
| Audit cost | Expect 30-50% higher annual audit costs compared to single certification |
| Documentation | You can maintain a single integrated QMS, but you must ensure it satisfies both standards — the differing structures require careful mapping |
| Registrar selection | Choose a registrar accredited for both standards; conducting both audits with a single registrar reduces scheduling complexity and often reduces cost |
| Internal audits | Internal audit program must cover requirements of both standards |
| Management review | Can be combined, but must address all inputs required by both standards |
Cost-saving tip: If you pursue dual certification, negotiate a combined audit with a single registrar. Many registrars offer integrated audit programs where both standards are assessed during the same visit, reducing travel costs and audit days.
Building an Integrated Management System
If you pursue dual certification, building a single integrated management system (IMS) is far more efficient than maintaining two separate quality systems. Here is how to structure it.
Cross-Reference Matrix Approach
Create a master cross-reference matrix that maps every clause of ISO 13485:2016 to its corresponding requirement in ISO 9001:2015. Your procedures, work instructions, and records can then reference this matrix rather than duplicating content. A simplified mapping looks like this:
| ISO 13485:2016 Clause | Topic | ISO 9001:2015 Clause |
|---|---|---|
| 4.1 | General QMS requirements | 4.4 |
| 4.2 | Documentation requirements | 7.5 |
| 5.1 | Management commitment | 5.1 |
| 5.2 | Customer focus | 5.1.2 |
| 5.3 | Quality policy | 5.2 |
| 5.4 | Planning | 6.2 |
| 5.5 | Responsibility, authority, communication | 5.3 |
| 5.6 | Management review | 9.3 |
| 6.1 | Provision of resources | 7.1.1 |
| 6.2 | Human resources | 7.1.2, 7.2 |
| 6.3 | Infrastructure | 7.1.3 |
| 6.4 | Work environment | 7.1.4 |
| 7.1 | Planning of product realization | 8.1 |
| 7.2 | Customer-related processes | 8.2 |
| 7.3 | Design and development | 8.3 |
| 7.4 | Purchasing | 8.4 |
| 7.5 | Production and service provision | 8.5 |
| 7.6 | Control of monitoring and measuring equipment | 7.1.5 |
| 8.1 | General (measurement, analysis, improvement) | 9.1 |
| 8.2 | Monitoring and measurement | 9.1, 9.2 |
| 8.3 | Control of nonconforming product | 8.7 |
| 8.4 | Analysis of data | 9.1.3 |
| 8.5 | Improvement | 10.1, 10.2, 10.3 |
| N/A | Context of the organization | 4.1, 4.2 (ISO 9001 only) |
| N/A | Actions to address risks and opportunities | 6.1 (ISO 9001 only) |
Single Document System
Write procedures that satisfy the more stringent of the two standards (usually ISO 13485) and add supplementary elements to address ISO 9001-unique requirements (context of the organization, interested parties, continual improvement). This means your core procedures exceed ISO 9001 requirements in most areas, with a small overlay for ISO 9001-specific concepts.
Transitioning from ISO 9001 to ISO 13485
Many companies entering the medical device industry already hold ISO 9001 certification. Transitioning to ISO 13485 is not a simple upgrade — it requires significant additions to your QMS. Here is a structured approach.
Step 1: Executive Commitment and Planning (Weeks 1-4)
- Secure leadership buy-in and resource allocation — ISO 13485 implementation requires dedicated quality team time, potential consulting support, and budget for certification
- Assign a project lead with quality system and regulatory knowledge
- Develop a project plan with timeline and milestones
Step 2: Gap Analysis (Weeks 2-6)
Conduct a thorough gap analysis comparing your current ISO 9001-certified QMS against every clause in ISO 13485:2016. Key areas where gaps are typically largest:
| Gap Area | What ISO 9001 Has | What ISO 13485 Adds |
|---|---|---|
| Quality manual | May not exist (not required since 2015) | Must be created |
| Risk management | Risk-based thinking (general) | Formal, documented risk management processes per ISO 14971 |
| Design controls | General requirements (or excluded) | Extensive, prescriptive requirements including design transfer |
| Medical device file | Does not exist | Required for each device type/family |
| Software validation | Not required | Required for all QMS software |
| Process validation | General requirement | Detailed, prescriptive requirements for specific processes |
| Regulatory documentation | Minimal | Must be integrated throughout the QMS |
| Complaint handling | Part of customer feedback | Separate, formal process with regulatory reporting |
| Advisory notices | Not applicable | Documented procedure for recalls/field actions |
| Traceability | Basic | Extensive, to component level |
| Work environment | General | Documented contamination control, cleanliness, clothing requirements |
Step 3: Build the Medical Device-Specific Framework (Weeks 4-16)
Address the gaps identified in Step 2:
- Create or update the quality manual to reflect ISO 13485 requirements
- Establish risk management processes aligned with ISO 14971
- Develop or enhance design controls with all required stages (planning, inputs, outputs, reviews, verification, validation, transfer, changes)
- Create medical device files for each device type or family
- Validate QMS software (eQMS, ERP, spreadsheets used for quality decisions)
- Establish or enhance complaint handling with regulatory reporting triggers
- Create advisory notice procedures for recalls and field safety corrective actions
- Enhance traceability systems to device/batch/serial number level
- Document work environment controls (contamination control, cleanliness, environmental monitoring)
- Enhance supplier controls with documented purchasing procedures, change notification requirements, and risk-based evaluation criteria
Step 4: Training (Weeks 8-16)
Training is critical and often underestimated during transition projects:
- All relevant personnel must be trained on new or updated procedures — do not limit training to the quality team
- Provide ISO 13485-specific training for the quality team, including the standard itself and its relationship to applicable regulations
- Retrain internal auditors to audit against ISO 13485 and applicable regulatory requirements — consider sending key auditors to a formal ISO 13485 lead auditor course
- Train design engineers on design control procedures including the requirements for design inputs, outputs, reviews, verification, validation, transfer, and change management
- Train production staff on process validation, traceability, and work environment requirements
- Document all training activities and assess competency — ISO 13485 requires evidence that training was effective, not just that it occurred
Step 5: Implementation and Internal Audits (Weeks 12-24)
- Implement the new and updated processes and procedures across all applicable functions
- Generate sufficient records to demonstrate effective implementation — auditors will want to see evidence of at least 3-6 months of operation
- Conduct a full internal audit cycle against ISO 13485:2016, covering all applicable clauses
- Document all audit findings and ensure corrective actions are initiated and tracked
- Conduct a management review addressing all required inputs per Clause 5.6.2, including regulatory reporting and complaint handling
- Conduct a pre-assessment or mock audit if possible — many registrars offer this service (though using your certification body for pre-assessment can create a conflict of interest)
Step 6: Certification Audit (Weeks 20-30)
The certification audit is a two-stage process:
- Stage 1 audit (typically 1-2 days on-site): The auditor reviews your QMS documentation, verifies that your system is designed to meet ISO 13485 requirements, and assesses readiness for the Stage 2 audit. Common Stage 1 findings include incomplete documentation, missing procedures, or quality manual gaps. You will receive a report and must address any findings before proceeding.
- Stage 2 audit (typically 2-5 days on-site, depending on organization size): The auditor verifies that your documented system is implemented and effective. This involves interviewing personnel, reviewing records, observing processes, and tracing products through the system. Nonconformities are classified as major or minor.
- Closing nonconformities: Major nonconformities must be resolved before certification can be granted. Minor nonconformities must be addressed within a specified timeframe (usually 90 days). Once nonconformities are closed, the registrar issues the ISO 13485 certificate.
- Surveillance cycle: After certification, annual surveillance audits (typically 1-2 days) are conducted in years 2 and 3. A full recertification audit occurs in year 4 to renew the certificate.
Typical Timeline and Budget
| Organization Size | Typical Timeline | Estimated Budget (Implementation + Certification) |
|---|---|---|
| Small (under 50 employees) | 6-9 months | $25,000-$60,000 |
| Medium (50-250 employees) | 9-14 months | $50,000-$120,000 |
| Large (250+ employees, multi-site) | 12-18+ months | $100,000-$300,000+ |
These ranges include internal labor, consulting support, training, software/tools, and certification body fees. The largest variable is whether you need significant help from external consultants or have in-house ISO 13485 expertise.
Certification Body Selection
For ISO 9001
The ISO 9001 certification body market is large and competitive. There are hundreds of accredited registrars worldwide. Key considerations:
- Ensure the registrar is accredited by a recognized accreditation body (e.g., ANAB, UKAS, DAkkS, JAS-ANZ)
- Compare pricing for the initial certification audit plus the three-year surveillance cycle
- Consider industry experience — a registrar familiar with your industry will provide more value during the audit
For ISO 13485
The ISO 13485 certification body market is smaller and more specialized. Not all ISO 9001 registrars are also accredited for ISO 13485. Additional considerations:
- Notified body vs. general registrar — If you need CE marking for the EU market, your notified body (e.g., BSI, TÜV SÜD, DEKRA, SGS) can also be your ISO 13485 registrar. This can create efficiency, but also means a single body controls both your certification and your market access.
- MDSAP recognition — If you sell in MDSAP markets (Canada, Australia, Brazil, Japan, U.S.), consider a registrar that is an authorized MDSAP auditing organization. An MDSAP audit covers ISO 13485 plus market-specific regulatory requirements in a single audit, potentially replacing multiple separate audits.
- Regulatory scope — Ensure the registrar understands the specific regulatory requirements of your target markets
- Audit team expertise — ISO 13485 auditors should have medical device industry experience, not just quality system auditing experience
Cost Comparison
| Cost Element | ISO 9001 | ISO 13485 |
|---|---|---|
| Initial certification audit | $3,000-$12,000 | $5,000-$20,000 |
| Annual surveillance audit | $2,000-$6,000 | $3,000-$10,000 |
| Recertification (every 3 years) | $3,000-$10,000 | $5,000-$18,000 |
| Implementation (with consultant) | $5,000-$30,000 | $15,000-$80,000 |
| Implementation (internal only) | $2,000-$10,000 | $8,000-$40,000 |
| Total 3-year cost (typical) | $15,000-$60,000 | $35,000-$150,000 |
Costs vary significantly based on organization size, number of sites, product complexity, device risk classification, and geographic location. The figures above represent typical ranges for small to mid-size organizations.
Using an Electronic Quality Management System (eQMS)
Given the extensive documentation, record-keeping, and traceability requirements — especially under ISO 13485 — many organizations implement an electronic quality management system (eQMS) to manage their QMS digitally. While neither standard mandates the use of an eQMS, it has become a practical necessity for most medical device companies and a significant advantage for ISO 9001-certified organizations.
Why an eQMS Matters More for ISO 13485
The documentation burden under ISO 13485 is substantially heavier than under ISO 9001. An eQMS helps manage:
- Document control — Automated version control, approval workflows, and distribution tracking. ISO 13485 requires that document changes be reviewed and approved by the original approving function — an eQMS enforces this automatically.
- Training management — Linking training requirements to job roles, tracking completion, and documenting competency assessments. ISO 13485's requirement that training effectiveness be evaluated is significantly easier to manage digitally.
- CAPA management — Tracking corrective and preventive actions from initiation through effectiveness verification, with linkage to complaints, audit findings, and nonconformities.
- Complaint handling — Logging, investigating, and tracking complaints with automated escalation for potential reportable events. ISO 13485 requires that complaints not resulting in CAPA be documented with a justification — an eQMS makes this traceable.
- Audit management — Scheduling, conducting, and tracking internal audit findings and corrective actions.
- Supplier management — Maintaining approved supplier lists, tracking evaluation and re-evaluation schedules, and managing supplier change notifications.
- Risk management — Maintaining risk management files with linkage to design inputs, CAPA, and post-market surveillance data.
- Design control — Managing design inputs, outputs, reviews, verification, validation, and transfer with full traceability.
Key Considerations When Selecting an eQMS
| Consideration | ISO 9001 Focus | ISO 13485 Focus |
|---|---|---|
| Validation requirement | No validation requirement for QMS software | QMS software must be validated before initial use and after changes (Clause 4.1.6) — the eQMS itself must be validated |
| Regulatory templates | Not needed | Medical device-specific templates (complaint forms, CAPA forms, design review templates) save significant setup time |
| 21 CFR Part 11 compliance | Not required | Required if selling in the U.S. market — electronic signatures and audit trails must meet FDA requirements |
| Integration capability | Nice to have | Important — integration with ERP, PLM, and manufacturing systems supports traceability requirements |
| Scalability | Moderate need | Critical — the system must handle growing documentation as you add products, markets, and regulatory requirements |
Important note: If you implement an eQMS under ISO 13485, remember that the software itself is part of your QMS and must be validated per Clause 4.1.6. This means conducting installation qualification, operational qualification, and performance qualification, and maintaining validation records. This validation requirement also applies to spreadsheets, databases, and any other software used to make quality decisions.
The Annex SL Question: Will ISO 13485 Adopt the Harmonized Structure?
This is a frequently asked question among quality professionals managing integrated management systems. Here is the current status.
Background
Since 2012, ISO has required all new and revised management system standards to adopt the Harmonized Structure (formerly called the High-Level Structure or Annex SL). ISO 9001:2015, ISO 14001:2015, ISO 45001:2018, and ISO 27001:2022 all follow this structure. ISO 13485:2016 does not.
Why ISO 13485 Has Not Adopted It
When ISO TC 210 developed ISO 13485:2016, they made a deliberate decision not to adopt the Annex SL structure. Their reasoning:
- ISO 13485 is a regulatory tool, not just a management system standard. It must align with the needs of regulators worldwide, many of whom had already incorporated the existing structure into their regulatory frameworks.
- The ISO 9001:2015 concepts of "context of the organization" and "interested parties" were deemed unnecessary for a standard whose regulatory context is explicitly defined by law.
- Changing the clause structure would require global regulators to update their references, creating a multi-year disruption.
What Happens Next
ISO 13485:2016 was confirmed in its current form in 2025 and will not be up for review again until 2030. However, ISO has indicated that the next revision of ISO 13485 will need to adopt the Harmonized Structure (now called Annex L). This means:
- The next revision (likely post-2028) will restructure from 8 clauses to 10 clauses
- Core concepts from the Harmonized Structure (context, leadership, planning for risks and opportunities) will be incorporated
- The medical device-specific requirements will be preserved and potentially strengthened
- There will be a multi-year transition period
What to do now: If you maintain an integrated management system, create a cross-reference matrix mapping ISO 13485 clauses to Annex SL clauses. This makes it manageable today and positions you for the eventual structural change.
Traceability, Complaint Handling, and Advisory Notices: Regulatory Requirements Unique to ISO 13485
These three areas represent requirements in ISO 13485 that have no meaningful equivalent in ISO 9001. They reflect the regulated nature of the medical device industry and are among the areas auditors examine most closely.
Traceability
ISO 9001 requires traceability only "where it is a requirement" — leaving it to the organization to determine when traceability is necessary. For many ISO 9001-certified organizations, traceability is limited to batch or lot identification.
ISO 13485 takes a fundamentally different approach:
- Documented procedures for traceability are required (Clause 7.5.9)
- The extent of traceability must meet applicable regulatory requirements (which, for most markets, is extensive)
- For implantable devices, traceability must extend to all materials, components, and work environment conditions used in manufacturing
- Organizations must maintain records that identify the amount manufactured and amount approved for distribution for each batch
- Traceability supports field actions — if a problem is discovered, you must be able to identify which units are affected and where they were distributed
In practice, medical device traceability means maintaining lot or serial number tracking from incoming raw materials through every production step to final distribution, including records of who received which lots/serial numbers.
Complaint Handling
ISO 9001 addresses customer complaints as part of the broader customer feedback and corrective action processes. There is no separate, formal complaint handling requirement.
ISO 13485 establishes complaint handling as a distinct, documented process (Clauses 8.2.1, 8.5.1):
- A documented procedure for complaint handling is required
- Complaints must be evaluated for their potential to constitute a reportable event (adverse event, serious injury, malfunction)
- If a complaint involves a reportable event, the organization must notify the appropriate regulatory authority
- Complaints that do not result in a CAPA must be documented with a justification for why no action was taken
- Complaint records must be maintained and made available to regulatory authorities upon request
- The complaint handling system must serve as an early warning system for quality problems
Advisory Notices
ISO 9001 has no concept of advisory notices. ISO 13485 requires:
- A documented procedure for issuing advisory notices (recalls, field safety corrective actions, field safety notices)
- The procedure must be capable of being implemented at any time — meaning it must be ready to execute immediately, not developed ad hoc when a problem arises
- Records of advisory notice activities, including investigation, decision-making, and regulatory notifications
- Advisory notice implementation must be documented and reported to regulatory authorities as required
Key insight: These three areas — traceability, complaint handling, and advisory notices — are where the regulatory purpose of ISO 13485 is most visible. They exist because medical devices can directly affect patient safety, and regulators need the ability to trace problems, evaluate complaints, and ensure that dangerous products can be recalled quickly and completely. ISO 9001 does not need these mechanisms because the consequences of product failure in most industries, while serious, do not typically involve patient safety.
Common Misconceptions
Misconception 1: "ISO 13485 is just ISO 9001 with a few extras"
Reality: While ISO 13485 shares heritage with ISO 9001, they are structurally different standards with fundamentally different objectives. ISO 13485 adds extensive requirements for risk management, design controls, process validation, traceability, complaint handling, and regulatory compliance that go far beyond "a few extras." Companies that treat ISO 13485 as "ISO 9001 plus a layer" consistently underestimate the implementation effort.
Misconception 2: "If I have ISO 13485, I automatically meet ISO 9001"
Reality: No. While ISO 13485 is more stringent in many areas, ISO 9001:2015 includes requirements that ISO 13485 does not address — most notably "context of the organization," "interested parties," the Annex SL structure, and the explicit mandate for continual improvement. An ISO 13485-certified company would need to add these elements to achieve ISO 9001 certification.
Misconception 3: "If I have ISO 9001, transitioning to ISO 13485 is quick"
Reality: ISO 9001 provides a useful foundation, but the transition typically takes 6-18 months depending on organization size and complexity. The biggest gaps — risk management processes, design controls, medical device files, process validation, regulatory documentation, complaint handling, and traceability systems — require substantial effort to build.
Misconception 4: "ISO 13485 requires continual improvement"
Reality: ISO 13485 requires maintaining the effectiveness of the QMS but does not mandate continual improvement in the way ISO 9001 does. The standard requires corrective action and preventive action (CAPA), and organizations must identify and implement necessary changes, but the emphasis is on consistency and reliability, not continuous optimization. This is by design — in a regulated environment, stability and reproducibility of validated processes are valued over frequent change.
Misconception 5: "Only manufacturers need ISO 13485"
Reality: The standard applies to any organization involved in the medical device lifecycle, including contract manufacturers, design houses, sterilization service providers, distributors, importers (where they perform quality-affecting activities), service providers, and component suppliers. The scope of your QMS should reflect your actual role in the supply chain.
Misconception 6: "ISO 13485 certification means I am FDA-compliant"
Reality: ISO 13485 certification demonstrates QMS conformity to the standard, but it does not automatically satisfy all FDA requirements. The QMSR incorporates ISO 13485 by reference but adds FDA-specific requirements. Additionally, FDA regulations cover areas beyond the QMS (device listing, premarket submissions, labeling, adverse event reporting) that ISO 13485 does not address. ISO 13485 certification provides a strong foundation for FDA compliance, but it is not a substitute for full regulatory compliance.
Misconception 7: "Small companies do not need ISO 13485"
Reality: The standard applies regardless of company size. A two-person startup designing an implantable device needs ISO 13485 just as much as a multinational corporation. In fact, many investors and potential acquirers will not consider a medical device startup that does not have at least an ISO 13485-compliant QMS in place.
Decision Framework: Which Standard Do You Need?
Use this decision tree to determine which standard applies to your situation.
Question 1: Do you manufacture, design, distribute, or service medical devices or IVDs?
- Yes → You need ISO 13485. Proceed to Question 2.
- No → You need ISO 9001 (or an industry-specific standard built on ISO 9001). ISO 13485 does not apply to you.
Question 2: Do you also manufacture or provide products/services for non-medical industries?
- Yes → Evaluate whether your non-medical customers require ISO 9001. If they do, pursue dual certification. If they do not, ISO 13485 alone may be sufficient.
- No → ISO 13485 alone is sufficient for your business.
Question 3: Do you sell devices in the U.S. market?
- Yes → Ensure your ISO 13485 QMS addresses the QMSR's FDA-specific requirements (complaint files, MDR reporting, corrections and removals, UDI). Building your QMS around ISO 13485:2016 aligns you with the QMSR effective February 2, 2026.
- No → Focus on the regulatory requirements of your specific target markets, all of which reference or require ISO 13485.
Question 4: Do you sell in multiple international markets?
- Yes → Consider MDSAP certification, which covers ISO 13485 plus market-specific regulatory requirements for the U.S., Canada, Australia, Brazil, and Japan in a single audit program.
- No → Standard ISO 13485 certification with market-specific regulatory compliance is appropriate.
Key Takeaways
- Different purposes — ISO 9001 targets customer satisfaction and continual improvement across any industry. ISO 13485 targets safety, regulatory compliance, and QMS effectiveness specifically for medical devices.
- Different structures — ISO 9001:2015 uses the 10-clause Annex SL Harmonized Structure. ISO 13485:2016 uses the older 8-clause structure from ISO 9001:2008.
- Regulatory weight — ISO 13485 is required or effectively required by regulators in the EU, Canada, Japan, Australia, Brazil, South Korea, India, and many other markets. With the QMSR (effective February 2026), the U.S. FDA has also aligned with ISO 13485.
- Risk management — ISO 9001 introduces risk-based thinking as a general concept. ISO 13485 requires formal, documented risk management processes throughout the product lifecycle, aligned with ISO 14971.
- Design controls — ISO 13485 imposes prescriptive design control requirements that are significantly more demanding than ISO 9001, including design transfer and design files.
- No automatic equivalence — Holding one certification does not satisfy the other. Each has unique requirements that the other does not cover.
- Dual certification is viable but adds cost and complexity. It is worth pursuing only if your business serves both medical and non-medical customers who each require their respective standard.
- The QMSR changes the equation — For U.S. market participants, ISO 13485 compliance is now effectively mandatory, making it the default choice for medical device companies.
- Transition from ISO 9001 to ISO 13485 is feasible but requires significant effort (typically 6-18 months) and should not be underestimated.
- The future — When ISO 13485 is eventually revised, it will adopt the Harmonized Structure, bringing it structurally closer to ISO 9001:2015 and making integrated management systems easier to maintain.
Frequently Asked Questions
Can I use ISO 9001 instead of ISO 13485 for medical devices?
No. ISO 9001 does not include the medical device-specific requirements (risk management, design controls, complaint handling, regulatory documentation, traceability, process validation, advisory notices) that regulators require. While ISO 9001 provides a solid quality management foundation, it is not accepted as a substitute for ISO 13485 by any major medical device regulatory authority.
Does ISO 13485 certification satisfy ISO 9001 requirements?
Not fully. ISO 13485 covers many of the same areas as ISO 9001, and is more stringent in most areas related to product quality. However, ISO 9001:2015 includes requirements that ISO 13485 does not address, such as "context of the organization," formal identification of interested parties, and an explicit continual improvement mandate. If you need ISO 9001 certification, you must separately demonstrate conformity to those requirements.
Is ISO 13485 certification required by the FDA?
ISO 13485 certification is not technically required by the FDA — the FDA does not accept third-party certifications as a substitute for FDA inspections (with the exception of the Accredited Persons program for certain devices). However, with the QMSR incorporating ISO 13485:2016 by reference effective February 2, 2026, compliance with ISO 13485 is the most direct path to meeting FDA quality system requirements.
How long does it take to get ISO 13485 certified if I already have ISO 9001?
Typically 6-12 months for a small to mid-size company with a well-functioning ISO 9001 QMS. The timeline depends on the complexity of your products, the extent of your existing design control process, and whether you need to implement new processes for risk management, process validation, and regulatory documentation. Companies starting from scratch typically require 9-18 months.
Can I use the same registrar for both ISO 9001 and ISO 13485?
Yes, if the registrar is accredited for both standards. Using a single registrar simplifies scheduling, allows for combined audits, and often reduces total cost. Confirm that the registrar has auditors with medical device industry experience for the ISO 13485 portion.
What is MDSAP and how does it relate to ISO 13485?
The Medical Device Single Audit Program (MDSAP) is a program that allows a single audit of a medical device manufacturer's QMS to satisfy the requirements of multiple regulatory authorities (currently the U.S., Canada, Australia, Brazil, and Japan). MDSAP audits are conducted against ISO 13485 plus the specific regulatory requirements of each participating country. ISO 13485 certification is a prerequisite for MDSAP.
If I only sell devices in the U.S., do I need ISO 13485?
With the QMSR effective February 2, 2026, compliance with ISO 13485:2016 is the most practical path to meeting FDA quality system requirements, even if you only sell in the U.S. You are not required to obtain third-party certification, but building your QMS around ISO 13485 will align you with the QMSR and prepare you for future market expansion.
What is the relationship between ISO 13485 and ISO 14971?
ISO 14971 (Application of risk management to medical devices) is the standard that defines how to conduct risk management for medical devices. ISO 13485 requires that risk management be applied throughout the product lifecycle but references ISO 14971 as the framework for how to do it. In practice, you need both: ISO 13485 tells you that you must do risk management; ISO 14971 tells you how.
Is ISO 13485 being revised?
ISO 13485:2016 was confirmed in its current form in 2025. The next review is expected around 2030. When a revision does occur, it is expected to adopt the Harmonized Structure (Annex L), which will bring its clause structure in line with ISO 9001:2015 and other modern management system standards. No timeline has been set for this revision.
What are the biggest challenges when implementing ISO 13485 for the first time?
The most common challenges are: (1) establishing a compliant design control process with full traceability, (2) implementing formal risk management aligned with ISO 14971, (3) validating QMS software and production processes, (4) building a regulatory documentation framework, (5) establishing complaint handling and adverse event reporting procedures, and (6) creating the medical device file structure. Companies entering from non-medical industries consistently underestimate the documentation and process rigor required.
Do I need a consultant to implement ISO 13485?
Not necessarily, but it depends on your team's experience. If your quality team has ISO 13485-specific expertise and medical device regulatory knowledge, you can implement in-house. If your team's experience is primarily with ISO 9001 or other general standards, a consultant with ISO 13485 implementation experience can significantly reduce your timeline and help you avoid common pitfalls. Consultants are particularly valuable for establishing risk management processes, design controls, and the regulatory documentation framework. Expect to pay $150-$300/hour for an experienced ISO 13485 consultant, or $15,000-$60,000 for a full implementation project depending on scope.
How do the audit experiences differ between ISO 9001 and ISO 13485?
ISO 9001 audits tend to focus on process effectiveness, customer satisfaction data, continual improvement evidence, and management commitment. The auditor has flexibility in how they assess these areas. ISO 13485 audits are more prescriptive and documentation-heavy. Auditors will ask to see specific records (risk management files, design files, process validation protocols, complaint logs, CAPA records, training records), trace products through the system from design inputs to finished goods, verify regulatory compliance, and check that every required documented procedure exists and is followed. ISO 13485 audits typically take more time and involve more detailed record review than ISO 9001 audits.
Can a component supplier get ISO 13485 certified even if they do not design or manufacture finished devices?
Yes. ISO 13485 is structured so that organizations can exclude clauses that do not apply to their activities. A component supplier that does not perform design activities can exclude Clause 7.3 (Design and Development), provided this exclusion is justified in their quality manual. The supplier's QMS would still need to address manufacturing controls, traceability, incoming inspection, process validation, and other applicable requirements. Many finished device manufacturers increasingly require their critical component suppliers to hold ISO 13485 certification.
How does ISO 13485 relate to the ISO 9000 family of standards?
ISO 13485 was originally developed as a medical device-specific interpretation of ISO 9001 and was based on its quality requirements. However, since its initial publication in 1996, ISO 13485 has evolved into a fully standalone standard. The current edition (ISO 13485:2016) makes no normative references to ISO 9001 as source material. Compliance with one standard does not imply compliance with the other. While they share heritage in quality management principles, they are now structurally and substantively different documents maintained by different ISO technical committees (TC 176 for ISO 9001; TC 210 for ISO 13485).
How should I prepare for an ISO 13485 certification audit?
Preparation should include: (1) develop a comprehensive QMS aligned with all applicable clauses of ISO 13485:2016, (2) maintain complete and traceable documentation including quality manual, procedures, work instructions, and records, (3) ensure all staff have received appropriate training and that training effectiveness has been documented, (4) conduct at least one full internal audit cycle covering all applicable clauses, (5) complete a management review addressing all required inputs per Clause 5.6.2, (6) perform a gap analysis identifying and closing any remaining nonconformities, (7) ensure risk management files are complete for all device types, (8) verify that complaint handling, CAPA, and advisory notice procedures are documented and operational, and (9) accumulate at least 3-6 months of records demonstrating effective QMS implementation. Many organizations also conduct a pre-assessment or mock audit to identify issues before the formal certification audit.
Does ISO 13485 apply to Software as a Medical Device (SaMD)?
Yes. ISO 13485 applies to any organization involved in the lifecycle of medical devices, including software that qualifies as a medical device under applicable regulations. Companies developing SaMD must comply with ISO 13485 requirements including design controls, risk management (aligned with ISO 14971), software validation, complaint handling, and post-market surveillance. IEC 62304 (Medical Device Software Lifecycle Processes) is typically implemented alongside ISO 13485 to address software-specific lifecycle requirements. The intersection of ISO 13485 and IEC 62304 provides a comprehensive framework for SaMD quality management.
How many companies are certified to each standard?
As of the most recent ISO survey data, over 1.2 million organizations worldwide hold ISO 9001 certification, making it the most widely adopted management system standard in the world. ISO 13485 certifications exceed 33,000 globally, with the number growing at approximately 11% per year. The large difference reflects the universal applicability of ISO 9001 versus the industry-specific focus of ISO 13485. Within the medical device industry, ISO 13485 is the dominant QMS standard.