verified_user
Standardful
Homechevron_rightStandardschevron_rightISO 13485:2016
ActiveInternational Standardupdate Standard Updated: March 2016fact_check Fact checked: Jun 28, 2026

ISO 13485:2016

Medical devices — Quality management systems — Requirements for regulatory purposes

apartmentPublishing Organization:International Organization for Standardization (ISO)

Standard Introduction

ISO 13485:2016 is an active standard published by International Organization for Standardization (ISO). It is commonly used across Medical Devices, Healthcare and applies in Global.

Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with ISO 13485:2016.

medical_services

Medical Device Specific

Unlike general ISO 9001, this standard is tailored specifically for medical device organizations — addressing regulatory requirements, risk management, and product safety throughout the entire lifecycle.

shield

Risk-Based Approach

Requires risk management to be applied throughout product realization, from design and development through production, storage, distribution, and post-market surveillance.

public

Global Regulatory Recognition

Recognized by regulatory authorities worldwide including the EU (MDR/IVDR), Canada (CMDCAS), Japan (JPAL), Australia (TGA), and Brazil (ANVISA) — with over 32,000 valid certificates globally.

list_alt Key QMS Requirements

  • Quality management system documentation and control
  • Management responsibility and commitment
  • Resource management and competence
  • Product realization planning and risk management
  • Design and development controls with verification and validation
  • Purchasing and supplier controls
  • Production and service provision with process validation
  • Monitoring, measurement, and corrective/preventive action

Who Needs to Comply?

groups

Any organization involved in the design, development, production, storage, distribution, installation, servicing, or disposal of medical devices and related services — including component suppliers, contract manufacturers, and sterilization service providers.

Key Requirements

1

Design & Development Controls

Establish and maintain procedures for design planning, inputs, outputs, reviews, verification, validation, and transfer. Maintain a design history file documenting the entire development lifecycle.

2

Risk Management

Apply risk management throughout product realization per ISO 14971. Identify hazards, estimate and evaluate risks, implement controls, and verify their effectiveness. Maintain risk management files.

3

Process Validation

Validate production and service processes where resulting output cannot be fully verified by subsequent inspection or testing — including sterilization, software validation, and cleanroom processes.

4

Traceability & Post-Market Surveillance

Maintain traceability records for each medical device or batch. Establish procedures for complaint handling, adverse event reporting, and post-market surveillance to identify improvement opportunities.

5

Supplier Controls

Evaluate and select suppliers based on their ability to meet requirements. Establish purchasing specifications, verify purchased products, and maintain records of supplier performance and approved supplier lists.

Implementation Roadmap

1
Phase 1schedule Duration: 3-6 weeks

Define medical-device QMS scope

Identify product families, lifecycle activities, sites, outsourced processes, regulatory jurisdictions, and applicable quality-system obligations. Confirm whether design, manufacturing, servicing, installation, distribution, or software activities are in scope.

2
Phase 2schedule Duration: 6-12 weeks

Build process and risk controls

Map ISO 13485 processes for document control, management responsibility, resource management, product realization, supplier control, design and development, sterilization, traceability, risk management, and feedback.

3
Phase 3schedule Duration: 12-28 weeks

Implement records and validation

Deploy controlled procedures, device master records, design history files, process validation, software validation, purchasing records, training, complaint handling, nonconformance, CAPA, and post-market feedback evidence.

4
Phase 4schedule Duration: Ongoing

Audit and sustain certification

Run internal audits and management reviews, close CAPA, prepare for certification or regulatory audits, and maintain change control as products, suppliers, regulations, and production processes evolve.

Compliance Checklist

0 / 12

checklist QMS scope and governance

checklist Product realization

checklist Feedback and improvement

Penalties & Enforcement

warning

ISO 13485 is voluntary, but certification is effectively mandatory for market access in most jurisdictions. Loss of certification can prevent marketing medical devices in the EU (MDR), Canada, Japan, Australia, and other regulated markets. Regulatory authorities may halt production or issue recalls.

Frequently Asked Questions

Who needs ISO 13485?

expand_more

ISO 13485 is used by organizations involved in one or more stages of the medical-device lifecycle, including design, development, production, storage, distribution, installation, servicing, and related support services.

Is ISO 13485 the same as ISO 9001?

expand_more

No. ISO 13485 is specific to medical devices and emphasizes regulatory requirements, risk management, documented procedures, validation, traceability, complaint handling, and product safety. It is related to quality management but not interchangeable with ISO 9001.

Does ISO 13485 require risk management?

expand_more

Yes. Risk-based thinking is embedded in product realization and QMS processes, and medical-device organizations commonly link ISO 13485 evidence to ISO 14971 risk-management files.

How does ISO 13485 relate to FDA QMSR?

expand_more

FDA has incorporated ISO 13485:2016 by reference as the foundation for the Quality Management System Regulation, making alignment especially important for manufacturers serving the U.S. market.

What audit evidence is most important?

expand_more

Auditors typically expect controlled procedures, design and development records, risk files, validation evidence, supplier controls, training records, complaint handling, CAPA, internal audits, and management review outputs.

Official Documentation

View All

Implementation Timeline

edit_document
1996
First edition of ISO 13485 published
update
2003
Second edition published, aligned with ISO 9001:2000
check_circle
March 2016
Third edition (ISO 13485:2016) published with emphasis on risk management and regulatory requirements
event
March 2019
Transition deadline — all certifications must conform to the 2016 edition
verified
May 2021
ISO 13485:2016 confirmed (reaffirmed) without revision

Related Categories