
Introduction to ISO 13485:2016

Medical technology is expanding at an astounding rate. New medical techniques, medications, equipment and devices are currently being developed that could not have been imagined just a few decades ago. Recent advancements in medicine and new medical technology, including diagnostic and therapeutic devices, have revolutionized modern healthcare. With this swift advancement of medical technology and devices, there is inherent risk. Companies that are producing medical devices and equipment must develop the most effective quality practices. Today’s consumers are constantly being bombarded by advertisements regarding litigation against medical device manufacturers. Just one major issue can have a profound impact not only on the manufacturer and the medical practitioner but, most importantly, on the patient’s well-being. Quality issues in many other types of products may cause inconvenience or put consumers at nominal risk of illness or injury. With medical devices, quality issues could not only cause serious health issues but can also lead to death. Medical device manufacturers must develop and implement a very robust quality management system that must encompass the entire product life cycle. To ensure the quality system is sufficient, most organizations pursue certification of their quality management system to the latest revision of the ISO 13485 standard for Medical Devices Quality Management Systems.

What is ISO 13485:2016

ISO 13485 is an international standard that specifies the quality management system requirements for organizations involved with medical devices at any stage of the product lifecycle. This would include the design, development, production, storage, distribution, installation, service and technical support of the device. The ISO 13485:2016 revision is the third edition of the standard and supersedes the previous ISO 13485:2013. This latest revision of the standard contains considerable updates regarding risk-based quality processes, supplier management, and strict adherence to regulatory requirements. This standard may be applied to parties that provide material, product or services to the organization and is applicable to organizations of all sizes, large and small. In addition, any processes required to obtain or maintain compliance to the ISO 13485:2016 standard that are not performed within the organization remain the responsibility of the organization and must be included within the quality management system. The organization must monitor, control and ensure proper maintenance of the external processes.

The ISO 13485:2016 standard focuses on a process approach to quality management within an organization. The process approach is a review of the sequence, the inputs and outputs, and the interaction of processes. Any activity that receives inputs and produces outputs is considered a process. In most cases, the output of one process is the input for the next and so on. The process approach perceives the management system not as a collection of documents but as an active system of processes. Quality system processes should identify and mitigate risk, in particular the risk to product and process quality, to the business in general, and to meeting customer or regulatory requirements. Organizations that utilize a process approach to quality management tend to:

  • Better understand and consistently meet or exceed product requirements
  • Evaluate each process from a value-added perspective
  • Achieve a higher level of process performance
  • Continually improve processes based upon performance data and not on speculation or opinion.

Why Implement ISO 13485:2016

Maintaining the highest quality achievable in the manufacture, distribution, use and maintenance of medical devices is more vital than with other products and services. Product quality issues in the majority of industries may result in widespread recalls, substantial financial impact, and loss of brand equity. Quality problems with medical devices can result in class action lawsuits, physical harm to patients, and potential loss of life. Therefore, the importance of developing and implementing an ISO 13485:2016 compliant quality system cannot be overemphasized. Numerous organizations have already realized significant savings in the Cost of Quality (COQ) in addition to the many other advantages of adopting the requirements of the ISO 13485:2016 standard. Some of the potential benefits are as follows:

  • Improved product quality resulting in enhanced brand equity.
  • Increased customer satisfaction resulting in a higher level of repeat business.
  • Increased efficiency and reduced costs through improved quality and reduced waste.
  • Decision making based on facts and data, aligned with strategic goals.
  • Development of a continuous improvement culture or mindset within the organization

The ISO 13485 standard is widely accepted as the benchmark for medical device manufacturers' quality management systems. Many organizations certified under the standard have achieved improved product quality, reliability and regulatory compliance, and are aligned with industry best practices. Organizations of any size or type can and are developing and implementing ISO 13485 compliant quality management systems. The future of your quality management system and your organization depends upon you.

How to Implement ISO 13485

Implementation of ISO 13485 and subsequent certification is going to require time, resources, commitment, and full support of the management team. The amount of time and resources will depend on whether or not your organization has an existing comprehensive and effective QMS already in place. If your organization already conforms to other ISO standards the transformation should be easier. Within the standard there are two informative sections that provide comparisons to other ISO standards or revisions:

  • ISO 13485:2003 and the newer ISO 13485:2016.
  • ISO 13485:2016 and ISO 9001:2015

The majority of the remaining sections constitute the heart of the standard, focusing on the contents and requirements for developing, implementing and managing an ISO 13485:2016 compliant Quality Management System (QMS).

Determine your product’s classification

Evaluate the features and characteristics of your product (medical device), and define its classification according to the associated risk. Medical devices are designated as Class I, II or III, with Class I devices posing the least risk of causing harm to the user or patient and Class III devices posing the highest potential risk. In addition, Class I devices are generally simpler in design than the higher-level devices. There are several characteristics that play a role in determining the class designation of a medical device including:

  • The length of time the device will be used
  • Are medicinal substances contained within the device?
  • Whether or not the device is surgically invasive
  • Is the device active or surgically implantable?

Management Responsibilities

More than one ISO standard requires management of an organization to demonstrate leadership and commitment to the QMS. The ISO 13485 standard is no different in that respect.  Top management of the organization must:

  • Take ownership, responsibility and be accountable for the effectiveness of the QMS
  • Assign Roles and Responsibilities regarding the QMS
  • Provide adequate resources for the QMS
  • Promote a culture of continual improvement

In addition, the leadership of the organization is required to identify a management representative to whom they assign responsibility and authority for the development and continual improvement of the QMS. This representative would also serve as the “Go to” person for any ISO 13485 questions by fellow associates or internal and third-party auditors.

Resource Management

The organization must provide adequate resources to support the QMS and provide evidence of qualifications of key personnel. An organizational chart should be developed and maintained to identify all positions which play a role in the success of the QMS.  The organizational chart defines the names and titles of individuals in the management team as well as many of the supporting roles within the organization.

Roles, Responsibilities and Qualifications

Roles and responsibilities for each position defined within the organizational chart should be documented. Be certain to write them in terms of positions rather than named individuals, because personnel will come and go, which would otherwise require frequent updates to the documentation.

In order for any system, process, or business to be successful, the personnel supporting the QMS must demonstrate competency to fulfill their duties. The organization must define the education, experience or formal training requirements for individuals performing work that will impact the performance of the QMS. Job descriptions should be developed that include a list of job responsibilities, preferred qualifications, and the normal physical demands of the position. In addition, biographies and qualifications should be documented for individuals whose positions directly affect the execution or performance of the QMS. This information should be readily available for review by third party auditors.

Management Reviews

Organizational leadership meetings should be held at regular intervals to review the performance of the QMS. The subject matter of the review meetings may include but is not limited to the following:

  • Status of any recommended actions from previous management reviews
  • Discussing the potential internal or external issues impacting the QMS
  • Any possible risks and opportunities relating to the QMS
  • Ensure proper resources are being provided for the success of the QMS
  • Evaluating the overall performance of the QMS in meeting planned objectives

Management should report any relevant information resulting from the reviews to workers and other interested parties. The organization shall also retain documented records of the results of the management reviews.

The Quality Management System

The organization must develop and implement a robust Quality Management System (QMS) in order to comply with the standard. A robust QMS should consist of business policies, procedures, forms, work instructions, and other supporting documents. The QMS should also indicate the quality records to be generated, their storage location, and the period of time for which they are retained. The QMS documentation should speak to the related requirements of the standard, as well as any regulatory requirements. The organization is also responsible for monitoring and ensuring adequate controls are in place for any outsourced processes impacting compliance to the standard. Documented quality agreements as well as defined roles and responsibilities are required for any outsourced processes.

Quality Policy and the Quality Manual

The ISO 13485 standard requires that leadership establish and maintain a Quality Policy and a Quality Manual. The Quality policy is a statement consisting of the company stance regarding product quality along with their basic goals or objectives and the plan to realize them. The objectives are the more definitive goals related to the QMS and quality plans. Organizations pursuing certification must set goals or objectives for the quality management system, and provide resources to assure proper maintenance and continual improvement of the QMS. The quality objectives should be documented, preferably measurable, consistently monitored, maintained, updated, and properly communicated.  Furthermore, the organization must also develop a Quality Manual. The quality manual should contain the Quality Policy along with references to the supporting documents of the QMS.

QMS Documentation

The organization must document information relevant to ISO 13485. In addition, the organization must develop appropriate policies, procedures, work instructions or other documentation specified by the organization that could affect the success of the QMS. All documents related to the QMS shall:

  • Follow a standard format determined by the organization
  • Have adequate protection of the content and control revisions.
  • Document changes or updates to documents and ensure changes are identified and traceable
  • Be available for use where and when required, and the content protected.

In addition, the document control system must allow for proper access, distribution, storage, retention and eventual disposition of documents.


Medical device files

This is one of the requirements that sets ISO 13485 apart from most of the ISO standards. Per the ISO 13485 standard and legal requirements organizations must maintain a file for each medical device or family of medical devices that they manufacture. Some of the information required to be in the file is as follows:

  • A general description of the medical device including intended purpose, labeling and instructions for use.
  • Specifications of the device / product
  • Procedures for the manufacture, packaging, handling, storage and distribution of the device.
  • Documented procedures for measuring and monitoring
  • Installation requirements and service of the device, if applicable

Quality Objectives

The standard requires organizations to set goals or objectives for the proper maintenance and continual improvement of the QMS. The objectives should be agreed upon by management and other involved parties. The objectives or goals should also be documented, measurable, and properly communicated within the organization. In addition, criteria should be defined for monitoring and measuring the performance and continual improvement of the QMS.

Measuring Performance

The organization should develop an internal auditing process. Internal audits should be completed at regular intervals to ensure the QMS is meeting internal, legal or regulatory, and ISO requirements. The audit findings function as evidence of the effectiveness of the QMS. Records of the audit results shall be retained for a pre-determined length of time and available for review by third party auditors.

Work Environment and Contamination Control

The ISO 13485:2016 standard also contains a section devoted to promoting a clean and safe work environment and contamination controls. Organizations pursuing certification must evaluate the work environment for any possible cleanliness, health, clothing or other factors that may affect medical device safety or performance. In addition, the organization must verify that the associates working in the area are competent and able to perform the job. Furthermore, the standard indicates that the organization must plan and document controls to prevent and/or detect any contamination. The controls must extend to the assembly and packaging process.

Product Realization

The ISO 13485 standard has added requirements that impact the QMS. The ISO 13485:2016 version mandates that the organization shall plan and develop processes required for product realization. The standard now includes the requirement for records of risk management activities to be maintained. Organizations are also required to consider the following elements during product realization:

  • The work environment
  • Contamination control
  • Company infrastructure
  • Handling of the product
  • Proper storage of the product
  • Distribution methods
  • Product traceability

All these factors shall be taken into consideration during product realization. There are several subheadings to be addressed within the product realization process. The following paragraphs shall briefly touch on each one.

Customer Related Processes

Within the standard there are requirements intended to ensure that the medical device meets the customer’s needs. Product requirements must be formally reviewed and documented by the organization. This review should be comprehensive and include product features, performance requirements, and delivery and post-delivery activities such as installation, maintenance, etc. There is a statement in the standard that requires the organization to review and plan for user training needed to achieve the specified performance of the medical device and ensure safe operation or use of the device. Communication with customers is important for the successful launch of a product. The standard requires that an organization plan and document the methods for ensuring adequate communication with customers. In addition, the organization must document communication methods with regulatory authorities according to applicable regulatory requirements.

Design and Development

Organizations are also responsible for documenting procedures and supporting documents for design planning and development. The documents must be properly maintained and updated regularly as new information is collected. Some other documentation requirements for the product design development and planning phases include:

  • Functional performance, usability and safety requirements
  • Design inputs and outputs, including traceability
  • Systematic design and development reviews
  • Design verification and validation
  • Transfer of design and development outputs to manufacturing
  • Documented and controlled design change process


Organizations are required to evaluate supplier performance and determine the level of risk assessed to the product (medical device) associated with the supplier. The organization is then required to apply the appropriate controls based upon each supplier’s potential risk to the product. This process must be documented and records maintained. Suppliers must inform the organization of any changes to their components or to the product prior to the change.

Production and Service

Provided that servicing of the medical device is a product requirement, the organization must document any servicing procedures, reference materials, and reference measurements applicable to the product. The standard also requires the organization to examine the records of product service performed by the organization or its representatives as well as by a supplier. The standard also addresses documentation requirements relating to any product installation activities by the organization or external parties.

Measurement, Data Analysis and Improvement

The organization shall develop and maintain systems, procedures and processes for monitoring, measurement and continual improvement of the product and their processes. The organization shall develop and implement quality procedures, or methods to ensure the product meets or exceeds all customer and/or regulatory requirements. In addition, data must be collected and analyzed to verify the effectiveness of the QMS. The data should include information collected from monitoring and measuring the process and product as well as feedback from customers and suppliers. The process of data analysis must be documented in a procedure and the records of the analysis must be retained, available for review.

Control of Non-Conforming Product

To be ISO 13485 compliant, the organization must have a documented procedure which defines the controls and roles and responsibilities for the control of nonconforming parts or products. The procedure should cover preventive and detective controls in place to identify, control, contain and prevent delivery of any non-conforming part or products. All non-conformities shall be analyzed and evaluated to verify the need for any investigation of the incident or communication to any external parties involved. There are recommended actions based upon whether the non-conformity was discovered prior to or after delivery to the customer. The following are examples of each scenario:

For nonconforming product detected prior to delivery

  • Eliminate the nonconformity
  • Preclude the original intended use or application
  • Authorize its use, release, or acceptance only under concession.

Acceptance under concession is only permitted on the condition that approval is obtained from the customer, and any applicable regulatory requirements are still met.

For nonconforming product detected after delivery

When nonconforming product is delivered to the customer or end user, the organization is required to take action to minimize any adverse effects. Records of these actions must be documented and maintained for review. In addition, the organization must have a documented procedure for issuing advisory notices, which they are able to initiate at any time.

Reworking Product

For any reworking of the product to occur, the organization must have a documented procedure that covers any possible negative effect the rework could have on the product. Rework procedures should be reviewed and approved by management. In addition, there should be a thorough inspection process in place to review the results of any rework. This is to ensure that the product meets or exceeds all customer and regulatory requirements.


Continual Improvement

To be truly effective over an extended period of time, the QMS must continually improve. In many industries, organizations implement processes to assess risk to the product or process quality. Through the evaluation of risk, an organization can identify opportunities for improvement before a failure or non-conformity occurs. Many organizations also assess risks from any potential hazards and identify opportunities to eliminate or reduce the risk. In addition, the organization must assure that they have a thorough understanding of any legal or regulatory requirements that may apply to their organization, product, processes or adherence to the standard. Plans for addressing legal requirements and addressing risks and opportunities should be implemented during the development of the QMS. In order to truly continually improve, organizations should actively seek out hazards and realize opportunities for improvement that will make it possible to achieve the intended goals and objectives of the QMS. Improvement of the QMS is achievable through proactive identification of potential non-conformities, implementing effective preventive and corrective actions and building a continual improvement culture throughout the organization.

Corrective and Preventive Actions

The standard requires organizations to establish processes for reporting, analyzing and developing Corrective and Preventive Actions (CAPA) to address any product nonconformities. The organization must have a system in place and be prepared to react in a timely manner when non-conformities occur. The team should take great care in defining the hazard or non-conformity and determining the root cause. A root cause is defined as a fundamental cause of an incident or non-conformity. When investigating non-conformities, if we do not discover the root cause we will be treating a symptom and the issues will not be resolved. The non-conformity may re-occur at the same workstation or elsewhere in the organization. Many tools can be utilized for performing a Root Cause Analysis (RCA). Some commonly used tools are listed below:

Once the true “root cause” has been determined, the organization or team must implement appropriate corrective or preventive actions. In addition, the team should develop an action plan for implementing the actions, tracking their progress and documenting their effectiveness. The corrective actions should be determined and carried out with the active participation of workers and the involvement of other relevant interested parties. In addition, the corrective actions should be reviewed by management after a specified length of time, usually 30 or 60 days, to verify their continued effectiveness.

In Conclusion

ISO 13485 provides organizations with guidance for improving the quality of their products and services, with the ultimate goal of achieving customer satisfaction and adherence to all legal and regulatory requirements. Gaining compliance to an ISO standard requires a measurable commitment of time and resources. Organizations willing to make that investment will reap the benefits associated with certification and compliance to ISO 13485:2016. With the proper procedures, processes and documentation in place, an organization can gain a positive reputation in the world marketplace along with potential financial benefits through improved product quality and customer satisfaction. Through adherence to the standard and development of a robust QMS, your organization can realize these benefits as you develop a culture of continual improvement. Establishing or updating your QMS to the requirements of ISO 13485:2016 may take several months or years depending on the size of the organization. Successful implementation, maintenance, monitoring and continual improvement of the QMS require dedicated resources and constant support from organizational leadership. Measuring effectiveness and continual improvement of the QMS may at times require the use of external subject matter experts. If your organization is in need of additional resources or would like more information regarding ISO 13485:2016 implementations, please contact one of the professionals at Quality-One.

Learn More About ISO 13485:2016

Quality-One offers Environmental Management Systems Development through Consulting, Training and Project Support. Quality-One provides Knowledge, Guidance and Direction in EMS development activities, tailored to your unique wants, needs and desires.  Let us help you Discover the Value of ISO 13485 Consulting, ISO 13485 Training or ISO 13485 Project Support.
