All terms

    ISO 13485

    International standard for medical device quality management systems.

    Reviewed by Christian Espinosa, Founder, Blue Goat CyberLast reviewed May 5, 2026

    Definition

    ISO 13485:2016 specifies requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements.

    What this means in practice

    ISO 13485 is referenced or required by regulators worldwide, including the EU (under MDR/IVDR) and Health Canada. FDA's Quality Management System Regulation (QMSR), effective February 2, 2026, explicitly incorporates ISO 13485:2016 by reference, replacing the previous 21 CFR Part 820 Quality System Regulation. Certification is issued by accredited third-party registrars and is renewed on a three-year cycle with annual surveillance audits.

    Examples

    • A Class II diagnostic manufacturer maintaining a single ISO 13485 QMS used to satisfy FDA QMSR, EU MDR, and Health Canada requirements.
    • A contract manufacturer holding ISO 13485 certification to support MDSAP audits across five participating regulators.

    Use cases

    1 scenario
    1

    Contract manufacturer onboarding a new medical device customer

    Quality Manager

    A CMO holds an ISO 13485 certificate from a notified body. A new EU MDR customer audits the QMS, confirms design transfer, supplier control, and CAPA processes meet the standard, and adds the CMO to their approved supplier list.

    OutcomeOnboarding takes 6 weeks instead of 6 months because the QMS is already evidence-based and audited.
    Common pitfalls
    • Treating ISO 13485 certification as proof of regulatory approval. Certification confirms QMS conformity; individual products still require the appropriate marketing authorization (510(k), PMA, CE mark, etc.).
    • Copying an ISO 9001 QMS without adding medical-device-specific requirements (design controls, risk management, UDI, post-market surveillance, complaint handling).
    • Weak supplier controls. ISO 13485 expects documented supplier evaluation, monitoring, and re-evaluation proportional to component risk.
    • Under-scoping the QMS. Software design, cybersecurity, and contract-manufacturer activities all fall within scope when they affect the finished device.

    Frequently asked questions

    ISO 9001 is a general quality management standard focused on continual improvement and customer satisfaction. ISO 13485 is medical-device-specific and emphasizes regulatory compliance, risk management, design controls, and traceability. An ISO 13485 QMS is not a superset of ISO 9001; the two have diverged.

    Cross-references

    Used by

    Overlaps with

    Shared paths + category

    Latest in MedTech

    Primary references

    3 sources
    Link health: 2 verified 1 unchecked· last checked 2026-06-20
    ISO·1FDA·2
    1. 1
      ISO 13485:2016
      Verified
      ISOiso.org
    2. 2
      FDA Quality Management System Regulation (QMSR)
      Unchecked
      FDAfda.gov
    3. 3
      FDA Recognized Consensus Standards
      Verified
      FDAaccessdata.fda.gov

    Inline markers like [1] jump to the matching reference above.