DMS Insights from Cognidox

ISO 13485:2016: What does it take to meet medical device QMS requirements?

Written by Joe Byrne | 22 Jul, 2025

Navigating the complexities of ISO 13485:2016 can be daunting - especially for innovative start-ups and scale ups who need to work fast. But building a compliant Quality Management System (QMS) doesn’t have to be disruptive, expensive, or tie you up in red tape.

This blog explains what ISO 13485:2016 really requires from you and how the right Electronic Quality Management System (eQMS) can help you meet the standard efficiently and effectively.

What is ISO 13485:2016?

ISO 13485:2016 is the internationally recognised standard for medical device quality management systems. It ensures that companies consistently design, develop, manufacture, and distribute devices that are safe, effective and compliant with regulatory requirements.

To gain ISO 13485, your organisation must build and maintain a documented QMS that provides:

  • Document and record control
  • Risk-based decision-making
  • Effective CAPA processes
  • Product traceability
  • Continuous improvement

A word of warning: There’s no such thing as “Off-the-Shelf” ISO 13485 compliance

ISO 13485 compliance isn't about blindly following someone else’s pre-written procedures. It’s about documenting and controlling your unique processes in a way that demonstrates to regulators your ability to consistently deliver safe and effective products. 

ISO 13485 defines what your Quality Management System must achieve, but it doesn’t dictate exactly how you should work.

So, let’s look at what the clauses of the standard actually require of you.

What are the 8 clauses of ISO 13485

ISO 13485:2106 comprises 8 clauses:

  1. Scope
  2. Normative References
  3. Terms and Definitions 
  4. Quality Management System 
  5. Management responsibility 
  6. Resource management 
  7. Product realisation
  8. Measurement, analysis and improvement

Of these, clauses 4 - 8 cover the major, mandatory requirements of the standard.

What are the 5 major clauses of ISO 13485?

Clause 4: Quality Management System (QMS)

At the core of ISO 13485 is the requirement to build a documented QMS (Quality Management System). 

WATCH: What is a QMS? Medical device consultant Sam Shelley explains.

General Requirements

Instead of telling you exactly how to design and build your product, ISO 13485 specifies the essential mechanics of a QMS.

It defines how your QMS should support your business in building cycles of PDCA (Plan, Do, Check, and Act) that can drive a process of continual quality assurance.

It also introduces the concept of risk-based thinking that should inform the way you approach quality management in your organisation.

Document Control: the foundation of ISO 13485

Clause 4's core requirement is document and record control. This is the backbone of your whole QMS - the way you define quality requirements and minimise the risk of non-compliance in the way you work.

Document control in ISO 13485 Clause 4:

An eQMS driven by robust document and record control can help you deliver consistent deliverables:

  • Document Control: Your QMS needs a strong process for creating, reviewing, approving, and updating critical documents such as Standard Operating Procedures (SOPs) and work instructions. It must control revisions, ensuring that only the current, approved versions are easily usable and accessible to relevant personnel. Obsolete documents must be securely archived, maintaining full traceability.
  • Record Control: Procedures are vital for identifying, retrieving, and protecting your records against loss, damage, or unauthorised access. These records are your undeniable proof – the evidence that you designed and manufactured your product precisely according to requirements.

These controls ensure:

  • Everyone is working from the correct version of each procedure
  • Training is aligned with your most up-to-date SOPs
  • All your decision-making remains traceable and auditable
  • Your team is generating evidence of compliance as they work

Clause 4 also specifies the production of two key pieces of documentation:

Quality Manual

Your quality manual describes the scope of your QMS and the hierarchy of documentation in your system. The manual defines how all your QMS procedures should work together to generate the documents and records that can prove your products have been specified, designed and manufactured according to requirements and regulations.

Having a quality manual in place and document controls powering the way you work ensures you can follow procedures consistently to produce required outcomes and outputs.  

As Sam Shelley puts it:

“ISO 13485 compliance is not just a case of having a folder on the shelf that has procedures in it. You actually need to be following those procedures because the records you create from them are going to form the evidence for your medical device file. That’s the evidence you need to legally place your product in different markets around the world”

Following your unique SOPs should help your team generate required sets of documentation, such as the medical device technical file.

Medical Device File

The standard defines the content requirements for the medical device file (once known by the FDA as the Device Master Record). The file must include:

  • Description of the product, including intended use and indications for use.
  • Product labelling and instructions for use.
  • Specifications for the product.
  • Specifications and procedures for manufacturing, inspection, labelling, packaging, storage, handling, and distribution.
  • Specifications for measuring and monitoring.
  • Specifications and procedures for product installation (if applicable).
  • Procedures for product servicing (if applicable).

WATCH: Sam Shelley explains why you can’t buy ISO 13485 compliance ‘off-the-shelf’

Clause 5: Management Responsibility

Top management's role is critical in the effectiveness of the QMS:

  • Commitment and Leadership: Leadership must demonstrate a commitment to developing and implementing the QMS and continually improving its effectiveness. This includes communicating the importance of meeting regulatory and customer requirements throughout the organisation.
  • Policy and Objectives: Establishing a quality policy that is aligned with the organisation's purpose and the expectations of its customers. Quality objectives should be measurable and consistent with the quality policy.
  • Roles, Responsibilities, and Authorities: Clearly defining and communicating the organisation's roles, responsibilities, and authorities to ensure effective QMS processes.

Clause 6: Resource Management

The standard emphasises the need for adequate resources, which include:

  • Personnel: Ensuring that all personnel involved in quality processes are competent based on education, training, skills, and experience. This might include conducting training programs and setting up digital tools for self-attestation to build data for compliance.
  • Infrastructure and Work Environment: Providing the necessary infrastructure (facilities, equipment, software) and work environment to support product requirements. This includes managing the work environment to ensure product safety, particularly in clean rooms or controlled environments for certain medical devices.

Clause 7: Product Realisation

This involves the entire process of bringing a medical device from concept to delivery:

  • Planning: Establishing quality objectives and requirements for the product and planning the stages of product development.
  • Design and Development: Applying systematic design and development processes, including risk management, verification, and validation activities to ensure the product meets specified requirements.
  • Production and Service Provision: Implementing controlled conditions for production, including monitoring and control of equipment, facilities, and materials to ensure product conformity.
  • Delivery: Ensuring that the final product is properly packaged, labelled, and delivered in a way that maintains its integrity and conformity.

Clause 8:Measurement, Analysis, and Improvement

Continuous improvement is a cornerstone of ISO 13485:

Monitoring and measurement: Regularly monitoring and measuring critical aspects of the QMS and product to ensure conformity to product requirements and QMS effectiveness. This includes feedback mechanisms, internal audits, and monitoring of production and service processes.

Analysis of data: Analysing data gathered from monitoring activities to identify trends, opportunities for improvement, and the need for corrective or preventive actions.

Improvement: Implementing actions to improve processes based on data analysis and outcomes of audits and reviews. This includes corrective actions to address nonconformities and preventive actions to eliminate potential non-conformities.

Why ISO 13485 matters

Quite apart from ensuring the quality and safety of your end products, gaining ISO 13485 is often a prerequisite for gaining regulatory approval. For example, you’ll likely need ISO 13485 to be granted a CE marking by a Notifying Body in the EU.

In the same way, the harmonisation of FDA 21 CFR Part 820 and ISO 13485 will soon make the standard the required stepping stone for every developer in the US, the world’s largest medical device market.

9 reasons you need to digitise and automate for ISO 13485 compliance 

The modern medical device development process can be fraught with complexity. In the new era of IoT, implantables, SaMD (software as medical device) and generative AI, developers are generating huge amounts of design, testing and safety documentation within complex, multi-team sprints.

Companies need to digitise and automate their processes to manage all this documented information to meet the demands of ISO 13485 for control and traceability.

  1. Enhanced document control: Automation ensures that all documents are easily accessible, up-to-date, and controlled according to ISO 13485 requirements. It eliminates the risks of lost or outdated documents, facilitating better management of document lifecycles.
  2. Improved traceability: An automated QMS enhances the traceability of products throughout their lifecycle, a key requirement of ISO 13485. It enables accurate tracking of design changes, manufacturing processes, and distribution paths.
  3. Consistent compliance: Automating compliance-related tasks, like CAPA (Corrective and Preventive Actions) and audits, ensures that these critical processes are conducted in a timely and effective manner, aligning with ISO 13485 standards.
  4. Streamlined processes: Automation standardises processes across the organisation, reducing variability and ensuring consistent adherence to quality procedures, crucial for ISO 13485 compliance.
  5. Increased efficiency: Automated workflows reduce manual tasks, freeing up valuable resources and time that can be redirected towards innovation and improvement, thus speeding up the certification process.
  6. Enhanced quality management: With an automated QMS, monitoring and measuring quality metrics become more straightforward, allowing for real-time quality management and improvements aligned with ISO 13485 requirements.
  7. Better risk management: Automation provides tools for more effective risk management, a cornerstone of ISO 13485. It enables a systematic approach to identifying, evaluating, and mitigating risks associated with medical device manufacturing.
  8. Audit readiness: An automated QMS keeps all necessary documentation and records audit-ready, simplifying the audit process required for ISO 13485 certification and ensuring that any required information is easily retrievable.
  9. Scalability: As your company grows, an automated QMS can quickly scale to accommodate new products, processes, or regulatory requirements, ensuring continuous compliance with ISO 13485.

What’s standing in the way of your company gaining ISO 13485?

Most medical device developers understand the necessity of a robust QMS. If you are currently using a paper-based system or coping with a DIY digital approach, you will be acutely aware of how difficult it is to prepare such a system for auditing by a Notified Body.

But the complexity of many proprietary eQMS systems may also put you off taking the digital leap, precisely because they feel like a rigid, one-size-fits-all solution that forces you to change your processes, rather than supporting them.

You need formal digital tools that meet the control and traceability requirements of ISO 13485 without changing the ‘way you do things’ just to meet the demands of a piece of QMS software.

In fact, auditors and regulators are keen on Quality Management Systems that do not impose unnecessary processes because it inflates the risk of the system becoming too unwieldy to use effectively. The risk of ‘overprocessing’ can be as dangerous as a lack of control.

Take a lean approach to ISO 13485

Given that ISO 13485 compliance is not an off-the-shelf purchase, nor a one-size-fits-all solution, the quest for a lean eQMS is essential. This means searching for a system that integrates ISO 13485 compliance seamlessly into your existing business operations.

And for those working to build their quality management system from scratch, that also means choosing tools and processes that give you the flexibility to start small and scale up -  introducing procedures as you need them, and only when they add value.

 Watch: How to roll out your QMS in stages – Sam Shelley explains

As you consider how to ready your business to gain ISO 13485, look for a partner and a set of digital tools that you can adopt and adapt to fit the way you work. You need a system that can act as a robust digital framework for compliance without taking months to implement or stopping your development in its tracks.

Last updated: 22/07/25
View full post