ISO 9001 vs ISO 13485. What’s the difference?

AdobeStock_389824546 copy

ISO 9001 is the internationally recognised standard for quality management used in many sectors from construction to high-tech manufacturing. ISO 13485, on the other hand, is the QMS standard specifically for those working in the medical device industry.

This blog post looks at the similarities and differences between the two standards and what digital tools developers and manufacturers need in place to meet them.

What do the ISO 9001 and ISO 13485 standards have in common?

  • Both standards are intended to help companies plan, build, and maintain an effective Quality Management System
  • Both focus on the realisation of products through meeting customer needs
  • Risk assessment and mitigation is a significant focus in both standards
  • Both 9001 and 13485 use cycles of Plan-Do-Check-Act to proactively assure quality
  • Both emphasise employee competency and infrastructure to deliver quality outcomes

So, you want to be a successful medical device developer? You should read this  first 

How do the quality standards differ?

ISO 13485 is based on the ISO 9001 standard. However, because of its focus on regulatory compliance and patient safety, ISO 13485 is much more prescriptive in its demands. These differences include:


ISO 13485 is more demanding in terms of documentation and document control than ISO 9001. Developers must produce user requirements and detailed product specifications - then provide formal evidence of validation against deliverables for internal and external audits. The standard specifies the creation of technical files that will answer regulatory requirements. A QMS designed to the ISO 13485 standard will ensure you have the data you need to generate such regulatory documents as the: DHF (Design History File) DHR (Design History Record) and Device Master Record (DMR).

Design and development controls

Design and development controls in ISO 13485 are much more stringent than those in ISO 9001, with separate sections in ISO 13485 for design review, verification and validation. There are also specific requirements relating to medical device function, clinical evaluations, safety requirements and risk management.

Resource management

Both ISO 13485 and ISO 9001 specify that you should have sufficient control of your resources to deliver products to the required standard. This includes access to the right equipment, buildings, competent personnel, and IT resources. But ISO 13485 also demands medical device developers and manufacturers should have ways of documenting and managing sector-specific requirements such as:

  • Cleanliness of clothing
  • Temporary work conditions
  • Contaminated product controls

Management Responsibility

ISO 9001 allows a business to assign quality responsibilities without defining roles. But ISO 13485 demands businesses identify a member of the management team who will be responsible for each aspect of the QMS. Also, the standard for medical device manufacturers specifically addresses the need for managers to ensure awareness of regulatory requirements across the business, regularly reviewing all the cGMP (Current Good Manufacturing Practice) regulations which impact the organization.  

Improvement models

Clause 10.3 in the ISO 9001 standard focuses on customer satisfaction as the ultimate measure of quality. Working in sequences of planning, execution and review (Plan, Do, Check, Act), the standard encourages companies to continuously improve their products and practices by:

  • Finding new internal efficiencies
  • Identifying and meeting new customer requirements
  • Matching and exceeding the level of performance that your sector expects

On the other hand, ISO 13485:2016 does not mention ‘continuous improvement’. Instead, it requires all organizations to focus on ‘improvements’, ensuring their QMS is always effective in securing the ongoing safety of end users.  Here's what the regulation actually says:

8.5 Improvement

8.5.1 General

The organization shall identify and implement any changes necessary to ensure and maintain the continued suitability, adequacy and effectiveness of the quality management system as well as medical device safety and performance through the use of the quality policy, quality objectives, audit results, post-market surveillance, analysis of data, corrective actions, preventive actions and management review.

Working in cycles of ‘Plan, Do, Check, Act’ (aka Denning Cycle) is a requirement of both standards. In ISO 13485, though, it's all about determining and specifying end user needs, then translating them into engineering specifications that exactly meet those needs. It’s about guarding against the risk of product failure and potential patient injury by refining how you identify non-conformities and their root causes in decisive and trackable ways

ISO 9001 vs ISO 13485; additional requirements for medical device developers


ISO 9001:2015

ISO 13485:2016

7.1.4 Environment for the operation of processes

6.4 Work environment and containment control

7.5.3 Control of documented information

4.2.3 Medical device file

4.2.4 Control of documents

4.2.5 Control of records

7.3.10 Design and development files

8.3.4 Design and development controls

7.3.5 Design and development review

7.3.6 Design and development verification

7.3.7 Design and development transfer

8.5 5 Post delivery activities

7.5.1 Control of production and service provision

7.5.3. Installation activities

7.5.4 Service activities

8.2.2 Complaint handling

8.2.3 Reporting to regulatory authorities

8.3.3 Actions in response to nonconforming product after delivery

9.1.2 Customer satisfaction

7.2.3 Communication

8.2.1 Feedback

8.2.2 Complaint handling

10.2 Non-conformity and corrective plan

8.3 Control of nonconforming product

8.5.2 Corrective action

No equivalent clause

7.5.2 Cleanliness of product

7.5.5 Particular requirements for sterile medical devices

7.5.7 Particular requirements for validation of processes for sterilisation and sterile barrier system

Both standards are the key to developing products of consistent quality and evidencing to partners, auditors and regulators that they’re able to do so.

To continue meeting the standards and implement improvements effectively over time, you need the digital tools to manage these processes digitally. Whether you need to gain SO 9001 or ISO 13485 you need to automate document and change controls to accelerate workflows, while helping de-risk your passage to launch and beyond.

Download our guide to digital document control for medical device developers

How can you move from ISO 9001 to ISO 13485?

But businesses who are moving into medical device development for the first time will need even more advice and support in meeting the specific requirements of ISO 13485.

The right digital QMS will also come with the specific SOP templates and forms that you need to adapt your processes to meet the particular requirements related to medical device development.

But these shouldn’t be overly rigid, complex or time-consuming to implement. Templated forms and processes should be easy to tweak and optimise to meet the regulation while supporting the way you want to work.

The right eQMS will help you control your processes and structure your documentation in a way that exactly meets your business needs and your regulatory obligations, without slowing your business down.

A great eQMS will seamlessly support you as your business ambitions grow and you explore new opportunities in new sectors that may make new quality demands.

New call-to-action

Tags: ISO 9001:2015, Quality Management System, Compliance, ISO 13485:2016

Joe Byrne

Written by Joe Byrne

Joe Byrne is the CEO of Cognidox. With a career spanning medical device start-ups and fortune 500 companies, Joe has over 25 years of experience in the medical device and high-tech product development industries. With extensive experience in scaling businesses, process improvement, quality, medical devices and product development, Joe is a regular contributor to the Cognidox DMS Insights blog where he shares expertise on scaling and streamlining the entire product development cycle, empowering enterprises to achieve governance, compliance, and rigour.

Related Posts

8 tips for documenting your SOPs (Standard Operating Procedures)

There are many reasons why organisations need to document their SOPs. From ensuring uniformity in ...

Should you use Microsoft software to build your own digital QMS?

SMEs creating a digital Quality Management System (QMS) will often reach for the most familiar ...

Document Control requirements in ISO 9001:2015; what you need to know

Document control is a key part of any Quality Management System (QMS) and, therefore, a requirement ...

A short guide to non-conformance reports; what, why and how

How do you log and deal with non-conformities so that faulty products don't end up in the hands of ...

What does it take to make your TMF an eTMF?

A Trial Master File (TMF) is a comprehensive collection of documents that ensures the conduct of ...

Data integrity in life sciences: the vital role of ALCOA principles

Data integrity is central to the safe development and manufacturing of every life-science product ...

A short guide to non-conformance reports; what, why and how

How do you log and deal with non-conformities so that faulty products don't end up in the hands of ...

Data integrity in life sciences: the vital role of ALCOA principles

Data integrity is central to the safe development and manufacturing of every life-science product ...

Corrective action: why, when and how?

It’s the job of your corrective action process to identify and eliminate the systemic issues that ...

Medical Device Technical File requirements: what you need to know

What is the medical device technical file? What should it contain and how should it be structured? ...

Implementing Medical Device Design Controls for ISO 13485 and FDA 21 CFR 820

30 years ago the FDA introduced robust new requirements for medical device design control following ...