Quality Management System & ISO 13485

ISO 13485 is a harmonized standard that lays down the requirements for quality management systems (QMS) for medical devices.

Medical device manufacturers therefore need, above all, to be certified according to ISO 13485, because according to Appendix II of the Medical Device Directive (MDD) they can declare the compliance of their products themselves. For medical devices that incorporate software, and for standalone software, IEC 62304 also demands a QMS and recommends ISO 13485.

The validity of the quality management system is examined by external auditors (usually notified bodies) and in internal audits.

FAQ “ISO 13485 and QM-System”

Question 1: Do I need a (certified) quality management system?

If your product is NOT in class I, you most probably need a certified QM system. Only conformity assessment procedures based on MDR Annex IV (EC verification) or MDR Annex XI part B do not require a certified QM system. However, this approach is rather the exception.

If your product is in class I, a QM system is demanded by the MDR and by IEC 62304. But this QM system does not have to be certified.

Question 2: I already have an ISO 9001 certificate. Is this sufficient?

No. If you need a certified QM system (see question 1), only an ISO 13485 certification is sufficient to prove compliance with regulatory requirements.

Question 3: Who may certify my QM system?

Only notified bodies may certify your QM system. They must have the accreditation for “Annex Certificates”.


Take care not to pick a certification body that may “only” certify ISO 13485 compliance.

Both the EU and national authorities, for example the German ZLG, publish lists of “accredited” notified bodies.

Question 4: How long does it take to establish and certify a QM system?

Typically, it takes between six and nine months from project start to audit or certification. Currently, the availability of notified bodies is an issue.

Small and medium-sized companies have to invest 30 to 50 person-days. However, operating a quality management system requires continuous effort to audit, improve, and re-certify the processes and the system.

Question 5: How does Verity Compliance support the certification process?

Verity Compliance specializes in establishing, improving, and preparing QM systems for audits. All of our customers (we are talking about hundreds) have successfully passed their audits, without exception!

Requirements by ISO 13485:2016

ISO 13485:2016 is the (only) standard to prove compliance with regulatory requirements related to quality management systems.

In order to establish such a quality management system you must:

    1. Describe your organization including quality policy, goals, and hierarchy
    2. Describe the processes of your organization. Among others, these processes have to cover:

      1. Development
      2. Production
      3. Service delivery
      4. Risk management
      5. Document control
      6. Internal audits
      7. Management reviews
      8. Corrective and preventive actions
      9. Handling of resources (human resources, infrastructure, equipment, locations)
      10. Communication with customers

    3. Allocate financial and human resources, including a quality management deputy
    4. Live these processes accordingly and prove this by documenting what you did


Additional information

Download our Starter-Kit, which contains high-resolution mindmaps of ISO 13485 and other standards (all hierarchical levels).

Establish an ISO 13485 compliant quality management system

The Johner Institut recommends the following steps to quickly and systematically establish a quality management system that complies with regulatory requirements such as MDD, MDR, ISO 13485, and 21 CFR part 820.

1. Step: Define the scope

Depending on your activities, define the scope of your quality management system:

  • Development: y/n, type of products
  • Production: y/n, type of production e.g. including sterilization, circuit board production
  • Service: y/n, type of service e.g. installation, maintenance, hotline, training
  • Legal manufacturer versus service provider
  • Interfaces to customers (end-user, other company) and to suppliers

2. Step: Select notified body

Currently, there is a high demand for notified bodies, as many notified bodies lost their accreditation. Therefore, it is important to pick your notified body early in the process.

3. Step: Establish a quality management system

Now you start defining your “rules” in terms of standard operating procedures, work instructions, templates, forms, checklists, etc.:

  • Identify all processes (derived from step 1)
  • Identify inputs and outputs for all processes
  • Describe interdependencies between processes
  • Describe / model processes (process steps, inputs and outputs for each process step, roles, and responsibilities)
  • Define methods and instructions on how to perform each process step. Optionally, extract these requirements into a work instruction. Define how these process steps have to be documented, e.g., using templates, checklists, or computer systems.

Make sure that you cover all processes demanded by regulatory requirements, in particular by ISO 13485:2016 or 21 CFR part 820.

4. Step: Work according to your quality management system

Your company now starts working according to these process descriptions (SOPs) and work instructions (WIs). It generates “records” proving compliance. For example, your team fills out forms, templates, and checklists or works with computer systems as instructed.

5. Step: Prepare audit

Before the final audit, verify that everything is prepared:

  • An internal audit took place
  • Management performed a review of the quality management system
  • The team worked according to SOPs and WIs
  • External suppliers have been audited
  • Computerized systems have been validated

6. Step: Get audited and celebrate

Your notified body will audit your company for two to ten (or even more) days, depending on the size of your organization.

If you pass the audit successfully, you will obtain the certificate(s). Don’t forget to celebrate your success.

If you need any help along the way, just contact us. We specialize in helping companies pass audits quickly and efficiently. We have never had a customer (we are talking about hundreds) that did not pass the audit!

Dos and Don’ts of Quality Management

The most relevant success factors are:

  • Management commitment
  • Aspiration to improve the organization and not just to pass an audit
  • Common approach: Every process owner describes the processes herself
  • Intelligent people with common sense
  • Understanding of risk management
  • Awareness that a quality management system lives (forever)

We discourage:

  • Documenting retrospectively
  • “Re-use” of templates that do not exactly fit your (desired) way of acting
  • Assigning responsibility for the QM system (exclusively) to the quality management deputy
  • Top-down orders, e.g., dictating SOPs