MSECB logo in the brands color, dark red


Home → News & Resources → Experts Talk

ISO 13485 – Q&A Session

This session covers the most frequently asked questions about the ISO 13485:2016 standard. ISO 13485 is designed to be used by any organization that is involved in the design, production, installation and servicing of medical devices and related services. Being certified to this standard proves that organizations are committed to the safety and quality of their products, which as a result improves the organization’s overall performance, increases credibility, global recognition, customer satisfaction, and reduces and potentially eliminate uncertainties.

1. What is the purpose of ISO 13485 and why is this standard so important? 

ISO 13485 (Medical devices – Quality management systems – Requirements) for regulatory purposes aims to specify the QMS requirements for organizations involved in the medical device industry including the regulatory authorities. ISO 13485 standard provides the framework to include generic medical device requirements and specific regulatory requirements.

It is the worldwide reference quality system standard for medical devices. Obtaining an ISO 13485 certification gives organizations credibility that they understand and comply with the medical device industry standards.

2. Which industries can benefit the most from the ISO 13485 and how? 

Organizations in the health sector, mainly companies that design, manufacture and service medical devices, can benefit the most from ISO 13485 standard.

For instance:

  • Companies that reprocess medical devices
  • Hospitals that service or reprocess medical devices
  • Consultants that provide technical services in design and development
  • Companies that provide sterilization services
  • Contract manufacturers

3. Why should companies that manufacture medical devices have a quality management system (QMS) based on ISO 13485? 

Obtaining an ISO 13485 certification demonstrates the commitment of the organizations to meet the requirements of the standard that are outsourced by the customer.

The Original Equipment Manufacturer (OEM) or legal manufacturer (company that has their name on the label) of the medical device will prefer to outsource their activities to a company that rather has ISO 13485 certification. Since the risk of not complying with medical device quality requirements is usually lower when dealing with a company that has obtained ISO 13485 certification. 

4. Do companies that do not manufacture medical devices need ISO 13485? 

Companies that do not manufacture medical devices but are interested in pursuing medical device work can be certified to ISO 13485 if they demonstrate that their QMS meets the ISO 13485 requirements.

Furthermore, companies that provide other value-added services, such as design or servicing, can benefit from following the ISO 13485 requirements and getting certified against it.

5. What are the differences and similarities between ISO 13485 and ISO 9001? Should medical device manufacturers have both standards?

ISO 9001:2015 is a generic standard that can be applied in any industry while ISO 13485 addresses specific medical device requirements. ISO 13485:2016 is a stand-alone standard and is based on ISO 9001:2008 standard with additional medical device requirements.

Furthermore, there are no specific documentation requirements for ISO 9001 but there are many documentation requirements for ISO 13485.

ISO 9001 emphasizes continual improvement and customer satisfaction whereas, ISO 13485 focuses on meeting the regulatory requirements and risk management and controls that ensure safe and effective medical devices.

Manufacturers could obtain both standards and they could provide business benefits if they produce products for other industries besides medical devices.

6. What is the relationship between ISO 13485 and FDA Quality System Regulation? How is ISO 13485 related to quality management system regulations around the world?

ISO 13485:2016 has not been formally accepted by the FDA as the quality system regulation for the USA. However, FDA has been involved in the development of ISO 13485:2016 standard and is expected to formally accept the standard within the year. The current quality management system requirements are covered in the FDA Quality System Regulations, which are very similar to ISO 13485:2016.

In all other major markets, such as the EU, UK, Canada, Australia, Brazil, Japan and the rest of the world, ISO 13485 is considered as the quality management system standard for medical devices. This is due to the structure of ISO 13485 which allows to incorporate various regulatory requirements and be part of the quality management system.

7. How does the certification audit against ISO 13485 impact the company’s business? 

There are several impacts of obtaining ISO 13485 certification. The certification, demonstrates the commitment for the companies to work in the medical device sector which is one of the most dynamic and high growth sectors.

This certification may permit the companies to be involved as a supplier to OEMs and/or in small to large projects. Additionally, it proves the organizations commitment to improve medical devices and health services that will impact human beings all over the world.

8. What are some steps that an organization should follow during the ISO 13485 certification audit?

  • Management must make a commitment to provide the resources for this project.
  • Organization shall assign a management representative to oversee and promote the project to interested parties.
  • Assign process owners who will be involved in preparing the documentation required.
  • Prepare the documentation of QMS including the quality manual, procedures, and instructions. The quality manual outlines the company’s policies for complying with the ISO standard and refers to its procedures. The procedures provide the details for who is responsible and how the activities are performed. Procedures refer to the records required. Having someone with experience about the standard can save time and reduce the risk of not complying and misinterpreting the ISO 13485 requirements.
  • Train personnel on the quality manual, procedures, and work instructions.
  • Implement all the documented requirements.
  • Perform the internal audit of the quality management system. Ensure that the Internal audit of the QMS is performed by someone with experience and who can provide a simulation of the certification audit.
  • Conduct the management review of the quality system.
  • Hire an accredited certification body to provide ISO 13485:2016 certification services. The contract is usually set for three years and includes a Stage 1 and 2 audit during the first year, and Surveillance audits for years two and three of the contract. Recertification audit and a new contract will be needed after three years.
  • The certification body will conduct a Stage 1 audit. The Stage 1 activities include the review of documentation and to review whether the systems are ready to be audited at Stage 2. The output of the Stage 1 audit is an audit report and schedule for Stage 2 activities.
  • The auditor during Stage 2 audit will audit all processes of the quality system. If there are any nonconformities, the delivering of the certificate will be postponed until all nonconformities are corrected.
  • Once you receive the certificate, the company’s QMS is certified against ISO 13485:2016 standard.

9. What would be your advice towards companies that are thinking of getting certified with ISO 13485? 

  • Educate yourself on the standard either through self-training or by participating in a training course.
  • Determine the resources that are available internally, and if not sufficient, look for an experienced qualified consultant to assist or lead the project.
  • Conduct a gap analysis to understand what needs to be done to implement ISO 13485.
  • Establish a project plan. Implementing a QMS requires the team’s effort. The team should include top management representatives who should meet every week to update the status of the QMS implementation.

About the Responder


Danny Kroo, is a Canadian quality management systems auditor with over 34 years dedication in the medical device and aerospace industries. He received a Bachelor of Engineering from Concordia University and a Diploma in Management from McGill University in which he is also an Affiliate Member of the Biomedical Engineering department and a lecturer for the graduate course entitled “Medical Device Regulatory Affairs and Quality Management”. He is primarily engaged with aerospace, medical devices and general manufacturing services companies in order to optimize and improve their quality systems. Mr. Kroo is a certified MSECB Auditor, assessing quality systems and providing regulatory services for ISO 13485. Additionally, his expertise cover ISO 9001, MDSAP (Health Canada and FDA), CE Marking (Medical Device Regulations), AS9100, and AS912.


MSECB is accredited by IAS to offer audit and certification services for a wide range of ISO Standards. If you are interested to certify your management systems start by getting a Free Quote