ISO 13485 Requirements

This topic is part of the SG Systems Global regulatory & operations glossary.

Updated October 2025 • Medical Device QMS Requirements • QA, RA, Design, Manufacturing, IT

ISO 13485 requirements define what a medical device quality management system (QMS) must do to consistently design, manufacture, and service devices that are safe, effective, and compliant with regulatory expectations. They cover the full product lifecycle: quality policy and objectives, documentation, design and development controls, risk management, supplier management, production and process controls, cleanliness and contamination control, traceability, complaint handling, CAPA, and post-market feedback. Unlike generic quality standards, ISO 13485 is written specifically for medical devices and is tightly aligned with regulatory frameworks.

“ISO 13485 requirements are the contract between your QMS and patient safety: they spell out what ‘controlled’ must mean for design, production, and feedback.”

TL;DR: ISO 13485 requirements describe a medical-device-specific QMS: documented processes, defined responsibilities, risk-based design and change control, qualified suppliers, validated production and cleaning processes, environmental controls, device history records, complaint and vigilance management, and effective CAPA. They expect integration with risk management (ISO 14971), data integrity (ALCOA(+)), and regulatory frameworks (MDR/IVDR, FDA QMSR, MDSAP). A compliant QMS can trace risks to controls, controls to records, and records back to decisions.

1) Structure of ISO 13485 Requirements

ISO 13485 is structured into clauses that define high-level obligations and detailed requirements for the QMS. At a practical level, manufacturers group requirements into:

  • QMS foundation: scope, quality manual, documented processes, and interactions.
  • Management responsibility: leadership commitment, Quality Policy, objectives, and Management Review.
  • Resource management: people, competence, training, infrastructure, and work environment.
  • Product realization: everything from customer requirements and design control to purchasing, production, and servicing.
  • Measurement, analysis, improvement: monitoring, internal audit, complaints, CAPA, and continual improvement.

These requirements are intentionally process-oriented: auditors will follow real workflows (e.g., “complaint to CAPA”) rather than reading clauses in order.

2) QMS Foundation – Scope, Documentation & Interactions

ISO 13485 requires a defined and documented quality management system that:

  • Identifies scope (devices, locations, regulatory jurisdictions).
  • Maintains a quality manual describing processes and their interactions.
  • Includes documented procedures, work instructions, and records under Document Control.
  • Defines how outsourced processes and suppliers are controlled.

In practice, this means mapping how product and information flow across design, production, warehouse, and post-market processes—and keeping that map synchronized with reality.

3) Management Responsibility & Leadership Requirements

ISO 13485 expects leadership to own the QMS, not delegate it to QA alone. Key requirements include:

  • A documented Quality Policy and measurable objectives.
  • Defined responsibilities and authorities, including a management representative.
  • Regular, documented Management Reviews with inputs (audit results, complaint trends, CAPA, resource needs) and outputs (actions, resource decisions, improvements).
  • Evidence of commitment to meeting regulatory and customer requirements.

If senior management cannot explain the QMS or show how it drives actions and resourcing, auditors will question compliance with ISO 13485 leadership requirements.

4) Resource Management – People, Infrastructure & Environment

ISO 13485 requires that organizations provide and manage resources needed for an effective QMS and safe device realization:

  • Human resources: defined competencies, training plans, and records linked to the Training Matrix.
  • Infrastructure: buildings, utilities, production equipment, IT, and supporting services.
  • Work environment: conditions (cleanliness, contamination control, environmental parameters) necessary to ensure product safety and performance.

For many device manufacturers, this overlaps with cleanroom controls, ESD protection, environmental monitoring, and equipment calibration status.

5) Product Realization – High-Level Requirements

“Product realization” is ISO 13485’s umbrella term for everything from initial requirements to service and recalls. Requirements include:

  • Planning of product realization (including risk management and quality objectives).
  • Customer-related processes (requirements, communication, feedback).
  • Design and development controls.
  • Purchasing and supplier management.
  • Production and service provision, including installation and servicing when applicable.
  • Control of monitoring and measuring devices (calibration, maintenance, traceability).

These requirements ensure that what you promise in design and labeling is consistently delivered on the shop floor and in the field.

6) Design & Development Requirements

ISO 13485 includes detailed design requirements that intersect with technical documentation and regulatory files. Key expectations:

  • Design planning: defined stages, responsibilities, and interfaces.
  • Design inputs: functional, performance, regulatory, risk, usability, and environmental requirements.
  • Design outputs: drawings, specifications, and production information that meet inputs.
  • Design review, verification, and validation: planned, documented, and tied to risk controls and clinical performance.
  • Design transfer: controlled handoff to manufacturing with clear criteria.
  • Design changes: risk-based change control with documented impact assessment and re-verification/validation.

Design records (DHF) must show complete traceability from user needs and risks to verification/validation activities and acceptance decisions.

7) Risk Management Requirements (ISO 13485 & ISO 14971)

ISO 13485 references risk management throughout, expecting alignment with ISO 14971. Requirements include:

  • Planning risk management activities for each device or device family.
  • Identifying hazards, estimating and evaluating risks, and defining control measures.
  • Linking risk controls to design, labeling, production, and post-market surveillance.
  • Maintaining risk files as living documents across the device lifecycle.

Your QMS should embed risk thinking into design reviews, change control, CAPA, and Post-Market Surveillance, not treat it as a stand-alone spreadsheet exercise.

8) Purchasing & Supplier Control Requirements

ISO 13485 places strong requirements on controlling purchased product and outsourced processes, including:

  • Criteria and procedures for supplier qualification and periodic re-evaluation.
  • Documented purchasing information (requirements, specifications, quality expectations).
  • Verification of purchased product (incoming inspection, testing, certificates of conformity/analysis).
  • Quality agreements defining responsibilities, communication, and change notification.

For critical components and outsourced sterilization, testing, or contract manufacturing, auditors expect a risk-based level of scrutiny and documented oversight.

9) Production & Process Control Requirements

ISO 13485 requirements for production and service provision include:

  • Documented work instructions for critical operations.
  • Process validation where output cannot be fully verified (e.g., sterilization, welding, bonding, software loading).
  • Control of production equipment, tools, and fixtures.
  • Identification and traceability of materials, intermediates, and final devices.
  • Cleanliness, contamination control, and handling of sterile or implantable devices.
  • Validation and re-validation of cleaning, sterilization, and packaging processes.

Evidence typically lives in routing records, equipment logs, eDHR systems, and process validation reports tied to risk files and regulatory submissions.

10) Identification, Traceability & Device History Requirements

ISO 13485 requires that devices can be traced from raw materials to finished goods and beyond. Key elements:

  • Identification through production (labels, barcodes, UDI where applicable).
  • Traceability of components, materials, and work steps, particularly for implantable and high-risk devices.
  • Maintenance of Device History Records (DHR) or their electronic equivalents (eDHR).
  • Recall and field safety corrective action readiness.

Traceability requirements tie directly into MES, WMS, and labeling systems—weakness here is one of the fastest paths to major nonconformities.

11) Cleanliness, Contamination & Sterilization Requirements

For devices requiring controlled conditions, ISO 13485 lays out requirements for:

  • Cleanliness of product and work environment appropriate to device use.
  • Contamination control plans and monitoring.
  • Sterilization process validation, routine control, and re-qualification.
  • Packaging design and validation to maintain sterility or cleanliness to the point of use.

These requirements must align with process validation, environmental monitoring, and labeling claims in technical documentation and regulatory submissions.

12) Monitoring, Measurement, Complaints & CAPA Requirements

ISO 13485 expects an evidence-driven feedback loop. Key requirements include:

  • Planning measurement and monitoring of processes and product characteristics.
  • Implementing internal audits to verify QMS effectiveness.
  • Systematic complaint handling and reporting, including vigilance requirements.
  • Nonconforming product control and documented disposition.
  • CAPA processes with root cause analysis, actions, and effectiveness checks.

ISO 13485 requirements in this area are where regulators look first: repeated issues with poor CAPA effectiveness are a major signal of deeper QMS problems.

13) Data Integrity & Record-Keeping Requirements

While ISO 13485 doesn’t use the term “ALCOA(+),” its requirements assume trustworthy records. Expectations are that records are:

  • Attributable, legible, contemporaneous, original, accurate—and complete.
  • Maintained under document and record control with defined retention times.
  • Protected from loss, damage, and unauthorized changes.
  • Reviewable for audits, inspections, and product safety investigations.

In modern environments, this means integrating ISO 13485 requirements with electronic record controls, audit trails, and where applicable, Part 11/Annex 11 expectations.

14) ISO 13485 vs. ISO 9001 Requirements

ISO 13485 is based on ISO 9001 but adds device-specific and regulatory-focused requirements:

  • Stronger documentation, validation, and traceability expectations.
  • Explicit linkage to regulatory compliance and risk management.
  • Enhanced cleanliness, contamination, and sterile processing controls.
  • More prescriptive requirements for design, complaint handling, and CAPA.

Put simply: ISO 9001 asks if you run a quality system; ISO 13485 asks if you run a quality system that protects patients and satisfies regulators for medical devices.

15) Integration with Regulatory Frameworks (MDR, QMSR, MDSAP)

ISO 13485 requirements are designed to support, not replace, medical device regulations. Examples:

  • EU MDR/IVDR: ISO 13485 provides the backbone QMS for technical documentation, PMS, vigilance, and clinical evaluation.
  • US FDA QMSR: FDA’s move to the Quality Management System Regulation harmonizes 21 CFR 820 with ISO 13485, tightening expectations for risk and data integrity.
  • MDSAP: Uses ISO 13485 as a base, layering jurisdiction-specific requirements (e.g., reporting, licensing).

Your QMS should explicitly map how ISO 13485 requirements are extended for each regulated market you serve.

16) Demonstrating Conformity – Evidence & Metrics

To show that ISO 13485 requirements are truly implemented, organizations typically monitor:

  • On-time closure of internal audit findings and CAPA.
  • Complaint trends and field performance indicators.
  • Training completion and competence for QMS-critical roles.
  • Timeliness and effectiveness of Management Reviews.
  • Process capability for critical characteristics where applicable.

These metrics provide a practical view of whether ISO 13485 requirements are a living system or a “tick-box” exercise barely surviving annual audits.

17) How ISO 13485 Requirements Map to V5 by SG Systems Global

End-to-end QMS digitalization. The V5 platform supports ISO 13485 requirements by connecting documented QMS processes (document control, training, CAPA, internal audit) to real-time production, warehouse, and quality records. Requirements move from static procedures into enforced workflows.

Product realization & traceability. V5’s MES and WMS layers record material lots, serials, process steps, and operator actions into structured eDHR and eBR records, directly supporting ISO 13485 requirements for production control, identification, traceability, and DHR completeness.

Risk, CAPA, and feedback loops. Findings from complaints, nonconforming product, internal audits, and process deviations can be turned into CAPA tasks linked to specific devices, batches, and customers. V5’s risk register and dashboards help manufacturers show how risk controls are applied, monitored, and improved over time.

Training & role-based access. ISO 13485 requirements for competence and awareness are supported by V5’s training links, role-based permissions, and e-signatures. Only trained, authorized personnel can perform critical actions; training and re-training events are evidenced automatically.

Audit-ready records for ISO 13485 audits. Instead of hunting across spreadsheets and point systems, manufacturers can use V5 to produce coherent, read-only evidence packs: DHR/eDHR extracts, calibration logs, CAPA histories, training reports, and audit trails—all time-stamped and aligned with ISO 13485 expectations.

Bottom line: ISO 13485 requirements define what your device QMS must do; V5 provides an integrated way to implement and prove those requirements at the point of work.

18) FAQ

Q1. Do ISO 13485 requirements apply to all medical device companies?
They apply to any organization that chooses to implement an ISO 13485-compliant QMS—manufacturers, contract manufacturers, critical suppliers, and some service providers. Regulators and customers increasingly expect ISO 13485 alignment across the device supply chain.

Q2. Are ISO 13485 requirements the same as regulatory requirements?
No. ISO 13485 defines a QMS framework; regulations (e.g., MDR, IVDR, FDA, national laws) add device-specific, clinical, and market requirements. Your QMS should integrate ISO 13485 requirements with all applicable regulatory obligations.

Q3. How are ISO 13485 requirements different from ISO 9001?
ISO 13485 is more prescriptive, with stronger emphasis on regulatory compliance, risk management, validation, traceability, cleanliness, and sterile processing. ISO 9001 is generic and may not be sufficient for medical devices without additional controls.

Q4. How detailed must procedures be to meet ISO 13485 requirements?
Procedures must be detailed enough that trained personnel can perform tasks consistently, and that auditors can verify how requirements are met. Critical processes (design, risk, sterilization, complaint handling, CAPA) usually need clear step-by-step instructions and acceptance criteria.

Q5. Can software and digital systems help meet ISO 13485 requirements?
Yes. Digital QMS, MES, LIMS, and WMS platforms centralize records, enforce workflows, provide audit trails, and support eDHR/eBR, which makes it easier to implement and demonstrate compliance with ISO 13485 requirements—provided they are validated and properly controlled.

Q6. How do ISO 13485 requirements evolve over time?
The standard is revised periodically, and regulators issue guidance and new expectations (e.g., on risk, data integrity, cybersecurity). Organizations should track updates, adjust their QMS, and reflect changes in procedures, training, and technical documentation.


