ISO 13485 is the international standard that defines requirements for a medical device quality management system (QMS), including document/record controls, risk integration, supplier controls, validation, traceability, and closed-loop improvement.

ISO 13485Glossary

ISO 13485

Q: What’s the difference between ISO 13485 and ISO 9001?

ISO 9001 is a general quality management standard. ISO 13485 is medical-device specific and places stronger emphasis on regulatory-style evidence, traceability, and risk integration.

Q: What do ISO 13485 auditors focus on?

Auditors focus on evidence threads across document control, change control, nonconformance management, complaint handling, and CAPA with verified effectiveness.

Q: How does ISO 14971 relate to ISO 13485?

ISO 13485 requires risk to be integrated into QMS controls; ISO 14971 is the commonly used medical device risk management framework to implement that expectation.

This topic is part of the SG Systems Global regulatory & operations guide library.

Updated January 2026 • ISO 13485, medical device QMS, ISO 14971 risk management, design controls, document & record control, supplier qualification, validation, traceability, complaints & CAPA, internal audits & management review • Quality & Compliance

ISO 13485 is the international standard that defines requirements for a medical device quality management system (QMS). It is not “a binder standard.” It is a control standard: it expects you to prove—through records and repeatable behaviors—that you can consistently meet applicable requirements across purchasing, production, distribution/service, and postmarket feedback.

ISO 13485 is frequently implemented alongside a risk framework such as ISO 14971 medical device risk management and is commonly mapped to jurisdictional requirements such as 21 CFR Part 820 and EU MDR. The standard’s real-world value is that it gives auditors and customers a consistent way to test whether your quality system is “real” (controlled) or “paper” (documented but porous).

In practice, ISO 13485 boils down to one unforgiving question: can you produce trustworthy evidence that you did what you said you do—when the process is under pressure? That evidence is anchored in controls like document control, change control, nonconformance management, complaint handling, and closed-loop CAPA proven by a CAPA effectiveness check.

“ISO 13485 doesn’t reward paperwork. It rewards control you can prove.”

ISO 13485 • ISO 13485 requirements • ISO 13485 audit • ISO 13485 standards • ISO 14971 • Notified body • MDSAP • QMS • Document control system • Change control • Internal audit • Management review • CAPA

TL;DR: ISO 13485 is the core medical device QMS standard. A compliant program is not defined by “having policies,” but by hard, testable controls: (1) document control + revision control so only current instructions execute; (2) governed change control (often via a change control board and document change requests); (3) risk integration using ISO 14971 and practical risk matrices; (4) supplier control via supplier qualification and supplier audit programs; (5) validated operations via process validation and (where applicable) computer system validation (CSV); (6) controlled records with electronic signatures, audit trails, and data integrity; and (7) closed-loop performance through nonconformance management, complaint handling, trending, and CAPA that passes an effectiveness check. V5 mention (minimal): in SG Systems Global V5 deployments, these controls are typically realized through an eQMS integrated with execution systems such as MES and, where distribution evidence matters, WMS.

Table of Contents

What ISO 13485 means (plain-English)
Who needs ISO 13485 and when it applies
The core control model: what auditors actually test
Document & record control: preventing “silent drift”
Risk and design controls: ISO 14971 and lifecycle evidence
Supplier controls: qualification, audits, and change notification
Production/service provision: validation, acceptance, traceability
Electronic records: signatures, audit trails, data integrity
Postmarket feedback: complaints, CAPA, reporting
Governance: internal audits and management review
KPIs that prove the system is working
Common pitfalls: how ISO 13485 gets “papered over”
Copy/paste demo script and scorecard
Extended FAQ

1) What ISO 13485 means (plain-English)

ISO 13485 is a requirements standard for a controlled quality management system in the medical device domain. “Controlled” means:

Only approved instructions execute: governed by document control systems and revision control.
Changes are intentional and assessed: governed by change control.
Nonconforming product is contained: managed through nonconformance management, quarantine, and hold/release.
Problems drive prevention: closed-loop CAPA that proves effectiveness via effectiveness checks.

Important note: This is a glossary entry intended to describe how ISO 13485 is operationalized. Always align your interpretation with your certification body and the regulatory requirements of your target markets.

2) Who needs ISO 13485 and when it applies

ISO 13485 commonly applies to organizations that design, manufacture, distribute, service, or otherwise influence the quality of medical devices. Typical cases:

Device manufacturers & CMOs: evidence of controlled execution and release.
Critical suppliers: components, sterilization, packaging, labs (see supplier quality management).
Distribution/service networks: traceability and complaint feedback loops (see traceability and complaint handling).

Certification context can include audits by a registrar, and in some markets oversight and assessment may also involve a notified body or programs such as MDSAP.

3) The core control model: what auditors actually test

ISO 13485 audits typically follow “evidence threads” rather than isolated procedures. Common threads:

Thread	What it starts with	What the auditor expects to see (linked evidence)
Complaint thread	Customer complaint	Triage → investigation → trending → CAPA → effectiveness.
Nonconformance thread	Nonconformance / deviation	Containment → quarantine / hold → disposition → CAPA linkage when required.
Change thread	Change control	Risk/impact assessment → updated documents (DCR) → training updates → validation updates (process validation / CSV).
Supplier thread	Supplier qualification	Approval basis → monitoring → supplier audits → supplier change handling → SCAR where applicable.

Thread-based auditing punishes “documentation islands.” If your documents exist but aren’t linked to execution evidence, auditors read that as lack of control.

4) Document & record control: preventing “silent drift”

ISO 13485 expects that controlled documents govern how work is performed, and controlled records prove what happened.

Document control: establish a document control system with clear standards, a plan, and a governing SOP.
Revision control: enforce revision control so obsolete instructions cannot be used.
Record integrity: protect records with data integrity expectations, supported by record retention and archiving.

Control rule
If people can “finish the paperwork later,” your evidence is negotiable—and auditors will treat it that way (see data integrity).

5) Risk and design controls: ISO 14971 and lifecycle evidence

ISO 13485 expects risk to be integrated into planning and controls. Many organizations implement this using ISO 14971 and operational tools like a risk matrix and a documented QRM approach.

If you perform design and development, ISO 13485 evidence is commonly organized around:

If you do not design (e.g., contract manufacturing), you still must manage risk in execution and change—often through process risk tools such as PFMEA and controlled translation into work instructions.

6) Supplier controls: qualification, audits, and change notification

ISO 13485 expects suppliers to be controlled as an extension of your quality system.

Qualification: define approval criteria and maintain evidence via supplier qualification and onboarding.
Ongoing oversight: maintain risk-scaled monitoring (see supplier risk management).
Audit discipline: execute a supplier audit program where risk requires it.
Formal expectations: define responsibilities in a quality agreement.

Supplier reality: If your process cannot reliably capture supplier changes before they hit production, you don’t have supplier control—you have supplier surprises.

7) Production/service provision: validation, acceptance, traceability

ISO 13485 expects production and service activities to be planned, controlled, and supported by evidence:

Validation where needed: process validation and supporting qualification evidence (e.g., IQ/OQ/PQ).
Acceptance evidence: defined inspections and test records (see incoming inspection and in-process controls such as IPC).
Status control: prevent release of nonconforming/held product using quarantine and release status control.
Traceability: maintain product genealogy and distribution accountability (see traceability and chain of custody).
UDI/label controls (where applicable): UDI, labeling, and label verification.

Traceability is only real if you can execute a rapid-response test (see recall drill) without investigative chaos.

8) Electronic records: signatures, audit trails, data integrity

ISO 13485 does not require digital systems, but if you use electronic records, auditors will test credibility. Core controls include:

Electronic signatures aligned with role-based access and access provisioning.
Audit trails that make changes visible and attributable.
Data integrity enforcement and retention discipline.
Validated systems where required (see CSV and GAMP 5).
Market overlays where applicable (e.g., 21 CFR Part 11).

Compliance reality: If a record can be edited without a trustworthy audit trail, it’s not evidence—it’s a draft.

9) Postmarket feedback: complaints, CAPA, reporting

ISO 13485 expects postmarket signals to feed containment and prevention:

Complaint handling with consistent triage and investigation
Complaint trending to detect signals early
Issue control via nonconformance management and deviation management
Closed-loop CAPA with a defined effectiveness check
Regulatory surveillance and reporting where applicable (see postmarket surveillance and medical device reporting (MDR))

10) Governance: internal audits and management review

ISO 13485 governance is how you prove the system stays alive after certification:

Internal audits: planned and executed audits (see internal audit) with disciplined closure (see audit finding management).
Management review: leadership review of performance, risks, and outcomes (see management review).
Event visibility: consolidated event control (see quality event management).

11) KPIs that prove the system is working

ISO 13485 performance should show up in measurable control and response outcomes. Practical KPIs:

CAPA effectiveness pass rate
% of CAPAs that pass a documented effectiveness check.

Complaint cycle time
Median time from intake to closure under the complaint process.

Repeat nonconformance rate
Recurrence of the same nonconformance class after closure.

Document version compliance
% of work areas using current revision-controlled instructions.

Supplier escape rate
Defects traced to suppliers despite qualification (trend by supplier).

Trace response time
Time to produce an impacted-lot list for a recall drill.

12) Common pitfalls: how ISO 13485 gets “papered over”

Obsolete instructions remain in circulation: weak document control systems and broken revision control.
Change is handled informally: bypassing change control and retro-documenting later.
CAPA closes fast, not right: shallow root cause and no real effectiveness check.
Supplier changes arrive silently: weak supplier risk management and unclear notification expectations.
Electronic records are editable without proof: missing audit trails and weak data integrity.

Fast test: Pick one closed complaint and request the full evidence thread: complaint → investigation → impacted lots/serials → containment/hold decisions → CAPA → effectiveness → document/training updates. If the thread can’t be produced quickly, the system is not controlled.

13) Copy/paste demo script and scorecard

Use this script to force a control-real walkthrough (not a policy tour).

Demo Script A — Document & Change Control

Show an approved SOP in the document control system and prove revision control.
Initiate a document change request and route approvals via a controlled process (e.g., change control board).
Show training impact captured in a training matrix.

Demo Script B — Nonconformance → Hold → Disposition

Create a nonconformance tied to a lot/serial scope.
Demonstrate containment through quarantine and hold.
Show disposition evidence and link to CAPA when required.

Demo Script C — Complaint → CAPA → Effectiveness

Log a complaint under the complaint process.
Open CAPA and define an effectiveness check.
Show the evidence thread from complaint to effectiveness closure.

Dimension	What to score	What “excellent” looks like
Evidence linkage	Threaded records across events	Fast, complete trace from quality events to lots/serials to CAPA outcomes.
Hard gating	Hold/quarantine enforcement	Quarantine blocks release; release is explicit and auditable.
Change integrity	Impact completeness	Change control covers docs + training + validation before use.
Electronic credibility	Signatures + audit trail + integrity	Trusted e-signatures and audit trails aligned to data integrity.
Supplier control	Qualification + monitoring	Risk-based supplier qualification with auditable oversight and escalation.

14) Extended FAQ

Q1. What is ISO 13485?
ISO 13485 is the international standard that defines requirements for a medical device QMS, including document/record controls, risk integration, supplier controls, validation, traceability, and closed-loop improvement.

Q2. What’s the difference between ISO 13485 and ISO 9001?
ISO 9001 is a general quality management standard (see ISO 9001). ISO 13485 is medical-device specific and places stronger emphasis on regulatory-style evidence, traceability, and risk integration.

Q3. What do ISO 13485 auditors focus on?
They focus on evidence threads: document control, change control, nonconformance management, complaints, and CAPA with an effectiveness check.

Q4. How does ISO 14971 relate to ISO 13485?
ISO 13485 requires risk to be integrated into QMS planning and controls; ISO 14971 is the commonly used medical device risk management framework to implement that expectation.

Q5. What regulations often overlap with ISO 13485?
Market-specific requirements may overlap, including 21 CFR Part 820, EU MDR, and electronic record controls such as 21 CFR Part 11 when applicable.

BACK TO GLOSSARY

OUR SOLUTIONS

Three Systems. One Seamless Experience.

Explore how V5 MES, QMS, and WMS work together to digitize production, automate compliance, and track inventory — all without the paperwork.

Manufacturing Execution System (MES)

Control every batch, every step.

Direct every batch, blend, and product with live workflows, spec enforcement, deviation tracking, and batch review—no clipboards needed.

Faster batch cycles
Error-proof production
Full electronic traceability

LEARN MORE

Quality Management System (QMS)

Enforce quality, not paperwork.

Capture every SOP, check, and audit with real-time compliance, deviation control, CAPA workflows, and digital signatures—no binders needed.

100% paperless compliance
Instant deviation alerts
Audit-ready, always

Learn More

Warehouse Management System (WMS)

Inventory you can trust.

Track every bag, batch, and pallet with live inventory, allergen segregation, expiry control, and automated labeling—no spreadsheets.

Full lot and expiry traceability
FEFO/FIFO enforced
Real-time stock accuracy