
Quality Management System and ISO 13485

The ISO 13485 standard is the international benchmark for quality management in the medical device industry. Its main goal is to ensure product safety and performance by anticipating risks and promoting continuous improvement throughout the design, manufacturing, and commercialization processes.
The ISO 13485 standard is organized into eight clauses, focusing on quality management systems for medical devices. It begins by defining the scope, normative references, and terms, then centers on requirements for the quality management system, management responsibility, resource management, product realization, and measurement, analysis, and improvement. Each section details how organizations must document, implement, and maintain processes to ensure both quality and regulatory compliance, including risk management, traceability, process validation, and comprehensive record keeping. Its structure is designed for applicability throughout the product lifecycle, covering activities from design and development, through production, distribution, and post-market support.

Key aspects of ISO 13485



Proactive risk management

The standard requires manufacturers to identify, analyze, and reduce risks from product design to retirement, ensuring patient and user safety.


Comprehensive traceability

Traceability is not just a regulatory requirement – it is vital for efficient safety alerts and recalls. Proper traceability enables rapid identification of issues and protects your company’s reputation.

Validation of critical processes

ISO 13485 urges manufacturers to prove that processes such as sterilization, packaging, or software really fulfill their purpose, preventing hidden failures that could affect product safety.


Continuous improvement and quality culture

The system promotes internal audits, regular reviews, and ongoing staff training, driving innovation and adaptability to regulatory changes.


Facilitates international market access

Compliance with ISO 13485 harmonizes regulatory requirements for major markets such as the European MDR, optimizing commercialization opportunities.
It's important to note that, as of today, achieving ISO 13485 certification does not automatically mean compliance with all FDA requirements. The FDA is currently harmonizing its regulation with ISO 13485 through the new QMSR rule, which will be fully enforced in 2026, yet some US-specific requirements will remain. Therefore, manufacturers must prepare their quality management system to address both standards and keep monitoring regulatory changes.


Auditing

  • 1. Integrity: the foundation of professionalism
    2. Fair presentation: the obligation to report truthfully and accurately
    3. Due professional care: the application of diligence and judgement in auditing
    4. Confidentiality: security of information
    5. Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions
    6. Evidence-based approach: the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process
    7. Risk-based approach: an audit approach that considers risks and opportunities

  • Internal Audits
    Medical device manufacturers are required to perform internal audits at planned intervals to verify that the quality management system (QMS) remains effective and compliant.
    There is no fixed “one-size-fits-all” frequency set by the standard. Instead, the audit programme should be based on factors such as the criticality of the process, previous audit results, changes in regulations, product risk class, and organizational changes.
    In practice, many manufacturers perform a full internal audit cycle at least once per year, but higher-risk areas may be reviewed more frequently.
    Supplier Audits
    Suppliers providing critical components or services that could impact product quality or patient safety must also be audited on a risk-based schedule.
    High-risk suppliers (e.g., those providing sterilization, software development, or critical components) are typically audited every 1–2 years, depending on performance and compliance history.
    Lower-risk suppliers may be monitored through other methods (e.g., questionnaires, performance reviews) and audited less frequently.
    The frequency should be defined in the manufacturer’s supplier control procedure, again based on risk, performance, and regulatory requirements.

  • An audit programme is a structured plan that defines how audits will be carried out within a specific period of time, usually covering one calendar year. It is not just a schedule of audits, but a structured approach to ensure that all audits are conducted consistently, objectively, and effectively. The programme sets the framework for when audits will take place, which areas will be covered, and how resources will be allocated.
    Following the principles of ISO 19011, the programme should be planned, implemented, monitored, and reviewed on a periodic basis. This ensures that all relevant processes and activities are assessed regularly and that the plan reflects changes in risks, regulations, or organizational priorities.

  • An audit plan is the detailed outline for conducting a specific audit within the framework of the audit programme. While the programme defines the overall schedule and strategy for a given period, the plan focuses on the practical execution of an individual audit.
    ISO 19011 states that the audit plan should be prepared before each audit and agreed upon with the auditee. It ensures clarity, efficiency, and transparency during the audit process.
    Each audit plan is time-bound to a single audit event. It is prepared for that specific audit and cannot be reused as-is for another.
    A clear and agreed audit plan helps avoid misunderstandings, ensures that the audit is completed within scope and timeframe, and provides structure for collecting objective evidence.

  • Conducting an audit is the process of systematically evaluating a process, system, or supplier to determine compliance with applicable standards, regulations, and internal procedures. It is the core activity of an audit, translating the plans and programmes into actionable assessment.
    Key Steps
    1. Opening meeting
    2. Collecting evidence
    3. Assessing findings
    4. Communication during the audit
    5. Closing meeting
    Purpose of Conducting Audits
    1. Verify that the quality management system and processes are operating effectively.
    2. Identify nonconformities or risks that could affect product safety, compliance, or performance.
    3. Provide actionable recommendations for corrective actions and continuous improvement.
    4. Demonstrate a culture of accountability and readiness for regulatory inspections.
    Auditors may use checklists as a structured tool to ensure all relevant points are assessed and nothing is overlooked. Using checklists, tailored to the specific type of audit, helps auditors cover all critical areas, maintain consistency, and gather evidence systematically, supporting reliable and actionable audit outcomes.

  • The audit report summarizes the audit objectives, scope, criteria, findings, and conclusions. It highlights nonconformities, areas for improvement, and good practices observed during the audit. Reports should be clear, concise, and evidence-based to ensure that management and auditees can make informed decisions.
    Confidentiality should be maintained, and the report should only be shared with authorized personnel.
    Nonconformities and opportunities for improvement identified in the audit require corrective or preventive actions. The responsible teams should implement actions within agreed timelines, and evidence of completion should be documented. Auditors or management may perform follow-up checks to verify that corrective actions are effective and that the issue will not recur.
