We've gathered in this post all the commonly asked questions about ISO 13485 Certification together with expert answers.
Here are those questions:
- What is ISO?
- What is ISO 13485?
- What is the purpose of ISO 13485?
- What is a Medical Device Management System (MDMS)?
- What is the Purpose of a Medical Device Management System?
- Who Needs a Medical Device Management System?
- What are the Benefits of a Medical Device Management System?
- What is ISO 13485 Certification?
- Do You Need ISO 13485 Certification?
- Who needs ISO 13485 Certification?
- Does ISO 13485 Certification require the services of a Notified Body?
- What are the Benefits of ISO 13485 Certification?
- Is ISO 13485 Feedback the same as ISO 9001 Customer Satisfaction?
- Why does ISO 13485 call for documentation many times while ISO 9001 does not?
- Is ISO 13485 intended for Medical Device Manufacturers only?
- Do applicable regulatory requirements mentioned in ISO 13485 include ISO 14971 and other ISO Standards?
- How much does ISO 13485 Certification Cost?
- Who issues ISO 134851 Certification Certificates?
- How to get an ISO 13485 Certificate
- How to Choose a Certification Body?
- Are online ISO 13485 Certificates that you can get within 30 days legitimate?
- Why is it Important to Get Certified by the Proper Certification Body?
- How does the ISO 13485 Certification Process Go?
- How to check the ISO 13485 Certification of an organization?
- Do Management Representatives or others responsible for an MDMS need training?
- Do Internal Auditors need training?
Click on the question to go directly to the Answer.
What is ISO?
The International Organization for Standardization (ISO for short) is the world's largest developer of voluntary International Standards. Their collection of 21,000+ standards offers solutions and best practice guidance for all types of technology and businesses, helping companies and organizations to increase performance while protecting consumers and the planet.
While most are product and technical standards, the ISO has developed 40+ management system standards.
The best known of these include ISO 9001 (quality), ISO 14001 (environment), ISO 45001 (health & safety) and ISO 27001 (information security management). The feature they all have in common is that they are auditable. They are written to facilitate auditing by an independent third party (e.g., CAB) to confirm compliance with the standards’ requirements.
ISO 13485 is a quality management system standard based on ISO 9001, which is considered the parent of all the other standards.
For more visit ISO 9001 on the ISO website.
What is ISO 13485?
ISO 13485 (or to give it its full title ISO 13495:2016, Medical devices, Quality management systems - requirements for regulatory purposes) is an internationally-recognised standard that sets out the requirement for a Medical Device Management System (MDMS).
It was initially published in 1996 as ISO 13485:1996 and revised in 2003. Associated standards since replaced by ISO 13485 include ISO 13488, EN 46001 and EN 46002. The current standard has been adopted by the EU as a harmonized standard with the title EN ISO 13485:2016.
It is identical with ISO 13485, sometimes referred to as the international version, except for the addition of 3 Annexes related to EU Directives. These Annexes are now out-of-date as they do not correspond with the current EU Medical Device Regulations (EU Regulation 2017/725 for medical devices and EU Regulation 2017/726 for in-vitro medical devices).
A revision of ISO 13485 to take account of EU Directives, MDSAP adoption, FDA application of ISO 13485, the adoption of the HLS - high-level structure mandated for ISO management system standards, etc. has been mooted but to date, no progress is reported by ISO and no due date for publication can even be guessed at other than that it is unlikely to be published before 2026.
Note that because of its now-antiquated structure, and the regulatory focus of its requirements, it is not easy to integrate an ISO 13485 management system and an ISO 9001 management system into a single QMS. Most organizations working to both standards maintain two Quality manuals.
For more information visit 13485 Medical Devices on the ISO website.
What is the purpose of ISO 13485?
The purpose of the Standard is to specify requirements for a quality management system that can be used by an organization involved in one or more stages of the life-cycle of a medical device, including design and development, production, storage and distribution, installation, servicing and final decommissioning and disposal of medical devices, and design and development, or provision of associated activities ( e.g. technical support).
The requirements in this International Standard can also be used by suppliers or other external parties providing product (e.g. raw materials, components, subassemblies, medical devices, sterilization services, calibration services, distribution services, maintenance services) to such organizations.
For more visit ISO 13485 and Supplying to the Medical Device Sector: FAQs
What is a Medical Device Management System?
An ISO medical device management system is defined as a formalized system that documents processes, procedures, and responsibilities covering all aspects of design, manufacturing, supplier management, risk management, complaint handling, clinical data, storage, distribution, product labelling, etc.
It is expressed as the organizational goals and aspirations, compliance with applicable regulations and standards, and the resources needed to implement and maintain them. Most medical devices will require some form of a QMS; the complexity of the MDMS will vary based on the classification of the device and the technical and manufacturing difficulties.
What is the Purpose of a Medical Device Management System?
A medical device management system helps coordinate and direct an organization’s activities to meet customer and regulatory requirements, and improve its effectiveness and efficiency on a continuous basis. And to provide documentary and other evidence to facilitate third-party, independent auditing of the system to demonstrate compliance with the standard's requirements.
Who needs a Medical Device Management System?
All organizations involved in one or more stages of the life-cycle of a medical device, whether they realise it or not, already have an informal MDMS. You look after your customers, don’t you? You strive to consistently provide customers with good medical device products, components or service. You are always trying to improve to stay ahead of competitors?
So, you have an MDMS and the fundamental question is, do we need to formalise the system? Invariably the answer is yes.
As ISO 13485 becomes the recognized standard throughout the medical device lifecycle, a formal medical device management system becomes a prerequisite. If yours is a component manufacturer or a logistics company wishing to break into the medical device sector, having an ISO 13485 Certificate to present will 'open doors'.
And, strangely, an organization does not need to be involved in medical device production or support in any way to qualify for an ISO 13485 Certificate. Intent to get involved is enough!
What are the benefits of a formal Medical Device Management System?
There are at least fourteen benefits that organizations with a medical device quality management system in place can enjoy such as:
- Immediate benefit #1: A body of evidence to demonstrate compliance with applicable legal and regulatory requirements. Under EU MDR and IVDR there can be a formidable mass of documentation required
- Immediate benefit #2: Management systems are designed to a) Get it right the first time, b) Be consistent and reliable, c) Seek out the root causes of problems, and, d) Not to repeat mistakes.
- Immediate benefit #3: All aspects of supply, installation, maintenance throughout the product lifecycle are done in compliance with applicable regulations.
- Organized management: An organization certified to the Standard is managed in a standard and structured way
- Clarity of Purpose: Staff are clear as to their responsibilities, authorities, and accountabilities
- Processes and procedures suited to the Mission and strategic objectives you have set for the organization.
- Internal audits to monitor compliance with requirements and highlight deficiencies.
- Corrective actions to prevent recurrence of errors - try to make mistakes only once, if at all.
- Informed Board of directors knowing that the organization is focused on strategic objectives while satisfying compliance requirements, and planning and acting to address future challenges.
- Management satisfaction knowing that the organization is functioning in line with strategic objectives.
- Reduce errors: Fewer costly errors, less rework, replacement of goods and/or services, and increased productivity.
- Fewer customer complaints as fewer errors occur.
- Better retention of customers: again, a consequence of reduced errors.
- Management performance improved as less time spent apologizing to customers and managing the unnecessary repetition of work.
An ISO 13485 Certificate is recognition from a Certification Body – CAB (usually, an accredited Certification Body), or in relation to EU regulations a Notified Body, that an organization has implemented and is maintaining a quality management system that meets the requirements of ISO 13485:2016.
Do You Need ISO 13485 Certification?
Yes and No. In many cases, such as that of component manufacturers, ISO 13485 Certification is not mandatory but can be a useful tool to add credibility. This can be done by demonstrating that your product or service meets the expectations of your medical device manufacturing customers. For some industries, certification is a legal or contractual requirement.
Who needs ISO 13485 Certification?
Organizations globally, both public and private spheres, and from every economic sector who are involved in the provision of medical device products and associated services need to demonstrate compliance with ISO 13485. This would include distributors and those trading in medical devices and this apply to any stage of the lifecycle,
Does ISO 13485 Certification require the services of a Notified Body?
We need to consider three different types of organizations here ...
- Notified Bodies are only required for compliance with EU Regulations. For all medical device classifications, other than Class 1, and for all IVDs other than Class A, a Notified Body is needed. In addition to certification audit services the Notified Body will issue a Certificate of Conformity necessary for the use of CE Marking (and providing or arranging necessary laboratory, clinical and other support).
- MDSAP Certification Body: a limited number of Certification, most bodies operating globally, have been appointed to undertake certification audits under this scheme for medical device manufacturers.
- Accredited Certification Bodies: For Class 1 medical devices and Class A IVDs in the EU, for the rest of the world where MDSAP does not apply, and for all organizations in the supply chain who are not manufacturers these are the auditors to be used.
And what about the UK? At the time of writing the UK's MHRA is following the EU Regulations pending a decision as to the long-term requirements, which are expected later in 2021.
What are the Benefits of Having ISO 13485 Certification?
The effective implementation and maintenance of ISO 13485 certification come with at least six benefits, similar to those that come with having a formal Medical Device Management System. These include:
- Feedback: First and foremost, ISO 13485 Certification is about confirming compliance with regulation and then through Feedback (including PMS - Post Market Surveillance) that the device remains fit-for-purpose in fulfilling its specification and purpose, and identifying opportunities for improvement.
- Reputation: be taken seriously as a prospective supplier, other than a manufacturer, as the holder of ISO 13485 Certification, which is based on the independent assessment of an accredited certification body.
- Qualify for pre-tender and tender opportunities, especially for distributors to the public sector.
- Status: On equal terms with the ‘big’ boys’ – the size of your organization won’t hold you back. And for newcomers, you demonstrate commitment to the medical device sector.
- Risk management is implemented by manufacturers and others to ensure the safe and miss-use use of the device. Invariably, ISO 14971 is used here. Apart from this a risk-based approach is applied to all processes.
- Objectives and improvement obligation focus’ you on setting targets for improvement and then planning and implementing them in a timely manner.
Is ISO 13485 Feedback the same as ISO 9001 Customer Satisfaction?
Definitely not the same and this a very common mistake. If we compare the definitions for the two standards the difference is easily determined.
For ISO 9001, Customer satisfaction is defined as the Customer’s perception of the degree to which the customer's requirements have been fulfilled.
- Customer complaints are a common indicator of low customer satisfaction but their absence does not necessarily imply high customer satisfaction.
- Even when customer requirements have been agreed with the customer and fulfilled, this does not necessarily ensure high customer satisfaction.
For ISO 13485, Feedback is defined as opinions, comments and expressions of interest in a product, a service or a complaints-handling process.
- Product-focused feedback is the requirement here and not customer-focused satisfaction
- Feedback is vital for gathering production and post-production information, the latter being the foundation of Post-Market Surveillance (PMS) and the revision and updating of product safety risk assessments.
Why does ISO 13485 call for documentation many times while ISO 9001 does not?
The title of this Standard focuses on Regulations, which then focuses on the assemble of documentary evidence to demonstrate compliance with applicable Regulation (ISO 9001 avoids any mandatory documentation so as to be flexible and wide-ranging as possible in its application).
Is ISO 13485 intended for Medical Device Manufacturers only?
The 2016 version of the Standard makes clear that ISO 13485 is not intended for manufacturers alone. It states in Section 1, Scope::
This International Standard specifies requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements. Such organizations can be involved in one or more stages of the life-cycle, including design and development, production, storage and distribution, installation, or servicing of a medical device and design and development or provision of associated activities ( e.g. technical support). This International Standard can also be used by suppliers or external parties that provide product, including quality management system-related services to such organizations.
Yet many organizations are scared off by talk of CE Marking, Notified Bodies, regulatory inspections, unannounced/surprise audits and the like. It's all nonsense (well, almost all). There could be a lot of high-margin business that you're missing out on.
Man inspecting medical devices
Do applicable regulatory requirements mentioned in ISO 13485 include ISO 14971 and other ISO Standards?
In the EU all harmonized ISO Standards (i.e. the ones beginning EN ISO) are officially optional. If these Standards are not applied where they could be applied, Auditors will ask for evidence of alternative methods used to achieve the same end result. Both ISO 14971 and ISO 15223-1:2016 (the medical device labelling Standard) need special mention.
ISO 14971 is a standard for the application of risk management methods for the safe use of medical devices throughout their life-cycle. ISO 13485 Clause 7.1, Planning for product realization states that: 'Further information can be found in ISO 14971'. This means that the use of ISO 14971 is not mandatory. However, almost without exception, every medical device manufacturer uses ISO 14971 to address product safety.
The use of ISO 15223-1 for labelling etc., while not mentioned in ISO 13485, is a requirement in MDR and so this Standard must be used.
The number and status of EN ISO Standards for medical devices is under constant review. Visit Commission Implementing Decision (EU) 2021/610 of 14 April 2021 for harmonized standards.
In the UK at the time of writing the EU MDD and IVDD continue to apply and the commentary above for the EU continues to apply. Change to a new UK regulatory regime is expected soon with the transition of the EU to MDR and IVDR regulations.
In the USA the FDA continues to tease out its formal adoption of ISO 13485 in US regulation. Clarification is expected by year-end.
How much does ISO 13485 Certification Cost?
The cost of ISO 13485 certification varies hugely based on the size of the organization, geographical location and on economic prosperity.
Let’s take the example of an SME with 10 employees. Here are some typical prices from the UK for 2021 for a Class 1 Device (1) or for a distributor, component manufacturer or logistics company, where we consider three scenarios …
Minimum Consultancy Support (4)
Maximum Consultancy Support (5)
Develop MDMS (8 days)
Implement MDMS (8 days)
Maintain MDMS (2 x 3 years)
Certification Year 1
Total 3-year Cost
Typical duration to Certification
- Other than for Class 1 medical device and Class A IVD the services of a Notified Body is required. The costs here will pale into insignificance when compared to the six-figure sums that will be involved in using a Notified Body.
- It is necessary to examine a 3-year horizon as CABs play games with their quotations and that can be confusing. What is a given, however, is that CAB Audits and the associated contract must, under IAF rules, be based on a 3-year cycle.
- No outside help. The project leader would need ISO 13485 Lead Implementer Training.
- Four days of consultancy support included here. Priced at £ 500 p.d., consultancy costs range from £300 to £700 per day. Essential that satisfactory references are obtained for previous ISO 9001 projects.
- Maintenance here includes 2 days annually for internal auditing and Management Review support.
- Other than for Class 1 medical device and Class A IVD the services of a Notified Body is required. The costs here will pale into insignificance when compared to the six-figure sums that will be involved in using a Notified Body.
The best advice in controlling costs is to shop around and recheck the competitiveness of your chosen CAB regularly.
Who Issues ISO 13485 Certification?
The ISO develops International Standards, such as ISO 9001 and ISO 14001, but is not involved in their certification.
ISO does not issue certificates. ISO 13485 certification is performed by external certification bodies; so, a company or organization cannot be certified by the ISO organization itself.
How to Get an ISO 13485 Certificate?
Certificates are issued by CABs to organizations after they have gone through an ISO Certification process. This is based on a comprehensive 2-stage audit (itself based on the auditing standard, ISO 19011), that involves a review of documentation and an independent on-site audit.
The CAB gathers and documents objective evidence of compliance with the requirements of ISO 13485. After the CAB has confirmed that all the requirements of the ISO 13485 Standard have been implemented and are being maintained, a Certificate is issued as is permission to use logos to publicise the fact.
How to Choose a Certification Body?
The choice of CAB is important. An accredited CAB (e.g. BSI) should be used wherever possible and with ISO 13485 one won’t be difficult to find.
Accreditation, which is issued by a nationally recognized Accreditation Board (e.g., UKAS) is an important confirmation as to the legitimacy of the CAB. To help ensure an international ‘level playing field’ for CAB auditing standards, National Accreditation Boards have their own international organization, the International Accreditation Forum (IAF), which oversees an ongoing programme of witnessed self-assessment of IAF Members of each others’ activities.
A Certificate from an accredited CAB will carry three logos. #1 the CAB’s own logo and #2 the Accreditation Boards logo and #3 the IAF logo. If you present an ISO 13485 Certificate to a customer or potential customer that does not carry all three logos, expect to be challenged. Without a plausible explanation, you can expect your approach to be rejected.
Are online ISO 13485 Certificates that you can get within 30 days Legitimate?
Legally speaking? Yes. But the Certificate is worthless. There are ‘cowboy’ CABs (whom you should ask to explain how an organization can create 3-months of records, the minimum needed to prove maintenance of a medical device management system, in 7 days) and even ‘cowboy’ Accreditation Bodies.
With ISO 13485 Certificates, making sure you have the real thing fundamentally means choosing a CAB that will get you an IAF logo of your Certificate. Ask about it by name and accept nothing else.
Why is it Important to Get Certified by the Proper Certification Body?
Remember that those reviewing tender and quotation documents are unlikely to be inexperienced. They will recognise a phoney Certification instantly. And your offering will go directly into the rubbish bin with the hard work you’ve expended to develop products and services you are proud of totally wasted.
Most importantly, you wouldn't want an ISO Auditor to find such bogus Certificates when checking your evaluation of external providers (suppliers).
How does the ISO 13485 Certification Process Go?
As you will have seen in the cost data above, there are two stages in securing ISO 13485 Certification:
Stage 1. Develop, implement and maintain a suitable MDMS for your organization and
Stage 2. Engage the services of a CAB to undertake the necessary evaluations and ISO Certification Audits.
Stage 1. Develop, implement, and maintain a suitable QMS for your organization:
Our Infographic shown here nicely illustrates the multi-step process involved in preparing for Certification (click on the infographic image to get a copy for yourself). Whichever of the three approaches you choose (or variants thereof) you will benefit from our ISO 13485 Lead Implementer Course in managing and directing your ISO 13485 Project.
Stage 2. Engage the services of a CAB to undertake the necessary evaluations and audits:
When choosing a certification body, you should:
- Evaluate several certification bodies.
- Check if the certification body auditing activities include ISO 13485:2016.
- Check if it is accredited. Accreditation is not compulsory, and non-accreditation does not necessarily mean it is not reputable, but it does provide independent confirmation of competence. To find an accredited certification body, contact the national accreditation body in your country or visit the International Accreditation Forum.
Note: the terms certification and accreditation cannot be used interchangeably, though it is not uncommon to do so. The difference between certification and accreditation are as follows:
Certification – the provision by an independent body of written assurance (a certificate) that the product, service, or system in question meets specific requirements.
Accreditation – the formal recognition by an independent body, generally known as an accreditation body, that a certification body operates according to international standards.
How to check the ISO 13485 Certification of an organization?
The IAF, after struggling with the issue for many years, launched IAF CertSearch. This is an exclusive global database for accredited management system certifications. Other databases, irrespective of the organization publishing them, should be treated with scepticism or, better still, ignored.
Currently, CertSearch has over 400,000 valid certifications across more than 150 economies covering a range of sectors, 4000 certification bodies and 68 IAF MLA signatory accreditation bodies. While highly dependable, this database is a long way from being complete when one considers that there are 1 million-plus organizations certified to ISO 9001:2015 alone.
Businesses and governments can digitally validate an organization’s certification(s), in order to determine if a certificate is valid and if the Certification Body issuing the certificate is accredited to issue certifications to that standard.
The direct route is, of course, always open to you – ask the organization for a copy of their current Certificate. Many will have their Certificate on display on their website.
For more visit IAF CertSearch
Do Management Representatives or others responsible for a Medical Device Management System need training?
The training of a Management Representative or others with day-to-day responsibility to maintain an MDMS is NOT mandatory.
Training is implied as part of developing competence but not a specific stand-alone requirement. So, unless you determined to outsource this support indefinitely (and technically that’s not permitted), you need to train your Management Representative. And you’re in luck. We’ve got exactly the Course you need.
For more visit ISO 13485 Lead Implementer Course.
Do Internal Auditors need training?
Again, training here is not mandatory. But effective internal audits are essential to doing a professional job in maintaining your Medical Device Management System and in avoiding nasty surprises at your next Certification Body audit.
Also, if you don’t train them, your auditors won’t have any of the skills necessary to ‘harvesting’ those improvement suggestions from the people in your organization who actually do the work.
For more visit ISO 13485 Internal Auditor Course.
Got a Question we haven't answered?
We'd love to hear it and, if possible, answer it for you. Just use our Support Ticket System. You'll find a Knowledge Base there that might have an immediate answer for you. Otherwise, fill in a Ticket.
For more visit deGRANDSON Support Ticket.
- ISO Training Courses Overview
- ISO Auditor Certification: Boosts your Job Prospects
- ISO 14971 Medical Device Risk Management - Foundation
- Medical Device Regulations (MDR) Classifications: US vs EU
deGRANDSON Global is an ISO Certified Educational Organization
We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment. It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.