# ISO 13485 Quality Management System for Medical Device Manufacturers

ISO 13485:2016 is the internationally recognized quality management system standard for medical device manufacturers. It is not optional. If you sell devices in the European Union, your Notified Bo...

FreedomDev builds digital ISO 13485:2016 quality management systems for medical device manufacturers — design controls, document control, CAPA, risk management integrated with ISO 14971, supplier management, management review, and Notified Body audit readiness. From startup device companies pursuing first CE marking to established manufacturers aligning legacy QMS infrastructure with EU MDR 2017/745 and FDA 21 CFR Part 820 requirements, we deliver validated QMS software that replaces paper-based quality systems with enforceable digital workflows.

---

## Our Process

1. **QMS Gap Assessment and Clause Mapping (2-3 Weeks)** — We conduct a detailed gap assessment of your current quality management system against every applicable clause of ISO 13485:2016 and, where applicable, FDA 21 CFR Part 820, EU MDR 2017/745 Annex IX, and MDSAP requirements. For each clause, we document the current state (how you comply today), the gap (what is missing, incomplete, or dependent on manual processes), and the target state (how the digital QMS will address the requirement). We review your existing quality manual, SOPs, work instructions, forms, and records to identify what carries over into the digital system and what needs to be rewritten. For companies pursuing first ISO 13485 certification, we develop the QMS documentation framework in parallel with the system design. Deliverable: a clause-by-clause compliance matrix with system requirements specifications for every QMS process that will be digitized.
2. **QMS Architecture and Workflow Design (2-4 Weeks)** — We design the digital QMS architecture based on the clause mapping from Step 1. Every QMS process — document control, design controls, CAPA, supplier management, complaint handling, internal audit, management review, training, production controls — is modeled as a state machine with defined entry conditions, transition rules, authorization requirements, evidence capture points, and exit criteria. Approval chains map to your organizational structure and quality procedures. Notification and escalation rules reflect your SOP-defined timelines. Data relationships between modules mirror the interdependencies in your quality system — a complaint links to a CAPA, which links to a design change, which links to a risk management update, which triggers supplier re-evaluation. For FDA-regulated companies requiring 21 CFR Part 11 compliance, we design the audit trail architecture, electronic signature implementation, and validation strategy (GAMP 5 methodology) in this phase. Your quality team reviews and approves every workflow design before development begins.
3. **QMS Software Development (8-14 Weeks)** — We build the QMS in module sequence prioritized by audit risk and operational impact. Document control and audit trail functionality are always built first because they underpin every other module — once document control is live, your team immediately begins working with controlled electronic documents instead of paper. Design controls and CAPA modules follow because these are the highest-scrutiny areas during Notified Body audits. Supplier management, complaint handling, internal audit, management review, and training management are built in the subsequent phases. Each module is developed with full traceability from the clause mapping requirements through design specifications to test evidence. Integration with your existing systems — ERP for purchasing data, production systems for manufacturing records, document storage for legacy file migration — happens incrementally. We migrate your existing QMS records (open CAPAs, active design files, current supplier approvals, training records) into the new system so that you do not lose continuity or audit history.
4. **System Validation and Notified Body Readiness (3-5 Weeks)** — For FDA-regulated environments, we execute the full IQ/OQ/PQ validation protocol per GAMP 5 Category 5 guidelines. Installation Qualification verifies that all system components are installed per specifications. Operational Qualification tests every function against its requirements specification under normal, boundary, and error conditions. Performance Qualification demonstrates sustained reliable operation with your production data, your users, and your actual quality workflows. Validation deliverables include the validation plan, requirements traceability matrix, test protocols, executed test records, deviation reports, and the validation summary report. For Notified Body audit readiness, we prepare the QMS technical file: system architecture documentation, data integrity controls, backup and recovery procedures, access control specifications, and change management procedures for the QMS software itself. We also conduct a mock audit of the digital QMS against your Notified Body's typical audit checklist to identify any remaining gaps before the certification audit.
5. **Deployment, Training, and Certification Support (Ongoing)** — We deploy in phases aligned with your certification timeline. Phase 1 (document control and training management) goes live first to establish the controlled document environment. Phase 2 (CAPA, complaint handling, and nonconformance management) activates the quality event workflows. Phase 3 (design controls, supplier management, internal audit, and management review) completes the QMS digitization. Each phase includes role-specific training: quality engineers learn CAPA investigation and root cause analysis workflows, document control specialists learn review and approval administration, design engineers learn the design control process, procurement learns supplier qualification and monitoring, and management learns the review dashboard and quality objective tracking. Post-deployment support includes regulatory change monitoring (ISO 13485 amendments, FDA QMSR updates, EU MDR implementing guidance), system updates, Notified Body audit support, and ongoing optimization based on user feedback and quality data analysis. Maintenance runs $2,500-$6,000/month depending on system scope and regulatory complexity.

---

## Frequently Asked Questions

### What is ISO 13485 and why is it required for medical device companies?

ISO 13485:2016 is the international standard that specifies requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements. Unlike ISO 9001 — which ISO 13485 was historically derived from — ISO 13485 is specific to the medical device industry and includes requirements for risk management, design controls, sterile manufacturing, traceability, and regulatory reporting that ISO 9001 does not address. ISO 13485 certification is required by regulation in most major medical device markets. In the European Union, Notified Bodies require a certified ISO 13485 QMS as part of the conformity assessment procedure under EU MDR 2017/745 — you cannot obtain CE marking without it. Health Canada, TGA Australia, ANVISA Brazil, and MHLW Japan all accept ISO 13485 certification through the MDSAP (Medical Device Single Audit Program) as evidence of QMS compliance. In the United States, FDA's Quality System Regulation (21 CFR Part 820) is not identical to ISO 13485, but the FDA has published a proposed rule to replace Part 820 with a regulation that incorporates ISO 13485 by reference — the Quality Management System Regulation (QMSR). Even before the QMSR takes effect, FDA inspectors use ISO 13485 as a benchmark during facility inspections because it is recognized as a consensus standard. For any medical device company selling internationally, ISO 13485 certification is not a competitive advantage — it is a market access prerequisite.

### How does ISO 13485 differ from FDA 21 CFR Part 820, and do I need both?

ISO 13485:2016 and FDA 21 CFR Part 820 share approximately 80% of their requirements because both address the same fundamental question: does the manufacturer have a quality system that ensures medical devices are consistently safe and effective? However, the differences matter. FDA Part 820 includes requirements that ISO 13485 does not explicitly state — for example, Part 820.198 requires specific complaint file documentation, Part 820.90 requires documented nonconforming product review including investigation proportional to the significance of the nonconformity, and Part 820.184 requires Device History Records (DHR) for every production unit. Conversely, ISO 13485 has requirements with no direct Part 820 equivalent — clause 4.2.3 requires a medical device file for each device type or device family, and clause 7.3.8 (design and development transfer) has more explicit requirements than Part 820.30(h) for design transfer activities. If you sell only in the EU, you need ISO 13485 certification. If you sell only in the US, you need Part 820 compliance (no third-party certification required — FDA enforces through inspection). If you sell in both markets — which most device companies of any scale do — you need a QMS that satisfies both simultaneously. FreedomDev builds QMS software with dual mapping: every workflow, form, and record structure is designed to satisfy both ISO 13485 clause requirements and the corresponding Part 820 section. This eliminates the need for separate compliance activities for each standard and produces a single set of quality records that satisfies auditors from both regulatory frameworks.

### What does an ISO 13485 Notified Body audit involve and how should we prepare?

A Notified Body audit under EU MDR 2017/745 evaluates your QMS against ISO 13485:2016 and the applicable MDR requirements for your device classification. The audit happens in two stages. Stage 1 is a documentation review: the audit team examines your quality manual, SOPs, quality objectives, organizational structure, management review records, and the overall design of your QMS to determine whether it is sufficient to proceed to Stage 2. Stage 1 findings do not block certification but identify areas requiring attention before the on-site audit. Stage 2 is the on-site assessment: auditors spend 2-5 days (depending on company size and device portfolio) evaluating the implementation and effectiveness of your QMS. They interview operators, quality engineers, design engineers, management, and regulatory affairs. They pull specific records — a complaint file, a CAPA, a design history file, a supplier evaluation, a batch record — and trace them end-to-end to verify that your actual practices match your documented procedures. Common areas of focus include design control traceability (can you trace every design input to its verification evidence?), CAPA effectiveness (did the corrective action actually prevent recurrence?), document control (are operators using the current version of every procedure?), and supplier management (are your critical suppliers evaluated and monitored per your defined criteria?). After initial certification, surveillance audits occur annually and recertification audits every three years. FreedomDev's digital QMS prepares you by ensuring every record the auditor requests is retrievable in minutes, every traceability chain is intact, and every overdue action item is visible and escalated before the audit date — not discovered during it.

### How does ISO 14971 risk management integrate with ISO 13485?

ISO 13485:2016 clause 7.1 requires that you plan and develop the processes needed for product realization, and that this planning includes risk management requirements. The standard itself does not define a specific risk management process — it references ISO 14971 (Application of risk management to medical devices) as the recognized methodology. ISO 14971:2019 defines a systematic process: identify the intended use and reasonably foreseeable misuse, identify known and foreseeable hazards in normal and fault conditions, estimate the risk for each hazardous situation (severity of harm multiplied by probability of occurrence), evaluate each risk against your defined acceptability criteria, implement risk control measures for unacceptable risks (in priority order: inherent safety by design, protective measures in the device or manufacturing process, information for safety), verify that each risk control measure is effective, evaluate residual risk, and conduct risk-benefit analysis where residual risk exceeds your acceptability threshold. In practice, risk management touches nearly every ISO 13485 process. Design inputs include risk analysis outputs (clause 7.3.3). Design verification includes verification that risk controls are implemented and effective. Design validation confirms that risk control measures work in the actual use environment. CAPA investigations evaluate whether complaints or nonconformances indicate new hazards or changed risk levels. Post-market surveillance data feeds back into the risk management file per ISO 14971 clause 10.3. FreedomDev's QMS integrates the risk management file as a living system of linked records — not a standalone spreadsheet that someone manually updates when they remember. When a CAPA identifies a new failure mode, the system flags the affected risk analysis records for review. When a design change modifies a risk control measure, the system requires residual risk re-evaluation before the change is approved.
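As an added example (not FreedomDev's code), the following Python sketches the enforcement pattern described in Step 2 of the process above and in this answer: each QMS process is a state machine whose transitions are gated by role, separation of duties, and required evidence, every transition appends to an audit trail, and a design change touching a risk control cannot be approved until its linked ISO 14971 risk records have been re-evaluated. The roles, states, record ids, and evidence field names are assumptions.

```python
from dataclasses import dataclass, field

# Transition table: (record type, from-state, to-state) -> (roles allowed to act, evidence fields that
# must be captured at that step). Constructed for illustration; a real QMS derives these from its SOPs.
RULES = {
    ("capa", "open", "investigation"): ({"quality_engineer"}, set()),
    ("capa", "investigation", "verification"): ({"quality_engineer"}, {"root_cause", "corrective_action"}),
    ("capa", "verification", "closed"): ({"quality_manager"}, {"effectiveness_evidence"}),
    ("design_change", "proposed", "approved"): ({"quality_manager"}, {"impact_assessment"}),
}
APPROVAL_STATES = {"closed", "approved"}  # entering these is an approval: the initiator may not self-approve

@dataclass
class Record:
    rid: str
    rtype: str
    state: str
    owner: str         # user who initiated the record
    created: str       # ISO date (YYYY-MM-DD); strings in this form compare chronologically
    linked_risks: list = field(default_factory=list)  # ISO 14971 risk records this record touches

@dataclass
class Qms:
    users: dict                                        # user -> role
    risk_reviewed: dict = field(default_factory=dict)  # risk id -> date of last residual-risk re-evaluation
    audit: list = field(default_factory=list)          # append-only trail: who, what, when, evidence

    def reevaluate_risk(self, risk_id, user, when):
        self.risk_reviewed[risk_id] = when
        self.audit.append({"t": when, "user": user, "record": risk_id, "event": "risk_reevaluated"})

    def transition(self, rec, to_state, user, evidence, when):
        rule = RULES.get((rec.rtype, rec.state, to_state))
        if rule is None:
            raise ValueError(f"{rec.rid}: no SOP-defined transition {rec.state} -> {to_state}")
        roles, required = rule
        if self.users.get(user) not in roles:
            raise PermissionError(f"{user} is not authorized to move {rec.rid} to {to_state}")
        if to_state in APPROVAL_STATES and user == rec.owner:
            raise PermissionError(f"{user} cannot approve their own record {rec.rid}")
        missing = required - set(evidence)
        if missing:
            raise ValueError(f"{rec.rid}: evidence not captured: {sorted(missing)}")
        if rec.rtype == "design_change" and to_state == "approved":
            # Every linked risk record must have been re-evaluated after the change was raised.
            stale = [r for r in rec.linked_risks if self.risk_reviewed.get(r, "") < rec.created]
            if stale:
                raise ValueError(f"{rec.rid}: residual risk not re-evaluated for {stale}")
        self.audit.append({"t": when, "user": user, "record": rec.rid, "from": rec.state,
                           "to": to_state, "evidence": sorted(evidence)})
        rec.state = to_state
        return rec.state

def attempt(qms, *args):
    # Convenience wrapper: the new state on success, or the name of the violated rule's exception.
    try:
        return qms.transition(*args)
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__
```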

### How much does a digital ISO 13485 QMS cost to build?

Cost depends on the scope of QMS processes being digitized, the number of regulatory frameworks being mapped, integration requirements with existing systems, and whether formal validation (IQ/OQ/PQ) is required. A focused QMS covering the core ISO 13485 processes — document control, CAPA, complaint handling, supplier management, internal audit, management review, and training — for a single-site company with one device family typically costs $120,000-$180,000. A comprehensive QMS that adds design controls, risk management integration, production batch records, EU MDR post-market surveillance modules, and dual-mapping to FDA 21 CFR Part 820 for a multi-site company with multiple device families runs $200,000-$300,000+. FDA system validation (IQ/OQ/PQ per GAMP 5) adds $20,000-$45,000 depending on system complexity and the number of validation test cases. Migration of existing QMS records — open CAPAs, active design files, historical complaint data, supplier qualification records, training histories — adds $10,000-$30,000 depending on volume and data quality. Compare this to the off-the-shelf eQMS market: Greenlight Guru's annual licensing starts at approximately $30,000-$60,000 per year for small teams and scales to $100,000+ for larger organizations. MasterControl ranges from $50,000-$200,000+ annually. Both require implementation consulting ($50,000-$150,000) and ongoing configuration effort. Over a 5-year horizon, custom QMS software from FreedomDev costs 30-50% less than off-the-shelf platforms for companies with more than 50 QMS users, and delivers a system that maps exactly to your quality procedures rather than forcing your procedures to adapt to the platform's workflow engine. Annual maintenance for custom systems runs $30,000-$72,000 including regulatory change monitoring, system updates, and technical support.

### Can you migrate our existing paper-based or spreadsheet QMS to a digital system without losing audit history?

Yes, and preserving audit continuity is a non-negotiable requirement of the migration. Your Notified Body auditor will expect to see unbroken quality records spanning the transition from paper to digital. During a surveillance audit six months after go-live, the auditor may pull a CAPA that was initiated on paper, transitioned to the digital system mid-investigation, and closed digitally. The record must be complete and traceable across both formats. Our migration process works as follows. First, we catalog every category of quality record in your current system: open and closed CAPAs (with full investigation histories), active design history files, current and historical supplier evaluations, the controlled document library with revision histories, training records, complaint files, internal audit records, management review minutes, and nonconformance records. Second, we define the migration mapping: which fields in your paper forms or spreadsheets correspond to which fields in the digital system, how approval signatures translate to electronic signature records, and how document revision histories are preserved. Third, we execute the migration with verification: every migrated record is verified against the source document for accuracy and completeness. For records that originated on paper, we maintain the scanned original as an attachment linked to the digital record so that auditors can trace back to the source. Fourth, we establish a clear cutover date documented in your QMS change management process, with a rationale record explaining the system transition. Your quality manual and applicable SOPs are updated to reference the digital system, reviewed and approved, and training is completed before the cutover date — creating an unbroken procedural chain that auditors can follow.

### How does this QMS handle EU MDR requirements beyond what ISO 13485 covers?

EU MDR 2017/745 imposes requirements that go significantly beyond ISO 13485:2016, and Notified Bodies now assess these MDR-specific requirements during ISO 13485 certification audits for EU market access. The key additions include post-market surveillance (PMS) obligations under MDR Articles 83-86, which require a PMS plan for every device, a PMS report for Class I devices, and a Periodic Safety Update Report (PSUR) for Class IIa, IIb, and III devices with defined update frequencies. Our QMS generates PSUR content automatically from complaint data, CAPA trends, literature monitoring records, and post-market clinical follow-up data already captured in the system. MDR Article 87 requires vigilance reporting of serious incidents through EUDAMED — our system classifies complaints against the MDR serious incident criteria and generates the reportable event notification with the required data elements. MDR Annex II requires comprehensive technical documentation including a benefit-risk analysis that references current clinical data — our system links the risk management file to the clinical evaluation report and flags when post-market data may affect the benefit-risk determination. MDR Article 27 requires Unique Device Identification (UDI) assignment and management — our system maintains the UDI database, tracks UDI-DI assignments per device model and configuration, and supports EUDAMED registration data preparation. MDR Annex XIV Part A requires clinical evaluation with systematic review of clinical data — our system manages the clinical evaluation plan, literature search protocols, clinical data abstractions, and the clinical evaluation report with revision tracking tied to post-market clinical follow-up milestones. These are not bolt-on features. They are integrated into the QMS architecture so that MDR compliance data flows naturally from the same operational records that satisfy ISO 13485.

---

**Canonical URL**: https://freedomdev.com/solutions/iso-13485-medical-device

_Last updated: 2026-05-12_