News & Commentary on ISO Management System Standards

    Preparing for the first ISO 13485 Certification Audit

    Audit Meeting Biteable-3

    Your old ISO 9001 QMS 'dolled up' with the language of the 2016 Standard is not going to be adequate.

    When you are first audited against ISO 13485:2016, the Auditors, whether a Notified Body or Certification Body, will, as usual, be seeking objective evidence of your compliance with the Standard. Being an audit against ISO 13485, a different style of Quality Management System standard, the extent of the implementation and maintenance of new or changed requirements versus ISO 9001:2015, will be of particular interest. 

    What's different about ISO 13485:2016?

    There are seven key areas whose requirements you can expect them to concentrate on.  These are...

    1. Unfamiliar Definitions in ISO 13485:2016

    Be sure to include a review of the definitions in Part 3 of the Standard in the development, or migration, of your Quality Management System (QMS). We draw your attention in particular to these:

    • Advisory notice - covers changes in the use, modification, return, or destruction of a medical device, and regulatory requirements also apply.  If your organization holds the marketing authorization/license, don't ignore the requirements here.
    • Clinical evaluation - the verification of clinical safety and performance is now included in expanded EU Regulations - check it out.
    • Complaint - definition differs from ISO 9000.
    • Labeling - as in Regulations, the definition includes instructions for use.
    • Manufacturer - The definition now includes seven explanatory Notes.
    • Medical device - the definition here is different from that in EU or FDA Regulations, and you will need to reconcile your QMS against both.
    • Post-market surveillance - because of the emphasis Regulators place on feedback from the market, especially after the launch of new products, expect external auditors also to emphasize requirements here.

    If these terms are new to you, you need ISO 13485 training.

    Path to ISO 13485 Certification Infographic



    2. Expanded Requirements for Risk Management in ISO 13485:2016

    By now, we are familiar with risk-based thinking as required by ISO 9001.  But risk gets a different treatment in ISO 13485.  While ISO 9001 is concerned with business risk and consequential effects on customer satisfaction,

    ISO 13485 focuses on the medical device itself and the risks in use and misuse to patients' and end-users' safety.  A fully-featured risk management process is needed where risks are analyzed and evaluated; where a reduction in risk is needed, a risk treatment plan is developed, which must also be implemented and reviewed.

    Providers of goods and services to the medical device sector (e.g., component manufacturers and logistics companies) are not excused from requirements here and, for lack of support and information from the medical device manufacturers, may struggle with this one.

    3. Resource Management with Special Attention to People

    The provision of adequate resources, and in particular human resources, needs special attention.  The work environment (e.g., cleanroom) and contamination control (e.g., staff attire, behavior, and habits) will be focused on.  The use of temporary staff will get much attention.  Staff will be interviewed about contamination control, for example.

    4. Different set of Management Responsibilities in ISO 13485:2016

    Quality Objectives and plans to achieve them will be examined. Responsibilities and authorities will be checked to ensure that all responsibilities for regulatory requirements have been assigned and that authorities - especially regarding the release of the product - are defined.

    Internal communication will get renewed attention as it is key to ensuring that the good intentions documented in the MDMS get implemented and are maintained. 

    5. Focus on Documentation - Procedures and Records - where up to 139 instances may apply

    There are now 139 (sic) instances in the 2016 Standard where documentation is mentioned. In developing your system, a careful check needs to be made to ensure that all applicable mentions of documentation are acted upon. 

    These requirements give regulators tick-box items to check, and so external auditors will not want to leave any unchecked instances behind for a subsequent regulatory inspection to find.  This could be an area that provides many avoidable Minor Non-compliances.  Be sure you are not caught out.

    And if you are a manufacturer of a Class 1 device in Europe, expect your self-declaration of conformity to CE Mark Regulations also to be checked. The same applies to the UKCA Mark under UK Regulations.


    ISO Internal Auditor Course summary


    6. Increased Design Controls, Environment Controls, and Manufacturing Controls for you and your Suppliers 

    There are generally more detailed requirements in these areas.  Carefully reading the Standard combined with a knowledge of your business is necessary to get a good result here. 

    If you are using the services of a consultant to implement or upgrade your Medical Device Management System (MDMS), you are strongly advised to study the Standard yourself to make sure that no detailed requirement is missed.  An ISO 13485:2016 Implementation Course would be a good way of gaining knowledge of both the Standard and its interpretation.

    7. Ensure the additional Requirements from the EU Regulations are included in your QMS

    Regulators participated in numbers in the Technical Committee that drew up the ISO 13485 revision in 2016.  The greatly increased number of additional, specific requirements ensued.  You may need to develop checklists for use in internal audits to help ensure that no applicable ones get missed in future audits.

    And I hope it's quite clear that a re-badged ISO 9001 Quality Manual with the same old processes and procedures is just totally inadequate for the requirements here.

    Note also that the Annexes to the EN (European Union Harmonised) edition of the 2016 Standard have been updated with the issue of Amendment 11 to the Standard. This Amendment, which identifies where ISO 13485 requirements are inadequate in meeting the 2017 MDD and IVDR regulations, now applies.  So, compliance with the ISO 13485 Standard does not ensure compliance with EU Regulations. Be careful to audit your MDMS against the Amendment 11 Annexes.

    You must ensure that all additional requirements from the EU Regulations are included in your MDMS.  As such, they form part of your MDMS, and external Auditors will include regulatory compliance in the scope of their audit.  You have now been forewarned!

    Best of luck!

    New call-to-action


    Related Articles


    deGRANDSON Global is an ISO Certified Educational Organization

    New call-to-actionIn October 2021, we secured certification to three education-related ISO Standards.  We now have a university-grade management system in place conforming to the requirements of  …

    • ISO 21001, Educational Organizational Management System,
    • ISO 29993, Learning Services outside formal Education,  and
    • ISO 29994, Learning Services – additional requirements for Distance Learning.

    We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment.  It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.


    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems
    Find me on:

    Subscribe to Email Updates

    Recent Posts