News & Commentary on ISO Management System Standards

    ISO 13485 - What Suppliers to the Medical Device Sector Need to Know


    Many organizations with the potential to supply components, packaging, and other goods and services (incl. logistics) to the Medical Device Sector are scared off by talk of CE Marking, Notified Bodies, regulatory inspections, unannounced/surprise audits, and the like.

    It's all nonsense (well, almost all). You don't believe me? Then read on.  There could be a lot of high-margin business that you're missing out on.

    In this article, we’ll consider nine frequently asked questions:

    1. Are medical device suppliers obliged to have ISO 13485:2016 certification?
    2. Is ISO 9001 certification enough to supply medical devices?
    3. Is ISO 13485 just an add-on to ISO 9001?
    4. Is ISO 13485 compliance relevant to providers of products and services to the Medical Device Supply Chain?
    5. Do we have to get CE marking of components?
    6. Do medical device suppliers have to comply with a lot of regulations?
    7. Do medical device suppliers have to comply with a lot of Guideline requirements?
    8. Is it true that medical component suppliers will be subject to Surprise Audits?
    9. Can we have a combined ISO 9001/ISO 13485 audit and save on costs?
    10. Is addressing risks in our ISO 9001 QMS enough to also satisfy ISO 13485 requirements? 

    Let’s get started.

    ISO 13485 and Supplying to the Medical Device Sector

    1. Is ISO 13485:2016 certification mandatory for supplying medical devices?

    We're considering the position of component and packaging (including labeling) manufacturers and logistics/distribution companies. The former input materials and services to medical device manufacturers and the latter provide distribution and other services for the finished product.

    To answer the question: ISO 13485 is designed and intended for use by the entire medical device supply chain. And what tends to happen is that those evaluating potential suppliers have a tendency to ask about ISO 13485. 

    Indeed, some manufacturers mandate it as a prerequisite requirement.  So, it can only help to have such certification. Surprisingly, it is not necessary to be a supplier to the medical device sector to get ISO 13485 certification.

    Yes, you can get certified as a medical device component manufacturer without manufacturing any components.

    2. Is ISO 9001 certification alone enough to supply medical devices?

    There are many suppliers to the sector with ISO 9001 certification alone where additional requirements are dealt with in a Sales Contract or SLA (service level agreement).

    It gets a bit more complex for distributors. Some regulatory bodies (e.g. Ireland HPRA) have guidelines that mention ISO 13485 certification. Regulators of the pharma and medical device sectors have a long history of treating guidelines as ‘holy writ’. They will audit/inspect against guidelines as if they were mandatory.

    While it is far from certain, many CBs (certification bodies) expect ISO 13485 certification to become the norm for distributors and prospective distributors in the near future.

    So, if customers are happy with ISO 9001 certification, don’t change.  But, if you want to add to your list of medical device customers, or enter the sector, ISO 13485 certification is necessary.

    3. Is ISO 13485 just an add-on to ISO 9001?

    No, it’s not. There are two significant differences between ISO 9001 and ISO 13485:

    1. ISO 9001 uses the new HLS structure, while ISO 13485 retains the structure of ISO 9001:2000.
    2. ISO 9001 is not prescriptive, while ISO 13485 has up to 139 requirements for documentation. These include a quality manual, a documented management representative, and preventive action, among other things. All of which are no longer needed for ISO 9001 certification.

    An integrated management system is often suggested here. But this is not a practical proposition. These are two distinctive standards requiring two management systems, albeit ones that are compatible with one another and have shared processes/procedures (e.g., a combined internal audit program and a single nonconformance procedure).

    4. Is ISO 13485 compliance relevant to providers of products and services to the Medical Device Supply Chain?

    A definite "Yes."

    The auditing standard, ISO 19011, brings Supply Chain risks and other issues to the ISO Auditors’ attention. The 2016 version of the ISO 13485 Standard was written with this in mind (see Section 1). Here are some of the key Medical Device Supply Chain issues arising:

    Component Manufacturer:

    Component quality can (critically) affect, for example,

    • service life,
    • performance and
    • end-of-life disposal of medical devices.

    Logistics Providers:

    Relevant warehousing, handling, storage, and delivery issues include ...

    • temperature control,
    • FIFO,
    • storage and treatment of defective, damaged or returned product, and
    • lot traceability.

    These can also be critical to ensuring the safety and effectiveness of medical devices.

    Service and maintenance organizations:

    The vast range of services here includes...

    • servicing,
    • maintenance and
    • calibration of theatre equipment, including measuring devices.

    You'll need a Service Level Agreement (SLA) as well as an ISO 13485 Certificate

    It makes sense that Manufacturers define their requirements in SLAs (service level agreements) developed in consultation with Suppliers so that hazards and threats to patient/user safety and the effective and efficient operation of medical devices can be best assured.

    These threats and hazards can then be reviewed and documented, and ongoing agreements to maintain the necessary controls and precautions can be managed in the context of an MDMS and ISO 13485 Certification.

    5. Do we have to get CE marking of components?

    No. While you may be asked by a customer to affix a CE mark to a component, you will be doing so on the ‘manufacturer’s’ behalf.

    Regulations under ISO standards define the ‘manufacturer’ as the entity that holds the marketing authorization/license. Only ‘manufacturers’ need to engage in the protracted and (usually) expensive process of getting a CE Mark for a medical device or an IVDMD.

    Suppliers to manufacturers (including distributors) do NOT require CE Marks.


    6. Do medical device suppliers have to comply with a lot of regulations?

    Again, no. Regulatory requirements will be defined in the contract (or SLA) by the ‘manufacturer’. There are no regulations that you would be subject to directly.

    7. Do medical device suppliers have to comply with a lot of Guideline requirements?

    Yet again, no. Regulatory guidelines, to the extent applicable, will remain the responsibility of ‘manufacturers’ and will be reflected, where necessary, in contracts and SLAs.

    8. Will medical component suppliers be subjected to surprise audits?

    As a component manufacturer and supplier to the medical device sector, you will only be subject to Unannounced Audits (a.k.a. Surprise Audits) if your customer - the ‘manufacturer’ - has designated your company as a ‘crucial supplier’ or a ‘critical subcontractor’ in paperwork submitted in pursuit of CE marking.

    Your contract or SLA with the ‘manufacturer’ will advise you of the designation, if applicable. If it doesn’t, ask them in writing (an email will suffice) about your status.

    It is more likely that distributors will be subject to Unannounced Audits because of the critical role they play in maintaining the integrity of product identification and traceability.

    9. Can we have a combined ISO 9001/ISO 13485 audit and save on costs?

    A combined audit is not a practical proposition; the two standards are very different. ISO 9001 focuses on customer satisfaction and ISO 13485 focuses on the product (quality, performance, traceability, market feedback, et cetera).

    Of course, audit fees are always negotiable. If requesting back-to-back audits against the two standards, you should expect a significant discount.

    10. Does addressing risks in our ISO 9001 QMS also satisfy ISO 13485 requirements?

    In a word, no. Risk (and opportunity) in ISO 9001 Clause 6.1 is focused on business risks, while risk in ISO 13485 Clause 7.1 addresses patient/end-user safety.

    To conclude - you need to get into this high-margin Sector

    I hope these answers have encouraged you. The market for medical devices and in-vitro devices is growing at an astonishing rate. There are more than 10,000 different types of devices registered globally. And the compound rate of market growth is in excess of 14% per annum by value.

    In seeking new suppliers, ‘manufacturers’ place a far higher priority on quality and on-time delivery than on price. You need to get into this high-margin sector. As a basic confirmation of your capability, you need ISO 13485 Certification.

    What are you waiting for?




    deGRANDSON Global is an ISO Certified Educational Organization

    In October 2021, we secured certification to three education-related ISO Standards.  We now have a university-grade management system in place conforming to the requirements of  …

    • ISO 21001, Educational Organizational Management System,
    • ISO 29993, Learning Services outside formal Education,  and
    • ISO 29994, Learning Services – additional requirements for Distance Learning.

    We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which, in our opinion, are commercially compromised), it is based on independent third-party assessment.  It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.

    We provide Courses for ISO 9001, ISO 13485, ISO 14001, ISO 17025, ISO 27001, ISO 45001, Data Protection, Risk Management, and more.


    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems