Preparing for your first ISO 13485 Certification Audit


Your old Quality Management System 'dolled up' with the language of the 2016 Standard is not going to be adequate.

When you are first audited against ISO 13485:2016, the auditors, whether from a Notified Body or a Certification Body, will, as usual, be seeking objective evidence of your compliance with the Standard. Because this is an audit against ISO 13485, a different style of Quality Management System standard, the extent to which you have implemented and maintained the requirements that are new or changed relative to ISO 9001:2015 will be of particular interest.

What's different about ISO 13485:2016?

There are six key areas with changed or new requirements on which you can expect the auditors to concentrate.

1. Unfamiliar Definitions in ISO 13485:2016

Be sure to include a review of the definitions in Part 3 of the Standard in the development, or migration, of your Quality Management System (QMS). We draw your attention in particular to these:

  • Advisory notice - covers changes in the use, modification, return or destruction of a medical device; regulatory requirements also apply. If your organization holds the marketing authorisation/licence, don't ignore the requirements here.
  • Clinical evaluation - the verification of clinical safety and of performance is now included in expanded EU Regulations - check it out.
  • Complaint - definition differs from ISO 9000.
  • Labelling - as in Regulations, the definition includes instructions for use.
  • Manufacturer - the definition now includes seven explanatory Notes.
  • Medical device - the definition here is different from that in EU or FDA Regulations and you will need to reconcile your QMS against both.
  • Post-market surveillance - because of the emphasis Regulators place on feedback from the market, especially after the launch of new products, expect external auditors also to emphasise requirements here.


2. Expanded Requirements for Risk Management in ISO 13485:2016

By now we are familiar with risk-based thinking as required by ISO 9001. But risk gets a different treatment in ISO 13485. While ISO 9001 is concerned with business risk and its consequential effect on customer satisfaction, ISO 13485 focuses on the medical device itself and the risks in use, and misuse, to the safety of patients and end-users. A fully-featured risk management process is needed where risks are analysed, evaluated and, where a reduction in risk is needed, a risk treatment plan is developed, which must also be implemented and reviewed.

Providers of goods and services to the medical device sector (e.g. component manufacturers and logistics companies) are not excused from requirements here and, for lack of support and information from the medical device manufacturers, may struggle with this one.

3. Resource Management with Special Attention to People

The provision of adequate resources, and in particular the human resource, needs special attention. The work environment (e.g. cleanroom) and contamination control (e.g. staff attire, behaviour and habits) will be focused on. The use of temporary staff will get much attention. Staff will be interviewed about contamination control.

4. Different Set of Management Responsibilities in ISO 13485:2016

Quality Objectives and plans to achieve them will be examined. Responsibilities and authorities will be checked to ensure that all responsibilities for regulatory requirements have been assigned and that authorities - especially regarding the release of the product - are defined.

Internal communication will get renewed attention as it is key to ensuring that the good intentions documented in the MDMS get implemented and are maintained. 

5. Focus on Documentation - Procedures and Records - where up to 139 Instances May Apply

There are now 139 (sic) instances in the 2016 Standard where documentation is mentioned. In developing your system a careful check needs to be made to ensure that all applicable mentions of documentation are acted upon.

These requirements give regulators tick-box items to check, and so external auditors will not want to leave any unchecked instances behind for a subsequent regulatory inspection to find. This could be an area that provides many avoidable Minor Non-compliances. Be sure you are not caught out.

And if you are a manufacturer of a Class 1 device in Europe expect your self-declaration of conformity to CE Mark Regulations also to be checked.


6. Increased Design Controls, Environment Controls and Manufacturing Controls for You and Your Suppliers 

There are generally more detailed requirements in these areas. Carefully reading the Standard, combined with a knowledge of your business, is necessary to get a good result here.

If you are using the services of a consultant to implement or upgrade your Medical Device Management System (MDMS), you are strongly advised to study the Standard yourself to make sure that no detailed requirement is missed. An ISO 13485:2016 Transition Course would be a good way of gaining knowledge of both the Standard and its interpretation.

7. Ensure the additional Requirements from the EU Regulations are Included in Your QMS

Regulators participated in numbers in the Technical Committee that drew up the 2016 revision of ISO 13485, and a greatly increased number of additional, specific requirements ensued. You may need to develop checklists for use in internal audits to help ensure that no applicable requirement gets missed in future audits.

And I hope it's quite clear that a re-badged ISO 9001 Quality Manual with the same old processes and procedures is just totally inadequate for the requirements here.

Note also that the Annexes to the EN (European Union Harmonised) edition of the 2016 Standard refer to obsolete Regulations. The 2017 MDD and IVDR regulations now apply. As before, compliance with the ISO 13485 Standard does not ensure compliance with EU Regulations.

You must ensure that all additional requirements from the EU Regulations are included in your MDMS. As such they form part of your MDMS, and external auditors will include regulatory compliance in the scope of their audit. You have now been forewarned!

Best of luck!


Written by Dr John FitzGerald

Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems