Quality management system
Establishing and maintaining documented processes that define how your organisation controls every aspect of the device lifecycle, from design inputs to disposal.
Our ISO 13485 consulting services help medical device manufacturers and suppliers across Europe build effective quality management systems and achieve certification. We handle the complexity so you can focus on running your business.
For organisations operating in the medical device sector, ISO 13485 certification is rarely optional. Under the EU Medical Device Regulation (MDR 2017/745) and the In Vitro Diagnostic Medical Devices Regulation (IVDR 2017/746), placing a device on the European market requires a documented, controlled quality management system. In practice, ISO 13485:2016 is the standard that notified bodies and competent authorities expect to see as evidence that a medical device QMS meets those regulatory obligations.
The pressure extends beyond regulators. Large device manufacturers, hospital procurement bodies, and distributors routinely require ISO 13485 certification from their suppliers as a condition of doing business. If you supply components, contract manufacturing, software, or sterilisation services, your customers are passing their own regulatory obligations down to you — and they will ask to see your certificate.
Source: ISO Survey 2024
ISO 13485 provides the framework to meet these requirements systematically — not through ad hoc compliance exercises, but by building a documented, auditable quality management system that demonstrates how your organisation designs, manufactures, and controls medical devices to consistent standards.
ISO 13485 is the international standard for Quality Management Systems (QMS) in the medical device industry. Published by the International Organisation for Standardisation and currently in its 2016 edition — referred to as ISO 13485:2016 — it applies to any organisation involved in the design, development, production, installation, or servicing of medical devices, including suppliers of components, software, and services that form part of a device's lifecycle.
It is not a general quality standard. While ISO 13485 shares structural roots with ISO 9001, it diverges in ways that matter for regulated industries. ISO 9001 places significant emphasis on continual improvement as a management philosophy. ISO 13485 places primary emphasis on regulatory compliance and on demonstrating consistent conformity to applicable requirements. Where ISO 9001 gives organisations flexibility to define their own improvement targets, ISO 13485 mandates specific controls — over design, production, traceability, sterility, and post-market surveillance — that align with what regulators and notified bodies require.
The standard is structured around five interconnected areas:
Establishing and maintaining documented processes that define how your organisation controls every aspect of the device lifecycle, from design inputs to disposal.
Requiring senior leadership to demonstrate active commitment to the QMS, set quality objectives, conduct regular management reviews, and maintain clear accountability for regulatory compliance.
Ensuring the organisation provides the competent personnel, infrastructure, and controlled work environment necessary to produce safe medical devices consistently, including any contamination control requirements relevant to your product.
Covering the full device lifecycle: design and development controls, purchasing and supplier management, production and process validation, traceability, sterility controls, and post-market surveillance obligations aligned with EU MDR and IVDR requirements.
Embedding monitoring, internal audit, corrective and preventive action (CAPA), and customer feedback mechanisms that keep the QMS effective, compliant, and responsive to field data.
An ISO 13485 certificate is issued by an accredited, independent certification body after a two-stage audit. The certificate is valid for three years, subject to annual surveillance audits.
The certificate matters. What sits behind it is what makes your business defensible to regulators, customers, and notified bodies.
ISO 13485 certification is the primary evidence that a medical device QMS meets the requirements of the EU MDR and IVDR. In Canada, Australia, Japan, and Brazil, it is recognised under national medical device frameworks. Without it, market access is constrained. With it, you hold an independently audited proof point that answers the first question regulators and notified bodies ask.
Notified bodies scrutinise QMS documentation as part of their technical file and conformity assessment work. A well-implemented ISO 13485 system reduces requests for additional evidence, shortens the back-and-forth during assessment, and demonstrates that your quality controls are integrated into operations rather than assembled for the audit.
A functioning QMS gives you documented traceability, controlled nonconforming product procedures, and a CAPA process that addresses root causes rather than symptoms. Post-market surveillance requirements embedded in ISO 13485 align directly with MDR obligations, reducing the risk of regulatory action and the consequences of a field safety corrective action or competent authority inspection.
Device manufacturers are required to control their suppliers under both ISO 13485 and the MDR. They do this by requiring documented evidence of QMS capability — typically ISO 13485 certification. If you supply components, contract manufacturing, software, or sterilisation services, your customers will ask for it.
ISO 13485 and ISO 9001 are structurally compatible. If you already hold ISO 9001 certification, the gap analysis typically focuses on the medical device-specific requirements that ISO 9001 does not address — you are extending an existing system rather than building a parallel one. HEIC consults on both standards and can plan an integrated approach from the outset.
Every organisation starts from a different position. Some already have elements of a quality system in place — validation records, technical files, or documented procedures inherited from an ISO 9001 programme. Others are building from scratch. We meet you where you are and guide you through a structured certification process that reaches the outcome without unnecessary complexity.
We begin by understanding your operations: the devices or services you provide, the markets you supply, and any existing QMS documentation you hold. We then conduct a structured gap analysis, mapping your current position against ISO 13485:2016 requirements and identifying what is missing, incomplete, or not yet implemented.
ISO 13485 requirements do not exist in isolation from the regulatory environment. We review the applicable regulatory context — EU MDR and IVDR requirements, national regulations in your target markets, and notified body expectations relevant to your device classification — and design a QMS architecture that satisfies ISO 13485 while remaining coherent with those broader obligations.
With the design confirmed, we work with your team to implement the controls, procedures, and monitoring processes required by the standard. We develop quality manuals, standard operating procedures, work instructions, validation protocols, and post-market surveillance frameworks that reflect how your organisation actually operates — not generic templates that will not survive scrutiny in a real audit.
Before external auditors arrive, we conduct a full internal audit — reviewing your QMS against ISO 13485:2016 with the same rigour your certification body will apply. We identify any remaining gaps, help you close them, and prepare your team for the Stage 1 documentation review and Stage 2 implementation audit that follow.
The timeline depends on the size of your organisation, the complexity of your devices and processes, and how much is already documented. For most organisations, the full journey from gap analysis to certification audit runs between five and twelve months. We provide a project timeline at the outset of each engagement so you know what to expect.
The total cost has two parts: consulting fees for the gap analysis, QMS design, implementation support, and audit preparation, and the certification audit fee charged by the certification body you choose. Both vary with organisation size, device complexity, and scope. We provide a scoped cost estimate after an initial assessment — there is no single figure that applies to all organisations.
While both are QMS standards, ISO 13485 is designed specifically for the medical device sector and contains requirements with no equivalent in ISO 9001. These include controls for sterile product, product traceability, design and development documentation specific to medical devices, and post-market surveillance obligations that align with regulatory requirements. ISO 9001 certification does not satisfy the requirements of ISO 13485. Many organisations hold both, particularly where they produce medical devices alongside non-medical product lines, and the two can be integrated into a single system.
ISO 13485 certification is not itself a legal requirement under EU law — the MDR and IVDR require manufacturers to have a quality management system in place, but do not mandate a specific certification scheme. In practice, however, notified bodies and competent authorities expect ISO 13485 certification as the primary evidence that a QMS meets MDR and IVDR requirements. Without it, demonstrating compliance becomes significantly more resource-intensive and carries greater risk during conformity assessment.
ISO 13485:2016 was developed in parallel with the EU MDR and maps closely to the QMS requirements set out in Annex IX and Annex XI of that regulation. A certified ISO 13485 QMS provides the foundation for MDR conformity, but does not automatically guarantee it — specific MDR obligations, such as the appointment of a Person Responsible for Regulatory Compliance (PRRC) and post-market clinical follow-up requirements, sit outside the standard and must be addressed alongside it.
Yes, and for many organisations this is the most efficient approach. If you already hold ISO 9001 certification, a significant portion of your QMS infrastructure — documented processes, internal audit programme, management review, corrective action procedures — already exists. The gap analysis focuses on the medical device-specific requirements that ISO 9001 does not address. We can scope and deliver the ISO 13485 work as an extension of your existing system rather than a parallel build.
A Corrective and Preventive Action (CAPA) process is a mandatory requirement of ISO 13485 and one of the areas certification auditors and notified bodies examine most closely. It is the mechanism by which your organisation identifies the root cause of nonconformities, implements corrections, verifies their effectiveness, and prevents recurrence. A poorly implemented CAPA process is one of the most common sources of major nonconformities at certification audits. We build and test your CAPA process as part of the implementation phase.
Whether you are pursuing ISO 13485 certification for the first time, updating your QMS to align with EU MDR requirements, or integrating medical device quality management with an existing ISO 9001 system, we can help you get there. Speak to one of our consultants about your situation. We will tell you honestly where you stand, what the certification journey looks like for your organisation, and how long it will realistically take.
We'll get back to you within one business day.