ISO 13485

Design and Manufacture of Medical Devices

Medical and Pharmaceutical


  1. Introduction
  2. Overview
  3. Global adoption
  4. Benefits
  5. Auditing
  6. Choosing a registrar
  7. Route to registration
  8. Costs
  9. Contributing editor


Introduction

The ISO 13485:2003 Standard relates to quality management systems in the field of Medical Devices, including IVD (In Vitro Diagnostic). The standard can be used by an organization for the design, development, production, installation and servicing of medical devices as well as for the design, development and provision of related services.

ISO 13485 can also be used by internal and external parties, including certification bodies, to assess the organization’s ability to meet customer and regulatory requirements. The standard is published by ISO, the International Organization for Standardization, and is available through National Standards Bodies.

It is important to note that the same ISO 13485:2003 Standard, designated as EN ISO 13485:2003, is a “Harmonized Standard”, meaning a standard prepared under a specific mandate given to CEN by the European Commission to support the Essential Requirements of the EU Medical Device Directives and the “CE marking” of the product (90/385/EEC for Active Implantable Medical Devices, 93/42/EEC for “Medical Devices”, and 98/79/EEC for “In Vitro Diagnostic”).

In other words, and in this specific case, it means that a quality system that satisfies the requirements contained in the EN ISO 13485 standard is “presumed to be in conformity” with the quality system requirements specified by the European Medical Device Directives.

On the other hand, it is important to clarify that the (EN) ISO 13485:2003 Standard is, and remains, a standard applied on a voluntary basis.

To avoid any doubt or misunderstanding, it is also important to clarify that the current version of the standard is a “stand alone” standard, meaning that a company can apply it without the support of any other quality system standard (i.e. the support of ISO 9001).

It was not the same in the past. In fact, when the standard was initially created (in 1995 and under the name of “EN 46001” and then again in the first version under the new name of “ISO 13485”), it contained only the “additional requirements” to be used in addition to the ISO 9001 quality system requirements in order to “adapt” the use of ISO 9001 into the specific world of medical devices.

The current format of ISO 13485:2003 replicates the format of the ISO 9001:2008 Standard, and the clause numbering is aligned between the two standards, with evident convenience for users in the medical device community, especially if an organization chooses to apply both standards.

Moreover, as with ISO 9001, a company can exclude any clause of section 7 that proves to be “not applicable” to its business, including clause 7.3 on Design and Development.


Overview

The ISO 13485:2003 Standard is a “stand alone” Standard, based on the ISO 9001:2008 structure. ISO/TR 14969:2004 is a Technical Report intended to provide guidance on the application of ISO 13485:2003. The guidance is useful to better understand the requirements of ISO 13485 and to learn some of the different methods and approaches available to meet ISO 13485 requirements.

ISO 9000:2005 contains the “Fundamentals and Vocabulary” of Quality Management Systems and is indispensable in the application of ISO 13485:2003, as it introduces the user to the concepts behind the management systems and specifies the terminology used; additional and specific “Terms and Definitions” are also given in Chapter 3 of the ISO 13485:2003 Standard.

Is ISO 13485 relevant to your organization?

ISO 13485 is suitable for all organizations involved in the medical device lifecycle and looking for an improvement in the way they are operated and managed. In recent years, ISO 13485:2003 has become the worldwide reference standard for companies dealing with medical devices.

In fact, the Standard is commonly used by medical device design organizations, medical device manufacturing facilities, service organizations (i.e. for medical device packaging, medical device sterilization, stocking, warehousing, distribution, installation, servicing), manufacturers of raw materials for medical devices, and designers and/or manufacturers of semi-finished materials or components etc.

With particular reference to medical device manufacturers (in the sense of the physical or legal person having the legal responsibility for the product on the market, according to the specific local regulations), in the last ten years the ISO 13485:2003 Standard has increasingly become the common instrument used to build a documented system able to support and facilitate reaching and keeping compliance with most of the Medical Device Regulations around the world (European MD Directives, Canadian MDR / SOR98-282, Australian TGA, Japanese GMP, Taiwanese Regulation, Mercosur Regulation, FDA), and in making it simpler to provide evidence of such compliance. Credit for this is due to the continuous effort of the Global Harmonization Task Force (GHTF), which has been in operation since 1992.

It is important to note that, as with all quality system standards, ISO 13485 is designed to be implemented throughout the whole organization rather than for a particular activity or within a single department or division. In addition, ISO 13485:2003 is closely aligned to other management standards such as ISO 9001, ISO 14001 (Environmental) and OHSAS 18001 (Occupational Health and Safety), providing a great opportunity for integration and synergy with other quality systems.

It often happens that an organization with ISO 9001:2008 certification will decide to upgrade its quality system to ISO 13485:2003, maintaining the ISO 9001 certificate. In this case the upgrade, if correctly designed and planned, does not represent a big step in terms of required resources and documentation. Considering the common base of the two systems and the overlap of certain requirements, a very efficient and effective integration can be accomplished.

Global adoption

According to the ISO Survey of Certifications done in 2009, there are about 17,000 certificates in issue for ISO 13485 across 90 countries. An increase of 24% between 2008 and 2009 confirms the ongoing growth and popularity of the standard and its adoption within the global medical device supply chain and regulatory compliance support.


Benefits

  • Implementing a Quality Management System, in general, helps to motivate staff and provide a better definition of roles and key responsibilities.
  • Implementing a Quality Management System specifically tailored for the medical devices industry helps the organization to demonstrate its ability to systematically provide medical devices and services that consistently meet customer requirements, meet applicable regulatory requirements (compliance) and safety standards.
  • Cost savings can be made through improved efficiency and productivity, as product or service deficiencies will be highlighted and corrected.
  • Improvements can be developed on a systematic and monitored basis, resulting in less waste, less inappropriate or rejected work, and fewer complaints.
  • Provides a systematic approach to risk management.
  • Systematic, smoother, transparent and documented handling of activities required by regulation such as post-marketing follow-up and surveillance, complaints handling, CAPA implementation, field actions or product recall handling, vigilance and competent authorities reporting, and clinical experience enrichment.
  • Systematic incorporation, at an early stage and within the design and development process, of the regulatory requirements impacting on the product itself and its technical features.
  • Helps create a systematic vision embracing the medical device lifecycle, medical device packaging, its labeling, its installation, its servicing, and its usability. This includes the information provided together with the medical devices, the commercial claims, the unspoken user expectations, the feedback from users or patients, the risks associated with use, the benefits brought to the single patient and to the Community, the costs and the disposal of the medical device.

In other words, the real benefit that should be pursued and that can be gained by the use of ISO 13485:2003 is the creation of a company’s culture based on the understanding that the regulatory compliance of a medical device is “within” the medical device, intrinsically bound to the “physicality” of the medical device from the moment it is conceived (designed) until it is manufactured.

A medical device is simply an object; it can be material (tube, scalpel or machine) or immaterial (software). It is important to understand that such an object becomes a medical device, and acquires the dignity of a medical device, because it answers to a certain definition given by a regulation, the same regulation that gives the requirements the medical device must satisfy.

It is the author’s viewpoint that the biggest benefit of ISO 13485:2003, especially to manufacturers of medical devices, is the contribution that the standard’s requirements provide in creating awareness, at all levels, that the company will create medical devices, and not only create devices that someone else will need to turn into a medical device. This demonstrates their compliance with regulation as a separate, scholastic exercise.


Auditing

Auditing activity is typically intended to be shared across the following 3 levels:

  • 1st party audits are done by internal or outsourced staff, trained and qualified for the process. The aim is a continual process of review and assessment, to verify that the system is working as it is meant to, to find improvements, to assess the compliance with regulatory requirements, and to correct or prevent problems. It is required that internal auditors audit outside their usual management line in order to add a degree of impartiality to their judgment.
  • 2nd party audits are typically done by a customer’s QA/RA specialist and are typically focused on both the system and the product line that is the object of the collaboration agreement.
  • 3rd party audits are typically done by an external certification body or registrar strictly related to the ISO 13485:2003 Standard, or by a notified body if the ISO 13485 certification is part of a product regulatory compliance assessment process according to European Medical Device Directives.

Note: A notified body, in the European Union, is a certification body that has been accredited and notified (to the European Commission) by the Member State where it is based, to act with reference to a specific European Directive.

Also with reference to auditing and 3rd party certification, the combination of the two schemes (ISO 9001 and ISO 13485) provides advantages in terms of logistics, assessment time and certification costs. The assessment time for a combined ISO 9001 and ISO 13485 Quality System is about two thirds of the time required by the 2 schemes considered separately, meaning a saving of approximately 40-45% on total costs if audits are combined.

Moreover, the certification body’s assessor is almost always qualified for both ISO 13485 and ISO 9001, meaning the assessing team can handle both standards during the same audit session (one team, one opening meeting, one closing meeting, one report), minimizing the burden for the company and streamlining the certification process.

Choosing a registrar

There are over 1000 certification bodies globally, though not all of them are accredited for ISO 13485:2003. It is important to select an approved certification body and follow these precautions:

  • The certification body is accredited to ISO/IEC 17021:2006, and the certification body accreditation is issued by a recognized competent body
  • Receive quotations from several certification bodies
  • Do not select the cheapest as their auditing or service may be below standard
  • Ensure the certification body is recognized by your customers and it has relevant sector experience for your industry sector

Important Note: If ISO 13485:2003 is required for a specific regulatory purpose, it is important to verify that the registrar is also accredited/approved for that specific regulation; in this case it is important to make clear to the registrar, at the early commercial discussion, that the ISO 13485 certificate is needed for that purpose. For example, if an ISO 13485 certificate is required to apply to Health Canada for a “Device Licence”, it is important to choose a registrar that participates in the specific Canada Medical Device Conformity Assessment System (CMDCAS), and a specific ISO 13485:2003 certificate “under CMDCAS” needs to be issued. A “simple” ISO 13485:2003 certificate, even if issued by the same registrar, will not be valid to obtain a Device Licence. To obtain an ISO 13485:2003/CMDCAS certificate, the company needs to implement and satisfy all the applicable additional requirements stipulated by the Canadian Medical Device Regulation.

Route to registration

There are various phases to registration:

  1. Stage 1 assessment
    • Check documentation with Lead Auditor
      The Lead Assessor will review the Quality System documentation and will generally have a facility tour. This will ensure that all documented procedures are in place to cover the applicable requirements of ISO 13485:2003.
    • Determine date of assessment
      Together with your Lead Auditor, you will determine the best timetable for the registration and agree on a date for the initial assessment. During stage 1, the duration of the stage 2 assessment, as determined in the commercial quotation, will also be verified and confirmed or, if duly justified, modified.
  2. Stage 2 assessment
    • An initial assessment covering all the applicable sections of the Standard will be conducted by the auditor. Details about the audit will be explained and clarified during the “Opening Meeting”, and the company will be formally informed of the auditor’s recommendation, any nonconformities and the following steps at the closing meeting.
  3. Registration Confirmation
    Following your auditor’s recommendation, your registration will be confirmed by the technical reviewers.
    • Certificate Issued
      Your certificate of registration will arrive soon after your registration has been confirmed.
  4. Continued Assessment
    After registration, the nominated assessor will visit the Client organization every 6 months or annually to ensure that the management system continues to meet the requirements of ISO 13485:2003.
  5. Reassessment
    Your registrar is required to perform a reassessment of the management system every 3 years. This is normally 2/3 of the initial assessment duration.


Costs

The global answer on costs depends on a number of factors. There are costs both to implement and to maintain the certification. Typically the costs to be considered belong to 3 main categories:

  1. Internal costs: Quality Manager costs, costs of people involved in the project for setup/writing/implementing the procedures, training costs, translation costs, calibration of instruments, improvement and/or validation of processes. Note: Costs for ISO 13485:2003 may vary in the event of an upgrade from an existing ISO 9001 certification.
  2. Consultancy costs/external training costs: A good solution is usually to have a group of people (typically from QA, Design, Production, Purchasing) attend a tailored training course on ISO 13485 run by a professional trainer/consultant. This allows you to focus on the specific needs of the company and the peculiarity of the business in order to optimize time and training efficacy costs.
  3. Certification costs: Typically, assessments are quoted in man days and based on the number of company employees in the organisation. International standards apply to this process in order to minimize fluctuation in man day estimations between different registrars. A quotation is provided by the registrar to the company and may include travel and accommodation arrangements, invoiced as additional costs.

In terms of costs to implement the standard, if the company chooses a full “do-it-yourself” approach, the only real costs will be human resources in terms of time spent for document preparation/review/upgrade, training, procedure implementation and verification. If you have little experience with ISO 13485, or have limited internal resources, you might choose to get some outside professional help through a management system consultant. There are several advantages to recruiting a consultant and, moreover, you are able to guarantee your registration within a given period.

Costs of registration are dependent on the size of your organization. Most registrars charge a certain rate per day to be on-site at your facility. This day rate will vary depending on your country; the typical day rate for ISO 13485:2003 in Europe will vary between 800 and 1,500 Euros per audit day, depending on the registrar. Small companies with fewer than 20 staff could expect one auditor on site for 1-3 days; large companies can expect several auditors on site for up to 10-15 days.

Other fees include application fees, certificate fees or annual licence fees. To maintain your certification, the registrar must return annually to audit a portion of your system. These costs will be less than the original visit, since the time spent will be shorter. Once every three years, the registrar, according to international standards, must return to audit your entire system.

Contributing editor

Dr. Ing. Gianluca Mosca, Ph.D.
Founder and senior consultant, QB Quality in Biomedical srl – Milan, Italy

Gianluca graduated from Politecnico of Milano University in 1991 as a biomedical engineer. He started in the R&D of sterile medical devices and active medical equipment for heart surgery, dialysis and intensive care, taking part in international projects involving well known multinational companies in the medical device sector.

Between 1995 and 1998 he was deeply involved in the most vivid change in the medical device industry over the last 30 years: the start of the “new approach” European Medical Devices Directives, the common European market, the transition from a local (Member States) approval system to the European Notified Bodies and CE marking. Throughout those years he accrued considerable international experience within quality and regulatory affairs that bloomed into international consultancy.

Since 2004 Gianluca has been a qualified Notified Body Lead Assessor for BSI Healthcare in the UK, and he has been a qualified auditor for Health Canada under the CMDCAS programme since 2005.
