
ISO 13485 — Medical Devices Quality Management Systems

ISO 13485 consulting for US medical device, digital health, and software-as-a-medical-device companies.

We build medical device quality management systems aligned with ISO 13485:2016 and the FDA's Quality Management System Regulation (QMSR, 21 CFR Part 820), with MDSAP-ready scoping when international markets matter. From design controls through post-market surveillance, with risk management woven through the lifecycle — not bolted on.

Why this matters

ISO 13485 sits at the foundation of medical device commercialization globally. EU CE marking under MDR effectively requires it: EN ISO 13485 is the harmonized standard that gives presumption of conformity for the MDR's QMS obligations. MDSAP, the single audit recognized by FDA, Health Canada, ANVISA, TGA, and PMDA, is built on it. And as of February 2, 2026, the FDA's QMSR incorporates ISO 13485:2016 by reference, so US law and the international standard are now substantially the same system. Most US device companies hold ISO 13485 certification regardless, because international customers, partners, and contract manufacturers expect it.

The QMS for a medical device company is not the same as the QMS for an industrial manufacturer. Design controls are deeper. Risk management is connected to design and post-market surveillance as one continuous discipline rather than three separate ones. Supplier controls carry FDA inspection weight. Software-as-a-medical-device introduces IEC 62304 lifecycle requirements that look more like engineering practice than traditional process validation. The QMS has to reflect all of this without becoming an obstacle to actually designing and shipping products.

Our engagements with medical device companies — from pre-revenue startups preparing for first 510(k) submission to mature manufacturers recovering from FDA warning letters — share one principle: the QMS is designed for how your engineering, regulatory, and operations teams actually work. Design history files are built as design happens, not reconstructed before submission. Risk management is a living artifact, not a document refreshed once a year. CAPA is short, defensible, and feedback-loop-closed. That's what passes audits, satisfies regulators, and lets the company actually ship.

What's included

A full ISO 13485 engagement covers scope, design controls, risk management, supplier controls, process validation, CAPA, and audit support through certification. Component engagements are available — design control coaching, FDA inspection prep, MDSAP readiness, post-market surveillance setup — when that fits better than full implementation.

  • QMS scope definition & device classification

    Crisp scoping of your QMS by product family, intended use, and regulatory class (Class I, II, III; FDA class and risk; EU MDR class). The scope statement that frames every subsequent design and documentation decision.

  • Design controls & design history file

    Design and development procedures aligned with ISO 13485:2016 clause 7.3, which the FDA QMSR now incorporates by reference in place of the former 21 CFR 820.30. Design History File structure that satisfies both FDA inspection and ISO 13485 audit. Especially critical for software-as-a-medical-device and connected device companies.

  • Risk management per ISO 14971

    Risk management file integrated with design controls and post-market surveillance. Hazard analysis, risk evaluation, risk control measures, and residual risk acceptability — the artifact regulators and notified bodies audit most aggressively.

  • Supplier controls & purchasing procedures

    Supplier qualification, monitoring, and re-evaluation procedures aligned with FDA expectations for medical device manufacturers. Critical for contract manufacturers, distributors, and companies with complex supply chains.

  • Process validation, sterilization & manufacturing controls

    IQ/OQ/PQ frameworks, process validation protocols, sterilization validation (where applicable), and manufacturing controls. Tailored to your product technology — software validation differs significantly from sterile device manufacturing.

  • CAPA, complaint handling & post-market surveillance

    Corrective and preventive action procedures, complaint handling, FDA Medical Device Reporting (MDR/eMDR adverse event reporting under 21 CFR Part 803, not to be confused with the EU MDR), post-market surveillance, and trending. The closed-loop system that demonstrates ongoing product safety after market entry.

  • Notified body / FDA / MDSAP audit support

    Preparation and on-site support for ISO 13485 certification audits, MDSAP audits (US, Canada, Australia, Brazil, Japan), and FDA inspections (typically as informal observers, since the consultant role during FDA inspection is limited). Pre-inspection readiness reviews and post-inspection response support.

How we work

ISO 13485 engagements tend to run longer than ISO 9001 or 14001 because design controls, risk management, and post-market surveillance carry more depth and more regulatory weight. Length scales with device complexity, scope (single product line vs corporate QMS), and starting baseline.

  1. Scope, gap analysis & regulatory strategy (3–6 weeks)

    Define QMS scope, classify your devices in each target market (FDA, MDSAP, EU MDR), map current state against ISO 13485:2016 and FDA 21 CFR 820, and confirm regulatory strategy. Output: prioritized roadmap with effort estimate and a regulatory submission timeline if FDA clearance or EU CE marking is also in scope.

  2. Build & implement (4–8 months)

    QMS documentation suite, design controls, risk management, supplier controls, process validation, CAPA infrastructure. Training rollout for the team. Mock audits to harden the system before notified body or registrar arrives. Length varies significantly with device complexity and starting baseline.

  3. Certify (2–3 months)

    Stage 1 audit (documentation review). Address findings. Stage 2 audit (operational and design control review across full QMS scope). Address any non-conformities. Receive ISO 13485:2016 certificate. If pursuing MDSAP, an MDSAP auditing organization audits ISO 13485 plus each jurisdiction's specific requirements in a single audit recognized across five jurisdictions, typically issuing the ISO 13485 certificate alongside the MDSAP certificate rather than requiring a separate certification audit.

  4. Sustain (ongoing)

    Surveillance audits, post-market surveillance reviews, design change controls, complaint trending, CAPA effectiveness verification, recertification at year three. For active product development companies, ongoing design control coaching is often the highest-value retainer activity.

Where this fits in the US compliance landscape

ISO 13485 lives in a dense regulatory ecosystem. The standard itself is the QMS backbone; specific regulations (FDA, MDR, MDSAP partners) layer specific requirements on top, and adjacent standards (risk, software, security) integrate into the design and lifecycle work.

FDA 21 CFR Part 820 — Quality Management System Regulation (QMSR)

The FDA's quality system regulation for medical device manufacturers. As of February 2, 2026, the QMSR replaced the former Quality System Regulation and incorporates ISO 13485:2016 by reference — so the FDA's requirements and the international standard are now substantially the same system, with FDA-specific additions (device labeling, UDI, and certain records and complaint-handling provisions). We design a single QMS that satisfies the QMSR and ISO 13485 together, with the FDA-specific elements built in.

MDSAP (Medical Device Single Audit Program)

Single audit recognized by FDA, Health Canada, ANVISA (Brazil), TGA (Australia), and PMDA (Japan). For companies marketing in multiple jurisdictions, MDSAP replaces what would otherwise be multiple separate regulatory audits. We scope MDSAP-ready implementations from the start when commercial geography justifies it.

EU MDR & IVDR

European Medical Device Regulation and In Vitro Diagnostic Regulation set the QMS requirements for CE marking in the EU. ISO 13485 certification is effectively prerequisite. We coordinate with EU notified bodies and integrate MDR-specific requirements (post-market surveillance reports, periodic safety update reports) into the QMS design.

ISO 14971 — Risk Management

The medical device risk management standard. ISO 13485:2016 requires documented risk management throughout product realization and names ISO 14971 as the reference standard; FDA reviewers and EU notified bodies both expect ISO 14971-conformant risk management files. We treat risk management as a connected discipline with design controls and post-market surveillance, not three separate exercises.

IEC 62304 — Medical Device Software

Software lifecycle processes for medical device software, including software-as-a-medical-device (SaMD). Particularly relevant for digital health, AI/ML diagnostics, connected devices, and any device with embedded firmware. Integrated with design controls and risk management.

ISO 27001 — Information Security

For connected medical devices, digital health platforms, and AI-driven diagnostics, ISO 27001 increasingly pairs with ISO 13485. FDA cybersecurity premarket guidance, MDR cybersecurity requirements, and customer (hospital) procurement security reviews all expect a demonstrable information security posture; ISO 27001 certification is one widely recognized way to evidence it, though none of these regimes mandates that particular certificate.

FDA cybersecurity guidance

For connected medical devices, FDA premarket and postmarket cybersecurity guidance defines specific design and documentation expectations beyond ISO 13485, and for devices that meet the "cyber device" definition, section 524B of the FD&C Act makes a cybersecurity vulnerability management plan, secure design, and a software bill of materials (SBOM) statutory premarket submission requirements. We integrate cybersecurity controls into design controls and CAPA when device connectivity is in scope.

Who we serve

ISO 13485 applies to any organization in the medical device lifecycle. Our active engagements span:

  • Class II and Class III medical device manufacturers (active and passive devices)
  • In vitro diagnostic (IVD) manufacturers
  • Software-as-a-medical-device (SaMD) and digital health platforms
  • Contract manufacturers and contract development organizations
  • Medical device distributors and importers
  • AI and machine learning diagnostic and decision-support companies
  • Connected device companies — wearables, remote monitoring, implantables
  • Early-stage device startups preparing for first FDA submission or CE marking

Frequently asked

Common questions about ISO 13485

What's the practical difference between ISO 13485 and the FDA QMSR (21 CFR Part 820)?

ISO 13485 is an international consensus standard for medical device QMS, used as the basis for CE marking in the EU, MDSAP certification, and most non-US regulatory regimes. The FDA's Quality Management System Regulation (QMSR) — 21 CFR Part 820 — is US law, enforced during FDA inspections. As of February 2, 2026, the QMSR incorporates ISO 13485:2016 by reference, so the two are now substantially aligned rather than merely similar, though the QMSR adds FDA-specific requirements (device labeling, UDI, and certain records and complaint provisions). For a US manufacturer, the QMSR is the legal requirement; ISO 13485 certification is voluntary but increasingly expected by customers, and effectively required for international markets. We design a QMS to satisfy both from the same documentation set.

We're a pre-FDA-clearance startup. When should we start the QMS work?

Early, but scoped to where you are. Design controls (ISO 13485:2016 clause 7.3, which the QMSR incorporates in place of the former 21 CFR 820.30) apply from the moment you begin design and development of a device intended for commercial distribution. Waiting until pre-submission means recreating the design history file retrospectively, which auditors and reviewers can detect. The right pattern is a lean QMS at company formation that satisfies design controls, then expands to full ISO 13485 scope as you approach commercialization. We've designed many such phased rollouts for venture-backed medical device startups.

We're a software-as-a-medical-device company. Does ISO 13485 fit, or is this overkill?

It fits — and is increasingly required. FDA classifies most SaMD as medical devices subject to the QMSR (21 CFR Part 820). ISO 13485 with IEC 62304 (software lifecycle) integrated is the right QMS framework for SaMD companies. The implementation looks different from a sterile device manufacturer — design history file emphasis is on software requirements, architecture, testing, and verification rather than process validation and sterilization — but the management-system structure is the same.

Should we pursue MDSAP from the start or just ISO 13485?

Depends on geography. If your commercial plan includes Canada, Brazil, Australia, or Japan in the medium term, MDSAP is the strategic choice: one audit covers all five jurisdictions (including the US, where FDA accepts MDSAP audit reports in place of routine surveillance inspections for participating manufacturers; for-cause and pre-approval inspections are not replaced). If you're US-only with no near-term international plans, standalone ISO 13485 certification is faster and cheaper. We'll help you decide based on your commercial roadmap.

How long does ISO 13485 certification take?

For a pre-revenue medical device company with no existing QMS, six to twelve months is typical from kickoff to Stage 2. The variables that drive duration: device complexity (SaMD moves faster than sterile manufacturing), starting baseline (some teams already have engineering and design discipline that maps to design controls), scope (single product family vs full corporate QMS), and audit body availability. We give you a calibrated timeline after the gap analysis — committing to a date before that would be irresponsible.

How does FDA inspection differ from ISO 13485 audit, and how do you support both?

FDA inspections are unannounced regulatory inspections enforcing US law (the QMSR at 21 CFR Part 820 and related regulations). Inspectors arrive on-site and issue Form 483 observations or warning letters. With the QMSR effective February 2, 2026, the FDA moved from its long-standing QSIT approach to an updated inspection program aligned with the ISO 13485-based regulation. ISO 13485 audits, by contrast, are scheduled certification audits by an accredited registrar, focused on the standard's requirements. They differ in legal authority, methodology, and consequence. We prepare clients for both: mock FDA inspections including 483 response drills, ISO 13485 audit prep with the actual registrar's audit plan, MDSAP audit prep when in scope. During actual FDA inspections, our role is limited (the inspector talks to your people, not us); we are present as observers and post-inspection response advisors.

What does ISO 13485 consulting typically cost?

ISO 13485 engagements tend to be larger than ISO 9001 or 14001 engagements because device complexity, design control depth, and risk management discipline all add real scope. Gap analysis for a small medical device startup runs in the low to mid five figures. Full implementation through Stage 2 certification for a single product family ranges considerably higher depending on device complexity. Notified body or registrar fees add $15,000 to $50,000 for initial certification depending on scope and audit days. MDSAP audit fees are higher. We don't publish rate cards; reach out and we'll walk through honest scope.

Can you help us recover from an FDA Form 483 or warning letter?

Yes. Form 483 responses and warning letter remediation are a substantial portion of our ISO 13485 work, especially for first-generation manufacturers who underestimated the QMS infrastructure required for sustained compliance. We bring in fresh assessment, identify root cause beyond the specific observations, design and implement systemic corrections, and prepare the response submission. Timeliness matters here — early engagement reduces escalation risk significantly.

Ready to scope your ISO 13485 engagement?

Send a short note describing your current state, your target, and your timeline. We respond within one business day with clarifying questions and a path to a no-pressure scope call.

Last reviewed May 2026