ISO 13485
The quality management system standard for medical device manufacturers — the global baseline that FDA's updated QMSR and CE marking both now align to.
ISO 13485:2016 (Medical devices — Quality management systems — Requirements for regulatory purposes) specifies requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements. Unlike ISO 9001, which is built around customer satisfaction and continual improvement, ISO 13485 is explicitly oriented to regulatory compliance: it replaces continual improvement with maintaining the effectiveness of the QMS, and it acknowledges that regulatory requirements may exclude some ISO 9001 elements from applying. The standard covers the full device life cycle and supply chain, so it applies not only to manufacturers but also to distributors, importers, and organizations that store, install, or service devices. Key requirements include design and development controls (Clause 7.3) covering design input, design output, design review, design verification, design validation, design transfer, and design changes; risk management throughout product realization, referencing ISO 14971; feedback and complaint handling (Clauses 8.2.1 and 8.2.2); reporting to regulatory authorities (8.2.3); and corrective and preventive action (CAPA, 8.5.2 and 8.5.3). EU MDR/IVDR require manufacturers to operate a quality management system and EN ISO 13485:2016 is the harmonized standard for it; in practice, certification of the QMS to ISO 13485 by a notified body or accredited registrar is how manufacturers demonstrate QMS conformity for CE marking, although the regulations themselves mandate the QMS rather than the certificate.
The engineering implications of ISO 13485 are most acute in software-intensive medical device companies, where development velocity conflicts with the standard's process documentation expectations. Clause 7.3 design controls apply to software changes, not just initial development: every software update that affects safety or performance characteristics requires documented design change control (Clause 7.3.9), including an impact assessment, re-verification and re-validation as appropriate, and a review of whether the change needs a new or supplementary regulatory submission. This creates an obligation to classify every software release by its risk impact and route it through the appropriate design change process, and the classification itself must be recorded, because an unclassified change cannot be shown to have been controlled. Companies also frequently underestimate Clause 7.5.9 (traceability). Clause 7.5.9.1 requires documented procedures that define the extent of traceability and the records to be kept; 7.5.9.2 adds, for implantable devices, that those records identify components, materials, and work-environment conditions that could cause the device not to satisfy its requirements. For a software-intensive device the practical consequence is that each shipped unit or deployed release must be traceable to its exact software version (build identifier, not just a marketing version), manufacturing records, and incoming inspection records for all components. This demands per-unit production records (the device history record, in FDA terms; Clause 7.5.1 requires a record for each device or batch) that are often inadequately designed early in product development and costly to reconstruct later.
ISO 13485:2016 and the FDA's Quality Management System Regulation (QMSR, effective February 2, 2026) are now structurally aligned: FDA incorporates ISO 13485:2016 by reference into 21 CFR Part 820, retaining a small set of FDA-specific additions rather than the former Quality System Regulation text. However, FDA requirements outside Part 820 remain in force: Medical Device Reporting per 21 CFR Part 803 (FDA's "MDR", not to be confused with the EU Medical Device Regulation), establishment registration and device listing per 21 CFR Part 807, and unique device identification (UDI) per 21 CFR Part 830. Companies serving both US and EU markets can align their QMS to ISO 13485 and layer FDA-specific procedures on top. The EU MDR/IVDR additionally require a Post-Market Clinical Follow-Up (PMCF) plan and, for class IIa devices and above, Periodic Safety Update Reports (PSUR); these have no direct FDA equivalent. For SaMD companies specifically, the interaction of ISO 13485 with ITSM and DevOps tooling is the critical integration challenge: service management processes must map to QMS procedures, with incidents feeding the feedback and complaint handling clauses (8.2.1, 8.2.2) and, where reportable, regulatory reporting (8.2.3), change management feeding design change control (7.3.9), and problem management feeding CAPA (8.5.2, 8.5.3).
We design ISO 13485-compliant QMS implementations as living systems integrated with engineering toolchains rather than as paper-based parallel processes. Our design control procedures use templated design history file structures in document management systems (Confluence, Veeva Vault, or Jama Connect) with automated workflow routing for design change classification and review. We map ITSM change management to the ISO 13485 Clause 7.3.9 design change procedure so that every production deployment is classified, and only deployments classified as design changes are gated on the Clause 7.3.9 evidence (impact assessment, re-verification or re-validation, and approvals); documentation, infrastructure, and CI changes that do not touch device design pass without that gate, while still leaving a record of the classification decision.
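The release gate described above, and the Clause 7.5.9 traceability record discussed earlier, can be made machine-enforced rather than procedural. The following Python is an added example written for this page; it is not code from the page's authors or from any product. The path sets, record identifiers, artifact contents, and the rule that a "safety" impact requires validation evidence and a regulatory review are all constructed assumptions standing in for what a real project's design documentation would define.

```python
"""Release quality gate for a software medical device (example, not a product).

Classifies a change as a design change or not, checks that a design change
carries the evidence Clause 7.3.9 expects before deployment, and emits a
traceability record tying the deployed artifact to its change record.
All path rules and identifiers below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import json

# Hypothetical: paths whose changes affect safety or performance characteristics.
DESIGN_PATHS = ("src/dose_calc/", "src/alarm/", "firmware/")
# Hypothetical: paths that never touch device design (docs, pipeline, hosting).
NON_DESIGN_PATHS = ("docs/", "ci/", "infra/")
# Roles that must sign off a design change before it may deploy (assumed).
REQUIRED_APPROVALS = {"engineering", "quality"}


@dataclass
class ChangeRecord:
    change_id: str
    commit: str
    version: str
    touched_paths: list
    safety_impact: str = "none"          # "none" | "performance" | "safety"
    impact_assessment: Optional[str] = None   # DHF document id
    verification_evidence: list = field(default_factory=list)  # test report ids
    validation_evidence: list = field(default_factory=list)    # validation ids
    approvals: set = field(default_factory=set)                # signed-off roles
    regulatory_review: bool = False      # submission impact reviewed?


@dataclass
class GateResult:
    classification: str   # "design" | "non_design" | "unclassified"
    allowed: bool
    missing: list         # human-readable list of what blocks deployment


def classify(change: ChangeRecord) -> str:
    """Declared impact or a touched design path makes it a design change.
    Anything outside both documented path sets is refused as unclassified
    rather than silently treated as non-design."""
    if change.safety_impact not in ("none", "performance", "safety"):
        raise ValueError(f"unknown safety_impact {change.safety_impact!r}")
    if change.safety_impact != "none" or any(
        p.startswith(DESIGN_PATHS) for p in change.touched_paths
    ):
        return "design"
    if all(p.startswith(NON_DESIGN_PATHS) for p in change.touched_paths):
        return "non_design"
    return "unclassified"


def evaluate(change: ChangeRecord) -> GateResult:
    """Apply the Clause 7.3.9 evidence requirements to design changes only."""
    cls = classify(change)
    missing = []
    if cls == "unclassified":
        missing.append("explicit classification of paths outside the "
                       "documented design/non-design sets")
    elif cls == "design":
        if not change.impact_assessment:
            missing.append("impact assessment")
        if not change.verification_evidence:
            missing.append("verification evidence")
        if change.safety_impact == "safety":
            if not change.validation_evidence:
                missing.append("validation evidence")
            if not change.regulatory_review:
                missing.append("regulatory submission review")
        for role in sorted(REQUIRED_APPROVALS - set(change.approvals)):
            missing.append(f"{role} approval")
    return GateResult(cls, not missing, missing)


def traceability_record(change: ChangeRecord, artifact: bytes) -> dict:
    """Record linking the exact deployed artifact to the change that produced it.
    Refuses to produce a record for a change the gate would not allow."""
    result = evaluate(change)
    if not result.allowed:
        raise RuntimeError(f"{change.change_id} blocked: {result.missing}")
    return {
        "version": change.version,
        "commit": change.commit,
        "artifact_sha256": hashlib.sha256(artifact).hexdigest(),
        "change_id": change.change_id,
        "classification": result.classification,
        "impact_assessment": change.impact_assessment,
        "verification_evidence": sorted(change.verification_evidence),
        "validation_evidence": sorted(change.validation_evidence),
        "approvals": sorted(change.approvals),
    }


# Constructed sample changes (identifiers are invented for the example).
DOC_ONLY = ChangeRecord("CR-1001", "a1b2c3d", "2.4.1", ["docs/ifu/en.md"])
DOSE_CHANGE = ChangeRecord(
    "CR-1002", "d4e5f6a", "2.5.0", ["src/dose_calc/bolus.py"],
    safety_impact="safety", impact_assessment="DHF-IA-0042",
    verification_evidence=["TR-0311"], approvals={"engineering"},
)
DOSE_CHANGE_COMPLETE = ChangeRecord(
    "CR-1002", "d4e5f6a", "2.5.0", ["src/dose_calc/bolus.py"],
    safety_impact="safety", impact_assessment="DHF-IA-0042",
    verification_evidence=["TR-0311"], validation_evidence=["VR-0090"],
    approvals={"engineering", "quality"}, regulatory_review=True,
)
MIXED_CHANGE = ChangeRecord("CR-1003", "0f1e2d3", "2.5.1", ["src/ui/colors.py"])

if __name__ == "__main__":
    for change in (DOC_ONLY, DOSE_CHANGE, DOSE_CHANGE_COMPLETE, MIXED_CHANGE):
        print(change.change_id, evaluate(change))
    print(json.dumps(traceability_record(DOSE_CHANGE_COMPLETE, b"artifact"), indent=2))
```

The point of the third outcome, "unclassified", is that a path outside both documented sets blocks deployment until someone extends the design documentation, which is the decision an auditor will ask to see; defaulting such paths to non-design would let a design change slip past the gate unrecorded.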
Compliance-Native Architecture Guide
Design principles and a structured checklist for building software that is compliant by default — not compliant by retrofit. Covers data architecture, access controls, audit trails, and vendor due diligence.