
Avoiding the Common Pitfalls to Successfully Implementing ISO 13485

Congratulations: your organization has made the decision to certify to ISO 13485:2016. Perhaps the decision was driven by legal and regulatory requirements because you are a finished device manufacturer, or perhaps it was a sales and marketing decision to expand your contract manufacturing capabilities.

Here we present key points to be aware of as you navigate the standard and implement the QMS in your organization. Being aware of them will help you avoid the common pitfalls on the way to successfully implementing ISO 13485:2016.

What ISO 13485 is (and isn’t):

  • It is based on ISO 9001, but there are important differences

The quality management system requirements given in ISO 9001:2015 are applicable to any organization, regardless of its type or size, or the products and services it provides. The requirements given in ISO 13485:2016, on the other hand, are applicable to medical devices and, as noted in the title of the standard, serve regulatory purposes. For any QMS, an understanding of the seven quality management principles is foundational.

  • ISO 13485:2016 follows the High-Level Structure (HLS) of the Management System Standards (MSS)
  • Though technically a voluntary standard, it has (mostly) achieved “regulatory status”
  • There are other regulations. In other words, gaining ISO 13485 certification is only one component of satisfying medical device regulations
  • Similarly, there are other standards that may need to be applied, for example ISO 14644, ISO 14971 and more

Precisely define your scope:

  • Understand what the scope of certification is

Precisely defining your scope will not only help your implementation of the standard; it is also a critical consideration when your organization is audited.

  • Understand what the scope stated on the certification is

ISO 13485 certification requires a clear scope.

An organization “shall not exclude part of processes, products, or services from the scope of certification when those processes, products or services have an influence on the safety and quality of products” (IAF MD 9:2017).


Management and organization culture alignment

  • Perfunctory versus lived

Needless to say, management should not treat its role in the organization’s continued certification perfunctorily. Just as ethical leadership shapes the rest of the organization, the tone at the top will drive the adoption of ISO 13485 in the organization. A helpful analogy is comparing the requirements in clause 5 (Management Responsibility) to individual health: if the Quality Policy is the goal, then Quality Objectives are the vitals, Management Reviews are regular checkups, and ensuring resource availability is ensuring proper nutrition.

Under-documenting or over-documenting:

  • “Shall”s are requirements
  • Understand the documents your organization needs
  • The standard requires a Quality Manual and 32 areas covered in procedures

    0. quality manual
    1. control of documents
    2. control of records
    3. management review
    4. competence / training / awareness
    5. infrastructure
    6. maintenance
    7. work environment
    8. control of contaminated product / sterile devices (as needed)
    9. risk management
    10. product realization
    11. customer communication
    12. design and development
    13. change control
    14. purchasing / receiving
    15. production controls (as needed)
    16. product cleanliness / controls (as needed)
    17. installation (as needed)
    18. servicing (as needed)
    19. validation (of e-QMS, processes, sterilization, monitoring systems)
    20. identification
    21. traceability
    22. preservation of product
    23. monitoring and measurement
    24. customer feedback
    25. complaint handling
    26. regulatory notification
    27. internal audits
    28. product release
    29. non-conforming product
    30. analysis of data
    31. corrective actions
    32. preventive actions

    The standard requires 40 types of records and 3 device specific files/records (as applicable)

    In the language of the FDA, the 3 device specific files/records are:
    a. DMR (Device Master Record) reference clause 4.2.3.
    b. DHF (Device History File) reference clause 7.3.10.
    c. DHR (Device History Record) reference clause 7.5.1.
    And the 40 types of required records (as applicable) are as follows:

    1. management review
    2. HR (training, etc.)
    3. PM
    4. risk management activities
    5. requirements met
    6. customer order reviewed
    7. D&D plan
    8. D&D inputs
    9. D&D outputs
    10. D&D reviews
    11. D&D verification
    12. D&D validation plan
    13. D&D validation
    14. D&D transfer
    15. ECO
    16. supplier evaluation
    17. purchasing information
    18. receiving
    19. installation
    20. servicing
    21. sterilization parameters
    22. validation of processes, sterilization/sterile barrier
    23. traceability
    24. customer property disposition
    25. preservation condition
    26. calibration
    27. validation of computer software used in monitoring/measurement
    28. feedback
    29. complaint handling
    30. reporting to regulations
    31. internal audit
    32. product release
    33. NCR
    34. advisory notice actions
    35. rework
    36. data analysis
    37. corrective actions
    38. preventive actions
    39. DCO
    40. validation of e-QMS

Risk-based approach

  • Critical for medical devices

Risk-based thinking was a key change in the 2015 revision of ISO 9001.

ISO explained that “by considering risk throughout the system and all processes, the likelihood of achieving stated objectives is improved, output is more consistent, and customers can be confident that they will receive the expected product or service.”

Maintaining ISO 13485

  • The last pitfall to avoid is thinking you are “done” after implementation and initial certification

Implementation should really be considered as just the start of the journey. As the standard explains, continued certification is an ongoing process in terms of following and continually improving your processes and making the product as safe and effective as possible.

Certification and re-certification audits cover the entire standard, while surveillance audits include at minimum a review of internal audits, management review, actions taken on previous audit non-conformances, complaints handling, effectiveness of achieving quality objectives, progress of improvement activities, continuing operational control, and any organizational changes.
