In the medical technology sector, quality is inseparable from safety. Devices used in clinical settings must perform reliably, consistently and in full compliance with regulatory expectations. For organisations involved in the lifecycle of such products, from design to post-market service, a functioning quality management system (QMS) is not optional. ISO 13485:2016 sets the global standard for how that system must look and function. The standard represents essential knowledge and is both a regulatory and operational requirement.
This article outlines the key elements of ISO 13485, explains its role in regulatory compliance, and explores how staff training and general quality awareness are essential to ensuring the system works in practice.
The requirements of ISO 13485 are recognised by regulatory authorities around the world. While certification is not mandatory in most markets, countries such as Australia, Japan and Brazil have long accepted audits under the Medical Device Single Audit Program (MDSAP), which is based on the standard.
In the United States, the Food and Drug Administration (FDA) is currently replacing its long-standing Quality System Regulation (21 CFR Part 820) with a new Quality Management System Regulation (QMSR) that incorporates ISO 13485 by reference. From February 2026, compliance with the 2016 version of the standard will be a condition for US market access, though formal certification will not be required.
Health Canada already mandates ISO 13485 certification for medical device manufacturers. And in the European Union, the standard is harmonised under both the Medical Device Regulation (MDR) and the In Vitro Diagnostic Regulation (IVDR). Certification provides a presumption of conformity with key QMS obligations under Annex IX and Article 10 of these regulations.
For manufacturers of medium- and high-risk devices, certification is effectively a prerequisite for entering regulated markets. Without it, access is limited, regardless of product quality or innovation.
ISO 13485 applies to any organisation that designs, manufactures, distributes, services or refurbishes medical devices. This includes not only producers but also authorised representatives, importers, subcontractors and sterilisation providers.
At its core, the standard describes how to build a robust QMS. It defines how processes should be structured, documented and monitored. It also outlines the roles and responsibilities needed to manage product safety and regulatory compliance across the entire product lifecycle.
Compared to more general standards like ISO 9001, ISO 13485 places heavier emphasis on risk management, traceability, and documentation. Processes must be repeatable, verifiable and clearly linked to quality outcomes. Risks must be identified, evaluated and controlled, from design and production through to post-market monitoring. Organisations must also maintain full oversight over any outsourced process, even when tasks are delegated.
Key requirements include:
The foundation of a compliant QMS is its documentation. Procedures, templates, checklists and forms must be not only available but also applied. They serve as objective evidence that the organisation is doing what it claims to do, and that it can prove this during audits or inspections.
Among the required documents are:
A central tenet of ISO 13485 is that quality is a shared responsibility. It is not confined to the quality assurance department but extends to everyone whose work affects the product directly or indirectly. That includes assembly workers, engineers, warehouse staff, field service technicians, and especially management.
Leadership sets the tone. This starts with a corporate quality policy. Management is expected to integrate quality objectives into its planning and decision-making. But implementation relies on broad participation. Staff should be able to:
This shared ownership model supports a culture in which quality becomes embedded in daily operations, not imposed from above.
For staff to meet these expectations, they must be trained. Not just once, but regularly. ISO 13485 section 6.2 requires organisations to ensure that employees are competent, based on education, training, skills and experience. This includes understanding the QMS, as well as knowing how one’s role supports quality and compliance.
Organisations must establish a documented process to identify training needs, deliver appropriate training, and evaluate its effectiveness. That process should be ongoing, responsive to changes in procedures, technologies or responsibilities.
Training formats may include:
Training needs are often mapped through a matrix linking job roles to required competencies. Evaluation methods may involve knowledge tests, observations or peer feedback. The goal is not only to confirm that training occurred, but that it was understood and applied.
Many organisations now use electronic quality management systems (eQMS) to streamline training. These platforms offer digital tracking, automated alerts, and audit-ready records, supporting compliance with ISO 13485 and with US FDA electronic recordkeeping rules under 21 CFR Part 11.
ISO 13485 is the central standard for quality management in the medical technology sector. Without alignment to its requirements, bringing a medical device to market is, in most cases, no longer viable. For those operating in this field, adherence to the standard is non-negotiable.
What sets ISO 13485 apart is its clarity: it requires not only formal procedures and documentation, but also competence, accountability and transparency at every organisational level. Training and internal quality awareness are not add-ons, they are essential for regulatory compliance and for ensuring that systems operate as intended. Without them, even the best-documented procedures risk falling short in practice.
Got a question? Submit these to Anne via email microconsulting@johner-institute.nz