Understanding ISO 13485: A Practical Guide for Small Medical Device Companies
July 22, 2025

ISO 13485:2016 is the central global standard for quality management systems (QMS) in the medical device industry. The standard clearly sets out how a good QMS must look and function. It thus belongs to the essential body of knowledge for companies of absolutely all sizes, including startups and smaller businesses.

This article explains how to think about ISO 13485 practically, particularly from the perspective of smaller companies and startups with limited resources. The focus is on developing a practical and pragmatic approach to quality that aligns with business realities.

For further background on ISO 13485 basics, please see our article: ISO 13485 – Introduction, General Understanding and the Role of Training in the Medical Technology Sector.

What exactly is ISO 13485 and what does it require?

ISO 13485, titled Medical Devices – Quality Management Systems – Requirements for Regulatory Purposes, outlines specific requirements for a quality management system through which organisations must consistently demonstrate their capability to manufacture safe, effective, and compliant medical devices.

A Quality Management System (QMS) in this context means structured processes that manage product quality and regulatory compliance systematically. The QMS encompasses how organisations plan, document, control and continually improve their activities, from product development to complaint handling and risk mitigation.

Why ISO 13485 is important for all companies including startups

While ISO 13485 certification is generally not mandatory in many jurisdictions, most regulatory systems require compliance. Countries such as Australia, Japan, and Brazil have long accepted audits under the Medical Device Single Audit Program (MDSAP), and regulators such as the US FDA and the European Union have aligned their regulations with the standard.

ISO 13485 is therefore relevant for organisations of every size, including startups and small enterprises. Without adherence to the standard, access to regulated markets is virtually impossible, particularly for medium to high risk products. For startups, however, ISO 13485 is especially about building trust with regulators, users, patients, and business partners. Certification serves as proof of control, responsibility, and accountability, essential for establishing credibility.

While larger companies might have extensive resources dedicated solely to quality management, startups typically work with fewer resources and fewer staff. The key difference lies in the practical application of ISO 13485 by smaller companies, who use leaner systems and simpler structures while maintaining the same level of transparency and accountability.

How smaller companies should approach ISO 13485: Six essential questions

For smaller companies, having the right approach to implementing ISO 13485 is crucial for the optimal allocation of resources. Rather than memorising detailed clauses, you should approach ISO 13485 by answering six essential questions:

Figure: The six core questions that help small medtech companies align with ISO 13485.

  1. Do you know what your product must do and who it is for?
    Clearly define user needs, intended use, and requirements early.
  2. Can you demonstrate how your product was designed, tested, and validated?
    Keep clear documentation of your design decisions, testing processes, and validation results to demonstrate product reliability.
  3. Do you control how your product is made and who you work with?
    Ensure consistent production methods, clearly document manufacturing steps, and maintain oversight over all suppliers and external partners.
  4. Can you prove your product performs consistently and safely?
    Establish clear, repeatable testing procedures and documented evidence of consistent product quality and performance.
  5. Do you have a clear plan for what happens if something goes wrong?
    Have robust complaint handling processes and corrective action procedures to respond swiftly and effectively when issues arise.
  6. Are you consistently learning from problems and improving?
    Continuous improvement is essential. Regularly review and refine your processes to reduce risks and prevent recurring issues.

Answering these questions helps translate the ISO 13485 standard into practical system elements such as clearly documented procedures, integrated risk management, defined design control, structured training and competence development, effective supplier management, and systematic complaint handling.

For detailed requirements, see our article: ISO 13485 – Introduction, General Understanding and the Role of Training in the Medical Technology Sector.

Practical implementation steps for smaller companies

What does practical implementation look like for smaller companies? ISO 13485 concerns management, teams, documentation, risk and traceability.

  • Leadership’s role under ISO 13485
    Management has a central role in ISO 13485, which goes far beyond merely signing policies. Leaders must actively define quality policies and objectives, allocate sufficient resources, and conduct regular reviews of the system. In startups, founders or executives typically fulfil this function directly, setting the tone for organisational culture around quality.
  • Team requirements and responsibilities
    You do not necessarily require a large quality assurance department. However, defined responsibilities are crucial. Even when one person handles multiple roles (for example, the CEO might also lead regulatory and quality assurance efforts), the organisation must still clearly document each person's responsibilities, ensure their competence (through training, education, or experience), and keep clear records of key decisions and quality-related actions.
  • Required documentation under ISO 13485
    ISO 13485 requires companies to clearly document processes, decisions, and activities. Essentially, you must "document what you do and do what you document". This does not mean lengthy manuals, but clear, concise documentation is necessary. Key documents include a quality manual, straightforward procedures for quality processes, records of design and decision making, training logs, internal audits, and corrective actions (CAPAs). Anyone reviewing your documentation should be able to quickly understand your decisions and verify product safety.
  • Risk management and product traceability
    Risk management is integral to ISO 13485, and it covers not just product risks but also process and decision risks. The standard requires systematic identification, evaluation, and control of these risks across the entire lifecycle. Traceability, the ability to follow product requirements through design, testing, implementation, and approvals, is equally essential. Even for software-only products (SaMD), detailed traceability remains a central regulatory requirement.

Key points for smaller medtech companies

ISO 13485 is fundamentally scalable. Smaller companies can meet all its requirements effectively through smart, lean, and practical systems. Importantly, ISO 13485 makes quality everyone's responsibility, even in very small teams. It is about creating a sustainable, repeatable, and accountable approach to delivering safe and effective medical products.

Ultimately, ISO 13485 promotes continuous improvement, encouraging companies not just to correct mistakes but to learn and grow from them, embedding quality deeply into everyday operations. And that is important, because a functioning quality management system is essential for patient safety, no matter how big or small the company producing the product may be.

Got a question? Get in touch with Anne via email microconsulting@johner-institute.nz

“This article is part of the QMS Series from the HealthTech Activator, in partnership with the Johner Institute New Zealand.

Over 12 months, this practical and flexible program builds your understanding of ISO 13485 quality management requirements. The series features blog articles, webinars, white papers, and optional assessments. Each quarter focuses on a key area—starting with general awareness and implementation of strategies, then progressing through risk management and ending with audit preparation.”
