Understanding QMS Requirements Under ISO 13485:2016
August 12, 2025


ISO 13485 is the internationally recognised standard for quality management systems (QMS) in the medical device sector. It sets out what manufacturers must do to ensure their devices consistently meet regulatory requirements and customer expectations. The standard provides the structure for building a system that fosters control, traceability, and ongoing improvement across all levels of a business.

This article explains the core requirements of ISO 13485, including documentation, responsibilities, procedural controls, and how the standard connects to wider regulatory obligations.

Core Requirements of ISO 13485

The core requirements of ISO 13485 include:

  • Quality Manual
  • Standard Operating Procedures (SOPs)
  • Risk Management
  • Internal Audits
  • Feedback, Complaints, and Post-Market Surveillance
  • Quality Management Representative (QMR)

Some requirements of ISO 13485, such as those relating to SOPs, are only briefly outlined in this article, in the interest of focus and clarity.

The Core Document: The Quality Manual

Every certified QMS begins with a quality manual. It defines how the company approaches quality, describes the scope of the QMS, and sets out quality policy and objectives.

The manual should include:

  • The scope of the QMS and any justified exclusions
  • References to key documents, such as standard operating procedures (SOPs)
  • A clear outline of the process structure and their interactions
  • An overview of the organisational structure and roles

Although it’s possible to embed SOPs directly into the quality manual, most companies opt to keep these documents separate for ease of maintenance and clarity during audits.

Process Control Through Standard Operating Procedures (SOPs)

SOPs form the procedural core of ISO 13485. These documents define how key activities must be performed to ensure consistency and compliance. They are required for areas such as:

  • Document control (Clause 4.2.4–4.2.5): Covers document creation, approval, distribution, revision, withdrawal, and retention timelines.
  • Management review (Clause 5.6): Requires top management to regularly review the effectiveness and alignment of the QMS with regulatory and business objectives.
  • Validation of software used in the QMS and measurement activities (Clauses 4.1.6 and 7.6): Software tools critical to quality must be validated before use.
  • Supplier management (Clause 7.4): Involves qualifying, monitoring, and controlling suppliers through agreements, audits, and ongoing evaluations.
  • Control of monitoring and measuring equipment (Clause 7.6): Instruments must be suitable for use, regularly calibrated, and traceable to standards.
  • Validation of special processes (Clause 7.5.6): Any process where the output cannot be verified post-production, such as sterilisation, must be validated beforehand.
  • Internal audits (Clause 8.2.4): Must follow a planned programme, covering all QMS areas over time with documented outcomes and corrective actions.
  • Corrective and preventive actions (Clauses 8.5.2–8.5.3): Focus on identifying root causes and eliminating them, as well as taking proactive steps to prevent potential issues.

Figure: Key SOP areas required for ISO 13485 compliance.

Staff must be trained on SOPs, and the SOPs themselves must be followed and periodically reviewed for effectiveness. Employees should be able to demonstrate knowledge of the procedures relevant to their roles.

Risk Management

One of the defining features of ISO 13485 is the integration of risk management into all QMS processes, not just product development. This is not optional. Risk-based thinking must underpin decisions around:

  • Process design and validation
  • Handling of complaints and nonconformities
  • Supplier qualification
  • Post-market surveillance

Clause 4.1.2 requires manufacturers to apply a risk-based approach to control the appropriate processes needed for the QMS. This expectation ties directly into ISO 14971 for product risk, but also applies to quality and organisational risks.

Internal Audits

Regular internal audits (Clause 8.2.4) are an essential part of ISO 13485 and a basic requirement for QMS certification. These audits are structured reviews, conducted by trained auditors, to assess whether processes are being implemented as intended. As the name suggests, internal audits are conducted within the organisation, in contrast to external audits, which are carried out to demonstrate formal compliance. Internal audits help prepare for those external assessments, but they also play a critical role in identifying weaknesses early, preventing errors, and improving processes in a focused and systematic way.

Audits are conducted according to a defined audit programme that ensures all relevant areas of the QMS are reviewed within a given timeframe. The frequency depends on both risk and significance: processes that have a greater impact on safety or regulatory compliance require more frequent review. Each audit must be thoroughly planned and documented, including the audit method, evaluation criteria, individuals involved, and outcomes. Any nonconformities identified feed directly into the CAPA process and serve as a key input for management review.

To ensure meaningful results, audits must be carried out by qualified and independent personnel who do not evaluate their own work and who avoid a purely procedural approach. Where necessary, internal audits may also be conducted by external professionals, provided they understand the organisation’s context and operate without conflict of interest.

Feedback, Complaints, and Post-Market Surveillance

The QMS must include formalised processes for gathering and analysing feedback and complaints (Clauses 8.2.1–8.2.3). This is essential for identifying both actual and potential nonconformities.

Post-market surveillance data, such as clinical feedback or adverse event reports, must feed into:

  • Corrective and preventive action processes
  • Risk management updates
  • Design changes and labelling updates

Under the MDR, the QMS must also support Post-Market Clinical Follow-Up (PMCF) and Periodic Safety Update Reports (PSURs), activities that go beyond ISO 13485 alone but rely on its structure.

Quality Management Representative (QMR)

According to ISO 13485, every organisation must appoint a quality management representative (QMR) (Clause 5.5.2). This person, positioned at management level, is responsible for ensuring that the quality management system (QMS) is properly implemented. Their responsibilities include meeting regulatory requirements and making sure that employees understand quality management and their specific roles within it.

The QMR must be part of the management team, but does not need to belong to top management. However, they must have sufficient authority to act independently and without any conflicts of interest. Quality management need not be their sole area of responsibility; they may hold additional roles within the organisation. While day-to-day tasks can be delegated, the QMR remains ultimately accountable for the integrity and performance of the QMS. They must have excellent knowledge of the QMS and a deep understanding of the company’s products. Strong communication and leadership abilities are also essential for the role.

Exclusions and "Not Applicable": Know the Difference

ISO 13485 allows certain clauses to be excluded, but only if they clearly do not apply to the company’s activities. For example:

  • A contract manufacturer with no design responsibility may exclude Clause 7.3 (Design and Development).
  • A company producing non-sterile products may declare sterilisation validation as "not applicable".

In both cases, these decisions must be documented with a clear justification in the quality manual. Auditors will expect to see this reasoning during reviews.

Aligning with Global Regulations and Standards

ISO 13485 is designed to be compatible with other regulatory systems. It requires companies to identify and integrate relevant legal and technical standards into their QMS. Examples include:

  • EU MDR/IVDR: Manufacturers must ensure their QMS supports clinical evaluation, post-market surveillance, and vigilance reporting, especially under Annex IX of the MDR.
  • FDA 21 CFR Part 820: In the US, ISO 13485 is being adopted as the basis for the revised Quality Management System Regulation (QMSR).
  • IEC 62304: For software-based medical devices, development and maintenance processes must follow this software lifecycle standard.

These external requirements must be actively integrated into the QMS. Simply complying with ISO 13485 is not enough if additional obligations from the device’s target market are not addressed.

Building Quality Is Just the Beginning

Figure: Quality Management Series (QMS) 12-month roadmap.

Meeting the requirements of ISO 13485 is one thing; putting them into practice is another. That’s why this article is part of a broader series developed for New Zealand’s HealthTech sector, aimed at helping teams turn regulatory expectations into working systems.

The QMS Series is brought to you by the HealthTech Activator, in partnership with the Johner Institute New Zealand.

Over 12 months, this series explores ISO 13485 in four parts: from first steps and system setup to risk management and audit readiness. Each quarter combines practical content with interactive workshops to support implementation in real-world settings. Next in the series: ISO 13485 Compliance – What You Need to Know Before Your Next Audit.

Got a question? Get in touch with Anne via email microconsulting@johner-institute.nz
