Quality Management System & ISO 13485

ISO 13485 is a harmonized standard that lays down the requirements for quality management systems (QMS) for medical devices.

Medical device manufacturers therefore need, above all, to be certified according to ISO 13485, because according to Appendix II of the Medical Device Directive (MDD) they can then declare the compliance of their products themselves. For medical devices that incorporate software, or for standalone software, IEC 62304 also demands a QMS and recommends ISO 13485.

The validity of the quality management system is examined by external auditors (usually notified bodies) and through internal audits.

Additional Information

Read more about the changes introduced by the latest version of ISO 13485 (ISO 13485:2016).

FAQ "ISO 13485 and QM-System"

Question 1: Do I need a (certified) quality management system?

If your product is NOT in class I, you most probably need a certified QM-system. Only conformity assessment procedures based on MDR Annex IV (EC verification) or MDR Annex XI part B do not require a certified QM-system. However, this approach is rather the exception.

If your product is in class I, a QM-system is demanded by MDR and by IEC 62304. But this QM-system does not have to be certified.

Question 2: I already have an ISO 9001 certificate. Is this sufficient?

No. If you need a certified QM-system (see question 1), only an ISO 13485 certification is sufficient to prove compliance with regulatory requirements.

Question 3: Who may certify my QM-system?

Only notified bodies may certify your QM-system. They have to have the accreditation for "Annex Certificates".

Take care not to pick a certification body that may "only" certify ISO 13485 compliance.

Both the EU and national authorities, for example the German ZLG, publish lists of "accredited" notified bodies.

Question 4: How long does it take to establish and certify a QM-System?

Typically it takes six to nine months from project start to the audit or certification. Currently the availability of notified bodies is an issue.

Small and medium-sized companies have to invest 30 to 50 person-days. However, operating a quality management system requires continuous effort to audit, improve and re-certify the processes and the system.

Question 5: How does the Johner Institute support the certification process?

The Johner Institut specializes in establishing and improving QM-systems and in preparing them for audits. All of our customers, and we are talking about hundreds, have successfully passed their audits. With no exception!

Requirements by ISO 13485:2016

ISO 13485:2016 is the (only) standard to prove compliance with regulatory requirements related to quality management systems.

In order to establish such a quality management system you must:

  1. Describe your organization including quality policy, goals, and hierarchy
  2. Describe the processes of your organization. Among others these processes have to cover
    1. Development
    2. Production
    3. Service delivery
    4. Risk management
    5. Document control
    6. Internal audits
    7. Management reviews
    8. Corrective and preventive actions
    9. Handling of resources (human resources, infrastructure, equipment, locations)
    10. Communication with customers
  3. Allocate financial and human resources, including a quality management deputy
  4. Live these processes accordingly and prove this by documenting what you did

Additional information

Download our Starter-Kit, which contains high-resolution mind maps of ISO 13485 and other standards (all hierarchical levels).

Establish an ISO 13485 compliant quality management system

The Johner Institut recommends the following steps to quickly and systematically establish a quality management system that complies with regulatory requirements such as MDD, MDR, ISO 13485 and 21 CFR part 820.

1. Step: Define scope

Depending on your activities, you define the scope of your quality management system:

  • Development: y/n, type of products
  • Production: y/n, type of production e.g. including sterilization, circuit board production
  • Service: y/n, type of service e.g. installation, maintenance, hotline, training
  • Legal manufacturer versus service provider
  • Interfaces to customers (end user, other company) and to suppliers

2. Step: Select notified body

Currently there is a high demand for notified bodies, as many notified bodies have lost their accreditation. It is therefore important to pick your notified body early in the process.

Additional information

Read more about notified bodies here.

3. Step: Establish quality management system

Now you start defining your "rules" in terms of standard operating procedures, work instructions, templates, forms, checklists etc.:

  • Identify all processes (derived from 1. step)
  • Identify inputs and outputs for all processes
  • Describe interdependencies between processes
  • Describe / model processes (process steps, inputs and outputs for each process step, roles and responsibilities)
  • Define methods and instructions for performing each process step. Optionally extract these requirements into a work instruction. Define how these process steps have to be documented, e.g. using templates, checklists or computer systems.

Make sure that you cover all processes demanded by regulatory requirements, in particular by ISO 13485:2016 or 21 CFR part 820.

4. Step: Work according to your quality management system

Your company now starts working according to these process descriptions (SOP) and work instructions (WI). It generates "records" proving compliance. For example, your team fills out forms, templates and checklists or works with computer systems as instructed.

5. Step: Prepare audit

Before the final audit, verify that everything is prepared:

  • Internal audit took place
  • Management performed a review of the quality management system
  • Team worked according to SOPs and WIs
  • External suppliers have been audited
  • Computerized systems have been validated

6. Step: Get audited and celebrate

Your notified body will audit your company for two to ten (or even more) days, depending on the size of your organization.

If you pass the audit successfully, you will obtain the certificate(s). Don't forget to celebrate your success.

If you need any help along the way, just contact us. We specialize in helping companies pass audits quickly and efficiently. We have never had a customer (we are talking about hundreds) that did not pass the audit!

Contact the Johner Institute now!

Dos and Don'ts of Quality Management

The most relevant success factors are

  • Management commitment
  • Aspiration to improve the organization and not just to pass an audit
  • Common approach: Every process owner describes the processes herself
  • Intelligent people with common sense
  • Understanding of risk management
  • Awareness that a quality management system lives (forever)

We discourage:

  • Documenting retrospectively
  • "Re-use" of templates that do not exactly fit your (desired) way of acting
  • Assigning responsibility for the QM system (exclusively) to the quality management deputy
  • Top-down order e.g. dictating SOPs
