ISO 13485:2016 — Thirteen Boxes to Tick on the Path to Certification
A practical checklist-driven guide to achieving ISO 13485 certification for your Quality Management System.
ISO 13485 is the international standard for Quality Management Systems (QMS) in the medical device industry. Achieving certification demonstrates that your organisation consistently designs, develops, and maintains medical devices that meet regulatory and customer requirements.
In this ebook, we dive into the ISO 13485:2016 standard through a series of key checkboxes you can tick on your path to certification. The goal is to help you understand what ISO 13485:2016 is all about, why it matters, and how to take the practical steps needed to achieve certification for your digital health solution.
The thirteen boxes
1. Quality Management System scope
Define and document the boundaries of your QMS — which products, processes, and organisational units it covers, and any exclusions with justification.
2. Quality policy and objectives
Establish a documented quality policy appropriate to your organisation’s purpose, with measurable quality objectives at relevant functions and levels.
3. Management responsibility
Demonstrate top management commitment through defined roles, responsibilities, and communication. Management review must be conducted at planned intervals.
4. Resource management
Ensure you have — and can demonstrate — the human resources, infrastructure, and work environment necessary to achieve product conformity.
5. Competence, training, and awareness
Define required competencies for staff affecting product quality, maintain training records, and evaluate the effectiveness of training provided.
6. Document and record control
Implement controlled procedures for creating, reviewing, approving, distributing, and retiring documents. Records must be legible, retrievable, and retained for defined periods.
7. Risk management
Per ISO 14971, establish a documented process for identifying hazards, estimating and evaluating risks, controlling risks, and monitoring risk control effectiveness throughout the product lifecycle.
8. Product realisation planning
Define the processes, resources, verification activities, and acceptance criteria needed to realise each product — captured in a Quality Plan or equivalent.
9. Customer-related processes
Determine and review product requirements (including regulatory), establish processes for customer communication, and handle customer feedback including complaints.
10. Design and development controls
Plan and control the design process: inputs, outputs, reviews, verification, validation, and change management. Design history files (DHF) must be maintained.
11. Purchasing and supplier controls
Evaluate and select suppliers based on their ability to meet requirements. Define purchasing information clearly, and verify incoming product where required.
12. Production and service provision
Control production and service delivery processes — including validation of processes where output cannot be verified by monitoring alone (sterile barrier, software validation, etc.).
13. Monitoring, measurement, and improvement
Collect and analyse data on QMS performance (including customer feedback, audits, process monitoring), implement corrective and preventive actions (CAPA), and drive continual improvement.
Why this matters for digital health
For software-first medtech companies, ISO 13485 can feel like a standard built for hardware manufacturers. This ebook specifically addresses the digital health context — explaining how each requirement translates when your “device” is a cloud-connected app or SaMD platform.