CA-14 · ISO sectorial · sanitario

ISO 13485

The benchmark standard for medical device manufacturers and distributors in the EU. Without it, CE marking under the MDR Regulation (EU 2017/745) is not possible.

StandardISO 13485:2016
RegulationMDR · EU 2017/745
Competent authorityAEMPS

ISO 13485:2016 is the quality management system designed specifically for the medical device sector. Unlike ISO 9001, it does not focus on generic continuous improvement but on rigorous compliance with regulatory requirements: full lifecycle traceability, technical documentation, risk management in accordance with ISO 14971, and post-market surveillance. If your company manufactures, distributes, imports or installs medical devices in Europe, this system is not optional: Regulation EU 2017/745 (MDR) and Regulation EU 2017/746 (IVDR for in-vitro diagnostics) require an equivalent quality management system as a precondition for CE marking.

Implementation goes far beyond drafting procedures. It requires mapping the design and development process, defining validation and verification plans, establishing controls for critical suppliers, and building the technical file that the Notified Body will audit. From gap analysis through to certification audit, Summum Calidad accompanies every stage: we design the system, train the responsible team, coordinate the Stage 1 and Stage 2 audits with the chosen Notified Body, and keep the system active after certification through periodic internal audits. The certificate is issued by an accredited third party (AENOR, Bureau Veritas, SGS, TÜV, BSI…); Summum is the consultancy that takes you there.

The medical device sector in Spain operates under the supervision of AEMPS (Spanish Agency for Medicines and Medical Devices), the competent authority for post-market surveillance and for managing the Alert and Information System (SARPES). ISO 13485 is also required or valued in markets outside the EU: Canada (Health Canada, ISO 13485:2016 since 2019), Australia (TGA), Japan (MHLW JISQ 13485) and several Latin American countries adopt it directly or as the basis for their national regulation. Holding the certificate opens doors to exporting beyond the EU without having to start from scratch for each market.

The ISO 13485 process.

The process · four stages
01

Gap analysis

We audit the current situation against the requirements of ISO 13485:2016 and the MDR. We identify documentation gaps, uncontrolled processes and unmanaged risks. The outcome is an implementation plan with milestones, owners and a realistic effort estimate.

02

System design and technical documentation

We build the quality manual, standard operating procedures (SOPs), traceability records, the risk management plan (ISO 14971), the MDR technical file and post-market surveillance plans (PMS plan, PSUR). Each document is tailored to the actual size and activity of the company, without over-documentation.

03

Training and operational implementation

We train the quality manager and the technical team on the standard's requirements, on the use of records, and on the management of non-conformities, corrective actions (CAPA) and customer complaints. We support the operational roll-out until the system runs autonomously.

04

Internal audit and coordination with the Notified Body

We carry out the closing internal audit to verify that the system is mature. We coordinate the selection of the accredited Notified Body (AENOR, Bureau Veritas, SGS, TÜV, BSI…), prepare the organisation for the Stage 1 audit (document review) and Stage 2 audit (implementation audit), and manage the resolution of any non-conformity raised by the external auditor.

What is included

What ISO 13485 includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Documented gap analysis

    Gaps report against ISO 13485:2016 and the MDR with an action plan prioritised by regulatory risk.

  • Quality management system (QMS)

    Quality manual, SOP procedures, work instructions and record formats tailored to the medical device sector.

  • Risk management ISO 14971

    Risk management plan, FMEA analysis, residual risk register and documented acceptability criteria.

  • MDR technical file

    Full Technical File / Design Dossier structure in accordance with Annexes II and III of Regulation EU 2017/745, including the clinical evaluation plan.

  • UDI traceability and post-market surveillance

    Implementation of the unique device identification (UDI) system, PMS plan, incident register and communication with AEMPS.

  • Periodic internal audits

    Annual internal audit programme to keep the certificate current, manage CAPA and prepare triennial renewals with the Notified Body.

Frequently asked questions about ISO 13485.

Is ISO 13485 mandatory to market a medical device in Spain?

It is not the standard itself that creates the legal obligation, but Regulation MDR (EU 2017/745), which requires an equivalent quality management system as a precondition for CE marking. ISO 13485:2016 is the de facto standard recognised by Notified Bodies to demonstrate that compliance. Without the system implemented and audited, the Notified Body will not issue the MDR certificate and AEMPS will not authorise the commercialisation of class IIa, IIb or III devices.

How long does it take to implement ISO 13485 from scratch?

The typical timeline ranges from 8 to 18 months, depending on the device class, the level of prior documentation maturity and the complexity of the design process. A company that already has ISO 9001 in place can shorten the timeline because part of the documentary framework is already built, although ISO 13485 adds specific requirements that ISO 9001 does not: ISO 14971 risk management, stricter design and development requirements, and post-market surveillance.

Does Summum certify our company in ISO 13485?

No. Summum Calidad is a consultancy, not a Notified Body or certification entity. Our work is to implement the system, prepare the technical documentation and accompany you through to the certification audit. The certificate is issued by a third party accredited by ENAC or recognised by the European Commission (AENOR, Bureau Veritas, SGS, TÜV Rheinland, BSI, among others). We help you select the most suitable one based on your sector, target market and timelines.

What is the difference between ISO 13485 and the MDR Regulation?

ISO 13485 is a management standard: it defines how to organise processes, documentation and product lifecycle control. The MDR (Regulation EU 2017/745) is binding European legislation: it defines the essential safety and performance requirements for the device, the risk classification, the conformity assessment procedures and the post-market surveillance obligations. Both are complementary: ISO 13485 is the management framework that demonstrates your company can meet the MDR systematically.

Does ISO 13485 apply to distributors or only to manufacturers?

The MDR extends obligations to importers and distributors as well, although with a different scope than for manufacturers. A distributor who repackages, relabels or adapts the product takes on manufacturer responsibilities. For others, ISO 13485 is equally advisable because it covers supplier control, lot traceability and complaint management: processes that the Notified Body audits in the manufacturer's supply chain.