ISO 13485 is the medical-device sector QMS. Unlike AS9100 or IATF, ISO 13485 deliberately departs from ISO 9001’s 2015 revision, retaining the older Annex L structure to stay aligned with regulatory expectations (FDA, MDR, MDSAP).
Any organisation seeking a baseline QMS.
Medical device manufacturers, contract manufacturers, sterilisation services, software-as-medical-device (SaMD) developers, and component suppliers in the medical supply chain.
All ten dimensions head-to-head:
| Aspect | ISO 9001 | ISO 13485 |
|---|---|---|
| Industry scope | Universal | Medical devices only |
| Structure | Annex SL 10 clauses (2015 revision) | Older 8-clause structure (intentionally) |
| Risk management | Risk-based thinking | ISO 14971 device risk management mandatory |
| Process validation | Where output cannot be verified | Mandatory for any process affecting product |
| Document control | Lighter (any controlled documents) | Heavy — Device Master Record, DHR, design history file |
| Regulatory link | No explicit regulatory link | Aligned with FDA QSR, EU MDR, MDSAP |
| Post-market surveillance | Not required | Mandatory — vigilance, complaints, recalls |
| Sterile/implant | Not addressed | Dedicated clauses for sterile and implantable devices |
| Software in devices | Not addressed | Aligned with IEC 62304 software lifecycle |
| Cost (cert) | £3k–£15k SME | £8k–£20k SME |
Choose ISO 9001 if you have no plans to manufacture, design, distribute or service medical devices.
Choose ISO 13485 if you are anywhere in the medical-device value chain — it is required by virtually every regulator (UK MHRA, EU notified bodies, FDA via MDSAP, Health Canada).
You can hold both, but unlike IATF/AS9100 the structures differ — 13485 is NOT a superset of ISO 9001:2015. Many organisations hold both for the corporate (ISO 9001) and product (13485) sides.
Regulators (notably FDA) requested ISO retain the older structure to keep alignment with existing regulatory frameworks (21 CFR 820, EU MDR). ISO 13485:2016 deliberately did not adopt the Annex SL 10-clause format.
Not directly — it’s voluntary — but it satisfies the QMS requirements of most medical-device regulators worldwide. MDSAP audits cover 13485 plus FDA, Health Canada, TGA, ANVISA, MHLW.
Yes — SaMD (Software as a Medical Device) products fall under 13485 and are also commonly aligned with IEC 62304.
ISO 14971 is the device risk-management standard explicitly referenced by 13485. You cannot pass 13485 without an ISO 14971-compliant risk file per product.
Both standards have free interactive gap-analysis tools — no sign-up, no install.