ISO 13485 and MDR: What a Compliant QMS Actually Looks Like

A practical introduction to ISO 13485 as the quality management backbone under EU MDR — what it requires, where it differs from ISO 9001, and what auditors focus on.

Why ISO 13485 is the starting point

Almost every MDR compliance obligation feeds back into the quality management system. Your technical documentation, risk management file, clinical evaluation, post-market surveillance — none of these live in isolation. They are outputs of processes, and those processes need to be controlled, documented, and demonstrably working. ISO 13485 is the framework that holds all of that together.

The standard is not a checklist you complete once. It describes a system — a set of interrelated processes that a manufacturer maintains continuously. If your QMS exists only on paper, a Notified Body auditor will find it quickly. The tell is usually that procedures don't match what people actually do, or that records can't be produced for activities the procedures describe.

Where ISO 13485 and ISO 9001 diverge

Many teams come to ISO 13485 from an ISO 9001 background and assume the transition is mostly administrative. It isn't. The medical device standard is more prescriptive in several areas that matter under MDR.

The biggest differences in practice: ISO 13485 requires documented procedures for processes that ISO 9001 leaves to the manufacturer's judgment. Sterile device manufacturers face additional requirements. Risk management must be integrated into product realisation — not treated as a separate file created at the end. Design controls are mandatory and must be demonstrably applied throughout development. And the concept of "customer satisfaction" in ISO 9001 is replaced by a much more specific framework around complaint handling, vigilance, and post-market data.

One thing that catches a lot of teams off guard: ISO 13485:2016 already incorporated many MDR-era expectations around risk-based thinking and post-market feedback. If your QMS genuinely meets the standard, a significant portion of your MDR obligations is already addressed at the process level.

What MDR adds on top

MDR does not require ISO 13485 certification by name — but Article 10 sets out quality system requirements that closely mirror the standard, and Annex IX (the most common conformity route) requires a full QMS audit by a Notified Body. In practice, ISO 13485 certification from a recognised certification body is the normal way to demonstrate Article 10 compliance.

What MDR adds beyond the standard: a stronger emphasis on post-market surveillance integration, specific obligations around the Person Responsible for Regulatory Compliance (PRRC), and explicit requirements to maintain the QMS as a living system — not just to have it certified. Notified Bodies conducting Annex IX audits will look for evidence that the QMS is actually driving decisions, not just documenting them after the fact.

What auditors focus on

Notified Body QMS audits under Annex IX are not a document review. Auditors interview staff, walk through actual processes, and look for evidence of real implementation. Common findings cluster around a few areas: management review that is too thin to demonstrate strategic QMS oversight; CAPA processes that close corrective actions without verified effectiveness; design history files that don't trace requirements through to verification; and post-market data that isn't feeding back into risk management updates.

Getting your QMS ready for a Notified Body audit means being able to walk an auditor through your processes end-to-end, producing records on request, and demonstrating that the system responds to what it finds — that nonconformities drive real changes, and that management is engaged with QMS performance as a business matter, not just a compliance exercise.

Where to go from here

The other resources in this category cover the specific processes that sit inside the QMS: risk management under ISO 14971, CAPA and design controls, conformity assessment route selection, and post-market integration. Start here for orientation; go deeper in those resources for the process detail.
