Ten Easy-to-Miss ISO 13485:2016 Requirements, and How to Avoid Them
- Joel Pecoraro
- Jul 31

The accreditation auditor asks Joel a question regarding the initial competence review for a new medical device auditor. Joel responds with confidence, showing a training record signed off by a competent auditor verifying completion. "That is not what I asked," responds the accreditation auditor. "Where is the documented evidence that a competent evaluator observed the auditor conducting the initial audit?" Suddenly Joel realizes he misinterpreted a requirement, and panic sets in: will this be a minor issue or a significant finding?
In the world of medical device quality management, this moment can carry weight. ISO 13485:2016 places a strong emphasis on regulatory compliance, risk management, and ensuring the effectiveness of the Quality Management System (QMS) throughout the product lifecycle. Unlike ISO 9001, ISO 13485 requires more extensive documentation and clearly defined processes. Certain requirements are frequently misunderstood or overlooked, which can lead to audit findings, nonconformities, or even regulatory penalties.
Easy to miss tip #1. Feedback Beyond the Customer (Clause 8.2.1)
When thinking of feedback, many organizations focus only on customer complaints or positive affirmations. ISO 13485 requires a feedback system that gathers both external and internal feedback, which can include information derived from production and post-production activities such as rework records, service reports, or returned products. This broader scope of feedback must feed into your risk management and improvement processes.
Easy to miss tip #2. Documented Software Validation for QMS Applications (Clauses 4.1.6 & 7.5.6)
When people hear "software validation," they often think only of software used directly in production or testing. ISO 13485 goes further: it requires validation of the application of any software that affects your quality management system. That includes QMS software such as your ERP, training platforms, document control systems, and CAPA tools. Validation records are required for both types of software. Be cautious of automatic updates; vendors can push changes without notifying you, and the documentation of re-validation after such an update is often not maintained.
Easy to miss tip #3. Risk-Based Supplier Evaluation (Clause 7.4.1)
Not all suppliers carry the same risk. ISO 13485 requires that your supplier evaluation criteria be proportionate to the supplier's potential impact on the safety and performance of the medical device. A generic, blanket approach won't cut it. Your documented process must clearly define risk categories and tailor the evaluation methods accordingly, for both initial and ongoing evaluation. High-risk suppliers demand closer scrutiny.
Easy to miss tip #4. Risk-Based Control of Processes (Clause 4.1.2)
ISO 13485 requires organizations to apply a risk-based approach to controlling quality management system processes. This means evaluating each process's impact on product safety and performance and scaling controls accordingly, for example by adding traceability, monitoring, or containment. Tools like FMEA (Failure Modes and Effects Analysis) can help formalize this evaluation.
Easy to miss tip #5. Notification of Changes by External Providers (Clause 7.4.2)
Process changes can have a significant impact on the quality of the product if they are not properly validated. The standard requires strict controls over process changes, not just within your own operations but across your supply chain. That means your purchasing agreements must clearly state that suppliers and subcontractors are required to notify you before implementing any change that could affect the conformity of the purchased product.
Easy to miss tip #6. Clarifying Roles vs. Responsibilities (Clause 4.1.2)
While roles describe functions, responsibilities are the specific tasks assigned to those roles. ISO 13485 demands clear accountability by specifying which function is responsible for which action. It's not enough to imply involvement. Clarity helps prevent confusion and ensures compliance.
Easy to miss tip #7. Maintaining a Medical Device File (Clause 4.2.3)
It's easy to confuse device records with the requirement for a Medical Device File. You're required to maintain a dedicated file for each device or device family, and it must include critical documentation such as product specifications, manufacturing procedures, labeling, instructions for use, and packaging and storage requirements. Think of it as your device's technical blueprint: a living file that demonstrates safety, performance, and compliance from development through end of life.
Easy to miss tip #8. Quality Manual Requirements (Clause 4.2.2)
Too many quality manuals are just copy-paste versions of the ISO 13485 standard: vague, generic, and rarely used. Your manual should be a functional tool, not a formality. ISO 13485 requires it to either contain or clearly reference all applicable documented procedures. If procedures aren't included directly, the manual must link to them through cross-references, an index, or a matrix. The goal is a manual that serves as a road map for the quality management system.
Easy to miss tip #9. Removal of Process Agents During Manufacture (Clause 7.5.2)
Clause 7.5.2 goes beyond product sterilization; it covers any process in which agents are applied to the product and then removed. If process agents such as coolants, lubricants, or solvents are used and removed during manufacturing, your process must define and control the associated cleanliness requirements.
Easy to miss tip #10. Proper Control of Document Changes (Clause 4.2.4)
ISO 13485 requires that document changes be reviewed and approved either by the original approving function or by another designated function that has access to the pertinent background information on which to base its decisions. Changes involve risk, so the personnel approving them must have sufficient background knowledge to make an informed decision. If the original approvers are no longer available, their replacements must have the background to make those informed decisions.
Final Thoughts
ISO 13485:2016 isn't difficult in principle, but its rigor lies in the level of precision and documentation it demands, especially concerning safety, performance, and regulatory obligations. It extends far beyond general quality assurance by requiring a proactive, risk-based approach. Staying compliant means addressing not only the obvious requirements but also recognizing and preparing for the subtle ones that often fly under the radar. By shining a light on these overlooked areas, organizations can avoid unnecessary audit findings.
By Joel Pecoraro. Joel is the Director of Operations at the American Certification Group. He has been an auditor and trainer in quality management system development for over thirty years.