ISO 13485:2016 specifies quality management system requirements for organizations involved in one or more stages of the medical-device lifecycle. ISO IRAQ supports scope definition, risk-based process controls, documentation, training, internal audits, and certification readiness in Iraq.
Who ISO 13485 applies to
The standard can be relevant to medical-device manufacturers and organizations involved in design, development, production, storage, distribution, installation, servicing, technical support, or related outsourced activities. Critical component and service suppliers may also use ISO 13485 when customer or regulatory requirements make it appropriate.
The certification scope should reflect the organization’s real activities and responsibilities. A distributor, contract manufacturer, software provider, sterile packaging supplier, and device designer will not need identical processes or evidence.
Risk management throughout the lifecycle
ISO 13485 expects risk-based controls across quality processes. Product risk management is commonly aligned with ISO 14971 where applicable, while the QMS should also apply proportionate controls to suppliers, complaints, changes, validation, corrective action, and outsourced processes. Risk files should connect to design inputs, production controls, post-market information, and changes.
Design and development controls
Organizations responsible for design need a controlled process covering planning, inputs, outputs, review, verification, validation, transfer, and changes. Records should show that requirements were defined, reviews involved appropriate functions, outputs can be verified, and the finished device meets its intended use where validation applies.
Supplier qualification and outsourced processes
Supplier controls should reflect the effect of the supplied product or service on device quality. Evidence may include selection criteria, initial qualification, quality agreements, incoming controls, performance monitoring, re-evaluation, change notification, and action when performance is unacceptable. Outsourcing an activity does not remove the organization’s responsibility to control it.
Traceability and identification
The organization should define identification and traceability controls appropriate to the device, regulatory requirements, and risk. Records may need to connect materials, components, batches or lots, production history, inspections, release, distribution, installation, and service activities. The required depth varies by product and market.
Process validation
Processes whose output cannot be fully verified by later monitoring or measurement need validation. Depending on scope, this may include sterilization, packaging, sealing, welding, software used in production or the QMS, cleanroom processes, or other special processes. Validation should define protocols, acceptance criteria, equipment, personnel, results, revalidation triggers, and retained records.
Complaint handling, reporting, and CAPA
Complaint handling should ensure timely review, investigation, evaluation for reportability, communication, and linkage to risk management and corrective action. Corrective and preventive action (CAPA) records should distinguish immediate correction from root-cause action, assess risk, verify implementation, and confirm effectiveness without creating adverse effects.
Required evidence and records
| Process | Typical evidence |
|---|---|
| QMS scope and regulatory role | Products, activities, sites, exclusions, applicable requirements, and responsibilities. |
| Document and record control | Approval, revision, distribution, retention, protection, and access controls. |
| Risk management | Plans, analyses, controls, residual-risk evaluation, production data, and review after changes. |
| Design and change control | Inputs, outputs, reviews, verification, validation, transfer, change assessment, and approvals. |
| Supplier management | Qualification, agreements, monitoring, re-evaluation, incoming controls, and issue follow-up. |
| Production and validation | Work instructions, acceptance criteria, environment, equipment, process validation, and release records. |
| Traceability | Material, batch, device-history, distribution, installation, servicing, and status records where applicable. |
| Feedback and complaints | Intake, investigation, reporting evaluation, trend review, risk linkage, and closure. |
| CAPA and improvement | Containment, root cause, action, verification, effectiveness, and management oversight. |
| System assurance | Training, internal audit, management review, data analysis, and corrective-action follow-up. |
Internal audit requirements
The internal audit program should cover the QMS scope and critical processes based on status, risk, previous findings, complaints, supplier performance, and changes. Auditors need independence from the work being audited and sufficient competence to evaluate both the documented system and actual implementation.
Typical implementation stages
- Scope and gap review: confirm products, lifecycle activities, sites, regulatory roles, outsourced processes, and current controls.
- QMS design: establish the process map, responsibilities, risk controls, document structure, records, and quality objectives.
- Implementation: train teams, operate procedures, qualify suppliers, complete validations, and collect objective evidence.
- Internal assurance: perform internal audits, analyze data, investigate gaps, complete CAPA, and hold management review.
- Certification readiness: verify scope, records, staff understanding, open actions, and readiness for the independent certification-body audit.
Realistic timelines
A limited-scope distributor with mature controls may need a shorter project than a manufacturer designing devices, validating special processes, or controlling multiple suppliers and sites. Many projects require several months of implementation evidence before certification. Regulatory approvals and product registrations are separate from ISO 13485 certification and can follow different authorities and timelines.
Common readiness gaps
- The QMS scope does not match the organization’s actual regulatory or lifecycle role.
- Supplier files show purchase history but no risk-based qualification or monitoring.
- Design changes are implemented without documented review of risk, verification, or validation.
- Special processes lack approved validation protocols or revalidation criteria.
- Complaint trends are not connected to risk files, reporting decisions, or CAPA.
- Traceability records cannot connect materials, production, release, and distribution.
- Internal audits check procedures but do not sample technical records or process performance.
Certification remains independent
ISO IRAQ provides implementation, documentation, training, internal-audit, and certification-readiness support. The selected certification body independently conducts the certification audit and makes the certification decision.
Plan an ISO 13485 readiness review
Send your product type, role in the device lifecycle, number of sites, outsourced activities, current QMS status, and target audit date.
Content reviewed: 18 June 2026.