The complete guide to passing ISO 13485 audits


    ISO 13485 audits are a vital quality and compliance hurdle for medical device companies to tackle.

    Understanding the ISO 13485 audit process, both for 'real deal' third-party audits and your own internal audit preparations, is essential for international medical device market success.

    We've built this audit guide to get you confident, compliant and ready for that knock on the door.


    Table of Contents

    1. What is an ISO 13485 audit?
      1. ISO 13485 audit requirements
    2. How to prepare for an ISO 13485 audit
      1. ISO 13485 audit questions and answers
      2. ISO 13485 audit checklist
    3. How to conduct an ISO 13485 audit
      1. Internal audits
      2. Supplier audits
      3. External audits
    4. Conducting an ISO 13485 internal audit
      1. ISO 13485 internal audit schedule
      2. ISO 13485 internal audit checklist
      3. ISO 13485 internal audit training
    5. ISO 13485 audit report sample
    6. Pass your ISO 13485 audits easily



    What is an ISO 13485 audit?


    ISO 13485 audits are, in short, an examination of your company to see if it conforms to modern expectations of medical device quality management.

    A quality management system (QMS) is the way your organization directs and controls those activities that are related, either directly or indirectly, to achieving your intended operational results.

    It consists of your organization’s structure together with the planning, processes, resources, documents and records that you use to hit your quality objectives.

    ISO 13485 is the industry standard for medical device quality management.




    If you want an internationally recognized stamp of approval for your medical device QMS, you can work towards conformance with ISO 13485 by maintaining a documented set of interrelated processes, including any forms or templates, that establish, implement and maintain the requirements of the standard.

    This is with the aim of meeting customer and regulatory requirements for businesses operating in the medical device sector. These processes and their interactions are also subject to improvement as directed by senior management to achieve quality objectives. 

    An audit is:


    '... a systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled...'


    ISO 13485 audits, then, are an examination of your company's quality management system processes to assess the extent to which you're meeting the requirements of the ISO 13485:2016 standard.





    ISO 13485 audit requirements


    The objective of ISO 13485 audits is to determine if all applicable requirements of ISO 13485:2016 have been implemented in your company. 

    The audit objectives specifically include evaluation of: 

    • The effectiveness of your QMS in incorporating the applicable regulatory requirements

    • Product/process-related technologies 

    • Adequate product technical documentation in relation to relevant regulatory requirements

    • Your ability to comply with these requirements


    As part of achieving these ISO 13485 audit objectives, the auditor will verify that your organization maintains sufficient and reliable objective evidence to demonstrate your devices meet essential principles of safety, performance and effectiveness. 

    The auditor will expect that your documentation and records are maintained to demonstrate continued compliance with regulatory requirements during the post-market phase of the device lifecycle. 

    And you'll need to prove an effective risk-based approach is in place.

    Implementing a risk-based approach is an integral aspect of a medical device organization’s quality management system, and it's the responsibility of top management to provide the necessary commitment and resources for this effort.  

    Effective implementation of the risk-based approach usually starts in conjunction with the design and development process, proceeds through product realization (including the selection of suppliers), considers feedback from post-market monitoring, and continues until the time your device is decommissioned.  

    Risk-based decisions occur throughout the various quality management system processes. Each medical device organization must therefore implement the risk-based approach, and risk management in product realization, with a determination of how much residual risk is acceptable, so that its medical devices meet safety, performance and regulatory requirements.




    How to prepare for an ISO 13485 audit


    In an external third-party ISO 13485 audit, your medical device organization needs to demonstrate its ability to provide medical devices that consistently meet customer and regulatory requirements.  

    Failing to fulfil any of the requirements in ISO 13485:2016, or any portion of the requirements listed in the audit activities and tasks, means audit failure, a delay or reversal of your ISO 13485 accreditation, and a significant backward step in your medical device company's operational plans.





    ISO 13485 audit questions and answers


    Like any test or examination, knowing the questions you'll be asked, and how you'll answer them, is the key to success for ISO 13485 audits.

    The next section of this post will provide a detailed ISO 13485 checklist outlining every clause-by-clause question that will be asked of your medical device QMS.

    But particular attention should also be paid to the potential interrelationship of processes in your company that may lead to significant nonconformity in an ISO 13485 audit.

    The output of one process often directly forms the input of other processes, and the activities of a supporting process can be relevant to other processes. 

    For example, during an ISO 13485 audit the auditor could find non-conformances in both your purchasing controls and your acceptance activities.

    Individually, 'failing' one of these questions on your audit may amount to a minor nonconformity.

    But together they indicate a significant nonconformity, because control over suppliers and the products they supply depends on an effective mix of both these activities, and deficiencies in both will affect the quality of your finished device.

    A purely question-by-question 'question-and-answer' approach can only get you so far in your ISO 13485 audit preparations.

    The interaction between areas of your medical device QMS is as significant as the individual strength of each ingredient.






    ISO 13485 audit checklist


    With that caveat out of the way, we recognize that often the best way to prepare for an ISO 13485 audit is a reassuring, tick-by-tick 'shopping list' approach as you assess your medical device QMS for weaknesses.

    As such, the Qualio+ team has assembled a comprehensive ISO 13485 audit checklist to help you prepare.





    How to conduct an ISO 13485 audit


    How should your business conduct an ISO 13485 audit, then?

    That depends on the type of audit we're discussing.

    It's worth familiarizing yourself with the different types of audits before we start digging deeper:




    Internal audits


    An internal or first-party ISO 13485 audit is your 'dry run' practice audit, and the best way to prepare for a real third-party regulatory audit.

    We'll dig into how to conduct an ISO 13485 internal audit in detail a little further down.

    But it's worth noting here that you should always ensure your internal auditing meets the expectations or 'principles' of modern auditing as laid out in ISO 19011:


    1. Integrity
    2. Fair presentation
    3. Due professional care
    4. Confidentiality
    5. Independence
    6. Evidence-based approach


    A useful component of internal auditing is its ability to enforce standardization. By pinpointing areas of variation and difference that threaten your ISO 13485 compliance, you can take corrective action to fix those issues and make your company work in a more standardized way.





    Supplier audits


    A supplier audit can cut both ways: either your customer audits you as a supplier to check your ISO 13485 compliance, or you audit one of your own suppliers.

    Remember that your ISO 13485 compliance can hinge upon what your suppliers do: failing to onboard suppliers properly, and introducing defective parts and materials into your own company will stop you getting accredited to ISO 13485, even if it's your supplier's 'fault'.





    External audits


    The big one. An external, third-party regulatory ISO 13485 audit is your company's formal assessment to secure or maintain your ISO 13485 compliance.

    External audits can be stressful events that take months to prepare for.

    Some key things to consider to prepare for an ISO 13485 external audit include:


    1. Prepare documents in compliance with all ISO 13485 requirements
    2. Implement the documents as fully traceable, recorded processes
    3. Identify and conduct training
    4. Conduct a gap assessment of all SOPs and processes
    5. Develop and implement a comprehensive risk assessment program
    6. Ensure employees are trained on their ISO 13485 requirements
    7. Ensure employees are competent and able to fulfil their ISO 13485 requirements
    8. Ensure each employee knows:
      1. Where to find the quality policy
      2. What the quality policy says
      3. Who the management representative is
      4. Their job description/responsibilities
      5. How they contribute to maintaining the quality of the devices delivered to the customer
      6. Where the SOPs/QMS documents are located
      7. Which SOPs are applicable to their job
      8. Where their training records are
      9. How to handle nonconforming products/results
      10. Quality objectives



    Conducting an ISO 13485 internal audit


    Of the three types discussed above, first-party internal audits are the most important to master. Nail those, and passing a second- or third-party ISO 13485 audit becomes much, much easier.

    There are three main areas to consider: structuring your internal audit with a clear schedule of activity, following a checklist to ensure nothing's missed, and ensuring your audit team is properly trained and competent.


    ISO 13485 internal audit schedule


    An ISO 13485 internal audit schedule should include space for all key audit activities, including:


    1. Audit prep
    2. Conducting document review
    3. Conducting onsite audit activities
    4. Preparation, approval and distribution of audit report
    5. Completing the audit
    6. Follow-up audit(s)
    7. Addressing findings


    Your schedule should include a robust ISO 13485 audit plan, covering:

    • Audit objectives
    • Audit criteria and reference documents
    • Scope, including identification of organizational units
    • Date and time of audit activities
    • Audit team responsibilities
    • Allocation of resources
    • Auditee representatives
    • Assigning work to audit team members
    • Preparation of working documents
    • Provision of checklists & forms for recording


    ISO 13485 internal audit checklist


    The detailed checklist provided above could serve as a suitable ISO 13485 internal audit checklist.

    However, you may not want to dig into so much detail in every single internal audit - and a careful balance should be struck between audit neglect and overkill that exhausts your team members.

    Although clause-by-clause tickbox activity can be helpful, you should also be cognisant of the topline 'buckets' of activity to check up on in individual internal audits.

    They look like this.


    ISO 13485 requirement: key ingredients to check

    General requirements
    • Documentation
    • Regulatory and risk-based approach
    • Outsourced processes
    • Change management
    • Validation of software (if applicable)
    • Quality manual
    • Medical device file
    • Controls related to document and record amendment, security and integrity

    Management responsibility
    • Focus on regulatory requirements
    • Documented procedures for management review
    • Documented planned intervals
    • Documented processes for competence, awareness and training
    • Risk-based training effectiveness
    • Processes for preventing product mix-up
    • Information systems infrastructure
    • Maintenance intervals for production or monitoring equipment

    Work environment & contamination control
    • Documentation requirements for work environment
    • Contamination controls for sterile medical devices

    Planning of product realization
    • Processes for risk management
    • Requirements for storage, handling, distribution and traceability

    Customer-related processes
    • Requirement and availability for any user training
    • Documented processes for communicating with stakeholders, including regulatory authorities

    Design & development
    • Traceability of design inputs to outputs
    • Required resources, including competence of personnel involved in design projects
    • Additional details and documentation for verification and validation plans, including statistical techniques, sampling rationale and representative product and records
    • Documented procedures for design transfer and design change
    • Design and development files
    • Increased focus on supplier monitoring and risk
    • Documented agreements for prior notification of changes to supplied product
    • Linkage between verification of purchased product and change control

    Production & service provision
    • Qualification of infrastructure
    • Analysis of service records
    • Documented procedures for validation including statistical techniques, sampling rationale, revalidation
    • Validation requirements for processes that cannot or are not subsequently monitored
    • Procedures for risk-based software validation
    • Documented procedure for product identification/status during production; this may be Unique Device Identification (UDI)
    • Validation of sterile barrier systems
    • Suitability of packaging systems
    • Recording of measuring equipment adjustments

    Monitoring & measurement
    • Linkages from customer feedback into risk management
    • Documented processes for ascertaining whether customer requirements have been met
    • Procedures for complaint handling
    • Processes for informing third parties of complaints
    • Plans for internal audits at defined intervals
    • Processes for the identification of test equipment

    Control of nonconforming product
    • Processes for communication with external parties regarding non-conforming product
    • Controls for managing concessions
    • Linkages between rework and regulatory requirements

    Analysis of data
    • Sources of data for analysis, such as service records and audits
    • Procedures that cover the application of statistical techniques
    • Linkages between the analysis and improvement processes
    • Actions taken without undue delay
    • Evaluation of actions for adverse effects on regulatory requirements and product safety and performance



    ISO 13485 internal audit training


    Training yourself and your team for an internal ISO 13485 audit means mastering the key operational steps you'll need to take before, during and after the session.

    These include ensuring:

    • Your audit team knows how to check if your QMS conforms with all ISO 13485 requirements
    • Those performing the audits have no direct responsibility for what is being audited
    • Dates and results of audits are documented
    • Audits are performed at defensible intervals
    • Findings that require action are handled appropriately (i.e. CAPAs)






    ISO 13485 audit report sample


    The audit report is the most important (and visible) tool of the ISO 13485 audit.

    Communicating audit results effectively requires both knowledge of the subject and the audience.


    Remember the reader of your audit report could be:

    • Auditee (team lead/function/department head)
    • Newly assigned
    • Various personnel from the function/department
    • Executive management
    • ISO auditor
    • Quality management
    • Quality personnel
    • The next generation of auditors!


    Take the reader who may not be familiar with the subject along a journey.

    Begin with function and department responsibilities, procedures and how they fit into the overall company process(es), then describe the best practices and follow through with any identified audit findings or opportunities for improvement.

    End the journey with clear, actionable persuasion and encouragement to act on the opportunities for improvement, or react to the observations (issues) that threaten your ISO 13485 compliance. 

    Here's a sample of an ISO 13485 audit report to help you prepare this key ingredient of your ISO 13485 audits.


    Audit report


    Audit Date:

    Scope of Audit:

    Audited by:

    Auditee Contact:

    Auditee Team:

    Opening meeting was conducted on: __________


    Closing meeting was conducted on: __________


    Introduction: (mention the company and device details here!)



    Audit findings:



    Opportunities for improvement:





    Pass your ISO 13485 audits easily


    Needless to say, after this comprehensive tour, passing ISO 13485 audits is tough and complex.

    Our recent life science quality trends report found that 49% of life science companies continue to rely on paper to manage their critical quality processes.

    Paper and spreadsheets clutter and complicate your medical device quality management, making it more difficult to spot compliance weaknesses and embed repeatable processes.

    More and more medical device companies like TriMed are turning to ISO 13485 compliance software to simplify and accelerate their journeys.

    Book a demo with Qualio to see how digital ISO 13485 audit success works!