🏥 ISO 13485

ISO 13485:2016 Inspection & Quality Suppliers for Medical Devices

Medical device buyers learn quickly that an inspection record is not just a quality artifact, it is a regulated document that may be pulled during an FDA inspection or a notified-body audit. ISO 13485:2016 reframes the entire quality system around risk and regulatory compliance, and that reframing changes how a contract inspection supplier must run measurement, validation, and recordkeeping. Here is what the standard requires inside the inspection function and how it threads into 21 CFR 820 and the EU MDR.

ISO 13485ISO 9001ISO 14971

How ISO 13485 reshapes inspection compared with ISO 9001

ISO 13485:2016 shares structural DNA with ISO 9001 but diverges in philosophy and in several clauses that directly govern inspection. It deliberately retains a prescriptive, documentation-heavy approach and drops ISO 9001's continual-improvement and customer-satisfaction emphasis in favor of maintaining the effectiveness of a regulated quality system. For an inspection supplier, the most consequential divergence is clause 7.5.6, validation of processes for production and service provision, which extends to any inspection or measurement process whose output cannot be fully verified by subsequent monitoring. In practice that pulls measurement-system validation and software validation squarely into scope. Clause 7.6 (control of monitoring and measuring equipment) parallels ISO 9001's gage control but adds the medical expectation of documented records tied to device risk. Clause 4.1.6 requires validation of computer software used in the quality system, which captures CMM software, inspection-data systems, and statistical packages. And clause 7.5.8/7.5.9 on identification and traceability is stricter: for implantable devices, traceability requirements reach component and material lot level so that any inspected lot can be tied to a specific device and patient exposure if a recall occurs. The upshot is that ISO 13485 inspection is built around demonstrable control and reconstructable records rather than measurement throughput. A shop can be excellent at ISO 9001 dimensional work and still be unprepared for the validation, software-control, and lot-traceability demands a medical buyer must flow down.

The regulatory web: 21 CFR 820, EU MDR, and how inspection records feed it

ISO 13485 is the de facto international quality-system standard for medical devices, and it interlocks with two major regulatory frameworks. In the United States, FDA 21 CFR Part 820 (the Quality System Regulation, transitioning toward the QMSR that harmonizes with ISO 13485) governs device quality. Subpart I, 820.80 on receiving, in-process, and finished-device acceptance, and 820.250 on statistical techniques, are the inspection-relevant teeth: every acceptance activity must be documented, and acceptance status must be identifiable throughout. Inspection records become part of the Device History Record (DHR) under 820.184, which means your contract inspection data may be examined directly during an FDA 483 inspection. In the European market, the EU MDR (Regulation 2017/745) requires technical documentation and post-market surveillance that lean on conformity evidence, and a notified body can audit the manufacturer's suppliers, including inspection houses. Risk management under ISO 14971 also flows into inspection because the criticality of a measured characteristic is risk-driven: a dimension controlling a luer-lock seal or a bone-screw thread carries different acceptance rigor than a cosmetic feature. For the buyer, the practical consequence is that the inspection supplier's records must be audit-ready, attributable, and retained for the device's required retention period. Confirm the supplier understands DHR contribution, can support a notified-body or FDA audit at their site, and aligns acceptance sampling and statistical methods with 820.250 rather than ad hoc judgment.

Verifying the certificate and the records you must receive

Verify an ISO 13485 certificate much as you would ISO 9001, but with medical-specific scrutiny. Confirm the certification body is accredited (ANAB, BSI, TUV, DEKRA, or similar) and recognized for medical certification, then check the scope statement explicitly covers inspection, metrology, or quality services for medical device components. A scope tied only to a device-design or sterile-manufacturing activity will not cover a standalone inspection contract. Check the three-year cycle and recent surveillance audit, and ask whether the certificate is recognized under the MDSAP (Medical Device Single Audit Program) if you need access to multiple regulatory markets at once. The records you should receive go beyond a generic inspection report. Expect a Certificate of Conformance with lot or serial traceability to the device-master-record requirements, dimensional and functional inspection results tied to validated methods, calibration evidence for the gages used, and, where the process required validation, the validation documentation (IQ/OQ/PQ for the inspection process or test method). For implantable or high-risk components, expect component-level lot traceability adequate to support a recall. Watch two traps. First, a supplier holding ISO 9001 but not ISO 13485 cannot give you the regulated traceability and validation discipline a medical buyer must flow down, even if their measurements are accurate. Second, a lapsed or scope-mismatched certificate is a finding waiting to happen during your own audit, so verify currency and scope before the first lot ships.

Frequently Asked Questions

You can use an ISO 9001 shop only when your part is genuinely non-regulated or when you keep all regulated-record obligations inside your own quality system. The risk is that ISO 13485 imposes controls ISO 9001 does not, and your own FDA or notified-body auditor will expect those controls to flow down to suppliers performing acceptance activities. Specifically, ISO 13485 requires validation of inspection and measurement processes that cannot be fully verified afterward (clause 7.5.6), validation of computer software used in the quality system including CMM and inspection-data software (clause 4.1.6), and stricter lot-level traceability for implantable and high-risk components. It also aligns acceptance and statistical techniques with regulated expectations under FDA 21 CFR 820.80 and 820.250, where inspection data becomes part of the Device History Record and can be examined during an FDA inspection. An ISO 9001 shop may produce accurate dimensions but typically lacks the documented validation, software control, and traceability rigor a medical buyer must demonstrate. If your device is regulated, source an ISO 13485 supplier or be prepared to absorb the entire compliance burden internally, which is rarely worth it.
Under FDA 21 CFR Part 820, acceptance activities are regulated. Clause 820.80 requires documented receiving, in-process, and finished-device acceptance, and acceptance status must be identifiable throughout production. The results of those acceptance activities become part of the Device History Record under 820.184, which documents that each device or lot was manufactured in accordance with the Device Master Record. When you outsource inspection, the inspection results, acceptance decisions, and supporting traceability feed directly into your DHR. That means a contract inspection supplier's records can be reviewed during an FDA inspection, and a gap such as an undocumented acceptance decision or a missing calibration record can produce a 483 observation against you. The FDA is also transitioning to the Quality Management System Regulation (QMSR), which harmonizes 820 with ISO 13485, further tightening the alignment between the standard and the regulation. Practically, require your inspection supplier to deliver attributable, retained, audit-ready acceptance records with lot or serial traceability, validated measurement methods, and statistical techniques consistent with 820.250, so the data drops cleanly into your DHR without rework or risk.
MDSAP, the Medical Device Single Audit Program, allows a single regulatory audit of a manufacturer's quality system to satisfy the requirements of multiple participating regulators, currently including the US FDA, Health Canada, Australia's TGA, Brazil's ANVISA, and Japan's PMDA/MHLW. For Canada, MDSAP certification is mandatory for most medical devices. When you source inspection for devices sold in those markets, a supplier or partner operating within an MDSAP-recognized framework reduces audit burden and signals maturity beyond baseline ISO 13485. For a pure contract inspection house, MDSAP is less commonly held than ISO 13485 itself, since MDSAP audits target manufacturers rather than service subcontractors. So the realistic ask is that the inspection supplier hold a current ISO 13485:2016 certificate with a scope covering your inspection work, and that they understand and can support your MDSAP obligations during an audit. If you specifically need a supplier whose own system is MDSAP-aligned, confirm it explicitly, because it is an uncommon attribute for a standalone inspection provider and you should not assume it from ISO 13485 alone.
ISO 13485 inspection generally costs more than the ISO 9001 equivalent on the same part because the documentation and validation overhead is higher, not because measurement is slower. The main drivers are process and method validation (IQ/OQ/PQ where the inspection process cannot be fully verified afterward), software validation for measurement systems, and lot-level traceability records. A moderate-complexity medical dimensional report commonly runs comparable per-hour CMM rates of roughly 90 to 175 USD, but the surrounding validation and traceability documentation can add meaningfully to a first-article or new-process setup. Expect 3 to 7 business days for a documented first-article package once parts and material certs arrive, and longer if a new inspection method requires validation before the lot can be released. The first time a method is validated is the expensive step; subsequent lots run faster because the validation is already in place. Budget extra calendar time for any new high-risk or implantable component, where lot traceability and risk-driven acceptance criteria require more setup. The premium buys regulated, audit-ready records that protect your FDA and EU MDR position, which is the actual deliverable.

Last updated: July 2026

Find ISO 13485-Certified Quality & Inspection Suppliers

Search verified quality & inspection shops that hold ISO 13485.

No logins. No email gates. Just results.