ISO 9001 is the general quality management standard for any industry; ISO 13485 is the quality management standard for medical devices. ISO 13485 keeps the ISO 9001 framework but adds heavy regulatory, risk, design-control, and documentation requirements, and it drops ISO 9001's emphasis on continual improvement and customer satisfaction in favor of consistently meeting regulatory requirements.
They look like cousins because ISO 13485 grew out of ISO 9001, but they are built for different jobs. ISO 9001 wants a business to keep getting better and keep customers happy. ISO 13485 wants a medical device maker to be provably safe, traceable, and compliant, every single time, whether or not the process is "improving." Understanding where they diverge saves you from certifying to the wrong one, or from assuming your ISO 9001 system already covers what a device regulator will demand.
What is the difference between ISO 9001 and ISO 13485?
The core difference is purpose. ISO 9001 (ISO 9001:2015) is a generic framework for a quality management system that any organization can use to improve performance and satisfy customers. ISO 13485 (ISO 13485:2016) applies that framework specifically to organizations that design, produce, install, or service medical devices, and it is written to align with medical device regulations around the world.
That difference in purpose drives every other difference. ISO 9001 is flexible and improvement-driven. ISO 13485 is prescriptive and safety-driven. Where ISO 9001 says "continually improve," ISO 13485 more often says "maintain the effectiveness of" the system, because in a regulated device context, an unvalidated "improvement" is a risk, not a win. ISO 13485 also stayed on the older structure rather than adopting the high-level Annex SL structure that ISO 9001:2015 uses, so the two do not map clause-for-clause.
Where does ISO 13485 add requirements?
ISO 13485 takes the shared QMS and layers on the controls a regulator expects of anyone making a device that goes in, on, or near a patient. The big additions:
- Regulatory requirements throughout. ISO 13485 repeatedly requires you to meet applicable regulatory requirements, and to keep the QMS documentation aligned with them. Regulatory compliance is woven into nearly every clause, not treated as a side topic.
- Risk management across the product realization. Risk is applied to product safety and to processes throughout the lifecycle, typically implemented alongside ISO 14971, the medical device risk standard. ISO 9001 addresses risk at a higher, strategic level (risk-based thinking) but does not demand this depth.
- Formal design and development controls. Design planning, design inputs and outputs, design reviews, verification, validation, design transfer, and a design history file. ISO 9001 has design and development requirements, but far lighter, and they can be excluded if the organization does not design.
- Process and software validation. Processes whose output cannot be fully verified must be validated, including sterilization and software used in the QMS or in production.
- Cleanliness, contamination control, and traceability. Requirements for controlled environments, product cleanliness, and record retention and traceability that let you trace components through to the finished device, and for implantable devices, down to the individual unit.
- Post-market surveillance and complaint handling. Structured systems to collect field data, handle complaints, report adverse events to regulators, and feed issues back into the QMS.
What does ISO 13485 drop or change from ISO 9001?
ISO 13485 is not simply "ISO 9001 plus." It deliberately steps back from two of ISO 9001's signature ideas. First, continual improvement: ISO 9001 makes it a central obligation, while ISO 13485 asks you to maintain the effectiveness of the QMS and improve where needed, but does not push continual improvement as an overarching goal. Second, customer satisfaction: ISO 9001 treats it as a key measure, while ISO 13485 focuses on meeting customer and regulatory requirements and on feedback as a safety signal rather than a satisfaction metric.
The logic is safety, not indifference. In a device context, chasing improvement or satisfaction without regulatory discipline can introduce uncontrolled change. So ISO 13485 trades some of ISO 9001's flexibility for predictability and documented control. This is also why ISO 13485 leans harder on documentation: more required procedures, more required records, tighter document and record control.
A useful way to feel the gap: in ISO 9001, if your team finds a better way to run a process, you can often just adopt it and document the change. In ISO 13485, that same change may require a risk assessment, updated design or process validation, regulatory review, and a controlled change record before it can go live. Neither approach is wrong; they are tuned for different stakes. When the failure mode is an unhappy customer, speed and improvement win. When the failure mode is a patient injury, control and evidence win.
| Dimension | ISO 9001:2015 | ISO 13485:2016 |
|---|---|---|
| Scope | Any industry or organization | Medical device design, production, and service |
| Primary aim | Improve performance, satisfy customers | Meet regulatory requirements, ensure device safety |
| Continual improvement | Central requirement | Maintain effectiveness; improve where needed |
| Customer satisfaction | Required measure of performance | Feedback treated as a safety and quality signal |
| Risk management | Risk-based thinking, strategic level | Product and process risk throughout (ISO 14971) |
| Design controls | Lighter; excludable if no design | Formal, mandatory design and development file |
| Validation | General process control | Process, sterilization, and software validation |
| Documentation | Flexible, less prescriptive | Heavier, more required procedures and records |
| Structure | Annex SL high-level structure | Older ISO 9001-based structure |
Do you need both ISO 9001 and ISO 13485?
Most medical device manufacturers certify to ISO 13485 alone, because it is what regulators, notified bodies, and device customers ask for. You generally do not need ISO 9001 on top of it; ISO 13485 already contains a full QMS. Some companies that serve both device and non-device markets hold both certificates, and a supplier that makes components for device makers but also for other industries might use ISO 9001 as its base and add ISO 13485 for the device line.
If you make devices, ISO 13485 is almost always the right target. If you make components for device makers, ask your customers: many will accept ISO 9001 with additional controls, while others flow down ISO 13485 requirements. The two share enough DNA that a strong ISO 9001 system, especially its internal audit and corrective action discipline, is a solid foundation to build ISO 13485 on.
One caution: holding an ISO 9001 certificate does not mean you are close to ISO 13485. The shared framework gets you the plumbing, but the regulated-device layers, design controls, risk files, validation protocols, and post-market systems, are real work that ISO 9001 never asked for. Teams that assume their existing certificate covers most of the gap tend to underestimate the design-control and validation effort most of all.
How do you decide which standard to certify to?
Use this short decision sequence:
- Identify what you make. If any product meets the regulatory definition of a medical device, ISO 13485 is on the table. If not, ISO 9001 is your baseline.
- Ask your customers and regulators. Device customers and notified bodies usually require ISO 13485. Non-device customers usually require ISO 9001. Let the people who buy from you and regulate you set the target.
- Check whether you design. If you design devices, you need ISO 13485's full design controls. If you only manufacture to someone else's design, confirm which controls they flow down to you.
- Assess your regulatory exposure. The more your product can harm a patient, the more the risk management, validation, and traceability of ISO 13485 matter. Higher-risk devices make ISO 13485 non-negotiable, and a notified body will expect the full design and validation record before it grants the certificate.
- Decide on one or both. Pure device makers pick ISO 13485. Mixed-market suppliers may hold both. Build whichever you choose on the shared QMS core so you are not maintaining two disconnected systems.
The standards in numbers
Reference points from the issuing body:
- ISO 9001:2015 is the world's most widely used quality management standard, applicable to organizations of any size or sector (ISO 9001:2015).
- ISO 13485:2016 is the QMS standard developed specifically for the medical device industry, emphasizing regulatory compliance, risk management, and process validation (ISO 13485:2016).
- Both are audited using the guidance in ISO 19011:2018 the international guideline for auditing management systems.
Whichever standard applies, the operational headache is the same: keeping controlled records, traceability, and evidence straight without drowning the floor in paperwork, which is especially punishing under ISO 13485's documentation load. Harmony's part is narrow: capture quality checks and production records digitally at the station, keep them searchable and traceable, and surface the patterns, working alongside your QMS and existing systems rather than replacing them. No rip-and-replace. If you build devices or components for them, our notes on medical device manufacturing and supplier quality go deeper, and you can see the digitization approach in a plant at our features overview. Pick the standard your product and customers demand, then build one clean QMS underneath it.