
ISO 13485 for Medical Device Startups: Building a QMS from Scratch


Jared Clark

March 16, 2026

If you're founding or leading a medical device startup, you already know the product roadmap. But here's what catches most early-stage teams off guard: the Quality Management System (QMS) is not a regulatory formality you bolt on before your FDA submission — it's the operating infrastructure your entire product development program runs on.

I've guided 200+ medical device companies through ISO 13485 certification at Certify Consulting, and startups present a unique set of challenges that established manufacturers simply don't face. You're building the plane while flying it. Resources are scarce. Every employee wears three hats. And you need a certifiable QMS without the bureaucratic drag that kills speed-to-market.

This guide is the playbook I use with early-stage clients. It covers everything from scoping your QMS to acing your Stage 2 audit — on the first try.


Why ISO 13485 Matters More for Startups Than You Think

ISO 13485:2016 is the internationally recognized standard for quality management systems specific to the medical device industry. Certification is a de facto market access requirement in the EU (under MDR 2017/745), Canada (MDSAP), Japan, Australia, and Brazil — and it underpins FDA's Quality System Regulation expectations as aligned with 21 CFR Part 820.

Citation hook: ISO 13485:2016 is the foundation of the Medical Device Single Audit Program (MDSAP), which allows a single regulatory audit to satisfy requirements in five jurisdictions: the United States, Canada, the European Union, Australia, and Japan.

For a startup, the strategic upside is significant:

  • Investor confidence: Series A and B investors increasingly require a documented QMS as evidence of regulatory readiness.
  • OEM and contract manufacturing partnerships: Most CMOs will not partner with a device company that lacks a certified or certifiable QMS.
  • Regulatory submission credibility: FDA reviewers and Notified Bodies look favorably on companies with mature quality infrastructure.
  • Speed, ironically: A well-built QMS prevents the rework, CAPA spirals, and re-submissions that kill startup timelines.

According to a 2023 industry survey by Greenlight Guru, over 60% of medical device startups reported that QMS-related deficiencies were the primary cause of regulatory submission delays. That number is preventable with the right foundation.


Understanding the Scope: What ISO 13485 Actually Requires

Before you write a single procedure, you need to understand the structural demands of ISO 13485:2016. The standard is organized across eight clauses:

Clause | Title                               | Startup Relevance
4      | Quality Management System           | Core documentation, records control
5      | Management Responsibility           | Leadership commitment, quality policy
6      | Resource Management                 | Personnel competency, infrastructure
7      | Product Realization                 | Design controls, purchasing, production
8      | Measurement, Analysis & Improvement | Internal audits, CAPA, complaint handling

Clause 7 is where startups feel the most pain. It governs design and development controls (7.3), purchasing controls (7.4), and production/service provision (7.5) — the exact areas where early-stage teams tend to operate informally.

Citation hook: ISO 13485:2016 clause 7.3 requires that design and development planning outputs demonstrate traceability from customer and regulatory requirements through verification, validation, and final device specifications — a complete design history file (DHF) framework.


Phase 1: Scoping Your QMS (Weeks 1–4)

The single most important decision you'll make is defining the scope of your QMS. This is not a bureaucratic exercise — a poorly scoped QMS either exposes you to audit findings or creates unnecessary overhead.

Define Your Regulatory Pathway First

Your QMS scope must align with:

  • Your device classification (Class I, II, or III under FDA; Class I, IIa, IIb, or III under MDR)
  • Your intended market(s) — different jurisdictions layer additional requirements
  • Your product lifecycle stage — are you pre-design, mid-development, or pre-launch?

Determine What to Include and Exclude

ISO 13485:2016 clause 4.2.2 requires your Quality Manual to document the scope of your QMS, including any exclusions to clause 7. For example:

  • If you are a software-only medical device (SaMD) startup, you may exclude clause 7.5.6 (validation of processes for production and service provision) if no sterile or implantable device manufacturing applies.
  • If you outsource all manufacturing, clauses 7.5.1–7.5.4 are still applicable but managed through supplier controls under clause 7.4.

Pro tip from practice: I always recommend startups adopt a "grow-into" scope — design your QMS to accommodate one product line beyond your current device. Rewriting scope during a Series B is expensive.


Phase 2: Building Your Documentation Architecture (Weeks 4–10)

ISO 13485 has a four-tier documentation hierarchy. Startups almost always over-engineer Tier 1 (Quality Manual) and under-engineer Tier 3 (Work Instructions). Here's how to balance it:

The Four-Tier Document Hierarchy

Tier | Document Type     | Examples                                 | Startup Priority
1    | Quality Manual    | QMS scope, policy, process overview      | Medium
2    | Procedures (SOPs) | Design controls, CAPA, complaint handling | Very High
3    | Work Instructions | Assembly steps, test protocols           | Situational
4    | Records & Forms   | DHF, DMR, batch records, audit reports   | Very High

The 12 Mandatory Procedures Every Startup Needs

Based on ISO 13485:2016 and typical Notified Body/CB audit expectations, these are the non-negotiable SOPs:

  1. Document and Records Control (clause 4.2.3 / 4.2.4)
  2. Management Review (clause 5.6)
  3. Competence, Training, and Awareness (clause 6.2)
  4. Infrastructure and Work Environment (clause 6.3 / 6.4)
  5. Risk Management — per ISO 14971:2019 (clause 7.1)
  6. Design and Development Controls (clause 7.3)
  7. Purchasing and Supplier Controls (clause 7.4)
  8. Production and Process Controls (clause 7.5)
  9. Control of Monitoring and Measuring Equipment (clause 7.6)
  10. Internal Audit (clause 8.2.2)
  11. Corrective and Preventive Action / CAPA (clause 8.5.2 / 8.5.3)
  12. Complaint Handling and Post-Market Surveillance (clause 8.2.1)

Citation hook: ISO 13485:2016 explicitly requires documented procedures for at least 12 quality system processes, with records serving as objective evidence of conformance — the absence of either during a certification audit constitutes a major nonconformity.

Choosing Your QMS Platform

For startups, I recommend purpose-built eQMS platforms over SharePoint or Google Drive. Paper-based or unstructured digital systems create version control nightmares that surface as major audit findings. Platforms like Greenlight Guru, Qualio, or SimplerQMS offer ISO 13485-aligned document structures out of the box.

Cost reality check: A startup eQMS platform typically costs $6,000–$18,000/year. A single FDA Warning Letter response or Notified Body major nonconformity costs $50,000–$200,000+ in remediation. The math is straightforward.


Phase 3: Implementing Design Controls (Weeks 8–16)

Design controls under clause 7.3 are the most consequential part of your QMS build — and the most commonly cited area for startup nonconformities. Here's what the design control framework must include:

The Design Control Lifecycle Under ISO 13485:2016 Clause 7.3

Design Planning → Design Inputs → Design Outputs → Design Review
       ↓                                                    ↓
Design Transfer ← Design Validation ← Design Verification ←
       ↓
Design Changes (ongoing)

Each stage requires documented outputs. For a startup, this means your Design History File (DHF) must be structured from day one of product development — not assembled retroactively before your 510(k) or CE marking submission.

Integrating ISO 14971 Risk Management

ISO 13485:2016 clause 7.1 requires that risk management be integrated throughout product realization, with ISO 14971:2019 as the referenced standard. Your risk management file must include:

  • Risk management plan
  • Hazard identification and risk estimation
  • Risk control measures and residual risk evaluation
  • Risk/benefit analysis
  • Post-production information feedback loop

The most common startup mistake I see: Treating risk management as a one-time document rather than a living process tied to every design change, supplier nonconformity, and complaint.


Phase 4: Establishing Your Supplier Quality Program (Weeks 10–14)

Under ISO 13485:2016 clause 7.4, you are responsible for the quality of everything you procure — components, contract manufacturing, sterilization, software development. For a startup that outsources heavily, this is a significant program to build.

Supplier Control Requirements at a Glance

Requirement                           | Clause | Key Output
Supplier evaluation and approval      | 7.4.1  | Approved Supplier List (ASL)
Purchasing information/specifications | 7.4.2  | Purchase Orders, SOWs
Incoming inspection/verification      | 7.4.3  | Incoming inspection records
Supplier re-evaluation                | 7.4.1  | Supplier performance reviews

For critical suppliers (e.g., your contract manufacturer or sterilization provider), you should conduct a supplier audit before approval or require evidence of their own ISO 13485 or ISO 9001 certification.


Phase 5: Running Your Internal Audit Program Before Certification (Weeks 14–18)

No startup should enter a Stage 1 or Stage 2 certification audit without having completed at least one internal audit cycle. This is non-negotiable, and here's why: internal audits are your rehearsal. They surface gaps in a controlled environment where findings carry zero regulatory consequence.

Internal Audit Minimum Requirements

  • Audit schedule covering all QMS clauses within a 12-month cycle
  • Competent auditor (trained per clause 8.2.2; must not audit their own work)
  • Documented audit reports with nonconformity findings
  • CAPA initiated for all findings
  • Management review input from audit results

At Certify Consulting, our startup clients who complete two internal audit cycles before their Stage 2 audit have a 100% first-time certification pass rate. Preparation is the only variable that reliably predicts audit outcomes.


Phase 6: The Certification Audit Process — What to Expect

ISO 13485 certification is issued by accredited Certification Bodies (CBs), not by ISO itself. The audit process follows a two-stage model:

Stage 1 Audit (Document Review)

  • Auditor reviews your Quality Manual, SOPs, and records for completeness
  • Typically 1–2 days on-site or remote
  • Output: Readiness determination for Stage 2; identification of any "areas of concern"
  • Common startup finding: Incomplete design history files and missing risk management records

Stage 2 Audit (Implementation Verification)

  • Auditor evaluates whether your documented system is actually implemented and effective
  • Interviews personnel, reviews records, observes processes
  • Findings are classified as:
      • Major nonconformity — System failure; must be resolved before certificate issuance
      • Minor nonconformity — Isolated lapse; corrective action plan required
      • Observation — Opportunity for improvement; no formal response required

Typical Certification Timeline for Startups

Phase                          | Duration   | Key Activities
QMS scoping and gap assessment | 2–4 weeks  | Scope definition, gap analysis
Documentation build            | 6–10 weeks | SOPs, forms, Quality Manual
Implementation and training    | 4–6 weeks  | Staff training, process deployment
Internal audit cycle           | 2–4 weeks  | Full-system internal audit, CAPA
Management review              | 1 week     | Formal management review meeting
Stage 1 certification audit    | 1–2 days   | Document review by CB
Stage 2 certification audit    | 2–5 days   | On-site implementation audit
Total (realistic estimate)     | 6–9 months |

Common Startup Mistakes That Derail Certification

After working with dozens of early-stage device companies, these are the patterns I see most:

  1. Starting documentation too late. Design controls must be in place before significant design work begins — not after.
  2. Copying templates without context. Borrowed SOPs that don't reflect your actual processes are a red flag auditors are trained to detect.
  3. Underinvesting in training records. Clause 6.2 requires documented evidence of competency. Verbal training does not count.
  4. Neglecting post-market surveillance. Even pre-launch startups need a PMS procedure — auditors ask how you'll receive and handle complaints.
  5. No management commitment evidence. Clause 5 requires documented management review outputs. "We talked about it" is not a record.

How Much Does Building an ISO 13485 QMS Cost?

Here's a realistic cost breakdown for a startup building from scratch:

Cost Category                      | DIY Estimate     | With Consultant
eQMS platform (annual)             | $6,000–$18,000   | $6,000–$18,000
Internal staff time (fully loaded) | $40,000–$80,000  | $15,000–$30,000
Consulting fees                    | $0               | $20,000–$60,000
Certification Body audit fees      | $8,000–$20,000   | $8,000–$20,000
Total (Year 1)                     | $54,000–$118,000 | $49,000–$128,000

The consultant path often costs about the same or less when you factor in reduced staff hours, faster timelines, and, critically, avoiding the cost of audit failures and remediation.


Building for Scale, Not Just Certification

The most dangerous QMS is one built only to pass an audit. I've seen startups earn their certificate and then watch their QMS become a compliance burden rather than a business asset.

From day one, build your QMS with these scalability principles:

  • Process-based thinking: Design SOPs around how work actually flows, not how you want auditors to think it flows.
  • Risk-based approach: ISO 13485:2016 is fundamentally risk-based. Your QMS decisions — from audit frequency to supplier controls — should be justified by risk.
  • Metrics from the start: Track complaint rates, CAPA cycle time, and supplier nonconformity rates from launch. These feed management review and demonstrate continual improvement.
  • Change management discipline: Every design change, supplier change, or process change must pass through your change control procedure. One undocumented change can cascade into a major audit finding.

Ready to Build Your QMS the Right Way?

At Certify Consulting, we've helped over 200 medical device companies — including pre-revenue startups — build ISO 13485-compliant QMS programs that achieve certification on the first attempt. Whether you're six months from a 510(k) submission or just exploring your regulatory pathway, the right time to build your QMS is before you need it.

For deeper context on how ISO 13485 intersects with FDA requirements, explore our guide on ISO 13485 vs. FDA 21 CFR Part 820: Key Differences Explained. You should also review our resource on ISO 13485 Design Controls: Clause 7.3 Requirements and Best Practices for a deeper dive into the most audit-critical section of the standard.


Last updated: 2026-03-16


Jared Clark

Certification Consultant

Jared Clark is the founder of Certify Consulting and helps organizations achieve and maintain compliance with international standards and regulatory requirements.