Written by Christian Simard · Last updated 2026-06-04 · 9 min read
Key takeaways
- ISO 9001 = generic quality; ISO 13485 = medical devices, aligned to regulatory requirements.
- ISO 13485 emphasizes risk management, traceability, design controls and documented procedures.
- A contractor should prove a certified or compliant ISO 13485 quality system, not just ISO 9001.
- Demand deliverables that feed your DHF (design history file) and DMR (device master record).
- A 9001-only vendor can still help — but you carry the medical-grade documentation burden yourself.
The core difference
ISO 9001 sets out a general framework for a quality management system that fits any industry. ISO 13485 takes that idea and rebuilds it for medical devices: it is explicitly tied to regulatory requirements, mandates risk management across the product realization process (linking to ISO 14971), and demands rigorous documentation, traceability and design controls. The two share DNA, but their intent diverges where patient safety and regulators enter the picture.
| Dimension | ISO 9001 | ISO 13485 |
|---|---|---|
| Scope | Any industry, general quality | Medical devices specifically |
| Primary driver | Customer satisfaction, continual improvement | Regulatory compliance and safety |
| Risk management | Risk-based thinking, general | Required across realization; ties to ISO 14971 |
| Documentation | Flexible, lighter | Extensive, controlled, traceable records |
| Design controls | Encouraged | Mandatory; feed DHF and DMR |
| Regulatory link | None inherent | Recognized by FDA 21 CFR 820, EU MDR, Health Canada |
What a contractor must actually prove
A medical-grade quality system
Ask for evidence of an ISO 13485 certified or compliant quality system — certificate, scope statement, and recent audit status. ISO 9001 alone signals general competence but does not cover the medical-specific controls regulators expect. If a partner only holds 9001, you can still work together, but you absorb the medical documentation responsibility in-house.
Design controls and the deliverables you receive
The contractor’s work has to slot into your regulatory file. That means structured, controlled outputs — not just working firmware. Concretely, expect deliverables that populate:
- Design History File (DHF): design inputs, plans, reviews, verification and validation records, and the traceability matrix that proves you built what you specified.
- Device Master Record (DMR): the recipe to produce the device — specifications, build/configuration, and the documents needed for consistent manufacture.
These feed directly into FDA 21 CFR 820 (Quality System Regulation), the EU MDR technical file, and a Health Canada Medical Device Licence dossier.
Lifecycle and risk records
Because ISO 13485 ties to risk, the contractor should also deliver records aligned to IEC 62304 for software and ISO 14971 for risk — the same artifacts an FDA 510(k) reuses.
A checklist for vetting a development partner
- Is there a current ISO 13485 certificate, and does its scope cover your device type?
- Can they show design-control procedures and a sample DHF index?
- Do they produce traceability from requirement to verification as a standard output?
- Do they support risk management (ISO 14971) and software lifecycle (IEC 62304) records?
- For connected devices, do they handle FDA 524B cybersecurity evidence (SBOM, signed firmware)?
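The traceability matrix asked for above (and listed among the DHF contents earlier) is easy to describe and easy to hand over half-finished. The script below is an added example, not code from the page or from any contractor's toolchain: it takes requirements, ISO 14971 risk controls and verification records in a constructed, simplified shape and reports the four gaps a reviewer looks for first: requirements with no test, requirements whose tests are not all passing, tests that cite a requirement that does not exist, and risk controls that point at an unknown requirement. All record shapes, identifiers and sample text are assumptions made for the example.

```python
"""Requirement-to-verification traceability gap check for a DHF.

Added example (not from the page or from any contractor's toolchain).
Record shapes and identifiers below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Requirement:
    req_id: str
    text: str


@dataclass
class RiskControl:
    """ISO 14971 risk control; must be implemented by a known requirement."""
    rc_id: str
    hazard: str
    implemented_by: str


@dataclass
class Verification:
    """A verification test and the requirement ids it claims to cover."""
    test_id: str
    covers: list
    result: str  # "pass", "fail" or "not-run"


@dataclass
class TraceReport:
    uncovered: list = field(default_factory=list)          # requirement has no test at all
    unverified: list = field(default_factory=list)         # has tests, but not all passing
    orphan_tests: list = field(default_factory=list)       # (test_id, unknown requirement id)
    dangling_controls: list = field(default_factory=list)  # (rc_id, unknown requirement id)

    @property
    def complete(self) -> bool:
        """True only when every requirement is covered by passing tests and
        every risk control and test points at a real requirement."""
        return not (self.uncovered or self.unverified
                    or self.orphan_tests or self.dangling_controls)


def build_trace_report(reqs, controls, tests) -> TraceReport:
    report = TraceReport()
    coverage = {r.req_id: [] for r in reqs}
    for t in tests:
        for rid in t.covers:
            if rid in coverage:
                coverage[rid].append(t)
            else:
                report.orphan_tests.append((t.test_id, rid))
    for rid, ts in coverage.items():
        if not ts:
            report.uncovered.append(rid)
        elif any(t.result != "pass" for t in ts):
            report.unverified.append(rid)
    for c in controls:
        if c.implemented_by not in coverage:
            report.dangling_controls.append((c.rc_id, c.implemented_by))
    return report


def matrix_rows(reqs, tests):
    """The traceability matrix itself: one (req_id, [test_ids]) row per requirement."""
    return [(r.req_id, sorted(t.test_id for t in tests if r.req_id in t.covers))
            for r in reqs]


# Constructed sample records in the shape a contractor might hand over.
REQS = [
    Requirement("REQ-001", "Device shall accept only firmware images with a valid signature."),
    Requirement("REQ-002", "Device shall report battery level to the hub every 60 s."),
    Requirement("REQ-003", "Every OTA update attempt shall be written to the audit log."),
]
CONTROLS = [
    RiskControl("RC-01", "Unauthorized firmware executes on device", "REQ-001"),
    RiskControl("RC-02", "Update applied without a record", "REQ-004"),  # no REQ-004 exists
]
TESTS = [
    Verification("TST-010", ["REQ-001"], "pass"),
    Verification("TST-011", ["REQ-002"], "fail"),
    Verification("TST-012", ["REQ-009"], "pass"),  # cites a requirement that does not exist
]


if __name__ == "__main__":
    rep = build_trace_report(REQS, CONTROLS, TESTS)
    for row in matrix_rows(REQS, TESTS):
        print(row)
    print("uncovered:", rep.uncovered)
    print("unverified:", rep.unverified)
    print("orphan tests:", rep.orphan_tests)
    print("dangling risk controls:", rep.dangling_controls)
    print("DHF traceability complete:", rep.complete)
```

Run as-is, the sample data produces one finding of each kind, so `complete` is False; the matrix is only acceptable for the file when all four lists are empty. Real deliverables will arrive as spreadsheets or requirements-tool exports rather than Python objects, but the checks are the same: load the rows into these three record types and the report tells you what still has to be closed before the DHF is assembled.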
Why this matters to your submission
Regulators do not accept ‘our vendor built it’ as a substitute for documentation. The DHF and DMR are your obligation, assembled from your partner’s outputs. Choosing a contractor whose quality system already speaks ISO 13485 means the records arrive in the right shape — saving the expensive reconstruction that 9001-only engagements often trigger. This holds across North American and global markets; the compliant medical IoT hub shows how one well-run engineering file serves multiple jurisdictions.
Where Fundamentum fits
An ISO 13485 contractor must hand you records that feed your DHF and DMR — including how firmware is built, secured and delivered. Fundamentum, our Canadian IoT platform, supplies the connected-device side: signed firmware, governed OTA and an audit trail in a SOC 2 Type II perimeter, so the deployment evidence arrives in the right shape. It can interface with AWS, Azure or Google Cloud if your architecture requires it.
Frequently asked questions
What’s the core difference between ISO 13485 and ISO 9001?
ISO 9001 is a general quality-management standard for any industry. ISO 13485 rebuilds that framework for medical devices: it is tied to regulatory requirements, mandates risk management across product realization, and demands extensive controlled documentation, traceability and design controls.
Is ISO 9001 enough for a medical device contractor?
Usually not. ISO 9001 alone signals general competence but omits the medical-specific controls regulators expect. You can still work with a 9001-only partner, but you then absorb the medical documentation burden in-house. For a medical device, look for an ISO 13485 certified or compliant quality system.
What is a DHF and a DMR?
The Design History File (DHF) holds design inputs, plans, reviews, verification and validation records and the traceability matrix — proof you built what you specified. The Device Master Record (DMR) is the recipe to produce the device: specifications, build/configuration and the documents for consistent manufacture. Both are your obligation, assembled from your contractor’s outputs.
What deliverables should I demand from a development partner?
Structured, controlled outputs that populate your DHF and DMR: design inputs, reviews, V&V records, a requirement-to-verification traceability matrix, ISO 14971 risk records and IEC 62304 software lifecycle records. For connected devices, also FDA 524B cybersecurity evidence such as SBOM and signed firmware.
Does ISO 13485 satisfy FDA and other regulators directly?
It aligns closely with FDA 21 CFR 820, the EU MDR and Health Canada expectations, and is widely recognized — but certification is not automatic clearance. Regulators still require your own DHF, DMR and submission. A 13485 contractor makes those records arrive in the right shape across North American and global markets.