Assyro AI
Editorial illustration for ISO 13485 Software: How to Choose, Validate, and Use QMS Tools for Medical Device Quality.

ISO 13485 Software: How to Choose, Validate, and Use QMS Tools for Medical Device Quality

ISO 13485 software is software used to run the processes and records of a medical device quality management system: document control, training, CAPA, supplier quality, audits.

Assyro Team
Published July 8, 2026

Overview

ISO 13485 software is software used to run the processes and records of a medical device quality management system: document control, training, CAPA, supplier quality, audits, and change control. It supports compliance but does not create it. Your organization still owns its procedures, its validation of the software itself, and its audit evidence. The right choice depends on your intended use, risk profile, and existing tool landscape.

ISO 13485 is an internationally recognized standard that sets out the requirements for quality management systems in the medical device industry, as Scilife's guide to common ISO 13485 mistakes summarizes. The standard requires organizations to maintain extensive records covering everything from design and development to post-market surveillance, and mandates that risk-based thinking be applied to all QMS processes, according to Smithers' review of certification challenges. Software makes those obligations manageable at scale, which is why most evaluations for "ISO 13485 software" are really evaluations of eQMS platforms and adjacent tools.

This article covers the full decision path: what the category includes and excludes, the capabilities that matter, a decision matrix across tool categories, how to validate ISO 13485 QMS software, where 21 CFR Part 11 and FDA QMSR fit, implementation and migration planning, cost drivers, and the mistakes that most often surface during certification audits.

What ISO 13485 software is and what it is not

The term covers several overlapping categories, and buyers regularly conflate them. ISO 13485 QMS software (usually called an eQMS) manages controlled documents, quality records, and quality workflows. General quality management software does similar work without medical device specifics such as design history structures or complaint handling aligned to regulatory reporting. Document repositories store files but rarely enforce approval workflows or training linkage. Requirements management tools manage design inputs and traceability, not the full QMS record layer.

Getting the boundary right matters because it determines your validation scope, your audit evidence strategy, and your budget. A team that buys a document repository expecting CAPA workflow support will end up rebuilding processes in spreadsheets. A team that buys a full eQMS to solve only a document control problem will carry configuration and validation burden it never needed.

ISO 13485 software supports the quality system, not certification by itself

Software can control document approvals, preserve change histories, assign and track training, route CAPAs, and retrieve evidence on demand. What it cannot do is write your procedures, define your risk-based processes, or answer an auditor's questions about why a decision was made. Certification is a judgment about your quality system as implemented, not about the tool you licensed.

This distinction shows up in real audit outcomes. Smithers identifies inadequate resource allocation, poor documentation and record-keeping, and insufficient risk management processes among the top certification challenges for suppliers, and none of those are solved by purchasing a platform. Treat the software as infrastructure for a quality system you still have to design, staff, and maintain.

QMS software is different from SaMD and embedded device software

Software used to run your quality system is not the same as software that is itself a medical device or part of one. Software as a Medical Device (SaMD) and embedded device software follow product lifecycle expectations, commonly IEC 62304, and risk frameworks such as the IMDRF's four-level risk categorization for SaMD, referenced in Expandable's ISO 13485 software validation guide.

Your eQMS never touches a patient, so it does not need design controls as a product. It does, however, need computer system validation proportionate to its role in your quality system. Keep the two validation tracks separate in your planning, because they answer to different clauses, different reviewers, and different evidence expectations.

Core capabilities ISO 13485 software should support

The practical question when comparing platforms is not "does it mention ISO 13485" but "which QMS processes can it run as controlled workflows with retrievable evidence." Every capability below should produce records you can pull during an audit without reconstructing history by hand.

A short worked example shows what that looks like in practice. Suppose a complaint arrives about intermittent alarm failure on an infusion accessory. In a well-configured eQMS, the complaint record is logged with a unique ID and an owner. Triage determines it meets your CAPA threshold, so the system opens a linked CAPA record. The investigation identifies a supplier component drift as the root cause, which links the CAPA to the supplier's quality record and triggers a change to the incoming inspection procedure. That procedure revision routes through document control: the owner drafts revision C, two approvers sign electronically with timestamps, the effective date is set, revision B is automatically obsoleted, and affected operators receive a training assignment they must complete before the new revision governs their work. Twelve months later, an auditor asks how you handled that complaint. You retrieve one linked chain: complaint, CAPA, root cause, supplier record, procedure revision, approvals, training completions, and the effectiveness check. No folder archaeology, no email forensics. That linked chain is the core value of the category.

Document control and controlled records

Document control is the backbone capability. Look for enforced approval routing, version control with revision history, effective dates, controlled obsolescence of superseded versions, defined retention, and access restrictions by role. ISO 13485 requires organizations to maintain extensive records across the product lifecycle, per Smithers, so retrieval speed matters as much as storage.

Evaluate the system with a concrete test: ask the vendor to show you every revision of a procedure, who approved each one, when each became effective, and who was trained on which revision. If that takes more than a few minutes in a demo, it will take longer under audit pressure.

Training, roles, and process ownership

Auditors routinely check whether personnel were trained on the current revision of the procedures they execute. Software should assign training automatically when a document revision becomes effective, track completion with dates and signatures, and report gaps by role or department. Role-based access control belongs in the same evaluation, since it defines who can author, approve, or administer records.

Ownership is the quieter requirement. Every workflow, document, and quality record should have a named owner in the system, because unowned records are the ones that go stale and generate findings.

CAPA, nonconformance, complaints, and change control

These workflows share a common shape: intake, evaluation, investigation, action, approval, and effectiveness verification. Strong ISO 13485 software connects them rather than treating each as an isolated form. A nonconformance should be able to escalate to a CAPA, a CAPA should be able to trigger a document change, and a complaint should link to both when relevant, as in the worked example above.

When you evaluate this area, test the links, not just the forms. Ask how a closed CAPA references the document revisions it caused, and whether effectiveness checks can be scheduled and enforced rather than remembered.

Supplier quality, audits, and management review evidence

ISO 13485 requires organizations to establish and maintain rigorous controls over their supply chain, according to Smithers, so supplier records, evaluations, and approved supplier lists belong in the controlled environment, not in a spreadsheet on a shared drive. Audit management should cover plans, findings, and follow-up actions with owners and due dates.

Management review is often the weakest evidence area in practice. Software helps by aggregating inputs (CAPA trends, complaint volumes, audit results, supplier performance) and preserving outputs and action items as records. Scilife lists skipped internal audits among the most common ISO 13485 mistakes, and internal audit programs are far easier to sustain when scheduling and findings live in a system with reminders and escalation.

Traceability across requirements, risk, verification, and approvals

Design controls create a traceability need that spans requirements, ISO 14971 risk records, verification evidence, and approvals. Some eQMS platforms cover this natively; others expect a requirements management tool to hold the design-side trace while the eQMS holds the quality records. Neither approach is wrong, but you should decide deliberately where each trace lives and how the two systems reference each other.

The audit-readiness test is simple: given a design change, can you show which requirements, risks, verification results, and approvals were affected, and in what order? If the answer requires exporting from three tools and reconciling by hand, your traceability is a project, not a capability.

ISO 13485 software decision matrix

Most buying mistakes in this category are boundary mistakes: using a tool outside its intended role and discovering the gap during an audit. The matrix below compares the common tool categories against the roles they actually fill in an ISO 13485 context, including validation burden and the audit evidence each can realistically produce.

Tool category

Intended use in an ISO 13485 context

Best fit

Key limits

Validation burden

Audit evidence it produces

eQMS

Controlled QMS workflows and records (documents, training, CAPA, suppliers, audits)

Companies running the full quality system in one place

Configuration effort; may not cover design-side traceability

Moderate to high, driven by configuration

Approval histories, training records, CAPA chains, change histories, access logs

Document management

Controlled document storage, versioning, basic approvals

Document control as a first step or alongside other tools

No CAPA, training, or supplier workflows

Moderate

Version histories and approvals for documents only

Requirements management / ALM

Design inputs, traceability, verification linkage

Design controls and IEC 62304 development traces

Not a QMS record system

Moderate

Requirement-to-verification trace matrices

PLM

Product structure, BOMs, engineering change

Manufacturers with complex product data

Quality workflows are usually secondary

Moderate to high

Engineering change records, BOM histories

ERP / MES

Production, inventory, manufacturing execution

Production and device history record data

Not designed for QMS document or CAPA workflows

High where quality-impacting

Production records, lot traceability

Spreadsheets / shared drives

Ad hoc logs and lists

Very small, low-complexity, pre-commercial scope

No enforced approvals, weak audit trails, fragile access control

High relative to value if quality-impacting

Minimal; history is easy to overwrite

Use the matrix as a scoping tool, not a ranking. Most organizations end up with an eQMS at the center and one or two adjacent systems handling design traceability or production data, with clear procedures defining which system is the record of truth for each process.

When an eQMS is the right fit

An eQMS earns its cost when you have multiple interconnected quality processes that need enforced workflows: document control feeding training, complaints feeding CAPA, CAPA feeding change control, suppliers feeding incoming inspection. If you are approaching certification, scaling headcount, or managing more than a handful of controlled procedures, the coordination cost of manual systems usually exceeds the platform cost.

The fit is strongest when your team can name the workflows it wants to control and the evidence it needs to retrieve. If you cannot yet describe your processes, fix that first; configuring an eQMS around undefined processes produces an expensive mirror of your confusion.

When document management or spreadsheets are not enough

Shared drives and spreadsheets fail quietly. They lack enforced approval routing, so a procedure can be edited after approval with no trace. They lack training linkage, so you cannot prove who was trained on which revision. They lack reliable audit trails, so change history depends on file-naming discipline. Each gap is survivable alone; together they make audit evidence reconstruction a recurring emergency.

The turning point is usually volume and interconnection. When a document change needs to trigger training, or a complaint needs to link to a CAPA, spreadsheets force a human to be the workflow engine, and humans under deadline pressure skip steps.

Where requirements management, ALM, PLM, ERP, and MES fit

These systems handle real quality-relevant data (design inputs, product structures, production records) but they were not built to be the QMS record layer. A requirements tool gives you excellent design traceability and nothing for CAPA. An ERP holds lot data but not controlled procedures. Treating any of them as your ISO 13485 system leaves workflow gaps that spreadsheets end up filling.

The defensible pattern is explicit scoping: document in your quality manual which system holds which records, how they reference each other, and which is authoritative when they disagree. Auditors accept multi-system landscapes; they do not accept ambiguity about where the record of truth lives.

How to validate ISO 13485 QMS software

Validation is where the category gets underestimated. ISO 13485 has relatively stringent demands here: at least 8 clauses in the standard carry specific requirements related to software validation, according to both Ideagen's community walkthrough and Expandable's step-by-step guide. The expectation is validation proportionate to risk, which means your effort should scale with the software's impact on product quality and record integrity, not with the vendor's price tier.

Start with intended use and risk

Define what the software is for in your quality system before writing a single test. The same eQMS module can warrant deep validation at one company and light validation at another, depending on whether it governs release decisions, holds regulatory records, or merely tracks internal tasks. Intended use drives everything downstream: which requirements you write, which functions you test, and which failures you must design against.

Document the risk assessment explicitly. A statement like "document control failure could allow an obsolete work instruction to be used in production" justifies rigorous testing of obsolescence controls, while a low-impact reporting dashboard can be validated with a brief rationale and minimal testing. Proportionality only defends itself when it is written down.

Build validation evidence around configured workflows

Vendor validation packages describe the software as shipped, not as you configured it. Your evidence should cover your user requirements, your configured workflows, your access roles, and your migrated data. In practice that means user requirement specifications, configuration test scripts tied to those requirements, migration verification checks, access-control tests, and documented approvals of the results.

Educational visual for Build validation evidence around configured workflows in ISO 13485 Software: How to Choose, Validate, and Use QMS.
Educational visual for Build validation evidence around configured workflows in ISO 13485 Software: How to Choose, Validate, and Use QMS.

A useful discipline is one-to-one traceability: every requirement maps to at least one test, and every test maps back to a requirement. This keeps test plans lean and makes the validation summary defensible when an auditor asks why a given function was or was not tested.

Maintain the system in a validated state

Initial validation is a snapshot; the audit risk accumulates afterward. Cloud vendors push updates, administrators change configurations, integrations get added, and each change can silently invalidate assumptions your original testing relied on. A lifecycle approach treats validation as an ongoing control, with change evaluation built into your change control procedure.

Common revalidation triggers worth defining in advance include:

  • Vendor releases that change validated functions or workflows
  • Configuration changes to approval routes, roles, or record structures
  • New integrations, APIs, or data migrations into or out of the system
  • Access model changes, such as new user roles or permission schemes
  • Periodic review findings indicating drift between procedures and system behavior

Not every trigger demands full regression testing. A documented impact assessment that concludes "no validated function affected, no retest required" is itself evidence of control, and it is far cheaper than either untracked change or reflexive full revalidation.

ISO 13485 software rarely operates against a single framework. Depending on your markets, the same system may need to satisfy electronic records expectations, align with FDA quality system requirements, and interlock with risk management and product software standards. The point of this section is boundaries: knowing which framework adds which expectations, so you neither over-scope nor assume coverage you do not have.

When 21 CFR Part 11 matters

Part 11 concerns electronic records and electronic signatures in FDA-regulated contexts. Whether it applies to your eQMS depends on whether the records it holds fall within FDA requirements and whether you rely on electronic signatures for those records. It is not a blanket requirement for all ISO 13485 software, and vendors claiming "Part 11 compliant" are describing capabilities, not your compliance.

When Part 11 is in scope, evaluate the controls it implies: secure, computer-generated audit trails; unique user credentials and access controls; signature manifestation with name, date, and meaning; and record retention that preserves integrity over time. These are worth evaluating even outside Part 11 scope, because they are the same controls that make audit evidence trustworthy.

How FDA QMSR changes the context but not the software decision alone

The FDA released a final rule in January 2024 amending 21 CFR Part 820, and FDA medical device quality requirements will line up with ISO 13485 when the new regulation takes effect on February 2, 2026, per Expandable's summary of the QMSR transition. For companies selling into the US, this convergence reduces duplicate framework maintenance, since an ISO 13485-aligned quality system moves closer to FDA expectations.

It does not, however, change the software decision by itself. Alignment between ISO 13485 and QMSR does not mean an ISO 13485-aligned tool automatically satisfies FDA expectations; interpretive differences remain, and your procedures and validation evidence still carry the compliance weight. Treat QMSR as context that strengthens the case for a single well-run quality system rather than as a feature checkbox.

How ISO 14971, IEC 62304, EU MDR, and MDSAP relate

ISO 14971 governs risk management for medical devices, and its records (hazard analyses, risk controls, residual risk evaluations) need a controlled home, whether in the eQMS or a linked requirements tool. IEC 62304 applies to medical device software lifecycles, meaning your product software, not your QMS platform. EU MDR adds market-access documentation and post-market surveillance expectations that your QMS records must support. MDSAP is an audit program under which a single audit covers multiple jurisdictions, which raises the bar for evidence retrieval because one audit can probe your entire system.

The practical implication for software selection: prefer systems that make cross-references explicit. When a risk control maps to a verification record, and a post-market signal maps back to a risk file update, your system is doing the connective work these frameworks all assume.

Implementation planning: migration, ownership, and rollout

Most implementation pain comes from underestimating the state of existing records. Teams moving from paper, spreadsheets, or shared drives discover duplicate documents, unclear ownership, missing approvals on legacy records, and folder structures that never mapped to a document hierarchy. The software project is usually the smaller half; the records cleanup is the larger half.

Plan the migration before configuring workflows

Inventory your documents and records before touching configuration. Decide the document hierarchy (quality manual, procedures, work instructions, forms), identify which legacy documents are current, which are obsolete, and which lack approvals. Define metadata (owners, document types, review cycles) before import, because retrofitting metadata across hundreds of migrated records is slow and error-prone.

Migration itself needs verification. Sample-check migrated documents against source, confirm version histories carried over or were deliberately reset with a documented rationale, and record the migration as a controlled activity with its own approval. A migration you cannot evidence is a gap an auditor can find.

Assign owners for validation, quality records, and system administration

Three ownership roles need names before go-live: someone owns the validation state (change impact assessments, periodic review), someone owns quality records and their procedures, and someone administers the system (access, configuration, vendor relationship). In small companies one person may hold all three, but the responsibilities should still be written down separately, because they diverge as the company grows.

Multi-site organizations need extra care here. When one site configures the system and another site merely uses it, validation records and responsibilities fragment unless a procedure assigns them explicitly. Unclear ownership is a common root cause behind documentation findings, consistent with the resource allocation and record-keeping challenges Smithers identifies.

Use phased rollout when risk or change burden is high

A big-bang migration of every QMS process at once concentrates risk: validation load peaks, training load peaks, and any configuration error affects everything simultaneously. A phased rollout, typically document control and training first, then CAPA and complaints, then supplier quality and audits, lets each phase stabilize before the next adds load.

Phasing also gives you real evidence early. After phase one, you can already demonstrate controlled documents and training records under audit, even while later processes still run on interim procedures. Document the interim state so the transition itself is controlled.

Cost drivers to evaluate before buying

License price is the most visible number and rarely the largest one. Total ownership effort for ISO 13485 software spans configuration, validation, migration, and ongoing change management, and two companies buying the same platform can experience very different total costs depending on these drivers.

Evaluate each of the following before comparing vendor quotes:

  • User count and roles: how many people need authoring, approval, or read-only access, and how licensing treats each tier
  • Module scope: whether you need document control alone or the full CAPA, supplier, audit, and complaint set
  • Configuration depth: how far your workflows diverge from the vendor's defaults
  • Validation effort: risk classification, requirements, test scripts, and approval cycles for your configured system
  • Data migration: volume, cleanup effort, and verification of legacy records
  • Integrations: connections to ERP, PLM, or requirements tools, each adding validation scope
  • Training and adoption: initial training, ongoing training on revisions, and administrator upskilling
  • Vendor change cadence: how often updates arrive and how much impact assessment each one costs you
  • Audit timeline pressure: compressed schedules raise cost through parallel work and external help

None of these has a universal price, which is why credible budgeting starts with your own scoping rather than a market benchmark. A narrow, well-defined scope with clean legacy records is consistently cheaper than a broad scope layered over messy data.

Software costs are only one part of the decision

The recurring pattern across implementations is that internal effort exceeds license spend, especially in validation and migration. A company with strong procedures and a designated validation owner absorbs a new eQMS quickly; a company buying software to compensate for undefined processes pays twice, once for the tool and again for the process definition work it deferred.

When comparing vendors, ask each to break out implementation support, validation documentation support, and migration services separately from license fees. The comparison becomes meaningful only when the effort you must supply is visible next to the effort the vendor supplies.

Educational visual for Software costs are only one part of the decision in ISO 13485 Software: How to Choose, Validate, and Use QMS Tools.
Educational visual for Software costs are only one part of the decision in ISO 13485 Software: How to Choose, Validate, and Use QMS Tools.

Common mistakes when choosing ISO 13485 software

Selection mistakes tend to surface late, during validation or during the certification audit, when they are most expensive to fix. The three failure modes below account for a large share of the rework in this category, and each is avoidable with decisions made before signing.

Treating vendor validation packages as complete evidence

Vendor validation documentation describes testing of the product as built, under the vendor's assumptions. It does not know your intended use, your configuration, your risk assessment, your migrated data, or your procedures. Relying on it alone creates a false sense of coverage: the paperwork exists, but it answers questions no auditor is asking about your system.

Use vendor packages as leverage, not substitute. They can reduce your testing of core platform functions, letting you concentrate your own scripts on configuration, workflows, access controls, and migration. Your validation summary should state explicitly what the vendor evidence covers and what your testing adds.

Choosing features before defining requirements

Feature-first selection produces demos that impress and requirements that never existed. Without user requirements, you cannot build a traceable test plan, so validation either balloons (testing everything) or hollows out (testing what is easy). Weak requirements also cascade into poor adoption, because workflows get configured around vendor defaults rather than how your team works.

Write user requirements first, even briefly: the processes to control, the records to produce, the evidence to retrieve, the roles to enforce. Then score vendors against those requirements. This single discipline shortens selection, shrinks validation, and gives your traceability matrix an anchor.

Ignoring integrations, macros, middleware, and legacy tools

The eQMS is rarely the only software touching quality records. Excel templates with calculation macros, label-printing logic, data-transfer scripts between systems, API middleware, and legacy databases can all materially affect product quality or release decisions while sitting outside anyone's validation scope. These edge cases are where proportionate-to-risk scoping earns its keep.

Apply the same intended-use-and-risk lens to each supporting tool. A macro that computes an acceptance result belongs in validation scope; a formatting template probably does not, and a documented rationale for excluding it is itself a control. Contract manufacturers using customer-supplied software face the same question and still need their own evidence of suitability under their ISO 13485 certificate.

How Assyro AI fits adjacent regulated workflow needs

If your team also prepares regulatory submissions, the workflow problems look familiar: version drift, rework, and manual status reporting across regulatory, quality, and submission teams. That is the adjacent space Assyro AI works in. Assyro provides an AI regulatory submission workspace for pharma, biotech, and medical device teams, where regulatory, quality, and submission teams review against the same version with shared comments, owners, and traceability.

To be clear about the boundary: a submission workspace is not an eQMS and does not replace ISO 13485 QMS functions such as CAPA, supplier quality, or training management. It addresses the submission-cycle coordination layer, which sits alongside the quality system and depends on the same disciplines of controlled versions, named owners, and retrievable history.

Submission workflows still need controlled documents and traceability

The controls this article describes for QMS records apply equally to submission documents: a single current version, visible ownership, review comments preserved in context, and a history you can reconstruct. Assyro's document management capability keeps source documents synced with version history across systems, and its regulatory submission software handles the shared drafting, routing, and readiness-check workflow. For teams working in eCTD format, the eCTD validator provides a concrete readiness check before submission, and lifecycle management supports the deadline-driven cadence of submission cycles.

If your organization is evaluating ISO 13485 software and also carries submission responsibilities, evaluate the two layers together. The evidence disciplines are shared even when the tools are not, and a team that has internalized controlled versioning and traceability in one layer adopts it faster in the other.

Frequently asked questions about ISO 13485 software

The questions below come up in nearly every ISO 13485 software evaluation. Each answer is bounded by what the standard and the evidence actually support, rather than what vendor pages imply.

Is ISO 13485 software required to get certified?

No. Certification assesses your quality management system, not your tooling. Organizations can be certified using different systems, including partially manual ones, if their QMS processes and records are controlled and effective. Software becomes practically necessary as record volume, interconnection between processes, and headcount grow, because manual control stops scaling long before the standard's record-keeping expectations do.

Can a startup use spreadsheets for ISO 13485?

For a limited, low-complexity, pre-commercial scope, spreadsheets and disciplined file management can work. The problems arrive with growth: no enforced approvals, fragile audit trails, no training linkage, and a validation burden that is high relative to the value delivered once spreadsheets become quality-impacting. Most startups that begin on spreadsheets plan a migration to an eQMS around their first certification push, and the migration is easier the earlier records are kept clean and owned.

What audit evidence should ISO 13485 software generate?

The system should let you retrieve, on demand, the records that demonstrate your processes ran as written. Typical examples include:

  • Controlled documents with full approval and revision history
  • Training records tied to specific document revisions
  • CAPA records with investigation, actions, approvals, and effectiveness checks
  • Complaint records linked to related CAPAs and changes
  • Supplier evaluations and approved supplier status history
  • Internal and external audit findings with follow-up actions and owners
  • Management review inputs, outputs, and action tracking
  • Access logs and change histories for the system itself

The retrieval test matters more than the storage test. Evidence you cannot find within minutes during an audit functions, in practice, like evidence you do not have.

How long does implementation take?

There is no supportable universal timeline; the honest answer is that duration follows the same drivers as cost. Scope (how many modules), migration complexity (how clean your legacy records are), configuration depth, validation rigor, integration count, training load, and any fixed audit deadline together determine the schedule. A narrow document-control-first rollout with clean records moves fastest; a full-suite migration over messy legacy data under audit deadline pressure moves slowest. Scope the phases, name the owners, and let the timeline follow from the plan rather than the other way around.

About the author

Assyro Team

Expert regulatory operations consultants helping pharmaceutical companies navigate complex compliance challenges.

Demos available this week