ISO 13485 Software: A Clause-by-Clause Map of eLeaP QMS Capabilities for Medical Device Manufacturers

There is no shortage of content explaining what ISO 13485:2016 requires. Greenlight Guru has built a substantial regulatory glossary covering the standard in definitional terms. SimplerQMS holds partial positions in the ISO 13485 software cluster. What is harder to find is a page that maps each ISO 13485 clause directly to specific software capabilities and explains precisely how those capabilities satisfy the regulatory requirement — the evaluation layer rather than the definitional layer.

This page covers the ISO 13485:2016 clause structure from a software evaluation perspective: what each clause requires operationally, what eLeaP delivers to satisfy it, and where the QMSR alignment means that an ISO 13485-compliant quality system is, in substance, also a QMSR-compliant quality system for US medical device manufacturers. It is written for quality engineers, regulatory affairs managers, and quality system managers evaluating ISO 13485 software, not for readers looking for a regulatory introduction to the standard.

QMSR Alignment: Why ISO 13485 Compliance Is Now Effectively QMSR Compliance

In January 2024, the FDA published the Quality Management System Regulation, effective February 2026, replacing the prior 21 CFR Part 820 and aligning the US medical device quality system regulation with ISO 13485:2016 by incorporation by reference. The practical consequence for US medical device manufacturers is that the quality system architecture required by the QMSR is the ISO 13485 architecture. A manufacturer whose quality system satisfies ISO 13485:2016 satisfies the QMSR’s foundational requirements. FDA’s supplemental requirements in the QMSR — complaint handling under 21 CFR Part 820.198, MDR evaluation, and certain records requirements — extend beyond the ISO 13485 baseline but do not contradict it.

For manufacturers who had previously maintained separate quality system architectures for FDA compliance under the prior Part 820 and for international market access under ISO 13485, the QMSR eliminates the structural divergence. A single ISO 13485-aligned quality system satisfies both. eLeaP’s QMS is structured around ISO 13485:2016 across all functional modules. The clause-by-clause capability map below covers the full standard. Manufacturers transitioning from the prior Part 820 framework will find the QMSR transition documentation package, which maps QMSR requirements to ISO 13485 sections, available as part of the eLeaP implementation support resources.

ISO 13485:2016 Clause-by-Clause Software Capability Map

The following section maps each major ISO 13485:2016 clause to the specific eLeaP capability that addresses its requirement. Clauses that do not have a direct software capability counterpart — principally management responsibility clauses in Section 5 that address organisational commitment rather than documented procedures — are noted where relevant but not mapped.

Section 4.2 — Documentation Requirements

ISO 13485 Section 4.2 requires that the quality management system documentation include a quality manual, documented procedures required by the standard, documents required for effective planning, operation, and control of processes, and records required by the standard. Section 4.2.4 requires that documents be controlled: approved before issue, reviewed and updated as necessary, identified with revision status, available at points of use, and legible and identifiable. Section 4.2.5 requires that records required by the standard and by applicable regulatory requirements be established and maintained to provide evidence of conformity and be protected, retrievable, retained for a defined period, and disposed of in a controlled manner.

eLeaP capability: the document control module manages the full controlled document lifecycle with version control, approval workflows, electronic signatures, controlled distribution, and automatic supersession. Every document in the system has a current revision status. Prior versions are archived but retrievable. Documents are accessible only to authorised roles. The quality records module maintains all records required by the standard with defined retention periods, access controls, and audit trails satisfying the Section 4.2.5 requirements.

Section 6.2 — Human Resources and Competency

ISO 13485 Section 6.2 requires that personnel performing work affecting product quality be competent on the basis of appropriate education, training, skills, and experience, that the organisation determine the necessary competence for such personnel, provide training to achieve and maintain competence, evaluate the effectiveness of training, ensure personnel are aware of the relevance and importance of their activities, and maintain records of education, training, skills, and experience.

eLeaP capability: the integrated LMS delivers the training management infrastructure that Section 6.2 requires. The training matrix defines required competencies by role. Training assignments are created automatically when a new employee is assigned to a role or when a controlled document is revised. Training completion records link to the specific document version on which the employee was trained, satisfying the Section 6.2 requirement that records demonstrate training on current procedures. Effectiveness evaluation is configurable per training item: assessment scores, observation checklists, or post-training performance data. The training record for each employee is accessible from within the QMS for quality system audits and regulatory inspections without navigating to a separate system.

Section 7.3 — Design and Development

ISO 13485 Section 7.3 is the most extensive clause in the standard for device manufacturers in the development phase. It covers design and development planning (7.3.2), inputs (7.3.3), outputs (7.3.4), review (7.3.5), verification (7.3.6), validation (7.3.7), transfer to production (7.3.8), control of design and development changes (7.3.9), and design and development files (7.3.10). Together, these requirements constitute the Design History File obligation: the DHF must contain or reference the records that demonstrate the device was designed and developed in accordance with the approved design plan.

eLeaP structures design control as a connected record set rather than a folder of documents. The design and development plan is a controlled document that defines the review, verification, and validation activities and their responsible parties. Design inputs are captured as structured records with the source of each input (regulatory requirement, user need, or risk assessment) documented. Design outputs link to the inputs they address, maintaining the traceability required for design verification. Each design review, verification activity, and validation study is a quality record linked to the design phase it covers. Design changes under Section 7.3.9 route through the change control workflow with impact assessment against prior verification and validation, with re-verification or re-validation required where the impact assessment indicates. The Design History File in eLeaP is a navigable record structure, not a document collection, with each element of the Section 7.3 requirements accessible from the device record view.

Section 7.4 — Purchasing and Supplier Controls

ISO 13485 Section 7.4 requires that the organisation establish documented criteria for evaluating and selecting suppliers based on their ability to meet the organisation’s requirements, maintain records of evaluations and resulting actions, and monitor and re-evaluate suppliers at defined intervals. Section 7.4 also requires that purchasing information describe the product or service to be purchased with sufficient clarity to allow verification upon receipt, and that the organisation verify that purchased products meet specified purchase requirements.

eLeaP capability: the supplier quality module maintains supplier qualification records, including initial evaluation, qualification status, approved supplier list membership, audit history, and SCAR history. Supplier performance scorecards aggregate incoming inspection reject rates, SCAR closure rates, and audit finding trends. Supplier re-evaluation at defined intervals is scheduled within the system and generates notifications when re-evaluation is due. Incoming inspection records link to purchase orders and supplier records, providing the verification evidence required under Section 7.4.3. Supplier SCARs link to the incoming inspection nonconformances that triggered them and to the supplier record, maintaining the traceability chain required for Section 7.4 compliance.

Section 7.5 — Production and Service Provision

ISO 13485 Section 7.5 covers production controls (7.5.1), cleanliness of product (7.5.2), installation activities (7.5.3), servicing activities (7.5.4), particular requirements for sterile medical devices (7.5.5), validation of processes for production and service provision (7.5.6), particular requirements for validation of sterile device processes (7.5.7), identification and traceability (7.5.8), customer property (7.5.9), and preservation of product (7.5.10). Section 7.5.8 specifically requires that Device History Records be maintained for each manufactured unit or batch to demonstrate that the device was manufactured in accordance with the Device Master Record.

eLeaP capability: production records in eLeaP link each DHR to the DMR version in effect at the time of production, the equipment qualification records for equipment used, the incoming inspection acceptance records for materials used, and the in-process and final acceptance test records. Process validation documentation for Section 7.5.6 is organised within the product record structure, with validation protocols and reports linked to the production process they validate. When a production process change occurs under Section 7.5.6, the change control record identifies the revalidation requirement and tracks the revalidation to completion. Unique Device Identifier capture in production records supports the traceability requirement of Section 7.5.8.3 for implantable devices.

Section 8.2 — Monitoring and Measurement

ISO 13485 Section 8.2 covers feedback (8.2.1), complaint handling (8.2.2), reporting to regulatory authorities (8.2.3), internal audit (8.2.4), monitoring and measurement of processes (8.2.5), and monitoring and measurement of product (8.2.6). Section 8.2.1 requires that the organisation gather and monitor information relating to whether the organisation has met customer requirements, including analysis of complaint data and post-market surveillance data as a feedback input to the quality system. Section 8.2.2 requires documented complaint handling procedures, including MDR evaluation.

eLeaP capability: the complaint management module captures complaints with mandatory intake fields required by 21 CFR Part 820.198 and ISO 13485 Section 8.2.2. MDR evaluation is a structured workflow stage in the medical device complaint record. Complaint trending reports surface patterns by device model, failure mode, and complaint type, satisfying the Section 8.2.1 feedback requirement. Internal audit management under Section 8.2.4 configures annual audit schedules, manages checklist assignment, captures findings with classification, routes findings to responsible owners, and links major findings to CAPAs. Audit finding trends by clause and process area are available in the audit management dashboard for management review.

Section 8.3 — Control of Nonconforming Product

ISO 13485 Section 8.3 requires that the organisation ensure that a product that does not conform to product requirements is identified and controlled to prevent unintended use or delivery. The standard requires documented procedures for nonconforming product control, including provisions for defining responsibilities and authorities for reviewing, disposing of, and recording nonconforming product, and for notifying customers and regulatory authorities when required. Section 8.3.4 requires that all accepted nonconforming products be traceable to authorised personnel who accepted them.

eLeaP capability: nonconformance records capture the device identification, the nature of the nonconformity, the quantity affected, and the detection point. Material Review Board disposition — use as-is, rework, scrap, return to supplier — routes through a configured approval workflow with the required authorisation for each disposition type. Rework instructions link to the nonconformance record. Accepted nonconforming product records carry the identity of the authorising personnel and the documented rationale, satisfying Section 8.3.4. Notification records for customer or regulatory authority notification, where required, are linked to the nonconformance record. Nonconformance trends by product, process, and defect type are available for analysis and CAPA input.

Section 8.5 — Improvement Including CAPA

ISO 13485 Section 8.5 covers general improvement (8.5.1), corrective action (8.5.2), and preventive action (8.5.3). Section 8.5.2 requires documented procedures for corrective action that include reviewing nonconformities, determining their causes, evaluating the need for action to prevent recurrence, determining and implementing action needed, recording results of investigation and action taken, and reviewing the effectiveness of corrective action. Section 8.5.3 requires equivalent procedures for preventive action on potential nonconformities.

eLeaP capability: the CAPA management module satisfies Section 8.5.2 and 8.5.3 through a structured closed-loop workflow. Root cause analysis documentation supports 5-Why, fishbone, and FMEA methods as native record entries. Corrective actions link explicitly to the root causes they address. Effectiveness verification criteria are required fields defined before corrective action implementation, preventing retrospective criteria selection. The CAPA cannot advance to closed status without documented effectiveness verification. CAPA records originate from all ISO 13485-relevant input sources: nonconformances, complaints, audit findings, management review outputs, and trending analysis.

Section 7.3 Design Controls in Depth: The Design History File as a Connected Record Set

Section 7.3 deserves expanded treatment because it is the clause most commonly evaluated during Notified Body audits of medical device manufacturers, and because the Design History File requirement is the one most frequently misunderstood as a document folder obligation rather than a record traceability obligation. The DHF is not a SharePoint folder containing PDFs of design documents. It is a set of records, each connected to the others in a way that allows an auditor to trace from a user need to the device specification that addresses it, to the design verification that confirms the specification was met, to the design validation that confirms the device meets the user need, and through any design changes to the re-verification or re-validation that confirmed the change did not compromise conformity.

eLeaP structures the DHF as a navigable record network. The device record is the root. Design and development planning records, design input records, design output records, design review records, verification records, validation records, and transfer records all attach to the device record with explicit linkages that support the traceability audit. Each design review captures the participants, the documents reviewed, the review findings, and the decisions taken. Verification records reference the design output specifications they verify, the verification method, and the results. Validation records reference the user needs they validate against and the validation study data.

Design changes under Section 7.3.9 are the most audit-sensitive element of the Section 7.3 compliance picture. A design change that was not assessed for impact on prior verification and validation, or that was implemented without the required re-verification, is a finding in every Notified Body audit of a device manufacturer that has made post-clearance design changes. In eLeaP, the design change control record includes a verification and validation impact assessment field. A determination that re-verification or re-validation is required generates mandatory action items in the change control record. The design change cannot be closed until those action items are completed and the updated verification or validation records are linked to the change record.

Section 6.2 Competency in Practice: How eLeaP’s QMS+LMS Integration Satisfies the Training Requirement

ISO 13485 Section 6.2 is a training management requirement embedded within a quality management standard. The requirement is not satisfied by maintaining training records in a separate LMS that the QMS cannot query. It requires that the quality system demonstrate, for any personnel performing work affecting product quality, that they are competent — that their training records reflect training on the current versions of the procedures governing their work, that their competency has been evaluated, and that their training is current.

In a quality system where the QMS and LMS are separate platforms, satisfying this requirement during an audit requires pulling the employee’s training record from the LMS, identifying the relevant procedure from the QMS, confirming the procedure version the employee was trained on matches the current effective version, and presenting both records to the auditor. That reconciliation is manual, error-prone, and time-consuming.

In eLeaP, the Section 6.2 demonstration is a single system query. The training record for any employee in any role shows the required training profile for that role, the completion status for each item, the document version each completion record references, whether any items are overdue or approaching their retraining interval, and the effectiveness evaluation result, where applicable. A Notified Body auditor asking whether a specific production operator is trained on the current version of the work instruction governing their assigned process receives a response in seconds from a single system that contains both the quality record and the training record.

Evaluating ISO 13485 Software: Six Clause-Referenced Questions

ISO 13485 software evaluations should test clause-level capability rather than general feature presence. Greenlight Guru’s content depth on ISO 13485 definitional content is substantial. The questions below test the software layer that their content does not reach.

eLeaP’s answers to all six questions are yes, demonstrable in a clause-referenced platform walkthrough. The demo covers the Section 7.3 Design History File record structure, the Section 6.2 training matrix demonstration, and the Section 8.5.2 CAPA effectiveness gate — configured for the buyer’s device type and regulatory market. Request a scoped ISO 13485 software demo at eleapsoftware.com.
