ISO 13485 Software: A Clause-by-Clause Map of eLeaP QMS Capabilities for Medical Device Manufacturers

ISO 13485 software is a quality management system built to satisfy the documentation, process control, training, design control, and post-market surveillance requirements of ISO 13485:2016 — the international standard for quality management systems in medical device manufacturing. Unlike a generic QMS that can be configured to approximate compliance, ISO 13485 software is structured around the clause architecture of the standard from the outset: each functional module maps to specific clause requirements, each record type supports specific audit evidence obligations, and the integrated training management system satisfies the Section 6.2 competency requirements that a standalone LMS cannot.

There is no shortage of content explaining what ISO 13485:2016 requires at the definitional level. What is harder to find is a page that maps each clause directly to specific software capabilities and explains precisely how those capabilities satisfy the regulatory requirement — the evaluation layer rather than the definitional layer. This page covers the ISO 13485:2016 clause structure from a software evaluation perspective: what each clause requires operationally, what eLeaP delivers to satisfy it, and where the QMSR alignment means that an ISO 13485-compliant quality system is, in substance, also a QMSR-compliant quality system for US medical device manufacturers. It is written for quality engineers, regulatory affairs managers, and quality system managers evaluating ISO 13485 software, not for readers looking for a regulatory introduction to the standard.

QMSR Alignment: Why ISO 13485 Compliance Is Now Effectively QMSR Compliance

The Quality Management System Regulation (QMSR), effective February 2, 2026, replaced the prior 21 CFR Part 820 and aligned the US medical device quality system regulation with ISO 13485:2016 by incorporation by reference. The practical consequence for US medical device manufacturers is that the quality system architecture required by the QMSR is the ISO 13485 architecture. A manufacturer whose quality system satisfies ISO 13485:2016 satisfies the QMSR’s foundational requirements. FDA’s supplemental requirements in the QMSR — complaint handling, MDR evaluation, and certain records and traceability requirements that extend beyond the ISO 13485 baseline — do not contradict the ISO 13485 framework; they add specificity to it.

For manufacturers who previously maintained separate quality system architectures for FDA compliance under the prior Part 820 and for international market access under ISO 13485, the QMSR eliminates the structural divergence. A single ISO 13485-aligned quality system satisfies both. eLeaP’s QMS is structured around ISO 13485:2016 across all functional modules. The clause-by-clause capability map below covers the full standard. Manufacturers transitioning from the prior Part 820 framework will find the QMSR transition documentation, which maps QMSR requirements to ISO 13485 sections, available as part of the eLeaP implementation support resources.

For manufacturers selling into EU markets, ISO 13485 certification is also the quality system foundation required by EU MDR (2017/745) and IVDR (2017/746). Notified Body audits under EU MDR have become substantially more rigorous since the regulation’s full application, with deeper technical documentation review and more granular post-market surveillance data requirements. ISO 13485 software that supports EU MDR compliance must address not only the standard’s clause requirements but also the MDR-specific obligations that sit above them — particularly the technical documentation requirements of MDR Annex II and III, the post-market clinical follow-up requirements of Annex XIV, and the periodic safety update report obligations. The sections below address EU MDR alignment where relevant to the clause being mapped.

ISO 13485:2016 Clause-by-Clause Software Capability Map

The following maps each ISO 13485:2016 clause to the eLeaP capability that addresses its requirement. Clauses that do not have a direct software capability counterpart — principally the management commitment and quality policy elements of Section 5.1 through 5.4 that address organizational intent rather than documented procedures — are noted but not mapped. All clauses that impose documented procedure, record, or workflow requirements are mapped.

Section 4.1 — General Requirements and Computerized System Validation

ISO 13485 Section 4.1 requires that the organization establish, document, implement, maintain, and continually improve the effectiveness of its quality management system. Section 4.1.6 specifically requires that when computer software is used in the quality management system, the software be validated for its intended use prior to initial use and as appropriate after changes to such software or its application.

eLeaP capability: Section 4.1.6 applies to eLeaP itself as the computerized system supporting the QMS. eLeaP provides a validation support package that supports the customer’s 21 CFR Part 11 and ISO 13485 Section 4.1.6 validation obligations. The package includes Installation Qualification (IQ) protocol and report, Operational Qualification (OQ) protocol and documentation, system design and architecture documentation supporting the customer’s risk assessment, 21 CFR Part 11 compliance mapping, and advance notification of system updates with impact assessment documentation supporting the customer’s change control evaluation. The customer is responsible for Performance Qualification (PQ) in their specific configured environment and the validation summary report signed by their quality unit. For manufacturers applying a GAMP 5 risk-based approach to computerized system validation, eLeaP is typically classified as Category 4 configured software, focusing customer validation effort on the configured environment and intended use rather than re-testing vendor-qualified infrastructure.

Section 4.2 — Documentation Requirements

ISO 13485 Section 4.2 requires that the QMS documentation include a quality manual, documented procedures required by the standard, documents needed for effective planning, operation, and control of processes, and records required by the standard. Section 4.2.4 requires that documents be controlled: approved before issue, reviewed and updated as necessary, identified with revision status, available at points of use, and legible and identifiable. Section 4.2.5 — the medical device file requirement — requires that records required by the standard and by applicable regulatory requirements be established and maintained to provide evidence of conformity, and be protected, retrievable, retained for a defined period, and disposed of in a controlled manner.

eLeaP capability: the document control module manages the full controlled document lifecycle — authoring, review, approval, electronic signature, effective date, controlled distribution, and automatic supersession of prior versions. Every document carries a current revision status. Prior versions are archived and retrievable but not accessible as current through the active document library. Documents are accessible only to authorized roles as defined in the access configuration. The quality records module maintains all records required by the standard with configured retention periods, access controls, and audit trails satisfying the Section 4.2.5 requirements. The medical device file structure links device design records, production records, and post-market records to the device record, supporting the complete Section 4.2.5 evidence set.

Section 5 — Management Responsibility

ISO 13485 Section 5 covers management commitment (5.1), customer focus (5.2), quality policy (5.3), planning (5.4), responsibility, authority, and communication (5.5), and management review (5.6). Sections 5.1 through 5.5 address organizational commitment, quality policy, and responsibility structures that are not directly addressed by QMS software — they require management action and governance decisions that cannot be automated. Section 5.6 is the exception: management review is a documented quality system activity with defined inputs and outputs that QMS software can support directly.

eLeaP capability for Section 5.6: management review in eLeaP is a structured quality record with defined input fields covering all mandatory Section 5.6.2 inputs — CAPA status and trend data, audit results, complaint data and feedback, process performance metrics, product conformance data, status of preventive actions, follow-up from prior management reviews, changes affecting the QMS, and regulatory and customer requirements. Input data draws from the quality system records already in eLeaP — CAPA trend reports, audit finding summaries, complaint analytics, nonconformance trends — without manual compilation from separate systems. Section 5.6.3 outputs — decisions and actions related to improvement, resource needs, and product requirements — are captured as action items with assigned owners and due dates, linked to the management review record.

Section 6.1 — Resource Management

ISO 13485 Section 6.1 requires that the organization determine and provide the resources needed to implement the QMS, maintain its effectiveness, and meet applicable regulatory and customer requirements. Section 6.1 is largely an organizational decision-making clause with limited direct software capability. eLeaP supports the documentation of resource decisions — infrastructure qualification records, facility maintenance records, and equipment qualification records — within the quality system.

Section 6.2 — Human Resources and Competency

ISO 13485 Section 6.2 requires that personnel performing work affecting product quality be competent on the basis of appropriate education, training, skills, and experience. The organization must determine the necessary competence for such personnel, provide training to achieve and maintain competence, evaluate the effectiveness of training, ensure personnel are aware of the relevance and importance of their activities, and maintain records of education, training, skills, and experience. Section 6.2 is not a training administration requirement — it is a quality system competency requirement with direct audit evidence obligations.

eLeaP capability: the integrated LMS delivers the training management infrastructure that Section 6.2 requires. The training matrix defines required competencies by role. Training assignments are created automatically when a new employee is assigned to a role or when a controlled document is revised — closing the interval between a document revision reaching effective status and the workforce being trained on it. Training completion records link to the specific document version on which the employee was trained, satisfying the Section 6.2 requirement that records demonstrate training on current procedures. Effectiveness evaluation is configurable per training item: knowledge assessment scores, observation checklists for hands-on procedures, or post-training performance data. The training record for each employee is accessible from within the QMS for Notified Body audits and regulatory inspections without navigating to a separate system.

Section 6.3 and 6.4 — Infrastructure and Work Environment

ISO 13485 Sections 6.3 and 6.4 cover the infrastructure (buildings, workspace, equipment, support services) and work environment conditions required to achieve product conformity. These are primarily documented procedure and record requirements. eLeaP supports equipment qualification records (IQ, OQ, PQ) and calibration records linked to equipment records, work environment monitoring records linked to production records, and change control records for infrastructure changes that affect qualified states.

Section 7.1 — Planning of Product Realization

ISO 13485 Section 7.1 requires that the organization plan and develop the processes needed for product realization, determining quality objectives, the need to establish processes and documentation, and the required verification, validation, monitoring, inspection, and test activities specific to the product — as well as the records needed to provide evidence that the realization processes and resulting product meet requirements. Section 7.1 also requires that risk management be addressed throughout product realization per ISO 14971.

eLeaP capability: product realization planning is supported through the design and development planning module (Section 7.3.2), which defines the activities, responsibilities, review points, and verification and validation requirements for each product. ISO 14971 risk management integration in eLeaP supports traceability linkage between risk management records — hazard analyses, risk control measures, and residual risk evaluations — and the design control records that implement and verify those controls. Risk control measures identified in the risk management process link to the design inputs that implement them, and design verification records link to the specific risk controls they confirm. Changes to design outputs or production processes trigger risk management impact assessment as part of the change control workflow, ensuring that risk management records remain current through product lifecycle changes.

Section 7.2 — Customer-Related Processes

ISO 13485 Section 7.2 requires that the organization determine requirements related to the product (7.2.1), review those requirements before commitment to supply (7.2.2), and maintain documented communication arrangements with customers regarding product information, inquiries, complaints, and advisory notices (7.2.3). Section 7.2.3 complaint communication requirements connect directly to the complaint handling procedures of Section 8.2.2.

eLeaP capability: customer requirement documentation is managed within the product record structure. Complaint communication and customer feedback are managed through the complaint management module, which captures the customer communication record as part of the complaint record — maintaining the Section 7.2.3 communication requirement within the same record structure as the Section 8.2.2 investigation requirement.

Section 7.3 — Design and Development

ISO 13485 Section 7.3 is the most extensive clause in the standard for device manufacturers in the development phase. It covers design and development planning (7.3.2), design inputs (7.3.3), design outputs (7.3.4), design review (7.3.5), design verification (7.3.6), design validation (7.3.7), transfer to production (7.3.8), control of design and development changes (7.3.9), and design and development files (7.3.10). Together, these requirements constitute the Design History File obligation: the DHF must contain or reference the records that demonstrate the device was designed and developed in accordance with the approved design plan.

eLeaP structures design control as a connected record set rather than a folder of documents. The design and development plan is a controlled document that defines the review, verification, and validation activities and their responsible parties. Design inputs are captured as structured records with the source of each input — regulatory requirement, user need, or risk assessment — documented and linked to the risk management records that informed them. Design outputs link explicitly to the inputs they address, maintaining the traceability required for design verification. Each design review, verification activity, and validation study is a quality record linked to the design phase it covers, with independent reviewer enforcement at the review assignment stage. Design transfer records under Section 7.3.8 link final design output records to the corresponding DMR documents, confirming that each design output has a corresponding production specification achievable with available production methods.

Design and development files under Section 7.3.10 — the DHF — are maintained in eLeaP as a navigable record network rooted in the device record. Each element of the Section 7.3 requirements is accessible from the device record view. An auditor can follow any traceability path — from user need to design input to design output to verification to validation to production specification — within the quality system without assembling documents from multiple locations. Design changes under Section 7.3.9 route through the change control workflow with a verification and validation impact assessment. A determination that re-verification or re-validation is required generates mandatory action items that prevent change closure until completed and the updated records are linked to the change record.

Section 7.4 — Purchasing and Supplier Controls

ISO 13485 Section 7.4 requires that the organization establish documented criteria for evaluating and selecting suppliers based on their ability to meet requirements, maintain records of evaluations and resulting actions, and monitor and re-evaluate suppliers at defined intervals. Section 7.4.2 requires that purchasing information describe the product or service with sufficient clarity to allow verification upon receipt. Section 7.4.3 requires that the organization verify purchased products meet specified requirements.

eLeaP capability: the supplier quality module maintains supplier qualification records including initial evaluation, qualification status, approved supplier list membership, audit history, and supplier corrective action request (SCAR) history. Supplier performance scorecards aggregate incoming inspection reject rates, SCAR closure rates, and audit finding trends for re-evaluation. Supplier re-evaluation at defined intervals is scheduled within the system and generates notifications when due. Incoming inspection records link to purchase orders and supplier records, providing the Section 7.4.3 verification evidence. Supplier SCARs link to the incoming inspection nonconformances that triggered them and to the supplier record, maintaining the traceability chain.

Section 7.5 — Production and Service Provision

ISO 13485 Section 7.5 covers production controls (7.5.1), cleanliness of product (7.5.2), installation activities (7.5.3), servicing activities (7.5.4), particular requirements for sterile devices (7.5.5), validation of processes for production and service provision (7.5.6), particular requirements for validation of sterile device processes (7.5.7), identification (7.5.8), traceability (7.5.9), customer property (7.5.10), and preservation of product (7.5.11). Section 7.5.9 requires that the organization define the extent of traceability in accordance with applicable regulatory requirements and the records to be maintained. Section 7.5.9.2 imposes particular traceability record requirements for implantable devices, including the identity of components, materials, and work environment conditions, to the extent required to enable investigation of complaints.

eLeaP capability: production records in eLeaP link each production record to the DMR version in effect at the time of production, the equipment qualification records for equipment used, the incoming inspection acceptance records for materials used, and the in-process and final acceptance test records. Process validation documentation for Section 7.5.6 is organized within the product record structure, with validation protocols and reports linked to the production process they validate. When a production process change occurs, the change control record identifies the revalidation requirement and tracks it to completion. Unique Device Identifier capture in production and complaint records supports the traceability requirements of Section 7.5.9 and Section 7.5.9.2 for implantable devices and other devices requiring UDI traceability under applicable regulatory requirements.

Section 8.1 — Measurement, Analysis, and Improvement: General

ISO 13485 Section 8.1 requires that the organization plan and implement the monitoring, measurement, analysis, and improvement processes needed to demonstrate product conformity, ensure QMS conformity, and maintain QMS effectiveness. This includes determination of applicable methods, including statistical techniques, and the extent of their use. Section 8.1 is primarily a planning requirement, but its execution generates the trending and analysis data that feeds into management review, CAPA input, and continual improvement.

eLeaP capability: quality trend data across all major quality event types — nonconformances, CAPAs, complaints, audit findings, supplier SCARs, and deviations — is available for analysis within the quality system without manual data compilation. Trend reports can be configured by product, process, time period, defect type, and other parameters. Management review input data draws from these trend analyses directly. The data aggregation that Section 8.1 requires for quality system effectiveness evaluation is a system function, not a manual reporting exercise.

Section 8.2 — Monitoring and Measurement

ISO 13485 Section 8.2 covers feedback (8.2.1), complaint handling (8.2.2), reporting to regulatory authorities (8.2.3), internal audit (8.2.4), monitoring and measurement of processes (8.2.5), and monitoring and measurement of product (8.2.6). Section 8.2.1 requires that the organization gather and monitor information relating to whether it has met customer requirements, including complaint data and post-market surveillance data as feedback inputs to the quality system. Section 8.2.2 requires documented complaint handling procedures, including evaluation for Medical Device Reporting (MDR) and vigilance report obligations.

eLeaP capability: the complaint management module captures complaints with mandatory intake fields required by ISO 13485 Section 8.2.2 and applicable MDR/vigilance reporting requirements. MDR evaluation is a structured workflow stage in the medical device complaint record, with documented rationale for the reportability determination and tracking of submission date and status against applicable reporting windows. Complaint trending reports surface patterns by device model, failure mode, and complaint type, satisfying the Section 8.2.1 feedback requirement. Internal audit management under Section 8.2.4 configures annual audit schedules, manages checklist assignment, captures findings with classification, routes findings to responsible owners, and links major findings to CAPAs. Audit finding trends by clause and process area are available in the audit management dashboard for management review input.

Section 8.3 — Control of Nonconforming Product

ISO 13485 Section 8.3 requires that the organization identify and control product that does not conform to product requirements to prevent unintended use or delivery. The standard requires documented procedures for nonconforming product control, including provisions for defining responsibilities and authorities for reviewing, disposing of, and recording nonconforming product, and for notifying customers and regulatory authorities when required. Section 8.3.4 requires that all accepted nonconforming products be traceable to authorized personnel who accepted them.

eLeaP capability: nonconformance records capture the device identification, the nature of the nonconformity, the quantity affected, and the detection point. Material Review Board disposition — use as-is, rework, scrap, return to supplier — routes through a configured approval workflow with the required authorization for each disposition type. Rework instructions link to the nonconformance record. Accepted nonconforming product records carry the identity of the authorizing personnel and the documented rationale, satisfying Section 8.3.4. Customer or regulatory authority notification records, where required, are linked to the nonconformance record. Nonconformance trends by product, process, and defect type are available for analysis and CAPA input.

Section 8.4 — Analysis of Data

ISO 13485 Section 8.4 requires that the organization determine, collect, and analyze appropriate data to demonstrate the suitability and effectiveness of the QMS and to evaluate where continual improvement can be made. The data analyzed must include data generated from monitoring and measurement activities and from other relevant sources, and must provide information relating to feedback, conformity to product requirements, characteristics and trends of processes and products including opportunities for preventive action, and suppliers.

eLeaP capability: the data analysis requirement of Section 8.4 is addressed through the quality system’s integrated reporting across all record types. Feedback data from complaints, nonconformance trend data, supplier performance data, and CAPA effectiveness data are all available within a single system for analysis without requiring manual export and compilation from separate platforms. Management review input data, Section 8.4 analysis data, and CAPA input data all draw from the same quality record set, ensuring consistency and eliminating the data reconciliation risk that arises when QMS data is maintained across multiple separate systems.

Section 8.5 — Improvement Including CAPA

ISO 13485 Section 8.5 covers general improvement (8.5.1), corrective action (8.5.2), and preventive action (8.5.3). Section 8.5.2 requires documented procedures for corrective action that include reviewing nonconformities, determining their causes, evaluating the need for action to prevent recurrence, determining and implementing action needed, recording results of investigation and action taken, and reviewing the effectiveness of corrective action taken. Section 8.5.3 requires equivalent documented procedures for preventive action on potential nonconformities.

eLeaP capability: the CAPA management module satisfies Section 8.5.2 and 8.5.3 through a structured closed-loop workflow. Root cause analysis documentation supports 5-Why, fishbone, and FMEA methods as native record entries. Corrective actions link explicitly to the root causes they address. Effectiveness verification criteria are required fields that must be defined before corrective action implementation, preventing retrospective criteria selection. The CAPA cannot advance to closed status without documented effectiveness verification. CAPA records originate from all ISO 13485-relevant input sources: nonconformances, complaints, audit findings, management review outputs, feedback data, and trending analysis. Preventive action records under Section 8.5.3 follow the same workflow structure with the additional requirement that the potential nonconformity and its risk basis be documented at initiation.

Section 7.3 Design Controls in Depth: The Design History File as a Connected Record Set

Section 7.3 deserves expanded treatment because it is the clause most rigorously evaluated during Notified Body audits, and because the Design History File requirement is the one most frequently misunderstood as a document folder obligation rather than a record traceability obligation. The DHF is not a SharePoint folder or a drive location containing PDFs of design documents. It is a set of records, each connected to the others in a way that allows an auditor to trace from a user need to the device specification that addresses it, to the design verification that confirms the specification was met, to the design validation that confirms the device meets the user need, and through any design changes to the re-verification or re-validation that confirmed the change did not compromise conformity.

eLeaP structures the DHF as a navigable record network. The device record is the root. Design and development planning records, design input records, design output records, design review records, verification records, validation records, transfer records, and design change records all attach to the device record with explicit system-maintained linkages that support the traceability audit. Each design review captures the participants, the documents reviewed, the review findings, and the decisions taken. Verification records reference the design output specifications they verify, the verification method, and the results. Validation records reference the user needs they validate against and the validation study data. Transfer records confirm that each design output has a corresponding production specification in the DMR.

Design changes under Section 7.3.9 are the most audit-sensitive element of the Section 7.3 compliance picture under both ISO 13485 and the QMSR. A design change that was not assessed for impact on prior verification and validation, or that was implemented without the required re-verification or re-validation, is a finding in Notified Body audits and FDA inspections. In eLeaP, the design change control record includes a verification and validation impact assessment. A determination that re-verification or re-validation is required generates mandatory action items in the change control record. The design change cannot be closed until those action items are completed and the updated verification or validation records are linked to the change record. Post-market design changes that require FDA submission assessment include a regulatory submission field that routes to the regulatory affairs function and tracks submission status within the design change record.

Section 6.2 Competency in Practice: How eLeaP’s QMS+LMS Integration Satisfies the Training Requirement

ISO 13485 Section 6.2 is a training management requirement embedded within a quality management standard. The requirement is not satisfied by maintaining training records in a separate LMS that the QMS cannot query during an audit. It requires that the quality system demonstrate, for any personnel performing work affecting product quality, that they are competent — that their training records reflect training on the current versions of the procedures governing their work, that their competency has been evaluated, and that their training is current.

In a quality system where the QMS and LMS are separate platforms, satisfying this requirement during a Notified Body audit requires pulling the employee’s training record from the LMS, identifying the relevant procedure from the QMS, confirming the procedure version the employee was trained on matches the current effective version, and presenting both records to the auditor. That reconciliation is manual, error-prone, and time-consuming — and any gap between the document revision date and the training completion date is visible in the gap between the two systems.

In eLeaP, the Section 6.2 audit demonstration is conducted within a single integrated platform. The training record for any employee in any role shows the required training profile for that role, the completion status for each item, the document version each completion record references, whether any items are overdue or approaching their retraining interval, and the effectiveness evaluation result where applicable. A Notified Body auditor asking whether a specific production operator is trained on the current version of the work instruction governing their assigned process can retrieve both the quality record and the training record from the same platform, with document version status and training completion status visible in the same interface — without navigating to a separate system or manually assembling evidence from multiple sources.

ISO 13485 Software and EU MDR/IVDR Compliance

ISO 13485 certification is the quality system prerequisite for CE marking of medical devices and in vitro diagnostic devices under EU MDR (2017/745) and EU IVDR (2017/746). However, ISO 13485 certification alone does not satisfy all EU MDR/IVDR compliance obligations. The regulations impose requirements above the ISO 13485 baseline — particularly in technical documentation, post-market clinical follow-up, post-market surveillance, and periodic safety update reporting — that require quality system capabilities beyond what the standard alone specifies.

eLeaP supports EU MDR/IVDR compliance in the following specific areas: post-market surveillance data collection through the complaint and feedback management modules, which feed the post-market surveillance plan and post-market surveillance report data requirements; data aggregation supporting Periodic Safety Update Report (PSUR) preparation by compiling export-ready post-market complaint trends and quality data — the PSUR narrative remains the responsibility of the manufacturer’s clinical and regulatory team; serious incident and field safety corrective action (FSCA) management through the complaint and change control workflows; regulatory submission window tracking under Section 8.2.3 for MDR 30-day and 5-day reporting obligations and EU vigilance report timelines, with submission status tracked within the complaint record; and Unique Device Identifier (UDI) traceability in production and complaint records as required by EU MDR Article 27. For manufacturers with devices on the EU market, the ISO 13485 clause map above covers the QMS foundation; EU MDR-specific documentation requirements are addressed in the implementation configuration for EU MDR customers.

Evaluating ISO 13485 Software: Six Clause-Referenced Questions

ISO 13485 software evaluations should test clause-level capability rather than general feature presence. The questions below are structured by clause reference so that evaluation responses can be mapped directly to the audit evidence requirements the clause imposes.

Section 4.1.6 — Does the Platform Provide a Validated System Package Supporting ISO 13485 Computerized System Requirements?

Does the software vendor provide IQ, OQ, and supporting validation documentation aligned to ISO 13485 Section 4.1.6 and 21 CFR Part 11 requirements — and do they provide advance notification of system changes with impact assessment documentation supporting the customer’s change control obligation for maintaining a validated state? ISO 13485 Section 4.1.6 applies to eLeaP itself as the computerized system supporting the QMS. A vendor that does not provide validation documentation is transferring the full validation burden to the customer.

Section 4.2.4 — Does Document Control Enforce Revision Status and Automatically Supersede Prior Versions?

Does the document control system enforce revision status identification, provide access only to authorized roles, and automatically supersede prior versions on the effective date of a new revision — or does version control depend on user discipline in following naming conventions? Manual version control in shared drives or document management systems without automatic supersession creates the access-to-superseded-document risk that generates Section 4.2.4 findings in Notified Body audits.

Section 6.2 — Are Training Records Linked to Document Versions and Accessible Within the QMS?

Are training completion records linked to the specific document version on which the employee was trained, and is the training record accessible from within the QMS for audit demonstration without navigating to a separate system? A training record that shows completion of a procedure without identifying the document version cannot demonstrate currency. A training system that requires cross-system navigation during an audit creates reconciliation risk.

Section 7.3.9 — Does the Design Change Record Include a V&V Impact Assessment with Mandatory Re-verification Action Items?

When a design change is initiated, does the change control record include a verification and validation impact assessment field, and does a determination that re-verification or re-validation is required generate mandatory action items that prevent change closure until completed and updated records are linked? A design change workflow that does not enforce V&V impact assessment produces the most common Section 7.3.9 finding in Notified Body audits of manufacturers with post-clearance design changes.

Section 8.2.2 — Does the Complaint Workflow Include a Structured MDR Evaluation Stage with Reporting Window Tracking?

Does the complaint-handling workflow include a structured MDR evaluation stage with a documented rationale for the reportability determination, and does the system track the submission date and status against the applicable 30-day or 5-day reporting window? An MDR evaluation that is documented outside the complaint record, or a complaint system that does not enforce reportability determination as a workflow stage, creates the traceability gap that generates Section 8.2.2 and MDR compliance findings.

Section 8.5.2 — Are Effectiveness Verification Criteria a Required Pre-Implementation Field, and Is CAPA Closure Structurally Prevented Without Verification Sign-Off?

Are effectiveness verification criteria a required field defined before corrective action implementation, is the verification scheduled as a system task at a defined interval after implementation, and is CAPA closure structurally prevented without a completed verification sign-off with documented evidence? A CAPA workflow that allows criteria to be defined retrospectively, or that allows closure without documented effectiveness verification, does not satisfy the Section 8.5.2 requirement that the effectiveness of corrective action taken be reviewed.

eLeaP’s answers to all six questions are yes, demonstrable in a clause-referenced platform walkthrough. The demonstration covers the Section 7.3 Design History File record structure, the Section 6.2 training matrix, the Section 8.5.2 CAPA effectiveness gate, and the Section 4.1.6 validation support package — configured for the buyer’s device type and regulatory market. Request a scoped ISO 13485 software demonstration at eleapsoftware.com.

ISO 13485 Software Implementation: What Structured Around the Standard Means in Practice

For a mid-market medical device manufacturer standing up an ISO 13485-compliant QMS — or transitioning from a spreadsheet and SharePoint-based system — “structured around ISO 13485” needs to mean something concrete in the implementation timeline and configuration approach, not just in the marketing positioning.

eLeaP deploys with pre-configured workflows aligned to ISO 13485 clause requirements: document control workflows pre-configured with ISO 13485 Section 4.2.4 controls; CAPA workflows pre-configured with Section 8.5.2 root cause, action, and effectiveness verification stages; complaint intake workflows pre-configured with Section 8.2.2 and MDR evaluation stages; design control record structures pre-configured with the Section 7.3 design input, output, review, verification, validation, and transfer record types. The implementation does not require building ISO 13485 workflow logic from scratch in a generic platform — it requires configuring the pre-built ISO 13485 architecture to the manufacturer’s product lines, device types, and organizational structure.

For manufacturers transitioning from the prior 21 CFR Part 820 framework to the QMSR, eLeaP provides a transition documentation package that maps existing Part 820 quality system elements to the corresponding ISO 13485 sections and QMSR requirements. The package supports the gap assessment and remediation planning that QMSR transition requires, with the quality system records already structured to demonstrate QMSR compliance through ISO 13485 conformity.

Frequently Asked Questions: ISO 13485 Software

What is ISO 13485 software?

ISO 13485 software is a quality management system built to satisfy the documented procedure, record, training, design control, post-market surveillance, and CAPA requirements of ISO 13485:2016 — the international standard for QMS in medical device manufacturing. It differs from a generic QMS in that its functional modules are structured around the clause architecture of ISO 13485 from the outset, rather than being configured to approximate compliance from a generic workflow base. For US medical device manufacturers, ISO 13485 software is now also QMSR software — the QMSR (effective February 2, 2026) incorporates ISO 13485:2016 by reference, making ISO 13485 clause compliance the foundation of QMSR compliance.

What is the relationship between ISO 13485 and the QMSR?

The Quality Management System Regulation (QMSR), effective February 2, 2026, replaced 21 CFR Part 820 as the FDA quality system regulation for medical device manufacturers. The QMSR incorporates ISO 13485:2016 by reference as its base quality management framework, meaning that a manufacturer whose QMS satisfies ISO 13485:2016 satisfies the QMSR’s foundational requirements. FDA’s supplemental QMSR requirements — covering complaint handling, MDR evaluation and reporting, and certain traceability obligations — extend beyond the ISO 13485 baseline but do not contradict it. For manufacturers who previously maintained separate QMS architectures for FDA and international compliance, the QMSR eliminates that structural divergence.

Which ISO 13485 clauses are the most important for QMS software to address?

From a software evaluation perspective, the clauses that most directly require documented procedure, workflow enforcement, and record management capabilities are: Section 4.2 (document control and records), Section 6.2 (training and competency), Section 7.3 (design and development controls and DHF), Section 7.4 (supplier controls), Section 7.5 (production and traceability records), Section 8.2 (complaint handling and MDR evaluation), Section 8.3 (nonconforming product), Section 8.4 (data analysis), and Section 8.5 (CAPA). Section 5.6 (management review) and Section 4.1.6 (computerized system validation) are also directly software-addressable. Sections 5.1–5.5 cover management commitment and policy that require organizational action rather than software workflow enforcement.

How does ISO 13485 Section 6.2 differ from standard LMS training management?

Standard LMS training management tracks training completion. ISO 13485 Section 6.2 requires that the quality system demonstrate competency — which means training records must show completion of the current version of the procedure, not just completion of a training program. When procedures are revised, Section 6.2 requires that retraining be conducted and recorded on the new version before personnel work under it. An LMS that operates outside the QMS document control system cannot automatically generate training assignments when procedures are revised, cannot link completion records to specific document versions, and requires manual reconciliation between training records and document version history during Notified Body audits. An integrated QMS+LMS platform eliminates that reconciliation requirement.

What does the Design History File need to contain under ISO 13485 Section 7.3?

The Design History File under ISO 13485 Section 7.3.10 must contain or reference the records necessary to demonstrate that the device design was developed in accordance with the approved design plan. Required DHF content includes the design and development plan (7.3.2), design input records (7.3.3), design output records (7.3.4), design review records (7.3.5), design verification records (7.3.6), design validation records (7.3.7), design transfer records (7.3.8), and design change records (7.3.9). The critical compliance requirement is not just that these records exist — it is that the traceability relationships between them are demonstrable: each design input must be traceable to the design output that addresses it, to the verification test that confirms the output meets the input, and to the validation study that confirms the device meets the user need.

What is required for ISO 13485 Section 4.1.6 computerized system validation?

ISO 13485 Section 4.1.6 requires that when computer software is used in the QMS, it be validated for its intended use prior to initial use and as appropriate after changes to the software or its application. For eLeaP as the QMS platform itself, this means the customer must complete computerized system validation before using eLeaP for ISO 13485-required records. The vendor provides IQ and OQ documentation, system design documentation, and 21 CFR Part 11 compliance mapping. The customer is responsible for Performance Qualification in their specific environment and the validation summary report. Manufacturers applying a GAMP 5 risk-based approach typically classify eLeaP as Category 4 configured software, focusing validation effort on the configured environment rather than re-testing vendor-qualified infrastructure.

How does ISO 13485 CAPA differ from a general corrective action process?

ISO 13485 Section 8.5.2 imposes specific structural requirements that distinguish CAPA from a general corrective action process: root cause analysis must be documented as a formal determination; corrective actions must link explicitly to the root causes they address; effectiveness verification criteria must be defined before corrective action implementation (not retrospectively); the effectiveness of corrective action taken must be reviewed at a defined interval; and records of investigation, action, and effectiveness review must be maintained. Section 8.5.3 adds equivalent requirements for preventive action on potential nonconformities. A general corrective action workflow that does not enforce these structural requirements does not satisfy Section 8.5 — it manages action items, not quality system improvement.

Does ISO 13485 apply to EU MDR and IVDR compliance?

ISO 13485 certification is the quality system prerequisite for CE marking under EU MDR (2017/745) and EU IVDR (2017/746) — Notified Bodies require ISO 13485 certification as the foundational QMS audit. However, ISO 13485 certification alone does not satisfy all EU MDR/IVDR compliance obligations. The regulations impose requirements above the ISO 13485 baseline, including more detailed technical documentation requirements (MDR Annex II and III), post-market clinical follow-up obligations (MDR Annex XIV), periodic safety update reporting, and post-market surveillance reporting. ISO 13485 software supporting EU MDR compliance must address these additional requirements through the complaint, feedback, and post-market surveillance modules in addition to the core clause requirements.

ISO 13485 Software: Terminology and Search Synonyms

ISO 13485 software is referenced by several terms across regulatory guidance, certification bodies, and quality management software categories. The following synonyms and related terms describe capabilities covered on this page.

ISO 13485 QMS Software / ISO 13485 Quality Management Software

“ISO 13485 QMS software” and “ISO 13485 quality management software” are direct synonyms, describing the same platform from the quality management system frame. The functional scope is identical to ISO 13485 software: clause-mapped QMS capabilities covering documentation, design controls, supplier quality, production records, complaint handling, and CAPA — structured for ISO 13485:2016 certification and QMSR compliance.

Medical Device QMS Software / Medical Device Quality Management System

“Medical device QMS software” and “medical device quality management system” are the category-level synonyms that describe the same platform for buyers who search by industry vertical rather than standard name. ISO 13485 is the governing standard; medical device QMS is the industry context. A medical device QMS that is not structured around ISO 13485:2016 clause requirements does not satisfy the certification baseline for international market access or QMSR compliance for US market access.

QMSR Software / QMSR Compliance Software

“QMSR software” and “QMSR compliance software” are the US-specific terms that have emerged since the QMSR’s effective date of February 2, 2026. Because the QMSR incorporates ISO 13485:2016 by reference, QMSR software is, in substance, ISO 13485 software with FDA supplemental requirements addressed — specifically MDR evaluation workflows, complaint handling traceability, and certain records requirements. Buyers searching “QMSR software” are typically US manufacturers evaluating whether their current ISO 13485 system fully addresses the QMSR’s supplemental requirements.

Design History File Software / DHF Software

“Design history file software” and “DHF software” refer specifically to the Section 7.3 design control and DHF management capability within ISO 13485 software. The DHF requirement is the most audit-sensitive element of ISO 13485 for device manufacturers in the development phase. Software marketed specifically as DHF software typically addresses design controls as a bounded development-phase activity; ISO 13485 software addresses design controls as a continuous lifecycle obligation that extends through every post-market design change.

ISO 13485 Certification Software / ISO 13485 Compliance Software

“ISO 13485 certification software” refers to software used to build and maintain the quality system required for ISO 13485 Notified Body certification. The certification audit evaluates whether the QMS demonstrates conformity to each clause of the standard. ISO 13485 compliance software is evaluated by the same clause-reference framework — which clauses does the software address, how does it produce audit evidence for each requirement, and can the quality team demonstrate conformity quickly and completely during an audit.

Medical Device Document Control Software / Medical Device CAPA Software

“Medical device document control software” and “medical device CAPA software” are module-level synonyms that describe specific capabilities within ISO 13485 software. Document control software for medical devices must satisfy Section 4.2.4 controls — automatic supersession, authorized access, electronic signatures, revision history. Medical device CAPA software must satisfy Section 8.5.2 structural requirements — root cause linkage, pre-implementation effectiveness criteria, closure prevention without verification. Module-level searches often come from buyers evaluating specific gap areas rather than replacing their entire QMS.

About eLeaP QMS

eLeaP is a quality management and learning management platform built by Telania, LLC, founded in 2002. The platform serves medical device manufacturers, pharmaceutical companies, biotech, CDMO/CRO, food and beverage, cannabis, and aerospace organizations requiring a fully integrated QMS and LMS in a single validated system. For medical device manufacturers, the core differentiator is native QMS+LMS integration: document revisions automatically trigger training assignments for affected roles, design-change-driven document revisions are gated on training completion before the change can close, and CAPA-triggered training enforces corrective action effectiveness. eLeaP is designed for mid-market manufacturers (50–500 employees) who require full ISO 13485 and QMSR compliance capability without enterprise QMS implementation complexity or cost.

Related resources:

• Medical Device QMS Software — production-phase quality system for cleared devices
• Medical Device Quality Management Software
• FDA Design Controls — Section 7.3 in the US regulatory context
• CAPA Management Software — Section 8.5 corrective and preventive action