ISO 13485 defines the quality management system requirements for medical device manufacturers. At its core, it demands that you can demonstrate control over your design and development process - and that starts with requirements management.
This guide covers the practical requirements management aspects of ISO 13485 compliance: what auditors actually look for, where teams commonly fall short, and how to set up a system that keeps you audit-ready without creating unnecessary overhead.
What ISO 13485 Actually Demands for Requirements
ISO 13485, together with IEC 62304 (software lifecycle) and ISO 14971 (risk management), creates a framework where requirements must be:
- Documented and controlled: Every requirement must be captured in a controlled system with version management (Section 4.2.4)
- Traceable: You must demonstrate linkage from user needs → design inputs → design outputs → verification/validation activities (Section 7.3)
- Reviewed and approved: Design inputs must be reviewed for adequacy and approved before proceeding (Section 7.3.3)
- Change-controlled: Every modification must be evaluated for impact, reviewed, and approved before implementation (Section 7.3.9)
- Verified and validated: You must show evidence that design outputs satisfy design inputs, and that the final device meets user needs (Sections 7.3.5, 7.3.6)
Design Controls: The Requirements Backbone
The FDA's Design Controls framework (21 CFR Part 820.30) maps directly to ISO 13485's design and development requirements. The V-model is the most common way to visualize this:
The V-Model in Medical Device Development
User Needs ------------------- Validation
Design Inputs ------------------- Verification
Architecture ------------------- Integration Testing
Detailed Design ------------------- Unit Testing
Each horizontal pair requires traceability. Auditors will ask you to demonstrate these links.
The key principle: every level on the left side must trace to a corresponding verification or validation activity on the right side. Your requirements management system must make these connections visible and maintainable.
Where Teams Commonly Fail Audits
Based on FDA warning letters and audit findings in the medical device industry, the most common requirements-related non-conformities are:
Gap 1: Incomplete Traceability
Teams can show individual requirements and individual test cases, but cannot demonstrate the chain connecting them. "Orphan" requirements (no downstream links) and "dangling" test cases (no upstream requirement) are red flags that auditors specifically look for.
Gap 2: Missing Change Impact Analysis
A requirement changed in version 3.2, but nobody evaluated whether the linked test cases, risk controls, and design outputs still adequately address the updated requirement. The change was made, but the impact wasn't traced.
Gap 3: No Baseline Snapshots
Auditors may ask to see the requirements baseline at the time of a specific design review. If your system only shows the current state and not the state at a previous milestone, you cannot demonstrate what was reviewed and approved at that point in time.
Gap 4: Informal Review Records
Requirements were reviewed in a meeting, but the only evidence is meeting minutes that say "requirements discussed." There's no record of who specifically reviewed and approved each requirement, what version they approved, or what comments were resolved.
Setting Up Your Requirements Management System for ISO 13485
Structure Your Project Hierarchy
Organize your requirement sets to mirror the V-model. A typical medical device project structure:
- User Needs - What the user/patient/clinician needs the device to do
- Design Inputs - Measurable, verifiable requirements derived from user needs
- Design Outputs - Specifications, drawings, and software architecture that implement design inputs
- Risk Controls - Mitigations from your ISO 14971 risk analysis, linked to the requirements they protect
- Verification Test Cases - Tests that verify design outputs satisfy design inputs
- Validation Test Protocols - Protocols that validate the final device meets user needs
Establish Traceability Links Early
Don't wait until audit preparation to create traceability links. Establish them as you develop requirements. Every design input should trace to at least one user need. Every design input should trace to at least one verification activity. The trace matrix should be a living artifact, not a last-minute deliverable.
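The traceability rules above, and the orphan, dangling and unreviewed-change gaps described earlier, can be checked mechanically over an exported link table. The following is an added example, not code from any of the tools named on this page; the item IDs, level names, versions and the "suspect link" label are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample export: item id -> (level, current version)
ITEMS = {
    "UN-1": ("user_need", 1), "UN-2": ("user_need", 1),
    "DI-1": ("design_input", 2), "DI-2": ("design_input", 1),
    "DI-3": ("design_input", 1),
    "VT-1": ("verification", 1), "VT-2": ("verification", 1),
    "VT-9": ("verification", 1),
}
# Constructed links: (upstream id, downstream id,
#                     upstream version at the time the link was last reviewed)
LINKS = [
    ("UN-1", "DI-1", 1),
    ("UN-1", "DI-2", 1),
    ("DI-1", "VT-1", 1),  # DI-1 has since moved to v2 without re-review
    ("DI-3", "VT-2", 1),
]

# Assumed rules, taken from the text: every design input traces up to a
# user need and down to a verification activity; every test traces up.
NEEDS_UPSTREAM = {"design_input": "user_need", "verification": "design_input"}
NEEDS_DOWNSTREAM = {"user_need": "design_input", "design_input": "verification"}

def audit(items, links):
    """Return orphan items, dangling items and links needing impact review."""
    up, down = defaultdict(set), defaultdict(set)
    for src, dst, _ in links:
        down[src].add(items[dst][0])  # levels reachable downstream of src
        up[dst].add(items[src][0])    # levels present upstream of dst
    orphans = sorted(i for i, (lvl, _) in items.items()
                     if lvl in NEEDS_DOWNSTREAM
                     and NEEDS_DOWNSTREAM[lvl] not in down[i])
    dangling = sorted(i for i, (lvl, _) in items.items()
                      if lvl in NEEDS_UPSTREAM
                      and NEEDS_UPSTREAM[lvl] not in up[i])
    # A link is suspect when the upstream item changed after the link was
    # reviewed: the change was made but its impact was never evaluated.
    suspect = sorted((s, d) for s, d, v in links if items[s][1] != v)
    return {"orphans": orphans, "dangling": dangling, "suspect": suspect}

if __name__ == "__main__":
    for finding, hits in audit(ITEMS, LINKS).items():
        print(finding, hits)
```

Running a check like this on every change, rather than during audit preparation, is what keeps the trace matrix a living artifact.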
Configure Approval Workflows
Set up structured approval workflows that match your organization's review process. At minimum, design inputs should require sign-off from quality, engineering, and regulatory stakeholders before the design moves to the next phase.
Use Baselines at Key Milestones
Create locked snapshots at each design review milestone (Concept Review, Design Input Review, Design Output Review, Design Verification, Design Validation). These baselines provide the historical evidence auditors need.
Audit Preparation Checklist
When preparing for an ISO 13485 audit, your requirements management system should enable you to produce the following within minutes, not weeks:
- A complete trace matrix from user needs → design inputs → design outputs → verification → validation
- A list of all orphan requirements (no downstream traces) and dangling items (no upstream traces)
- The change history for any specific requirement, including who changed it, when, and the approval record
- The baseline snapshot at any previous design review milestone
- Coverage reports showing which requirements have been verified/validated and which are still open
- Risk control traceability showing which requirements mitigate which identified risks
Choosing the Right Tool
For ISO 13485 compliance, your requirements management tool should support configurable project hierarchies matching the V-model, full traceability with automated orphan/dangling detection, formal approval workflows with electronic signatures, baselines that lock snapshots at milestones, complete audit trail with timestamped change history, and role-based access control to enforce separation of duties.
Tools like TraceCloud, Jama Connect, and IBM DOORS all support these capabilities. The right choice depends on your team size, budget, and existing tool ecosystem.