Last Updated on September 25, 2025 by Melissa Lazaro

Introduction: Why Documentation Is the Backbone of ISO 13485

When it comes to ISO 13485, one thing becomes clear fast: documentation can make or break your certification. You can have great processes, skilled people, and a strong product—but if you can’t prove it on paper (or digitally), auditors won’t give you a pass.

Here’s what I’ve noticed working with medical device companies: most teams struggle not because they don’t follow good practices, but because they’re overwhelmed by the sheer amount of documents ISO 13485 touches. Quality Manual, mandatory procedures, records, design history files, training logs…the list feels endless.

The good news? You don’t need to reinvent the wheel. With the right documentation toolkit, you can cover all the essentials, keep them organized, and walk into audits with confidence.

In this guide, I’ll give you the full breakdown of what goes into an ISO 13485 documentation system—what’s mandatory, what auditors expect in practice, and how to manage it all without drowning in paperwork. I’ll also link you to detailed supporting guides for each piece so you can dig deeper where you need to.

By the end, you’ll know exactly how to build and maintain a documentation toolkit that not only keeps you compliant but also makes your QMS easier to run day to day.

ISO 13485 Documentation Requirements at a Glance

Before we dive into the details, let’s step back and look at the big picture. ISO 13485 documentation isn’t just a random pile of files—it’s structured into different levels, each serving a purpose in your Quality Management System (QMS).

Here’s the simple breakdown:

1. Quality Manual – The high-level roadmap of your QMS.

2. Procedures & SOPs – The “how-to” documents for key processes.

3. Records – The proof that activities were carried out (training logs, calibration certificates, audit reports).

4. Supporting Documentation – Things like risk management files, design history files, and technical documentation required by regulators.

ISO 13485 itself explicitly requires certain documented procedures and records. But here’s the catch: in practice, auditors often expect more than the bare minimum. For example, while the standard lists six mandatory procedures, most auditors will also look for complaint handling, supplier control, and risk management documentation.

Think of documentation as the foundation of your QMS: without it, even strong processes can collapse under audit. With it, you can demonstrate compliance, consistency, and control across your entire organization.

Now that you’ve seen the big picture, let’s zoom in on each essential piece of documentation—starting with the mandatory ISO 13485 procedures.

Mandatory ISO 13485 Procedures (The Core Six + More)

ISO 13485 is very clear: there are a handful of procedures you must document. These are the backbone of your Quality Management System, and if even one is missing, you’ll likely face a major nonconformity.

The six core mandatory procedures are:

1. Document Control – How you approve, update, and distribute documents.

2. Record Control – How you identify, store, and retain records.

3. Internal Audit – How you plan, conduct, and follow up on audits.

4. Control of Nonconforming Product – How you handle defective or suspect products.

5. Corrective Action (CA) – How you address issues after they’ve occurred.

6. Preventive Action (PA) – How you identify and address risks before they cause problems.

In practice, auditors also expect to see procedures for:

• Risk Management (aligned with ISO 14971).

• Complaint Handling (especially important for post-market surveillance).

• Supplier Evaluation & Control (to show you’re managing outsourced processes properly).

Supporting guide: For a deeper dive into each of these, see our article: [ISO 13485 Mandatory Procedures List].

Together, these procedures ensure your QMS is controlled, traceable, and capable of continuous improvement.

Next, let’s look at another cornerstone document—the Quality Manual.

The ISO 13485 Quality Manual

Think of the Quality Manual as the roadmap to your QMS. It doesn’t need to be long or complicated—in fact, the best ones I’ve seen are short, clear, and easy to navigate. Its role is to help auditors (and your own team) understand how your system is structured.

A solid Quality Manual usually includes:

• Scope of the QMS – what’s covered, and any justified exclusions.

• Quality Policy & Objectives – your high-level commitment to quality and compliance.

• Process Interactions – a diagram or description of how your key processes connect.

• References to Procedures & Records – pointing to where details are documented.

• Roles & Responsibilities – who’s responsible for what at a high level.

Supporting guide: Check out our detailed article: [ISO 13485 Quality Manual Example] for a template you can adapt.

Bottom line: the Quality Manual shouldn’t be a 100-page binder nobody reads. It should be a clear, high-level reference that makes your QMS easy to understand.

Now that we’ve covered the manual, let’s talk about how long you actually need to keep records under ISO 13485.

Record Retention & Control Rules

If your procedures are the “instructions” of your QMS, then records are the proof that those instructions were followed. ISO 13485 (Clause 4.2.5) requires you to have a documented procedure for controlling records—but what often trips companies up is how long they need to keep them and how they should be managed.

What the Standard Requires

Your record control procedure must explain how records are:

• Identified (so you know what they relate to).

• Stored and protected (both paper and digital).

• Retained for a defined period.

• Retrieved quickly when requested.

• Disposed of securely at the end of the retention period.

Auditors will check not just that you have these rules, but that your team follows them consistently.

How Long Should You Keep Records?

ISO 13485 itself doesn’t specify exact timeframes—it leaves that up to you, guided by regulatory requirements. Here are the typical expectations:

• Design & Development Records – For the lifetime of the product plus required regulatory years (often 10–15 years in the EU).

• Production & Device History Records – At least the expected lifetime of the device, but not less than 2 years (FDA minimum).

• Training Records – While the employee works with the QMS, plus a buffer (often 2–5 years after).

• Complaints & CAPA Records – For the product lifetime plus 2 years (FDA) or up to 15 years (EU for implantables).

• Supplier Records – Retention depends on supplier risk level and product lifecycle.

Supporting guide: For a detailed breakdown, see our article: [ISO 13485 Record Retention & Control Rules].

Why It Matters

Records are often where audits are won or lost. You can tell an auditor you did training or a complaint investigation, but if you can’t produce the signed record, it’s as if it never happened. I’ve seen companies run into serious findings simply because a training record was missing one signature or a complaint file was purged too early.

Pro Tip: Create a Retention Matrix (record type vs. retention period vs. regulatory reference). It not only keeps your team aligned, it also shows auditors you’ve thought this through carefully.

Next, let’s look at a document that often causes anxiety for design teams—the Design History File (DHF).

Design History File (DHF)

The Design History File (DHF) is one of the most critical sets of documents in ISO 13485—especially if you’re also under FDA oversight. In simple terms, it’s the evidence that your device was designed under a controlled process. Without it, both auditors and regulators will question whether your product is safe and compliant.

What Goes Into a DHF

ISO 13485 and FDA QSR (21 CFR 820.30) expect your DHF to include records showing:

• Design & Development Plan – objectives, responsibilities, and timelines.

• Design Inputs – requirements such as user needs, functional specs, and regulatory criteria.

• Design Outputs – drawings, specifications, manufacturing instructions.

• Design Reviews – documented checkpoints where progress was evaluated.

• Verification Results – evidence that outputs meet inputs.

• Validation Results – proof that the device meets user needs and intended use.

• Design Transfer Records – showing the product was handed over to manufacturing properly.

• Design Changes – documentation and justification for any modifications.

Supporting guide: For a detailed template, see our article: [ISO 13485 Design History File Template].

Why the DHF Matters

The DHF isn’t just “paperwork.” It’s the storyboard of your product’s design journey. A well-structured DHF lets auditors quickly trace how your team moved from concept to validated product. If it’s sloppy or incomplete, it almost always leads to audit findings.

A Real-World Example

I worked with a startup that was gearing up for their first FDA inspection. They were nervous about their DHF, so we spent weeks organizing it: creating clear sections, indexing test reports, and linking design reviews with CAPA records. When the FDA inspector arrived, they asked for a validation report—the team found it in less than 5 minutes. The inspector smiled and said, “That’s how it should be.” They passed with no design-related observations.

Pro Tip: Don’t wait until the end of development to assemble your DHF. Add documents as you go. Auditors can always tell when a DHF was rushed together last minute.

Document Control Systems – Paper vs. Electronic

If there’s one area that consistently creates findings in ISO 13485 audits, it’s document control. Auditors want to see that your SOPs, work instructions, and forms are properly approved, version-controlled, and easy to access. The challenge? Doing this effectively as your company grows.

Paper-Based Systems

Some smaller companies still manage document control with binders, spreadsheets, or shared drives. This can work at the beginning, but it comes with serious risks:

• Multiple “latest” versions floating around.

• Delayed approvals because of manual signatures.

• Outdated SOPs accidentally used on the production floor.

• Auditors losing confidence when staff can’t quickly find the right document.

Electronic Document Management Systems (eDMS)

More and more organizations are moving to electronic document control systems because they solve most of these pain points. An ISO 13485-compliant eDMS typically offers:

• Automatic version control so only the current SOP is available.

• Electronic signatures that are compliant with FDA 21 CFR Part 11.

• Audit trails showing who made changes and when.

• Fast retrieval with search functionality.

• Integration with training, CAPA, and risk management modules.

Supporting guide: For a deep dive, check out our article: [ISO 13485 Electronic Document Control Systems].

Which Should You Choose?

ISO 13485 doesn’t require you to go electronic. A paper-based system can still pass an audit—but as soon as you grow, the risks outweigh the benefits. An eDMS makes compliance faster, smoother, and less stressful for both your team and auditors.

Pro Tip: If you do go electronic, pilot it with one area first (like SOP approvals) before rolling it out across the company. That way, employees adopt it gradually, and you avoid overwhelm.

How to Build Your ISO 13485 Documentation Toolkit

By now, we’ve covered each of the core pieces of documentation individually—Quality Manual, mandatory procedures, records, DHF, and document control systems. But the real value comes when you bring them together into a complete toolkit that’s organized, consistent, and audit-ready.

The Core Toolkit Components

Your ISO 13485 documentation toolkit should include:

1. Quality Manual – the roadmap of your QMS.

2. Mandatory Procedures – the six required by ISO 13485 plus the “expected” ones like risk management and complaints.

3. Records – retention rules and retrieval systems that prove compliance.

4. Design Documentation – including the Design History File and links to risk management.

5. Document Control System – whether paper or electronic, with clear version control.

Suggested Toolkit Structure

To keep it manageable, organize your documentation in layers:

• Level 1: Quality Manual (high-level overview).

• Level 2: SOPs and mandatory procedures.

• Level 3: Work instructions and forms.

• Level 4: Records and evidence (training logs, CAPA reports, device history records).

This “layered” approach makes it easy for auditors—and your own staff—to navigate the system.

Templates and Systems

• Use templates for recurring documents like SOPs, CAPA forms, and training logs.

• Build a retention matrix for records so everyone knows how long to keep each type.

• Decide early if you’ll stay paper-based or transition to an eDMS, and set consistent rules.

Why This Matters

When all these pieces are linked together, your QMS feels less like a pile of paperwork and more like a structured system. It helps your team work more consistently, reduces mistakes, and builds trust with auditors.

Supporting guides:

• ISO 13485 Mandatory Procedures List

• ISO 13485 Quality Manual Example

• ISO 13485 Record Retention & Control Rules

• ISO 13485 Design History File Template

• ISO 13485 Electronic Document Control Systems

FAQs – ISO 13485 Documentation

Q1. What documents are mandatory under ISO 13485?

ISO 13485 explicitly requires six documented procedures: document control, record control, internal audits, control of nonconforming product, corrective actions, and preventive actions. In practice, auditors also expect additional procedures like risk management, complaint handling, and supplier control.

Q2. Do I need separate documentation for ISO 13485 and FDA QSR?

Not necessarily. While the FDA requires a Design History File (DHF) and ISO 13485 emphasizes design and development records, a well-structured documentation toolkit can cover both. The key is aligning your system so that one set of documents satisfies both ISO and FDA requirements.

Q3. Can I use templates for ISO 13485 documentation?

Yes—templates are a great starting point, especially for SOPs, manuals, and CAPA forms. But auditors will spot copy-paste documents quickly. Templates must be customized to reflect how your company actually operates.

Conclusion: Turn Documentation Into a Strength

ISO 13485 documentation doesn’t have to be overwhelming. Yes, there are a lot of moving parts—manuals, procedures, records, design files, and control systems—but when you bring them together into a structured toolkit, the whole system starts to feel manageable.

Here’s the big takeaway:

• The Quality Manual gives your QMS direction.

• Mandatory procedures (and a few extra ones auditors expect) form the backbone.

• Records provide proof that your processes actually work.

• The Design History File (DHF) demonstrates controlled development.

• And a solid document control system keeps it all consistent and accessible.

When these pieces are aligned, your documentation stops being “paperwork for the auditor” and becomes a living system that builds confidence—inside your team and with regulators.

In my experience, companies that treat documentation as a tool for clarity and improvement (rather than a burden) not only pass audits more easily but also run smoother day to day.

Next step: Download the ISO 13485 Documentation Toolkit Checklist to map out your own system and explore the supporting guides linked throughout this article for step-by-step help.