ISO 13485 Glossary: Plain-English Terms
Last Updated on September 25, 2025 by Melissa Lazaro
Introduction: Making ISO 13485 Jargon Simple
Here’s what I’ve noticed after years of helping medical-device companies with ISO 13485: the biggest hurdle isn’t always the audits or the paperwork—it’s the language. The standard is full of acronyms and technical terms that can feel overwhelming, especially if you’re new to compliance.
In my experience, once teams understand the terms in plain English, everything else starts to click. Suddenly, the requirements don’t feel like random checkboxes—they make sense as part of building safer, higher-quality products.
That’s exactly why I put together this glossary. It’s a straightforward, no-nonsense guide to the most common ISO 13485 terms. Each definition is explained in plain language, with quick examples so you can see how it applies in real life.
By the end, you’ll be able to read an audit report or a certification checklist without getting lost in jargon. More importantly, you’ll be able to explain these terms clearly to your team, which makes compliance a lot less intimidating.
Now, let’s start with the basics—the core concepts that form the foundation of ISO 13485.
Core Concepts
ISO 13485
Plain-English Definition: The international standard for quality management systems in the medical device industry.
Why it matters: It proves your company can consistently design, make, and deliver safe medical devices.
Example: If you want to sell a new diagnostic device in Europe, regulators will expect you to have ISO 13485 certification.
QMS (Quality Management System)
Plain-English Definition: A structured way of organizing your processes so quality is consistent every time.
Why it matters: It’s the backbone of ISO 13485—without a QMS, you can’t get certified.
Example: Written procedures for design, production, and complaint handling are all part of your QMS.
Regulatory Compliance
Plain-English Definition: Meeting the legal requirements in the markets where you sell devices.
Why it matters: ISO 13485 is designed to align closely with laws like the FDA’s requirements in the U.S. or the EU MDR in Europe.
Example: If your device doesn’t meet regulatory rules, it can’t legally be sold—even if it works perfectly.
Documentation & Records
DHF (Design History File)
Plain-English Definition: A collection of records that shows how your device was designed.
Why it matters: Auditors use it to confirm you followed proper design controls.
Example: Test reports, design reviews, and risk analyses for a surgical tool all go into the DHF.
DMR (Device Master Record)
Plain-English Definition: The recipe for making your medical device.
Why it matters: It ensures every unit is built exactly the same way.
Example: Assembly instructions, drawings, and material specifications for a pacemaker belong in the DMR.
DHR (Device History Record)
Plain-English Definition: Proof that each device was made according to the DMR.
Why it matters: It connects the instructions (DMR) to the actual production run.
Example: Production logs and inspection results for each batch of catheters are part of the DHR.
CAPA (Corrective and Preventive Action)
Plain-English Definition: A system for fixing problems and stopping them from happening again.
Why it matters: Regulators want to see you don’t just fix mistakes—you prevent repeats.
Example: If a supplier delivers faulty parts, a CAPA might involve switching suppliers and tightening incoming inspections.
SOP (Standard Operating Procedure)
Plain-English Definition: A step-by-step instruction for how to do a specific task.
Why it matters: It makes sure everyone does critical tasks the same way every time.
Example: An SOP might explain exactly how to sterilize surgical instruments before packaging.
Risk & Safety
Risk Management
Plain-English Definition: A structured way to spot, evaluate, and control risks that could harm patients.
Why it matters: ISO 13485 requires you to build safety into every stage of a device’s life cycle.
Example: If you’re designing an insulin pump, risk management might identify battery failure as a hazard and require a backup system.
ISO 14971
Plain-English Definition: The international standard that explains exactly how to do risk management for medical devices.
Why it matters: ISO 13485 points to ISO 14971 as the go-to guide for handling risks.
Example: A company making diagnostic tests uses ISO 14971 to decide how to handle the risk of false negatives.
Traceability
Plain-English Definition: The ability to track every part and process of a device back to its source.
Why it matters: If a defect is found, traceability helps you pinpoint which batch, supplier, or process step caused it.
Example: If a batch of syringes fails testing, traceability lets you link it back to the supplier who provided the faulty plastic.
Audits & Compliance Activities
Internal Audit
Plain-English Definition: A self-check your company does to see if you’re following ISO 13485 properly.
Why it matters: It helps you catch problems before an external auditor does.
Example: Your quality team reviews training records and finds missing signatures—fixing it before certification day.
External Audit / Certification Audit
Plain-English Definition: An independent check by a certification body (or notified body in the EU) to verify compliance.
Why it matters: Passing this audit is what earns you your ISO 13485 certificate.
Example: An external auditor reviews your CAPA system and confirms you’re handling product complaints correctly.
Nonconformity
Plain-English Definition: When something doesn’t meet a requirement in ISO 13485 or your own QMS.
Why it matters: Nonconformities have to be documented and corrected to maintain certification.
Example: An SOP says equipment must be calibrated every 6 months, but one machine went 8 months without calibration—that’s a nonconformity.
Surveillance Audit
Plain-English Definition: A follow-up audit (usually annual) to make sure you’re still compliant.
Why it matters: Certification isn’t a one-time event—you have to keep proving your system works.
Example: Each year, your auditor comes back to check if CAPA, training, and documentation are still being maintained.
Roles & Stakeholders
Notified Body
Plain-English Definition: An independent organization in the EU that checks whether your devices and QMS meet regulatory requirements.
Why it matters: Without their approval, you can’t place certain medical devices on the EU market.
Example: A German notified body reviews your ISO 13485 QMS and issues the CE certification for your device.
Regulatory Authority
Plain-English Definition: A government agency that enforces medical device laws in its country or region.
Why it matters: They control market approvals, monitor safety, and can pull products if risks are found.
Example: The FDA (U.S.), Health Canada, and the MHRA (UK) are all regulatory authorities.
Supplier Controls
Plain-English Definition: Processes to make sure your suppliers consistently meet your quality and safety standards.
Why it matters: A weak supplier can cause product failures—even if your own processes are perfect.
Example: You audit a sterilization provider before approving them as a supplier, to make sure they meet ISO 13485 requirements.
FAQs: ISO 13485 Glossary
Q1. Do I need to memorize all these ISO 13485 terms for an audit?
No. Auditors don’t expect you to recite definitions. What they do expect is that you understand how the terms apply in your company’s processes and can show real evidence when asked.
Q2. What’s the difference between DHF, DMR, and DHR?
Think of it like this:
- DHF = how the device was designed (the design story).
- DMR = how to make the device (the recipe).
- DHR = proof you followed the recipe for each product batch.
Q3. How much technical detail is expected from smaller companies or startups?
Auditors expect the same core compliance, but smaller companies don’t need the complexity of big corporations. The key is consistency and traceability—even a startup can meet ISO 13485 by keeping things simple but thorough.
Conclusion: Turning Jargon into Clarity
ISO 13485 can feel intimidating when you first read through it—acronyms everywhere, technical terms that sound abstract, and auditors who seem to speak their own language. But once you strip the jargon down to plain English, it all starts to make sense. These aren’t just “compliance words”—they’re practical tools to help you design, build, and deliver safe medical devices with confidence.
Here’s what I’ve noticed after training teams: the moment people stop getting lost in the terms, they start actually using the system. Audits go smoother, documentation feels less like a chore, and compliance becomes part of how the company works day-to-day.
So, keep this glossary handy—whether you’re preparing for certification, onboarding new team members, or just trying to make sense of an audit report. When you understand the language of ISO 13485, you’re not just speaking compliance—you’re speaking the language of patient safety and trust.
Melissa Lavaro is a seasoned ISO consultant and an enthusiastic advocate for quality management standards. With a rich experience in conducting audits and providing consultancy services, Melissa specializes in helping organizations implement and adapt to ISO standards. Her passion for quality management is evident in her hands-on approach and deep understanding of the regulatory frameworks. Melissa’s expertise and energetic commitment make her a sought-after consultant, dedicated to elevating organizational compliance and performance through practical, insightful guidance.