Introduction: Why ISO 13485 Matters
If you're developing medical software in Denmark, you've likely encountered the ISO 13485 certification requirement. But what does it actually mean, and why is it so critical?
ISO 13485 is the international standard for Quality Management Systems (QMS) specifically designed for the medical device industry. In Denmark and the rest of the EU, this certification is often essential for obtaining approval for medical software under MDR (Medical Device Regulation) and IVDR (In Vitro Diagnostic Regulation).
In Denmark, Lægemiddelstyrelsen oversees compliance with MDR/IVDR requirements. For medical software classified as a Medical Device or Software as a Medical Device (SaMD), documented evidence of a robust quality management system is required - and ISO 13485 is the recognized standard.
Who Needs ISO 13485 Certification?
Not all medical software requires ISO 13485 certification - it depends on how your software is classified under MDR/IVDR regulations.
Software as a Medical Device (SaMD)
If your software diagnoses, treats, monitors, or prevents diseases, it's likely classified as a medical device. Examples include:
- Diagnostic software analyzing medical images
- Treatment recommendation algorithms
- Apps monitoring patients' vital signs
- Clinical decision support systems
Risk Classification
MDR classifies medical devices into Class I, IIa, IIb, and III based on risk level. Understanding your classification is crucial for determining certification requirements.
| Class | Risk Level | ISO 13485 Required | Notified Body |
|---|---|---|---|
| Class I | Low | Voluntary (recommended) | No (except sterile/measuring) |
| Class IIa | Medium-low | Required | Yes |
| Class IIb | Medium-high | Required | Yes |
| Class III | High | Required | Yes (extensive audit) |
ISO 13485 Requirements for Software Development
ISO 13485 establishes specific requirements for how you design, develop, validate, and maintain medical software. Here are the core elements:
1. Quality Management System (QMS)
Your QMS must document:
- Quality policy and objectives
- Organizational structure and responsibilities
- Document control (versioning, approval)
- Change control processes
- Risk management procedures
2. Design Controls
Software development must follow a structured process with clear phases:
Design Input
- Functional requirements (what should the software do?)
- Non-functional requirements (performance, security, compatibility)
- Regulatory requirements (MDR, GDPR, ISO 14971)
- User needs (from end users and patients)
Design Output
- Software architecture documentation
- Detailed design specifications
- Source code with code reviews
- Unit test documentation
3. Risk Management (ISO 14971)
ISO 13485 requires compliance with ISO 14971 for risk management. Your risk assessment must include:
- Hazard identification (what could go wrong?)
- Risk analysis (probability × consequence)
- Risk evaluation (acceptable/unacceptable)
- Risk control measures (how do we mitigate?)
- Residual risk evaluation
4. Software Validation
Validation proves that software meets user requirements under actual conditions. This includes:
- Validation protocol with test cases
- Acceptance criteria
- Production-like test environment
- Representative test data
- Validation report with traceability matrix
The Certification Process: Step-by-Step
Obtaining ISO 13485 certification is a structured process. Here's what to expect:
Step 1: Gap Analysis (2-4 weeks)
Identify differences between current practices and ISO 13485 requirements. Output: Gap Analysis Report with prioritized actions.
Estimated cost: 50,000-100,000 DKK
Step 2: QMS Implementation (3-6 months)
Implement missing processes and documentation. Create QMS documents, design control processes, risk management procedures, and train your team.
Estimated cost: 200,000-500,000 DKK (consultant assistance) + 200-500 hours internal resources
Step 3: Internal Audits (1-2 months)
Verify that the QMS works in practice before the external audit. Conduct internal audits, document findings, and implement corrective actions.
Step 4: Choose Certification Body (2-4 weeks)
Select an accredited Notified Body to certify you. Popular options in Denmark/Europe include TÜV SÜD, BSI, DNV GL, SGS, and DEKRA.
Estimated cost: 100,000-300,000 DKK for initial certification
Step 5: Stage 1 Audit (Document Review)
The certification body reviews your QMS documentation and identifies any gaps before proceeding to Stage 2.
Step 6: Stage 2 Audit (On-site Verification)
The certification body verifies that the QMS implementation matches the documentation through an on-site audit, interviews, and process observations. Duration: 2-5 days depending on organization size.
Step 7: Certification & Surveillance
Receive your ISO 13485 certificate (valid for 3 years). Annual surveillance audits maintain certification. After 3 years, a full re-certification audit is required.
Realistic Timeline and Costs
- Quick track (existing robust processes): 6-9 months
- Typical (moderate documentation gap): 12-18 months
- From scratch (minimal documentation): 18-24 months
Total cost estimate: 500,000-1,450,000 DKK for initial certification, with annual surveillance costs of 50,000-100,000 DKK.
Choosing an ISO 13485-Experienced Software Partner
If you work with an external software development partner, their ISO 13485 experience is critical. Here are key questions to ask:
- Do you have ISO 13485 certification?
- How many medical software projects have you delivered?
- How do you integrate QMS into your development process?
- What documentation do you deliver?
- How do you handle changes after validation?
- Can you support the entire lifecycle from development to post-market surveillance?
Why Bon.do for ISO 13485 Projects
We have 10+ years of experience with life science software, delivering certified medical software for Danish and international clients with deep expertise in both software engineering and regulatory compliance.
Our approach: Quality by Design with the QMS integrated from day 1, Agile-compatible iterative development within a design control framework, and transparent documentation where you own all IP.
Contact us for an obligation-free discussion about your ISO 13485 project.
Conclusion: Take Control of Your ISO 13485 Journey
ISO 13485 certification is a significant investment in time and resources, but it's essential for bringing medical software to market in Europe. With the right approach and partner, the process can be less painful - and provide real value to your organization.
Key takeaways: Start early by implementing QMS from day 1, document continuously, choose an experienced partner with ISO 13485 expertise, see it as value rather than overhead, and plan realistically (12-18 months and 800,000-1,200,000 DKK for most companies).
Need help with ISO 13485 certification or medical software development? Contact Bon.do for a free consultation. We've helped numerous Danish life science companies navigate the certification process and deliver compliant, high-quality medical software.
