Regulatory Assist
Quality Systems 15 min read

Gap Analysis Checklist for Medical Device QMS (ISO 13485:2016)

A comprehensive, clause-by-clause assessment you can use to evaluate your Quality Management System against ISO 13485:2016, FDA QSR/QMSR, EU MDR, and MDSAP requirements.

Why Perform a QMS Gap Analysis?

A Quality Management System (QMS) gap analysis is the single most effective way to understand your current state of regulatory compliance. Whether you're preparing for your first ISO 13485 certification audit, transitioning from MDD to EU MDR, expanding into SFDA or Health Canada markets, or responding to audit findings, a structured gap analysis provides:

  • A clear picture of your compliance maturity level
  • A prioritized roadmap of what to fix first
  • Cost and timeline estimates for remediation
  • A baseline to measure improvement over time

How to Use This Checklist

For each clause below, rate your organization's compliance as:

  • Compliant — Fully meets the requirement with objective evidence
  • Partially Compliant — Some processes or documentation exist but are incomplete
  • Non-Compliant — No evidence of the requirement being met
  • N/A — Not applicable to your organization with documented justification

Clause 4: Quality Management System

4.1 General Requirements

  • Is the QMS documented and implemented as required by ISO 13485?
  • Are the processes needed for the QMS identified, including outsourced processes?
  • Are the criteria and methods for effective operation of these processes determined?
  • Are regulatory requirements applicable to your device(s) identified and documented?

4.2 Documentation Requirements

  • Does a Quality Manual exist that includes the scope, justified exclusions, and documented procedures?
  • Is there a device file (DHF / Technical File) for each device or device family?
  • Are document control procedures in place (approval, review, revision, distribution)?
  • Are records controlled with defined retention periods that meet regulatory requirements?

Clause 5: Management Responsibility

  • Has top management demonstrated commitment to the QMS?
  • Is there a documented Quality Policy that is appropriate and communicated?
  • Are quality objectives measurable and consistent with the quality policy?
  • Is management review conducted at planned intervals with required inputs and outputs?
  • Is a Management Representative appointed with defined authority?

Clause 6: Resource Management

  • Are resources adequate to maintain the QMS and satisfy regulatory requirements?
  • Are personnel competent based on education, training, skills, and experience?
  • Are training records maintained, including training effectiveness evaluations?
  • Is the infrastructure (work environment, equipment, utilities) adequate and documented?
  • Are work environment requirements (cleanliness, contamination control, ESD) documented where applicable?

Clause 7: Product Realization

7.1 Planning

  • Are quality plans or device development plans documented for each product?
  • Is risk management applied throughout product realization per ISO 14971?

7.2 Customer-Related Processes

  • Are product requirements (regulatory, customer, statutory) determined and reviewed?
  • Are customer communication processes established and maintained?

7.3 Design and Development

  • Are design and development plans established with defined stages, reviews, and responsibilities?
  • Are design inputs defined and reviewed for adequacy?
  • Are design outputs traceable to design inputs?
  • Are design reviews, verification, and validation performed at appropriate stages?
  • Is design transfer documented and verified?
  • Are design changes controlled and assessed for impact on product and regulatory status?
  • Is a Design History File (DHF) maintained for each device?

7.4 Purchasing

  • Are suppliers evaluated, selected, and monitored based on their ability to meet requirements?
  • Do purchasing documents adequately describe the purchased product requirements?
  • Is incoming inspection/verification performed as appropriate?

7.5 Production and Service

  • Is production carried out under controlled conditions?
  • Is product identified throughout production, and is traceability maintained?
  • Are unique device identifiers (UDIs) assigned as required?
  • Are validation and process validation records maintained for special processes?
  • Are sterilization processes validated (if applicable)?
  • Is servicing documented and controlled per regulatory requirements?

7.6 Monitoring and Measuring Equipment

  • Is monitoring and measuring equipment identified, calibrated, and maintained?
  • Are calibration records retained with standards traceable to international standards?

Clause 8: Measurement, Analysis, and Improvement

8.2 Monitoring and Measurement

  • Is customer feedback (including complaints) collected and analyzed?
  • Are internal audits conducted at planned intervals with qualified auditors?
  • Are products inspected at appropriate stages with defined acceptance criteria?

8.3 Control of Nonconforming Product

  • Is nonconforming product identified, documented, evaluated, and dispositioned?
  • Are advisory notices and field safety corrective actions managed?

8.4 Analysis of Data

  • Is data from quality objectives, complaints, audits, and processes analyzed for trends?
  • Is post-market surveillance data incorporated into improvement decisions?

8.5 Improvement

  • Is a CAPA process established with root cause investigation, correction, and effectiveness verification?
  • Are CAPAs documented and verified for effectiveness?

Multi-Regulatory Considerations

Beyond the core ISO 13485 clauses, if you are submitting to multiple markets, your gap analysis should also check for:

  • FDA (21 CFR 820 / QMSR): MDR/MDR-related reporting requirements, 510(k) submission readiness, UDI compliance
  • EU MDR: Technical documentation requirements per Annex II/III, clinical evaluation, PMS/PMCF plans, Economic Operator obligations
  • SFDA: Arabic labeling, GHAD system readiness, MDMA renewal timelines, KSA-specific device classification
  • Health Canada: MDSAP audit readiness, MDEL licensing, incident reporting per SOR/98-282

Next Steps

This checklist provides a starting point, but a thorough gap analysis requires experienced eyes that understand not just the letter of the standard, but how auditors interpret it. Our team has conducted hundreds of QMS gap analyses across all major regulatory jurisdictions.

Schedule a free consultation to discuss your specific QMS needs, or explore our Gap Analysis & Remediation services.

Related Articles

Risk Management

How to Prepare ISO 14971 Risk Files for SFDA Registration

Step-by-step guide for SFDA-compliant risk management.

 SFDA

Top 10 Common Risk File Issues in SFDA Submissions

Frequent deficiencies and practical fixes.

Need Help With Your QMS Gap Analysis?

Our experienced engineers conduct clause-by-clause assessments tailored to your target markets — FDA, EU MDR, SFDA, Health Canada, and MDSAP.

Schedule Free Consultation