Reality check · ISO-13485

Your ISO 13485 audit determines whether you can ship medical devices. Walk the floor first.

A pre-audit walk for medical device manufacturers certified to ISO 13485:2016. We find the gap between your QMS documentation and your floor before your Notified Body or FDA does.

ISO 13485 is the QMS standard the medical-device industry runs on. Where ISO 9001 cares whether your QMS is effective, ISO 13485 cares whether your device will hurt a patient. The clause language enforces that distinction. So does the auditor. The Reality Check exists because most certified medical device shops we walk through have a design-controls program that passes paper review and a CAPA program that closes faster than it should, and the auditor finds both in the same week.

Quick answer

The ISO 13485 Reality Check is a pre-audit walk for medical device manufacturers certified or seeking certification to ISO 13485:2016, or preparing for FDA QSR / 21 CFR 820 inspection. Brass & Bench partners come onsite for four to six days, walk the QMS against the floor reality with attention to the medical-device-specific clauses (design controls, risk management, CAPA, complaint handling, traceability), and deliver a bound gap-matrix report. Pricing is $35,000 to $60,000 all-inclusive depending on facility size, device classification, and whether the audit is by a Notified Body, FDA, or a customer. Most clients use this engagement four to twelve weeks ahead of an audit or after a 483 / Form 5 nonconformance.

By Lorrie Lynn · Founding Partner. Operations, Manufacturing & International Contracts · Updated May 14, 2026

The gap

What the registrar finds that your internal audit missed.

ISO 13485 gaps cluster in seven places.

Design controls (Clause 7.3). Design inputs, design outputs, design reviews, design verification, design validation, design transfer, and design changes. The auditor traces one device family through all seven sub-clauses. Common gap: design verification documentation is thinner than design validation documentation, or design transfer to manufacturing lacks the validated work instructions, training records, and tooling qualifications the clause requires.

Risk management (ISO 14971 integration). ISO 13485 requires ISO 14971-compliant risk management across the device lifecycle. The Hazards & Risks file (often called the Risk Management File) needs to be current and traceable to the design controls. Common gap: the Risk Management File was completed at initial submission and has not been re-walked against post-market data, complaint trends, or design changes. The auditor cross-checks the Risk Management File against the complaints log.

CAPA (Clause 8.5.2). Corrective and preventive action with documented root-cause analysis, effectiveness checks, and trend analysis. Common gap: CAPAs get closed without effectiveness verification, or the trend analysis is qualitative when the clause expects quantitative. FDA QSR 820.100 reads even tougher than ISO 13485 on this. Auditors universally read the CAPA log first.

Complaint handling (Clause 8.2.2). Complaints must be documented, evaluated for MDR / Vigilance reportability, investigated, and trended. Common gap: complaints get routed to engineering for resolution but the reportability evaluation is missing or perfunctory. MDR-reportable events get logged late. The 30-day reporting window is a hard FDA threshold.

Traceability (Clause 7.5.9, 8.3). Forward and backward traceability from raw material lot to finished device serial to customer to complaint. Common gap: the traceability works in the documented direction (lot to device) but not in the reverse direction (complaint back to lot back to supplier). Auditors test traceability by picking a complaint and asking you to trace to the originating raw-material supplier.

Sterilization or special process validation (where applicable). Sterilization, packaging, environmental controls, and software development lifecycle (for SaMD or device software) all qualify as special processes. Common gap: the validation was performed at initial qualification and has not been revalidated against process changes. Auditors read the change control log against the revalidation log.

Management with executive responsibility (Clause 5.5.1). ISO 13485 requires named executive responsibility for the QMS, including a Management Representative with documented authority. Common gap: organizational changes have made the named Management Representative obsolete, or the executive responsibility is delegated to someone without the authority the clause requires.

The path

How we close the gap before the audit.

The Reality Check is structured around device-classification-specific risk and the audit body in scope.

Day zero. Remote intake. Your QMS manual, procedures, work instructions, design history files for the device families in scope, Risk Management Files (ISO 14971), twelve months of CAPAs, twelve months of complaints with reportability evaluations, supplier-management procedure with supplier qualification records, validation reports for sterilization or other special processes, the last two audit reports (Notified Body, FDA, or customer), and any post-market surveillance data.

Day one. Design controls and Risk Management File. Lorrie Lynn and one supporting partner trace one or two device families through Clause 7.3 end-to-end. The Risk Management File is cross-checked against design controls and the live complaints trend.

Day two. CAPA and complaints walk. Twelve months of CAPAs are reviewed for root-cause depth, effectiveness verification, and trend analysis. The complaints log is reviewed for MDR reportability evaluation timing. Where the audit body is FDA, the QSR 820.100 lens is also applied.

Day three. Traceability test. The team picks two or three complaints and traces them backward to raw-material lots and forward to all affected serial numbers. Where the trace breaks, the gap is logged.

Day four. Special-process validation. Sterilization, packaging, or software-lifecycle validation reviewed for revalidation discipline against the change-control log.

Day five. Findings build. Bound gap-matrix report built in real time, sequenced to the audit calendar.

Day six (if needed). Multi-site, multi-product-family, or pre-FDA-inspection scenarios.

The bound report ships within forty-eight hours of onsite wrap. We have direct experience with Notified Body audits, FDA QSR inspections, and customer audits from major medical-device OEMs.

ISO-13485 audit coming up? Let's find the gap first.

The first call is a thirty-minute conversation. We tell you whether the Conformance Reality Check is the right product, or whether you need something different.