---
title: Combine ISO 13485 and MDR Annex IX Audits: The Efficient Approach
description: How to combine ISO 13485 and MDR Annex IX audits into one efficient assessment, what overlaps, and the gap items only MDR covers.
authors: Tibor Zechmeister, Felix Lenhard
category: Quality Management Under MDR
primary_keyword: combine ISO 13485 MDR Annex IX audit
canonical_url: https://zechmeister-solutions.com/en/blog/combine-iso-13485-mdr-annex-ix-audits
source: zechmeister-solutions.com
license: All rights reserved. Content may be cited with attribution and a link to the canonical URL.
---

# Combine ISO 13485 and MDR Annex IX Audits: The Efficient Approach

*By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.*

> **You can combine an EN ISO 13485:2016+A11:2021 certification audit and an MDR Annex IX Chapter I QMS assessment into a single, jointly scoped on-site audit when the same Notified Body holds both scopes. The overlap is large — most of the ISO 13485 clauses map directly to Annex IX Chapter I QMS requirements — but the two assessments are not identical. A combined audit saves audit-days, travel, preparation effort, and calendar time, provided the founder understands which items only the MDR side covers and plans the scope with the Notified Body up front. This post maps the overlap, flags the gap items, gives a realistic combined-audit timeline, and explains how to prepare once rather than twice.**

**By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.**

---

## TL;DR

- When the same Notified Body is accredited for both EN ISO 13485:2016+A11:2021 certification and MDR Annex IX Chapter I conformity assessment, the two audits can and usually should be run as a single combined assessment.
- The overlap is dominant: most ISO 13485 clauses map directly to the MDR Annex IX Chapter I QMS requirements, because ISO 13485 is the harmonised standard that supports presumption of conformity with MDR Article 10(9).
- The gap items — things only the MDR side covers — include PRRC obligations, PMS and PMCF system integration, vigilance processes linked to MDR Articles 87–92, UDI and Eudamed processes, and the technical documentation assessment that Annex IX pairs with QMS assessment.
- A combined audit typically cuts total on-site time and preparation effort versus running two separate audits back to back, and it removes the risk of contradictory findings from two different auditor teams.
- Scope must be agreed in writing with the Notified Body before the audit plan is issued. "We assumed it was combined" is not a scope.
- Unannounced audits under Annex IX still land independently of surveillance audits and cannot be merged into the combined schedule.

---

## Why founders ask this question

A founder hits this question the moment they realise they are staring down two audits that look almost identical. The certification body sales team quoted an ISO 13485 audit. The Notified Body contract covers an MDR Annex IX QMS assessment. Both want two auditor-days on site. Both want the same SOPs, the same records, the same management review minutes, the same CAPA file. The founder does the maths and asks the obvious question. "Can we just do this once?"

The answer is yes, if the Notified Body holds both scopes and the combined audit is planned properly. The answer is no, if the founder assumes it happens automatically. This post is the operational version of that answer.

For the certification path itself, see the MDR QMS certification walkthrough. For the Notified Body selection decision that sits behind this, see the ISO 13485 certification body choice post. For the underlying Annex IX QMS conformity assessment structure, see the Annex IX QMS conformity assessment post.

## What the MDR actually says

Conformity assessment procedures for Class IIa, IIb, and III devices under the MDR route through Annex IX (or Annex X/XI for specific alternatives). The QMS assessment element of Annex IX is set out in Chapter I. (Regulation (EU) 2017/745, Article 52 and Annex IX, Chapter I.)

Article 52 of the MDR sets out the conformity assessment procedures available to manufacturers of devices other than custom-made and investigational devices, with Annex IX being the default full quality management system route. (Regulation (EU) 2017/745, Article 52.)

Article 53 sets out the general rules on involvement of Notified Bodies and permits combined audit scopes where the same Notified Body is responsible for multiple relevant assessments. (Regulation (EU) 2017/745, Article 53.)

EN ISO 13485:2016+A11:2021 is the harmonised standard for QMS requirements for regulatory purposes. Its A11:2021 amendment adds annexes that map the ISO clauses to the MDR (and IVDR) requirements, which is the formal mechanism that makes a combined audit coherent.

> *"The applicable QMS standard referenced by MDR Article 10(9) is EN ISO 13485:2016+A11:2021."* — EN ISO 13485:2016+A11:2021, harmonised version.

The practical consequence is that when the auditor assesses a clause of ISO 13485, they are simultaneously assessing the matching Annex IX Chapter I requirement — provided the scope of the audit has been defined to include both.

## Where ISO 13485 and MDR Annex IX Chapter I overlap

The overlap is the reason combined audits exist. A very large portion of what an Annex IX Chapter I QMS assessment looks at is already covered by a correctly implemented ISO 13485 QMS. The A11:2021 amendment to EN ISO 13485:2016 makes this mapping explicit in its informative annexes, which is what allows a Notified Body to use a single audit team, a single audit plan, and a single set of audit evidence for both assessments.

Areas where the overlap is effectively complete:

- Management responsibility, management review, and the quality policy and objectives.
- Resource management, infrastructure, work environment, and competence and training.
- Document control and records control.
- Design and development planning, inputs, outputs, review, verification, validation, transfer, and change control.
- Purchasing and supplier controls.
- Production and service provision, including process validation where required.
- Control of monitoring and measuring equipment.
- Internal audit programme.
- Control of nonconforming product.
- Analysis of data, improvement, corrective and preventive action.
- Customer-related processes, including feedback handling.

If an auditor assesses these clauses under ISO 13485 and finds them conformant, the matching Annex IX Chapter I QMS requirements are assessed in the same motion. There is no second audit of the same ground.

## Where the gap sits — items only the MDR side covers

The overlap is dominant but not total. A founder who prepares only for an ISO 13485 audit and assumes the MDR side is automatic will fail the Annex IX Chapter I assessment on the gap items. These items exist because the MDR imposes obligations that ISO 13485 does not — or imposes them with specific MDR-defined scope that the general standard does not reach.

Gap items to plan for explicitly:

- **Person Responsible for Regulatory Compliance (PRRC).** MDR Article 15 establishes the PRRC role. ISO 13485 has no equivalent. The auditor will check the designation, the competence evidence, and the reporting line.
- **Post-market surveillance (PMS) system.** MDR Articles 83 to 86 and Annex III define the PMS system and plan. ISO 13485 covers feedback and post-delivery activities but not the specific MDR PMS architecture including the PMS plan, PSUR where applicable, and PMCF plan linked to the clinical evaluation.
- **Vigilance.** MDR Articles 87 to 92 define serious incident reporting, field safety corrective actions, trend reporting, and Eudamed submission obligations. ISO 13485 references regulatory reporting in general terms; the MDR defines the specific mechanics and timelines.
- **Clinical evaluation and PMCF integration with the QMS.** MDR Article 61 and Annex XIV require the clinical evaluation to be a living process fed by PMS and PMCF data. Annex IX Chapter I checks that the QMS actually does this integration.
- **UDI assignment and Eudamed processes.** MDR Article 27 and related provisions define UDI and Eudamed obligations. The QMS procedures that govern these have no ISO 13485 clause of their own.
- **Technical documentation procedures linked to Annex II and III.** The QMS must define how the technical documentation is built, reviewed, updated, and released. Annex IX Chapter I checks these procedures against the MDR Annex II and III requirements.
- **Article 10(9) specific subparagraphs.** MDR Article 10(9) lists specific QMS aspects the manufacturer must address, including resource management specifically for the PRRC, PMS system, risk management, and clinical evaluation. The Annex IX audit works through these.
- **Technical documentation assessment itself.** This is the other half of Annex IX that is not QMS at all. Annex IX Chapter II is the technical documentation assessment. It runs in parallel with QMS assessment for Class IIa and IIb on a sampling basis and on a full basis for Class III and implantables. ISO 13485 does not touch it.

The gap is not large in pages but it is decisive. A combined audit that ignores these items is not a valid MDR Annex IX assessment.

## Notified Body scope — the precondition

A combined audit is only possible when one organisation holds both the ISO 13485 certification scope (as a certification body) and the MDR Annex IX conformity assessment scope (as a designated Notified Body) for the relevant device type. Many Notified Bodies do. Some do not. A pure certification body that is not MDR-designated cannot issue the MDR certificate no matter how well they audit the QMS.

Before scoping a combined audit, confirm three things in writing:

1. The Notified Body is designated under the MDR for the specific device codes that cover your product.
2. The same legal entity is also accredited to issue EN ISO 13485:2016+A11:2021 certificates.
3. The contract explicitly covers both certificates and the audit plan will be written as a combined plan.

"We assume our Notified Body will do both" is not a scope. It is a finding waiting to happen.

## Combined audit timeline — what a realistic plan looks like

A combined audit for a Class IIa startup with one site and one device family, planned properly, typically runs as follows.

**Application and contract** — scope confirmed in writing for both certificates. Device codes and standard clauses listed. Audit-day estimate issued by the Notified Body including both scopes.

**Stage 1 documentation review** — the Notified Body reviews the QMS documentation against both ISO 13485 clauses and Annex IX Chapter I requirements in one pass. Gap letter issued referring to both sets of requirements.

**Remediation window** — typically weeks, not months. The founder closes gaps from the Stage 1 letter. A second documentation review may be needed if the gap was structural.

**Stage 2 on-site audit** — a single visit, a single audit team, a single audit plan. The plan explicitly identifies which sessions cover ISO 13485 clauses, which cover the MDR-only gap items, and which cover both. On-site time for a combined Stage 2 is typically a small number of days longer than a pure ISO 13485 Stage 2, not double. The saving is real.

**Findings resolution** — a single findings log covering both scopes. Each finding is tagged to the ISO clause, the MDR article or Annex IX section, or both. Closure evidence is submitted once.

**Certificate issuance** — two certificates are issued by the Notified Body. One EN ISO 13485:2016+A11:2021 certificate and one MDR Annex IX certificate. The certificates are independent legal documents even though the audit that supports them was combined.

**Surveillance cycle** — the same combined logic applies at each annual surveillance audit. Unannounced audits under MDR Annex IX still land independently and cannot be combined with planned surveillance.

## The Subtract to Ship playbook — preparing once, not twice

The Subtract to Ship discipline applied to combined audit preparation produces four operational rules.

**Rule 1 — build the QMS against both standards at once.** Do not build an ISO 13485 QMS and then retrofit the MDR gap items. Build the procedures knowing from day one which clauses serve ISO 13485, which serve MDR Annex IX Chapter I, and which serve both. The A11:2021 annexes give you the map. Use them.

**Rule 2 — maintain a single traceability matrix.** One document that lists every QMS procedure and maps it to (a) the relevant ISO 13485 clause, (b) the relevant MDR article or Annex IX section, and (c) the relevant internal audit evidence. The auditor reads this document in the first hour of Stage 1. It is the single strongest signal of QMS maturity a startup can produce.

**Rule 3 — close the MDR gap items explicitly.** PRRC, PMS system, vigilance, UDI and Eudamed, clinical evaluation integration — these get dedicated procedures with dedicated evidence, not a footnote in a general SOP. The auditor will look for them by name.

**Rule 4 — confirm the scope in writing before the audit plan is issued.** The combined scope is a commercial and technical agreement with the Notified Body. Get it in writing. Read the audit plan when it arrives. If the plan does not explicitly cover both scopes, raise it before day one, not at the closing meeting.

## Reality Check — Where do you stand?

1. Is your Notified Body designated under MDR for the specific device codes of your product, and also accredited to issue EN ISO 13485:2016+A11:2021 certificates?
2. Does your contract with the Notified Body explicitly cover both the ISO 13485 certificate and the MDR Annex IX certificate, or are you relying on verbal assumption?
3. Do you have a single traceability matrix that maps each QMS procedure to both the ISO clause and the MDR Annex IX requirement it satisfies?
4. Have you designated your PRRC formally, with competence evidence that would survive an auditor question?
5. Is your PMS system built with an MDR Annex III PMS plan, not just an ISO 13485 feedback process?
6. Are your vigilance procedures written to the specific timelines and scope of MDR Articles 87 to 92?
7. Do you have procedures governing UDI assignment and Eudamed registration processes under document control?
8. Has the Notified Body issued an audit plan that identifies sessions by standard clause and MDR reference, so you know what is being assessed when?

## Frequently Asked Questions

**Can I combine an ISO 13485 certification audit with an MDR Annex IX Chapter I QMS assessment?**
Yes, when the same Notified Body holds both scopes. The EN ISO 13485:2016+A11:2021 amendment includes informative annexes mapping the standard to the MDR, which is what lets a single auditor team cover both assessments in one audit plan. The scope has to be agreed with the Notified Body in writing before the audit plan is issued.

**How much audit time does a combined audit save versus two separate audits?**
A combined audit typically runs only a small number of days longer than a pure ISO 13485 Stage 2 for the same scope, rather than adding a full second audit. The saving is meaningful, including auditor-days, travel, internal preparation, and calendar time. The biggest saving is often avoidance of contradictory findings from two separate auditor teams seeing the same evidence differently.

**What items only the MDR side covers and not ISO 13485?**
The main gap items are the PRRC role under MDR Article 15, the PMS system under MDR Articles 83 to 86 and Annex III, vigilance under MDR Articles 87 to 92, clinical evaluation and PMCF integration into the QMS under MDR Article 61 and Annex XIV, UDI and Eudamed processes, and the specific subparagraphs of MDR Article 10(9). The technical documentation assessment under Annex IX Chapter II is also separate and is not covered by ISO 13485 at all.

**Does a combined audit produce one certificate or two?**
Two. The Notified Body issues an EN ISO 13485:2016+A11:2021 certificate and an MDR Annex IX certificate as independent legal documents, even though the audit that supports them was a single combined assessment. The certificates have different scopes, different durations, and different legal bases.

**Can unannounced audits under MDR Annex IX be combined with annual surveillance?**
No. Unannounced audits under Annex IX are specifically designed to land without advance notice and cannot be merged with planned surveillance audits. Budget them as a separate event that can happen at any point in the certificate cycle.

**What happens if the Notified Body is not designated under MDR?**
A certification body that is not an MDR-designated Notified Body can issue the ISO 13485 certificate but cannot issue the MDR Annex IX certificate. In that case a combined audit is not possible and the MDR conformity assessment has to be run by a different, designated Notified Body. Confirm designation before signing any certification contract.

## Related reading

- [MDR QMS Certification: Using ISO 13485 from Application to Certificate](/blog/mdr-qms-certification-iso-13485) — the certification path this combined audit runs inside.
- [Choosing an ISO 13485 Certification Body for MDR](/blog/iso-13485-certification-body-choice) — how to pick a body that holds both scopes.
- [MDR Annex IX QMS Conformity Assessment Explained](/blog/mdr-annex-ix-qms-conformity-assessment) — the structure of the Annex IX Chapter I assessment this post combines with ISO 13485.
- [MDR QMS Compliance Costs: What ISO 13485 Certification Actually Costs Startups](/blog/mdr-qms-compliance-costs) — where the combined audit saving shows up in the budget.
- [Preparing for the ISO 13485 Stage 2 On-Site Audit](/blog/stage-2-iso-13485-onsite-audit) — how to prepare the operational evidence once for both scopes.

## Sources

1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10, paragraph 9 (QMS obligation on manufacturers), Article 15 (PRRC), Article 52 (conformity assessment procedures), Article 53 (involvement of Notified Bodies), Articles 83 to 86 and Annex III (post-market surveillance), Articles 87 to 92 (vigilance), and Annex IX Chapter I (assessment of the quality management system) and Chapter II (assessment of the technical documentation). Official Journal L 117, 5.5.2017.
2. EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. The harmonised standard that supports presumption of conformity with MDR Article 10(9), with A11:2021 informative annexes mapping ISO clauses to MDR (and IVDR) requirements.

---

*This post is part of the Quality Management Under MDR cluster in the Subtract to Ship: MDR blog. Authored by Tibor Zechmeister and Felix Lenhard. EN ISO 13485:2016+A11:2021 and MDR Annex IX Chapter I were designed to be assessed together. The efficient path is to prepare once, build one traceability matrix, and walk one auditor team through one audit that produces two certificates.*

---

*This post is part of the [Quality Management Under MDR](https://zechmeister-solutions.com/en/blog/category/quality-management) cluster in the [Subtract to Ship: MDR Blog](https://zechmeister-solutions.com/en/blog). For EU MDR certification consulting, see [zechmeister-solutions.com](https://zechmeister-solutions.com).*