ISO 13485 KPIs: Example Key Performance Indicators For Your ISO 13485 Processes

Dr. Oliver Eidel
Updated May 8, 2024

KPIs are like scorecards for organizations, helping them track how well they’re doing and if they’re moving closer to their goals. In the world of ISO 13485 (Section 4.1.3 and Section 8.2.5), process KPIs are important to be compliant. They are the metrics by which the health of our processes is measured.

The perfect opportunity for a health check-up of your process is the Management Review pursuant to ISO 13485:2016 Section 5.6. Of course we also have a template for the Management Review SOP and the Management Review Report. In the Management Review you’ll look at every process and evaluate whether it performs well. To approach it systematically, you need a metric that shows if the process achieved what it is meant to do: those metrics are your KPIs.

You can either define the KPIs for every process in the respective SOPs themselves, and/or you can keep an overview of the KPIs in the template for the Management Review Report.

While the standard does not require a certain number of KPIs, a common number for startups would be to have one or two KPIs per process. But any number higher than 0 is acceptable. This is also depending on the maturity of your QMS. The KPIs will evolve in the course of the Management Reviews and over the years. When you deem some metrics to yield no insights, you are well advised to change them for the upcoming term or even throughout the year.

Following the S.M.A.R.T approach, it makes sense to define a target for your KPIs (goal). That makes the assessment easier in the Management Review, as you can easily determine whether the outcome is acceptable or not.

In case you have no idea which KPIs you could use for your processes, here’s a list of examples:

CAP-SOP: Corrective and Preventive Action

  • Quick completion of root cause analysis and definition of action plan (goal: within 1 week)
  • Average time for completing action plans (goal: < 1 month)

CERT-SOP: Product Certification and Registration

  • Unsuccessful attempts of Notified Body assessment due to incomplete documentation (goal: zero)
  • The regulatory requirements for every relevant market are regularly monitored (goal: yes)

CEV-SOP: Clinical Evaluation

  • PMCF activities are conducted on time and as planned (goal: yes)
  • Information relevant to the risk-benefit-profile of medical devices is taken into account no later than in the same PMCF cycle in which it was made publicly available (goal: yes)

CHM-SOP: Change Management

  • No nonconformities due to incomplete change documentation or contested change evaluation

CSV-SOP: Computerized System Validation

  • No use of software prior to initial validation (goal: yes)
  • Validation schedule adherence: all (re-)validation activities are completed within the planned schedule (goal: yes)

DPL-SOP: Deployment

  • No deployment without prior integration evaluation (goal: yes)
  • No activation of user access without successful integration validation (goal: yes)
  • No outdated entries in the List of Medical Devices (goal: yes)

DRC-SOP: Document and Record Control

  • No major nonconformities during audits related to this process (goal: zero)

SWD-SOP: Integrated Software Development

(Includes Usability Evaluation and Risk Management)

  • Non-conformities due to incomplete / insufficient risk management (goal: 0)
  • Deficiencies discovered during usability testing which require new development work (goal: <3)

FBM-SOP: Feedback Management

  • Short initial response time to feedback (goal: one day)
  • Swift initial action (i.e. initial documentation and classification; goal: 3d)

HRA-SOP: Human Resources Administration

  • All employee training is conducted on time (goal: 100%)

IAU-SOP: Internal Auditing

  • Audit program covers at minimum all applicable paragraphs of ISO 13485 over the course of three years (goal: yes)
  • Audit program is implemented as planned (goal: yes)

MGR-SOP: Management Review

  • Percentage of action items defined in previous management reviews that have been completed (goal: 100%)

PCH-SOP: Purchasing

  • No purchases from critical suppliers for which no supplier evaluation has been conducted yet (goal: 100%)
  • Average response time of suppliers (goal: <=1 work day)

PMS-SOP: Post-Market Surveillance

  • All post-market surveillance activities are conducted on time (goal: 100%)

PRS-SOP: Problem Resolution

  • Quick completion of root cause analysis and decision (goal: within 2 work days)

URG-SOP: Update of Regulations

  • Identify and implement regulatory updates (goal: within three months of publication)

VIG-SOP: Vigilance

  • Incidents are always reported within legal reporting deadlines (goal: 100%)


There is (almost) no right or wrong when it comes to KPIs. Especially when you’re setting up your QMS from scratch, you likely don’t know (yet) what’s the most important metric for your processes. The KPIs listed above give you a good headstart. Thoughout the years, you will look at these metrics at least once per year in the Management Review. Some of them will prove as helpful, some you might need to replace in order to measure the right things and to keep improving. The quality of your KPIs will be proportional to the maturity of your QMS (hopefully).

Keep in mind that KPIs should facilitate an assessment of the performance of the process. When we take the example of the CAPA process, you might think that measuring the number of CAPAs per year makes sense. However, it is not a good indicator for the process. A lot of CAPAs doesn’t mean that the process is bad while few CAPAs likewise doesn’t say anything. Maybe not all CAPAs are reported, maybe you’re opening a CAPA for too many minor issues. The goal of the KPI is to indicate whether the CAPA process does what it should do when you need it.

Likewise, the goal with KPIs is not to always achieve the goal that you’ve set yourself, but rather to actually paint a comprehensive picture of the quality of your products, services and organizational structure. You can always say you’ve achieved your goal if your goal is to “have a product”. It’s not valuable though. If you set out to have zero customer complaints, it’s way harder, but this metric is more likely to show you whether you’re on the right path.

In this regard, the 13485 requirement to measure your processes can actually be helpful for your business. So thanks for requiring this, 13485.

On a slighty different note: You want to get your medical software certified under MDR but don’t know where to start? No worries! That’s why we built the Wizard. It’s a self-guided video course which helps you create your documentation yourself. No prior knowledge required. You should check it out.

Or, if you’re looking for the most awesome (in our opinion) eQMS software to manage your documentation, look no further. We’ve built Formwork, and it even has a free version!

If you’re looking for human help, did you know that we also provide consulting? We’re a small company, so we can’t take on everyone – but maybe we have time for your project? We guide startups from start to finish in their medical device compliance.

Congratulations! You read this far.
Get notified when we post something new.
Sign up for our free newsletter.


Leave the first comment