ISO-13485QMSRvalidationmedical-deviceIQ-OQ-PQprotocol-generation

How to Generate ISO 13485 Validation Protocols

Valiqa Team|July 5, 2026|5 min read|
How to Generate ISO 13485 Validation Protocols

For a medical device manufacturer, an ISO 13485 validation protocol is not a special document type. It is an IQ, OQ, or PQ protocol that is grounded in the right clause of the standard, scoped to risk the way the standard expects, and traceable enough to satisfy both an ISO 13485 auditor and, for anyone selling in the US, an FDA investigator working from the Quality Management System Regulation. Generating one quickly is entirely possible. Generating one that holds up requires knowing what the standard actually asks for.

This guide covers exactly that. What ISO 13485 expects from process and equipment validation, how the FDA QMSR changes the picture for US manufacturers, how to ground a protocol in the standard rather than gesturing at it, and how to generate defensible IQ, OQ, and PQ drafts without hand-building every table. We will also be honest about where a generator fits and where it does not.

If you want to produce one now, you can generate a structured, ISO 13485-grounded IQ, OQ, or PQ protocol from your equipment context and review what it produces. Start at /signup, or read the model first.

What ISO 13485 actually expects from validation

ISO 13485:2016 is the international consensus standard for medical device quality management systems. Its validation expectations sit mainly in the clauses on production and service provision. The standard requires you to validate processes for production and service provision where the resulting output cannot be verified by subsequent monitoring or measurement, and where deficiencies become apparent only after the product is in use. It also expects you to qualify the equipment and infrastructure those processes depend on.

In practice that means the standard drives the same IQ, OQ, and PQ structure medical device teams already use, plus process validation for the processes that cannot be fully verified downstream. The standard does not prescribe a specific protocol template. It sets expectations: validation is planned, criteria are defined in advance, results and conclusions are recorded, and revalidation is triggered by change. A protocol that meets those expectations, grounded in the relevant clause, is an ISO 13485 validation protocol. We cover the underlying qualification structure in IQ vs OQ vs PQ and what actually goes in each one.

A diagram linking ISO 13485 production and service provision clauses to equipment qualification IQ OQ PQ and to process validation, with a note that outputs not verifiable downstream must be validated

How the FDA QMSR changes the picture

If you sell in the US, ISO 13485 is not a separate world from FDA. Under the Quality Management System Regulation final rule, 21 CFR Part 820 now incorporates ISO 13485:2016 by reference, with FDA-specific additions for areas such as traceability, complaints, and recordkeeping. This matters for how you ground a protocol.

For a US medical device manufacturer, think of the predicate regulation as 21 CFR Part 820, with ISO 13485 incorporated, and 21 CFR Part 11 layered on where electronic records and signatures are involved. A protocol grounded only in the ISO clause, with no acknowledgment of the predicate regulation an FDA investigator enforces, is weaker than one that cites both. Generating a protocol that carries the right predicate reference alongside the ISO clause is part of making it defensible on both sides of that relationship.

How to ground a protocol in ISO 13485, not gesture at it

The weak version of an ISO 13485 protocol has a line at the top saying "this protocol complies with ISO 13485" and nothing else. An auditor reads that as decoration. The strong version grounds each part of the protocol in the specific expectation it satisfies.

Plan and define criteria in advance. ISO 13485 expects validation to be planned and acceptance criteria defined before execution. The protocol should show approved, measurable acceptance criteria, tied to specifications and design inputs, approved before the first execution date. Vague criteria are the fastest way to a finding, as we detail in how to write acceptance criteria that won't get flagged in an audit.

Scope to risk. ISO 13485 is explicit that a risk-based approach runs through the quality system, and ISO 14971 is the recognized standard for medical device risk management. The protocol should scope its testing to the risks the equipment or process presents, with a documented rationale, not test everything to the same depth.

Trace requirements to tests to evidence. The QMSR emphasis on traceability, and the general expectation of defensible validation, means each requirement should map to a test and a recorded result. A built-in traceability matrix is how you show it. The method is in the traceability matrix in validation.

Record results, conclusions, and approvals. The standard expects recorded results, a conclusion stating what was and was not validated, and documented approvals. The protocol needs a clean approval block, with quality among the approvers, before execution, and a review of results after.

Trigger revalidation on change. ISO 13485 expects revalidation when changes affect the validated state. The protocol and its surrounding process should make that trigger explicit. We cover the decision in revalidation: when do you actually need to redo IQ/OQ/PQ.

Generating the protocol without hand-building every table

Once you know what the standard expects, generating a protocol that meets it is a matter of getting the structure, criteria, traceability, and regulatory grounding right, quickly and consistently. You can do this with hardened Word templates and a disciplined engineer, and good teams do. A generator changes the arithmetic by making the repetitive parts free.

A protocol generator takes your equipment or process context and produces a structured IQ, OQ, or PQ draft with measurable acceptance criteria tied to specifications, a built-in requirements-to-tests-to-evidence traceability matrix, regulatory scaffolding that references the ISO 13485 clause and the predicate Part 820 basis, a risk-informed test plan, and an audit-ready export. It is a draft. Your qualified engineer reviews it, confirms the tests and criteria are right, adjusts the risk scope using their judgment, and approves it inside your quality system. Regulators and ISO auditors alike expect a qualified person to sign the protocol, and that accountability stays with your team.

A split view: on one side a blank ISO 13485 template being hand-filled table by table, on the other a generated draft with criteria, matrix, and clause references already populated for an engineer to review, labeled review not rebuild

Where a generator fits, and where it does not

A generator fits when you have a working ISO 13485 quality system, a focused set of validation engineers who own review and approval, and a backlog of equipment and process qualifications that needs defensible documentation faster. That describes a lot of mid-market device manufacturers: teams with real quality functions but not a large standalone validation department, who need to move without a multi-quarter software procurement.

A generator is honestly not the answer in a few cases. If you need native controlled execution of test steps with electronic data capture and review-by-exception inside one system, that is an enterprise validation lifecycle platform, and our comparison pages are the honest place to weigh those. If you need native deviation and CAPA linkage from the executed protocol into your quality system, that is enterprise or a QMS-centered platform. And if you run one qualification a year with a single engineer and strong template discipline, you may not need a tool yet. The category-level breakdown is in how to choose validation software for equipment qualification.

Valiqa is a self-serve protocol generator built for the fit case above. You sign up, enter your equipment context, and get an ISO 13485-grounded IQ, OQ, or PQ protocol draft with measurable acceptance criteria, a built-in traceability matrix, the right clause and predicate references, and an audit-ready export, reviewed and approved by your qualified engineer inside your own quality system. Pricing is public at /pricing, you can generate your first protocol without a sales cycle at /signup, and you can start from your equipment type with the protocol selector. If you want an honest read on whether a generator or a different category fits your team, take the self-scoring at /evaluate.

Frequently Asked Questions

Ready to automate your validation documentation?

Generate audit-ready IQ/OQ/PQ protocols in minutes, not weeks.

Get Started

We use essential cookies for authentication and security. With your consent, we also use Microsoft Clarity on our marketing pages to understand how visitors navigate the site. Learn more.