Building a QMS (Quality Management System) for Medical Device

Bringing a medical device to market requires more than innovative design and clinical excellence, it demands a robust, compliant Quality Management System (QMS). ISO 13485:2016 and various regional regulations, such as the FDA’s new Quality Management System Regulation (QMSR), mandate structured documentation, risk management, and continuous quality improvement to ensure patient safety and product efficacy. In this blog, we outline the foundational components of a QMS for medical devices, providing clear guidance to help your organization build a compliant and efficient system ready for regulatory scrutiny and market success.

First step is determining where the medical device will be marketed and which regulations need to be followed:

• For USA – FDA Regulation: 21CFR part 820- Ensures the safety, effectiveness and quality of medical device throughout their lifecycle; Revised part 820 is now titled Quality Management System Regulation (QMSR) and incorporates by reference the quality management system requirements of ISO13485:2016; The FDA will enforce the QMSR requirements upon the effective date of February 2, 2026.
• For European Union – EU Medical Device Regulation MDR: Is a set of regulations (officially known as Regulation (EU) 2017/745) that govern safety and performance requirements for medical devices in the European market.

Next step, start developing your QMS documentation.

Quality Documents Required per ISO 13485 Clause, 4.2.1: 

Quality Policy– Top level document that must be established by management, emphasizing their commitment to quality and the effectiveness of the QMS. 

• The Policy must include a commitment to comply with applicable regulatory requirements and to maintain the QMS’s effectiveness. It must be  communicated to everyone in the organization.
• The policy should provide a framework for setting quality objectives and driving quality  improvement efforts. 
• It should focus on continuous improvement, risk management and customer satisfaction. 
• The quality policy should be regularly reviewed to ensure it remains relevant and aligned with the organization’s direction

Organizational Chart-Defines the authorities and interrelations of all personnel;  It also ensures employees have defined and documented authorities and responsibilities.

Quality Goals/Objectives– These are mandatory in ISO13485. A  medical device company cannot meet customer and regulatory requirements, continue improvements, or enhance customer satisfaction without quality goals/objectives.

Quality Manual– Describes the scope of your company’s QMS. Should include the following items:

• The scope of the quality management system, including details of and justification for any exclusion or non-application.
• The documented procedures for the quality management system, or reference to them.
• A description of the interaction between processes of the quality management system.
• An outline of the structure of documentation used in the quality management system.

Additional items recommended for a Quality manual, include the following:

• A brief description of the company, its mission, and vision.
• Your quality policy, which is a formal statement of the company’s commitment to quality and continuous improvement within their QMS.
• A list of any definitions or abbreviations used in the quality manual.
• A list of the regulations and standards you are following. (This is especially important if your products are sold in multiple markets.)

Documents & Records Control:

Per Section 4.2.4 of ISO 13485 Document Control must be established over all internal documents and those of external origin, covering their preparation, issuance, adequacy, approval, re-approval, revision, retrieval, availability, legibility, archival and destruction. The SOP should include following items:

• Document Identification
• Change to Documents
• How & where to store documents

Mandatory documents and  records for ISO13485:2016 include: 40  documents and 47 records. Syner-G can assist with the development of this documentation.

Design & Development, section 7.3.2 of ISO13485:

Product Development Plan – This plan should address design inputs, outputs, verification, validation, and the overall development process, which includes development stages and determining the necessary resources and responsibilities.

Design Inputs – Specify the requirements that a medical device must meet to address the needs of users, patients, and other stakeholders. These inputs include performance requirements, safety and regulatory requirements, and user needs. This includes features, performance characteristics, materials, and any other applicable specifications.

Design outputs – These are the tangible results of the design process, such as drawings, specifications, and manufacturing instructions. ISO 13485 requires that these outputs be documented and reviewed to ensure they meet the design inputs and are suitable for manufacturing, testing, and quality control processes.

Design Verification: Perform testing and analysis to ensure that the design outputs meet the design input requirements. This includes activities like inspections, laboratory testing, and performance evaluations. It is important to document the results of these verification activities to show due diligence and proof of process.

Design Validation: Validate the medical device design to ensure it meets the intended use and user needs. This may involve clinical evaluations, usability studies, and other relevant assessments. Documenting the validation activities and results is an important part of the process.

Design Changes: The standard requires a systematic approach to managing design changes, including documenting, reviewing, and approving any modifications made to the device design. All change reviews must evaluate the effect on existing products, risk management, and product realization activities.

Technical File of the Medical Device, typically includes following:

1. General Information: This section provides an overview of the medical device, including its intended use, indications, and classification.
2. Device Description:  Information in detail about the device’s design, components, and specifications is provided. This includes technical drawings, schematics, and material specifications.
3. Manufacturing Process: The documentation outlines the manufacturing process, including quality control measures, testing procedures, and any relevant certifications or standards followed.
4. Risk Management: Addresses the assessment and mitigation of potential risks associated with the device, including risk analysis, hazard identification, and risk control measures.
5. Performance Evaluation: Documentation should include data and test results demonstrating the device’s performance, safety, and efficacy. This may involve clinical studies, usability testing, and other performance evaluations.
6. Labeling and Instructions for Use: Includes labeling information, such as product labeling, packaging information, and instructions for use, ensuring proper handling and administration of the device.

Competence & Training ISO 13485 Clause 6.2:

Training Matrix- Also known as a skills matrix is a visual  tool to plan, track and manage employee training.

Per ISO 13485, Personnel performing work affecting product quality shall be competent based on appropriate education, training, skills, and experience.

Training Program:  Everyone involved with the company should have some level of training and that training will differ depending on their function & job description. Provided Training can be via an eQMS, standalone training software or using a paper based document management system.

Training Records per ISO 13485 :

• Job description which ensures defined, documented and communication of a person’s responsibilities. Should be signed by hiring manager and employee to document their awareness  of the job’s responsibilities and they have been communicated to the employee
• Training requirements for each role (or training matrix)
• Evidence of company-specific training
• Evidence of outside training or education
• Criteria for evaluating the effectiveness of training

• Evidence that the effectiveness of training was evaluated (Effectiveness can be evaluated via Written/ Multiple choice tests, Employee Interviews or by Evidence of Successful work on the job)

Control of Production and service provision, ISO 13485 Clause 7.5.1:

This clause contains general requirements for the production and service provision process. It requires the organization to plan, conduct, monitor and control the production and service provision process to ensure a product that conforms to specification:

• Documentation of procedures and methods for the production control 
• Qualification of infrastructure
• Implementation of monitoring and measuring process parameters and product characteristics 
• Availability and use of monitoring and measuring 
• Implementation of defined operations for labeling and packaging 
• Implementation of product release, delivery, and post-delivery activities 
• Cleanliness of the product

• Installation activities

• Servicing activities

• Particular requirements for sterile medical devices

• Validation of process for production and service provision

• Particular requirements for validation of processes for sterilization and sterile barrier systems

• Identification and traceability

• Customer property

• Preservation of product

Purchasing & Suppliers Management, ISO 13485 Clause 7.4.1: 

This clause covers supplier selection, evaluation & monitoring

Suppliers List- Includes every supplier that affects your QMS or medical device

Supplier’s qualifications- Can the supplier produce the product you need and do they meet your organization’s requirements. You need to define your purchased product quality requirements. A Supplier Checklist should be created for every supplier on your Supplier List.

When defining product requirements use a risk-based approach based on criticality of the product & supplier. Establish quality controls for the purchased products and for supplier audits.

Monitoring includes checking whether you are a receiving the product that you required. Monitoring also includes tracking if the supplier is delivering the quality you expect for the purchase product. 

ISO 13485 Clause 8: Measurement, Analysis, and Improvement

All organizations are required to create a plan and then apply it to the monitoring, measurement, analysis, and improvement processes needed to meet the conformity needs of the product, to ensure the conformity of the QMS, and maintain the effectiveness of the QMS.

Each organization is required to monitor and measure a variety of information to improve their process and meet customer needs this includes: Customer Feedback, Complaint Handling, Reporting to Regulatory Authorities, Internal Audits and Monitoring & measuring processes and products.

Organizations are required to react to any product that is not conforming to product requirements. Organizations need to identify and control these products to ensure that they are not used and distributed further. This process needs to be documented and maintained. The Corrective and Preventive Action (CAPA) processes help to correct non-conformances and address the issue to correct and prevent it from recurring.

Organizations need to collect and analyze appropriate data to determine the efficiency of their QMS. The procedures to determine this need to include data collection and analysis, including statistics to help understand the extent of the QMS productivity. The analysis needs to include at a minimum: feedback; conformity to product requirements; characteristics and trends of processes and products; suppliers; audits; service reports.

Organizations need to identify and implement any changes necessary to maintain the QMS effectiveness, and the medical device safety and performance. Organizations need to do this by their quality policy, quality objectives, audit results, post-market surveillance, analysis of data, corrective actions, preventive actions, and management review.

Syner-G’s QMS Solutions for Medical Device Companies:
At Syner-G, we understand that navigating regulatory expectations can be overwhelming. Our team of industry experts offers tailored support to help medical device companies develop, optimize, and maintain compliant Quality Management Systems.

Here’s how we can help:

• Comprehensive Gap Assessments: Evaluate your current systems against ISO 13485:2016 and FDA QMSR requirements to identify compliance gaps.
• QMS Development & Transition Planning: Build or enhance your QMS with actionable, structured transition plans that address your unique operational needs.
• Customized Documentation Support: Receive draft Standard Operating Procedures (SOPs) and essential QMS documentation tailored to your device type and market strategy.
• Regulatory Audit Preparation: Prepare for inspections with audit services that assess readiness and pinpoint critical improvements.
• Risk Management Program Enhancement: Strengthen your risk management processes to meet regulatory expectations and improve patient safety outcomes.
• Supplier Quality Audits: Ensure supply chain compliance through independent audits and supplier oversight.

Ready to strengthen your Quality Management System?
Partner with us to build a compliant, efficient, and inspection-ready QMS tailored to your medical device needs. Contact us today to learn more about our customizable support solutions.