Maintaining a QMS after MDR certification means running four interlocking cycles on a fixed calendar: management review at least annually, internal audits covering every applicable clause over a defined cycle, Notified Body surveillance audits at least every twelve months under MDR Article 56 and Annex IX, and post-market surveillance under MDR Article 83 feeding findings back into the QMS. The certificate is not a finish line. It is a licence to keep operating a living system, and the Notified Body will verify the system is alive the next time they walk in the door.
By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.
TL;DR
- MDR Article 10 obligations do not stop at certification. The manufacturer must continuously operate the QMS, update it for changes, and keep it proportionate to the risk class of the device.
- MDR Article 56 and Annex IX require the Notified Body to carry out surveillance assessments at least once every twelve months for QMS certificates issued under the Annex IX route. Missing or failing a surveillance audit can lead to suspension or withdrawal of the certificate.
- MDR Article 83 requires a post-market surveillance system that actively and systematically gathers data on the device in use. The PMS system is not a side process. It feeds directly into risk management, clinical evaluation, CAPA, and the QMS itself.
- Management review is an Article 10(9) QMS obligation, performed at planned intervals as required by EN ISO 13485:2016+A11:2021 clause 5.6. For most certified startups this means at least once per year with a defined input set and documented decisions.
- Recertification under Annex IX is a full reassessment, not a surveillance audit. Plan it backwards from the certificate expiry date, not forwards from panic.
Why the day after certification is more dangerous than the day before
There is a quiet trap that catches MedTech startups in the weeks following their first successful QMS audit. The certificate arrives. The team has been running full-tilt for months. Everyone exhales. Calendars clear. The shared drive folder where the QMS lives gets opened less and less. Three months later, the first real change request comes in for the device, and nobody can quite remember which procedure covers it. Six months later, the Notified Body emails to schedule the surveillance audit, and the team realises the internal audit programme that looked so crisp at certification has not actually run a single cycle since.
That is the failure pattern. Not a dramatic breach, not fraud, not a blow-up — just the slow decay of a system that everyone has stopped running. By the time the surveillance auditor arrives, the gap between what the procedures say the company does and what the company actually does has widened enough to generate major non-conformities.
The fix is not more effort. It is rhythm. A QMS that survives the first year after certification is a QMS that has a visible, predictable, calendar-driven cadence. Each process fires at its planned time, produces its records, feeds the next process in the chain, and leaves behind a trail the next auditor can follow.
The legal floor — what MDR actually requires after certification
MDR Article 10 lays out the manufacturer's general obligations. Article 10(9) requires the QMS to be established, documented, implemented, maintained, kept up to date, and continually improved. That obligation continues for as long as the manufacturer places the device on the market. Certification does not reduce the scope of Article 10(9); it adds the external surveillance layer on top.
Article 56 of the MDR, together with Annex IX, governs the validity, surveillance, and renewal of QMS certificates. Under Annex IX, the Notified Body carries out surveillance assessments at least once every twelve months to verify that the manufacturer duly applies the approved QMS and the post-market surveillance plan. Surveillance assessments may include unannounced audits under Annex IX and can trigger suspension, restriction, or withdrawal of the certificate if significant non-conformities are found and not corrected. Certificates issued under Annex IX have a maximum validity of five years and require a full reassessment before renewal.
Article 83 sets the PMS obligation. The manufacturer must plan, establish, document, implement, maintain, and update a post-market surveillance system proportionate to the risk class and appropriate for the type of device. The system must actively and systematically gather, record, and analyse relevant data on the quality, performance, and safety of a device throughout its entire lifetime. MDCG 2025-10 provides the current guidance on how the PMS system interacts with clinical evaluation, risk management, vigilance, and the QMS. That interaction is not optional — PMS findings must flow back into the QMS, not sit in a separate folder.
The standard that operationalises these obligations is EN ISO 13485:2016+A11:2021. Its requirements for management review, internal audit, CAPA, document control, and continual improvement apply for the life of the certificate. If the clauses are not being satisfied in practice, the Annex IX certificate is at risk regardless of how well the initial audit went.
The four interlocking cycles
A post-certification QMS runs on four cycles that interlock. Each one has its own frequency, its own owner, and its own record. The common failure is running one or two well and letting the others slide.
Management review. The input set is defined by EN ISO 13485:2016+A11:2021 clause 5.6 and includes audit results, customer feedback, process performance, product conformity, CAPA status, follow-up from previous reviews, changes affecting the QMS, recommendations for improvement, applicable new or revised regulatory requirements, and post-market data. The review runs at planned intervals — for most startups this means at least annually, with a quarterly light-touch check on the high-movement inputs. The output is documented decisions: resource needs, improvements, and any changes to the QMS or the product. A management review without documented decisions is not a management review. For a deeper walkthrough of the inputs and outputs, see the management review post for startups.
Internal audits. Under clause 8.2.4 of EN ISO 13485:2016+A11:2021, the manufacturer must conduct internal audits at planned intervals to determine whether the QMS conforms to the planned and documented arrangements and is effectively implemented and maintained. For a certified startup, the practical interpretation is an internal audit programme that covers every applicable clause across a defined cycle — usually annual, sometimes on a rolling two-year cycle for larger scopes — with more frequent audits on high-risk processes. The findings feed CAPA. See internal audits for startups under MDR for how a small team can run this without drowning.
Surveillance audits by the Notified Body. Under Article 56 and Annex IX, these happen at least once every twelve months. The Notified Body checks that the QMS is still running, that PMS data is being handled correctly, that significant changes have been notified, that CAPAs are closed with evidence, and that the management review actually occurred. Unannounced audits are possible under Annex IX and Annex XI depending on the conformity assessment route and are explicitly allowed by the Regulation. The surveillance audit is the external heartbeat check. If you cannot show a year of genuine QMS operation, the audit will find that out.
Post-market surveillance. Under Article 83 and Annex III, the PMS system runs continuously. Data comes in from complaints, field performance, trend analysis, literature, vigilance reports, and PSURs or PMS reports depending on risk class. That data does not stay inside PMS — it feeds risk management updates, clinical evaluation updates, CAPAs when a trend warrants it, and the management review input set. PMS is the tissue connecting the device in the field to the QMS on paper. MDCG 2025-10 describes this interaction in detail and is the current authoritative guidance.
When the four cycles interlock correctly, each one hands evidence to the next. PMS data lands in management review. Management review decisions trigger internal audit focus areas. Internal audit findings become CAPAs. CAPA closures become inputs to the next management review. The surveillance auditor walks in and sees a loop that actually moves.
The year-by-year picture — what the first three post-certification years look like
Year 1. The certificate is fresh. The first surveillance audit is roughly twelve months away. The team must run at least one full management review cycle, at least one full internal audit cycle, and produce a first round of PMS data even if the device is new to the market. CAPAs from the certification audit (if any were opened) must be closed with evidence, not just marked closed on paper. Any significant change to the device or the QMS must be notified to the Notified Body per Annex IX. The surveillance audit at month twelve is the first external check that the system is alive.
Year 2. The rhythm is established. A second management review, a second internal audit cycle, a second surveillance audit. PMS data has enough volume to start showing real trends — this is the year the PMS-to-risk-management feedback loop starts to matter. If the device's clinical evaluation needs updating based on PMS findings, this is when it happens. CAPAs from Year 1 findings should all be closed; new CAPAs come from internal audit and PMS sources.
Year 3. Recertification planning starts. The Annex IX certificate has a maximum validity of five years, so recertification is not yet imminent, but the evidence base that will support renewal is being built now. Year 3 is the year to audit the QMS against any new harmonised standard editions, any new MDCG guidance published since certification, and any significant changes in the device or its intended purpose. The surveillance audit in Year 3 is often the one where the Notified Body probes deeper — the novelty has worn off, the system should be mature, and sloppy maintenance shows.
Ship — the QMS maintenance calendar playbook
This is the calendar that keeps a certified QMS alive. Adjust the frequencies to the risk class and scope of your specific certificate, but do not cut the list.
Weekly (15 minutes). Triage of incoming complaints, feedback, and field reports into the PMS system. Confirm vigilance reporting deadlines for anything that could qualify as a serious incident.
Monthly. Review open CAPAs and their due dates. Close anything with evidence; escalate anything overdue. Trend check on PMS data against the PMS plan thresholds.
Quarterly. Light-touch management review check on the high-movement inputs: complaints, CAPAs, supplier performance, any regulatory changes. This prevents the annual review from turning into a last-minute reconstruction.
Per internal audit slot (on the programme). Audit one or two process areas against the procedures and the applicable clauses. Document findings, open CAPAs, agree closure dates.
Annually. Full management review with documented decisions. Full PMS report or PSUR as required by Article 86 for the device's risk class. Confirm clinical evaluation update schedule. Review document control register for procedures that need re-issue. Run the Notified Body surveillance audit when scheduled — it lands within the twelve-month window set by Article 56 and Annex IX.
On change events. Any significant change to the device, its intended purpose, or the QMS itself triggers a change control record and, where required by Annex IX, a notification to the Notified Body before implementation.
Months 48 to 54 from certification. Start recertification planning. Gap assessment, evidence package assembly, scheduling with the Notified Body. Recertification is a full reassessment under Annex IX, not an extended surveillance audit.
The discipline is to actually run this calendar. A QMS maintenance calendar that lives in a file nobody opens is not a calendar; it is a document. The people responsible for each slot must know their slot is theirs.
Reality Check — Where do you stand?
- Do you have a named owner for each of the four cycles (management review, internal audit, surveillance audit liaison, PMS), and does each owner know that the cycle is theirs?
- When was your last management review, and can you produce the minutes with documented decisions within five minutes of being asked?
- Has every applicable clause of EN ISO 13485:2016+A11:2021 been covered by your internal audit programme in the current cycle, or do gaps exist?
- Does PMS data actually flow into your risk management file, your clinical evaluation update, and your management review input set — or does it sit in a parallel folder?
- Are all CAPAs from your certification audit closed with evidence, not just marked closed?
- Have any significant changes to the device or QMS occurred since certification that should have been notified to the Notified Body under Annex IX but were not?
- Do you know the exact expiry date of your Annex IX certificate and have a recertification plan that works backwards from that date?
Frequently Asked Questions
How often will my Notified Body audit me after certification? Under MDR Article 56 and Annex IX, the Notified Body must carry out surveillance assessments at least once every twelve months for QMS certificates issued under the Annex IX route. In addition, unannounced audits are permitted under Annex IX and Annex XI and do not count against the scheduled surveillance cycle. The exact mix depends on the conformity assessment route and the Notified Body's surveillance plan for your device.
Is an annual management review enough? For most certified startups, annually is the minimum floor and is acceptable if the inputs are genuinely processed and the decisions are documented. In practice a quarterly light-touch check on high-movement inputs prevents the annual review from becoming a last-minute reconstruction. EN ISO 13485:2016+A11:2021 clause 5.6 requires planned intervals — you define the interval and must be able to justify it.
What happens if we fail a surveillance audit? A surveillance audit that uncovers significant non-conformities can lead the Notified Body to suspend or restrict the certificate under MDR Article 56, and in severe cases to withdraw it. Non-conformities that are not corrected within agreed timeframes escalate quickly. The path back is always the same: open CAPAs, execute them, produce evidence, close them. Ignoring findings is the only fatal response.
Does PMS data really need to feed the QMS, or can we run them separately? They must be linked. MDR Article 83 and MDCG 2025-10 describe the PMS system as part of the QMS, with explicit links to risk management, clinical evaluation, CAPA, and vigilance. A PMS system running in isolation from the QMS is a non-conformity waiting to be found — and once it is found, the rework to integrate it is larger than integrating it correctly from the start.
When should we start planning for recertification? Start concrete planning roughly twelve to eighteen months before the certificate expiry date. Annex IX certificates have a maximum validity of five years, so for most manufacturers that means beginning in Year 3 or early Year 4. Recertification is a full reassessment, not an extended surveillance audit, so the preparation load is similar to the original certification effort — lighter only because the QMS already exists.
Related reading
- From Startup Chaos to a Compliant QMS: The Phased Approach — the transition post that precedes this one in the Cat 7 cluster.
- Internal Audits for Startups Under MDR — the audit cycle that validates the QMS between Notified Body visits.
- MDR QMS Management Review for Startups — the management review process that anchors the annual cycle.
- What Is a Quality Management System for Medical Devices? — the pillar post for the QMS cluster.
- The Minimum Viable QMS — the lean scope that this post assumes is already certified.
Sources
- Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10 (general obligations of manufacturers, including Article 10(9) on the QMS), Article 56 (validity, surveillance, withdrawal of certificates), Article 83 (post-market surveillance system of the manufacturer), Annex IX (conformity assessment based on a quality management system and on assessment of technical documentation), and Annex XI (conformity assessment based on product conformity verification). Official Journal L 117, 5.5.2017.
- EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. Clauses 5.6 (management review), 8.2.4 (internal audit), 8.5 (improvement).
- MDCG 2025-10 — Guidance on post-market surveillance of medical devices and in vitro diagnostic medical devices. December 2025.
This post is part of the Quality Management Under MDR series in the Subtract to Ship: MDR blog. Authored by Felix Lenhard and Tibor Zechmeister. The MDR is the North Star. EN ISO 13485:2016+A11:2021 is the tool. Every element of the post-certification rhythm traces back to a specific obligation in MDR Article 10, Article 56, Article 83, or Annex IX.