The minimum viable QMS is the smallest quality management system that fully satisfies MDR Article 10(9) and EN ISO 13485:2016+A11:2021 for your specific device and risk class. It is not a trimmed-down template and it is not a "lite" version of someone else's system. It is a complete QMS in which every process, procedure, and record exists because a specific clause or article requires it for your product, and nothing exists because a template author thought it might be useful for someone else.
By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.
TL;DR
- MDR Article 10(9) requires every manufacturer to establish, document, implement, maintain, keep up to date, and continually improve a QMS proportionate to the risk class and type of device.
- Proportionate means smaller scope is legally allowed for lower-risk devices, but every ISO 13485 clause still has to be addressed, even if the answer for a given clause is "not applicable and here is why."
- A minimum viable QMS is not a template. A QMS built from a generic template without adaptation is the most common QMS non-conformity pattern found at first audits.
- Three people with a lean, device-specific QMS routinely pass notified body audits with zero non-conformities. Team size does not determine findings; discipline does.
- Before your first notified body audit you need roughly 15 to 25 controlled documents, a full set of records demonstrating the QMS has actually been used, and a management review on file. Not more. Not less.
What "minimum viable" actually means under MDR Article 10(9)
Felix coaches startups to ship under constraints. The pattern repeats in every domain: the founder who tries to build everything ships nothing, and the founder who ruthlessly strips scope to what the regulation actually demands gets to market. MDR is no different. But minimum viable in a regulated context has a specific technical meaning, not a vibes-based one, so the first move is to anchor it in the text of the regulation itself.
Article 10(9) of Regulation (EU) 2017/745 sets the obligation:
"Manufacturers of devices other than investigational devices shall establish, document, implement, maintain, keep up to date and continually improve a quality management system that shall ensure compliance with this Regulation in the most effective manner and in a manner that is proportionate to the risk class and the type of device." — Regulation (EU) 2017/745, Article 10, paragraph 9.
The operative phrase is proportionate to the risk class and the type of device. The MDR explicitly anticipates that a Class I reusable surgical instrument and a Class III implantable cardiac device do not need identical QMS footprints. Proportionality is built into the law. It is not a loophole and it is not a favour a notified body can extend on mood — it is a legal requirement of the QMS itself.
Article 10(9) then lists, non-exhaustively, the elements that the QMS must address, including a strategy for regulatory compliance, identification of applicable GSPRs, responsibility of the management, resource management, risk management, clinical evaluation, product realisation, verification of UDI assignments, post-market surveillance, communication with competent authorities, notified bodies and other economic operators, and processes for monitoring and measurement of output.
In practice every one of those elements has a corresponding clause or section in EN ISO 13485:2016+A11:2021, which is the harmonised standard for QMS under the MDR. If you satisfy EN ISO 13485:2016+A11:2021 for your device, and your QMS output actually reflects your device, you have built what Article 10(9) requires.
Minimum viable QMS, in one sentence: every clause of EN ISO 13485:2016+A11:2021 addressed, every required process documented at a depth proportionate to your device's risk, every record generated as the process runs, and nothing else.
The core ISO 13485 clauses every QMS must address
There is no shortcut past the clause structure. A minimum viable QMS still has to address all of Clauses 4 through 8 of EN ISO 13485:2016+A11:2021 — general requirements, management responsibility, resource management, product realisation, and measurement, analysis and improvement. A notified body auditor working under Annex IX of the MDR will walk through the standard clause by clause and ask to see either the evidence or a justified exclusion.
The clauses that cannot be excluded for any MDR device, regardless of class, include document and record control (Clause 4.2), management commitment, quality policy and management review (Clause 5), competence, training and infrastructure (Clause 6), risk management as a process integrated across the product lifecycle (Clause 7.1 plus EN ISO 14971 as the referenced method), design and development controls (Clause 7.3), purchasing controls for critical suppliers (Clause 7.4), CAPA (Clause 8.5.2), internal audits (Clause 8.2.4), and monitoring and measurement of processes and product (Clause 8.2).
You will see founders ask whether they can "skip design controls because the product is already designed." No. The design and development file has to exist for the device that you are actually certifying, even if large parts of it are written retrospectively from engineering work that already happened. That is not a paperwork exercise — it is the evidence a notified body uses to judge whether the device was built under control.
What can be lighter at lower risk classes
Proportionality is real and it matters. For a Class I non-sterile, non-measuring device a minimum viable QMS can legitimately be significantly leaner than for a Class IIa active device, and much leaner than for a Class IIb or III implantable. Specifically:
- The depth of supplier controls scales with how much of your device's safety depends on supplier output. A Class I manufacturer buying a single commodity component can control that supplier with a short qualification record. A Class IIb manufacturer whose critical subassembly comes from one external vendor cannot.
- The volume of design verification and validation testing scales with the GSPRs that actually apply. A non-active Class I device has a much shorter list of applicable standards than an active, software-driven Class IIa device.
- Post-market surveillance intensity is calibrated by MDR Article 83 and Annex III to risk class. The PMS plan for a Class I device is a few pages. For a Class IIb implantable it is a live, data-driven program with PSURs.
- Internal audit frequency and the depth of management review follow the same scaling logic. A three-person company does not need quarterly full-system audits; it needs a meaningful annual internal audit and a meaningful management review.
None of this is an invitation to skip. It is an invitation to scale. Every clause is addressed; the depth is proportional.
What cannot be cut regardless of class
Some things are non-negotiable for any MDR device and any company size:
- A named and available PRRC (Article 15), or a documented arrangement when the micro-enterprise exception applies.
- A documented risk management process that runs the full lifecycle per EN ISO 14971, not a risk register built once and forgotten.
- A technical documentation file structured to MDR Annex II and II-A that an auditor can navigate without a guide.
- Document and record control with versioned, controlled documents and records that prove the QMS was actually executed, not just written.
- A post-market surveillance system with a PMS plan and a mechanism to feed findings back into risk management and design.
- A vigilance process that can actually report a serious incident within the MDR deadlines.
- A complaint handling process that works from Day 1.
- An internal audit that has genuinely happened before the certification audit.
- A management review that has genuinely happened before the certification audit.
If any of these are absent, the QMS is not minimum viable. It is incomplete. There is no class, no company size, and no budget that removes them.
The Berlin template anti-pattern
A Berlin startup Tibor was called in to assess had bought a full ISO 13485 template package online. Hundreds of documents. Beautifully formatted. The founder was proud — he believed the QMS was "basically done" and the company just had to "fill in the details" before the first audit.
Tibor opened the quality manual. The device described in the manual was a generic class II device from a completely different product area. The roles referenced a 30-person organisation. The supplier controls assumed a multi-site manufacturing operation. The clinical evaluation procedure referenced a clinical investigation that the startup had never run and could not afford. Large sections referenced paper records in filing rooms. The founder had changed the logo and the company name at the top of every document. Nothing else.
Tibor's assessment, which he still quotes, was that the QMS was roughly 0.1 percent complete — and worse than zero, because it actively misrepresented the company's processes. If this QMS had gone into a notified body audit, every auditor interview would have exposed the gap between the written process and the actual process, and every document would have been a non-conformity waiting to happen. The company would have failed the audit and then had to unwind hundreds of documents they did not understand.
The lesson is not that templates are bad. A clean, authoritative template is a sensible starting point. The lesson is that a template without ruthless adaptation is the single most common QMS disaster pattern at first audits. Buying a QMS does not mean you have one.
The Lower Austria 3-person proof point
The counter-example sits in Lower Austria. A three-person company, single Class IIa device, extremely limited budget, went through a full notified body QMS audit under Annex IX with zero non-conformities. No major findings. No minor findings. No observations worth naming.
What did they have? A quality manual that was maybe 15 pages long. A QMS with roughly 20 controlled procedures, each between one and four pages. A risk management file that was clearly traceable back to the actual device hazards, not a copy-paste register. A design and development file that followed the real sequence of how the device had been developed, with gaps filled retrospectively but honestly. A PMS plan appropriate to a Class IIa device with a realistic data collection approach. Records demonstrating that internal audit, management review, CAPA, and complaints handling had actually run at least once before the certification audit. Every document fit the device and the company. Nothing was there for show.
The auditor did not find non-conformities because there was nothing to find. The QMS described what the company actually did, the company actually did what the QMS described, and the device-level evidence was traceable and complete. Three people, zero findings, minimum viable done right.
The Vienna QA manager Tibor worked with earlier in his career set the pattern the Lower Austria team followed: take a good framework, then strip everything that does not fit the specific device. The starting point can be a template, a consultancy's baseline package, or another company's QMS — the discipline is the editing pass that follows, where every clause is reviewed against the real device, the real processes, and the real team, and everything that does not fit is cut or rewritten.
The document set you actually need before a first audit
For a typical resource-constrained MedTech startup with a Class I, Class IIa, or lower Class IIb device, the minimum viable document set before a first notified body audit is roughly:
- Quality manual (or equivalent top-level QMS description).
- Document and record control procedure.
- Management review procedure and at least one completed management review record.
- Training and competence procedure and training records for the team.
- Internal audit procedure and at least one completed internal audit report.
- CAPA procedure and a CAPA log (empty or populated).
- Supplier evaluation and purchasing control procedure plus approved supplier list.
- Risk management procedure referencing EN ISO 14971 and the complete device risk management file.
- Design and development control procedure and the device design history file.
- Product realisation / production control procedures appropriate to the device.
- Labelling and UDI assignment procedure.
- Post-market surveillance procedure and PMS plan.
- Vigilance and serious incident reporting procedure.
- Complaint handling procedure.
- Clinical evaluation procedure and the clinical evaluation report/plan.
- Declaration of Conformity (draft).
- Technical documentation file structured to MDR Annex II and II-A.
- PRRC appointment and job description or the documented micro-enterprise arrangement.
That is roughly 15 to 18 controlled documents plus the technical file, plus the records showing each of them has actually been used. It is not a short list, but it is a finite list, and every item traces to a specific MDR article or ISO 13485 clause. Anything beyond this list exists only because the specific device demands it.
The Subtract to Ship angle
Subtract to Ship says that every document, process and procedure has to earn its place by pointing to a specific MDR article, an ISO 13485 clause, or a harmonised standard that applies to the device. If it cannot, it comes out. Applied to the QMS, the rule is simple: if you cannot name the clause or article that requires a document, the document does not belong in the QMS.
This is not the same as running a dangerously light QMS. Every clause is still addressed. The subtraction is against bloat — against the template document on "sterile packaging validation" that the non-sterile device manufacturer inherited from a template pack, against the "clean room monitoring procedure" at a software company, against the 200-page quality manual that nobody on the team has read.
Done right, subtraction produces a QMS that the whole team can actually hold in their heads. That is the real criterion. A QMS nobody on the team understands is not a QMS, no matter how many documents are in it.
Reality Check — Where do you stand?
Work through these honestly.
- For every controlled document in your current QMS, can you name the MDR article, the ISO 13485 clause, or the harmonised standard that requires it for your specific device? If the answer for any document is "I do not know," that document is bloat.
- If you interviewed a random team member and asked them to describe how a process in your QMS actually runs, would their answer match the written procedure? If not, the procedure is fiction.
- Has every core QMS process (internal audit, management review, CAPA, complaints, training, design review) run at least once, generating real records, before your first notified body audit? If any is untouched, the process does not yet exist in practice.
- Does your quality manual describe your real company, your real device, and your real team — or a hypothetical company that matches a template?
- Can you find any document in your technical file or QMS within 30 seconds? If not, the structure is failing the auditor test.
- Is your PRRC genuinely available and competent, or is the role nominally assigned to someone who has never opened Article 15?
- Can you show a risk management file that was clearly written for your device, not adapted from a generic hazard list?
A no on any of these is a finding waiting to happen. Fix them before the auditor arrives, not during.
Frequently Asked Questions
How small can a QMS legally be under MDR Article 10(9)?
Article 10(9) requires the QMS to be proportionate to the risk class and type of device, which means the scope can shrink for lower-risk devices, but every element of the QMS listed in Article 10(9) — and every clause of EN ISO 13485:2016+A11:2021 — still has to be addressed. Smaller scope, not fewer elements.
Can a three-person startup really pass a notified body audit?
Yes, and Tibor has personally seen it done with zero non-conformities. Team size does not cause audit findings. Misalignment between the written QMS and the actual processes causes findings, and that problem is worse in large companies with bloated QMS than in small disciplined ones.
Are QMS templates dangerous?
Templates are fine as starting points. Templates are dangerous when they are used as finished products. A QMS adopted without adapting every document to the specific device, team, and risk profile is the most common QMS disaster Tibor has encountered at first audits.
Do I need EN ISO 13485:2016+A11:2021 certification before my MDR audit?
Not necessarily as a separate certification, but your QMS must satisfy the standard because it is the harmonised standard giving presumption of conformity with MDR QMS obligations, and the notified body will audit against it under MDR Annex IX.
What is the absolute minimum number of controlled documents?
There is no magic number, but for a typical Class I to lower Class IIb device the minimum viable document set is roughly 15 to 18 controlled procedures plus the technical file and the records. Fewer and you are likely missing a clause. Many more and you are likely carrying bloat.
When do I need to have my first management review before the certification audit?
Before. A management review that has not yet happened at the time of the certification audit is a finding. The same applies to the first internal audit. Both must have produced real records, with real inputs and real outputs, before the auditor arrives.
Sources
- Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices. Consolidated text on EUR-Lex. Article 10, paragraph 9; Article 15; Annex II; Annex II-A; Annex III; Annex IX.
- EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. Current harmonised edition.
- EN ISO 14971:2019+A11:2021 — Medical devices — Application of risk management to medical devices. Current harmonised edition (referenced for the risk management process integrated into the QMS).
This post is part of the Quality Management Under MDR series in the Subtract to Ship: MDR blog. Authored by Tibor Zechmeister and Felix Lenhard.