---
title: QMS Documentation Templates for Startups: The Essential Document List
description: The essential QMS documentation templates startups need for MDR: the document list mapped to Article 10(9) and EN ISO 13485:2016+A11:2021 clause 4.2.
authors: Tibor Zechmeister, Felix Lenhard
category: Quality Management Under MDR
primary_keyword: QMS documentation templates startups MDR
canonical_url: https://zechmeister-solutions.com/en/blog/qms-documentation-templates-startups
source: zechmeister-solutions.com
license: All rights reserved. Content may be cited with attribution and a link to the canonical URL.
---

# QMS Documentation Templates for Startups: The Essential Document List

*By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.*

> **The essential QMS documentation template set for a startup under MDR is a fixed list of roughly 15 to 18 controlled documents that together satisfy MDR Article 10(9) and the documentation requirements of EN ISO 13485:2016+A11:2021 clause 4.2: a quality manual, the six procedures the standard explicitly demands, the device-specific work instructions, and the records that prove the QMS has actually run. Templates are a legitimate starting point for every one of these. Templates are a disaster when they are used as finished products.**

**By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.**

---

## TL;DR

- MDR Article 10(9) requires a documented QMS proportionate to risk class. EN ISO 13485:2016+A11:2021 clause 4.2 tells you the four layers that QMS documentation must contain: quality manual, documented procedures, work instructions and forms, and records.
- The essential document list for a startup is roughly 15 to 18 controlled documents plus the technical file and the records. Not more, not less.
- Clause 4.2.1 of EN ISO 13485:2016+A11:2021 explicitly requires a quality manual, a medical device file per product, and documented procedures for the processes the standard names.
- Templates are a legitimate starting point. Templates copied without ruthless adaptation to your actual device, team and processes are the single most common first-audit failure pattern.
- Priority order for a resource-constrained startup: document control first, then the spine procedures (management review, internal audit, CAPA, training), then the product-realisation procedures that fit your device, then the records.

---

## Why this list exists — and why most startups get it wrong

The first time a founder opens a commercial QMS template pack they usually feel two contradictory things at once. Relief, because there is finally a concrete list of documents someone is promising will "get you through an audit." And panic, because the list has 200-plus files and every file is 15 pages long.

Both reactions are wrong. The relief is wrong because the template pack will not get you through an audit — the device-specific content inside each document gets you through an audit, and the template supplies none of it. The panic is wrong because the actual list of documents a lean MedTech startup needs is finite, knowable, and much shorter than the template vendor wants you to believe.

What a startup actually needs is the list. Not the template files themselves — those are interchangeable and available in dozens of places. The list. The twenty-odd documents that every MDR startup has to produce, the clauses they map to, and the order in which to build them so that the early ones unblock the later ones.

That is what this post is. A list, mapped to MDR Article 10(9) and to EN ISO 13485:2016+A11:2021 clause 4.2, in the order you should actually build it.

## The MDR text — what Article 10(9) requires

Article 10, paragraph 9 of Regulation (EU) 2017/745 sets the legal obligation:

> *"Manufacturers of devices other than investigational devices shall establish, document, implement, maintain, keep up to date and continually improve a quality management system that shall ensure compliance with this Regulation in the most effective manner and in a manner that is proportionate to the risk class and the type of device."*
> — Regulation (EU) 2017/745, Article 10, paragraph 9.

Article 10(9) then lists the elements the QMS has to address — regulatory strategy, GSPR identification, management responsibility, resource management, risk management, clinical evaluation, product realisation, UDI verification, post-market surveillance, vigilance, and the communication processes with competent authorities and notified bodies. Every one of those elements has to exist as something documented. The law does not tell you what the document should look like — it tells you the thing has to be there, in writing, for your device.

The harmonised standard that tells you what the documentation has to look like is EN ISO 13485:2016+A11:2021. Clause 4.2 of the standard, "Documentation requirements," is the single most important clause for answering the question "what documents do I need?"

## EN ISO 13485:2016+A11:2021 clause 4.2 — the four layers

Clause 4.2 of EN ISO 13485:2016+A11:2021 describes QMS documentation in four layers. A startup's essential document list fills all four.

**Layer 1 — Quality manual (clause 4.2.2).**
One document. It describes the scope of the QMS, the processes, their sequence and interaction, and any permitted clause exclusions with justification. For a startup this is typically 10 to 20 pages. Not 80. The manual is a map, not a novel.

**Layer 2 — Medical device file (clause 4.2.3).**
For each device or device family, a file that contains or references the product description, intended use, labelling, IFU, manufacturing procedures, measurement and monitoring procedures, and installation/servicing if applicable. In MDR terms this sits alongside the technical documentation under Annex II and II-A.

**Layer 3 — Documented procedures.**
The standard explicitly requires documented procedures for defined activities. These are the spine of the QMS. The procedures you cannot avoid writing as a startup include document control (4.2.4), record control (4.2.5), management review (5.6), training and competence (6.2), risk management (7.1), design and development (7.3), purchasing (7.4), production and service controls appropriate to your device (7.5), control of monitoring and measuring equipment where applicable (7.6), internal audit (8.2.4), control of nonconforming product (8.3), CAPA (8.5.2 and 8.5.3), complaint handling (8.2.2), and reporting to regulatory authorities (8.2.3).

**Layer 4 — Records.**
Clause 4.2.5 requires records that demonstrate conformity to requirements and effective operation of the QMS. Records are the evidence that the QMS has actually been used. A QMS with pristine procedures and no records fails its first audit before the coffee is poured.

That is the architecture the list has to fill. Now the list itself.

## The essential document list — 15 to 18 controlled documents

For a typical resource-constrained MedTech startup with a Class I, Class IIa, or lower Class IIb device, the essential documents are:

1. **Quality manual** — the top-level QMS description. Clause 4.2.2.
2. **Document and record control procedure** — the procedure that controls every other document. Clauses 4.2.4 and 4.2.5.
3. **Management review procedure** — plus the first completed management review record. Clause 5.6.
4. **Training and competence procedure** — plus training records for every team member. Clause 6.2.
5. **Internal audit procedure** — plus the first completed internal audit report. Clause 8.2.4.
6. **CAPA procedure** — plus a CAPA log, even if empty at the start. Clauses 8.5.2 and 8.5.3.
7. **Supplier evaluation and purchasing procedure** — plus an approved supplier list. Clause 7.4.
8. **Risk management procedure** — referencing EN ISO 14971, plus the complete device risk management file. Clause 7.1 and MDR Annex I GSPRs.
9. **Design and development control procedure** — plus the device design and development file. Clause 7.3.
10. **Production and process control procedures** — device-specific work instructions for manufacturing, packaging, labelling. Clause 7.5.
11. **Labelling and UDI assignment procedure** — MDR Article 27, Annex VI, and the labelling requirements of Annex I Chapter III.
12. **Post-market surveillance procedure and PMS plan** — MDR Article 83 to 86 and Annex III.
13. **Vigilance and serious incident reporting procedure** — MDR Article 87 to 92.
14. **Complaint handling procedure** — clause 8.2.2.
15. **Clinical evaluation procedure** — plus the clinical evaluation plan and report. MDR Article 61 and Annex XIV.
16. **Nonconforming product procedure** — clause 8.3.
17. **PRRC appointment and job description** — MDR Article 15, or the documented micro-enterprise arrangement.
18. **Declaration of Conformity (draft)** — MDR Article 19 and Annex IV.

Plus, alongside the QMS itself:

- **The technical documentation file** structured to MDR Annex II and II-A.
- **The records** that demonstrate each of the above procedures has actually run at least once.

That is the list. Every item traces to a clause or article. Every item is necessary. Nothing on the list is optional for any MDR device. Anything a template vendor adds beyond this list has to earn its place by pointing to a clause or article that applies to your specific device — otherwise it is bloat.

## The Berlin template lesson

A Berlin startup Tibor was called in to assess had bought a full ISO 13485 template package online. Hundreds of documents, beautifully formatted. The founder believed the QMS was "basically done."

Tibor opened the quality manual. The device described in the manual was a generic Class II device from an unrelated product area. The roles referenced a 30-person organisation. The supplier controls assumed a multi-site manufacturing operation. The clinical evaluation procedure referenced an investigation the startup had never run. Whole sections referenced paper records in filing rooms the company did not have. The founder had changed the logo and the company name at the top of every document. Nothing else.

Tibor's assessment was that the QMS was roughly 0.1 percent complete — and worse than zero, because it actively misrepresented the company's processes. Every auditor interview would have exposed the gap between the written procedure and the actual practice. Every document would have been a non-conformity waiting to happen.

The lesson is not that templates are bad. The lesson is that a template without adaptation is fiction, and fiction fails audits.

## The Lower Austria counter-example

A three-person Lower Austria startup with a single Class IIa device and an extremely limited budget passed a full notified body QMS audit with zero non-conformities. Their document set was, as a count, roughly what the list above describes: a 15-page quality manual, about 20 controlled procedures each between one and four pages, a device-specific risk management file, a design and development file that followed the real development sequence with gaps filled retrospectively and honestly, and a PMS plan appropriate to a Class IIa device.

Every procedure described what the company actually did. The company actually did what every procedure described. The device-level evidence was traceable and complete. Three people, zero findings, because the document set was built from the list above and ruthlessly fitted to the specific device, not the other way round.

Both startups used templates as a starting point. One of them did the adaptation work, one did not. That is the entire delta.

## The build order — priority for a resource-constrained team

You do not build 18 documents in parallel. You build them in an order where each one unblocks the next.

**Phase 1 — the spine (weeks 1 to 3).**
Document and record control first. Without it, every document you write afterwards is uncontrolled and has to be rewritten. Then the quality manual skeleton. Then the four spine procedures that every auditor asks about first: management review, internal audit, CAPA, training.

**Phase 2 — product realisation (weeks 3 to 6).**
Risk management procedure and the device risk file. Design and development procedure and the design history file. Supplier and purchasing procedure plus the approved supplier list. Production and process controls for the specific device.

**Phase 3 — market-facing processes (weeks 6 to 9).**
Labelling and UDI. Post-market surveillance plan. Vigilance. Complaint handling. Clinical evaluation plan and report.

**Phase 4 — evidence generation (weeks 9 to 12).**
Run the processes. Produce real records. Hold the first real management review. Run the first real internal audit. Close the first real CAPAs. Train the team and record it. Fill the complaint log with whatever is actually there, including "nothing yet."

At the end of that sequence you have a document set that fits your device, a records set that proves the procedures have run, and a team that has actually used the QMS. That is what the notified body audits. Nothing less will pass.

## The Subtract to Ship angle

The Subtract to Ship rule for QMS documentation is simple: every document must point to a specific MDR article, an ISO 13485 clause, or a harmonised standard applicable to your device. If it cannot, it comes out.

Applied to templates, the rule becomes even sharper. You start with a clean template pack. You open every file. For each file you ask: which clause of EN ISO 13485:2016+A11:2021 does this satisfy, and does that clause actually apply to my device? If the answer is "none" or "this clause is excludable for my device," the file is cut. If the answer is "this clause applies," the file is rewritten end to end against the real device, the real team, and the real processes. No document is kept because it looks impressive.

Done right, you will delete more template files than you keep. That is correct. The goal is a QMS the three of you can hold in your heads — not a QMS that impresses a template vendor.

## Reality Check — Where do you stand?

Work through these honestly.

1. For every document in your current QMS, can you name the MDR article or the EN ISO 13485:2016+A11:2021 clause that requires it for your specific device? If not, the document is bloat.
2. Open your quality manual. Does it describe your real company, your real device, and your real team — or a generic company that matches a template?
3. Pick three procedures at random. Would a team member's description of how that process actually runs match the written text? If not, the procedures are fiction.
4. Is your document and record control procedure the first thing you built, or an afterthought? If it is an afterthought, every other document is uncontrolled.
5. Have the spine procedures (management review, internal audit, CAPA, training) actually run at least once, with real records, before your first audit?
6. If a notified body auditor asked you to find any document in your QMS in under 30 seconds, could you?
7. If you handed your template vendor's file list to Tibor, how many of those files would survive the "which clause and article require this for my device" test?

A no on any of these is a finding waiting to happen. Fix it before the auditor arrives.

## Frequently Asked Questions

**What is the minimum number of documents in a startup QMS under MDR?**
There is no legally mandated number, but for a typical Class I to lower Class IIb device the essential set is roughly 15 to 18 controlled documents plus the technical file and the records. Fewer and you are likely missing a clause of EN ISO 13485:2016+A11:2021. Many more and you are likely carrying template bloat.

**Are commercial QMS templates safe to use?**
Templates are a legitimate starting point when every file is adapted to your specific device, team and processes. Templates become dangerous the moment they are treated as finished products. The most common first-audit failure pattern is a template pack with the logo changed and nothing else.

**Which document should a startup write first?**
Document and record control. Every other document in the QMS has to be controlled under it, so writing anything else first means rewriting those documents once the control procedure is finalised. The quality manual comes second, as a skeleton that grows as the other procedures are built.

**Do I need a separate quality manual if I have all the procedures?**
Yes. Clause 4.2.2 of EN ISO 13485:2016+A11:2021 explicitly requires a quality manual that describes the scope of the QMS, the processes, their sequence and interaction, and any permitted exclusions with justification. It does not have to be long — 10 to 20 pages is typical for a startup — but it has to exist.

**How do I know which ISO 13485 clauses I can exclude?**
Clause 1 of EN ISO 13485:2016+A11:2021 permits exclusions only for requirements in clauses 6, 7 and 8 that are not applicable due to the activities undertaken or the nature of the device. Every exclusion has to be justified in the quality manual. Clauses 4 and 5 are never excludable.

## Related reading

- [The Minimum Viable QMS: What You Need Before Your First Audit](minimum-viable-qms) — the document list in this post, framed as the full minimum-viable QMS approach.
- [Document Control for Startups](document-control-startup) — the first procedure you should write, treated in depth.
- [How to Build a Lean QMS for an MDR Startup](build-lean-qms-mdr-startup) — the build-sequence companion to this document list.

## Sources

1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices. Consolidated text on EUR-Lex. Article 10, paragraph 9; Article 15; Article 19; Article 27; Articles 83 to 92; Annex II; Annex II-A; Annex III; Annex IV; Annex VI; Annex XIV.
2. EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. Current harmonised edition. Clause 4.2 (Documentation requirements), clauses 5 through 8.
3. EN ISO 14971:2019+A11:2021 — Medical devices — Application of risk management to medical devices. Current harmonised edition (referenced by the risk management procedure).

---

*This post is part of the Quality Management Under MDR series in the Subtract to Ship: MDR blog. Authored by Tibor Zechmeister and Felix Lenhard. If the complexity of adapting a template pack to your specific device exceeds what a blog post can cover — and it often does, because every device is different — Zechmeister Strategic Solutions has walked 50+ companies through this exact adaptation problem.*

---

*This post is part of the [Quality Management Under MDR](https://zechmeister-solutions.com/en/blog/category/quality-management) cluster in the [Subtract to Ship: MDR Blog](https://zechmeister-solutions.com/en/blog). For EU MDR certification consulting, see [zechmeister-solutions.com](https://zechmeister-solutions.com).*