A QMS maturity model for MDR startups describes how a quality management system evolves after it first satisfies MDR Article 10(9) and EN ISO 13485:2016+A11:2021. The model has five levels — minimum compliant, documented, monitored, improving, and strategic — and each level is tied back to specific ISO 13485 clauses. The model is commentary, not a regulatory requirement. MDR requires the floor; the model describes the growth path above it.
By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.
TL;DR
- MDR Article 10(9) and EN ISO 13485:2016+A11:2021 define the compliance floor. Nothing below that floor is legal. Everything above it is maturity.
- A five-level maturity model helps startups see where they stand without drifting into bloat: Level 1 minimum compliant, Level 2 documented, Level 3 monitored, Level 4 improving, Level 5 strategic.
- The model is not an MDR requirement. It is a lens for deciding what to add next without over-building the QMS before the company can absorb it.
- Most startups at first certification sit at Level 1 or Level 2. That is fine. Level 3 is a reasonable target within 12 months post-certification. Levels 4 and 5 take years and real PMS data.
- Skipping levels produces a fragile QMS. A Level 2 company pretending to be a Level 4 company fails audits because the written system and the real processes diverge.
Why a maturity model, and why this one is commentary
MDR is unambiguous: the QMS has to satisfy Article 10(9), and in practice that means satisfying EN ISO 13485:2016+A11:2021 for the device in question. Article 10(9) is the legal obligation:
"Manufacturers of devices other than investigational devices shall establish, document, implement, maintain, keep up to date and continually improve a quality management system that shall ensure compliance with this Regulation in the most effective manner and in a manner that is proportionate to the risk class and the type of device." — Regulation (EU) 2017/745, Article 10, paragraph 9.
Notice the verbs: establish, document, implement, maintain, keep up to date, continually improve. The MDR explicitly writes continual improvement into the legal obligation. It does not, however, tell you how to improve, at what pace, or what "mature" looks like. It leaves that to the manufacturer and, by reference, to EN ISO 13485:2016+A11:2021, which embeds the Plan-Do-Check-Act loop through Clauses 4 to 8.
A maturity model fills the gap between "the QMS is legal" and "the QMS is excellent." It is a planning tool, not a regulatory one. Every level below still has to meet the floor of Article 10(9). Nothing in the model is an excuse to defer a required process. The model is explicitly commentary — a way of sequencing improvements so that startups do not either stall after certification or over-build their QMS before the company can live up to it.
The version below is the one used by the Subtract to Ship playbook: five levels, each tied back to the ISO 13485 clause structure, each framed around what a resource-constrained startup can actually do.
Level 1 — Minimum Compliant
Definition: The QMS satisfies every applicable clause of EN ISO 13485:2016+A11:2021 and every element of MDR Article 10(9). It passes a first notified body audit under Annex IX. Nothing more.
ISO 13485 anchor: Every clause from 4 to 8 addressed, with non-applicable clauses justified in writing. Document and record control (Clause 4.2) in place. Management review (Clause 5.6) has happened at least once. Risk management per EN ISO 14971:2019+A11:2021 integrated into design control (Clause 7.1, 7.3). CAPA (Clause 8.5.2) and internal audit (Clause 8.2.4) have produced at least one real record each.
What it looks like: Roughly 15 to 20 controlled procedures. A quality manual that fits the device and the team. A set of records that proves the QMS has actually been run, not just written. The minimum viable QMS pattern.
What is missing: Trend data. Metrics. Feedback loops that change anything. The QMS is alive, but it runs on the minimum required cycle. For first certification, that is enough. It is also the honest starting position for most first-time certifiers.
Level 1 is not a pejorative label. A disciplined Level 1 QMS beats a bloated Level 3 QMS every audit, every time. The Berlin template anti-pattern discussed in The Minimum Viable QMS is what happens when a company claims maturity it has not earned.
Level 2 — Documented
Definition: Every process in the QMS has a written procedure that matches what the team actually does, and every required record is being generated as the process runs. The gap between written process and real process has closed.
ISO 13485 anchor: Clause 4.2.3 (control of documents) and Clause 4.2.5 (control of records) are genuinely working. Clause 6.2 (human resources) has training records that reflect the actual team, not a template roster. Clause 7.5 (production and service provision) is described honestly.
What it looks like: Every member of the team could be interviewed by an auditor and describe their process in the same terms as the SOP. Records are stored in a way that can be retrieved in under 30 seconds. The quality manual is a document people on the team have actually read.
What changes from Level 1: Mostly rigor, not scope. A Level 1 QMS might pass an audit with last-minute document polishing. A Level 2 QMS is audit-ready every day. This is the realistic target for the first 6 to 12 months after certification.
Level 3 — Monitored
Definition: The QMS generates enough data that the company can see how it is performing. CAPA trends, complaint patterns, audit findings, nonconformity rates, supplier performance, training compliance — all measured, all visible.
ISO 13485 anchor: Clause 8.2 (monitoring and measurement) running in full, not just on paper. Clause 8.4 (analysis of data) producing real analyses that feed management review (Clause 5.6.2 inputs). PMS data under MDR Article 83 flowing into the QMS as actual inputs, not as a file on a shared drive that nobody opens.
What it looks like: A monthly or quarterly quality dashboard. Management review meetings that look at numbers, not impressions. CAPA investigations triggered by trend data, not only by individual complaints. Suppliers ranked by real performance metrics.
What changes from Level 2: The QMS starts to tell the company something. Up to this point the QMS has been a compliance asset. From Level 3, it becomes an operational asset. Most startups can reach Level 3 within 12 to 18 months of certification if they designed their records structure with analysis in mind from Day 1. If they did not, Level 3 requires a rework of the record structure before the data becomes analyzable.
Level 4 — Improving
Definition: The QMS closes loops. Data from PMS, complaints, CAPA, and audits actually changes the product, the processes, and the procedures. The improvement actions are traceable from root cause to verified effectiveness.
ISO 13485 anchor: Clause 8.5 (improvement) running end to end — Clause 8.5.1 (general, continual improvement), Clause 8.5.2 (corrective action with verified effectiveness), Clause 8.5.3 (preventive action). Risk management under EN ISO 14971:2019+A11:2021 updated based on real post-market data, not only pre-market assumptions.
What it looks like: CAPA effectiveness checks that actually confirm the problem went away. Design changes driven by PMS findings. A PMS plan updated based on what the last cycle revealed. Internal audit findings that visibly reduce over time because the system is learning.
What changes from Level 3: Level 3 sees problems. Level 4 fixes them systemically. This takes real PMS data, which takes real time on the market. A company cannot credibly claim Level 4 in its first year post-certification because the feedback loop has not had time to close. Two to three years of honest operation is a more realistic horizon.
Level 5 — Strategic
Definition: The QMS is a strategic asset. Quality data informs product strategy, roadmap, and risk appetite. The company uses its QMS to move faster, not slower — faster design iteration because change control is fluent, faster market response because vigilance and PMS are embedded, faster supplier qualification because the process is routine.
ISO 13485 anchor: Clause 5.4 (planning) and Clause 5.6 (management review) becoming inputs to business planning, not just regulatory planning. Clause 7.3.9 (control of design changes) handled as a routine operational capability rather than an exceptional event. The full Clause 8 loop (monitoring, analysis, improvement) integrated with commercial and clinical strategy.
What it looks like: The QMS is a source of competitive advantage, not a cost center. Regulatory change handling is a rehearsed capability. Notified body audits are uneventful. Management uses quality data to make product decisions.
What changes from Level 4: Level 5 is culture, not just process. It is years of Level 4 discipline, plus a leadership team that actually reads the management review output. Very few startups are at Level 5 within five years. That is not a failure; it is the normal timeline.
The Subtract to Ship view of the model
Subtract to Ship uses the maturity model as a sequencing tool, not a scoring tool. The question is never "what level are we?" for its own sake. The question is "what is the next clause of EN ISO 13485:2016+A11:2021 that we can genuinely live up to, and what do we need to do to get there?" Every upgrade in the QMS has to earn its place by pointing back to a specific ISO 13485 clause or MDR article. Maturity is not about adding more documents; it is about making the existing ones bite harder.
The failure mode this prevents is the startup that buys a "Level 4" template package the week after first certification, implements none of it, and walks into the surveillance audit with a written QMS that describes a company that does not exist. The Level 1 company that honestly operates at Level 1 is stronger than the Level 2 company that claims Level 4 on paper.
Reality Check — Where do you stand?
Answer these honestly. The goal is not to score high; it is to know where you actually are.
- Can every team member describe the process they own in the same terms as the written SOP? If not, you are below Level 2.
- Has every core QMS process (internal audit, management review, CAPA, complaints, training, design review) run at least once with real records? If not, you are below Level 1 and you are not ready for certification.
- Does your last management review look at numbers (trend data) or only at anecdotes? Numbers put you at Level 3 or above. Anecdotes keep you at Level 2.
- Can you name a single product or process change in the last 12 months that was driven by PMS data? If yes, you are approaching Level 4. If no, you are at Level 3 or below.
- Does leadership read the management review output and let it influence strategy, or is the management review a regulatory ritual? Only the former earns Level 5.
- For every document in your QMS, can you name the ISO 13485 clause or MDR article that requires it? If not, you have bloat — and bloat is not maturity.
- Is your written QMS ahead of what your company actually does? If yes, drop a level on paper until the reality catches up. That is the single healthiest move you can make.
Frequently Asked Questions
Is the QMS maturity model required by MDR? No. MDR Article 10(9) requires a QMS proportionate to the risk class and type of device, and EN ISO 13485:2016+A11:2021 is the harmonised standard for satisfying that obligation. The maturity model is commentary — a planning tool for how a QMS grows after it first meets those requirements. Level 1 (minimum compliant) is the legal floor; the higher levels are voluntary.
What maturity level should a startup target for first certification? Level 1. A clean, honest, minimum compliant QMS that satisfies every applicable clause of EN ISO 13485:2016+A11:2021 is the right target for first certification. Trying to reach Level 3 or above before certification typically produces a bloated QMS that the team cannot actually live up to.
How long does it take to move from Level 1 to Level 3? Roughly 12 to 18 months of disciplined operation after first certification, assuming the record structure was designed with analysis in mind from the start. Companies that built their records ad hoc usually need an additional rework pass before Level 3 data becomes usable.
Can you skip maturity levels? Not credibly. A company can claim Level 4 on paper, but the gap between the written QMS and the real processes will surface at the next surveillance audit as nonconformities. Maturity levels are descriptions of how the company actually operates, not labels to apply to documents.
Does a higher maturity level reduce audit findings? Not directly. A disciplined Level 1 QMS can pass with zero nonconformities. A sloppy Level 3 QMS can accumulate findings. What reduces findings is the alignment between the written system and the real processes — and that alignment is the actual content of every maturity level.
What happens to maturity after a major regulatory change? Regulatory changes (new MDCG guidance, revised standards, transitional provisions) reset parts of the QMS. A Level 4 company that absorbs a significant standards update well is still Level 4. A Level 4 company that ignores it falls back to Level 2 in the affected area until the change is handled.
Related reading
- The Minimum Viable QMS: What You Need Before Your First Audit — the Level 1 foundation this maturity model builds on.
- How to Build a Lean QMS for an MDR Startup — the build process for reaching Level 1 without bloat.
- How to Maintain Your QMS After Certification — the operational discipline that moves a company from Level 1 to Level 3.
Sources
- Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices. Consolidated text on EUR-Lex. Article 10, paragraph 9; Article 83; Annex IX.
- EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. Current harmonised edition. Clauses 4 through 8.
- EN ISO 14971:2019+A11:2021 — Medical devices — Application of risk management to medical devices. Current harmonised edition.
This post is part of the Quality Management Under MDR series in the Subtract to Ship: MDR blog. Authored by Tibor Zechmeister and Felix Lenhard. The QMS maturity model presented here is commentary, not a regulatory requirement — MDR Article 10(9) and EN ISO 13485:2016+A11:2021 are the binding obligations. If the complexity of your specific QMS growth path exceeds what a blog post can cover — and it probably will, because every device and every team is different — Zechmeister Strategic Solutions has walked 50+ companies through this exact problem.