EN ISO 13485:2016+A11:2021 clause 5.3 requires top management to establish a documented quality policy, and clause 5.4.1 requires quality objectives that are measurable and consistent with that policy. MDR Article 10(9) makes the surrounding quality management system a legal obligation. For a startup, the quality policy is a one-page document signed by the CEO or founder that states, in the organisation's own voice, what the company is committed to — compliance with the MDR, the safety and performance of its devices, the effectiveness of the QMS, and continual improvement. The quality objectives are a short, honest list of measurable targets at the functions and levels where the work actually happens. Neither document has to sound corporate. Both have to be real.

By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.


TL;DR

  • Clause 5.3 of EN ISO 13485:2016+A11:2021 mandates a documented quality policy established by top management, appropriate to the purpose of the organisation, with a commitment to comply with requirements and maintain the effectiveness of the QMS.
  • Clause 5.4.1 mandates quality objectives that are measurable and consistent with the quality policy, established at relevant functions and levels of the organisation, including those needed to meet applicable regulatory requirements.
  • MDR Article 10(9) makes "responsibility of the management" one of the mandatory QMS aspects, which is the legal anchor underneath clauses 5.3 and 5.4.1.
  • A startup quality policy should be one page, signed by the CEO or founder, written in the company's own voice, and recitable by the team. A templated policy that could belong to any company is a red flag for Notified Body auditors.
  • Quality objectives should be a handful that actually matter — not twenty that decorate a slide deck. Each one needs a metric, a target, an owner, and a review cadence that ties into management review under clause 5.6.

Why this matters before you write a single line

A startup that is preparing for its first Notified Body audit will sit down one afternoon and write a quality policy because someone on the team said it is required. Often the draft is copied from a template, the word "excellence" appears three times, the founder signs it, it gets hung on the wall or dropped into the QMS folder, and nobody ever reads it again. Twelve months later the Notified Body auditor asks the CTO to describe the company's commitments to quality. The CTO freezes. The auditor asks the RA lead. Same result. The auditor writes a note, and the note becomes a finding because the policy is a document in the folder but not a commitment in the company.

This is the failure mode to avoid. The quality policy and the quality objectives are the two places where top management tells the organisation, in writing, what matters. If the writing is theatre, the organisation learns that quality is theatre. If the writing is honest, the organisation learns that quality is how decisions actually get made. A Notified Body auditor can tell the difference within five minutes of asking two people in the room to explain what the policy means.

The good news is that writing a real quality policy and a real set of quality objectives for a startup is not hard. It takes a couple of hours of honest thinking, a founder willing to sign something they actually believe, and a team small enough that everyone can name the commitments without rehearsing. The length is not the point. The authenticity is.

What clause 5.3 actually requires

EN ISO 13485:2016+A11:2021 clause 5.3 places six explicit obligations on top management in relation to the quality policy. Top management shall ensure that the quality policy is appropriate to the purpose of the organisation, includes a commitment to comply with requirements and to maintain the effectiveness of the quality management system, provides a framework for establishing and reviewing quality objectives, is communicated and understood within the organisation, and is reviewed for continuing suitability.

Read each of these obligations as a separate test the document has to pass.

Appropriate to the purpose of the organisation. A quality policy written for a Class III implant company and pasted into a Class I SaMD startup fails this test. The policy has to sound like the company that wrote it, with commitments that reflect what the company actually does. If you can swap the company name for another MedTech name and the policy still reads the same, it is not appropriate to the purpose of the organisation.

Commitment to comply with requirements. "Requirements" here means applicable regulatory requirements — MDR, harmonised standards, applicable national law — and customer requirements where they apply. The policy states the commitment explicitly. Phrases like "we strive to comply" are weaker than "we comply." Notified Body auditors notice.

Commitment to maintain the effectiveness of the QMS. Not just "have" a QMS. Maintain its effectiveness. The word effectiveness is load-bearing — it means the QMS actually produces the outcomes it is supposed to produce, not just that it exists on paper.

Framework for quality objectives. The policy provides the umbrella under which the quality objectives live. This is what makes clauses 5.3 and 5.4 a matched pair. A policy that talks about "patient safety and regulatory compliance" must be followed by quality objectives that measure something about patient safety and regulatory compliance. If the policy says one thing and the objectives measure something unrelated, the framework is broken.

Communicated and understood. The standard does not just require the policy to be communicated — it requires it to be understood. The test of understanding is whether the people in the organisation can explain what it means. A Notified Body auditor will test this by asking random employees what the policy says.

Reviewed for continuing suitability. The policy is reviewed periodically — typically as an input or output of management review under clause 5.6 — and updated if the organisation, the devices, or the regulatory environment have changed in ways that make the policy stale.

A startup quality policy that satisfies all six tests is one page, signed, honest, and alive in the organisation. Everything else is decoration.

What makes a real quality policy

A real quality policy for a startup has three features that templated policies lack.

First, it is written in the company's own voice. The founder speaks in certain ways about the product, the mission, and the team. The quality policy should sound like the founder, not like a QMS template vendor. This does not mean the language is casual — it means the language is the company's. If the founder says "we build X for patients who need Y," the policy should use those words. Authenticity is the single strongest anti-template signal for a Notified Body auditor.

Second, it names the device type and the organisation's purpose specifically. A policy that says "our medical devices" is weaker than a policy that says "our [specific device category] intended for [specific intended user] to [specific benefit]." Specificity forces the policy to be about this company, not any company.

Third, it commits to the things that are actually hard for this company. Every MedTech company can write "we comply with applicable regulations" because every MedTech company legally must. A stronger policy names the specific commitments that matter most given the device type and the team — for example, software safety, clinical evidence quality, usability, or supply chain control — and states that the organisation prioritises these areas. The prioritisation itself is a signal that someone thought about what this particular company does.

A clean structure for a one-page startup quality policy is: a short statement of what the organisation does and for whom; the commitment to comply with applicable regulatory and customer requirements; the commitment to maintain the effectiveness of the QMS; the specific areas of focus that matter most for this device and this organisation; and a statement that quality objectives will be set, tracked, and reviewed to give the policy teeth. Sign it, date it, and review it at a documented cadence.

What clause 5.4.1 actually requires

Clause 5.4.1 of EN ISO 13485:2016+A11:2021 requires top management to ensure that quality objectives — including those needed to meet applicable regulatory requirements and requirements for the product — are established at relevant functions and levels within the organisation. The objectives must be measurable and consistent with the quality policy.

Four phrases in that clause are load-bearing.

Measurable. An objective without a metric and a target is not an objective under clause 5.4.1. "Improve quality" is not measurable. "Close 90 percent of CAPAs within 60 days of opening" is measurable. The metric and the target must both be specified. If you cannot say yes or no at the review point about whether the objective was met, the objective is not measurable.

Consistent with the quality policy. The objectives have to trace back to the commitments in the policy. If the policy commits to patient safety, there should be objectives that measure something related to patient safety — complaint severity, CAPA effectiveness, field action rates, risk control verification. If the policy commits to regulatory compliance, there should be objectives that measure something related to compliance activity — audit non-conformity closure, training completion, regulatory update review cadence.

At relevant functions and levels. This means the objectives cannot all live at the company-wide level. Relevant functions — engineering, RA, QA, clinical, operations — each have objectives that relate to the work they do. In a three-person startup where every function is done by the same person, this collapses to a single set. In a twenty-person startup, it does not — each function owns objectives at its own level, and the sum of those objectives rolls up to the organisation's policy commitments.

Including those needed to meet applicable regulatory requirements. At least some of the objectives must relate to regulatory obligations — MDR articles, harmonised standard clauses, PMS obligations, vigilance reporting. The objectives are one of the ways top management demonstrates that the regulatory obligations are being tracked, not just assumed.

How to write measurable objectives without inventing theatre

The trap is to write too many objectives because more looks like more rigour, then to track none of them because tracking twenty objectives across a ten-person team is impossible. The opposite trap is to write three objectives that are so vague they cannot be tested. Neither failure mode survives a Notified Body audit.

A working pattern for a startup is four to eight objectives total, each one with a metric, a target, an owner, a data source, and a review cadence. The objectives cover the areas where the company is most exposed — typically CAPA closure, complaint response, PMS data completeness, internal audit completion, training completion, and design review sign-off. The objectives are reviewed at management review under clause 5.6 and updated when the data shows the target was the wrong one or the priority has shifted.

Concrete examples for a pre-certification startup: close 80 percent of CAPAs within 90 days of opening. Acknowledge every complaint within five working days. Complete 100 percent of planned internal audits within the audit plan quarter. Close every critical internal-audit non-conformity within 60 days of identification. Achieve 100 percent mandatory QMS training completion for every employee within 30 days of hire. These are measurable, they are tied to real QMS processes, they each have a clear data source, and they each have a named owner.

The objectives do not all have to be about percentages. An objective can be a binary — "publish a documented PMS plan for each device before first placing on the market" — as long as there is a clear yes/no answer at the review point. What matters is that the answer is unambiguous.

Communication: how the policy and objectives actually land

Clause 5.3 requires the policy to be communicated and understood within the organisation. Clause 5.5.3 adds the broader requirement for internal communication about QMS effectiveness. In a startup, "communicated" does not mean a 50-slide deck. It means the team knows the policy exists, knows where it lives, and can explain what it means.

Three practical patterns work.

Onboarding. Every new hire reads the quality policy on day one as part of QMS onboarding and signs an acknowledgement that becomes part of the training record. The onboarding conversation explains what the commitments mean in the context of the work the new hire will do.

Visible placement. The policy lives in a place everyone uses — the QMS landing page, the team wiki, the welcome page for the engineering tooling. Not buried in a folder nobody opens.

Reference in decision-making. When a decision has to be made that touches a commitment in the policy, the decision-maker references the policy out loud. Over time this turns the policy from a document into a shared reference point, which is what "understood" looks like in practice.

The test of whether communication has worked is the one the Notified Body auditor will run: ask a random employee to describe the company's commitments to quality. If the employee can answer coherently, the communication worked. If not, the communication did not work, no matter how many training slides exist.

Review and update

Clause 5.3 requires the policy to be reviewed for continuing suitability. Clause 5.6.2 lists changes that could affect the QMS as a required management review input. Taken together, the policy and the objectives should be revisited at every management review — at minimum to confirm they are still appropriate, and in practice to update them when the device portfolio, the regulatory environment, or the organisation have changed materially.

The default cadence for a startup is to review the policy and the objectives at least once a year as a formal agenda item at a management review, with a shorter check-in at each intermediate management review. Updates are documented in the QMS change control process, and the updated version is re-signed by top management and re-communicated to the organisation.

Review does not mean rewriting. Most reviews will conclude that the policy is still appropriate and the objectives are still correct. What matters is that the review happened, was documented, and was honest. A policy that has not been reviewed in three years, for a company that has grown from five people to twenty-five and added a second device, is almost certainly stale — and the Notified Body auditor will notice that the document predates the current organisation.

Common mistakes

  • The templated policy. A document that could belong to any MedTech company, full of generic commitments to excellence, continuous improvement, and patient-centricity. Fails the "appropriate to the purpose of the organisation" test on the first reading.
  • The un-recitable policy. Nobody in the company can explain what it says. Fails the "communicated and understood" test.
  • Objectives with no metrics. "Improve quality" or "enhance compliance." Fails clause 5.4.1's measurability requirement.
  • Objectives disconnected from the policy. A policy that talks about safety and effectiveness, with objectives that only track training completion. The framework is broken.
  • Objectives that never get reviewed. The same four bullets in every management review deck for eighteen months, untouched, with no updated data.
  • Policy and objectives that contradict the real priorities. The policy promises rigorous clinical evidence; the team is under pressure to ship and cuts clinical work first when the runway gets tight. A Notified Body auditor reading the minutes of decisions will see the gap.

The Subtract to Ship angle

Subtract to Ship applied to the quality policy and objectives produces a short checklist.

Keep: one signed page of policy, four to eight measurable objectives with owners and review cadence, a clear communication path into onboarding, and a review item on the management review agenda. These are required by clauses 5.3 and 5.4.1, and each item is verifiable by an auditor in minutes.

Cut: the multi-page policy with nested aspirations, the twenty-objective scorecard nobody updates, the templated language that could belong to any company, and the once-and-done sign-off that is never revisited. None of these trace to a real obligation at a depth the Notified Body will recognise. They are theatre. See the Subtract to Ship framework for MDR for the underlying discipline.

Reality Check — Where do you stand?

  1. Is your quality policy one page, signed by the CEO or founder, and dated within the last twelve months?
  2. Can two random people in your company explain, in their own words, what the quality policy commits the company to?
  3. Does your policy contain language specific to your device type and your organisation, or could it belong to any MedTech company?
  4. How many quality objectives do you have, and can you name the metric, target, owner, and data source for each one without looking?
  5. Do your quality objectives trace clearly to the commitments in your quality policy, or are they a disconnected list?
  6. When was the last time you updated the objectives based on real data, and what changed?
  7. At your next Notified Body audit, if the auditor asks to see the quality policy, the objectives, and the evidence the objectives are being tracked — can you produce all three within five minutes?

Frequently Asked Questions

How long should a startup quality policy be? One page is the right target. The standard does not specify a length, but clause 5.3 requires the policy to be appropriate to the purpose of the organisation and to be understood within it. A one-page document in the company's own voice meets both requirements far better than a multi-page document written in template language.

How many quality objectives does a startup need under clause 5.4.1? Four to eight is a defensible working range for most startups. The standard requires objectives at relevant functions and levels, and each objective must be measurable and consistent with the quality policy. Fewer than four rarely covers the relevant functions; more than eight is hard for a small team to track honestly.

Who signs the quality policy? Top management. In a startup, that is the CEO or the founder who has the authority to allocate resources and set direction. The signature is not ceremonial — it is the evidence of top-management commitment required by clause 5.1 and operationalised through clause 5.3.

Can we copy a quality policy from another MedTech company? No. Clause 5.3 requires the policy to be appropriate to the purpose of the organisation, and a copied policy almost never is. A Notified Body auditor can spot templated policies in under a minute because the language does not match how anyone in the company actually talks about the work. Write the policy yourself, in your own voice.

Do the quality objectives have to be quantitative? They have to be measurable, which usually means quantitative, but a binary yes/no objective can qualify if the answer at the review point is unambiguous. The test is whether you can say clearly at the review date whether the objective was met.

How often should the quality policy and objectives be reviewed? At least annually as a formal review item, with lighter check-ins at each management review under clause 5.6. Clause 5.3 requires the policy to be reviewed for continuing suitability, and in a startup the organisation changes fast enough that anything less than annual review risks the policy becoming stale between audit cycles.

What does a Notified Body auditor look for when reviewing the policy and objectives? Whether the policy is specific to the organisation, whether the team understands it, whether the objectives are measurable and consistent with the policy, whether they are being tracked with real data, and whether management review has actually looked at them and made decisions. Templated language, un-recitable policies, and unmeasured objectives are all standard findings.

Sources

  1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10 (general obligations of manufacturers, including paragraph 9 on the quality management system and "responsibility of the management"). Official Journal L 117, 5.5.2017.
  2. EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. Clause 5.3 (Quality policy) and clause 5.4.1 (Quality objectives), within clause 5 (Management responsibility).

This post is part of the Quality Management Under MDR cluster in the Subtract to Ship: MDR blog. Authored by Tibor Zechmeister and Felix Lenhard. The MDR is the North Star. EN ISO 13485:2016+A11:2021 clauses 5.3 and 5.4.1 are the tools. A real quality policy and a real set of quality objectives are one page and a handful of measurable targets — not a template and not a decoration.