A quality management system (QMS) for medical devices is the set of documented processes a manufacturer uses to ensure, consistently and verifiably, that its devices meet the requirements of Regulation (EU) 2017/745. MDR Article 10(9) is the legal obligation: every manufacturer must establish, document, implement, maintain, keep up to date, and continually improve a QMS that is proportionate to the risk class and type of device. EN ISO 13485:2016+A11:2021 is the harmonised standard that, when followed, gives presumption of conformity with that obligation. The MDR is the North Star. ISO 13485 is the tool.

By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.


TL;DR

  • A medical device QMS is the legally required management system that turns "we build safe devices" into a set of documented, repeatable, auditable processes a Notified Body can inspect.
  • The legal obligation lives in MDR Article 10(9). The harmonised standard that provides presumption of conformity with that obligation is EN ISO 13485:2016+A11:2021.
  • The QMS is not an ISO 13485 project. It is an MDR project that uses EN ISO 13485:2016+A11:2021 as one of its tools.
  • "Proportionate to the risk class and type of device" is the single most important phrase in Article 10(9). A Class I QMS and a Class III QMS are not the same system.
  • The main QMS processes are: management responsibility, document and record control, design and development controls, purchasing and supplier control, production and service provision, CAPA, internal audits, management review, PMS linkage, and risk management linkage.
  • A bought template with the company name replaced is not a QMS. A QMS is the real processes the company actually runs, written down accurately.

Two companies, two QMS

Two startups, both building Class IIa devices, both preparing for their first Notified Body audit under MDR. Same device class. Same standards. Two completely different outcomes.

The first company was based in Berlin. The founders had raised money, hired engineers, and knew they needed a QMS for certification. Someone told them QMS templates were available online. They bought a set, opened the first document, and used find-and-replace to swap the placeholder company name for their own. They repeated this across every procedure, every form, every work instruction. A few hundred documents, all "done" in an afternoon. They submitted the result as their QMS for the Notified Body review.

The auditor came back with an assessment that should have ended the project right there. The QMS was evaluated as approximately 0.1 percent complete. Not 10 percent. Not "needs work." Zero-point-one. Because what they had submitted was not a QMS at all. It was a pile of procedures describing the processes of a company that did not exist. None of the documents matched how the real company actually operated. Document control referenced a system they did not have. Design controls described a workflow they did not use. Supplier controls mentioned vendors they had never heard of. The auditor was not fooled for a second.

The second company was in Vienna. The QA manager they hired had built a QMS before, at a previous employer. She brought a basic framework with her — not the documents themselves, but the structure and the logic of how a QMS fits together. Then she did the work. She sat down with every process in that framework and walked through it against the actual operations of the new company. Every procedure got interrogated. Did this company actually have a purchasing function? What did it look like in practice? How was design review actually happening — over a shared whiteboard, over Jira, over GitHub pull requests? Where were the real records? What needed to be added? What needed to be cut?

The result was lean. Nothing extra. Nothing missed. Every document described a real process that the real company actually ran. When the Notified Body came in, the audit was uneventful in the best possible way. There were no big gaps, because the system was built around the truth of the company, not around a template.

Same class. Same regulation. Same standard. Two fundamentally different conceptions of what a QMS is.

This post is about the correct conception.

What a QMS actually is

Strip away the jargon. A quality management system for medical devices is the answer to a simple question that a Notified Body auditor will ask you, in some form, many times during an audit: "How do you know?"

How do you know this device meets the general safety and performance requirements? How do you know the software you shipped is the software you tested? How do you know the supplier who provided that sensor has not changed their process? How do you know the complaint you received last month is being properly investigated? How do you know the risk assessment you did two years ago still applies to the version you are selling today?

A QMS is the set of documented processes that let you answer every one of these "How do you know?" questions with evidence — not with assertion, and not with good intentions. The evidence is the documents, records, and traces that your processes produce as they run.

Every medical device manufacturer on the EU market runs on this logic, from the smallest Class I startup to the largest Class III implant manufacturer. The scale differs. The underlying move — turn the work into processes, turn the processes into documented procedures, turn the execution into records — is the same.

A QMS is not a binder. A QMS is not a SharePoint folder. A QMS is not a set of templates. Those things are the artefacts a QMS produces. The QMS itself is the way the company operates.

The MDR obligation — Article 10(9)

Here is where we fix the relationship between the Regulation and the standard, because this is the single most misunderstood point in startup regulatory work.

The legal obligation to have a QMS does not come from ISO 13485. The legal obligation comes from the MDR. Specifically, it comes from Article 10(9) of Regulation (EU) 2017/745, which sits in the chapter on manufacturer obligations. Article 10 lists the obligations of a manufacturer of medical devices across fourteen paragraphs. Paragraph 9 is the QMS paragraph.

Article 10(9) requires manufacturers of medical devices to establish, document, implement, maintain, keep up to date, and continually improve a quality management system that ensures compliance with the MDR in the most effective manner and in a manner proportionate to the risk class and type of device. The paragraph then lists the aspects the QMS must address, at a minimum (Regulation (EU) 2017/745, Article 10, paragraph 9):

  • the strategy for regulatory compliance;
  • identification of applicable general safety and performance requirements;
  • responsibility of management;
  • resource management, including supplier control;
  • risk management;
  • clinical evaluation, including post-market clinical follow-up;
  • product realisation (planning, design, development, production, service provision);
  • verification of UDI assignments;
  • setup, implementation and maintenance of the post-market surveillance system;
  • handling of communication with competent authorities, notified bodies, other economic operators, customers, and other stakeholders;
  • processes for reporting of serious incidents and field safety corrective actions in the context of vigilance;
  • management of corrective and preventive actions;
  • processes for monitoring and measurement of output, data analysis, and product improvement.

Read that list. Every process your startup runs under its QMS label must trace back to one of those items, and every one of those items must be covered somewhere in your QMS. If something in your QMS does not trace to Article 10(9) or to another specific MDR obligation, it is waste. If something required by Article 10(9) is missing from your QMS, it is a non-conformity waiting to happen.

Note what Article 10(9) does NOT say. It does not say "your QMS must comply with ISO 13485." It does not name the standard at all. The MDR specifies the obligation. How you meet that obligation is a separate question.

How EN ISO 13485:2016+A11:2021 fits in

Here is where the harmonised standard enters.

Under MDR Article 8, compliance with a harmonised standard whose reference has been published in the Official Journal of the European Union gives presumption of conformity with the corresponding MDR requirements. EN ISO 13485:2016+A11:2021 is the harmonised standard for QMS. When your QMS conforms to EN ISO 13485:2016+A11:2021, the regulatory authorities and Notified Bodies presume that your QMS meets the corresponding MDR requirements, unless there is specific evidence to the contrary.

This is an enormous practical advantage. Without the harmonised standard, a manufacturer would have to build a QMS from scratch, describe it in detail, and argue from first principles that it satisfies Article 10(9). With the harmonised standard, the manufacturer builds a QMS that follows the standard's structure, applies the standard's requirements, and inherits a presumption of conformity that makes the Notified Body assessment dramatically more efficient.

But — and this is the critical point — EN ISO 13485:2016+A11:2021 is not the law. It is a tool for meeting the law. The law is MDR Article 10(9). If you follow the standard, you have a strong, efficient path to conformity. If you follow the standard but miss an MDR-specific requirement that the standard does not fully cover — and there are several of these — you still have a non-conformity against the MDR itself.

Annex A and Annex B of EN ISO 13485:2016+A11:2021 (the "Z annexes" in the harmonisation terminology) map the standard's clauses against MDR articles to show exactly which MDR requirements are covered by conformity with the standard. The manufacturer is responsible for the gaps.

A startup that treats EN ISO 13485:2016+A11:2021 as "the rules for our QMS" is making a subtle but important error. The MDR is the rules. The standard is the tool. Orient the team around the Regulation; use the standard to satisfy it efficiently. That ordering matters, and it shows up in audits.

Proportionate to risk class and type of device

The phrase "proportionate to the risk class and type of device" in Article 10(9) is the single most important phrase for a startup to understand, and the single most commonly misapplied one.

"Proportionate" does not mean "as big as the consultant suggests." It does not mean "as small as we can get away with." It means the QMS covers every process the Regulation requires for the specific device being placed on the market, at a depth appropriate to the risk the device presents and the complexity of the manufacturing operation.

A Class I non-sterile, non-measuring, non-reusable surgical instrument made by a three-person startup requires a QMS that covers every Article 10(9) aspect, but at a depth that matches the modest risk of the device and the small scale of the operation. A Class III implantable device requires a QMS that covers the same aspects but at a depth that matches catastrophic risk and complex production. Both QMSs are "complete" in the sense that every required process is there. They look nothing alike in practice.

The proportionality principle is what allows a lean startup QMS to be legally compliant. It is also what creates the failure mode where a startup either over-builds (copying a large-company QMS structure they do not need) or under-builds (leaving out processes the Regulation requires regardless of size). Getting proportionality right is a judgment call that depends on reading Article 10(9) carefully, reading the relevant annex for your conformity assessment route (Annex IX, Annex X, or Annex XI), and understanding what "ensures compliance with the MDR in the most effective manner" actually looks like for your specific device.

Annex IX of the MDR — the full QMS and technical documentation assessment route used for most higher-class devices — gives explicit detail about what the Notified Body will assess in your QMS. Annex IX is worth reading in full if your device sits in Class IIa, IIb, or III. It tells you, in the Regulation's own words, what your QMS will be tested against.

The main QMS processes

Every medical device QMS, regardless of class or size, has to cover a common set of processes. The depth differs. The presence does not. Here are the core processes a startup QMS must address, each with a brief description and its MDR anchor.

Management responsibility. Top management must define the quality policy, set measurable quality objectives, allocate resources, assign responsibilities, and conduct management reviews. This is not ceremonial. The Notified Body will check that top management is genuinely engaged — through management review minutes, signed policies, and traceable resource decisions. Article 10(9) lists "responsibility of management" as a required QMS aspect. Deep dive: see post 284 on management responsibility under MDR.

Document and record control. The QMS must control which documents are current, which versions are obsolete, who approved them, and how records are stored, retrieved, and protected. This is the boring spine of the system. Every audit finding about documentation ultimately traces to a weakness in document or record control.

Design and development controls. For manufacturers who design their own devices, the QMS must include a documented design and development process covering planning, inputs, outputs, review, verification, validation, transfer, and change control. This connects to the technical documentation required under Annex II of the MDR. A clean design control process produces most of the technical documentation as a byproduct. A messy one produces mountains of retroactive paperwork.

Purchasing and supplier control. The QMS must ensure that components, materials, and services obtained from suppliers meet specified requirements. Supplier qualification, supplier monitoring, and change notification from suppliers all sit here. Article 10(9) explicitly calls out "resource management, including selection and control of suppliers and sub-contractors."

Production and service provision. The QMS must control production processes so that devices are consistently manufactured to specification, with appropriate process validation where output cannot be fully verified by subsequent inspection and testing. For software-only devices, this translates to build pipeline and release control.

Corrective and preventive action (CAPA). When something goes wrong — a complaint, an internal audit finding, a non-conforming product, a deviation — the QMS must have a process to investigate, determine root cause, take corrective action, and (where appropriate) preventive action. Article 10(9) lists "management of corrective and preventive actions" as a required QMS aspect. Deep dive: see post 307 on CAPA under MDR and ISO 13485.

Internal audits. The QMS must audit itself on a planned schedule to verify that the processes are being followed and are effective. Internal audit findings feed CAPA. Deep dive: see post 311 on internal audits under MDR.

Management review. Top management must periodically review the QMS — audit results, CAPA status, complaints, PMS data, supplier performance, resource needs, improvement opportunities — and take decisions based on what they see. Management review is where the QMS closes its own loop.

Post-market surveillance linkage. The QMS must include processes for setting up, implementing, and maintaining the PMS system required under MDR Articles 83–86 and Annex III. PMS is not a separate thing that lives outside the QMS. It is a QMS process that happens to operate after the device is on the market. Article 10(9) lists "setting up, implementation and maintenance of a post-market surveillance system" explicitly.

Risk management linkage. The QMS must link to the risk management process — because risk management, under the harmonised standard EN ISO 14971:2019+A11:2021, runs throughout the product lifecycle. Risk management feeds design inputs, validation protocols, CAPA, and PMS. Article 10(9) lists "risk management as set out in Section 3 of Annex I" as a required QMS aspect.

Vigilance and communication with authorities. The QMS must cover the processes for reporting serious incidents and field safety corrective actions, and for handling communication with competent authorities, Notified Bodies, distributors, and customers. Article 10(9) calls these out specifically.

PRRC and personnel. Under MDR Article 15, every manufacturer must have at least one Person Responsible for Regulatory Compliance (PRRC) within their organisation, with defined qualifications. Under Article 15(2), micro and small enterprises may instead have a PRRC permanently and continuously at their disposal rather than employing one internally. The QMS documents who the PRRC is, their qualifications, and their role in the quality system.

Every one of these processes shows up in EN ISO 13485:2016+A11:2021 as well. The standard provides the detailed clauses. The MDR provides the legal obligation. A startup builds each process to satisfy the MDR requirement, using the standard's clauses as the practical blueprint.

The Subtract to Ship discipline applied to QMS

The Subtract to Ship framework (post 065) applied to QMS work produces a specific discipline.

The default failure mode in startup QMS work is not that founders forget to include a required process. The default failure mode is that they include ten copies of every process, at a level of detail appropriate to a 500-person company, for operations that have never been run and may never exist in the form the documents describe.

Subtraction in QMS work means: every procedure, every form, every work instruction, every record template must describe a process that the company actually runs (or is committed to running immediately). If a procedure describes a fictional process, it must come out. If two procedures describe overlapping processes, they must be merged. If a form collects data the company will never use, it must come out. If a document exists only because "ISO 13485 usually has one," it must be tested against the actual clauses of EN ISO 13485:2016+A11:2021 and the actual requirements of MDR Article 10(9). If it does not map to either, it comes out.

This is not a recipe for a smaller QMS. It is a recipe for an honest QMS. A Class III implant manufacturer that applies Subtract to Ship will still have a large QMS, because the Regulation requires a lot for Class III and the device is complex. A Class I startup that applies Subtract to Ship will have a small QMS, because the Regulation does not require more and the operations do not justify more. In both cases, nothing in the QMS is theatre.

Two practical moves. First: before you write any QMS document, write down what the corresponding real process looks like today in your company — as one paragraph of honest description. Then write the procedure to match. Second: when you finish a draft of any QMS document, have the person who actually runs the process read it and answer one question: "Is this what you actually do?" If the answer is no, the document is wrong, not the process. See posts 280 and 281 on building a lean QMS and on the minimum viable QMS for startups for the full operational playbook.

Real QMS versus template QMS

Return to the two companies from the opening.

The Berlin company had a template QMS. The documents existed. They were formatted correctly. They had the right section headings. They contained the right ISO 13485 clauses. They were, from a distance, indistinguishable from a real QMS. Up close, they were useless — because none of them described what the Berlin company actually did. The Notified Body's 0.1 percent assessment was not an exaggeration for effect. The QMS literally did not govern the company's operations. The company was running without a QMS, with a set of documents nearby that happened to use the company's name.

The Vienna company had a real QMS. The documents might have been shorter. The structure might have been simpler. The language might have been less polished. But every procedure described a real process that a real person was actually running, and every record was a trace of that process running. The Notified Body had something to audit — a real system, with real outputs, connected to the real device.

Tibor has seen both patterns enough times to make the distinction diagnostically. When he walks into a QMS review and asks "where is the record of the last management review?" and the answer is "let me find it in the folder," that is one signal. When he asks "when did you last conduct a design review?" and the answer is "here is the meeting notes file, it was last Tuesday," that is a different signal. The second company has a QMS. The first has documents.

The single best diagnostic a founder can apply to their own QMS is this: if you stopped maintaining the documents for a week, would the company still know how to operate? If yes, the documents reflect how the company actually works, and the QMS is real. If no — if the documents are the only place the process exists, and no one would follow them without the document in hand — then the QMS is fiction, and the auditor will find out.

Reality Check — Where do you stand?

  1. Can you point to MDR Article 10(9) in your own copy of the Regulation and name the specific aspects it requires your QMS to cover? Can you match each one to a corresponding process in your QMS?
  2. If you had to answer "how do you know?" for every claim about your device's compliance, could you produce a record from your QMS for each answer?
  3. For each document in your QMS, do you know whether the process it describes is actually being run today, by a named person?
  4. Is your QMS proportionate to your risk class and type of device — or is it sized for a different company's problem?
  5. Did you build your QMS by taking a template and replacing the company name, or by walking through every process against your actual operations?
  6. Does your team understand that MDR Article 10(9) is the legal obligation and EN ISO 13485:2016+A11:2021 is the harmonised standard that provides presumption of conformity — or do they think "ISO 13485 is the law"?
  7. If a Notified Body auditor arrived tomorrow, could you walk them from any MDR Article 10(9) requirement to the corresponding QMS process and then to a live record from the last thirty days?

If any of these questions produced a "not yet," that is where the work is.

Frequently Asked Questions

Is ISO 13485 legally required for medical devices in the EU? No. The legal requirement is MDR Article 10(9), which requires a QMS proportionate to the risk class and type of device. EN ISO 13485:2016+A11:2021 is the harmonised standard that gives presumption of conformity with that requirement. A manufacturer can in principle meet Article 10(9) without following EN ISO 13485:2016+A11:2021, but in practice the standard is the efficient path and is what Notified Bodies expect.

Do I need a QMS before I start design work? In practice, yes. MDR Article 10(9) requires the QMS to cover design and development, and the records of the design process become part of the technical documentation that the Notified Body will assess. Starting design work without basic QMS processes in place (at minimum: document control, design controls, risk management) means retroactively reconstructing records later, which is painful and often impossible. See post 052 on when to start MDR regulatory work and post 051 on the two-phase development approach.

Can a small startup really have a compliant QMS with a two- or three-person team? Yes, for lower-risk devices. The proportionality principle in Article 10(9) allows the QMS to scale with the risk class and type of device. A Class I startup with a small team can have a genuinely compliant QMS if every required process is present and honestly run. Under MDR Article 15(2), micro and small enterprises can have the Person Responsible for Regulatory Compliance permanently and continuously at their disposal rather than employing one internally. See post 281 on the minimum viable QMS.

What is the difference between ISO 13485 and ISO 9001? ISO 9001 is the general quality management standard for any industry. ISO 13485 is the QMS standard specific to medical devices, with additional requirements around risk management, regulatory compliance, design controls, and traceability that ISO 9001 does not include. For MDR purposes, EN ISO 13485:2016+A11:2021 is the harmonised standard that provides presumption of conformity. ISO 9001 alone does not. See post 279 on ISO 13485 versus ISO 9001.

Will the Notified Body audit my QMS? Yes, in most cases. Under MDR Annex IX, the full QMS and technical documentation assessment includes a detailed review of the QMS, on-site audits, and surveillance audits at planned intervals. Annex X and Annex XI cover other conformity assessment routes with different QMS scope. For Class IIa, IIb, and III devices in the full QMS route, expect a thorough Notified Body audit of every process described above. See post 278 on Article 10(9) and Annex IX QMS requirements.

What happens if my QMS has gaps when the Notified Body arrives? Non-conformities are raised, categorised (minor or major), and must be addressed before certification can be issued. Minor non-conformities typically require a corrective action plan. Major non-conformities can block certification entirely until they are closed. The worst outcome — the one the Berlin template company experienced — is when the QMS is so hollow that the audit essentially cannot proceed. Prevent this by building a real QMS from the start.

Sources

  1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10 (general obligations of manufacturers, including paragraph 9 on the quality management system), Article 15 (person responsible for regulatory compliance), Annex IX (conformity assessment based on a quality management system and on assessment of technical documentation). Official Journal L 117, 5.5.2017.
  2. EN ISO 13485:2016 + A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. The harmonised standard providing presumption of conformity with MDR Article 10(9) when its clauses are correctly applied.

This post is the pillar for the Quality Management Under MDR cluster in the Subtract to Ship: MDR blog. Authored by Tibor Zechmeister and Felix Lenhard. The MDR is the North Star. EN ISO 13485:2016+A11:2021 is the tool. Everything in this cluster follows that ordering, and every deeper-dive post in the cluster traces back to a specific requirement of MDR Article 10(9) or a related MDR provision.