Medical Device +46(0) 70 58 60 200 Medical Device Medical Device Follow us

8 Key QMS Considerations when Implementing ISO 13485

Sofie Petersson
By Sofie Petersson

Senior Quality and Regulatory Advisor and Acting Quality and Regulatory Manager, Management Representative and PRRC in Medical Device Industry.


Are you in a medical device company that doesn’t have a QMS compliant to ISO 13485? Maybe you are a start-up company that has just realized your product is a medical device or perhaps you are an existing company that just recently decided to get into the medical device world.

Whatever your motivation for thinking about implementing ISO13485, here are my best tips and tricks, that I think are absolutely key when setting up or adapting your QMS to ISO13485.

See how MedQdoc helped MedTech start-up Aidee achieve ISO 13485 certification within 12 months >

01. Ensure top Management and company commitment

ISO 13485 QMS

A common misbelief that I often encounter when working with medical device customers is that the QMS is something that the Quality Director handles, a bunch of documents to be shown for auditors, and that everyday operation is something performed on the side.

If you feel that this is true for your company you must start by educating your colleagues on what it really means to implement a QMS according to ISO13485, and also explain the benefits to your product quality and your business as a whole.

Start with the management team to get them completely on board first and then continue throughout your company.

Make sure the company management and all staff involved are committed, engaged, and truly believe in the benefits of a QMS.

02. Allocate Resources – knowledge and competence

ISO 13485 QMS

Resources are important from two aspects. You need to have enough resources allocated for an ISO13485 QMS project but also ensure that the correct knowledge and competence is present.

A general rule is that all management and most staff must set time aside for an ISO13485 QMS project and ring-fence some resources dedicated to this project for a period of time. Make sure that it is not only people representing the Quality department (the management representatives, QA specialists and/or quality consultants) that have allocated time.

Ensuring competence will look different from company to company. Maybe you already have experienced ISO13485 experts within your organisation? Maybe you have allocated resources but they need a boost/training in ISO13485? Maybe you need to use expert consultants. If the latter is the case, a clever way to keep competence within the company and avoid over-dependence on consultants, is to appoint a person (the management representative) within your company that will be responsible over time to work alongside the hired expert. That way you can gradually phase out expert consultants when your in-house resources are ready and retain all the knowledge within your company.

03. Plan and define your order of actions

When to start? Where to start? How to start? Questions are many, the answers can be different from company to company and planning is crucial.

3.1 When?

Ask anyone who has been a part of ISO13485 QMS implementation project and we would all say,” the sooner the better” and there are good reasons for that. As soon as you are 100% sure your product is a medical device and you have classified it you should start building or adapting your QMS to ISO13485. Need help classifying your device? – Read our blog

It is important to understand that, in the medical device world, if an action such as a meeting or a verification test of your product is not documented, (i.e. no properly signed and saved record) it never happened!

To understand why you should start early and the consequences if you don’t, let us imagine that you do the opposite, which would be to fully design and develop your product first. You will then have a finished product, which you cannot take to market until you have gone back and retro fitted design and development records according to your QMS. This is both time consuming and inefficient compared to following a compliant design and development procedure when creating your product.

Furthermore, by following a compliant design control and product risk management procedure, you will design a safer medical device. You will probably also avoid some extra time-consuming detours, by thinking before doing and ensuring no crucial parts of your product are left behind, such as labelling and packaging.

3.2 Where?

If you are starting from a current QMS, possibly an ISO9001 system or an old ISO13485 system that has not been maintained properly I would start by doing a gap analysis of your current system towards ISO13485:2016. That way, you’ll get a good foundation for your project plan focussing on filling out the current gaps.

If you are starting from scratch, the key process required to allow you to proceed is a document control procedure, including record management. From then on everything you create will either be a controlling document (a process/procedure description), or a record (documented proof that an activity within a process is done).

With that complete, where to start depends on how far you have come with your product and also what type of business you are.

Let us assume that you are reading this when design and development is only in concept phase. Then I recommend you start building design control, product risk management and supplier control procedures, and move on to production control and monitoring and measuring procedures later.

If you already have finished your design and are in the middle of selecting suppliers then I would start with supplier control SOPs. Make sure to follow those as soon as possible and then maybe design control can wait a little, since you are already too late and will have to do catch-up recording.

3.3 How?

It is important to let the people responsible for the process, and the ones who are actually working according to the process, be in charge of documenting how they work or how they plan to work. Then a QA person or someone with deeper knowledge and training of ISO13485:2016 also needs to be involved to ensure regulatory compliance. For example, a perfect sub-team to create the Supplier Control procedure would be the Sourcing Manager responsible for the whole process, a Sourcing specialist who will perform day-to-day work and a QA Specialist.

If you find it difficult to start from scratch it can be a good idea to use a template created by a medical device QMS specialist. A template can be a good inspiration and also a help to ensure compliance. But, remember that a template is only a suggestion, a guide, and in the end, you need to describe your unique procedure and ensure it follows applicable regulations. Read the full list of QMS templates available with MedQdoc.

Depending on the size of your company I would either appoint an allocated project leader that works very close with the company’s management representative, or, if you are very small, appoint the management representative as the project leader and drive the implementation as a project with clear goals and timelines.

04. Take the time you need

ISO 13485 QMS

Take the time you need to set up the processes you will follow. Preferably describe what you are already doing and make sure to involve your ISO13485 trained resources to ensure all necessary steps are included.

In this context – faster isn’t always better. It will be far more beneficial in the long run to involve the people who will be responsible for and working according to the procedures, than to have an outside consultant just write a procedure document. By involving the staff who will be working in the QMS, you are implementing your QMS while creating it. So, if they don’t have much time to spare, it may be a longer project, but you’ll end up with a functioning QMS.

Don’t believe anyone that states that they can help you go from nothing to a compliant ISO13485 QMS in 30 days. You will most probably will end up with a paper-product and not an established QMS.

05. Consider other applicable regulations and standards

ISO 13485 QMS

If you are in the medical device industry, there will be more regulations and standards to consider than just ISO13485. Both ISO14971 – regarding risk management to medical devices -and EN 62366 – covering usability engineering to medical device – will almost always apply and should be integrated in your QMS.

If you are planning to market your product in Europe, you must at least consider Article 10 Chapter 9 in MDR regarding QMS. But it is also beneficial to integrate some of the other topics within your QMS, for example post-market surveillance and clinical evaluation.

If you are planning to market your product in USA, you must follow 21 CFR 820 (QSR).

My recommendation, whether you are an American or a European company, or from elsewhere, is to implement a QMS that is both compliant to QSR and ISO13485. The differences are so small that it is hardly any extra effort, and chances are you might expand your markets sooner than you think.

06. Choose between electronic or paper-based QMS

ISO 13485 QMS

There are multiple benefits of implementing an electronic QMS and I’ll list just a couple below. My opinion and experience tell me that the cost of an eQMS will soon be paid back in the form of company efficiency, fewer audit remarks to handle and fewer resources working with easy but time-consuming administrative tasks.

The increase in remote working combined with the strict document control regulations in the medical device world, mean that obtaining signatures from multiple persons/functions within the organisation for every document could take days, or even weeks with a paper-based system. With an eQMS, it can be done within a minute.

Paper-based documents, requiring handwritten signatures, also need to be archived in a fire-proof physical archive, with strict version control so only the current version of the document is distributed within the organisation. All of this is done automatically in an eQMS and can be done while working from a home office or while travelling.

The situations described above often give reason for hesitation before updating/changing processes in the paper based QMS, since they involve time-consuming administrative routes, and thereby create obstacles to continuous improvements of your QMS. A paper based QMS risks becoming just a pile of papers that is never used to create efficiency in your business and improve quality of your medical device.

It is most often a good decision to implement an eQMS at the same time as your ISO13485 compliant QMS. This way you don’t have to move your paper-based QMS at a later stage – you can do it as one project instead of two.

If you do decide to implement an eQMS, I would strongly recommend using a system adapted for medical devices. With an eQMS solution you can either buy a set of templates for the processes and records you need, or a few of them provide it as an included feature. Such templates and structures are often a valuable help when setting up your processes and can really help shorten your ISO13485 compliance project. An example of an eQMS solution adapted to the medical device industry and regulations with integrated templates is MedQdoc.

Learn how we helped medical device company Inossia move away from their paper-based document system. Read the case study >

07. Start using your processes

ISO 13485 QMS

One of my best pieces of advice to medical device companies is not to wait until processes are perfect before starting to use them. It is better to release a first attempt and try to follow that. This is the best way to figure out what processes are working for your company and not.

Continuous improvements and risk management of processes are part of a well-functioning QMS and the best way to set up well functioning processes, that increase the quality of the end-product as well as achieving regulatory compliance. A QMS with several processes with a high version/revision number is often a sign of a healthy, well-maintained system.

So, start following your processes at a very early stage and don’t be afraid to change them. Update them continuously when you figure out better and more streamlined ways of working.

08. Conduct Management review and Internal audits

Independent of what the status of your QMS as a medical device company is, two key processes that you really want functioning well are your management responsibility, including management review procedure, and internal audit process. If these two processes are used and followed as intended by ISO13485 and QSR, they will drive and improve your QMS and increase business efficiency as well as the quality of your medical device in the long run.

8.1 Management review

Don’t hesitate to perform your first Management review according to your new process at an early stage – even if a lot of the topics are covered quickly. Getting in the habit of regularly overviewing your QMS, and the product and process data will benefit you later.

If you are new to performing ISO13485 compliant management reviews, I would suggest you do them at least twice a year to get used to and comfortable with the process.

ISO 13485 QMS

8.2 Internal audit

I advise you to see and use your internal audit process as a tool for continuous improvements, as well as your compliance check procedure.

Don’t create a climate where the internal audit process is about finding and hiding faults. See it as a guide, by using fresh eyes and minds, identify improvement possibilities and errors you might have overlooked; it is easy to become blind to your own flaws.

Similarly to the management review, don’t hesitate to perform early internal audits according to your new process, for two reasons; first to practice and find improvement possibilities within the internal audit process itself, and second to improve and push all other processes within the QMS forwards.

A well thought out strategy and project plan will go a long way toward helping you build your ISO13485/QSR compliant QMS. You reading this is a very good sign you are on the right track.

So, in conclusion, start by training and educating yourself, your management and all staff; aim to achieve a common understanding that you need a well-functioning QMS. Allocate time and resources. Start building, documenting and using your processes and get into the habit of reviewing and constantly improving your QMS through management review and internal audit process.

If you get stuck, don’t hesitate to reach out to me or my colleagues at MedQdoc for more help and support.

Explore More Blogs