Quality management for medical devices: ISO 13485

The quality management system is an essential component of a medical device manufacturer. The European Medical Device Regulation (EU) 2017/745 (MDR) has increased the importance of quality management even further. Manufacturers of class I medical devices are now also strictly required to have a quality management system. Many other regulatory requirements are directly linked to quality management.

What distinguishes quality management?

The aim of quality management is to achieve defined quality goals in a reproducible manner. For this, an organization systematizes all work, defines processes and documents them. The quality management system (QMS) consequently comprises all work processes of an organization including their documentation.

A QMS is not static. The aim is to achieve continuous improvements in quality and to meet the requirements of all stakeholders. The organization must therefore continuously monitor the processes and implement improvement measures. The model of the PDCA cycle, which describes a cycle of Plan – Do – Check – Act, plays an important role here.

The QMS considers 3 types of processes:

  • management processes
  • core processes
  • support processes.

The core processes include the value-adding processes. This is where the organization plans, develops, produces and markets its products or services. The support processes relate, for example, to material procurement or corrective and improvement measures. In particular, the management processes set the quality goals, provide resources and infrastructure and communicate the quality philosophy to the organization.

ISO 9001 is the internationally recognized standard for quality management systems. It focuses on improving customer satisfaction. In the case of medical devices, however, this is not the only decisive requirement. The quality target of patient safety is particularly important here. For this reason, the ISO 13485 standard expands the requirements for a QMS when it comes to the provision of medical devices and related services.

Which legal requirements apply to a quality management system?

According to the MDR, manufacturers of medical devices must have a quality management system. This shall ensure that the products meet the requirements of the MDR. In the section “General obligations of manufacturers” (Article 10), the MDR describes which aspects must be mapped in the QMS:

The QMS comprises all elements of a manufacturer’s organization that are related to product quality. It must be continuously maintained, updated and improved.

What is the relationship between the quality management system and the conformity assessment procedure?

Every medical device marketed in Europe must conform to the general safety and performance requirements of the MDR (at least after the transition period has ended). The conformity assessment procedure serves as proof of conformity. The MDR describes several possible conformity assessment procedures that can be used by a manufacturer to prove the conformity of a product with the regulatory requirements.

Choosing the most suitable procedure depends on many factors. The manufacturer must weigh these individually. The risk class of the product plays an important role. The risk class, in turn, depends on the product design and the intended purpose. Generally speaking, the higher the risk class of a product, the more demanding and therefore more complex the conformity assessment procedure should be.

The QMS plays a central role in the various conformity assessment procedures. In the simplest case, i.e., in the case of a class I device, it is sufficient if the manufacturer has a “basic QMS” that includes the above-mentioned requirements of the MDR. In this case, neither a certification of the QMS nor a control by a notified body is required.

In the case of products of classes Is, Ir, Im, IIa, IIb or III, manufacturers usually choose the conformity assessment procedure with a complete QMS certified according to ISO 13485. Here the manufacturer sets up a complete QMS (if it does not already have one) and has it certified by a notified body, including the respective technical documentation of a product. In this way, the manufacturer ensures compliance with the MDR by implementing the QMS.

An alternative conformity assessment procedure for products of classes Is, Ir, Im and IIa is production quality assurance. This is also accompanied by a certified QMS, but only for the production part. This procedure can also be used for class IIb and III products, but only in connection with a type examination. This is also a prerequisite for a further conformity assessment procedure for products of classes IIb and III, the product verification, in which each individual product is tested.

As part of all conformity assessment procedures, the manufacturer issues an EU declaration of conformity. The manufacturer then applies the CE mark to the product. If a notified body is involved, the CE mark must contain a 4-digit identification number of the notified body.

What does the ISO 13485 standard describe?

ISO 13485 specifies requirements for a quality management system in organizations that offer medical devices or related services. These must meet both customer requirements and legal requirements. The standard can also be used by suppliers who provide products or related services to the organizations.

The 2016 version of the standard is currently available and has been harmonized by the EU as EN ISO 13485:2016, i.e., it supports the general requirements of EU directives 90/385/EEC on active implantable devices, 93/42/EEC on medical devices and 98/79/EC on in vitro diagnostics. Regrettably, the EU has not yet harmonized the standard with the new EU regulations for medical devices (MDR) and in-vitro diagnostics (IVDR), even though they will apply on May 26, 2021 at the latest.

ISO 13485 describes the following essential aspects:


The management of an organization defines, monitors and is responsible for the quality objectives, provides the necessary resources and defines roles and (partial) responsibilities. This includes the appointment of a quality management representative.

There is a written quality policy, from which measurable quality goals are derived, and whose follow-up is the basis for corrective measures. The management of an organization continuously evaluates the quality objectives as part of the management review.

The management of an organization ensures that the employees involved are appropriately qualified and can provide evidence of this. If the QMS is certified by a notified body, it monitors the QMS via audits. The organization therefore regularly undertakes internal audits of its QMS in order to convince itself of its suitability in practical operation.


A new medical device starts with its development. The organization must plan the development and link it to the regulatory requirements with a view to the intended purpose or intended use at an early stage. The development results are continuously evaluated, the procedure changed if necessary, documented (development file) and passed on to production.

The organization must ensure that every product manufactured meets the product requirements or – if that is not possible – that the manufacturing process is validated. Transport and storage as well as delivery or installation on site must be considered. If suppliers are involved, the organization must also monitor the quality and performance of materials, components or trades.


The organization must set up a suitable feedback system, record complaints and monitor a product on the market. The feedback system must meet the requirements of the MDR for post-market surveillance and have a process with which serious incidents are reported to the responsible authorities for vigilance.

Overall, it is the responsibility of the organization to ensure that all available and relevant data on the use of a product on the market are collected and evaluated. These are both the basis for continuous product improvement for the benefit of customers and for continuous improvement of the safety and performance of a product for the benefit of patients and the legislator.


The organization closes the PDCA cycle by drawing conclusions from the data on product usage in the market and initiating improvement measures. These measures are known as corrective actions and preventive actions (CAPA). In order to get suitable or appropriate CAPAs, it is advisable to deeply analyze the product or application errors using a detailed Root Cause Analysis (RCA). The organization continuously adapts its QMS to the new findings.

What documentation is required?

The focus of the documentation is the quality management manual, which describes the whole QMS. This includes procedural instructions that document the actual process implementation. There are also other applicable documents, such as job descriptions, forms or work instructions.

These specification documents are supplemented by evidence documents that confirm that activities have been carried out in accordance with the specification documents. Both specification documents and evidence documents are part of the document control. The product-related evidence documents form the medical device files.

The practical implementation of a QMS according to ISO 13485 varies greatly from case to case. Questions in this context are, for example:

  • Is there a QMS or are components of a QMS already in place?
  • How pronounced is the organization’s understanding of quality?
  • What role does the organization play within a value chain?
  • What range of products or services does the organization have?
  • Are there conditions specified by the IT infrastructure?
  • Which products or services are involved in the specific case?
  • Which risk class applies?
  • Which conformity assessment procedure is in place?

In addition, there is also the question of how a QMS should be technically implemented. The spectrum ranges from paper-based files to special web-based cloud solutions and license-based on-premises software.


The European regulations on medical devices (MDR) and in vitro diagnostics (IVDR) increase the requirements for the quality management system of medical device manufacturers and suppliers. In addition to the aspects already discussed, there is another requirement. The newly introduced person responsible for regulatory compliance according to Article 15 MDR is also expressly responsible for ensuring that the conformity of the products with the quality management system is checked.

Despite the complex regulatory requirements, the focus of a QMS should not be to follow processes rigidly. The focus is on patient well-being and product-related quality goals. Compliance then results from this. This conclusion cannot be drawn the other way round.

Despite all legal and normative requirements, the introduction of a QMS is an individual process and requires a tailor-made solution for the respective requirements of a company. We would be happy to support you with this.