ISO 13485 and FDA QSR: A Step-by-Step Guide to Complying with Medical Device QMS Requirements

January 4, 2016


Medical device companies, listen up. There is zero excuse for not complying with medical device quality system regulations.



FDA has published and makes available ALL regulations required for medical device companies. Look them up by searching 21 CFR Part 820.

And for outside the U.S., you can easily obtain ISO 13485 for a relatively small investment. Make the purchase--it’s worth it. If you want a free resource to help along the way, check out our free Ultimate Guide to ISO 13485.

Guess what else? In addition to knowing what regulations you need to follow as a medical device company, regulatory bodies also provide you a ton of guidance on how they will inspect and audit your QMS.

FDA does so via the “Guide to Inspections of Quality Systems,” often referred to as QSIT, or quality system inspection techniques.

This is more valuable than gold to your medical device company. It’s like knowing all the questions on the test and being provided an answer key.

For an ISO audit, you should review the audit guidance documents available via the International Medical Device Regulators Forum (IMDRF).

Let me direct you to “Guidelines for Regulatory Auditing of Quality Management Systems of Medical Device Manufacturers – Part 2: Regulatory Auditing Strategy”.

And here is one more freebie for you: I’ve developed a free QMS audit checklist that combines requirements from FDA 21 CFR part 820 and ISO 13485.

Use all these guides, guidances, checklists, etc. as tools to help you with your QMS efforts. They should all help you identify gaps and issues in your QMS and can be used to structure your internal auditing program.

I share more about internal auditing and how to use the QSIT and IMDRF guides later in this guide. For now, understand that FDA inspectors and ISO auditors use a system approach when reviewing a QMS.


Of course having all this information is useless if you don’t actually take action to establish and implement a QMS.

In this piece, I’ll guide you through the steps of building your QMS. Keep in mind that the order in which I suggest implementing your QMS is just that--a suggestion. You will need all the parts and pieces at some point in time in the genesis of your QMS. And the order may vary slightly depending on your product and company.

Know this. Pleading ignorance of ISO 13485 and FDA QSR is unacceptable. Pretending QMS regulations and requirements somehow are not applicable to your company is a mistake.

Realize and accept you need a QMS. Here are 5 reasons why:

  1. QMS Aligns with Regulations

  2. QMS is a Framework

  3. QMS Defines Expectations & Deliverables

  4. Design Controls + Risk Management

  5. Evolution of QMS

Regardless of whether your company has an established QMS or you are just beginning this journey, I encourage you to spend the next 20 minutes reviewing this guide. And if nothing else, be sure to take advantage of the QMS audit checklist I have developed for you.

QMS Philosophy

There are a few cornerstones you should understand about my QMS philosophy. Let me share these with you now.

  • Bootstrap your QMS

  • Keep your QMS simple

  • Right-size your QMS


Bootstrap your QMS

Think about a medical device startup. It starts with an idea. Chances are some funding is likely required. And bootstrapping capital is often a tactic to get to that next milestone. Keep adding value as you go. Build your product and company as you progress from one milestone to the next.

Think of your QMS in a similar fashion. Bootstrap your QMS and build it as you go. And the QMS you construct should be commensurate with the product / company milestones.

For example, if you are in early stage product development, establishing QMS elements applicable for production and post-production may not be the best use of your time. Instead, focus QMS efforts on the processes applicable for the milestones you are tackling.


Keep your QMS simple

Make sure to keep your QMS as simple as possible. The QMS must align with FDA and ISO regulations and requirements. Reviewing 21 CFR part 820 and ISO 13485 will take less than 30 minutes.

If you simply regurgitate the QMS requirements, this will add little to no value to your company. Expect to spend between 4 - 8 hours per QMS procedure. And when doing so, keep three things in mind.

  1. Does this meet the regulations?

  2. Is this as simple as possible?

  3. How does this impact the business?

Yes, I realize conventional wisdom suggests implementing a QMS may be somewhat disruptive to the business and may be viewed as not adding value.

I assure you that starting your QMS early and always keeping it as simple as possible will add a significant amount of value to your company. In the present case, having a QMS will help ensure that your company is generating the expected documentation and objective evidence. Also consider the future impact. Consider the positive impacts on your valuation. Consider what will happen during an FDA inspection or ISO audit.


Right-size your QMS

Make sure your QMS is built to suit your company size. Your QMS needs to be the right size to align with your company.

I learned about right-sizing a QMS the hard way about 10 years ago when I first started consulting. I was brought in to help a startup finish their QMS. The process was well underway when I joined. My job was to finish implementing the QMS.

The first thing I did was review the QMS efforts to date. I read through each procedure, comparing to FDA and ISO. All good.

Then I compared the established procedures against the actual company practices. Not good.

The procedures, as written, while compliant with the regulations, were overly burdensome for the startup. Too complicated to follow and not built in a way that aligned with the company.

I knew from this point on that a QMS must always be kept as simple as possible and evolve to meet the company size, personnel, and maturity.


Evolution of a QMS

Let me share with you a roadmap for constructing your QMS. I will break down what to do and when to do it based on the stage of your product lifecycle.

  • Product Development

  • Transfer to Manufacturing

  • Go to Market

  • Post-Market


QMS needs during Product Development

By now, you should know my view on bootstrapping a QMS. This should start while in the early stages of product development.

Basically, at the point when you have funds and are pursuing design and development of a medical device, you need to establish the first phase of your QMS. This first phase should include:

  • Design Controls

  • Risk Management

  • Document Control & Records Management

  • Supplier Management


Design Controls

Design Controls are defined in FDA 21 CFR 820.30 and in section 7.3 of ISO 13485. Design Controls are a systematic framework for capturing key aspects of medical device product development to prove your product meets user needs and is safe and effective.


Risk Management

Risk Management is defined per ISO 14971. There are references to risk management in FDA 820.30 and ISO 13485. And regulatory bodies around the world are expecting you to establish risk management processes that align with ISO 14971. Risk management is a systematic application of management policies, procedures, and practices to the tasks of analyzing, evaluating, controlling, and monitoring risks related to your products.


Document Control & Records Management

Document Control & Records Management is laced throughout all of FDA 820 and ISO 13485. Consider this: If it is not documented, then it didn’t happen. Establishing when documents and records are required and who needs to review and approve them is vital. While in product development, required documentation relates primarily to design controls and risk management.

But as your company evolves, document control and records management will be critical to your overall success. Establishing a sound methodology early, one that can scale as your product gets to market, is necessary. Every step along the way will result in documents and records that will serve as the supporting evidence to prove you did what was expected.


Supplier Management

Chances are you rely heavily on suppliers for vital goods and services relating to your medical device. Supplier Management is about ensuring you are properly qualifying, evaluating, and monitoring your suppliers. Think of your suppliers as an extension of your company. And it’s not good enough to assume that since the supplier is FDA registered and/or ISO certified, that this is all you have to do.

You need to conduct due diligence to demonstrate that your suppliers are able to meet your needs and requirements. You need records to demonstrate that you have implemented supplier controls commensurate with the criticality of the goods and services provided.


QMS needs during Transfer to Manufacturing

Your objective is to navigate through product development and ultimately into the market. In order to achieve this, at some point you will begin transitioning from development into manufacturing.

In a design controls sense, this generally starts to happen when you are entering Design Verification and Design Validation. Transferring to manufacturing is the time when prototypes and pilot production begin. This is the time when your product is about to be put through formal testing and analysis. If you are conducting simulated use studies, animal studies, and/or clinical investigations, then your product should be transitioning to manufacturing prior to these events.

When entering this phase, your QMS efforts also need to evolve to address these growing needs. You need to establish QMS procedures for:

  • Training

  • Purchasing

  • Device Master Record

  • Production & Process Controls

  • Labeling & Packaging

  • Receiving, Incoming, In-Process, Final Inspection

  • Identification & Traceability / Device History Record

  • Change Management

  • Nonconforming Material

  • CAPA

  • Management Responsibility


Training

Training is a key process as your QMS evolves. You need to make sure all your resources are properly trained. The training procedure should identify training requirements for your personnel. Managing training can definitely be tricky. You have to make sure that training is sufficient in order to demonstrate resources are proficient with skills required to perform daily functions.



Purchasing

Purchasing procedures shall describe minimum criteria required to buy goods and materials. Purchasing should go hand in hand with supplier management. Specifically, goods and services should be purchased from approved suppliers.


Device Master Record

Device Master Record (DMR) includes all the drawings, specifications, manufacturing instructions, etc. required to manufacture your medical device. Think of the DMR as the recipe required for the medical device.

This recipe first gets established during product development. The design outputs you define during design controls are the preliminary DMR.


Production & Process Controls

Production & Process Controls is related to your DMR. You need to establish necessary controls regarding your manufacturing processes. The purpose is to ensure reproducibility and repeatability.

Process validation may be necessary for any processes where you do not or cannot verify the outcome 100%.


Labeling & Packaging

Labeling and packaging for your medical device must be defined. These are also part of your DMR. Depending on your product, labeling specifications and packaging specifications may be very important. This is especially the case for sterilized products.


Receiving, Incoming, In-Process, Final Inspection

At all steps from receiving goods through all steps of the manufacturing process, there are steps where inspections should be established. You need to establish inspection criteria in order to confirm that your specifications and acceptance criteria are met.


Identification & Traceability / Device History Record

When you manufacture products, you need to establish identification and traceability. Identification relates to the materials and components required for the device, often captured in a bill of materials (BOM). The type of device will dictate the level of traceability required for your product. Identification and traceability pertain to your ability to know where products are, and in the case of a recall, your ability to retrieve product.

The results of your identification and traceability are captured in a Device History Record (DHR).


Change Management

Changes to documents, records, goods, and materials are going to happen. In part, document control should describe how to manage revisions to approved documents and records. Beyond this, change management should be formally established for changes to your product.


Nonconforming Material

Nonconforming material relates to any goods, materials, and products that fail to meet established specifications. Nonconforming relates to inspections. If an inspection fails, this should be captured as nonconforming material.



CAPA

From time to time, you are likely to identify issues that require a formal investigation in order to fix. These investigations should be captured as a CAPA, or Corrective and Preventive Action.


Management Responsibility

A key part of establishing your QMS is to ensure management has oversight and awareness. At least once per year, your company needs to conduct a management review to review all aspects of your quality system. You also need to name a management representative. This person serves as the face of the company during FDA inspections and ISO audits.


QMS needs to Go to Market

Prior to going to market, you need to establish and implement the last parts of your QMS.

  • Process Validation

  • Software Validation

  • Calibration

  • Preventive Maintenance

  • Handling, Storage, Distribution, & Installation

  • Servicing

  • Complaint Handling

  • Adverse Event Reporting / MDR

  • Corrections & Removals

  • Customer Feedback

  • Analysis of Data

  • Quality Manual


Process Validation

Process validation is required for any processes where you are not able to verify the results 100%. It is also required in cases where you can verify 100% yet choose not to for business reasons.


Software Validation

Software validation is required for any software used in your company for managing aspects of your business impacting quality. This can include QMS software, manufacturing inspection software, etc.



Calibration

Calibration relates to any gauges and equipment used to take measurements of product during manufacturing processes. The gauges shall be certified to recognized standards and updated periodically to ensure gauges continue to measure accurately and precisely.


Preventive Maintenance

Preventive maintenance applies to routine actions required to keep gauges and equipment operating as expected.


Handling, Storage, Distribution & Installation

Your product may need to have specifications defined regarding product handling, storage, and distribution. This can include temperature and humidity requirements.

Your product may also require installation at point of use. If so, this needs to be defined.



Servicing

Servicing relates to any activities required to keep your product functioning and operational. This generally applies to reusable products and not usually to single-use devices.

All servicing activities shall be documented and the records included with the original product DHR.


Complaint Handling

Any written, electronic, or oral communication from a customer that alleges deficiencies related to the identity, quality, durability, reliability, safety, effectiveness, or performance of a device after it is released for distribution fits the official FDA definition of a complaint. You need to establish complaint handling procedures, including how you will investigate and address complaints.


Adverse Event Reporting / MDR

In the event that a complaint results in, or has the potential to result in, serious injury, this is a complaint. More than that, this fits the criteria of an adverse event and may need to be reported to FDA (and other regulatory bodies). For FDA, the mechanism for reporting is known as a Medical Device Report or MDR. Your procedures need to address adverse event reporting.


Corrections & Removals

Although you never plan to have a field correction or removal (otherwise known as “recall”), you have to establish procedures to deal with this possible scenario.


Customer Feedback

A complaint is a type of customer feedback. Complaints are generally reactive: you learn about the issue after it has occurred. ISO expects that you establish customer feedback processes where you solicit feedback on the use of your products in a proactive fashion.


Analysis of Data

All of your QMS processes result in documentation and records. Ideally, you also establish key performance indicators (KPIs) and metrics to monitor your QMS performance. Analysis of data is one means to measure your QMS performance.

Note that any data analysis shall be performed with proven statistical techniques.


Quality Manual

A quality manual is an overview of your QMS. It briefly describes your company quality policy and provides brief descriptions of all the required quality system elements.


QMS needs Post Market

Once you are in the market and you have established your QMS, you need to define your internal auditing processes. You set the schedule and frequency for internal audits. It is important to make sure that personnel conducting internal audits have been appropriately trained to conduct audits. Oftentimes, internal audits are outsourced.

Internal auditing is a very important function. This is a way to monitor whether your company is following established procedures. Internal audits should be used as a means for continuous improvement.

I mentioned FDA QSIT and IMDRF guidances earlier in this guide. Both FDA and ISO use a system approach when conducting inspections and audits of your QMS.

When establishing your internal audit program, I recommend structuring it in a way that mimics a system approach, as well as conducting individual process audits.


Jon Speer is a medical device expert with over 20 years of industry experience. Jon knows the best medical device companies in the world use quality as an accelerator. That's why he created Greenlight Guru to help companies move beyond compliance to True Quality.
