Skip to content

Medical device QMS – understanding the basics

Published by Isabella Greenock, Medical Device Paralegal on

Establishing an effective quality management system (QMS) is a key requirement across a number of industries, from aerospace engineering to hospitality. The concept of a QMS is especially important in the medical device sector, where product safety and quality standards are understandably high. Failure to adhere to these standards may result in serious injury or death for patients, as well as significant financial and reputational losses for device manufacturers. 

As well as being a legal requirement for medical device manufacture, QMS requirements help to mitigate these risks by ensuring manufacturers adopt formal processes, procedures and responsibilities to uphold regulatory compliance. At a high level, a medical device QMS should define the rules that are to be followed by an organisation when designing, developing and manufacturing medical devices.

In this post, we explore the medical device QMS  requirements in the EU and UK, as well as the United States. We also discuss different approaches for obtaining QMS certification in these jurisdictions, including ISO 13485 and the Medical Device Single Audit Program (MDSAP).

QMS in the EU and UK

Establishing a medical device QMS is a legal requirement in both the EU and UK. In the EU, Article 10(9) of the Medical Device Regulation (MDR) states that manufacturers must have a quality management system that covers, at a minimum:

  • the regulatory compliance strategy (including GSPR compliance), 
  • management responsibility, 
  • resource and risk management, 
  • clinical evaluation, 
  • product realisation (including planning, design, development, production and service provision), 
  • UDI assignment verification,
  • post-market surveillance and the implementation of corrective/preventative actions, 
  • external communication (with regulatory bodies, companies, customers, etc.),
  • adverse incident reporting,
  • the monitoring/measurement of output, data analysis and product improvement.

For devices in Class IIa and above, the QMS will be assessed by an EU notified body to ensure that it effectively covers each of the above elements. This will typically involve an on site inspection of the manufacturing facilities and a review of all technical documentation relating to the device.

Class I devices, on the other hand, generally do not have to undergo a notified body conformity assessment or any inspection of their medical device QMS. However, it is still a requirement for manufacturers to have an effective QMS in place which they are able to demonstrate meets the minimum requirements of the MDR.

A slightly different approach is taken in the UK regulations, where the requirement for a QMS is only mentioned in the context of the need for a UK approved body conformity assessment. Since Class I devices are not subject to this level of approved body oversight, there is technically no legal requirement for manufacturers to implement a QMS for such devices, except in relation to procedures for post-market surveillance. Nevertheless, most manufacturers still choose to do so as a means of upholding the quality of their products and improving the efficiency of their processes.

The role of ISO 13485

ISO 13485 is the international standard for medical device QMS. It adopts a risk-based approach whereby the QMS implemented should be proportionate to the level of risk associated with each process. So, for example, while ISO 13485 requires that the QMS is reviewed by management at planned intervals, it does not specify what those intervals should be. Instead, it is up to the manufacturer to determine their appropriate review frequency based on the associated risks. 

ISO 13485 has an elevated importance in both the EU and UK where it has been identified as providing a presumption of conformity against the regulatory requirements (such standards are referred to as “harmonised” in the EU and “designated” in the UK). This means that any manufacturer who is certified against ISO 13485 will automatically be deemed to have complied with the QMS requirements of the medical device regulations. 

Despite this, it is important to note that there is no legal requirement to apply ISO 13485 in the EU and UK. It is simply a voluntary standard that many manufacturers choose to apply as an indication of best practice and their commitment to achieving regulatory compliance.

QMS in the US

Establishing an effective QMS is also a legal requirement for the majority of devices in the US under the Quality System (QS) Regulations. Similar to the approach taken in the EU and UK, the US QS Regulations are not prescriptive. Instead the regulations provide a framework of basic requirements which the manufacturer can decide how best to apply. This allows the regulations to cover the vast range of devices which are sold and distributed in the US.

The US currently does not recognise ISO 13485 as a consensus standard, meaning it has no direct bearing on compliance with the QS Regulations. However, in reality ISO 13485 and QS Regulations cover essentially the same areas, from supply chain controls to management and personnel. The FDA has also proposed a rule to further harmonise its QS Regulation with ISO 13485, particularly as it relates to the risk-based approach. Once adopted, this rule will bring the US QMS requirements into closer alignment with the EU and UK. This means that, while there are still no plans to formally accept ISO 13485 certifications for US regulatory purposes, manufacturers who do have an ISO 13485 compliant QMS should find it relatively easy to align their system with the US regulations as well (and vice versa).

The Medical Device Single Audit Program (MDSAP)

While the US is currently an outlier in the international community through its refusal to recognise ISO 13485, it has made other steps towards regulatory harmonisation. Notably, the FDA is a full member of the Medical Device Single Audit Program (MDSAP) which allows recognised Auditing Organisations to conduct a single regulatory audit covering multiple jurisdictions. The goal of MDSAP is to minimise the audit and inspection burden for manufacturers looking to sell their medical devices in multiple jurisdictions. Current MDSAP members are: 

  • Australia - Therapeutic Goods Administration (TGA)
  • Brazil - Agência Nacional de Vigilância Sanitária
  • Canada - Health Canada
  • Japan - Ministry of Health, Labour and Welfare and the Pharmaceuticals and Medical Devices Agency
  • US - Food and Drug Administration (FDA).

Each member uses MDSAP differently. The FDA has stated that it will accept MDSAP audit reports as a substitute for routine inspections (which occur every two years). However, the FDA does not intend to apply MDSAP in relation to ‘for cause’ inspections (i.e. inspections to investigate a specific problem which has come to the FDA’s attention) or for any pre/post-approval inspections required as part of PMA applications. Nevertheless, MDSAP can still be a powerful tool for manufacturers looking to market their products globally. The program is expected to grow rapidly in the coming years as more countries become active members.

How we can help

As we have discussed in this post, the requirements for medical device QMS differ between countries. Furthermore, the approaches for demonstrating QMS compliance also vary, with ISO 13485 – the preferred method in the EU and UK – not yet being recognised in the US.

Regtik, our healthcare regulatory explorer tool, can help you navigate this legal maze by walking your product through a series of simple questions designed to determine which rules and regulations are applicable. It is able to provide results for various jurisdictions (the US, EU, UK and Australia) in one single assessment and can be used multiple times on different versions of your product.

If you are interested in learning more about Regtik or would like to request a demo, please contact any member of our team or register your interest below.