Everything you need to know about Quality Management Systems - Pt 1
QMS. Three simple letters that often instil fear and dread into healthtech developers’ minds. It needn’t be that way! A well-designed Quality Management System will not only ensure your company is compliant with the relevant legislation, it will actually enhance and improve your internal processes so that your whole team feels in control of the quality of your products. In this first part of a two-part series on Quality Management Systems, we’ll introduce the QMS concept and dispel any misconceptions. Then, the second instalment will focus on more practical insights into management and logistics.
Part 1: Understanding the fundamentals of quality management systems
Channelling Kipling's six honest men
In the intricate world of medical devices, there are several important concepts for anyone working in the medical device space to understand when it comes to quality management systems (QMS). Yet, amidst the essential knowledge, common misconceptions often arise that warrant clarification. To shed light on this topic, I’m borrowing Rudyard Kipling’s six honest serving men:
What is a QMS, and what is it not?
Why is a QMS required and by whom?
Who are the stakeholders involved in a QMS?
Where are the activities covered by the QMS?
When to start and finish setting up a QMS
How to store and retrieve ‘documented information’
What is a QMS (and what it is not)
Let’s begin by defining a QMS in accordance with the international standard ISO 9000:2015 QMS – Fundamentals and Vocabulary, using the following definitions from its section 3:
Quality management system – Management system to direct and control an organisation with regard to quality.
Management system – A system to establish policy and objectives and to meet those objectives.
System – A set of interrelated or interacting elements.
Organisation – A group of people and facilities with an arrangement of responsibilities, authorities, and relationships.
Quality – The degree to which a set of inherent characteristics fulfils requirements.
Requirement – A need or expectation that is stated, generally implied, or obligatory.
In simpler terms, a QMS is a structured system of procedures and processes that covers all aspects of running an organisation. Think of it like an operating manual, which, if it is well written and clear, your whole team can use whenever they have a question about ensuring quality. In this case, we’re particularly focused on organisations involved in medical device development and deployment, including software as a medical device (SaMD), artificial intelligence as a medical device (AIaMD) and programmable electrical medical systems (PEMS) / software in a medical device (SiMD).
It's just as important to understand what a QMS is not. Misunderstandings about what it takes to establish and maintain a QMS can lead to confusion.
An eQMS is not a QMS
An eQMS is typically a cloud-based software platform designed to support the implementation of a QMS. It provides workflows, policies, procedures and templates; these templates need customising for the specific needs of an organisation. Additionally, an eQMS platform may require a company to adapt its practices to the way the eQMS works, which can be limiting. It can also be expensive and challenging to switch systems later.
For SaMD/AIaMD manufacturers as organisations, workflow management can be implemented in tools already familiar to software developers such as Atlassian Jira, Linear and others. You can even start on paper (if you’re really old-fashioned), or in an online document drive like Google Drive or Microsoft Teams. The format of the QMS is not important, as long as it works for you and how you like to work.
An eQMS is not a medical device file (MDF), device master record (DMR), design history file (DHF) or device history record (DHR).
These are documentation sets for specific products or product groups, created using QMS procedures. The QMS itself provides the policies, procedures and templates used to create the MDF/DMR/DHF/DHR - basically all of the actual documentation you will need to produce. Each artefact is a result of applying the QMS correctly.
An eDMS is not a QMS
An eDMS (electronic document management system) is a platform for controlling and organising documents, which applies the controls defined in the QMS. An eDMS can be bought as SaaS, from a company specialising in eDMS, or solutions can be built using tools such as Google Workspace or Microsoft SharePoint, and even collaboration platforms like Atlassian Confluence or Notion. Again, you get to choose what works for you!
So, what does a QMS contain?
A typical QMS, as outlined in Hardian Health’s reference model (designed for startup and scaleup SaMD and PEMS/SiMD manufacturers), consists of a quality manual and around 20 procedures. These procedures are divided into six subsystems:
Management subsystem
This includes the quality manual, quality policy, objectives, and key performance indicators (KPIs). It also covers management responsibilities, reviews, and document control procedures. This is where you’ll find key information on how to use any eQMS or eDMS. Procedures for human resources, infrastructure, and the work environment are also included, covering both physical and digital elements. You get to write these policies so they align with your way of working - and we can help ensure that they align with the relevant standards where necessary.
Measurement, analysis, and improvement subsystem
This subsystem includes internal and external audit procedures, corrective and preventive actions (CAPA), and the use of statistical techniques. You’ll find that these processes will become more fleshed out over time as you and your team use them, so think of them almost as an internal ‘wiki’ on how to perform certain tasks. An engaged team should feel free to make suggestions and initiate changes to these procedures (following a change control procedure of course).
Design and development subsystem
This section covers design control procedures and clinical or performance evaluations for medical devices. The first device you bring to market will require writing these procedures from scratch, but don’t worry, we have plenty of experience with various SaMD and AIaMD devices so we can help advise on how to tackle setting up these procedures so they fit how you perform design control and clinical evaluation.
Production and service subsystem
Procedures here include software validation, production control, installation, servicing, nonconformance, and data protection. This subsystem addresses supplier management and purchasing control - and will often be surfaced to third parties that you do business with.
Customer management subsystem
This subsystem addresses customer management including receiving, acknowledging and fulfilling customer orders; for digital devices it also covers the mutual responsibilities for data storage and protection.
Device marketing authorisation and registration; adverse events and reporting subsystem
This is where jurisdiction-specific procedures are included, such as for the UK, EU, USA, Australia, and Canada. Your marketing team should be involved in this subsystem to ensure marketing claims align with regulatory claims.
The procedures in our reference model QMS are designed to meet the requirements of all the major regulatory jurisdictions - the EU/UK, the USA, and global markets. At the core of this is the international standard ISO 13485. However, for the EU (including the UK), the QMS requirements are actually specified in the Medical Device Regulation (MDR) and the In Vitro Diagnostic Medical Device Regulation (IVDR). This means that the EU’s modified version of ISO 13485, EN ISO 13485:2016+A11:2021, must be used. This version contains important mappings between ISO 13485 and the MDR/IVDR, found in Annexes ZA and ZB.
In the USA, the situation is slightly different. The current Quality Systems Regulation (QSR), in place until February 2026, is distinct from but similar to ISO 13485. From February 2026 onwards, the Quality Management Systems Regulation (QMSR) will replace the QSR. This update will bring the USA more in line with the EU and global standards by incorporating ISO 13485 by reference. The mapping for this will be found in a separate document known as TIR102, with the US version of ISO 13485 being ANSI/AAMI/ISO 13485:2016 (R2019).
It is often the case that a QMS based on ISO 13485 is insufficient for the specific needs of the organisation, and additional standards are required to develop an Integrated Management System (IMS). This is especially true for software devices, or those with an IVD component:
ISO 27001, Information Security Management System (ISMS) – This standard is especially relevant for SaMD manufacturers, as sensitive personal data, such as patient information, may be handled. ISO 27001 is also referenced in the NHS Digital Technology Assessment Criteria (DTAC), which suppliers to the NHS must comply with.
ISO 9001, general Quality Management System – In some cases, a manufacturer may offer services that fall outside the scope of EU MDR, IVDR, or USA QSR/QMSR regulations, such as core laboratory services or software for supporting clinical trials of investigational medical devices (CTIMP). While these could be covered under an ISO 13485 QMS, the less stringent ISO 9001 may be more appropriate.
ISO 15189, Laboratory Management – For organisations that develop and deploy in vitro diagnostics (IVDs), including SaMD or AIaMD IVDs, and then run assays in their own lab using those IVDs, ISO 15189 accreditation is required for labs in the UK or EU (or CLIA accreditation for labs in the USA).
In our Hardian Health reference model QMS, we have approximately 140 templates that we use to construct a QMS. Depending on the specific needs of the organisation, some templates will be included and others excluded, with all templates customised to the organisation’s unique requirements. The foundation of the QMS or IMS, however, always remains ISO 13485.
Why is a QMS required and by whom?
A QMS is required by law in many regions, and the specific regulations depend on the jurisdiction:
In the UK, QMS requirements are outlined in the Medical Device Regulations, which support the Medicines and Medical Devices Act.
In the EU, QMS requirements come from the Medical Device Regulation (MDR) and the In Vitro Diagnostic Medical Device Regulation (IVDR).
In the USA, the Quality Systems Regulation (QSR) is used, and from February 2026, this will be replaced by the Quality Management Systems Regulation (QMSR), aligning more closely with international standards.
Other countries, such as Australia and Canada, have similar laws and regulations.
Who needs a QMS depends on whether you’re classified as a manufacturer
The EU’s MDR Article 2(30) defines a manufacturer as anyone who designs, manufactures, or refurbishes a medical device and markets it under their own name or trademark. In the USA, similar definitions exist under regulation 21 CFR 820.3(o).
If you’re developing software with a medical purpose (SaMD or SiMD) or hardware running this software, you’re considered a medical device manufacturer and must implement a QMS. This applies to companies, individuals, NHS trusts, universities, and more. Even if you’re buying hardware from another company and installing medical software on it, you may still be classified as the manufacturer, depending on how the hardware is used.
If you as a company or an individual create a marketplace or app store to distribute medical device software algorithms, or some sort of public platform that algorithms can plug into, then you are possibly classed as a medical device manufacturer – see EU MDR Article 16 and US 21 CFR 820.3(o).
How Hardian Health can support you
At Hardian Health we can support you through establishing and maintaining your QMS, including developing the regulatory strategy that will define which QMS and IMS elements are mandatory or desirable; we can also support you through establishing and maintaining Medical Device Files (MDFs) documented under the procedures in the QMS. We can help you train your staff to use and maintain the QMS, so that you and your team feel confident in moving forward. And of course, we can help prepare you for your audit, with our team of certified lead auditors.
Hardian Health is a clinical digital consultancy focused on leveraging technology into healthcare markets through clinical strategy, scientific validation, regulation, health economics and intellectual property.