Developers - Planning for management systems, including a quality management system (QMS)

If you’re developing medical devices, you’re legally required to implement a quality management system (QMS). If you’re developing non-medical devices, implementing a QMS is not legally required, but is essential to market access.

Build and certify management systems

To show compliance with regulations, you need to build management systems. You also may need to certify them.

These are internal processes and policies that ensure:

• robust documentation management
• tracking of key decisions and
• clear routes for sign off

The breadth and extent of your management systems depend on your specific objectives. For example:

• when developing a medical device, you may have the objective of achieving high device quality and can work towards this using a QMS 
• when working with sensitive data, you may use an Information Security Management System (ISMS) to manage your objectives for data security and handling

What is a quality management system?

When developing medical devices, you’re legally required to implement a Quality Management System (QMS). A QMS outlines processes that minimise the risks associated with the production, deployment and surveillance of medical devices. A robust QMS provides structure for key company processes around device safety and efficacy. 

Adopters may ask you for proof of certification by an approved or notified body against a relevant standard. This will increase assurance that you meet the standard. For example, when developing medical devices, you should be able to provide an up to date and in-scope certificate against ISO 13485 to prove a conforming QMS.

As a medical device developer, you are legally required to have this QMS and do activities which, depending on scope, may include: 

• design and development
• evidence generation
• post market surveillance

A QMS built to ISO 13485 requirements provides:

• document management (version control, long-term storage and standardised structure)
• risk assessment
• sign-off procedures
• decision records

Your QMS is as much a way of working as it is a tool for compliance. It should evolve in line with company aspirations and throughout the lifecycle of the technology. 

Setting up a Quality Management System

Review all relevant ISO standards when designing and building your systems and processes, and determine which ones are useful for your specific needs. 

You may decide to implement several management systems or combine their attributes to meet different needs. For example, using a manufacturing quality system for a medical device or an information security system for data management.

The core principles in many management systems are similar but they focus on different aspects, and some need higher levels of rigour and evidence during auditing. 

Consider using a consultancy service to support you in designing, building and auditing your management systems.

Use your management systems throughout the whole lifecycle of your technology and audit them frequently. If you have a quality management system (QMS), it will be periodically reviewed by the approved body.

Management systems can take significant time and personnel to set up, certify and operate. So, make sure you set up your QMS during technology conceptualisation and wider strategic planning. For medical devices, a QMS needs to be in place and certified before you finish developing your device.

Resources:

Review the relevant standards for creating a QMS, including:

ISO 13485 medical devices

ISO 14971 application of risk management to medical devices

ISO/IEC 27001 information security management

BSI Standards catalogue

IEEE SA Standards

IEC Standards

This information is not intended to replace formal statutory guidance regarding legal requirements. For an authoritative view of what regulations require beyond this digest, please see the relevant gov.uk web pages pertaining to the MHRA.