
Intro to QMS

Overview of a Quality Management System




Your company is developing an innovative product, and you want to get it to market as soon as possible. Most products, whether they are drugs, medical devices or diagnostics, need some form of approval (or clearance) from the FDA or your region’s regulatory body. As part of your submission, you must show that both your product and your company’s internal business processes comply with all applicable requirements of the FDA or your region’s regulatory body.

This guide provides an overview of how to get started with a Quality Management System. Our other guides will provide an overview of the FDA and EU regulations and product classifications.


What is a Quality Management System (QMS)?

A Quality Management System (QMS) is a formalized system that documents business and product processes, procedures, and employee responsibilities toward achieving the company quality policy and objectives. A QMS helps coordinate and direct an organization’s activities to meet market and regulatory requirements and improve its effectiveness and efficiency on a continuous basis.

The core processes of the QMS should be established once your company has developed a prototype.


Why do companies need a QMS?

Manufacturers must establish and follow defined quality system requirements to help ensure products consistently meet applicable regulatory requirements and product performance, safety and efficacy claims. A quality management system is necessary to achieve company goals. The quality systems for FDA-regulated products (food, drugs, biologics, and devices) are significant components of overall Current Good Manufacturing Practices (CGMPs).

“The key advantage regarding quality systems is that they represent a preventive approach to assuring medical device quality versus the previous reactive approach by inspection and rejection at the end of the manufacturing line. Prevention has been proven to be more efficient and cost effective in controlling manufacturing processes and maintaining medical device quality.”

- Medical Device Regulations: Global overview and guiding principles; World Health Organization; 2003

Establishing a QMS early in your first product life cycle aids in organizing documentation and ensuring appropriate processes are being followed. Ensuring that the process is implemented (written, approved, released, trained to, and being followed correctly) helps your company produce a consistent product and prevent and mitigate mistakes, thereby reducing cost and getting your product to market faster.

Setting up the QMS early can help your company, especially startups, gain credibility with FDA (or your country’s equivalent), customers, and potential acquirers.

Also, establishing a QMS early will help you avoid high consultant fees during the submission process. The QMS includes a system of organizing your documentation such that a consultant is not needed to piece information together.

“FDA recognizes: that a small manufacturer may not need the same amount of documentation that a large manufacturer does in order to achieve a state-of-control; and, that some of the records maintained to fulfill the GMP requirements for written procedures may not be as long and complex for a small manufacturer.”

- Medical Device Quality Systems Manual: A Small Entity Compliance Guide; FDA Center for Devices and Radiological Health (CDRH)

Keep in mind, launching your first product without a QMS in place is illegal and can lead to failing your first audit. With the FDA, failing an audit results in significant extra work to avoid receiving further sanctions, up to and including the seizure of your product.


What are the regulations that apply?

In the US, FDA is responsible for ensuring the safety and efficacy of products. While the core concepts of the regulation are the same for all medical products, there are specific rules for some types of products. Medical devices and in vitro diagnostic devices are overseen by the Center for Devices and Radiological Health (CDRH). The Current Good Manufacturing Practices (CGMPs) requirements for devices, 21 CFR Part 820, are the primary minimum standard applicable to medical device companies that market and sell products in the US.

CDRH defines a “medical device” as “any healthcare product that does not achieve its principal intended purposes by chemical action or by being metabolized.” Devices are therefore everything from tongue depressors, to pacemakers, to MRIs and digital (app) therapeutics.

To market a product outside the United States (‘OUS’), there are several agencies to which you will need to submit depending on your desired marketing geography.    

CE marking is a certification mark which indicates that your device conforms to the health, safety and protection standards outlined by the European Economic Area (EEA) and is granted by one of numerous possible authorized Notified Body agencies. Your company contracts with one of these Notified Bodies to complete ISO certification audits, such as ISO 13485 Quality Management Systems for Medical Devices and ISO 14971 Risk Management for Medical Devices, as well as to review and approve your device submission, all prior to marketing your device in an EU state.

Health Canada is the regulatory body that ensures the safety of drugs and devices available in Canada. The China Food and Drug Administration (CFDA) is responsible for supervising the safety of food, cosmetics, drugs, and devices in mainland China. Many other countries have specific agencies for themselves as well.

All regulatory organizations have guidance documents available on their websites. Read our FDA and Notified Body 101 Guide to learn more.


International Organization for Standardization (ISO)

If your company markets a product OUS, you will also have to follow the local regulations as well as applicable ISO standards. Compliance with applicable ISO standards is often seen as the first step in achieving compliance with European regulatory requirements. One of the regulations, ISO 13485, is a globally accepted standard (recognized by FDA) and provides a way to comply with general quality management system requirements.

FDA also recognizes many such standards which then can aid you in designing and developing your product for the US market as well. Demonstrating compliance to an applicable international standard aids FDA in evaluating whether your product was designed and developed according to current best practices.


How do they regulate?

The FDA and the international governmental agencies want companies to demonstrate the safety and efficacy of their product.

FDA regulates product approvals and routine business processes

The FDA and Notified Bodies conduct inspections. Here are a few examples:

  • FDA inspects manufacturers or processors of FDA-regulated products to verify that they comply with relevant regulations.
  • Foreign manufacturing and processing sites for FDA-regulated products that are sold in the United States

They also evaluate Device Approvals, Denials and Clearances.

FDA has explicit requirements for various types of regulatory submissions prior to commercializing a product as well as the various business processes that comprise your QMS.


How are products classified?

Device classification depends on the intended use of the device and also upon its indications for use. Devices are classified based on their level of risk and categorized as Class I, Class IIa, Class IIb or Class III, each with increasing risk, requirements and scrutiny. The device classification determines the type of submission required to market and sell it. Read our Product Risk Classification Guide to learn more about how products are classified.

Regardless of the device classification, all medical devices/diagnostics are required to have a QMS (21 CFR Part 820) at the time of submission.


When should I establish a QMS?

The QMS of a startup is comprised of over a dozen sub-parts which can be implemented the first time at various stages of initial product development. For your company’s second and all future products, the QMS will already fully be in place.

Ideally it’s best to start establishing a QMS once you are in the design and development phase, minimally once you achieve design “freeze” (or frost).

Outlines of the main subparts needed during product development

During each phase, primary subparts are what you will be using the most, and the secondary subparts should be established for use as needed.


What are the subparts?

Let’s take a closer look at some selected subparts. View the full regulation.

Document Controls [21 CFR 820.40]

Document Control focuses on document distribution, changes, and approvals.

Through Document Control, companies establish procedures and processes to store documents and records and record changes/revisions and approvals; this system can be either paper-based or electronic. It stores the “single source of truth” of regulated documentation - and the history of that documentation; this is accessed and used by nearly all employees.

Before submission, companies must demonstrate that their Document Control process is in place.

Training [21 CFR 820.25(b)]

The goal of Training is to ensure that all employees in the company are trained on their responsibilities and the applicable QMS elements and procedural requirements prior to conducting activities within the QMS (being trained to do work before they do the work).

In addition, manufacturers must provide procedures for identifying training needs and making sure that employees are trained accordingly.

Design Control [21 CFR 820.30]

The goal of Design Control is to ensure that the product development process produces products that meet user needs and company-defined specifications and fulfill the designed intended uses.

Design control begins with early prototype development and documenting user needs and requirements, and continues through final design information and throughout all design testing. Design control does not end with the transfer of a design to production. Design control applies to all changes to the device, including those occurring long after a device has been introduced to the market.

Design control is the single most misunderstood aspect of medical device regulation. Startups can streamline the design control process by matching it to the needs of their company. Regulations are written loosely enough such that a variety of agile and waterfall workflows are acceptable to follow; there are basic documentation requirements that are easy to follow.

Design Control Process

You must establish and maintain procedures necessary for the implementation of design controls for your product. Here are some of the aspects that need to be implemented:

  1. Document design and development planning activities
  2. Gather and document all the user needs and design inputs, spanning engineering/business/regulatory requirements
  3. Integrate risk management and human factors into the design control process
  4. Document the design outputs
  5. Conduct design reviews
  6. Verify that design output meets the design inputs
  7. Validate that your final product meets the user needs under the intended use conditions.
  8. At completion of your activities, conduct a design transfer
  9. Update the design history file
  10. Continuously document the design change process

As part of the FDA submission, you have to demonstrate that your Design Control process is in place.

Risk Management

Risk Management is an important part of an effective QMS. It enables the identification of sources of risk and assesses those risks to prioritize efforts to control and mitigate them.

"While the requirement for the conduct of risk analysis appears in Section 820.30(g) Design Validation, a firm should not wait until they are performing design validation to begin risk analysis. Risk analysis should be addressed in the design plan and risk should be considered throughout the design process. Risk analysis must be completed in design validation."

- Guide to Inspections of Quality Systems: Quality Systems Inspections Techniques [QSIT]; FDA

Therefore, Risk Management begins when you start establishing your user needs and requirements. As your design evolves, you can identify new risks and the controls to mitigate them. As a result, unacceptable risks can be identified and mitigated early in the design process, which helps reduce rework and cost.

Risk Management Flow

Risk Management is an ongoing process that is tied into various other subparts of the QMS, most importantly the product design, development and manufacturing processes.

Management Responsibility [21 CFR 820.20]

Management Responsibility is an important element of the QMS for senior leadership. Company management is ultimately responsible for establishing policies, objectives and an organizational structure. They must ensure adequate, trained resources are made available to implement and maintain the QMS.

Management’s responsibility is to:

  1. Establish and maintain the company’s quality policy
  2. Maintain adequate organizational structure
  3. Establish a QMS and regularly review its effectiveness, history of nonconformances (NCs) and Corrective and Preventive Actions (CAPAs), and results of recent audits
  4. Assign at least one Quality Management Representative who ensures the QMS is working effectively and that management swiftly acts on any deficiencies
  5. Ensure that employees have the adequate education, background, and training to complete their jobs  

Read the FDA’s guidelines for more details. When you submit to the FDA, they evaluate if management has all the documentation and processes in place to implement the QMS.

Production and Process Control

Production and Process Control ensures that the products your company manufactures consistently meet specifications, and are validated as outlined in your documentation.

Companies must be able to demonstrate:

  1. Production processes consistently conform to specifications
  2. Equipment used in production and testing is qualified and maintained
  3. Processes are monitored and evaluated for whether they remain in a state of control
  4. Statistical techniques are used to validate the process and ensure they are adequate

Production and Process Controls must be in place before you submit to the FDA.

Corrective and Preventive Action (CAPA)

The purpose of a CAPA process is to detail how your company deals with product and process quality issues, preventing their recurrence/occurrence.

Through CAPA, regulatory organizations view company documentation on:

  1. How you analyze a problem (determine root cause)
  2. Develop an action plan and verify and validate the solution
  3. Implement the solution and document the changes
  4. Verify the effectiveness of those actions
  5. Communicate the changes to management and those affected

CAPA must be established before your company submits to your regulatory organization. Also, CAPA is an auditor’s main insight into your company’s internal processes. Every single audit (except maybe your first) will involve a review of your CAPAs.  

In 2014, most of the warning letters (which are made public) that FDA issued were due to poorly implemented or executed CAPAs/CAPA systems.


What about Software as a Medical Device (SaMD)?

The use of software medical devices is increasing and extends beyond traditional hardware and software.

"SaMD is defined as software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device."

Software medical devices (and mobile apps) are identified as SaMD products if they meet the definition of a medical device including whether they are:

  1. Software-only-based in-vitro diagnostic devices
  2. Software capable of running on non-medical computing platforms
  3. Software that does not require hardware to reach its intended medical purpose
  4. Software that can be used in conjunction with hardware to reach its intended medical purpose

In order to develop SaMD that are safe, you have to identify risks, establish measures/features to control and mitigate those risks, and demonstrate confidence that the residual risks are acceptable. Simply testing the software is not enough; risk management principles should be built into the software to assure its safety. You must also establish a design and development process, post market surveillance and change control; in other words, SaMD products are treated the same as traditional medical devices throughout the product life cycle.

SaMD products follow the same medical device product classification system. For details, refer to the section 'How are products classified?'

FDA is evaluating alternative approaches to regulating SaMD products, including basic quality system regulations as well as submission requirements under a new program called Digital Health Software Precertification (Pre-Cert) Program.

Contact info@enzyme.com for more information.




Current Good Manufacturing Practices
China Food and Drug Administration
Conformité Européenne
Center for Devices and Radiological Health
Corrective and Preventive Action
Code of Federal Regulations Title 21 (United States)
Software as a Medical Device
Quality Management System (medical devices): the system of business processes implemented to conform business activities to meet the Quality System Regulation 21 CFR 820 for medical devices
Nonconformance (or nonconformity): the nonfulfillment of a specified requirement, often in reference to nonconforming product
International Organization for Standardization
International Medical Device Regulations Forum
Food and Drug Administration - United States Federal Agency within the Federal Department of Health and Human Services (HHS)
European Commission, oversees Medical Device market in Europe

Reference Materials


Special controls: Special controls are regulatory requirements for Class II devices
SaMD Guidelines: Guidelines set by IMDRF for SaMD products. These guidelines have been referenced by the FDA while they work on creating their own SaMD guidance (see Digital Health)
QSIT Guide: Quality System Inspection Technique used by FDA inspectors to evaluate a company’s QMS
Software Level of Concern: Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices
Summary of Canadian Requirements: Information about Canadian Medical Device Requirements
General Controls: Basic provisions of the FDA through which the FDA regulates devices to ensure their safety and effectiveness
FDA Product Classification: Database outlining a list of medical devices and their associated classification and product
FDA Guidelines: FDA’s guidelines for devices
EU Regulations: Guidelines on European regulations
CFDA Guidelines: China Food and Drug Administration's regulatory
CE Certification: Conformité Européenne

FDA General Business Process List of Regulations


View a comprehensive list of medical device-specific subparts. View to learn how the Code of Federal Regulations is organized in general for all products regulated by FDA (including food, drugs, cosmetics and medical devices).

21 CFR 830: Unique Device Identification
21 CFR 822: Post-market Surveillance
21 CFR 821: Medical Device Tracking Requirements
21 CFR 820: Quality System Regulations
21 CFR 814: Premarket Approval of Medical Device
21 CFR 812: Investigational Device Exemptions
21 CFR 809: In-Vitro Diagnostic Products
21 CFR 807: Establish Regulatory and Device Listing for Manufacturers and Initial Importers of Devices
21 CFR 806: Medical Devices - Reports of Corrections and Removal
21 CFR 803: Medical Device Reporting
21 CFR 801: Labeling - Medical Device
21 CFR 11: Electronic Records