Building Your First QMSR-Compliant QMS from Scratch
If you're a medical device startup building your first quality management system, you have an advantage: you can build it right from the start. You're not transitioning from QSR to QMSR—you're starting fresh with QMSR requirements as your foundation.
Reading time: 15 minutes | Last updated: December 2025
If you're a medical device startup building your first quality management system, you have a significant advantage: you can design it from the ground up to align with the Quality Management System Regulation (QMSR) and ISO 13485:2016, instead of having to retrofit a legacy system. QMSR incorporates ISO 13485:2016 by reference and becomes fully effective on February 2, 2026, replacing most of the existing Quality System Regulation (QSR) in 21 CFR 820.
However, until that effective date, FDA still enforces the current QSR, and even after QMSR's effective date you must comply with other FDA requirements (e.g., UDI, MDR, corrections/removals). Your goal is to build a QMS that is dual-aligned: ISO 13485 / QMSR-ready and compatible with QSR expectations during the transition.
Building a QMS from nothing can feel overwhelming. Where do you begin? What do you truly need? How do you design a system that will withstand FDA inspection without over-engineering it for a small team?
This guide provides practical, step-by-step advice for startups and small companies to build a QMSR-aligned, inspection-ready QMS from scratch.
In this article:
- What you actually need (and don't need) at each stage
- Minimum viable QMS for early-stage companies
- Scaling your QMS as you grow
- Common startup QMS mistakes
- Timeline and resource planning
Start with the End in Mind
Before creating procedures and documents, clarify what "success" looks like for your QMS.
A QMSR-aligned QMS must:
- Meet ISO 13485:2016 requirements, including documented procedures for document control (4.2.4), record control (4.2.5), and medical device files (4.2.3).
- Address FDA-specific QMSR additions, notably:
- §820.10 incorporating ISO 13485 and ISO 9000 definitions.
- §820.35 Control of Records, strengthening expectations for record availability, retention, and integrity.
- §820.45 Device Labeling and Packaging Controls, reinforcing label accuracy checks and packaging controls beyond ISO 13485.
- Support your regulatory submissions, manufacturing, and post-market activities (including Part 803 MDR, Part 806 corrections/removals, and UDI requirements).
- Scale with company growth without needing a complete redesign.
- Pass FDA inspections under the new QMSR inspection model.
It does NOT need to:
- Look like a Fortune 500 company's QMS.
- Include every conceivable procedure and form "just in case."
- Address requirements that are clearly not applicable to your products/activities (with documented justification).
- Be perfect on day one—FDA expects continuous improvement, not static perfection.
- Rely on ISO 13485 certification; FDA does not require certification, and certification does not exempt you from FDA inspections.
The objective is a functional, risk-based system that meets requirements for your current stage and can be scaled without rework.
Key QMSR Note: Under QMSR, FDA can review records that were previously exempt from inspection under QSR §820.180(c), including management reviews, internal audits, and supplier audits. Build your QMS with inspection readiness in mind from day one: assume these records will be reviewed and ensure they are complete, risk-justified, and defensible.
Phases of QMS Development
Phase 1: Foundation (Pre-Product Development)
When: Before formal design and development begins (i.e., before you initiate controlled design activities).
Core objective: Put minimal but robust QMS infrastructure in place so design work is controlled from the start and can survive inspection.
What you need:
Document & Record Control (ISO 13485 Clauses 4.2.4 and 4.2.5)
A basic system to control documents and records is mandatory before you generate controlled content. Initial implementation can be a shared drive with:
- Document control procedure (approval, revision, distribution, obsolescence).
- Document numbering and naming convention.
- Master document list or index.
- Record control procedure (identification, storage, protection, retrieval, retention, and disposition).
Quality Manual & Medical Device File Framework (Clauses 4.2.2 and 4.2.3)
- Quality manual: concise description of QMS scope, exclusions/justifications, key processes, and interaction.
- Define the structure for medical device files (MDFs) even if products are not finalized; this will later house specs and procedures for each device family.
Management Responsibility (Clause 5)
- Assign top management responsibility for QMS effectiveness, quality policy, and objectives.
- Establish a management review procedure and schedule (quarterly is reasonable for startups).
- Even in a small team, clearly define who owns quality, regulatory, and risk management.
Training and Competence (Clause 6.2)
- Define competence requirements per role and document training/qualification.
- Implement a simple training procedure and records (matrix + training logs).
Basic Nonconformity & CAPA Framework (Clauses 8.3, 8.5.2, 8.5.3)
Even pre-product, issues will occur (e.g., procedural nonconformities, supplier issues, internal audit findings). Implement lightweight nonconforming product/issue and CAPA procedures early so you can show functioning systems if FDA inspects during development.
You can defer in Phase 1:
- Full design control procedure details (but do not start formal design work until some level of design control is in place).
- Detailed production procedures.
- Complaint handling and MDR reporting (until you are close to market), while still understanding future obligations.
Phase 2: Design and Development (Product Development)
When: Once you begin controlled design work on your medical device.
Core objective: Ensure design controls, risk management, and supplier controls are robust, traceable, and inspection-ready.
What you need:
Design Controls (ISO 13485 Clause 7.3; legacy QSR §820.30)
- A design control procedure that covers: planning, inputs, outputs, reviews, verification, validation, design transfer, and design changes.
- For startups, all of these can be managed in a single integrated design control SOP with subsections.
- Ensure design reviews, verification, and validation are documented and traceable to risk and user needs.
Risk Management (ISO 13485 Clause 7.1 and references to ISO 14971)
ISO 13485 requires risk management to be applied throughout product realization and explicitly links to ISO 14971. At minimum:
- Risk management procedure aligned with ISO 14971 principles.
- Risk management plan template.
- Defined analysis methods (e.g., FMEA, fault tree).
- Risk file structure integrated with design documentation.
Design and Development File / DHF Structure
ISO 13485 uses the medical device file concept; FDA historically used Design History File (DHF). Define a structure organizing:
- Design plans, inputs, outputs.
- Design review minutes.
- Verification and validation protocols/reports.
- Risk management file.
- Design transfer evidence.
Supplier Qualification & Controls (Clause 7.4)
Evaluating and selecting suppliers/contractors based on their ability to meet requirements is mandatory. Implement:
- Supplier evaluation/approval procedure.
- Supplier classification (e.g., critical vs non-critical).
- Quality agreements where appropriate (especially for critical outsourced processes).
Early CAPA Usage
Use CAPA to address systemic design-phase issues, recurring deviations, or significant supplier problems, not just post-market complaints.
Typically deferred (if not yet applicable):
- Full production process validation (7.5.6), detailed work instructions.
- Complaint handling workflow (but design your architecture so complaints later integrate with CAPA and risk files).
Phase 3: Production Preparation (Pre-Launch)
When: Design is "frozen," and you are preparing for or piloting manufacturing.
Core objective: Make production, labeling, traceability, and records robust enough for commercial manufacture and inspection.
What you need:
Production and Process Controls (Clause 7.5; QMSR expectations)
- Product-specific manufacturing procedures.
- Work instructions for critical operations.
- In-process and final inspection/testing procedures.
- Equipment maintenance and calibration controls.
Process Validation (Clause 7.5.6)
For processes where output cannot be fully verified (e.g., sterilization, certain software, or welding), perform and document validation.
- Implement a process validation procedure and create IQ/OQ/PQ protocols and reports for each special process.
Medical Device File (MDF) (ISO 13485 Clause 4.2.3)
For each device or device family, maintain an MDF that includes or references:
- Device specifications and intended use.
- Production specifications and process parameters.
- Quality assurance/testing requirements.
- Packaging and labeling specifications.
- Installation/servicing instructions if applicable.
Labeling and Packaging Controls (ISO 13485 Clause 7.5.1; QMSR §820.45)
FDA explicitly retained and strengthened labeling/packaging requirements, including inspection for accuracy prior to release, similar to QSR §820.120(b). Your labeling procedure should:
- Require label content verification against approved master artwork/specifications.
- Require documented inspection of a representative sample (including UDI, lot/serial, product code, and critical text) before release.
- Control storage and segregation to avoid mix-ups.
Purchasing and Receiving (Clause 7.4)
- Purchasing procedure covering selection, evaluation, and re-evaluation of suppliers.
- Incoming inspection/testing procedures with defined acceptance criteria for critical materials/components.
- Supplier monitoring records (e.g., performance, issues, corrective actions).
Traceability and Device History Records (Clause 7.5.9; QSR-style expectations)
- Implement traceability procedures appropriate to device class and risk (including UDI and, if applicable, requirements under 21 CFR 821 for device tracking).
- Define your Device History Record (DHR) or equivalent record set that shows each batch/lot/unit was manufactured per requirements.
CAPA System – Fully Operational (Clauses 8.5.2–8.5.3)
By this stage, CAPA should be fully defined and used to address:
- Manufacturing nonconformities.
- Complaints and post-market issues (once launched).
- Audit findings and process performance trends.
Internal Audit (Clause 8.2.4)
- Internal audit procedure, risk-based audit schedule, and auditor qualification criteria.
- Under QMSR, internal audit reports will be available for FDA review, so ensure findings and follow-up actions are traceable and justified.
Phase 4: Commercial Operations (Post-Launch)
When: Devices are in distribution or clinical/commercial use.
Core objective: Close the loop between field performance, risk management, and continuous improvement.
What you need:
Complaint Handling (ISO 13485 Clause 8.2.2; link to 21 CFR 803/806)
- Complaint handling procedure covering intake, evaluation, investigation, and decision-making.
- Clear criteria for reportability under MDR (21 CFR 803) and for corrections/removals under 21 CFR 806, with linkages to regulatory/clinical functions.
Customer Feedback and Post-Market Surveillance (Clauses 8.2.1, 8.2.3)
- Procedures for collecting, analyzing, and feeding back information from customers, distributors, and service teams.
- Integration with management review, risk management updates, and CAPA.
Customer Communication (Clause 7.2.3)
- Procedure for handling orders, inquiries, product information, and complaints/returns in a controlled manner.
Servicing (Clause 7.5.4, if applicable)
- Servicing procedure, service records, and linkage from service findings back to complaints, CAPA, and risk management.
Nonconforming Product (Clause 8.3)
- Procedure for detection, segregation, disposition, and rework/re-inspection of nonconforming product.
- Ensure nonconforming product records are linked to CAPA and risk management for significant or recurring issues.
Minimum Viable QMS: What You Actually Need
For a resource-constrained startup, the minimum to credibly support development and inspections is:
Core Procedures (Phase 1 / Early Phase 2):
| Procedure | ISO 13485 Reference |
|---|---|
| Document Control Procedure | 4.2.4 |
| Record Control Procedure | 4.2.5 |
| Quality Manual + QMS Scope | 4.2.2 |
| Management Review Procedure | Clause 5 |
| Training & Competence Procedure | 6.2 |
| Design Control Procedure | 7.3 |
| Risk Management Procedure | 7.1 + ISO 14971 |
| Nonconforming Product Procedure | 8.3 |
| CAPA Procedure (combined or separated CA/PA) | 8.5.2 and 8.5.3 |
Additional Procedures (Before Manufacturing / Phase 3):
| Procedure | ISO 13485 / QMSR Reference |
|---|---|
| Supplier Qualification & Purchasing Procedure | 7.4 |
| Production and Process Control Procedure | 7.5 |
| Process Validation Procedure | 7.5.6 |
| Internal Audit Procedure | 8.2.4 |
| Complaint Handling Procedure | 8.2.2, linked to MDR/Part 803 |
| Labeling and Packaging Control Procedure | QMSR §820.45 + 7.5.1 |
| Traceability / DHR Procedure | 7.5.9 + QMSR expectations |
You can defer (until truly applicable and justified):
- Servicing procedures (if you do not service products).
- Sterilization procedures (if products are non-sterile or outsourced with appropriate supplier controls).
- Installation procedures (if products require no installation).
- Highly specific test procedures (develop as products and processes mature).
Important: Document any exclusions/non-applicability decisions with risk-based rationale in your quality manual and procedures.
Scaling Your QMS
From 5 to 20 Employees:
- Formalize a training matrix and update organizational chart with clear deputies/backups.
- Maintain quarterly management reviews, potentially increasing frequency when major changes or issues occur.
- Delegate quality responsibilities (e.g., document control owner, CAPA coordinator).
- Consider lightweight eQMS tools for document control, training, and CAPA as volume grows.
From 20 to 50 Employees:
- Establish at least one dedicated quality professional (QA/RA lead).
- Implement measurable quality objectives (complaint rates, NC rates, CAPA closure time, on-time training, audit findings).
- Mature CAPA tracking: trend analysis, risk-based prioritization, and effectiveness checks.
- Expand internal audit scope and frequency, including process and supplier audits.
- Put quality agreements in place with critical suppliers/CMOs.
- Consider ISO 13485 certification to support EU MDR and other global submissions.
50+ Employees:
- Build a structured quality organization (e.g., QA operations, QA systems, supplier quality, compliance).
- Train multiple internal auditors with cross-functional coverage.
- Implement statistical process control (SPC) and data-driven process capability monitoring for critical characteristics.
- Deploy more sophisticated supplier management (scorecards, periodic audits, risk-based segmentation).
- Use a full-featured eQMS platform to manage documents, training, CAPA, complaints, and audits.
- Plan for regular third-party assessments and MDSAP/ISO audits where strategically beneficial.
Common Startup QMS Mistakes
1. Copying Big-Company QMS Structures
Over-complex systems (multi-level review boards, 20-page forms) suffocate a small team. Build lean processes that reflect what you actually do, but design them to scale.
2. Delaying QMS Setup
Starting design work without document control, design control, or risk management leads to reconstruction of history and gaps in DHF/MDF. Establish core QMS infrastructure before formal design begins.
3. Over-Documenting Everything
Too many procedures and overly complex forms lead to non-compliance in practice. Focus on clear, usable procedures that are consistently followed and auditable.
4. Treating Risk Management as a Silo
Risk management must connect to design decisions, process controls, CAPA, complaints, and management review. Ensure risk files are living documents updated with post-market data.
5. Not Designing for QMSR Inspections
Under QMSR, FDA can inspect management reviews, internal audits, and supplier audits, which must be complete and defensible. Build with inspection in mind: clear rationales, risk-based decisions, and organized records.
Timeline for Building a QMS from Scratch
If You Have ~6 Months:
Months 1–2 (Foundation):
- Quality manual, document control, record control, training, basic CAPA/nonconformance, management review.
Months 2–4 (Design Controls):
- Design control procedure, risk management, supplier qualification, DHF/MDF structure.
Months 4–6 (Production Preparation):
- Production procedures, process validation strategy, labeling controls, traceability, internal audit, complaint procedure.
If You Have ~3 Months (Accelerated):
Weeks 1–4:
- Quality manual, document/record control, design control, risk management, nonconformance/CAPA.
Weeks 5–8:
- Supplier qualification, training, internal audit framework, labeling control structure.
Weeks 9–12:
- Production procedures, complaint handling, customer feedback, management review implementation.
If You Have <3 Months:
Prioritize:
- Document and record control.
- Design control and risk management (to protect your design history).
- Labeling/traceability basics if close to manufacturing.
- Whatever is strictly needed for your regulatory submission and near-term inspections.
Strongly consider external QMS/QMSR assistance to avoid structural gaps.
Resource Planning
Internal Resources:
| Level | Description |
|---|---|
| Minimum | A named quality owner (even part-time) accountable for QMS implementation and maintenance. |
| Recommended | A quality engineer or QA/RA generalist with ISO 13485 and FDA device experience. |
| Optimal | Dedicated QA/RA lead with experience in ISO 13485, QSR/QMSR, and your device type. |
External Support Options:
QMS/QMSR consultants for:
- Procedure development and tailoring to your risk profile.
- Design control, risk management, and DHF/MDF structuring.
- Pre-inspection readiness and mock audits.
Regulatory (RA) support for:
- Submission strategy that aligns with your QMS maturity and evidence.
Training providers for:
- ISO 13485 / QMSR / MDR / UDI requirements.
QMS software vendors for:
- Document control, training management, CAPA, complaints, and audit tracking.
Budget Considerations (Typical Ranges):
| Approach | Estimated Cost |
|---|---|
| Minimal | Internal development using templates and basic tools – roughly $5,000–15,000 in direct costs, plus internal time. |
| Moderate | Targeted consultant assistance for key procedures and implementation – typically $20,000–50,000. |
| Comprehensive | Full consultant support plus eQMS implementation – often $50,000–100,000+ depending on scope and complexity. |
Related Resources
- Quality Management System Regulation (QMSR) – FDA Final Rule Overview
- ISO 13485:2016 – Medical devices — Quality management systems
- QMSR Transition Insights and Enforcement Expectations
Building your first medical device QMS?
You can create a right-sized, inspection-ready QMS that aligns with QMSR and ISO 13485 without over-engineering. The key is sequencing, risk-based prioritization, and documentation that reflects your actual practices.
QMS.Coach helps startups build quality management systems that meet QMSR requirements without unnecessary complexity. Our QuickStart package provides the foundation you need to begin.
Book a Free 15-Minute Consultation →
QMS.Coach LLC | neel@qms.coach