Start Your QMS Early (But Keep It Startup-Sized)

Most MedTech startups delay their QMS because it sounds like bureaucracy.

But under EU MDR, the QMS isn’t a “later” thing. It’s the operating system that proves you build, change, and release your device in a controlled way.

The trick is not to build a big-company QMS. It’s to build a startup-sized QMS that’s audit-ready and grows with you.

If you’re new to MDR, start with the overview first:

What a QMS is 

A Quality Management System is simply:

  • How you control documents and records

  • How you control design and changes

  • How you manage suppliers

  • How you handle issues (complaints, CAPA)

  • How you prove you did what you said you would do

A good QMS makes your company faster because it reduces rework and “tribal knowledge.”

Why “we’ll do QMS later” gets expensive

Delaying QMS usually creates these problems:

  • You can’t reconstruct decisions (why a requirement changed, who approved it)

  • Your test evidence becomes hard to trust (no version control, unclear inputs)

  • Supplier and cloud risks are unmanaged

  • You end up rewriting documents to match what you actually did

In other words: you pay twice.

The startup-sized QMS: what to implement first

You don’t need 40 SOPs. You need a minimum viable set of processes that match your stage.

1) Document & record control (non-negotiable)

Deliverables:

  • Document template + numbering convention

  • Version control rules (draft vs approved)

  • Simple approval workflow (who signs what)

  • A single source of truth (SharePoint/Drive/Notion/quality tool)

Definition of done:

  • Anyone can find the latest approved document in under 60 seconds.

2) Design & development controls (build this around your product workflow)

Deliverables:

  • Design plan (who does what, key reviews)

  • Design inputs (requirements)

  • Design outputs (specs, architecture, drawings)

  • Design review records

  • Design change process

Definition of done:

  • You can trace: requirement → risk → test → result.

3) Risk management integration (don’t keep it in a separate universe)

Deliverables:

  • Risk management plan + file (ISO 14971 aligned)

  • Link risks to requirements and verification

Definition of done:

  • Risk controls are implemented and verified, not just listed.

4) Supplier controls (especially for software + cloud)

Most startups outsource something critical: development, hosting, libraries, manufacturing, sterilization, etc.

Deliverables:

  • Approved supplier list

  • Supplier evaluation criteria

  • Quality agreements where needed

  • Change notification expectations

Definition of done:

  • You can explain why each critical supplier is “under control.”

5) CAPA + nonconformities (keep it lightweight, but real)

CAPA doesn’t have to be scary. It’s just a structured way to fix issues and prevent repeats.

Deliverables:

  • Simple log for issues/nonconformities

  • Root cause approach (basic is fine)

  • CAPA records (actions + effectiveness check)

Definition of done:

  • When something goes wrong, you can show you handled it systematically.

6) Complaint handling + PMS basics (plan now, even pre-market)

Even before launch, you should define how you’ll collect and handle feedback.

Deliverables:

  • Complaint definition + intake process

  • Feedback channels (support email, form, distributor)

  • PMS plan outline

Definition of done:

  • You’re ready for real-world data the moment you ship.

SaMD/AI quick callout: your QMS must cover software realities

If you build software, your “startup-sized QMS” should explicitly cover:

  • Release management (what changed, what version is live)

  • Cybersecurity updates and patching

  • Third-party libraries and dependencies

  • Cloud configuration changes

You don’t need enterprise tooling. You need clear rules and records.

What “startup-sized” looks like in practice

A good early QMS often looks like:

  • 8–15 core SOPs/work instructions (not 50)

  • Templates that make compliance easy (not a writing exercise)

  • A monthly quality rhythm (30–60 minutes)

  • One owner (even if it’s part-time)

Common mistakes (so you can avoid them)

  • Copy-pasting a generic ISO 13485 QMS: it won’t match how you work.

  • Writing SOPs no one follows: auditors can spot this instantly.

  • Treating risk management as a document: it must drive design decisions.

  • Ignoring suppliers: your weakest link is often outside your company.

A simple “start this week” plan

  1. Pick your single source of truth for documents

  2. Create 5 templates (SOP, plan, report, log, record)

  3. Freeze your document control rules

  4. Start design inputs + change control now

  5. Create a supplier list and mark “critical” suppliers

Want a startup-sized QMS plan in 60 minutes?

If you want to set up a QMS that’s lean, audit-ready, and aligned with how your team actually builds, book a free 60-minute MDR Strategy Call.

Book here: https://calendly.com/niko-mangold-consultants/30min
