Regarding “Heavy” Quality Management Systems

Medical device manufacturing and distribution must be fundamentally based on ISO 13485. Particularly when placing medical devices on the market, compliance with regulatory requirements in each jurisdiction is a prerequisite.

The author has developed and commercialized a template for QMS compliant with ISO 13485, offering both sales and consulting services. However, each time a client company modifies the established QMS, a concerning trend emerges: the QMS becomes increasingly complex and the number of documents multiplies. This phenomenon is what we call a “heavy QMS.”

While the causes are multifaceted, many non-specialized medical device manufacturers have built their QMS systems based on ISO 9001 from the outset. This is frequently a source of “heavy QMS” development.

ISO 9001 is a quality management standard applicable not only to manufacturing but also to service industries. Its objective is to continuously improve processes in order to enhance customer satisfaction. Consequently, ISO 9001 takes a process-oriented approach, requiring detailed definition and documentation of processes from the perspective of “how to operate processes efficiently.”

In contrast, ISO 13485 prioritizes ensuring the safety of medical devices. Beyond meeting customer requirements, it mandates compliance with regulatory requirements from regulatory authorities such as the FDA, PMDA, MHRA, and the European Commission (for example, risk management requirements under EU MDR and IVDR, validation of algorithms incorporating artificial intelligence and machine learning, and so on). Based on the principle that medical devices must be safe, ISO 13485 adopts a results-oriented approach. In other words, it is not necessary to define processes in meticulous detail as ISO 9001 requires; rather, what matters is being able to ultimately demonstrate and prove that the product is safe and effective.

This distinction is particularly evident in the difference between “design” and “design control.” What ISO 13485 requires is not the act of “design” itself, but a systematic approach called “design control.” Design control encompasses design planning, input (clarification of requirements), output, review, verification, change management, and traceability.

Many companies are proficient in “design” as a technical skill, yet fail to implement “design control” adequately. In particular, design review is critically important. During design review, personnel with appropriate expertise and experience must rigorously review the design content, objectively verifying the safety, effectiveness, and regulatory compliance of the medical device. Rather than a purely formal review, substantive examination from an independent perspective is required.

Moreover, with recent regulatory developments, establishing a QMS involves considerations beyond the basic framework. First, for medical devices incorporating artificial intelligence and machine learning, validation of algorithms and change management are now subject to increasingly stringent requirements. Second, data integrity requirements—specified in FDA 21 CFR Part 11, EU GMP, and other regulatory frameworks—have been strengthened. Third, cybersecurity requirements have been clarified in international standards such as IEC 62304 and IEC 81001-5-1. Rather than addressing these elements retroactively, integrating them from the initial stages of QMS design leads to the development of an “effective QMS.”

Medical device companies should not approach QMS development by simply “adding on” to ISO 9001 within ISO 13485. Instead, they must deeply understand the fundamental differences between ISO 9001 and ISO 13485, and construct a QMS that faithfully adheres to the objective of ensuring medical device safety. Rather than mere “compliance” with regulatory requirements, the development of an “effective QMS” that continuously assures the safety and effectiveness of medical devices is what should be pursued.

A “heavy QMS” increases company burden and does not lead to actual quality improvement or enhanced safety. Conversely, an “effective QMS” is concise yet capable of substantiating medical device safety with supporting evidence, and facilitates smooth regulatory interactions. Understanding the original intent of ISO 13485 and constructing a simple and practical QMS tailored to one’s own medical devices and business model ultimately becomes the most efficient and sustainable approach.