Building an ISO 13485:2016 QMS from Scratch: A Realistic Guide for MedTech Startups
Quick answer: A certifiable ISO 13485:2016 quality management system for a MedTech startup typically takes 4–9 months to build, depending on device complexity and how much design history already exists. The critical path is not writing procedures — it is generating the objective evidence (records) that the procedures have actually been operated before your Stage 2 certification audit. Template-only QMS kits routinely fail at exactly this point.
What ISO 13485:2016 actually asks for
ISO 13485:2016 is the QMS standard harmonised for EU MDR conformity assessment and required, in practice, for any device above Class I self-certified. Its core demands:
Documented QMS — quality manual, documented procedures, and records (Clause 4)
Management responsibility — quality policy, objectives, management review (Clause 5)
Resource management — competence, training, infrastructure, work environment (Clause 6)
Product realization — design and development controls, purchasing, production, traceability (Clause 7)
Measurement and improvement — complaint handling, internal audit, nonconformity, CAPA (Clause 8)
Under EU MDR, Article 10(9) makes a quality management system a legal obligation for manufacturers — ISO 13485 is the recognised way to satisfy it.
The build sequence that works
Phase 1 — Scoping (weeks 1–2). Define QMS scope against your device portfolio and regulatory strategy. Decide what is excluded (e.g., Clause 7.5.5 sterile devices, if not applicable) and justify it.
Phase 2 — Core documentation (weeks 3–10). Quality manual, document and record control, management responsibility, training, then the Clause 7 procedures shaped to how you actually design and manufacture. Design controls should mirror your real development workflow, or engineers will route around the QMS — the most common root cause of audit findings.
Phase 3 — Operation and evidence (weeks 8–20). Run the system: hold a management review, execute supplier evaluations, open and close a CAPA, process a (real or simulated) complaint, complete design reviews. Certification bodies expect records demonstrating operation, typically including at least one full internal audit and management review cycle.
Phase 4 — Internal audit and Stage 1/2 (weeks 16–30+). A full internal audit against all applicable clauses, findings closed, then the certification body's Stage 1 (documentation review) and Stage 2 (implementation audit).
Why template kits fail
Purchased QMS templates fail Stage 2 audits for predictable reasons: procedures describing processes the company doesn't run; design control documentation retro-fitted after development; no genuine management review; internal audits done by the person who wrote the procedures, against ISO 19011 independence expectations. A QMS is infrastructure, not paperwork — it has to be operated by people who audit systems for a living, or at least built by one.
Integrating EU MDR requirements from day one
Building ISO 13485 without MDR integration means rework. Bake in from the start: post-market surveillance procedures (MDR Articles 83–86), vigilance (Articles 87–91), UDI and EUDAMED registration workflows, PRRC verification points (Article 15), and technical documentation structure aligned to Annexes II and III. QLE Group builds QMS systems with these integration points as first-class citizens, because the same practitioner holds PRRC mandates and audits QMS systems against notified body criteria.
Realistic cost drivers
QMS cost scales with complexity, not device class: number of devices and variants, design maturity, manufacturing model (in-house vs. contract), software involvement (IEC 62304), and sterility. Beware fixed-price "certification guaranteed" offers — no consultant controls a certification body's decision.
Frequently asked questions
How long does ISO 13485 certification take end-to-end? Typically 6–12 months from first procedure to certificate, driven mostly by how fast you can generate operational records.
Can we self-certify ISO 13485? No — certification requires an accredited certification body. For EU MDR conformity above Class I, your notified body assesses the QMS as part of CE certification.
Do Class I manufacturers need ISO 13485? Certification is not mandatory for Class I self-certified devices, but Article 10(9) still requires a QMS — ISO 13485 is the sensible framework.
eQMS software or documents? Either can pass. Choose the tool your team will actually use; auditors assess operation, not software.
About QLE Group
QLE Group designs, builds, and operates ISO 13485:2016 quality management systems for MedTech companies from Brussels. Systems are built by Radoslav Milkov — DEKRA-certified ISO 13485 Lead Auditor, Exemplar Global-accredited Medical Device Management Systems Lead Auditor, 21 CFR 820 parallel-track experience, and Belgian national expert on the NBN quality management standardization committee. Complexity-indexed pricing is published at qle.be.
Starting your QMS? Book a scoping call or email info@qle.be.