Medical Software Development according to Medical Device Regulation (MDR) – part 3: Quality management system

This blog series discusses the Medical Device Regulation (MDR) in brief and how it affects software development for medical devices. This part discusses the effects of the MDR on your Quality Management System (QMS).

In the previous parts we have looked at:

Checklist for Medical Software Development (3/4) 

The key points to consider regarding the Quality Management System:

  • Define and implement a Quality Management System based on ISO 13485
  • Use the relevant harmonized standards, or the latest version if one is not harmonized
  • Draw up the technical documentation and keep it updated
  • Ensure the competence and training of people including all economic operators
  • Be prepared for audits by a Notified Body, including unannounced audits

Quality Management System

The ISO 13485 standard is generally accepted throughout the world as “state of the art” with respect to Quality Management System (QMS) requirements. Most companies apply ISO 13485:2016 to pave the road to regulatory compliance. It must be noted that even though device certificates may be valid till 2024, all QMS must meet the MDR regulations by 26-May-2020. The audits after this date will be made against the MDR. 

MDR requirements for QMS

MDR Article 10 defines the general obligations of manufacturers. Much is already covered by ISO 13485:2016, but there are several QMS requirements that are not explicit in it, including:

  • Technical documentation content and formatting, and document storage retention
  • Strategy for regulatory compliance, including the person responsible for regulatory compliance
  • General safety and performance requirements
  • Clinical evaluation and investigation
  • UDI, labeling and interaction with Eudamed database
  • Resource management, supply chain and economic operators
  • Post-Market Surveillance system (PMS), including PMS plan, periodic safety update report, post-market clinical follow-up and performance follow-up
  • Vigilance criteria and timescales, incidents and field safety corrective actions

Use of standards

One of the key standards for medical software development is IEC 62304: Medical device software – Software life-cycle processes.

MDR Article 8 defines the use of harmonized standards. However, only a few standards are harmonized for the MDR by the date of its application. As the MDR requires “state of the art”, manufacturers are instructed to follow the most current version of a standard, even if it has not been harmonized under the MDR. The use of standards helps fulfill the general safety and performance requirements defined in MDR Annex I. There will not be new standards for the MDR; instead, there will be supplementary Z annexes to the standards to support the regulatory aspect.

The key standards for medical software development include:

  • ISO 13485: Medical devices – Quality management systems – Requirements for regulatory purposes
  • ISO 14971: Medical devices – Application of risk management to medical devices
  • IEC 62304: Medical device software – Software life-cycle processes
  • IEC 62366: Medical devices – Application of usability engineering to medical devices
  • IEC 82304-1: Health software – Part 1: General requirements for product safety

MDR Article 9 defines the introduction of common specifications (CS) as a set of technical and/or clinical requirements where no harmonized standard exists, or where the harmonized standard is not considered sufficient. Manufacturers shall comply with the CS in a timely manner unless they can justify that they have adopted solutions that ensure a level of safety and performance that is at least equivalent thereto.

Surveillance audits

Your Notified Body will audit and assess the QMS and PMS processes at least on a yearly basis. In addition, the Notified Body will perform unannounced audits of the manufacturer and of the manufacturer’s suppliers or subcontractors at least once every five years.

Audits typically include assessment of technical documentation, taking samples from the production process and analyzing samples from the market. Where the manufacturer uses a harmonized standard or CS related to the QMS, conformity with those standards or CS is assessed.


Pinja Welfare and Health Technology QMS is certified in accordance with ISO 13485:2016 covering both the product development of medical software and services and related continuous service provision.


ISO 13485:2016
Medical Device Regulation (EU) 2017/745

Read more

Medical Software Development according to Medical Device Regulation (MDR) – Part 1: Software Qualification and Classification
Medical Software Development according to Medical Device Regulation (MDR) – Part 2: Conformity assessment route, software modules and impact of changes

Juha Sippola

I work as a software developer and quality control manager in the health and wellness technology unit at Pinja. I’m very interested in quality control, and I have over 15 years of experience in tasks related to mobile devices and health tech. In my free time, I exercise by skiing, cycling and going to the gym, among other things.