What’s the simplest QMS your medical device startup can implement and still be compliant?



Implementing a Quality Management System (QMS) for a medical device startup is not just an exercise in regulatory compliance; it’s a foundational step to ensure the safety, efficacy, and consistency of your product. Startups, with their innate agility and resource constraints, face the unique challenge of needing to establish a robust QMS without the luxury of large teams or budgets. However, there is an effective way to bridge this gap: implement only the necessary elements of a QMS in-house, while relying on the expertise and infrastructure of development and contract manufacturing partners for more complex components. This approach not only balances the need for a robust system against the constraints of a young company but also represents a simplified mechanism toward establishing a QMS that remains compliant. Here’s a basic outline of the simplest QMS your medical device startup can implement to achieve compliance:

Quality Agreement

A quality agreement is a crucial document between you and your development or contract manufacturing partner. This document outlines the roles and responsibilities of each party concerning quality and regulatory compliance.  A well-crafted Quality Agreement helps ensure product safety, efficacy, and compliance with relevant authorities by defining the organizational roles and responsibilities for things like which QMS is used and how, audit support, change control policy, and regulatory compliance.  

Document Control

Every QMS starts with proper documentation. Ensure that you have a system in place to:

  • Create and approve documents.
  • Revise and review documents when necessary.
  • Control the distribution of documents to prevent outdated or unauthorized usage.

Quality Manual, Quality Policy, and Objectives

A Quality Manual is a formalized document that describes your company’s quality management system and outlines your approach to quality assurance and process improvement. It acts as a roadmap for how your company produces your medical device to ensure that it meets consistent quality standards. It also may serve to identify which elements of the ISO 13485 standard your organization is subject to versus those you outsource to your development or contract manufacturing partners. As part of your quality manual, it will be important for you to draft a clear quality policy reflecting your commitment to compliance, safety, and efficacy. This policy should be supported by measurable quality objectives.

Management Review

Your QMS should incorporate regulatory management review meetings to assess the suitability, adequacy, and effectiveness of your QMS.  These reviews are intended to ensure continuous improvement and alignment with regulatory changes and should be formally documented.  

Risk Management

Medical devices must undergo risk assessment to ensure patient safety.  Implementing a simple risk management process to identify, evaluate, control, and monitor risks associated with your device throughout its lifecycle is necessary to demonstrate that your QMS incorporates a risk-based approach. 

Supplier Controls

Your QMS should ensure that any components, materials, or services used in the development or manufacturing of your product are from verified suppliers.  By qualifying your development and manufacturing partners, you may leverage their supplier evaluation, selection, and monitoring process.  This could simplify (but not remove) your supplier qualification process, saving both time and money.  


Training

Maintaining a system for training your employees to be aware of their roles and responsibilities in the QMS is required. Your procedure should define training requirements needed to ensure that your employees are equipped to follow procedures correctly to maintain the effectiveness of your QMS. Training records are needed to demonstrate that employees have been properly trained to carry out their assigned tasks.

Nonconformance and CAPA (Corrective and Preventive Action)

A process to identify, document, and address nonconformities is required.  This process should tie into your CAPA system that corrects these issues and prevents their recurrence.  

Internal Audits

Even a simple QMS requires periodic internal audits to ensure processes are followed and to identify areas for improvement.  It is important that your internal audit be conducted by someone who is not directly responsible for the area being audited.  In a small organization, this can be difficult.  But with a reasonable Supplier Control process in place, your organization should be able to identify and qualify a third-party auditing agency to conduct an independent review of your QMS. 

Feedback and Complaint Handling

Once your product has hit the market, having an established and streamlined process for collecting feedback and handling complaints is a must to ensure that customer satisfaction is maintained and to address potential safety concerns promptly.  Certain types of reported events have reporting timelines associated with them.  Understanding these requirements and having an effective process to manage these activities at the ready is the key to success in this area.  


It is essential to remember that, while the above outlines a basic QMS, “simplicity” should not compromise effectiveness or compliance.  As your startup grows, the QMS should evolve to meet your company’s changing needs.  Collaboration with experienced quality and regulatory consultants or professionals can also provide guidance tailored to your specific device and marketing, ensuring that even the simplest system is both compliant and effective. 


5 reasons FDA will refuse your 510(k) application due to cybersecurity deficiencies

Over the past decade, the FDA has steadily increased the degree of scrutiny applied to cybersecurity aspects of submissions. From the guidance issued on this topic in 2014, followed by extensive additions in the 2018 guidance and most recently the 2022 guidance, the FDA has made it clear that cybersecurity management needs to be carefully considered within 510(k) applications. In the latest update that has become effective as of March 29, 2023, the FDA now reserves the right to refuse your 510(k) application due to cybersecurity deficiencies under certain circumstances.

Refusal Reasons:

#1: The application does not include an adequate plan to address postmarket cybersecurity vulnerabilities in a reasonable time. A plan like this would include how such vulnerabilities are identified, monitored and disclosed.

#2: The application does not contain evidence that the medical device design and development has followed processes and procedures that provide reasonable assurance that the device is cybersecure.

#3: The medical device within the application does not have the means to be updated postmarket to address discovered cybersecurity threats. These updates would be required either on a reasonably justified regular cycle or possibly out of cycle to address a critical vulnerability.

#4: The application does not contain an appropriate software bill of materials that includes any open source software as well as commercial software used within the medical device.

#5: The application does not comply with any additional requirements that the FDA may impose through regulation to demonstrate with reasonable assurance that the medical device is cybersecure.


Ultimately, if your medical device has software and has connectivity to the Internet, it has now become a prime target for outright refusal of a 510(k) submission for lack of adherence to the rapidly evolving FDA regulations in this area.  Driven mainly by new laws as a result of the Consolidated Appropriations Act of 2023, specifically section 3305 titled “Ensuring Cybersecurity of Medical Devices” and subsequent amendments to the Federal Food, Drug and Cosmetic Act (FD&C Act) section 524B, these new cybersecurity regulations need to be seriously considered in any 510(k) submission to avoid costly delays.

At Bold Type we have always taken cybersecurity concerns seriously and incorporated extensive measures to address these concerns as part of our ISO 13485 compliant processes and procedures. We have been prepared for the inevitable and well-deserved increase in 510(k) scrutiny over cybersecurity threats, fundamentally addressing such concerns in our software architectures as well as within our 510(k) submissions. For us, cybersecurity of connected medical devices is foundational, which is why we make sure we are well positioned to comply with the evolving FDA regulations in this space.

When it comes to safeguarding your connected Medical Devices to ensure a smooth FDA submission and avoid costly mistakes, Bold Type is the team to rely on.  Contact us today.

Reference: Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act, March 30, 2023


Why avoiding Q-subs (presubmissions) to FDA is a terrible idea

In the realm of medical device development, ensuring the safety, effectiveness, and regulatory compliance of products is paramount. The United States Food and Drug Administration (FDA) serves as the gatekeeper, evaluating and approving medical devices before they reach the market. One crucial step in this process is the presubmission, which allows manufacturers to seek valuable feedback and guidance from the FDA. However, there is a concerning trend among some companies who opt to bypass this essential step in an attempt to expedite their product development. In this blog, we will delve into why avoiding FDA presubmissions for medical devices is not only ill-advised but also poses significant risks to patients and businesses alike.

Patient Safety as the Foremost Priority

Medical devices directly impact the lives of patients. Without engaging in FDA presubmissions, manufacturers risk overlooking crucial safety considerations and potential risks associated with their devices. Patient safety should always be the primary concern in the development and commercialization of medical devices. By bypassing presubmissions, companies increase the likelihood of introducing devices with unaddressed safety concerns, potentially endangering patients’ well-being and undermining public trust in the medical device industry.

Ensuring Regulatory Compliance

Adhering to FDA regulations is a fundamental requirement for medical device manufacturers. Presubmissions provide a crucial opportunity for companies to seek regulatory guidance and clarification, ensuring that their devices meet the necessary standards for market approval. Skipping this step significantly heightens the risk of non-compliance, which can result in delays, costly remediation efforts, and even the rejection of a product altogether. By actively participating in presubmissions, manufacturers can address regulatory concerns early on, thereby increasing their chances of successful product development and market entry.

Accelerating Product Development

Presubmissions foster a collaborative environment between manufacturers and regulatory experts. Seeking early feedback from the FDA allows companies to identify potential roadblocks, refine their development plans, and streamline the path to market approval. Engaging in presubmissions can help accelerate product development by addressing potential issues upfront, optimizing designs, and making informed decisions based on expert insights. By avoiding this critical step, companies risk encountering unforeseen obstacles, delays, and costly iterations later in the development process.

Building Market Confidence

Successfully navigating the FDA regulatory pathway enhances market confidence and increases the likelihood of product adoption. By actively participating in presubmissions, manufacturers demonstrate their commitment to quality, safety, and regulatory compliance. This engagement instills trust among healthcare providers, patients, and investors, who rely on the FDA’s rigorous evaluation process as an assurance of a device’s reliability and efficacy. Companies that choose to forgo presubmissions may face skepticism from stakeholders, impeding market acceptance and hindering potential reimbursement efforts.


The decision to avoid FDA presubmissions for medical devices has far-reaching consequences that extend beyond short-term expediency. By recognizing the importance of this topic, we understand that patient safety, regulatory compliance, and long-term business success are at stake. Engaging in presubmissions allows manufacturers to leverage valuable regulatory guidance, identify and mitigate risks, accelerate product development, and build market confidence. Prioritizing these aspects should be the cornerstone of any responsible and successful medical device development endeavor.


Why ISO 13485 Certification Matters in Product Development

Bold Type achieved ISO 13485 certification this year. And if you’re a medical device company looking for a product development partner, that certification can mean the difference between a successful 510(k) submission and a rejected one.

As I explained to Paul Enderle of BayCross Capital,  ISO 13485 certification means that we have a full quality management system in place, compliant with both FDA and CE mark requirements.

It means that we’re documenting our design inputs, outputs, design verification and validation testing in accordance with the requirements, and that we’re storing and maintaining those documents appropriately.

This greatly reduces risk for manufacturers, especially when the FDA auditors come around and find the design history file and all other associated documentation is just as it should be.