Building an ISO 13485 Compliant QMS: 4 Effective Strategies

4 ways to build ISO 13485 compliant QMS

Are you looking for ways to build and maintain the most efficient, ISO 13485 compliant QMS as your company continues to scale? You may be considering an array of options, including sticking with a tried and tested ‘paper-based’ system. But what are the pros and cons of each approach?

Paper, DIY digital or an eQMS - what are the pros and cons?

The paper based approach - a manual QMS

A paper-based QMS may be how your business has been operating since the start.  You may even have gained ISO 13485 through a physical audit of your paper system.  Your manual processes and SOPs may be well understood and working relatively well - albeit slowly.

But these manual processes may now be so entrenched and meticulously observed by everyone in your team that you fear you’ll fatally disrupt them by shifting to a digital alternative.

Sticking with a paper-based QMS might, on the face of it, seem a less complex and risky option than establishing an all-new digital system. Real-world paper, folders and files safely stored in real-world filing cabinets can often seem the most manageable and least expensive option for those trying to keep costs and complexity down.


Pros:

  • Reduced technical complexity - no worries about servers, software or cybersecurity
  • Your paper-based system may be long-established and well understood by your team
  • Reduced cost - no expensive digital configuration, set-up fees or annual charges
  • No complex technical training requirements

Cons:

  • Paperwork is only going to increase in volume and become more unmanageable
  • Manual change control can overwhelm available resource as you grow
  • Updating, printing out and filing paperwork is time-consuming
  • Chasing ‘wet signature’ approvals for official sign-off can be slow and stall progress
  • Lack of automation for processes can kill velocity
  • Manual processes increase the risk of omissions and mistakes
  • Audits can be long and arduous

The reality is that most medical device developers using a paper-based system will be thinking about digital alternatives. As you plan to scale up your team to hit tough delivery targets and retain the confidence of investors, your manual processes will quickly seem unequal to the task. Without automation you can easily be outpaced by competitors. There is the risk of dangerous gaps emerging in the way you work, from missing vital approval steps for key documentation to Corrective and Preventive Actions (CAPAs) not being effectively followed through.

And yet, the potential disruption of a full digital migration, the risk of getting it wrong and losing the confidence of your team is still holding you back from taking the digital leap.

Digital hybrid eQMS - a frankensystem

So, why not take a DIY digital approach? Why not use Google Docs, DropBox and DocuSign to stitch together a functional QMS?

The truth is, a DIY approach can be a ‘Frankenstein’s monster’. A living, breathing miracle of creation, but an unholy mess. It’ll work (after a fashion) but it’s not going to be pretty and it might all end in disaster.

Many developers choose to improvise an eQMS in this way, using email for notifications and reminders to animate workflows. These solutions are often supported with plug-ins for advanced functionality like e-signatures. But as a DIY solution, will they meet the letter of the regulation in 21 CFR Part 11?

Sprawling, unindexed and often kept compliant with regulation through labyrinthine ‘workarounds’, they can quickly become chaotic, confused and inefficient.


Pros:

  • No-cost and low-cost tools reduce long-term financial commitments
  • Using familiar tools like Google Drive and MS Office minimises training needs
  • Flexibility to use plug-ins to extend functionality (like e-signatures) as and when required

Cons:

  • A fragmented approach risks mistakes and omissions
  • Workarounds to support required regulatory workflows can be messy
  • Unexpected costs for storage and seats on new platforms often arise
  • Hidden costs such as 3rd party e-signing solutions (e.g. DocuSign)
  • Increased risk of duplicated documentation and effort
  • They can fuel the development of organisational silos
  • Onboarding and training requirements are constantly changing
  • Without a ‘single source of truth’ audits can be complex and confusing

A 'heavy-duty' eQMS

Many developers choose heavy-duty eQMS options, the kind favoured by pharma and med-tech giants to help them meet their regulatory obligations. These are robust, but often controlling and inflexible. Typically built for companies with thousands of employees and developed for the market over decades, they can be prescriptive and inflexible without good reason.

A one-size-fits-all approach to system design means there’s a distinct lack of customisation. New customers will often have to rework their processes to fit with suppliers’ way of working, which may not even be required by the regulation.


Pros:

  • Experience and reputation should equal a reliable supplier
  • They’re built by large corporations who can invest heavily in the latest tech
  • Best-in-breed solutions offer among the most robust compliance templates

Cons:

  • Annual costs can start at > £10K
  • Hidden charges mount up for data storage, bespoke changes, etc.
  • Extra costs for modules you can’t do without, e.g. CAPA, Complaints, NCRs, etc.
  • Can require lengthy, on-premise installation by consultants
  • Installation can take weeks or months to complete
  • Training can be long-winded and expensive
  • They can be highly bureaucratic
  • They will not adapt to the way you work

The ‘canned’ templates that these solutions offer for non-conformances, engineering change control and CAPA might be a compliant solution ‘straight out of the box’, but that’s because they require you to operate in the way of their choosing.  

You don’t want to have to down tools for 6 months while you rework your business process to meet the requirements of a QMS supplier, when the way you were doing things in the first place may have been more efficient and compliant with the regulation anyway.

What is it the supercomputer says to his human ‘operator’ in 2001: A Space Odyssey?

"This mission is too important for me to allow you to jeopardize it."

When your QMS software is telling you how you have to structure your business and operations, you are not in control of your solution.

It’s a fact that none of these approaches really meet the needs of businesses that are scaling up in the med dev space. They’re either too weak and fragmented in the controls they offer throughout the process, or too restrictive to be workable for a fast-growing business to implement.

What’s the answer?  

As a medical device developer, you need to choose a partner that can help you build (and migrate to) a Lean, digital Quality Management System that exactly answers your needs. Look for a solution that:

  • Provides a digital framework for ISO 13485 compliance, but one that you can easily adapt and populate with your own content to create a customised QMS.
  • Uses simple ‘non-coder’ tools (Word, Excel, PowerPoint and Visio) for you to edit and refine the supplied framework (it shouldn’t be complicated to configure and edit).
  • Comes with customisable forms as standard for nonconformances, complaints, engineering change control and other key activities.
  • Takes a graphical approach to help you define and document processes in a way everyone in the business can access, review and understand.
  • Provides tools for training attestation that can support LMS requirements.
  • Comes with integrated e-signatures to create robust approval sequences.
  • Is underpinned by a powerful document control system to help you build out workflows and design controls that work for you.

The right digital QMS solution should liberate you from the extra work and risk of a DIY solution without imposing the straitjacket of a typical med tech eQMS. Choose carefully and you can avoid the curse of ‘over-processing’ - while imposing the controls that really count.


Written by Joe Byrne

Joe Byrne is the CEO of Cognidox. With a career spanning medical device start-ups and Fortune 500 companies, Joe has over 25 years of experience in the medical device and high-tech product development industries. With extensive experience in scaling businesses, process improvement, quality, medical devices and product development, Joe is a regular contributor to the Cognidox DMS Insights blog, where he shares expertise on scaling and streamlining the entire product development cycle, empowering enterprises to achieve governance, compliance, and rigour.
