Quality & Risk Management
ISO 13485 and MDR: What a Compliant QMS Actually Looks Like
A practical introduction to ISO 13485 as the quality management backbone under EU MDR — what it requires, where it differs from ISO 9001, and what auditors focus on.
Building Your Risk Management File Under ISO 14971
A step-by-step guide to structuring a risk management file that satisfies ISO 14971 and stands up to MDR scrutiny — from hazard identification through residual risk acceptance.
Connecting Risk Management to GSPR Traceability
How to link your ISO 14971 risk management process to the General Safety and Performance Requirements in Annex I — a practical guide to traceability that auditors and reviewers actually check.
Choosing Between Annex IX and Annex XI: Conformity Assessment Route Selection
A practical guide to selecting the right conformity assessment route under MDR — what Annex IX and XI each involve, which device classes they apply to, and how the choice shapes your certification timeline.
CAPA and Design Controls in a Functioning QMS
How corrective and preventive action processes and design controls actually work in a medical device QMS — what auditors look for, where teams go wrong, and how to build processes that hold up under scrutiny.
IEC 62366 Usability Engineering: Formative vs. Summative Evidence
What usability engineering under IEC 62366-1 actually requires — the difference between formative and summative testing, what Notified Bodies have been scrutinising since 2021, and how to build a usability file that holds up.
ISO 10993 Biocompatibility: Risk-Based Evaluation vs. the Checkbox Report
How to approach ISO 10993 biocompatibility evaluation under MDR — why the old checkbox-style report no longer satisfies reviewers, what MDCG 2020-18 actually requires, and how to structure a risk-based biological evaluation that holds up.
Closing the Loop: How PMS Outputs Feed Back Into Your Risk Management File
How post-market surveillance outputs are supposed to connect back to your ISO 14971 risk management file — what triggers a risk file update, what the feedback loop looks like in practice, and where it tends to break down.
Preparing for an Annex IX Audit: What to Have Ready
A practical preparation guide for Annex IX QMS audits under MDR — what design review records, CAPA evidence, and management review outputs auditors expect to see, and the gaps that most commonly generate findings.
Management Review Under ISO 13485: What MDR Auditors Actually Look For
What makes a management review under ISO 13485 satisfy MDR auditors — the inputs and outputs that must be documented, the common gaps that generate findings, and how to run a review that demonstrates genuine leadership engagement.
Quality management and risk management sit at the centre of everything MDR requires. Your QMS is the operating system that makes the rest of compliance possible — clinical evaluation, technical documentation, post-market surveillance — all of it depends on documented processes, controlled outputs, and evidence that what you said you would do is what you actually did. ISO 13485 is the harmonised standard, and Annex IX and XI to MDR define the conformity assessment routes that require a certified QMS. If your QMS has gaps, those gaps tend to show up everywhere else at once.
One thing that catches a lot of teams off guard is the depth of QMS scrutiny under MDR versus what MDD Notified Body audits typically looked like. Under MDR, auditors are not just checking that procedures exist — they're looking for evidence of execution. Design reviews, CAPA records, management review outputs, complaint handling decisions — these need to show a functioning system, not a paper trail assembled for the audit. Teams that built lightweight QMS documentation under MDD often find the gap is significant when they face a full Annex IX audit.
Risk management under ISO 14971 is tighter under MDR than many manufacturers expected. The regulation requires that your risk management file directly supports your GSPR demonstration in Annex II. Residual risks documented under ISO 14971 must connect to the benefit-risk assessment in your technical file — they are not separate exercises. Getting this wrong produces one of the most common audit findings: a risk management file that is internally consistent but disconnected from the rest of the technical documentation. If the connection between risk and GSPR is not traceable on paper, it will be found.
Usability engineering (IEC 62366) and biocompatibility (ISO 10993) live within the QMS world for most manufacturers. IEC 62366 is often underweighted — teams do summative evaluation but skip the formative evidence that shows how use errors were identified and addressed during design. Notified Bodies have become more rigorous here since 2021. ISO 10993 biological evaluation is similarly often treated as a checkbox: a biocompatibility report referencing a standard rather than a genuine risk-based evaluation of the materials used. Both areas have specific MDCG guidance that is worth reading before an audit.
The resources in this category cover ISO 13485 implementation and audit preparation, how to build a risk management file that satisfies both ISO 14971 and MDR's GSPR traceability requirement, conformity assessment route selection (Annex IX versus XI), usability engineering evidence under IEC 62366, and biological evaluation under ISO 10993. Whether you're preparing for a Notified Body audit for the first time or reviewing what you have ahead of a surveillance audit, start with the QMS and risk management file — those are the areas where most of the systemic issues are found.
AI Participation & Regulatory Notice
The content on this page may be partially assisted by Artificial Intelligence (AI) to improve readability and ensure clarity.
While our team audits this content, please be aware:
- Accuracy: AI-assisted interpretations may contain nuances that differ from official MDCG guidance.
- Timeliness: Medical Device Regulations (MDR) are subject to updates. Always verify critical information against the official EUR-Lex database.
- Liability: MDR Academy provides these resources for educational purposes only. They do not constitute legal advice.