ISO 13485 for start-ups: 3 realistic approaches

1. Introduction - ISO 13485: an Everest for start-ups?

Creating a medical device is already a challenge. But when you consider the scale of the regulatory and standards requirements, the climb can seem like an Everest. And among these requirements, ISO 13485 is a must.

Often perceived as inaccessible for a young company, the standard can make you want to put it off... just a little longer. But that would be a mistake. Because quality, properly thought out, becomes a gas pedal, not a burden.

But you still need to know where to start, and with what ambition.

This article presents 3 realistic approaches to ISO 13485, depending on your start-up's strategy, funding and maturity.

2. Quick reminder: what ISO 13485 (really) covers

ISO 13485 is the international standard that defines the requirements for a quality management system (QMS ) applicable to medical device manufacturers.

In particular, it covers :

• Development and design → § 7.3
• Document management → § 4.2
• Traceability → § 7.5.9
• Control of suppliers (service providers, subcontractors, distributors) → § 7.4
• Post-market surveillance (complaints, material vigilance, corrective actions) → § 8.2.2 to 8.5.3
• Internal audits and non-conformity management → § 8.2.4 to 8.3

It is strongly recommended to prepare for CE marking (MDR 2017/745) and often required for access to markets outside Europe (e.g. Canada, Japan, Australia... and of course FDA).

3. Approach n°1 - The ultra-minimalist, evolutionary QMS

Who's it for? Start-ups in the seed, POC or pre-funding phase.

The aim is not to "do ISO 13485" for the sake of it, but to structure a minimal, scalable quality framework from the outset, adapted to the reality of a small team.

In concrete terms:

• Formalize the 5 basic processes (see checklist below)
• Use simple tools: TraceX, Excel, Notion, Google Drive, DocuSign
• Set up a monthly QMS review, often with an external consultant

Checklist - Top 5 processes to formalize :

1.Document management (creation, approval, distribution)

2.Design

3.User requirements management

4.Supplier control

5.Risk analysis and management ("light" level with qualitative approach)

Case study:

A start-up develops a connected patch for cardiac monitoring. Even before raising funds, it structured a light QMS with the help of a consultant. The result: clear documentation from the very first iterations, reassuring investors.

4. Approach n°2 - The "Design Control only" QMS, development-oriented

Who's it for? Start-ups in an active development phase, with a precise CE roadmap.

Here, the challenge is not yet ISO 13485 certification, but the rigorous documentation required by Annex II of the MDR.

This implies :

• Formal design reviews
• Two-way traceability between requirements, risks and tests
• Rigorous change management

Case study:

A MedTech company raises €2 million in Series A financing. It builds a QMS focused on design, without immediately aiming for certification. This strategy enables the company to build up a solid technical file for marketing authorization, while retaining flexibility.

5. Approach 3 - Pre-market certification

Who is it for? Start-ups in the industrialization phase, or in advanced discussions with a manufacturer or distributor.

Here, obtaining ISO 13485 certification becomes an objective in itself, often imposed by a strategic partner or to gain access to certain calls for tender.

This approach requires :

• A complete gap analysis
• A 6-9 month compliance plan
• Expert support or in-house QARA recruitment
• A mock audit

Case study :

A start-up finalizes an agreement with a German manufacturer to co-develop its product. The partner requires ISO 13485 certification within 9 months. The start-up implements a complete QMS and obtains certification with the help of CSDmed.

6. Mini FAQ - ISO 13485 and start-ups: frequently asked questions

Is it possible to obtain ISO 13485 certification without yet being on the market?

Yes, certification can be obtained from a QMS set up for the development or validation phase, as long as the requirements are well covered, a management review and internal audit have been carried out, and the QMS includes sufficient records to be audited.

Is a non-certified QMS sufficient for CE marking?

Yes, provided it complies with the requirements of Annex IX of the MDR. ISO 13485 is a powerful tool, but not a legal obligation.

How much does it cost to implement ISO 13485?

Between €15K and €80K, depending on the strategy chosen, the size of the team, the level of outsourcing, and the ambition of the QMS.

Is it necessary to recruit an in-house Quality Manager?

Not necessarily at first. Well-structured external support will enable you to progress effectively up to a certain level.

Is it possible to outsource all or part of the QMS?

Yes, especially in the early stages. But you need to keep control of critical decisions in-house.

7. The important thing is to get off to an intelligent start

There's no one right way to approach ISO 13485, but the one that matches your maturity, your challenges and your constraints.

A small, living QMS is better than a large, static one.

At CSDmed, we help start-ups choose the right quality path, without dogmatism.

To lay the first building blocks, secure design reviews, aim for certification... when the time is right.

Are you just starting out? in full development? preparing a series B?

Let's talk about it. And together, we'll build a QMS that's right for you.

8. Related resources

• What is good regulatory support for a start-up?
• ISO 14971 and start-ups: how to get started on risk analysis without getting lost