Published On: 26. February 2026

MedTech Compliance: From chaos to structure with the right document management

The medical technology sector is fundamentally different from other industries. A software error in a consumer app is annoying, but the same error in a medical device can cost lives. For QA/RA managers, product developers and founders of medtech start-ups, this means that documentation, traceability and audit readiness are essential for survival.

The central challenge: How can teams manage the complexity of global regulations without getting bogged down in paper chaos? This is exactly where structured compliance management systems come in. Find out exactly how this works in our blog post.

When does a product become a medical device?

The boundary between a wellness tracker and a medical device does not run along the hardware, but along the intended use. The decisive factor is the intended use, i.e. what the manufacturer communicates about its product. A fitness tracker that counts steps remains a consumer product. However, as soon as it claims to detect cardiac arrhythmia, it becomes a regulated medical device.

This purpose is not only defined by the instructions for use, but also by all claims on the website, in social media posts or in marketing materials. An ill-considered post about off-label applications can have significant regulatory consequences. For marketing teams, this means that every claim must be coordinated, documented and approved by Regulatory Affairs.

The ecosystem of a MedTech company

Successful medical technology products are created through the interaction of specialized teams: Quality Assurance ensures that processes are adhered to and that the company is audit-ready. Regulatory Affairs navigates through approval processes and communicates with authorities. Clinical Affairs provides clinical evidence through studies and post-market clinical follow-ups. R&D transforms ideas into prototypes with documented design decisions and structured design controls. Marketing and Sales are responsible for each claim, which must be backed by clinical data.

The added value of a central tool: When all teams work in one system, it becomes transparent who is working on which document, which approvals are pending and which dependencies exist between requirements, risks and tests.

The regulatory framework: FDA and MDR at a glance

Global medical technology does not follow a uniform standard. However, two systems dominate: the US FDA and the European MDR.

  • FDA: Class I to Class III

The FDA divides medical devices into three risk classes. Class I includes products with minimal risk, such as oral spatulas. Class II describes products with a medium risk, such as infusion pumps. A 510(k) approval is usually required for this class. Manufacturers must prove that their new device is essentially equivalent to an already approved comparable product. The process takes 90 to 180 days.

Class III includes high-risk products such as pacemakers. These require premarket approval (PMA) with comprehensive clinical studies. The costs can reach millions and the process takes years. The De Novo process exists for novel devices without a predicate.

  • EU Medical Device Regulation (MDR)

MDR 2017/745 distinguishes between four risk classes (I, IIa, IIb, III) and requires more extensive technical documentation and stricter post-market surveillance. The position of Responsible Person in accordance with Article 15 MDR, who is responsible for compliance with all regulatory requirements, is new.

  • Central standards

ISO 13485:2016 is the international standard for quality management systems in medical technology. An important milestone: from February 2026, the FDA will adopt this standard as the basis for its own quality requirements (Quality Management System Regulation, QMSR). This means that the requirements between the USA and Europe will be largely harmonized for the first time – a major advantage for manufacturers operating in both markets.

ISO 14971:2019 regulates risk management over the entire product life cycle. Unlike a simple FMEA, the standard requires the continuous assessment of the risk-benefit ratio and comprehensive documentation. IEC 62304 regulates the software life cycle, 21 CFR Part 11 defines requirements for electronic signatures and audit trails.

Design controls: From chaos to a comprehensible structure

Design controls structure the path from the initial idea to the market-ready product. The process begins with user needs, i.e. the actual needs of the users, determined through interviews and observations. This results in design inputs, i.e. quantifiable requirements. “The device should be easy to use” is not a design input. “Operation must involve a maximum of three steps and 95% of users must perform these correctly without training” is valid.

The design outputs describe the technical implementation through drawings, specifications and code. Design verification checks whether the outputs correctly implement the inputs (“Have we built the product correctly?”). Design Validation uses clinical studies or usability tests to check whether the product meets user needs (“Have we built the right product?”).

A critical mistake: Many companies only document design controls backwards shortly before submission. The development team was creative, but there is no evidence of traceability. The solution: work in a structured way right from the start. A traceability matrix shows the connections between all elements. If a requirement changes, it is immediately clear which tests and documents are affected.

Risk management as a continuous process

ISO 14971 requires a structured six-step approach over the entire product life cycle: risk management planning, risk analysis (not only technical errors, but also use errors and off-label risks), risk assessment, risk control, assessment of the overall residual risk and continuous post-production monitoring.

For example, a software bug in an infusion pump could lead to incorrect dosing (technical risk). A usability problem could cause nursing staff to operate the device incorrectly under stress (use error). And a marketing video about off-label use could be problematic from a regulatory perspective. All three risks must be identified, assessed and documented.

Post-market surveillance: the work continues

Regulatory responsibility does not end with approval. The MDR requires systematic data collection on complaints, adverse events, field corrective actions, social media feedback and scientific literature. This information flows back into risk management and leads to Corrective and Preventive Actions (CAPA).

How BAYOOSOFT Themis makes complexity manageable

The biggest challenge in medical technology is not that regulations exist, but that they are so complexly interwoven. A change to a design input affects risk assessments, tests, clinical data and possibly also the instructions for use. Without a structured system, this leads to Excel islands, Word templates in different versions and email ping-pong between departments.

BAYOOSOFT Themis is a document management and compliance system specially developed for these requirements:

  • Central traceability: requirements, risks, tests and clinical data are linked with each other. Changes become transparent and the effects on downstream documents are immediately visible.
  • Templates and workflows: Instead of starting from scratch every time, Themis provides structured templates for SOPs, Risk Management Files, Design History Files and other regulatory required documents. Workflows ensure that the right people are involved at the right time.
  • Role models for multidisciplinary teams: QA, RA, Clinical Affairs and R&D work on the same product from different perspectives. Themis maps this distribution of roles and shows each team only the information that is relevant to them.
  • Audit trail and electronic signatures: To comply with 21 CFR Part 11 and ISO 13485, it is possible to trace who changed or approved which document and when. Themis documents every step in an audit-proof manner.
  • Support for ISO 13485, ISO 14971 and MDR: The system is structured in such a way that it directly supports the requirements of these standards. During audits, teams can quickly prove that processes have been defined, adhered to and documented.

A concrete scenario: without a structured system, an incoming risk report would be forwarded by email to various departments. RA, QA and other parties involved would have to manually check which requirements, measures and documents (e.g. Instructions for Use) are affected, and in the end it is often unclear whether everyone involved has seen and approved the final, agreed version.

With BAYOOSOFT Themis, the risk report is created as a document in the system, automatically linked to the relevant requirements, measures and associated documents, and a workflow ensures that all necessary assessments and approvals have been made before changes are implemented.

Conclusion: Quality through structure, not by chance

MedTech companies are under enormous pressure: regulatory requirements are becoming stricter, approval processes more complex and the competition is not sleeping. At the same time, the expectations of patients, doctors and payers in terms of product quality and safety are increasing.

The difference between successful and failed medical devices often lies not in the technology, but in the ability to manage complexity. Establish design controls at an early stage, implement risk management consistently, ensure traceability from the outset: These are not hurdles, but success factors.

A structured documentation management system like BAYOOSOFT Themis turns the regulatory burden into a competitive advantage. Teams work more efficiently, audits are stress-free, and an overview is maintained in the event of changes. Instead of getting bogged down in paper chaos, developers, QA managers and RA experts can focus on what really matters: building safe, effective products that improve lives.

This is how we support you

With BAYOOSOFT Themis, you can digitize linked processes and sustainably reduce documentation costs while minimizing redundant data. This allows you to keep track of your required evidence and documents when it comes to performance evaluation and thus comply with the regulations.

BAYOOSOFT Themis

FAQ: Frequently asked questions about medical device compliance and quality management

ISO 13485:2016 is the international standard for quality management systems in medical technology that is recognized worldwide. The US regulation 21 CFR Part 820 (Quality System Regulation, QSR) was the US-specific equivalent. Since February 2026, the former Quality System Regulation (QSR) has been replaced by the Quality Management System Regulation (QMSR), which integrates the requirements of ISO 13485:2016. This significantly harmonizes the requirements between the USA and the rest of the world.
No, ISO 13485 certification is not mandatory. The MDR requires a functioning QMS, but does not specify the form. However, ISO 13485 is the only QMS standard included in the EU list of harmonized standards. In practice, most manufacturers therefore use ISO 13485 as a framework, as Notified Bodies expect and recognize this structure.
Design controls are structured procedures for controlling product development as defined in 21 CFR 820.30 and ISO 13485. They apply to Class II and Class III medical devices and to certain Class I devices in the USA. Design controls include planning, design inputs, design outputs, design review, verification, validation, design transfer and design changes. The aim is to ensure that products meet user needs and are safe.
A 510(k) premarket notification is required for Class II devices and is based on evidence that the new device is substantially equivalent to an already approved predicate device. The process takes 90-180 days and usually does not require clinical studies. A PMA (Premarket Approval) is required for Class III high-risk devices and requires comprehensive clinical studies that independently demonstrate safety and efficacy. The FDA has a 180-day review period, but the overall process can take years.

FMEA (Failure Mode and Effects Analysis) is often mistakenly understood as a complete risk analysis, but is primarily a tool for preventive quality assurance. It focuses on the technical causes and consequences of errors in order to avoid product or process errors. A comprehensive risk analysis in accordance with ISO 14971, on the other hand, considers potential hazards and their actual effects on users and patients throughout the entire product life cycle and therefore goes well beyond the focus of an FMEA.

A medical device document management system (DMS) must support version control, approval workflows, audit trails and electronic signatures in accordance with 21 CFR Part 11. It should enable traceability between requirements, risks, tests and clinical data, control access based on roles and be able to quickly provide all relevant documents for audits.

BAYOOSOFT Themis is not just a document management system, but a specialized solution for technical documentation management in the medical device sector. The software digitizes and links technical documentation in accordance with MDR and IVDR, supports risk management in accordance with ISO 14971 and provides a “single source of truth” for requirements, risks and associated evidence, including versioning, approval workflows and audit trail.

Traceability refers to the ability to seamlessly track every step of product development – from user needs, design inputs and outputs to verification, validation and post-market data. ISO 13485 and FDA regulations explicitly require traceability. It is crucial in order to prove during audits that all requirements have been met, to evaluate the effects of product changes and to be able to react quickly in the event of recalls.

The Design History File (DHF) is the collection of all records that show that a device was developed according to the approved design plan. This includes: Design Plans, User Needs, Design Inputs and Outputs, Risk Analyses, Verification and Validation Reports, Design Reviews, Design Changes and Traceability Matrices. The DHF is central to audits and regulatory submissions.

Post-market surveillance is the systematic monitoring of a medical device after it has been launched on the market. The MDR requires all manufacturers to have a PMS system that continuously collects and evaluates complaints, adverse events, scientific literature and field data. The aim is to identify new risks at an early stage, initiate corrective actions and keep the clinical evaluation up to date. PMS data is included in the annual PSUR (Periodic Safety Update Report).

Is your company looking for a strong partner for management software solutions?

Contact us now and we will introduce you to our products without obligation.

Klingt spannend? Teilen Sie diesen Beitrag doch mit Ihrem Netzwerk.

Is your company looking for a strong partner for management software solutions?

Contact us now and we will introduce you to our products without obligation.