Core QMS Requirements

Overview

The SFDA requires all medical device manufacturers, importers, distributors, and Authorized Representatives to implement a QMS that meets ISO 13485:2016 (or SFDA.MD/GSO ISO 13485). This page outlines the core QMS elements the SFDA expects to find in place. See ISO 13485 Overview for the certification requirements and SFDA CABs for certification body selection.

Management responsibility

Senior management must demonstrate commitment to the QMS:

Establish and communicate a quality policy aligned with the organisation's purpose
Set quality objectives — measurable, monitored, and reviewed
Define and communicate roles, responsibilities, and authorities throughout the organisation
Conduct regular management reviews of QMS performance, including PMS data, audit results, CAPA status, and regulatory changes
Ensure sufficient resources — personnel, infrastructure, and work environment — are allocated to QMS activities

Design and development controls

For manufacturers (not distributors or importers), the QMS must include documented design controls covering:

Design and development planning — phases, reviews, verification and validation activities
Design inputs — intended use, performance and safety requirements, regulatory requirements
Design outputs — device specifications, manufacturing requirements, acceptance criteria
Design review — formal reviews at defined stages with records
Design verification — confirming outputs meet input requirements (testing)
Design validation — confirming the finished device meets user needs and intended use (including clinical evaluation)
Control of design changes — assessment and approval process for any change to design, materials, or manufacturing

Document and record controls

The QMS must maintain:

A documented procedure for approving, reviewing, and updating controlled documents
Version control ensuring only current, approved versions are in use
Record retention — defined retention periods for all quality records, including technical file documents, manufacturing records, complaints, and CAPA records
Legible, identifiable, and retrievable records

Purchasing controls

For components, materials, and services that affect product quality:

Documented supplier evaluation and approval process
Supplier monitoring — ongoing performance assessment
Documented purchasing specifications for all critical inputs
Incoming inspection or supplier certificate acceptance procedures

Production and process controls

Manufacturing must be performed under controlled conditions:

Work instructions — clear, documented instructions for all production steps
Process validation — for processes where output cannot be fully verified by inspection (e.g. sterilisation, injection moulding, welding)
Traceability — ability to trace each device from raw materials through production to distribution
Equipment maintenance and calibration — documented preventive maintenance and calibration of production and measuring equipment
Environmental controls — cleanrooms, temperature, humidity as required by device type

Corrective and Preventive Action (CAPA)

CAPA is one of the most closely scrutinised QMS elements during SFDA inspections:

Documented procedure for investigating and resolving non-conformities
Root cause analysis — systematic determination of the cause of the non-conformity
Corrective actions — actions to eliminate the root cause and prevent recurrence
Preventive actions — proactive actions to prevent potential non-conformities
Verification of effectiveness — confirming that actions taken have resolved the issue
CAPA records must be complete, timely, and linked to the originating event

SFDA inspection focus

CAPA records are frequently the first documents requested during an SFDA inspection. Incomplete, delayed, or superficial CAPAs are a common finding. Ensure every CAPA record includes a genuine root cause analysis, not just a surface-level description.

Complaint handling and vigilance interface

The QMS must include:

A documented complaint handling procedure covering receipt, logging, evaluation, investigation, and response
A process for determining whether a complaint is a reportable adverse event under MDS-REQ 5 (NCMDR reporting threshold)
Trend analysis — monitoring complaint frequency and patterns to detect safety signals
Linkage between the complaint handling system and the CAPA process for systemic issues
Interface with the AR for adverse events requiring NCMDR reporting in Saudi Arabia

Servicing

If the device requires after-sale servicing or installation:

Documented servicing procedures
Service records for each service event
Process for determining whether servicing activities reveal new safety information requiring reporting

Internal audits

The QMS must include a programme of internal audits:

Planned audit schedule covering all QMS processes
Qualified auditors independent of the area being audited
Audit reports documenting findings
CAPAs raised for all significant findings
Management review of audit results

Overview​

Management responsibility​

Design and development controls​

Document and record controls​

Purchasing controls​

Production and process controls​

Corrective and Preventive Action (CAPA)​

Complaint handling and vigilance interface​

Servicing​

Internal audits​

Further reading​