Here’s a scenario that will feel familiar to anyone who has ever worked in quality: you’ve built a solid QMS. The procedures are written. The records are kept. The nonconformances get documented and closed. And yet, somehow, the organization still operates as though quality is something that happens in a binder in the quality department while everyone else gets on with the real work.
The problem, almost always, is §5.1. Or rather, the lack of it.
Section 5.1 of ISO 13485:2016 is called “Management Commitment,” and it exists because ISO and every regulator who has ever audited a medical device company knows the same uncomfortable truth: a quality management system is only as strong as leadership’s actual investment in it. Not their signature on the quality policy. Their actual, demonstrated, ongoing investment.
What §5.1 Actually Requires
The section is brief, which is either reassuring or alarming depending on your perspective. Top management — and this means the people at the top, not the quality manager, not the RA director, but the executives who run the organization — must provide evidence of their commitment to the QMS. Not intent. Not goodwill. Evidence.
Specifically, the standard requires top management to:
- Communicate to the organization the importance of meeting both customer requirements and applicable regulatory requirements. This has to actually happen — not via a framed quality policy on the wall that no one reads, but through visible, ongoing communication that makes clear quality is a real organizational priority.
- Establish the quality policy. Top management owns this. It doesn’t get delegated to someone who drafts it and then hands it up for a signature. (More on the quality policy in §5.3.)
- Ensure quality objectives are established. Again, owned at the top. The objectives should be real, measurable, and connected to actual business priorities — not recycled year over year because nobody got around to updating them.
- Conduct management reviews. Not delegate them. Not send a proxy. Conduct them. The management review (§5.6) is one of the clearest windows auditors have into whether management commitment is real or performative.
- Ensure the availability of resources. The QMS needs people, infrastructure, and time to function. Top management is responsible for making sure those things exist.
That’s it. Five bullets. The section is short because the concept is simple: management has to be in this. The hard part isn’t understanding what’s required — it’s actually doing it.
What This Looks Like in Real Life
The most common failure mode for §5.1 isn’t outright ignorance — it’s the appearance of compliance without the substance. Management signs the quality policy at the annual review. They attend the management review meeting (or send someone who takes notes and reports back). They approve the QMS budget. And then they return to running the business, leaving quality to the quality team.
Auditors know this pattern cold. When they ask to speak with top management during a surveillance audit and the CEO sends in the quality manager instead, that’s a finding waiting to happen. When the management review minutes are a templated fill-in-the-blank document with no evidence of actual discussion or decision-making, that’s another. When “ensure resources are available” has translated in practice to “the quality department makes do with what it has,” that’s a third.
What genuine management commitment looks like is not that complicated: leadership talks about quality in terms that aren’t just regulatory box-ticking; the quality team’s resource requests get addressed rather than perpetually deferred; management reviews involve real discussion, not a perfunctory read-through of a pre-written summary; and quality objectives are tracked with the same seriousness as financial targets.
None of this requires management to become quality experts. It requires them to treat the QMS as a real system that needs real attention — which, in a medical device company, it absolutely does.
A Note on “Top Management”
ISO 13485:2016 uses the term “top management” throughout Section 5, and it’s worth being clear about what that means. The standard defines top management as the person or group of people who directs and controls an organization at the highest level. In a small company, that might be the founder and CEO. In a larger organization, it might be the executive leadership team.
What it is not: your quality director, acting on behalf of leadership. What it is not: whoever happened to be available when the auditor showed up. If your organization’s structure means quality genuinely reports to a C-suite executive who is actively involved, great — document that clearly. But the responsibilities in §5.1 can’t be entirely sub-delegated away. Someone at the top has to own them.
The Bottom Line
§5.1 is the section that sets the tone for everything that follows in Section 5 — and, frankly, for the entire QMS. A quality system that has genuine leadership support is a fundamentally different beast from one that exists because someone decided the company needed ISO 13485 certification and handed the project to the quality team.
If you’re a quality professional trying to build or improve your organization’s QMS, §5.1 is also your best friend and your most useful lever. When management commitment is real, almost everything else gets easier. When it isn’t, no amount of procedure-writing is going to fill that gap.
Get leadership in the room. Get them engaged. Get them to understand that this isn’t bureaucracy for its own sake — it’s the system that stands between your products and patient harm. That conversation is harder than writing a procedure, but it’s the one that matters most.
Work with Red Hen Admin
Ready to put this into practice?
Whether you need an independent quality system audit or hands-on QMS consulting, Red Hen Admin can help — remote and on-site in Southern California.