Picture this: an auditor walks into your facility and asks your receptionist to describe the company’s quality policy. The receptionist — six years on the job, knows where everything is — stares back with the expression of someone asked to explain quantum entanglement in Portuguese.
“We care about quality?” she offers hopefully. The auditor writes something down.
This scene plays out at facilities across the regulated industry, and it is entirely preventable. §5.3 of ISO 13485:2016 has a clear job: make sure your quality policy is real, meaningful, communicated, and understood. Not just a poster. Not just a sentence buried in your quality manual. An actual policy that means something to the people working under it.
What §5.3 Actually Requires
Top management must establish a quality policy. That part is simple. But the standard goes further — the quality policy must:
- Be appropriate to the purpose of the organization — it should say something about what you actually do
- Include a commitment to complying with applicable requirements and maintaining the effectiveness of the QMS — not just a warm feeling about quality, but a stated commitment to the rules
- Provide a framework for establishing and reviewing quality objectives — meaning it needs to set a direction, not just a vibe
- Be communicated and understood within the organization — this is the requirement that gets companies in trouble
- Be reviewed for continuing suitability — it can’t be written once in 2009 and never touched again
Five requirements. Not twelve. Not forty. Five. And yet.
What “Appropriate to the Purpose” Actually Means
“We are committed to quality and customer satisfaction” is not appropriate to the purpose of a medical device manufacturer. It could apply to literally any company in any industry. It could apply to a bakery. A car wash. A very earnest lemonade stand.
A quality policy that meets §5.3 should reflect what you make, why it matters, and who depends on it. That doesn’t require a paragraph of dense technical language — but it should signal that your organization makes products affecting patient health, and that everyone here understands that. Something like: “We design and manufacture [product category] that meet customer and applicable regulatory requirements so that patients receive safe, effective devices.” It’s not literature, but it does the job.
The policy also needs to provide a framework for your quality objectives — more on that in a moment. If your policy is so generic it couldn’t possibly connect to any specific measurable goal, that’s a problem.
The Framework for Quality Objectives
This is the requirement most people forget. Your quality policy isn’t just a statement of values — it’s supposed to provide a framework for your quality objectives (covered in §5.4.1, coming up in this series).
Think of it as a hierarchy: the quality policy is the strategic direction, and the quality objectives are the measurable targets you set to demonstrate you’re moving in that direction. If your policy says you deliver devices that meet clinical needs, your quality objectives might include on-time delivery rates, complaint response times, or CAPA closure metrics. The policy and the objectives need to connect. If they don’t, auditors will notice. They always do.
Communicated and Understood: The Hard Part
This is where quality policies go to die. It is shockingly common to find a quality policy that:
- Exists only in the quality manual, which nobody reads
- Is printed on a laminated card that lives in a binder in the QA office
- Was recited at exactly one all-hands meeting in 2017 and never mentioned since
- Is posted in the break room in six-point font, wedged between the fire evacuation diagram and the open-enrollment benefits summary
“Communicated and understood” means employees — not just QA, but production staff, engineering, purchasing, receiving — know the quality policy exists, know roughly what it says, and understand how their work connects to it. You don’t need everyone to recite it verbatim. But if an auditor asks a random employee what the company stands for from a quality perspective, the answer shouldn’t be a blank stare followed by “something about patients?”
Include it in onboarding. Reference it at management reviews. Post it somewhere people actually look. Re-communicate it when it changes. None of this is complicated. It just requires doing it.
Reviewed for Continuing Suitability
Your quality policy needs to be reviewed at planned intervals — most organizations fold this into the management review process. The question isn’t “does it still sound nice?” The question is whether it still accurately reflects your organization’s purpose and direction. If you’ve expanded into a new product category, entered a new regulatory market, or significantly restructured your business, your quality policy may need updating.
The review doesn’t have to produce a change every time. But it has to happen, and it has to be documented. “We reviewed the quality policy and it remains appropriate” in your management review minutes is perfectly fine. “Quality policy? We wrote that in 2011” is not.
The Bottom Line
§5.3 is one page in the standard and a genuinely quick win if you approach it with any care at all. The problem isn’t complexity — it’s the temptation to treat it as a box-checking exercise and write something so blandly inoffensive it communicates nothing. Generic quality policies exist because writing a specific one requires thinking about why your organization exists and what quality means in your context. That’s real work, but it’s worth doing.
Write the policy. Make it specific to your organization and your products. Make sure people know about it. Review it. That’s it. Go forth and frame accordingly — just make sure whatever ends up on that wall actually says something.