ISO 13485:2016

General requirements
applicable regulatory requirements & Compliance, In accordance with ISO 13485 or applicable
regulatory requirements
Document for the roles undertaken by the organization under the applicable regulatory requirements -
sub-clause 4.2.5. Identify the roles undertaken by the organization (manufacturer, distributor or
representative of the manufacturer)
process risks, their levels, their impact on the safety and performance of the product. Justification of
the chosen degree of risk control
Determine the sequence and interaction of these processes – Process flow chart
Criteria and methods to ensure process effectiveness and control
Evaluation record of impact of changes on the medical devices produced under this QMS
Cf. sub-clause 7.3.9
List of outsourced processes & its Monitor and control -That may affect compliance with
requirements. List of outsourced processes, associated risk levels
Document procedures for the validation of software used in the QMS
Cf. sub-clause 4.2.4
Validate software applications prior to initial use and after any change
List of validated software used in the QMS
Keep validation and revalidation activities proportionate to the risk associated with the use of the
software
For each software used, justify the validation approach in relation to the level of risk
Documentation requirements
MDQMS manual and quality objectives and
Cf. sub-clauses 4.2.4 and 4.2.5 . Quality policy and objectives are formalized
documented procedures and records required by the standard ISO 13485
Establish and maintain a file containing documents to demonstrate conformity to the requirements of
the standard ISO 13485 and applicable regulatory requirements
file a description included of the medical device, intended use and labelling
product specifications included Cf. sub-clause 7.2.1
Control of documents
Ensure that documents of external origin are identified and their distribution controlled
Prevent deterioration or loss of documents
Including electronic files (regular backups)
Prevent the unintended use of obsolete documents -
Outdated (obsolete) documents are identified, stored, archived, locked or destroyed so that they
cannot be used normally
Ensure that changes to documents are reviewed and approved by authorised persons
Either by the original approving function or by a person with pertinent information
Define the period for which obsolete documents will be retained
Cf. sub-clause 4.2.5

Ensure a period for which documents will be retained at least equal to the lifetime of the medical
device, but no less than the retention period as specified by applicable regulatory requirements
List of mandatory documented procedures:

1
  Validation of software applications (sub-clauses 4.1.6, 7.5.6 and 7.6)
 Control of documents (sub-clause 4.2.4)
 Control of records (sub-clause 4.2.5)
 Management review (sub-clause 5.6.1)
 Control of the working environment (sub-clause 6.4.1)
 Design and development (sub-clause 7.3)
 Design and development transfer (sub-clause 7.3.8)
 Control of design and development changes (Sub-Clause 7.3.9)
 Purchasing (sub-clause 7.4)
 Control of production (sub-clause 7.5)
 Process validation (sub-clauses 7.5.6 and 7.5.7)
 Identification and traceability (subclauses 7.5.8 and 7.5.9)
 Product preservation (sub-clause 7.5.11)
 Control of monitoring and measuring equipment (sub-clause 7.6)
 Feedback (sub-clause 8.2.1)
 Claims handling (sub-clause 8.2.2)
 Reporting to regulatory authorities (sub-clause 8.2.3)
 Internal audit (sub-clause 8.2.4)
 Control of nonconforming product (sub-clause 8.3.1)
 Advisory notices (sub-clause 8.3.3)
 Rework (sub-clause 8.3.4)
 Data analysis (sub-clause 8.4)
 Corrective action (sub-clause 8.5.2)
 Preventive action (sub-clause 8.5.3)

Define and apply methods for protecting confidential health information -

In accordance with the applicable regulatory requirements
Keep records legible, readily identifiable and retrievable -
Each record is clear, easy to understand, easy to categorize including electronic files
Keep changes to records identifiable
Rules to apply (e.g. name, signature, date, justification)
Retain records at least at least equal to the lifetime of the medical device –
In accordance with the requirements of the company or applicable regulatory requirements but more
than 2 years after the distribution of the medical device.
List of mandatory records:

 Role of the organization (sub-clause 4.1.1)

 Process control (subclauses 4.1.3 e and 4.2.1 d)
 Validation of software applications (sub-clause 4.1.6)
 General QMS documentation (sub-clause 4.2.1)
 Regulatory requirements (sub-clause 4.2.1 e)
 Medical device file (sub-clause 4.2.3)
 Control of records (sub-clause 4.2.4)
 Responsibilities, authorities and independence (5.5.1)
 Management review (sub-clauses 5.6.1 and 5.6.3)
 Competence of staff (sub-clause 6.2 e)
 Maintenance of infrastructure (sub-clause 6.3)
2
  Working environment (sub-clause 6.4.1)
 Control of contamination (sub-clause 6.4.2)
 Risk management (sub-clause 7.1)
 Production planning (sub-clause 7.1)
 Compliance of processes and product (sub-clause 7.1 d)
 Review of product requirements (sub-clause 7.2.2)
 Communication with the customer (sub-clause 7.2.3)
 Design and development inputs (sub-clause 7.3.3)
 Design and development outputs (sub-clause 7.3.4)
 Design and development review (sub-clause 7.3.5)
 Design and development verification (sub-clause 7.3.6)
 Design and development validation (sub-clause 7.3.7)
 Design and development transfer (sub-clause 7.3.8)
 Design and development changes (sub-clause 7.3.9)
 Design and development files (sub-clause 7.3.10)
 Control of suppliers (sub-clause 7.4.1)
 Purchasing information (sub-clause 7.4.2)
 Verification of the purchased product (sub-clause 7.4.3)
 Verification and approval of medical devices before release (sub-clause 7.5.1)
 Installation and verification of medical devices (sub-clause 7.5.3)
 Servicing activities (sub-clause 7.5.4)
 Process validation (sub-clause 7.5.6)
 Unique identification (sub-clause 7.5.8)
 Traceability (sub-clause [Link])
 Customer property concern (sub-clause 7.5.10)
 Preservation of product (sub-clause 7.5.11)
 Calibration and verification of measuring equipment (sub-clause 7.6)
 Validation results of monitoring and measuring software (sub-clause 7.6)
 Feedback (sub-clause 8.2.1)
 Complaint handling (sub-clause 8.2.2)
 Reporting to regulatory authorities (sub-clause 8.2.3)
 Internal audits (sub-clause 8.2.4)
 Monitoring and measurement of the product (sub-clause 8.2.6)
 Nonconformities (sub-clause 8.3.1)
 Authorization of concession (sub-clause 8.3.2)
 Advisory notices (sub-clause 8.3.3)
 Rework (sub-clause 8.3.4)
 Analysis of data (sub-clause 8.4)
 Corrective action undertaken (sub-clause 8.5.2)
 Preventive action undertaken (sub-clause 8.5.3)

Quality Policy
Establish the quality policy-
Quality objectives

3
Establish quality objectives at relevant functions within the organization
Including those needed to meet applicable regulatory and product requirements. Cf. sub-clause 7.1
Ensure measurable quality objectives
Cf. sub-clause 7.1
Define, document and communicate responsibilities and authorities
Cf. sub-clause 4.2.5. Clear and internally available job descriptions (also organization chart,
competency matrix)
Determine and provide the resources needed to implement and maintain the effectiveness of the QMS
Identify and ensure current and future resource needs:

 staff (competencies)
 infrastructure (buildings, workspaces, facilities)
 process equipment (software, hardware)
 support services (logistics, communication)

Determine the necessary competence-

For personnel performing work affecting product quality
Provide training -
Or take other actions to achieve or maintain the necessary competence
Evaluate the effectiveness of the training -
The method is proportionate to the risk associated (Impacts on safety and regulatory conformity of
medical devices)
Retain records of education, training, skills and experience-
Cf. sub-clause 4.2.5
Infrastructure
List of Equipment/server and maintenance of these equipment
Retain records on maintenance activities
Cf. sub-clause 4.2.5
product realization
Plan the processes needed for product realization-
Cf. sub-clause 4.2.5. These are all processes that meet customer needs and expectations (from quote
request to after-sales service). A process mapping can clarify the overall image of product realization
Document the risk management processes throughout product realization-
Cf. sub-clause 4.2.4. More information in ISO 14971 (Medical devices - Application of risk
management to medical devices)
Retain records of risk management activities-
Cf. sub-clause 4.2.5
Determine the verification, validation, monitoring, measurement, inspection and test, handling,
storage and distribution activities -
And traceability activities specific to the product
Determine requirements specified by the customer, including those for delivery and post-delivery
activities-
Identify and apply customer needs and expectations to internal product requirements (realization,
delivery and post-delivery)
Determine requirements for intended use-
Identify and apply implicit client needs and expectations (lifetime warranty, exemplary reliability,
simple maintenance)
4
Determine applicable regulatory requirements-
Identify all applicable requirements related to the product (including recycling and disposition) and
implement a legal watch
Plan and document arrangements for communicating with customers in relation to advisory notices
Cf. sub-clauses 8.3.3 and 4.2.4
Prepare procedures for design and development –
-Planning
-Design and development inputs
- design and development outputs
- design and development Review
- design and development verification
- design and development validation
- Document procedures for transfer of design and development outputs to manufacturing
- Document procedures to control design and development changes

Maintain a design and development file for each medical device type or family

Document procedures to ensure that purchased product conforms to specified purchasing information
Cf. sub-clause 4.2.4. Information is internal requirements
Establish criteria for the evaluation and selection of suppliers-
The purchasing process includes the criteria for on-going (monthly or quarterly) evaluation of
suppliers (% of purchased nonconforming products detected in reception, production and post-
production inspection)
Verification of purchased product
Establish and implement inspection activities-
To ensure that purchased product meets specified purchasing requirements. The purchasing process
includes the identification and implementation of both reception and in-process inspections
Servicing activities
Document servicing procedures, reference materials and reference measurements-
For performing servicing activities and verifying that product requirements are met. Cf. sub-
clause 4.2.4. If the servicing activities of the medical device constitute a specified requirement (such
as maintenance)
Identification
Document procedures for product identification
Cf. sub-clause 4.2.4
Identify product by suitable means
Throughout product realization
Traceability
Document procedures for traceability
Cf. sub-clause 4.2.4. Product preservation includes all stages of the product's life cycle (receiving,
producing, handling, storing, delivering)
Retain traceability records Cf. sub-clause 4.2.5
Customer property
Identify, verify, protect and save guard customer property provided for use or incorporation into the
product
When customer property is under the control of the organization or being used
Retain records of the results of calibration and verification
5
Cf. sub-clause 4.2.5
Feedback
Customer feedback process the review of the experience from post-production activities
If it is required by applicable regulatory requirements
Complaint handling
Document procedures for complaint handling
Cf. sub-clause 4.2.4. Within appropriate time limits in accordance with applicable regulatory
requirements
Reporting to regulatory authorities
Document procedures for providing notification to the appropriate regulatory authorities about
complaints that meet specified reporting critéria of adverse events or issuance of advisory notices
Cf. sub-clause 4.2.4. If applicable regulatory requirements require it
Retain records of reporting to regulatory authorities
Cf. sub-clause 4.2.5
Internal audit
Conduct internal audits at planned intervals
To determine whether the QMS conforms to planned and documented arrangements, to requirements
of ISO 13485 standard, to QMS requirements and to applicable regulatory requirements
Monitoring and measurement of processes
Ensure that nonconforming product is identified and controlled
To prevent its unintended use or delivery
Document a procedure to define the controls of nonconforming product
Cf. sub-clause 4.2.4. Determine the related responsibilities and authorities, identification,
documentation, segregation, evaluation and disposition of nonconforming product
Rework
Verify the reworked product
To ensure that it meets applicable criteria and regulatory requirements
Retain records of rework
Cf. sub-clause 4.2.5