
Medical Devices:

ISO 13485 and ISO 9001

Dr Dennis Green
The right of Dr Dennis Green to be identified as author of this work has been asserted in accordance with the
Copyright, Designs and Patents Act 1988.

© British Standards Institution 2005

Copyright subsists in all BSI publications. Except as permitted under the Copyright, Designs and Patents Act 1988,
no extract may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic,
photocopying, recording or otherwise – without prior written permission from BSI. If permission is granted, the terms
may include royalty payments or a licensing agreement. Details and advice can be obtained from the Copyright Manager,
BSI, 389 Chiswick High Road, London W4 4AL, UK.

Great care has been taken to ensure accuracy in the compilation and preparation of this publication. However, since it is
intended as a guide and not a definitive statement, the author and BSI cannot in any circumstances accept responsibility for
the results of any action taken on the basis of the information contained in this publication nor for any errors and omissions.
This does not affect your statutory rights.

BSI reference: BIP 2071


ISBN 0 580 45644 7

Typeset by Typobatics Ltd


Printed by The Charlesworth Group

Preface

The idea of writing a book on the latest version of the medical devices quality management
systems standard, ISO 13485:2000, arose shortly after I began to study the standard. At one
stage in my career I had been involved with the use of a wide range of such devices after I
had been appointed Assistant Regional Physicist in the Department of Clinical Physics and
Bio-Engineering of the Greater Glasgow Health Board. It became the biggest department of its
kind, certainly in the United Kingdom, if not in the world, with over 200 staff, which included
about 80 physicists, other scientists and many technicians. Later in my career, by invitation,
I became a director and board member of a company manufacturing medical devices, which
gave me further insight into this industry.

On examination of ISO 13485 it immediately became apparent that the standard is very closely
linked to ISO 9001, both in format and content. The emphasis of this book is on
the requirements of ISO 13485, but each corresponding clause of ISO 9001 is also considered.
Thus, any differences between the two standards are readily and easily identified.

The first edition of the medical devices standard, ISO 13485, was published in 1996.
Its title was:

Quality systems – Medical devices – Particular requirements for the application of ISO 9001

The second edition of ISO 13485 published in 2003 has a revised title:

Medical devices – Quality management systems – Requirements for regulatory purposes

The ISO 9001 quality management systems standard was published in December 2000.
It was the culmination of several years’ work by the international Technical Committee 176,
of the International Organization for Standardization (ISO), which had met at regular intervals
following the publication of the last revision of the standard in 1994. The revision of standards
is a routine procedure and committees responsible for revisions always consider any feedback
from users of an existing standard. In the case of ISO 9001:2000, the standard that replaced
three of the 1994 standards (9001, 9002 and 9003), this was reflected in committee drafts
(CD1, CD2 and CD3) and these draft international standards were widely circulated for
comments. There was also a final draft international standard, which had limited circulation.
The end result was not a perfect revised standard, but many people appear to agree that
ISO 9001:2000 is an improvement on its precursors.

There is one important difference between ISO 13485 and ISO 9001. The prime requirement
of ISO 13485 is to ensure that medical devices and related services are provided to consistently
satisfy customer requirements as well as any applicable regulatory requirements. The customer
in the case of medical devices is in most cases not the end user or recipient of the medical
device, but an intermediary, namely, a doctor, scientist or technologist, technician or a nurse.
The prime customer might also be a general medical practitioner. Aside from regulatory
requirements being met, another important objective of ISO 13485 is the promotion of
international harmonization of medical products.
Satisfying customer requirements, both intermediate users and/or end users and regulatory
requirements, applies just as much to ISO 9001, but the promotion of harmonization of
products and services is not within its scope. It does, however, require top management to
strive to enhance customer satisfaction through the effective application and continual
improvement of its quality management system. It is important to realize that the continual
improvement in the quality management system does not mean continual improvement in a
product, although some improvements might occur as a result of improvements in the quality
management system. This is not a requirement of ISO 13485 and a manufacturer of medical
devices, or an organization that services medical devices, does not have to strive to enhance
customer satisfaction through the effective application and continual improvement of the
quality management system (see Chapter 4).
Chapter 1 gives the historical background to quality and quality assurance and the basis of
quality management systems. There is a difference between quality and quality assurance.
Many people use the term quality without really understanding what it means. The term
quality assurance is a little better understood, especially amongst manufacturers.

Chapter 2 shows how quality assurance standards were pursued after the First World War up
to and including the 1994 series of standards, although the emphasis of the later standards
did change a little. For instance, the concept of management principles was introduced in 1994
and in ISO 9001:2000, ‘management’ was included in its title.

Chapter 3 gives general background information on ISO 13485, Medical Devices and
ISO 9001:2000. Both standards place great emphasis on processes and two process
diagrams, or flow sheets, are included in this book as examples.
Chapters 4, 5, 6, 7 and 8 are the requirement clauses. These must be addressed for
compliance with the two standards.

Clause 6, on resource management, refers for the first time in any of the quality management
system standards to competence (clause 6.2.2). Its introduction by the international committee
that drafted the quality management standards is commendable. Perhaps the increasingly wide
adoption of the latest quality management system standards will result in organizations
investing in training to improve staff competence. This should lead to increased organizational
competence in all sectors.

Clause 7, in both standards, is an exceptional one in that parts of it need not be addressed,
provided any exclusion can be justified and the exclusion is explained in the quality manual.
Clause 7.3, design and development, is one example of possible exclusion. Because there is
evidently some confusion over possible exclusion of this important clause, Chapter 9 is
devoted to this matter.

Chapter 10 provides typical guideline audit questions, which are relevant to both process
auditing and compliance auditing against the standards. There is much common ground
between the two standards, but to help the reader, where there are differences the
requirements for ISO 13485 are printed in italics, whereas the corresponding ISO 9001
requirements are printed in bold.

In some cases a question is printed only once when there are only a few extra words to be
added to comply with the additional requirements of ISO 13485. These additional words in
a question are also printed in italics.

Appendix 1 includes the mandatory procedures for ISO 9001. It is recommended that any
other procedures, mandatory or otherwise, follow the same format.

This book should be of special interest to those:

• who manufacture and/or service medical devices and who wish to seek accredited
certification only to ISO 13485; and
• who manufacture and service medical devices, but also other products, so that both
the standards can be applicable.

It is hoped that this book will benefit many different kinds of managers. First and foremost I
hope that it will be of interest to (what the standards refer to as) top management. These are
people who direct and control organizations. In accordance with ISO 9001:2000, an external
auditor from a certification body is now expected to determine whether there is a commitment
by top management to its quality management system. A committed top manager is more
likely to create a new culture in which corporate competence and individual competence are
in the forefront of the minds of all workers.

The book should also be of interest to professionals and those who aspire to become
professionals. This includes auditors of all kinds: internal auditors, second-party and third-party
auditors.
The views expressed in this book are those of the author. The author is confident that if the
guidelines included in this book are followed in interpreting the five requirement clauses of
ISO 13485 and ISO 9001 any organization is likely to achieve certification at the first attempt
for either or both standards.
It would be impossible to thank personally all those who have made the writing of this book
possible. Much of the book is based on my experience as an auditor, mainly auditing against
the quality management standards on behalf of certification bodies. I should like to express my
thanks to these certification bodies, which have provided me with many opportunities for
third-party auditing. I should also like to thank the people in many organizations whom I have
subjected to the rigours of third-party auditing. All these people whom I have met at different
levels within such organizations have, without exception, received me kindly into their
organizations to enable me to carry out my duties. Without such acceptance, auditing would
have become an unwelcome task and one that I would have abandoned a long time ago.

Table of Contents

Preface

Chapter 1: Brief historical background to quality assurance
Home production
Factory production
Mass production and quality inspectors
Association of Inspectors
Disadvantages of using quality inspectors
Quality control
Meeting requirements of a contract
Quality
Quality assurance

Chapter 2: Quality standards
The birth of the modern technological age
Military standards
The first non-military standard (1979)
ISO 9001, 9002 and 9003 (1987)
The ISO 9000:1994 series of quality assurance standards
Eight management principles
BSI Benchmark on the eight management principles
Latest revision of the 1994 series of quality standards
Numbers of ISO 9001 certificates worldwide

Chapter 3: ISO 13485 Medical Devices and ISO 9001
Core terms and definitions
ISO 13485 and ISO 9001
ISO 13485
ISO 9001
Format of ISO 13485 and ISO 9001
Process models
Continual improvement in the effectiveness of the quality management system (ISO 9001 only)

Chapter 4: Quality management systems (clause 4)
General requirements
Documentation requirements

Chapter 5: Management responsibility (clause 5)
Management commitment
Customer focus
Quality policy
Planning
Responsibility, authority and communication
Management review

Chapter 6: Resource management (clause 6)
Provision of resources
Human resources
Infrastructure
Work environment

Chapter 7: Product realization (clause 7)
Planning of product realization
Customer-related processes
Design and development
Purchasing
Production and service provision
Control of monitoring and measuring devices

Chapter 8: Measurement, analysis and improvement (clause 8)
General
Monitoring and measurement
Control of nonconforming product
Analysis of data
Improvement

Chapter 9: Justification for exclusion of design and development
Introduction
Manufacturing organizations
Service organizations
Outsourcing of design and development work
Example - Hospitals
Example - Legal companies
Other Cases

Chapter 10: Guideline audit questions
Introduction
Quality management system (clause 4)
Management responsibility (clause 5)
Resource management (clause 6)
Product realization (clause 7)
Measurement, analysis and improvement (clause 8)

Appendix 1: Quality management system mandatory procedures
PC 101 – Control of Documents
PC 102 – Control of Records
PC 103 – Internal Audit
PC 104 – Control of Nonconforming Product
PC 105 – Corrective Action
PC 106 – Preventive Action

Appendix 2: Compliance with European Union Directives: Medical Devices

Appendix 3: References

Figures and Forms
Figure 3.1 – A simple process
Figure 3.2 – A process showing consecutive activities
Figure 3.3 – Example flow diagram (1)
Figure 3.4 – Example flow diagram (2)
Figure 4.1 – Quality management system documentation
Figure 5.1 – Organizational chart
Quality Policy
Quality Objectives
FM 101 – Control of Framework Documentation
FM 102 – Acceptance of Documentation
FM 103 – Register of Framework Documentation
FM 104 – Change Request
FM 105 – Changes to Framework Documentation
FM 121 – Internal Audit Schedule
FM 122 – Register of Internal Audits
FM 123 – Internal Audit Questionnaire
FM 124 – Nonconformity or Observation Form
FM 125 – Internal Audit Report
FM 131 – Register of Nonconformities
FM 132 – Nonconformity Form
FM 141 – Register of Complaints
FM 142 – Complaint Form

Chapter 1:
Brief historical background to quality assurance

Home production
In the past, when making an object, a skilled craftsman would examine the object carefully at
each stage of its construction. When it was completed, the craftsman would check it in detail
to ensure that it was acceptable according to the craftsman’s standards. A second item of the
same type would probably not be exactly the same, but would have been produced to the
same high standards.

Factory production
When standard items began to be produced in factories, a worker was appointed to oversee
the work of others. This ensured, as far as was possible, that similar items were identical in
all respects.

Mass production and quality inspectors


Later, military requirements demanded mass production of goods and a high level of accuracy
in their production. Quality inspectors were introduced to maintain the standards of accuracy
required, by ensuring that any items that did not achieve the required specification were
detected and prevented from reaching the Armed Forces.

Association of Inspectors
In 1919, an Association of Inspectors was formed at the Woolwich Arsenal in London and
this association was the predecessor of the Institute of Quality Assurance, IQA, which was
established on 20 June 1972. This institute is now recognized as the professional body for
quality practitioners, with the vision, ‘We lead in quality’.

Disadvantages of using quality inspectors


There are a number of disadvantages in using quality inspectors to ensure that all products of
a given design have been made to the same specification. Inspection of all products made
increases costs. As mass production techniques improved, the rate at which products were
made increased and the number of inspectors had to be increased accordingly. Ensuring that
substandard products did not reach customers, by identifying faulty products at the end of a
production line and thereby preventing them from being despatched, was beneficial to all
parties. However, the cost of the rejected products had to be absorbed into the charges made
for the accepted products. The findings of inspections were often available only after many
other products had been manufactured. Other unacceptable products might have been
produced before corrective action was taken. The feedback could be used only to correct
products that were at earlier stages of production. This feedback would have been of some
benefit because it might have resulted in a tighter manufacturing specification with tighter
controls at more frequent stages in the manufacturing process. It soon became apparent that,
because of human error, inspection of every item did not detect all faults. The monotony of
the inspection tasks resulted in faulty products being missed, and when many inspectors were
involved with the same product line, there was often a wide variation in the products that
were accepted.

Quality control
These difficulties in mass production led to a new concept of quality control, in which faults
were detected at every stage of production, rather than only at the end of a production line.

A quality controlled process is one in which monitoring and measurements are made
at appropriate points during major and supplementary processes. The monitoring and
measurements can be made manually, although now they are often done automatically,
either continuously or continually. Any measurements made are compared with the required
measurements at that particular point, and data are then fed back. This procedure allows
corrections to be made earlier in the process, so that the required output specification is
obtained. Thus, quality control can be defined as all the monitoring and measurements that
are made to control major and supplementary processes so that the product or service meets
the specified requirements.

Meeting requirements of a contract


All of these quality inspections and quality controls had the same objective, namely, to give
confidence to customers that a product would meet the requirements of a contract. In other
words, the product would be quality assured.

Quality
It is important to differentiate between quality and quality assurance. Quality is used in many
situations. There are at least 15 definitions of ‘quality’ in print. The following definition of
quality is preferred here.
‘Quality: excellence as perceived by a customer or a stakeholder’ [1].

Quality assurance
Quality assurance can be defined as a pledge to a customer that the quality (as seen,
demonstrated, defined, or agreed and accepted) will be maintained for a particular product
or a particular service.

Chapter 2:
Quality standards

The birth of the modern technological age


Anyone born after 1945 has grown up in a world of rapidly increasing scientific knowledge and
unprecedented technological changes. The driving force behind most of the technological
changes that began in the immediate post-war era was the need of Western governments to
build new weapons as a defence against the communist threat to the West. Shortly after the
end of the Second World War, the Cold War began. The North Atlantic Treaty Organization
(NATO) was formed in 1949 and this led to orders for new and highly sophisticated defence
equipment and to the first national military quality systems standard on quality assurance.

Military standards
In 1959, the first military national standard, MIL-Q-9858-A, was issued by the American
Department of Defense. Later, some of the European NATO countries started to re-arm
and NATO equipment had to be built to the same agreed design specifications. There was a
need to ensure that all equipment made to the same design specification really was the same,
i.e. was quality assured, whether it was made in one factory, or in ten factories, and whether
it was made in the UK or elsewhere. Thus, NATO prepared design and manufacturing
specifications for military equipment. These were first published in 1968 and were known
as Allied Quality Assurance Publications, or AQAPs.

In 1973, the British Ministry of Defence changed the AQAP documents, when it was
considered necessary, to place greater emphasis on design. This was done with the support
of the industry. The changed AQAP documents were published as Defence Standards in the
05 series: 05 21, 05 24 and 05 29.
In November 1972, the British Standards Institution published BS 4891, A guide to quality
assurance. In 1974, they published BS 5179, A guide to the operation and evaluation of quality
assurance systems.

By 1979, the British Ministry of Defence (MOD) had selected 3,000 companies, which it
believed would be able to provide quality assured products under future defence contracts
and reduced its number of inspectors from 16,500 to 3,000.

The first non-military standard (1979)


In 1976, Sir Frederick Warner, the Chairman of the British Standards Institution, recommended
in a report to the government that all purchasing organizations in the UK should use a common
quality assurance standard. Rear Admiral D. G. Spickernell, who was later to become a
Director General of BSI, strongly recommended that the newly appointed committee should
adhere to the Defence Standards as closely as possible; otherwise, the UK would have separate
criteria for defence and non-defence contractors.
In 1979, the first Quality Systems Standard, a British Standard, BS 5750, was published.
This was a generic manufacturing standard that was based on the earlier military standards.
Within a short time, many major purchasers in the UK who had modified their purchasing
arrangements in accordance with the new standard had adopted it.

At about this time, the British Standards Institution proposed to the International Organization
for Standardization (ISO) based in Geneva, Switzerland, that a technical committee should be
set up to harmonize the existing quality systems standards in various countries and in various
industries. A Technical Committee, TC 176, was designated this task. (Incidentally, the
International Organization for Standardization is not represented by the acronym IOS, but by
ISO, which is derived from the Greek word ‘isos’ meaning ‘equal’.)

ISO 9001, 9002 and 9003 (1987)


In March 1987, the first international quality systems standards, ISO 9001, ISO 9002
and ISO 9003 were published by the International Organization for Standardization.
These standards were based on BS 5750 with some modifications. In May 1987, BSI
modified their 1979 standard so that it was aligned with the quality systems standards,
ISO 9001, ISO 9002 and ISO 9003 (which were also published by the European
Committee for Standardization (CEN) as EN 29001, EN 29002 and EN 29003).

The ISO 9000:1994 series of quality assurance standards


In 1994, there were further changes. BS 5750 was withdrawn and superseded by BS EN ISO
9001, BS EN ISO 9002 and BS EN ISO 9003. The international standards were directly
adopted by both CEN and BSI.

All three ISO standards are compatible. ISO 9002 and ISO 9003 are in fact subsets of ISO
9001. None was better than the other two; they were merely applicable in different situations.

Eight management principles

General
The 1994 standards refer to eight management principles that are considered to be essential for
the successful management of any organization.

The concepts embodied in these principles form the foundation of a quality management
system based on the ISO 9000:1994 series of standards.

Principle No. 1. Customer-focused organization


Commercial organizations need to understand the needs and expectations of their customers
so that they can meet those needs and also strive to exceed their expectations. Even
non-commercial organizations, such as government departments and other non-profit organizations,
are expected to satisfy the needs and expectations of their customers in terms of competence
and efficiency.
The need to achieve customer satisfaction permeates ISO 9001:2000 and it contains a specific
requirement to monitor customer satisfaction (ISO 9001, 8.2.1).

Principle No. 2. Leadership


Leaders establish unity of purpose and direction for an organization. They should create
and maintain an environment in which people can become fully involved in achieving the
objectives of the organization.

There are many kinds of leadership. ISO 9001:2000 encourages empowerment of employees
through openness of management and trust, as exemplified by a quality policy, quality
objectives, internal auditing, management reviews, and other measures. Such leadership does
not support a ‘no blame culture’, but instead promotes a ‘responsibility culture’ at all levels
within an organization.

Principle No. 3. Involvement of people


The involvement and fulfilment of people at all levels are important for good management of
an organization. The full involvement of all employees enables their abilities to be used for the
benefit of the organization, whilst at the same time providing increased employee satisfaction.
Employees are made responsible for their actions and are encouraged to be involved in some
decision making. Employees are encouraged to take on more responsibilities, after appropriate
training if necessary.
The application of ISO 9001:2000 should result in an integrated quality management system
in which everyone is striving to achieve customer satisfaction. Internal auditing, for example,
if conducted properly, offers opportunities for employees to make detailed suggestions to an
auditor on improvements to working practices. Management review meetings, if conducted
properly, also encourage feedback from all levels on possible improvements. Quality objectives
are required to be set at different levels and all employees can be encouraged to participate in
the setting of such objectives for the areas of work in which they are involved. There are many
opportunities for involving employees.

Principle No. 4. Process approach


All organizations are more likely to achieve success in their operations if they focus on
processes leading to the final objectives of satisfying the needs and expectations of customers.

All organizations have at least one major process, which is why any organization exists
(see Chapter 5 and Figure 5.1). ISO 9001:2000 focuses on processes. Top management is
responsible for ensuring that processes are properly managed from beginning to end by:

• determining customer requirements;
• providing adequate resources (staff, equipment, environment);
• ensuring supplementary processes interact with major processes;
• monitoring and measuring throughout the major processes;
• collecting and analysing data so that continual improvements in the effectiveness of
the quality management system can be made; and
• setting and achieving measurable objectives.

Principle No. 5. Systems approach to management


An organization is likely to become more effective and more efficient in a systems approach
to management in which the interrelated processes are identified, understood and managed
so as to achieve a given objective.

In any successful operation of a major process, there is a need to recognize the importance
of supplementary processes and how they interact with a major process. Third-level processes
also make a contribution. It is this recognition, identification, understanding and control of
such a system of interrelated processes for a given objective that improves the effectiveness
and efficiency of an organization.

Principle No. 6. Continual improvement


Continual improvement should be a permanent overall aspiration of any properly managed
organization.

More specifically in connection with ISO 9001:2000, there is a requirement for continual
improvement in the effectiveness of the quality management system. It is a requirement that
is repeated many times in the different clauses of ISO 9001:2000.

Principle No. 7. Factual approach to decision making


Good management decisions should always be based on the systematic collection and analysis
of data and first-class information.

The ISO 9001:2000 standard requires data to be collected and analysed. Such objective data
provides evidence of what has happened. The collation and analysis of the data will enable
rational decisions to be made based on facts.

Principle No. 8. Mutually beneficial supplier relationships


An organization and its suppliers are interdependent and a mutually beneficial relationship
enhances the ability of both to add value to their products and services.
ISO 9001:2000 encourages the creation and maintenance of good relationships between an
organization and its suppliers. A good working relationship between an organization and its
suppliers enables problems to be tackled honestly, which contributes to the mutual satisfaction
of both parties.

BSI Benchmark on the eight management principles


BSI is currently pioneering a benchmark that enables organizations to measure their performance
against the eight management principles. During the first stage, top management reviews its
management system against the eight management principles. The findings of the review are
independently examined by BSI to determine whether what has been claimed actually happens
at lower levels within the organization. The organizations receive award certificates (bronze,
silver, gold or platinum) depending on their final score. BSI claims that what is more important,
however, is that the report identifies opportunities for improvement and progression.

Latest revision of the 1994 series of quality standards


In December 2000, as explained in the Preface, the ISO 9000:1994 series of standards
(comprising ISO 9001, ISO 9002 and ISO 9003) was replaced by one standard:

ISO 9001:2000, Quality management systems – Requirements.

ISO 9001:2000 does not mention the eight management principles, but the companion
ISO 9004:2000, published simultaneously with ISO 9001:2000, does. It provides guidance
on the interpretation of the new ISO 9001:2000.
Organizations that were certified against the 1994 version were given three years, until
15 December 2003, to conform to the requirements of the revised standard. Otherwise,
their certification lapsed.

Numbers of ISO 9001 certificates worldwide


The latest data, up to the end of 2003, were published in September 2004 and include
both non-accredited and accredited certificates.

The survey shows that by the end of 2003, over half a million ISO 9000 certificates
(old and new versions) had been awarded in over 100 countries [2].

Chapter 3:
ISO 13485 Medical Devices and ISO 9001

Core terms and definitions


medical device (from ISO 13485)
any instrument, apparatus, implement, machine, appliance, implant, in vitro reagent or
calibrator, software, material or other similar or related article, intended by the manufacturer to
be used, alone or in combination, for human beings for one or more of the specific purpose(s) of:
• diagnosis, prevention, monitoring, treatment or alleviation of disease;
• diagnosis, monitoring, treatment, alleviation of or compensation for an injury;
• investigation, replacement, modification, or support of the anatomy or of a
physiological process;
• supporting or sustaining life;
• control of conception;
• disinfection of medical devices;
• providing information for medical purposes by means of in vitro examination of
specimens derived from the human body;

and which does not achieve its primary intended action in or on the human body by
pharmacological, immunological or metabolic means, but which may be assisted in its
function by such means

sterile medical device (from ISO 13485)


category of medical device intended to meet the requirements for sterility

NOTE The requirement for sterility of a medical device might be subject to national or regional regulations or standards.

active implantable medical device


active medical device that is intended to be totally or partially introduced, surgically or
medically into the human body or by medical intervention into a natural orifice and which is
intended to remain after the procedure


active medical device

medical device that relies for its functioning on a source of electrical energy or any
other source of power other than that directly generated by the human body or gravity

advisory notice

notice issued by an organization, subsequent to delivery of the medical device, to provide
supplementary information and/or to advise what action should be taken, subject to regional
and national regulations concerning:
• the use of a medical device;
• the modification of a medical device;
• the return of the medical device to the organization that supplied it;
• the destruction of a medical device.

ISO 13485 and ISO 9001


Both ISO 13485 and ISO 9001 are intended to be generic and applicable to all kinds of
organization, regardless of type or size. Because ISO 13485 specifies a sector-specific quality
management system based on ISO 9001, certification to both standards can be coordinated
with relative ease.
It is accepted that all the requirements of both standards may not be applicable to some
organizations, so that in certain circumstances it will be possible to justify exclusion from some
of the requirements of Clause 7 of both ISO 13485 and ISO 9001 provided such exclusions do
not affect the organization’s ability, or responsibility, to provide a product, or deliver a service,
that meets customer and any applicable regulatory requirements.

As will be explained later, many of the requirements of ISO 13485 are applicable to ISO 9001
(see Chapters 4, 5, 6, 7 and 8). Where there are differences between the standards, these
will be noted. In addition, if ISO 13485 has additional requirements to those required by
ISO 9001, these will be addressed under the relevant clauses.

ISO 13485
ISO 13485 is applicable to organizations manufacturing medical devices or providing related
services.

The requirements of a quality management system based on ISO 13485 can be used as
a foundation for the design and development, production, installation and servicing of
medical devices. The quality management system based on ISO 13485 must satisfy specific
requirements:
This International Standard specifies requirements for a quality management system
where an organization needs to demonstrate its ability to provide medical devices
and related services that consistently meet customer requirements and regulatory
requirements applicable to medical devices and related services.
ISO 13485 is focused on reflecting the current regulations and thereby encourages the
harmonization, i.e. worldwide agreement on medical device regulations.


Note that the terms ‘if appropriate’ and ‘where appropriate’ mean that the requirement
is deemed to be ‘appropriate’ unless the organization can justify otherwise. Some of the
requirements of this standard apply only to named groups of medical devices.

Any requirements in Clause 7 that cannot be applied to medical devices and related services
can be excluded from the quality management system. Clause 7.3 can be justifiably excluded
from the quality management system if regulatory requirements allow such exclusions,
although the same regulation might impose alternative regulations that must be addressed in
the quality management system.

ISO 9001
ISO 9001 is applicable to all organizations that manufacture products or provide services
of any kind.

A quality management system based on ISO 9001 must satisfy specific requirements:
• it needs to demonstrate its ability to provide a product, or deliver a service that
consistently satisfies customer requirements and any applicable regulatory
requirements for such products and services;
• it must aim to enhance customer satisfaction through the effective application and
continual improvement of the quality management system.

Format of ISO 13485 and ISO 9001


Only five requirement clauses have to be addressed in both standards.
These clauses are:

Clause 4: Quality management system;
Clause 5: Management responsibility (in effect top management responsibilities);
Clause 6: Resource management;
Clause 7: Product realization;
Clause 8: Measurement, analysis and improvement.

Many clauses in the two standards are identical, though with some additions and omissions.
Some requirements are less prescriptive and are written in broader terms. In all cases of exact
correlation the basic intent is the same. There are, however, some additional requirement
clauses to be addressed and these are highlighted when they occur.

Process models
The new emphasis in ISO 9001 is on processes because of the wish to align the revised
standard with the environmental management systems standard, ISO 14001. Alignment is
a useful step for organizations that might wish to integrate their quality management system,
their environmental management system, and any other systems such as health and safety
into one comprehensive system. However, integration of these systems will not be achieved
in the near future.


Since ISO 13485 is based on ISO 9001, it also places great emphasis on processes.

A process is simply a number of serial and/or parallel activities that are carefully planned and
executed to achieve the desired objectives. All organizations have at least one process, which
is why any organization exists.

Any process is initiated through some form of input, and the activities that follow will result
in some form of output. In its simplest form, a process consists of an input, one activity and
an output that arises from the activity being applied to the input (Figure 3.1). In practice,
many processes consist of a series of consecutive activities resulting in the required output
(Figure 3.2). Such a series of processes (Figures 3.3 and 3.4) can be referred to as a major
process or a core process. Figures 3.3 and 3.4 are preliminary flow diagrams that will be
modified and improved.
Often a number of supplementary processes (sometimes called secondary processes, or
lower-level processes) have to take place so that a major process can proceed to a satisfactory
conclusion. For example, supplementary processes have to be established in order to purchase
the required materials that have to be ‘fed-into’ the major process at appropriate stages.
Many organizations have more than one major process. One manufacturer might have
a number of different product lines, whereas another organization might provide several
different services, hence several major processes.

One of the lower-level processes that impacts directly on a major process will be
measurements that are taken at certain defined times as the major process proceeds.
Management will have decided at the planning stage which measurements have to be taken,
and when. It will also have decided which instruments need to be calibrated. If calibration is
deemed necessary, the calibration of measuring devices will be undertaken as planned.
It is also important to emphasize that for each first-level process and the associated second-
level processes that impact directly on the first-level process, there may be other background
activities occurring for one or more of the lower-level processes. There is another clear
distinction between second-level processes and third-level processes that concerns timing.
Second-level processes are essential and must be carried out as planned, at given times, so
that a major process can proceed, as planned, to its completion. Third-level processes will
have been deemed desirable by management, but a failure to execute such a process at a
specific time will not impact directly on a major process. For example, the failure to recalibrate
a device as scheduled after one year does not mean that the device has suddenly gone
‘out-of-calibration’ and can no longer be used to make measurements.
Another third-level process might concern cleanliness and tidiness in the production area or
in an office. Any failures in this connection are less likely to have any immediate impact on
the major process; and the timing of cleaning up and tidying up is not likely to have any
immediate impact on a major process. (In extreme circumstances, however, an auditor might
comment that the work environment is not being managed properly and that product or
service requirements are being placed in jeopardy – see page 47.)

The preparation of flow diagrams such as those in Figures 3.3 and 3.4 can help organizations
to rationalize their major processes with the minimum amount of textual documentation.
Lower-level processes can also be shown by means of flow diagrams. Notes, procedures,
work instructions, forms and other material can then be added as is deemed necessary to
ensure effective and efficient operation of the major processes. Software is now available that
enables such process diagrams to be drawn easily.


Continual improvement in the effectiveness of the quality management system (ISO 9001 only)

The explicit requirement in ISO 9001 for continual improvement in the effectiveness of the
quality management system appears a number of times in the standard. Many people have
interpreted this incorrectly to mean continual improvement in the products or services of an
organization. The emphasis is in fact on continual improvement in the effectiveness of the
quality management system. Improvements in the quality management system may result in a
better product or a better service. There are, however, limits to the changes that can be made
to improve a product or a service. If customers are satisfied with what is being provided, they
may not want any changes, particularly if the product or service will cost more. However,
improvements in the effectiveness of the quality management system may result in improved
efficiency, reduced costs and fewer nonconformities, which will benefit the organization and
possibly the customers as well.

[Figure 3.1 A simple process: Input, Activity 1, Output]

[Figure 3.2 A process showing consecutive activities: Input, a series of consecutive activities, Output]


[Figure 3.3 Example flow diagram (1): flow diagram running from ‘Enquiry received’ (invitation to manufacture or invitation to submit tender) through the tender decision, specification, outline design and detailed design (Clause 7.3 is applicable), agreement of the final design and documents with the customer, and clearance for manufacturing to begin, to ‘Manufacturing commences’.]

[Figure 3.3 Example flow diagram (2): flow diagram for a sterilization department covering collection, washing, packaging, sterilization and return of instruments, with full traceability of instruments at every stage, together with sterilizer records (daily, weekly and monthly), planned preventative maintenance, calibration of instruments on sterilizers by an accredited calibration company, and routine checks by a microbiologist on the effectiveness of the sterilizers.]


Chapter 4:
Quality management systems (clause 4)

General requirements (clause 4.1)


Any organization preparing for an accredited certification to both ISO 13485 and ISO 9001
must establish, document, implement and maintain a quality management system that first
and foremost addresses current regulations on medical devices and related services so as to
produce safe and effective medical products and/or related services (ISO 13485), and yet,
without prejudice to this prime requirement, is continually trying to improve the effectiveness
of the quality management system (ISO 9001).
Quality management system documentation can conveniently be divided into three kinds.
The first group is the core documentation, or framework documentation, such as the quality
manual and quality policy. The second group includes working documents that control all the
activities of an organization that are necessary to support all the processes that are required to
achieve the objectives of the organization. The third group includes all quality management
system records, referred to henceforth as QMS records, or simply, records. These are records
that are derived from both the framework documentation and from working documents
(Figure 4.1).
Management can claim to have a quality management system in place when it believes that
all its quality management system documentation has been established, documented,
implemented and is being maintained and that all employees are endeavouring to work in
accordance with the requirements of the documentation.

The organization must clearly identify its major processes (first-level processes), the sequence
and interaction of any such processes and any associated lower-level processes to ensure that
they will result in products or services, or both, that achieve planned results. In the case of
ISO 13485, this means safe and effective medical products or related services and in the
case of ISO 9001, products or services that are safe and satisfy the needs and expectations
of customers.

Top management must ensure that adequate resources are made available and that relevant
information and documentation is always available at appropriate stages during any of the
processes. Above all, management has to ensure that the sequence of activities proceeds in
ways that achieve the planned results in the most efficient manner. At the planning stage the
satisfactory operation and control of first-level processes and any associated lower-level
processes will have been determined beforehand by the identification of the test criteria
to be used at specific stages in the processes. At these stages appropriate monitoring and
measurements will be made. Any data that are collected will be collated and analysed.
Such monitoring and measurements might result in corrective actions being taken. All these
activities also provide opportunities to ensure that any resulting medical devices and related
services are safe and effective and/or that products and services, in general, satisfy the
requirements of customers. In the case of ISO 9001, there is an overriding requirement to
promote continual improvement in the effectiveness of the quality management system.

Outsourcing is the use of resources outside an organization to carry out tasks on its behalf.
If an organization does subcontract (outsource) any processes that could affect product or
service conformity with requirements, then the organization must maintain close control over
such contracts. Any such outsourced products or services must be clearly identified and the
means by which they are tightly controlled must be evident from the quality management
system documentation of the organization.
An organization should consider outsourcing an activity:
• when it is not a major process of the company;
• when the organization does not have the specialized knowledge and skills that are
necessary to carry out certain processes. Whilst these could be acquired in-house it
might be prohibitively expensive to do so.
There are two critical components of a good outsourcing agreement. Firstly, the focus must be
on achieving the needs of the organization that has subcontracted the work, and secondly,
both parties to the outsourcing agreement must be satisfied that the contract between them is
satisfactory.

Documentation requirements (clause 4.2)

General (clause 4.2.1)


The documentation associated with the quality management system can be conveniently
divided into three main categories: the framework documentation, working documents and
records (see Figure 4.1). The records are derived from both the framework documentation and
from the working documents. The framework documentation is the core documentation on
which the quality management system is based. Working documents control all the day-to-day
activities in an organization and these activities would perhaps be taking place in a different
way, if a quality management system was not in place. An organization can claim only that it
has a quality management system in place when the framework documentation and the
working documents exist and all employees are working in accordance with the planned
arrangements as a result of the implementation of the quality management system.
An organization can decide for itself what other documentation is necessary to control the key
aspects of the quality management system. It can also, within the limitations imposed by any
external regulations and standards, decide what other documentation is required.

Records are also required to be kept and maintained as explained below (see procedure
PC 102, Control of Quality Records).


The framework documentation

The framework documentation is the core documentation required to establish and maintain
the quality management system. All documents (with the exception of the quality manual)
can be numbered from, for example, 101 upwards, so that new quality management system
documents can be readily identified and distinguished from pre-QMS documents. This does
not mean that documents with numbers below 100 are no longer relevant. These existing
documents should continue to be used until the new quality management system has been
established. Consideration can then be given to withdrawing any documents that have been
superseded by the new quality management system documents or, if changes have to be made
to existing documents, they can perhaps be recoded and numbered in accordance with the
new quality management system.
The quality management system documentation will include:
1. a quality management system manual;
2. quality management system process diagrams;
3. thirteen mandatory quality management system procedures.
   ISO 13485 also requires the following mandatory procedures:
   • validation of the application of computer software (and changes to such software
     and/or its application) (see clause 7.5.2.1);
   • validation of sterilization processes (see clause 7.5.2.2);
   • identification of returned medical devices (see clause 7.5.3.1);
   • preservation of product (with limited shelf-life or requiring special storage)
     (see clause 7.5.5);
   • monitoring and measuring devices (see clause 7.6);
   • feedback on quality problems and corrective and preventive action processes
     (see clause 8.2.1);
   • monitoring and measurement of product (see clause 8.2.4.1).
   In connection with ISO 9001, these are:
   • control of documents (see clause 4.2.3);
   • control of quality records (see clause 4.2.4);
   • internal audit (see clause 8.2.2);
   • control of nonconforming product (see clause 8.3);
   • corrective action, including customer complaints (see clause 8.5.2);
   • preventive action (see clause 8.5.3).
   Some organizations might prefer to combine several procedures into a single
   document, e.g. correction and preventive action.
4. quality management system policies;
5. quality management system forms;
6. quality management system external documents;
7. quality management system external forms.


A quality policy statement is also required and quality objectives must be set for all levels
within the organization. When ISO 13485 specifies that a requirement, procedure,
activity or special arrangement be ‘documented’, it must in addition be implemented and
maintained. (This is implicit in ISO 9001.)

In addition, ISO 13485 requires that for each type or model of medical device, the
organization must establish and maintain a file either containing or identifying documents
that define product specifications and are in accordance with current regulations and quality
management system requirements. These documents must define the complete manufacturing
process and, if applicable, installation and servicing.

With both standards, an organization is completely free to introduce any other documentation it
deems desirable to ensure the effective planning, operation and control of all its first-level and
lower-level processes. Such controls may be in the form of additional procedures, work
instructions, forms, external documents and external forms. Records are also required as
explained on page 27.

Working documents

There is another important part of any quality management system, namely working
documents. Working documents are all the essential documents that are necessary to ensure
that orders, contracts, and other day-to-day activities are dealt with in ways that satisfy the
needs and expectations of customers. All such documents need to be under proper control.
These are the working documents that an organization considers necessary for the planning,
operation and control of all its processes. Such documents (procedures, work instructions,
forms, external documents and external forms) are likely to be referred to in the organization’s
major and lower-level process diagrams (see Figure 4.1).

In connection with ISO 13485, external documents must include any national or regional
medical device regulations associated with the manufacture of safe and effective medical
devices or provision of related services.
Organizations will not necessarily have all the above categories of documentation. For instance,
some organizations may decide that work instructions are not necessary; others will find that
they do not have external documents (other than the standard itself); and many will not have
any external forms. On the other hand, management may decide that some other additional
form of documentation is required in order to achieve the planned results.
The extent of the quality management system documentation can be decided by the
organization itself, depending on the:
• type of activities;
• size of the organization;
• complexity and interaction of the processes;
• competency of personnel.

Large complex organizations with many employees will probably find it necessary to have a
lot of documentation, whereas a very small organization will require much less documentation.
In addition, an organization that consists of mainly highly qualified professional people will
probably require less documentation than one with few professional people.
The organization can decide for itself whether the documentation is to be in hard copy
throughout, or available electronically on a computer network.


Reference letters, numbers and issue numbers

All documents should be given a reference letter, a number and an issue number to identify
them uniquely. The reference letters listed below are merely suggestions:
QM Quality manual;
PD Process diagrams;
PL Policies;
PC Procedures;
WI Work instructions;
FM Forms;
ED External documents;
EFM External forms.


Each document is given a unique reference number, e.g. 101, which is placed immediately
after the reference letters. In some cases blocks of numbers, e.g. 101 to 110, can be allocated to
certain associated activities. Numbers over 100 are used for new documents that are
introduced when the quality management system is being established. Whenever any existing
documents that are incorporated into the new quality management system are revised, the new
identification system can be introduced for such documents.

The identification letters and the associated number, e.g. PD 101, should be followed by
an issue number, 1 or 2, etc. Forms do not have revision numbers, only issue numbers.
External documents and external forms are listed in a logical manner by the quality manager.

Quality manual (clause 4.2.2)


The organization must establish and maintain a quality management system manual.
The quality manual must address the five main requirement clauses of ISO 13485 and/or
ISO 9001. These are:
Clause 4. Quality management system;
Clause 5. Management responsibility;
Clause 6. Resource management;
Clause 7. Product realization;
Clause 8. Measurement, analysis and improvement.


Management can decide on the format of the quality manual. A quality policy statement is
required and this needs to be a controlled document but it does not need to be included in
the manual. It is usually signed and dated by the chief executive. An example quality policy
statement is given on page 41.
Management has to ensure that quality objectives are set at relevant functions and levels within
the organization. These quality objectives must be measurable and can also be formally issued
as a policy document; an example is provided on pages 42/43. Again, this ensures proper
control and updating is facilitated. There must be a framework in place to ensure that quality
objectives are systematically reviewed. Such reviews provide opportunities for management to
demonstrate its commitment to continual improvement in the effectiveness of its quality
management system.

An organization chart is required. These frequently change and can best be controlled as a
policy document (see Figure 5.1).

Scope and permissible exclusions


The quality manual must include the scope of the quality management system. All the activities
of the organization will be reflected in the scope of the quality management system
documentation and, subsequently, in the scope of ISO 13485 and ISO 9001 certificates.
The standard is intended to be generic and applicable to all kinds of organizations, regardless
of type and size, irrespective of the product being manufactured or the service being provided.
However, it is accepted that all the requirements of ISO 13485 and ISO 9001 might not be
applicable to all organizations. Clause 1 (the scope) of both standards states that exclusion can
be considered where the requirements of the standard cannot be applied due to the nature of
an organization and its product. Such exclusions are, however, limited to the contents of
Clause 7 and are permitted only if the exclusions do not affect the organization’s ability, or
responsibility, to manufacture a product or provide a service that fulfils customer and
applicable regulatory requirements. If requirements are excluded that are not permissible, or if
exclusions of requirements are not adequately justified, then conformity to both standards
cannot be claimed and an external auditor would not be able to recommend to an accredited
certification body that certificates be awarded. The exclusions must also be made clear in any
other publicly available documents, such as certification documents or marketing
documentation, so as to avoid misleading third parties such as customers and stakeholders.

With both standards, organizations have to justify, rather than simply state, any exclusion from
Clause 7. Moreover, the replacement of ‘Design’ by ‘Design and Development’ in the revised
standard will probably make such justifications for exclusions even more difficult in some cases
(see Chapter 9).

Examples of justifiable exclusions

Some examples of justifiable exclusions include:

NOTE Clause numbering applies to both standards.

(a) design and development (clause 7.3) – Chapter 9 is devoted to the possible exclusion
of this clause;

(b) validation of processes for production and service provision (clause 7.5.2).

If an organization is able to demonstrate that a product or a service output can be validated by
subsequent measurements or monitoring, to prove that the planned output results have been
achieved, clause 7.5.2 can be excluded.

Note that in some cases, however, validation is not possible. In these and similar cases, proving
what has been achieved in a particular case results in the output being damaged or completely
ruined. Examples are:
• paint spraying – if paint spraying a car, checking that the required layers of paint
have actually been applied will ‘break’ the surface of the paints;
• sterilization – opening a sterilized package to check whether sterilization has actually
been achieved results in a package that has to be sterilized again before it can be
used;
• welding – destructive testing of a welded joint is not very helpful and it is not
generally economical or practical to X-ray each weld for imperfections.

In all such cases, sometimes referred to as special processes, validation of the processes is
necessary and clause 7.5.2 cannot be justifiably excluded. To achieve validation of such
processes, strict measures have to be in place such as specially trained practitioners, special
equipment and devices, and processes/procedures, which have to be rigidly followed to ensure
that the planned results are in fact achieved.

(c) customer property (clause 7.5.4)

If an organization does not receive any property for incorporation into the organization’s
products, or for activities relating to the organization’s products or services (this includes
intellectual property), then Clause 7.5.4 can be justifiably excluded.

(d) control of monitoring and measuring devices (clause 7.6)

An organization that does not use any monitoring and measuring devices or computer software
to provide evidence of conformity of product or service to customer requirements can
justifiably exclude the whole of this clause.
Examples of such permissible exclusions are:
• recruitment agencies;
• training organizations; and
• legal companies;
since monitoring and measuring devices are not used.

Procedures

A procedure is merely the prescribed way in which an activity is carried out. For example,
a procedure on the ‘control of documentation’ will detail how this has to be achieved.
Procedures can be in any form and format. Procedures tend to be strictly confidential to an
organization, whereas the quality manual is not.
Only 13 procedures are mandatory in the case of ISO 13485 and ISO 9001, but management
will almost certainly decide that many other procedures are required in order to satisfactorily
control its process and lower-level processes. All procedures can be included in the quality
manual, but it is common practice to keep procedures separate. Appropriate cross-references
must be made to procedures in the text of the manual and it is also good practice to list all the
procedures in an appendix.

Interactions between processes


The quality manual must also include a description of the interactions between all the first-
level and lower-level processes in the quality management system. This can perhaps be best
exemplified by one or more flow diagrams for the major processes, each of which refers to
other major processes and lower-level processes. Any notes that are applicable or relevant
to the different stages, as progress is made through the major processes towards satisfactory
completion of a product or a service, should also be included.

Control of documents (clause 4.2.3)


All the documents associated with the quality management system are controlled. The
proper control of documents is essential to ensure that, for example, only the approved latest
documents and forms are in use, even though changes to the documentation will inevitably
be necessary from time to time. The quality manager is usually made responsible for control
of all the documents that are part of the organization’s quality management system.

The mandatory procedure PC 101 explains how this is done.

Records must be controlled differently as explained later.


Mandatory procedure

The mandatory procedure for control of documentation must:

1. review and approve documents for adequacy prior to use. (The ‘review’ part of this
requirement is implicit in ISO 9001 requirement.)

2. ensure that documents are reviewed from time to time, changed if necessary, and
reapproved prior to being reissued;
3. ensure that the latest changes on current documents are identified and that the
current revision status of documents is evident.

Changes in a document can be identified by whatever method the organization decides is
most appropriate. One way is to place an asterisk at the beginning of a sentence or paragraph
that has been changed, or added. Another way is to place a ‘vertical’ line in the left-hand
margin, alongside the changed sentence(s) or paragraph(s).

One way to ensure proper control of any changes is to give each page an issue number and
a revision number, e.g. QMS P 017/2 (Quality Management System Procedure Number 017,
Issue 2) and QMS P 17/2/Rev. 3 (Quality Management System Procedure Number 017,
Issue 2, Revision 3).

4. ensure that relevant versions of applicable documents are always available at points
of use;
5. ensure that documents remain legible and readily identifiable;
6. ensure that documents of external origin (such as documents and forms) are
identified and their distribution controlled;
7. prevent the unintended use of obsolete documents, and if any are retained for
knowledge preservation purposes or any other reason, they must be clearly marked as
being ‘obsolete’ or ‘superseded’ or by any method that clearly identifies their status.

ISO 13485 requires even tighter controls than ISO 9001 when it states that:

[With reference to list item (2)]: The organization shall ensure that changes to
documents are reviewed and approved either by the original approving
function or another designated function which has access to pertinent
background information upon which to base its decisions.
[Importantly in connection with list item (7)]: The organization shall define
the period for which at least one copy of obsolete controlled documents
shall be retained. This period shall ensure that documents to which medical
devices have been manufactured and tested are available for at least the
lifetime of the medical device as defined by the organization, but not less
than the retention period of any resulting record, or as specified by relevant
regulatory requirements.


Control of policy documents

As explained earlier, there are three very important policy documents that need to be carefully
controlled since they are likely to change from time to time. One is the organization chart
(QMS PC 101/1). Another policy document is the quality policy statement (see clause 5.3),
QMS PC 102/1. Yet another very important policy document is one that lists the organization’s
quality objectives, QMS PC 103/1 (see clause 5.4.1). Quality objectives will be systematically
reviewed at regular intervals and each time this is done, the new list of quality objectives can
be given the next issue number.
Any other method of effectively controlling these documents would, of course, be acceptable.

Control of the working documents

One individual, such as the quality manager, does not usually control all working documents,
as is generally the case for framework documents. However, they do need to be controlled
adequately since they will provide useful evidence, i.e. records on the effectiveness of the
quality management system. The quality manager needs to be satisfied that such documents
are properly controlled.

Control of the computerized documents and computer data

An increasing number of organizations now have at least part of their quality management
system documentation on computer. All will have some data on computer. The procedure on
‘control of documents’ must explain how computerized documents and data are controlled
and safeguarded.

Control of records (clause 4.2.4)


QMS records provide objective evidence that something has happened. Records of all kinds
are required and must be maintained to provide evidence of conformity with requirements
and the effective operation of the quality management system.
A documented procedure is required on control of records (PC 102). This must ensure
that records:

• are readily identified;
• are legible and remain legible;
• are stored appropriately;
• are protected from damage;
• can be retrieved easily.

Minimum retention times must be stated for the different kinds of records as well as explicit
arrangements for disposition of records after retention times have been exceeded.
In the case of ISO 13485 the retention time of records for medical devices is more explicit:

The organization must retain the records for a period of time at least equivalent to the lifetime
of the medical device as defined by the organization, but not less than two years from the date
of product release by the organization or as specified by the relevant regulatory requirements.

In the planning stages of the product realization process and the planning of final products or
services, decisions should be made to determine which records must be kept in order to
achieve the planned results. It might be possible to reduce the number of records that were
originally planned once confidence has been established in a certain product or in the
provision of a specified service. Nevertheless, some records will always be required to provide
evidence that the product realization processes and the resulting product or service meet the
specified requirements [see 7.1(d) of both standards].

ISO 13485 and ISO 9001


The two standards help by identifying the records that must be kept to provide objective
evidence of what has occurred. They are named in the standards as follows:

1. management review meetings (see clause 5.6);
2. competence, awareness and training (see clause 6.2.2);
3. records are required to provide evidence that the realization processes and the
resulting product/service meet requirements (see clause 7.1);
4. review of customer requirements and actions taken for the product or service
(see clause 7.2.2);
5. design and development inputs (see clause 7.3.2);
6. results of reviews and any actions taken (see clause 7.3.4);
7. results of design and development verification and actions taken (see clause 7.3.5);
8. design and development validation (see clause 7.3.6);
9. design and development changes (see clause 7.3.7);
10. evaluation of suppliers and actions taken (see clause 7.4.1);
11. validation of ‘special processes’ to achieve planned results (see clause 7.5.2);
12. identification (where appropriate) and traceability (where it is a requirement) of
product or service (see clause 7.5.3);
13. lost, damaged or unsuitable customer property (see clause 7.5.4);
14. calibration records (see clause 7.6);
15. internal auditing (see clause 8.2.2);
16. authorization for release of a product or provision of a service (see clause 8.2.4);
17. nonconformities, corrective actions and preventive actions (see clauses 8.3, 8.5.2
and 8.5.3);
18. customer complaints, corrective and preventive actions (see clauses 8.5.2 and 8.5.3).

Not all the above listing is relevant in given circumstances. The requirements are generally
in line with what many good organizations are already doing in their own interests.

Other records
Any organization, but especially those involved with medical devices and related activities,
might decide that it is in its own interests to keep many more records than is specifically
required by either ISO 13485 or ISO 9001. These could be readily identified from the required
records listed above by numbering them from, say, 101 upwards.


[Figure 4.1 Quality management system documentation. Diagram titled ‘Documentation associated with a quality management system’, with boxes for: framework documentation (quality manual: scope of quality management system, justifiable exclusions, clauses 4, 5, 6, 7 and 8, reference to procedures, appendices; process diagrams; policies, including quality policy, quality objectives and organization chart; procedures; forms; etc.); working documents (procedures; work instructions; forms; external documents; external forms; etc.); external forms and external documents; outsourcing documentation; records.]

Chapter 5:
Management responsibility (clause 5)

Management commitment (clause 5.1)


Every organization has people, such as a chief executive or managing director, who are
ultimately responsible for directing and controlling the organization. In both ISO 13485 and
ISO 9001 explicit responsibilities are placed on top management. This should mean that top
management will be actively involved in the quality management system of the organization.
As a result, managers at lower levels are more likely to take a greater interest in the quality
management system.
ISO 13485 requires evidence of the commitment of top management to the development and
implementation of the quality management system and to the maintenance of its effectiveness,
whereas the emphasis of ISO 9001 is to continually improve the effectiveness of the quality
management system.
Top management is to:

• ensure that all employees are made aware of the importance of satisfying customer
needs and expectations as well as satisfying any statutory and regulatory requirements
for products and services. (In the case of ISO 13485, ‘statutory requirements’ only
means the safety and performance of medical devices.);
• establish the quality policy (see clause 5.3);
• ensure that measurable quality objectives are set, measured and reviewed from time
to time (see clause 5.4);
• conduct management reviews (see clause 5.6);
• ensure the availability of adequate resources (see clause 6).

Customer focus (clause 5.2)


Both standards state that top management is expected to ensure that customer requirements
are determined and met (see clause 5.2). ISO 9001 adds, ‘with the aim of enhancing customer
satisfaction’, but this is not an appropriate regulatory objective for medical devices. What is
much more important for medical devices is that the quality management system is such that
the organization can consistently produce safe and effective products.

Customer requirements are determined from the stated needs and expectations of customers,
compounded by any statutory and regulatory requirements, whether specified or not and
perhaps unknown to a customer, as well as the organization’s existing knowledge and previous
experience with identical or similar products or services. The requirements specified by the
customer will include requirements for delivery and post-delivery activities. Reputable
organizations have always done this.

Quality policy (clause 5.3)


Top management is responsible for the quality policy statement [see clause 4.2.1(a)], which is a
controlled document (see clause 4.2.3).

The quality policy must be appropriate, i.e. relevant to the purpose of the organization. It
should contain commitments that are realistic and attainable.
The policy statement must include a commitment not only to complying with the requirements
of ISO 13485, but there must also be a commitment to maintain the effectiveness of the
quality management system. (As mentioned in 5.1, the emphasis of ISO 9001 is to continually
improve the effectiveness of the quality management system.)

The quality policy statement must state that a framework exists for reviewing all measurable
quality objectives in a systematic manner.

Top management has the responsibility for ensuring that all employees (including new
employees) fully understand the quality policy statement.
Top management must review the quality policy statement in a systematic way for its
continuing suitability.

It is good practice to have the quality policy on the standard agenda of management review
meetings as a reminder that it is to be reviewed at least once each year, for example, at the
first meeting in the year, or when the need arises because of changes within the organization.
The quality policy statement is part of the quality management system documentation [see clause
4.2.1(a) and the example quality policy statement on page 41].

There is no requirement for the quality policy statement to be included in the quality manual.
However, it is good practice for the quality policy statement to be made into a ‘stand-alone’
document and displayed at strategic points within the organization. It should be written on the
organization’s headed paper, be signed by one or more members of top management and
dated, thus signifying its importance and providing evidence to all employees and other
interested parties that top management is committed to the organization’s quality management
system.
The standard does not require a quality policy statement to be issued to all employees, but it
often is, and managers are encouraged to discuss its implications with the people for whom
they are responsible.


Planning (clause 5.4)


Both standards have identical requirements for this clause.

Quality objectives (clause 5.4.1)


Quality objectives [see clause 4.2.1(a)] must be established at relevant functions and levels
within the organization, including those needed for the product and/or service [see clause
7.1(a)]. Quality objectives must be measurable and consistent with the quality policy
statement. There must also be a framework for reviewing quality objectives systematically as
stated in an organization’s quality policy statement [see clause 5.3 (c)].
As top management is responsible for ensuring that quality objectives are set and measured,
quality objectives should receive a new impetus and importance.

There are two opportunities to set quality objectives:

• at the planning stages across the whole spectrum of an organization’s activities, this
includes setting quality objectives that are relevant for satisfying the requirements for
the manufacture of a product or the provision of a service;

• after implementation of the quality management system or, if this has already been
implemented, after the introduction of any new processes. Feedback from these
activities might identify the need for changes to be made to quality objectives or the
introduction of additional quality objectives.
Different organizations pursuing different activities will choose different targets to focus on
depending on what is most important to the organization.

First group of quality objectives: immediately following implementation of a quality
management system

In the first group of quality objectives the following are given as examples:

• all staff will act in a professional and courteous manner at all times; (Since all quality
objectives must be measurable, this would require a carefully worded questionnaire
to be sent to all customers, or at least to a representative sample. After completion of
the questionnaires, they must be carefully analysed to provide evidence of
professionalism and evidence of courtesy as perceived by the customers.)
• a senior manager will review all staff annually;
• during the first production runs of a new product, at least 90% will successfully pass
the final inspection tests;
• during routine servicing of equipment, a checklist will be used, and no aspect of
servicing will be ‘missed’, as confirmed by an independent inspector.

Other quality objectives will be set during the preparations for introducing a quality
management system.

Second group of quality objectives: experience based quality objectives

This group of quality objectives can only emerge following the collection and analysis of data
after implementation of the (integrated) quality management system.
Measurable quality objectives might, for instance, relate to maintaining or improving performance
in any or all of the areas referred to below. The list is not intended to be exhaustive.


Reduction in the number of nonconformities

Nonconformities can arise in every organization from a number of causes: management failure,
organizational failure, technical failure, and human failure. Any experienced quality
professional knows that identifying nonconformities and dealing with them effectively will
result in improved performance.

A blame-free culture is no longer acceptable. There must be no cover-ups at any level within the
organization. What is needed is first-class management, which can deal with nonconformities in
an appropriate manner. One-off nonconformities by individuals must, of course, be dealt with in
a sympathetic but effective manner.

The first task is to ensure that any nonconformity, once recognized, is documented in a
systematic manner. All nonconformities should be documented using a suitable form. This form
should clearly identify the nonconformity and in the case of failure by an individual, the person
must be clearly identified, whatever their standing within the organization. In a hospital, for
example, if a nurse fails to carry out defined tasks, the name of the nurse must be clearly
stated on the nonconformity form. The name of the person responsible for the corrective
action taken must be stated and, if possible, the date by which the corrective action is to
become effective. Any proposed preventive action taken or planned must likewise be
recorded. Verification that such actions have been carried out satisfactorily must be validated
by the management representative or someone on their behalf.
Top management will ensure that the number and nature of all such nonconformities are
discussed at planned management review meetings. Consideration will then be given to setting
new quality objectives in connection with the identified nonconformities as a means of
providing objective evidence that continual improvements in the effectiveness of the quality
management system are being sought.

The aforementioned sequence of events is really no different from what happens at present
within a good organization that has already achieved accredited certification.

Reduction in number of customer complaints

The detection of nonconformities inside an organization during all the processes should keep
the number of customer complaints to a low level. A ‘no complaints’ objective is unrealistic:
some complaints will always occur as a result of occasional human failure. More seriously,
complaints might arise if the actual product or service provided does not satisfy customer
needs and expectations for other reasons.

All customer complaints, however trivial and whether justified or not, should be recorded on a
suitable form, usually referred to as a customer complaints form. This should clearly identify
the nature of the complaint, who is complaining and when the complaint was received. The
necessary corrective actions must be taken and fully documented and, when deemed
necessary, any preventive actions should be identified to prevent similar occurrences in the
future. Once again, all actions taken need to be validated by the management representative
or another responsible person.

Top management should discuss the number and nature of customer complaints at planned
management review meetings. Consideration should always be given to setting a lower
maximum number of complaints in the ensuing year.


Improvements in warranty

Whatever warranty is currently on offer, there may be opportunities to improve it in some way.
Apart from any rights established in common law and statutory rights, organizations have
warranties, which fall into several categories:

Full warranty, which usually includes parts and labour, postage, etc., covered for specified
periods of time. A quality objective might be to be able to extend the lifetime of the present
full warranty in, for example, a year’s time.

A partial warranty usually excludes labour costs. The feedback from customers in connection
with the warranty will provide useful information on the quality of a product or service and on
customer satisfaction. A quality objective might be to improve this partial warranty.

Number of suppliers and subcontractors


Sometimes a simple quality objective is to reduce the number of suppliers and subcontractors
by, for example, half by the end of the next financial year. This can provide substantial savings.
Any such reduction would reduce administrative costs and would enable the organization to
focus more on the ‘quality’ of the output from the smaller number of organizations.

Delivery times and safe deliveries

There are two aspects in connection with delivery times: from receipt of an order, or having a
tender accepted, to the time of delivery to a customer.

First, data need to be collected on the delivery times for a product and/or for delivery of a
service to a customer. If delivery times are not what were expected or agreed, investigations
should be conducted with the objective of ensuring that in future such shortcomings will not
occur. Thus, a quality objective could be to ensure that all promised delivery times are adhered
to. If there is objective evidence that products are delivered on time, or a service is provided as
scheduled, then a quality objective might be to shorten the delivery times from a specified
date in the future.
Finally, are the arrangements for delivery of a product to a customer satisfactory, e.g. in terms
of damage? If there is any evidence from any source that this is not the case, data need to be
collected and analysed, with the purpose of setting targets for improvement in the safe delivery
of products and/or services. Any such target could become a quality objective.

Improvements in customer satisfaction

Many good organizations have been monitoring customer satisfaction for some time and this is
now a requirement of ISO 9001 (see clause 8.2.1). However, if customer satisfaction is to
become a quality objective, means must be found to measure customer satisfaction. This is
much more difficult and, presumably, this is the reason why measurement of customer
satisfaction, which was included in the earlier drafts of the new standard, was finally changed
to monitoring of customer satisfaction.

Most organizations should avoid making as a quality objective, ‘measurements on customer
satisfaction’ unless sound advice has been taken on this matter and appropriate resources have
been allocated to making the measurements.

Quality management system planning (clause 5.4.2)


When planning the quality management system (see Figure 5.1), top management must ensure
that the general requirements of the quality management system are addressed as well as any
quality objectives such as those referred to in 5.4.1.

Top management must ensure that the integrity of the quality management system is
maintained when changes to it are planned and implemented.

Responsibility, authority and communication (clause 5.5)

Responsibility and authority


Top management must ensure that responsibilities and authorities are defined and
communicated within the organization.

ISO 13485 adds a further sensible requirement, namely that top management must also
establish the interrelation of all personnel who manage, perform and verify work affecting
quality, and must ensure the independence and authority necessary to perform these tasks.

One simple and effective method of doing this is for an organization chart to be issued. This, as
explained earlier, can be another policy document, the issue number of which can be increased
by one each time a change takes place. There is no need for names of staff to be included in
the organization chart but, within the framework of the specified organization, the
responsibilities and authorities of senior staff must be made known throughout the organization.
In the case of the manufacture of medical devices, national or regional regulations might require
the nomination of specific persons as being responsible for activities related to monitoring
experience from the post-production stage, including adverse events (see clauses 8.2.1 and 8.5.1).

Management representative (clause 5.5.2)


Top management must appoint a management representative from amongst its own staff. Other
titles may be used for management representative, such as quality manager, quality director,
and quality coordinator.
The management representative has a number of defined responsibilities:
1. to ensure that the processes needed for the quality management system are
established, implemented and maintained;
2. to report to top management on the performance of the quality management system
and any need for improvement;

3. to ensure the promotion of awareness of regulatory and customer requirements
throughout the organization. (Regulatory requirements are included in ISO 13485.
This is a common sense requirement, which the author believes will be of value in the
next revision of ISO 9001.)

A management representative might have other responsibilities as well, such as liaison with
external parties on the quality management system.

In practice, a management representative plays a key role in the quality management system of
an organization. Typical responsibilities in addition to (1), (2) and (3) above are:

4. (in consultation with others) arranging the internal audit programme, the internal
quality audits, and any consequential corrective and preventive actions;

5. dealing with nonconformities, corrective actions and preventive actions;


6. dealing with customer and stakeholder complaints, corrective and preventive actions;

7. approval of suppliers and subcontractors;

8. establishment and maintenance of supplier and subcontractor lists (approved supplier
and subcontractor lists, temporary supplier and subcontractor lists, non-approved list
of suppliers and subcontractors);

9. control of calibration of inspection, measuring and test equipment;

10. collection and analysis of data for presentation to the management review meetings;

11. arrangement of the management review meetings;

12. preparation and maintenance of QMS records, archiving of QMS records and data
associated with the quality management system (from the framework documentation
and working documents);

13. liaison with certification bodies and other external organizations and people on all
matters relating to the quality management system.

This list of responsibilities of the management representative is not intended to be exhaustive.

Internal communication (clause 5.5.3)


The text in ISO 13485 is no different from that in the corresponding clause of ISO 9001.
Top management needs to ensure that appropriate communication processes are established
within the organization and that communication takes place regarding the effectiveness of the
quality management system. Good internal communications are a two-way process: top-down
and bottom-up.

Top management can choose whatever methods are considered to be most effective in
establishing first-class communications with its staff on the effectiveness of the quality
management system. These might include:

• general meetings held on a regular basis with all staff, i.e. departmental meetings;
• meetings which focus on ‘feedback’ from staff through individual presentations,
written submissions or representations;
• meetings on the suggestion scheme awards, ‘merit recognition’ meetings;
• use of notice boards for imparting important information, in-house journals or
magazines.

Top management should encourage any aspect of the organization’s quality management
system to be discussed by whatever methods seem appropriate in different circumstances.

Management review (clause 5.6)

General (clause 5.6.1)


The text of clause 5.6.1 in ISO 13485 is no different from that in the corresponding clause of
ISO 9001.

Top management must review the organization’s quality management system, at planned
intervals, to ensure its continuing suitability, adequacy and effectiveness. The review must
include assessing opportunities for improvement and the need for changes to the quality
management system, including the quality policy and quality objectives.

There is no requirement regarding the frequency of management reviews. The organization can
decide for itself the planned interval between such reviews. However, it is evident that reviews
that are held only annually cannot be of any real value to an organization and certainly cannot
enable top management to be in control of its quality management system. Moreover, by holding
such infrequent reviews, top management is depriving itself of a most valuable management tool.

Extraordinary management reviews may be called at any time by top management, but the
standard agenda need not be used on such occasions. The management representative will play
a leading role in the preparations for the management reviews and in the ensuing discussions.
Management reviews must be recorded. The customary method is by means of minutes that
include the findings of the reviews, the actions to be taken and the names of persons
responsible for carrying through such actions by specified dates. Records of all management
reviews become part of QMS records (see clause 4.2.4).
The standard identifies items for inclusion in the agenda of management reviews (see clause
5.6.2) and through the output clause (see clause 5.6.3) requires decisions and corresponding
actions to be identified. Many organizations hold management review meetings based on a
comprehensive agenda, and proper minutes of the meetings are prepared in which decisions
are recorded with accompanying actions and dates for completion.

Review input (clause 5.6.2)


This clause lists items that must be included in any management reviews.

(a) results of audits;
(b) customer feedback;
(c) process performance and product conformity;
(d) nonconformities: status of preventive and corrective actions;
(e) follow-up actions from previous management reviews;
(f) changes that could affect the quality management system;
(g) recommendations for improvement;
(h) new or revised regulatory requirements (in connection with medical devices and
related services).

(It seems that (h) could be added to ISO 9001 with reference to all new or revised regulatory
requirements in general.)
The more logical sequence for a review meeting input is: (e), (a), (c), (d), (b), (g), (f) and (h) as
shown below:
(e) follow-up actions from previous management reviews;
(a) results of audits;
(c) process performance and product conformity;
(d) nonconformities: status of preventive and corrective actions;
(b) customer feedback;
(g) recommendations for improvement;
(f) changes that could affect the quality management system;
(h) new or revised regulatory requirements (in connection with medical devices and
related services).

Review output (clause 5.6.3)


The outputs from the management review must include decisions and actions related to:

(a) improvements needed to maintain the effectiveness of the quality management

A typical agenda for a management review meeting


A typical agenda for a management review meeting is given below.

1. Apologies for absence
2. Approval of the minutes of the previous management review meeting
3. Matters arising from the previous minutes, not covered by the agenda below
4. Internal audits: schedule, results of audits, corrective and preventive actions
5. External audits/surveillances by a certification body
6. Performance of processes: major processes, supplementary processes and third-level
processes
7. Product conformity
8. Nonconformities
• Quality management system: corrective and preventive actions
• Processes: corrective and preventive actions
• Products: corrective and preventive actions
• Customer complaints: corrective actions and preventive actions
9. Customer feedback: monitoring of customer satisfaction
10. Review of quality objectives
11. Purchasing: supplier and subcontractor lists
• Approved lists, temporary lists, non-approved lists
• Reasons for additions and deletions
12. Human resources
• Competence requirements
• Training needs
• Evaluation of training
• Skills testing
13. Analysis of data
14. Review of quality policy (as and when deemed necessary)
15. Recommendations for improvement
16. New or revised regulatory requirements or any other factors that could affect the
quality management system.

Looking forwards, any decisions and actions relating to:

17. Maintenance and improvements in the effectiveness of the quality management
system
18. Improvements in the effectiveness of the processes
19. Improvement of product, related to customer requirements
20. Resource needs
21. Any other business
22. Date of next meeting


Time might not permit all the items on the agenda to be addressed at one meeting.
Items 3, 4, 6–9, 15, 16 and 17–20 must be addressed at each management review in
order to satisfy the requirements of clause 5.6 of both standards. Those not addressed can
be given some preference at the subsequent meeting.

Figure 5.1 – Organizational chart (box labels: Chief Executive; Managing Director; Financial Director; Chief Administrator; Production Manager; Head of Research and Development; Human Resources; Contracts; Purchasing; Maintenance; Senior Production Managers; Senior Scientists and Technologists; Management Representative; Shift Managers; Day Managers; Production Line Staff)

Quality Policy

Company A is a privately owned company that employs about 1,000 people in a modern
factory. Many of its employees are highly qualified and work on the fringes of modern
science and technology. They are supported by a highly competent workforce. The
company produces a range of sophisticated medical equipment, all of which complies with
regulatory requirements. It also provides a range of mass-produced medical devices
for the more general care of patients in hospitals.
A short time ago top management decided to improve its image in the marketplace by
seeking accredited certification to two quality management systems standards, ISO 13485
and ISO 9001. External auditors from a certification body recently came to the factory and
at the conclusion of the visit we were advised that the company’s operations did in fact
satisfy the requirements of these standards. Top management is proud of these successes,
which would not have been achieved but for the hard work done by all employees.

All staff are fully aware of the prime importance of ensuring that our medical devices and
related services consistently continue to satisfy customer requirements as well as any
applicable regulatory requirements, as required by ISO 13485.
Since the company has also been certificated against the ISO 9001 standard, subject to the
overriding requirements of ISO 13485 referred to above, the company will also strive to
continually improve the effectiveness of its quality management system and thereby,
through increased efficiency, etc., enhance customer satisfaction.
The company has measurable quality objectives in place, overall quality objectives and
objectives for each department. These are reviewed on a regular basis in a systematic
manner at management review meetings.

Company A strives at all times to achieve complete customer satisfaction. Customer
satisfaction is monitored at regular intervals so that when any shortcomings are identified,
attempts can be made to rectify them and to prevent adverse situations arising again.
All staff, including new employees, are made aware of the quality management system and
are expected to implement, maintain and adhere to its requirements. Everyone is
encouraged to suggest ways in which the quality management system can be improved.
Company A will review this quality policy statement at least annually or earlier when
considered to be appropriate.
Date: Signed:
Chief Executive, Company A

(Page 1 of 1)


Quality Objectives

Company A sets measurable quality objectives that are reviewed at six-monthly intervals.
Some objectives will be set for top/higher management while others will be set at lower levels.
The objectives are agreed with the staff directly responsible for achieving the objectives.
All objectives are made known to all staff shortly after the objectives have been set.

The first round of objectives has recently been set by top management and is stated on
the accompanying sheet, Page 2 of 2.

The objectives will be reviewed at a management review meeting. The individuals directly
concerned may be asked to attend the relevant part of the meeting.

Objectives are not intended to be punitive. They are intended to improve the effectiveness
of working. Sometimes objectives will not be met for reasons outside the control of an
individual. In such cases management will take appropriate measures in the hope that the
adverse events will be prevented from happening again.

Top management will be pleased to hear directly from any member of staff who would like
to suggest an objective for themselves or for their department. All suggestions will be
considered in confidence and top management will respond directly to all suggestions.

Date: Signed:
Chief Executive, Company A
(Page 1 of 2)


Quality Objectives

1. Ensure that all staff act in a professional and courteous manner at all times.

2. Ensure that Senior Managers review the performance of their staff annually in
accordance with a set procedure.

3. During the first production runs of a new product, at least 90% will successfully pass
the final inspection.
4. During routine servicing of equipment, a checklist will be used, and no aspect of
servicing will be ‘missed’, as confirmed by an independent inspector.

5. Initially record the number of nonconformities raised, in different categories, over a
six-month period, with a view to seeking improvements in the future.

6. Initially record the number of customer complaints received over a six-month period.

Other objectives will be introduced as and when considered appropriate in the light of
experience.
Date: Signed:
Chief Executive, Company A

(Page 2 of 2)

Chapter 6:
Resource management (clause 6)

Provision of resources (clause 6.1)


Resources are classified as human resources (i.e. people) and physical resources (i.e.
equipment), including the organization’s work environment and infrastructure. All contribute
towards helping an organization to achieve its overall goals and specific objectives.
Management must determine and provide the resources needed:
(a) to implement the quality management system and to maintain its effectiveness;

When medical devices are being manufactured or when related services are being provided,
the prime consideration must be in the interest of safety, to ensure that the quality
management system is effective in achieving the specified objectives.
In ISO 9001, there is a need to provide resources to continually improve the effectiveness of the
quality management system. This is a desirable aim for all organizations and there should be no
difficulties in this respect provided that the prime objectives are given the necessary consideration.
(b) to meet regulatory and customer requirements.

Once again the prime requirement in (b) must be met. The ISO 9001 requirement to enhance
customer satisfaction by meeting customer requirements must take second place to the first
requirement, but the two are not incompatible.

Human resources (clause 6.2)

General (clause 6.2.1)


All employees whose duties and responsibilities may have a bearing on the quality of products
or services of an organization (or both) must be competent in the tasks that they have to carry
out as determined by their relevant education, training, skills and experience. This is an
important change in emphasis towards competence.


Competence, awareness and training (clause 6.2.2)


Management must determine the necessary competencies required for all personnel performing
activities that have a bearing on the quality of an organization’s products or services. Some kind
of training, or other actions, may then be necessary in order to be certain that staff have the
previously defined competencies. Any earlier education, training and experience might well
mean that, in the absence of some of the required competencies, a person could very quickly
become competent in the skills required compared with a person without this background.
There are clearly many alternative and parallel routes for staff to achieve the necessary
competencies. For instance, employees might be asked each year to undertake a self-appraisal
using a prescribed form. Afterwards, the employee could undergo an appraisal, conducted in a
prescribed manner by the employer. Both the completed prescribed forms are held as
confidential quality records, and when management needs to find people with defined
competencies, such records on appraisals are invaluable.

Once a suitable person has been chosen, training can be given in a particular task or activity.
Any training must be evaluated to determine whether the actions taken have been effective in
making an employee competent in the clearly defined tasks. Evaluation of training is a new
requirement in ISO 9001.
All employees, whatever their status in the organization, must be made aware of the relevance
and importance of the work that they are doing in contributing towards achieving the quality
objectives of the organization (see clause 5.4.1). Many good employers already do this during
the induction process for new employees when the quality management system of the
organization is explained and discussed.
Appropriate records must be maintained on all staff in terms of education, qualifications,
training, experience and competency skills, as well as the evaluation records of any training
courses undertaken. Such records are maintained as QMS records (see clause 4.2.4).

If medical devices are being manufactured, national or regional regulations might require the
organization to establish documented procedures for identifying training needs.

Infrastructure (clause 6.3)


Management must determine, provide and maintain the infrastructure needed to supply
products or provide services that satisfy the needs and expectations of customers. These
evidently include:
(a) appropriate buildings, workspace (offices, manufacturing areas) and associated
facilities, such as toilets;
(b) process equipment, including hardware and software;

(c) the necessary supporting services such as cleaners and communications services.

When medical devices are being manufactured:


(d) the organization must also establish documented requirements for maintenance
activities, including their frequency, when such activities or lack of them can affect
product quality;

(e) records of such maintenance must be maintained (see clause 4.2.4).

Both (d) and (e) could be introduced to ISO 9001 with advantage.


Work environment (clause 6.4)


The organization must determine and manage the work environment to achieve conformity to
product or service requirements.

Management is expected to ensure that employees work in a generally acceptable
environment that is conducive to encouraging employees to give their best in the interests of
achieving conformity of product or service, and quality objectives. Such factors include:

• safety of individuals;
• ergonomics of working;
• appropriate lighting levels;
• appropriate temperature and humidity levels;
• acceptable noise levels;
• acceptable levels of cleanliness and hygiene;
• minimum pollution levels;
• provision of appropriate protective equipment.

Many of these factors are the subject of legislation, regulation or codes of practice.

Management must clearly take into consideration any unusual requirements that are necessary
to achieve the planned results. For example, clean rooms may be required for certain
manufacturing processes. In other cases, sterile conditions are necessary. Whatever is the case,
management must make certain that appropriate controls are in place to ensure that the
planned work environment is maintained.
The following requirements must apply when medical devices or related services are being
considered.

(a) The organization must establish documented requirements for health, cleanliness and
clothing of personnel, if contact between such personnel and the product or work
environment could adversely affect the quality of the product (see clause 7.5.1.2.1).
(b) If work environment conditions can have an adverse effect on product quality, the
organization must establish documented requirements for the work environment
conditions and documented procedures or work instructions to monitor and control
these work environment conditions (see clause 7.5.1.2.1).
(c) The organization must ensure that all personnel who are required to work temporarily
under special environmental conditions within the work environment are
appropriately trained or supervised by a trained person [see clause 6.2.2 (b)].
(d) If appropriate, special arrangements must be established and documented for the
control of contaminated or potentially contaminated product in order to prevent
contamination of other product, the work environment or personnel
(see clause 7.5.3.1).

None of these requirements would be incompatible with the general requirements in clause
6.4 of ISO 9001.

Chapter 7:
Product realization (clause 7)

Planning of product realization (clause 7.1)


Product realization is the term used to encompass all of those activities between establishing a
customer’s needs and the eventual manufacture of a product or the provision of a service that
satisfies those needs.
A quality plan for a product or a service is the result of deliberations on what needs to be done
in a systematic manner in order to achieve the required output. The documentation resulting
from such planning can be in whatever form is most suitable for the organization’s method of
operations. In the case of a simple product or service, a quality plan might be stated on only a
few sheets of paper. In the case of complex products or services, a quality plan might require
hundreds of sheets of paper as well as many engineering drawings, etc. Alternatively, a quality
plan can be produced on a computer.

A quality plan must identify every activity that is necessary in order to meet the requirements
for a product or a service. A quality plan must state whether any design and development work
is necessary and, if this is the case, how this will be carried out and by whom. This will
culminate in a design proposal that will also need to be verified and identify the individual(s)
involved (see clause 7.3). All processes that are an integral part of the quality management
system of an organization need to be identified (see clause 4.1). Appropriate documentation
(such as flow charts, procedures, work instructions, forms, external documents, engineering
drawings and specifications) must be provided, as is considered necessary to control all the
processes. A quality plan must include measurable quality objectives that are set at relevant
functions and levels within the organization (see clause 5.4.1). Human and physical resources
(including any specific skills or facilities, e.g. software design or clean rooms) specific to the
product, or service, must be identified. Questions have to be answered as to how the product
or service will be validated within the limitations of any practicalities. What monitoring,
inspection and test activities specific to the product or service will be carried out? Which
monitoring and measuring devices need to be calibrated and their calibrations linked to
international standards? What criteria have been established for acceptance of the product, or
service, by the customer? If an organization decides to outsource any process that can have a
bearing on the quality of a product, or a service, the organization must ensure control over
such processes. Examples of outsourcing are delivery, installation, and routine servicing of a
product. All are often carried out by a third party on behalf of a manufacturer. Decisions are
required on the records that will be kept. Such records (QMS records – see clause 4.2.4) will
provide objective evidence that all major and lower-level processes operated as planned.
Other records will give confidence that the product, or service, satisfies the customer
requirements.
If planned changes to the quality management system are implemented, the integrity of the
quality management system must be maintained [see clause 5.4.2 (b)].

Any quality plan should be structured so that everyone is made aware of the continual need to
improve the effectiveness of the quality management system; and suggestions for such
improvements should always be welcomed through recognized channels by top management.
If medical devices are being manufactured, an organization must establish documented
requirements for risk management throughout product realization. Risk management is the key
to determining the nature and amount of activity in many parts of a quality management
system in which medical devices are being manufactured.

Records arising from risk management must be maintained (see clause 4.2). See ISO 14971 for
guidance related to risk management.

Customer-related processes (clause 7.2)

Determination of requirements relating to the product (clause 7.2.1)


The text of clause 7.2.1 in ISO 13485 is identical to that in the corresponding clause of ISO 9001.
A customer’s expressed needs for a product or a service are usually different from a customer’s
requirements. A customer also has implied expectations, depending on the intended use of the
product or service that is to be provided. For instance, in the case of an electrical product, the
customer assumes that it will be electrically safe, if it is used as intended. If a device is to have
a very sharp cutting edge, it is assumed that it will be carefully designed so that it will be
unlikely to cut the user during normal use. Thus, the organization will determine what
necessary safety requirements need to be incorporated into the product. The organization will
also take into account its own experience in manufacturing similar products. There might also
be explicit statutory and mandatory regulations relevant to the product or service that have to
be addressed in connection with the proposed product. The organization must also consider
the mode of delivery of the product. Is the product to be installed for the customer?
What further support may be required or expected by the customer following delivery and
installation? It is from such considerations that a customer’s requirements are determined as
opposed to a customer’s needs and expectations.
Statutory and regulatory requirements are not an explicit requirement in ISO 9001:2000.
In practice, the majority of organizations have probably addressed statutory and regulatory
requirements in the past. For instance, chartered surveyors must carry out their work in
accordance with the requirements of the ‘Red Book’, which is published by the Institute of
Chartered Surveyors. Failure to do so would invalidate any insurance provided by the Institute
for claims by clients against surveyors for negligence.

Review of requirements related to the product (clause 7.2.2)


The organization must review product needs and consequential product requirements before
there is any commitment to supply a product or provide a service, i.e. before submission of a
tender, acceptance of a contract, acceptance of an order; and before acceptance of changes to
contracts or orders. The outcome of any review process must be that product or service
requirements are clearly defined, and in the case of medical devices and related services,
documented.

The requirement to document in ISO 13485 is an improvement on the ISO 9001 wording.

The requirements of any contract or order that is different from earlier agreed requirements
must be resolved to the mutual satisfaction of the customer and the organization. The
organization must be satisfied that it is able to meet any newly agreed defined requirements.
The records of the results of any review and any actions arising from the review must be
maintained (see clause 4.2.4).
In the case of verbal orders, a customer’s requirements should be explicitly agreed before
acceptance of an order. This can be achieved by reading back a customer’s requirements on
the telephone to the customer. Written evidence of what was read back is recommended,
with the signature of the person taking the order and the name of the person placing the order,
together with any other relevant information. A much better arrangement is that all the
relevant information concerning a verbal order is sent back to the customer by fax or letter
confirming the acceptance of the order. Some organizations refuse to accept verbal orders.

When product requirements are changed, all relevant documentation must be amended and
relevant personnel must be advised accordingly.
In some situations, such as straightforward sales involving perhaps hundreds or thousands of
products, formal reviews for each order are clearly impractical. In such cases, the reviews can
cover product information by reference to sales literature such as catalogues, to ensure that all
the relevant information is made known to a purchaser, so that there can be no intention of
misleading potential buyers.

Customer communication (clause 7.2.3)


The requirements for organizations to identify the channels of communication with their
customers and to adhere strictly to such channels are common-sense requirements that are
already common practice in many organizations. The revised standard requires management to
determine and implement effective channels of communication between the organization and
its customers on all matters in relation to the organization’s products and services.
These include enquiries about:

(a) products or services;
(b) orders and contracts, including any subsequent amendments;
(c) feedback from customers, including complaints;
(d) advisory notices (see clause 8.5.1).

‘Advisory notices’ could also be included in ISO 9001.


Customer feedback can be either verbal, or written. It can be reactive or proactive. Customer
complaints, which are reactive to some occurrence, or non-occurrence, must be dealt with in a
systematic manner [see clause 8.5.2(a)]. An example of a proactive case is the monitoring of
customer satisfaction (see clause 8.2.1). Whatever the nature of the feedback from customers,
arrangements must be in place for dealing with it in a systematic manner.


In the case of large and complex contracts, mutually acceptable arrangements for
communications between the two parties are usually agreed and rigorously implemented in the
interest of both parties. Sometimes, in the case of very large organizations, e.g. a nuclear
power station, only one-to-one named contacts are permitted for all communications on large
and complex contracts.

Design and development (clause 7.3)


This clause is essentially the same as clause 4.4, design control, in ISO 9001:1994, though one
clause has been omitted:

‘4.4.3 Organizational and technical interfaces’,


but it has been incorporated into clause 7.3.1 of ISO 9001:2000, by the statement:

‘The organization shall manage the interfaces between different groups …’.

Note that ‘development’ has been included. Many organizations do not carry out design work,
but some will almost certainly carry out development work on an existing design. Sometimes
development work takes place during the preparation of a new design, especially when the
design uses ideas and concepts that have not yet been put into practice. Thus, care needs to
be exercised in excluding this clause from the scope of the quality management system (see
Chapter 9).

Design and development planning (clause 7.3.1)


The organization must establish documented procedures for design and development. In the
case of ISO 9001, there is no such requirement for documented procedures, but an
organization would probably benefit from them.
In the case of ISO 13485, all design and development activities have one ultimate aim: to
provide medical devices and related services that consistently meet regulatory requirements
applicable to medical devices and related services.
In the case of ISO 9001, all design and development activities have one ultimate aim: to satisfy
the needs and expectations of customers in connection with a proposal for the manufacture of
a new product or the provision of a new service. Management has to control all the design and
development stages to ensure that the new product or the new service does satisfy the needs
and expectations of customers. In the case of medical devices, meeting regulatory
requirements will always take precedence over satisfying the needs and expectations of
customers.
The initial specified requirements of a customer are not always reflected in their entirety in a
final design, because of changes made to requirements as a result of discussions between both
parties during the design and development stages and perhaps because of hitherto unknown
limitations imposed by technology and other factors.

In the case of any proposed new design and development work, the organization is required to
establish a design and development plan. Planning must identify:

(a) the stages of the design and development work;
(b) the review, verification, validation and design transfer activities that are appropriate at
each design and development stage;
(c) the responsibilities and authorities for design and development work.

Note that design transfer activities (b) during the design and development process ensure that
design and development outputs are verified as suitable for manufacturing before final
production specifications are agreed.

The interfaces between different groups of people involved in the design and development
work must be managed properly to ensure effective communication between different groups.
As each stage in the design and development progresses, staff responsible for other stages of
the design and development must be routinely informed of changes. Throughout all the design
and development stages, there must be ongoing clarification of where responsibilities begin
and end.
The design and development planning output must be documented and updated as
appropriate as the design and development evolves (see clause 4.2.3). ISO 9001 does not
specify this, but it is implied and the author believes that it would be a good idea to introduce
it at the next revision stage.

Design and development inputs (clause 7.3.2)


All input information relating to product or service requirements must be determined and
records maintained (see clause 4.2.4).

The inputs must include:


(a) functional, performance and safety requirements, according to intended use;
(The ISO 9001 requirements refer merely to functional and performance
requirements, but safety requirements are implicit in all that an organization does.)
(b) relevant statutory and regulatory requirements;
(c) any other relevant information derived from previous similar designs;
(d) any other requirements essential for design and development;

(e) output(s) of risk management (see clause 7.1).

ISO 9001 does not require output(s) of risk management to be considered.


These design input requirements relating to a product or service must be reviewed for
adequacy and then approved. ISO 9001 does not explicitly require inputs to be approved
although this is implicit in any review.

Requirements must be complete, unambiguous and not in conflict with each other.

The agreed design input specification may prove to be unsatisfactory when the details of the
design are being considered. If there is a need to deviate from the agreed design input
specification, discussions must take place with all interested parties (customer, regulatory
authority, etc.) and formal approval must be sought and obtained for a revised design input specification.

Design and development outputs (clause 7.3.3)


The design and development outputs must:
(a) satisfy the design and development input requirements;
(b) provide appropriate information for the purchasing department, production
department and for service provision;
(c) include, or refer to, product or service acceptance criteria;
(d) specify the characteristics of the product or service that are essential to ensure that the
product is inherently safe, when used properly (or it is safe in the manner intended,
when the service is delivered).

The outputs from the design and development teams must be documented in a manner that
enables verification against the design and development input requirements.

Design and development output documents must be approved prior to release. Records of
design and development outputs must be maintained (see clause 4.2.4). (ISO 9001 does not
specify this requirement, but it is implicit.)
Note that such output records can include specifications, manufacturing procedures,
engineering drawings, and engineering or research log books. (ISO 9001 does not specify what
records must be kept.)

Design and development review (clause 7.3.4)


Systematic reviews of design and development must be held at suitable stages in accordance
with planned arrangements (see clause 7.3.1), as well as when decided by management at
other unplanned times.
Reviews will:
(a) evaluate the ability of the results of design and development to meet requirements;

(b) identify any discrepancies and problems and propose any necessary actions.
The reviews must include representatives of the functions concerned with the design and
development stage or stages being reviewed, as well as other specialist personnel (see clauses
5.5.1 and 6.2.1).

(In ISO 9001 there is no specific reference to other specialist personnel, but any organization
would ensure that the review would include specialist personnel, if considered appropriate.)

In complex designs, e.g. a nuclear power station, there will be many design reviews held on a
regular basis, whereas with a simple project only one final design review may be considered to
be necessary.
The findings of reviews and any subsequent follow-up actions must be recorded and
maintained (see clause 4.2.4).

Design and development verification (clause 7.3.5)


The text of clause 7.3.5 in ISO 13485 is identical to that in the corresponding clause of ISO 9001.

Verification must be conducted in accordance with planned arrangements to ensure that the
design and development outputs have indeed met the design and development input
requirements.

Common sense should prevail over the degree of verification that is to be undertaken. If the
design is a major one for a project involving a considerable amount of money and, perhaps,
with considerable risks in terms of health and safety, etc. then verification of the design must
be carried out by appropriate staff that have not been involved with the design hitherto. In
some cases, the verification of the design for a major project should be sought by submitting
the design to an external body. When verification has been successful it gives confidence to all
interested parties that the design and development requirements have been met. If no such
verification has taken place and if the design and development has not met the input
requirements then a project might be in jeopardy.

Recently there have been a few cases in which the effective application of this clause might
have prevented failures and unnecessary further expenditure.

In the case of a relatively trivial design and development of a product or provision of a service,
in which health and safety are not involved, simple checks by a colleague may be all that is
required. In such cases there may be only one final design verification.

Records must be maintained of all such design and development verifications and follow-up
actions (see clause 4.2.4).

Design and development validation (clause 7.3.6)

It is very important to emphasize that all the previous clauses of 7.3 have to be addressed
before a product is manufactured or a service is provided. Up to this stage, there is no actual
product and no service has been provided.
Design and development validation of medical devices must be performed in accordance with
planned arrangements (see clause 7.3.1) to ensure that resulting product is capable of meeting
the requirements for the specified application or intended use. Validation, if possible, must be
completed prior to delivery or implementation of the medical device. If a medical device can
be validated only after assembly and installation at the point of use, delivery is not considered
to be complete until the product has been formally transferred to the customer.
As part of design and development validation for medical devices, the organization must
perform clinical evaluations and/or evaluation of performance of the medical device, as
required by national or regional regulations. Provision of the medical device for purposes of
clinical evaluations and/or evaluation of performance is not considered to be delivery.

The requirements for validation of product in ISO 9001 are similar but are not as explicit. The
product or service must be tested in use in the specified circumstances and if multiple uses or
applications are intended, then each use or application must be checked against previously
agreed criteria and conditions.
Product validation can also be in the form of prototype testing or commissioning trials under
controlled conditions.
Design validation does not have to be carried out by the design organization. It is sometimes
impossible for a manufacturer to validate a final product so a validation has to be carried out
before a production run. For instance, a printed circuit board (PCB) manufacturer will in some
cases receive a circuit diagram from a purchaser, turn it into a prototype circuit following the
stages referred to above, and then send it to the purchaser for validation prior to the
production run. It may be impossible for the manufacturer to validate the design
independently, because the PCB is usually part of a greater design and the manufacturer does
not have the equipment, knowledge and experience. In such cases, validation by the
purchaser is perfectly acceptable.

Service validation can be testing of the service under controlled conditions. For instance, in the
case of the design of an Ambulance Service, it is not normally possible for the designers to
validate the design themselves. Only the Ambulance Service itself acting under controlled
conditions can do this.

The results of all validations of medical devices and subsequent follow-up actions must be
recorded and held as QMS records (see clause 4.2.4).

Control of design and development changes (clause 7.3.7)


The text of clause 7.3.7 in ISO 13485 is identical to that in the corresponding clause of ISO 9001.

It is recognized that it may become necessary to make changes to a design during any of the
design and development stages referred to above. Either the organization or the customer can
propose changes, provided in the case of ISO 13485 that regulations continue to be satisfied.
However, all suggestions for a change must be identified clearly, fully documented and
controlled. Any proposed changes must be authorized by previously agreed named persons
representing the customer and the organization. The proposed changes must include
evaluation of the effect of the changes on constituent parts as well as the effects on products or
services that have already been delivered. Arrangements must also be made for reverification
and revalidation, as is considered appropriate, and agreed by all interested parties before
changes to the design are approved.

The results of the review of changes and subsequent follow-up actions, including details of any
reverifications and revalidations, must be documented and held as QMS records (see clause
4.2.4).

Purchasing (clause 7.4)

Purchasing process (clause 7.4.1)


The organization must establish documented procedures to ensure that purchased products
conform to specified purchase requirements. The requirements of ISO 9001 are exactly the
same as those of ISO 13485, except that documented procedures are not mandatory for this
purpose, although in practice they might prove to be very useful.
An organization must evaluate potential suppliers and subcontractors on this basis. There are
many ways in which this can be done:
• by means of questionnaires;
• visiting the supplier or subcontractor and learning about the organization in general;
• conducting an audit on those parts of the supplier or subcontractor that are of
particular interest;
• by placing a trial order on the organization, if this is feasible;
• by asking for the opinions of others.

Organizations may choose the ways in which suppliers and subcontractors are evaluated, but
the criteria for evaluation and selection and, if necessary, re-evaluation must be defined. The
results of evaluations and selections and any subsequent follow-up actions must be recorded
and held as records (see clause 4.2.4).
After evaluation and selection many organizations generate an approved list of suppliers and
subcontractors. Some also have a temporary list. The temporary list includes suppliers and
subcontractors that are being used that will probably be transferred to the approved list in due
course. Transfer can take place after a satisfactory track record has been established, or after a
second-party audit has been conducted, or by whatever other means is considered
appropriate, to determine whether transfer to the approved list can be made.

Some organizations also have a non-approved list, which includes suppliers and subcontractors
that have not met the required standards of the organization. The non-approved list reminds
all employees that orders must not be placed with suppliers and subcontractors on this list. The
performance of chosen suppliers should be reviewed on a regular basis and the lists should be
updated as necessary. Evidence of updating should be available.

Sometimes an organization may have to use a specific supplier or subcontractor, named by its
customer, as one of the conditions of placing an order or awarding a contract. Clearly, in such
cases the customer must accept some responsibility if the supplier or subcontractor defaults on
requirements that have a bearing on the final quality of the product, or the quality of the
service being provided.
Suppliers and subcontractors that provide products and/or services that are unlikely to have
any bearing on the quality of the product and/or service provided by the organization need not
be subjected to the same scrutiny.
Some organizations find that as a result of implementing these requirements, an opportunity is
provided to decrease the number of suppliers and subcontractors with consequential savings in
administration.

Purchasing information (clause 7.4.2)


Purchasing information must describe the product to be purchased, including where appropriate:
(a) requirements for approval of product, procedures, processes and equipment;
(b) requirements for qualification of personnel;
(c) quality management system requirements.

Purchasing orders and associated documents must always contain all the relevant information
that a supplier or a subcontractor will need in order to satisfy the organization’s requirements.
Any associated documentation referred to in the purchase order will stress any conditional
requirements of placing the order.
Verbal orders always need to be followed by documented purchase orders and perhaps
associated documentation so that both parties are fully aware of what has been ordered and
under what conditions.

Most organizations clearly describe on their purchase orders (and associated documents, if any)
what is required and have designated levels of authority to review and approve such orders.
This is not a very onerous requirement. In simple cases it is implicit that the person signing the
order has, as a minimum, looked over the order and given an approval of adequacy, as would
be the case for standard off-the-shelf items, which are unlikely to pose problems. However, in the
case of complex orders for a manufactured product or a sophisticated service, the organization
might have to impose some sort of checklist, each section of which would have to be signed
off by named signatories, before a final signature is added by, e.g. a purchasing manager, or, in
the case of very big orders, by a director of the organization. Each organization must decide for
itself what is appropriate for its own circumstances within the remit of the standard.

Where traceability is required (see clause 7.5.3.2), the organization must maintain relevant
purchasing information, i.e. documents (see clause 4.2.3) and records (see clause 4.2.4).

There are no explicit requirements of this sort in ISO 9001, but they can be adopted if
traceability is required.

Verification of purchased product (clause 7.4.3)


The nature and extent of the controls applied to a selected supplier or subcontractor will be
dependent on the effect the purchased product, or service provided, has on the organization’s
processes and on the final product or service. Some purchased products or services that are
regarded by the organization as being crucial to the success of its operations are likely to be
subjected to strict controls, whereas others that are much less important will undergo less
stringent controls.
The activities necessary for verification of purchased product must be identified and
implemented. The associated documents referred to earlier might specify that a supplier
provides a test certificate, in which case the supplier is confirming that the product meets the
required specification. In other cases an accredited calibration certificate might be required. In
many cases, if the supplier has an established track record with the organization, the
verification of product on receipt at the organization will be minimal. However, with a new
supplier, the organization might well impose strict verification processes, in which case, these
will be identified in advance and implemented on receipt of goods.
If verification is to be performed by the organization at the supplier’s premises, the
organization will specify the intended verification arrangements and method of product release
in the purchasing documents (i.e. in the order or contract document). The purchasing
document should state how verification would be conducted: for instance, in the case of
manufactured products, whether there is to be 100% testing, batch testing or sampling, or, in the
case of a service, which specified items are to be checked or whether random testing is to be used. Finally,
the purchasing document should state what acceptance criteria are to be used and who is
responsible for release of product to the organization, or acceptance of the service to be
provided for the organization.
If verification is to be performed by the organization’s customer at the supplier’s premises, the
organization must specify the intended verification arrangements and method of product
release in the purchasing information. This is a common sense practice, which, if specified in
the contract, enables a customer by previous formal agreement to visit a supplier’s premises
(and perhaps the organization’s premises as well), to verify that a subcontracted product or a
subcontracted service conforms to the specification.

Any such verification by a customer must not be used by the organization as evidence that the
supplier has an effective quality management system in place for effective control of the quality
of its products or services. It could be that by devious means the supplier or subcontractor has
provided excellent quality of product or proved excellent provision of service for the visiting
customer, but the lack of proper quality control may have been hidden from the customer.
Thus, the onus remains with the organization to satisfy itself that effective quality controls are
in place.
Such verification does not in any way absolve the organization of its responsibilities to the
customer to make a satisfactory product, or provide a satisfactory service in accordance with
the specification referred to in the order placed by the customer. Moreover, it does not stop
the customer from rejecting the product supplied or stating that the service provided is not
satisfactory.

ISO 13485 additionally requires that QMS records of the verification must be maintained (see
clause 4.2.4). ISO 9001 imposes no such requirement. In practice, such records of verification
are imperative and in the interest of the organization.

Production and service provision (clause 7.5)

Control of production and service provision (clause 7.5.1)


In ISO 13485, clause 7.5.1 is subdivided further than the corresponding clause of ISO 9001.

General requirements (clause 7.5.1.1)


The organization must plan and carry out production and service provision under controlled
conditions.
Controlled conditions will include:

(a) the availability of information that describes the characteristics of the product;
(b) the availability of documented procedures, documented requirements, work
instructions, reference materials and reference measurement procedures as necessary;
ISO 9001 requires only the availability of work instructions, as necessary; but the
application of (b) is acceptable.
(c) the use of suitable equipment;

(d) the availability and use of monitoring and measuring devices;


(e) the implementation of monitoring and measurement;
(f) the implementation of release, delivery and post-delivery activities.

Post-delivery activities might include installation and commissioning of equipment. If the
process of installation and commissioning is to be ‘outsourced’ (see clause 4.1), the means
by which installation and commissioning are to be controlled must be evident from the
quality management system documentation of the organization (see Figure 5.1). In such
cases, installation and commissioning are two important parts of an organization’s major
process (design, manufacture, delivery, installation, and commissioning) and as such they
remain the responsibility of the organization. Acceptance testing is usually a joint operation
between the manufacturer and the purchaser and is the last part of the major process.

The release, delivery and any post-delivery activities must be conducted only in
accordance with previously agreed procedures.

(g) the implementation of defined operations for labelling and packaging.


ISO 9001 does not require (g), but it is an acceptable requirement for all products and
services.

All the above activities should have been planned in accordance with clause 7.1 before
manufacture of a product or provision of a service begins. The controls should have ensured
that planned provisions have been adhered to in all respects.
Servicing and maintenance arrangements may be included as part of the original quality plan,
or they may be agreed between the two parties at a later stage. The organization must establish
and maintain a record for each batch of medical devices to provide traceability to the extent
specified in clause 7.5.3 and identify the amount manufactured and approved for distribution.

The batch record must be verified and approved. A batch can be a single medical device.

The last paragraph applies to medical devices but could be applied equally well under
ISO 9001 for other products, if only to provide useful information to top management.

Control of production and service provision – Specific requirements (clause 7.5.1.2)

Cleanliness of product and contamination control (clause 7.5.1.2.1)

The organization must establish documented requirements for cleanliness of product if:
(a) product is cleaned by the organization prior to sterilization and/or its use; or

(b) product is supplied non-sterile to be subjected to a cleaning process prior to
sterilization and/or its use; or

(c) product is supplied to be used non-sterile and its cleanliness is of significance in use; or

(d) process agents are to be removed from product during manufacture.


If product is cleaned in accordance with (a) or (b) above, the requirements contained in clause
6.4(a) and 6.4(b) do not apply.

The whole of clause 7.5.1.2.1 can be applied to other products under ISO 9001 if considered
applicable.

Installation activities (clause 7.5.1.2.2)

If appropriate, the organization must establish documented requirements that contain
acceptance criteria for installing and verifying the installation of the medical device.
If the agreed customer requirements allow installation to be performed other than by the
organization or its authorized agent, the organization must provide documented requirements
for installation and verification.

Records of installation and verification performed by the organization or its authorized agent
must be maintained (see clause 4.2.4).
The whole of clause 7.5.1.2.2 can be applied to other products under ISO 9001, if considered
applicable.

Servicing activities (clause 7.5.1.2.3)

If servicing is a specified requirement, the organization must establish documented procedures,
work instructions and reference materials, and reference measurement procedures, as
necessary, for performing servicing activities and verifying that they meet the specified
requirements.
Records of servicing activities carried out by the organization must be maintained (see clause 4.2.4).

Note that servicing can include, for example, repair and maintenance.
The whole of clause 7.5.1.2.3 can be applied to other products under ISO 9001, if considered
applicable.

Particular requirements for sterile medical devices (clause 7.5.1.3)

The organization must maintain records of the process parameters for the sterilization process
that was used for each sterilization batch (see clause 4.2.4). Sterilization records must be
traceable to each production batch of medical devices (see clause 7.5.1.1).

The whole of clause 7.5.1.3 can be applied to other products under ISO 9001, if considered
applicable.

Validation of processes for production and service provision (clause 7.5.2)


In ISO 13485, clause 7.5.2 is subdivided further than the corresponding clause in ISO 9001.

General requirements (clause 7.5.2.1)

If an organization is able to demonstrate that all of its product or service output can be
validated by subsequent measurements or monitoring to prove that the planned output results
have been achieved, clause 7.5.2 can be justifiably excluded.

The organization must validate any production and service processes when subsequent
measuring or monitoring cannot readily or economically verify the resulting output. Such
processes must be continually monitored and controlled by specially trained staff. This includes
any processes where deficiencies become apparent only after the product is in use or the
service has been delivered.
Examples in which process validation is imperative follow. In all such cases, proving what has
been achieved in a particular case will result in the output being damaged or completely
ruined.

• Paint spraying (of vehicles) – the process of checking that the required layers of paint
have actually been applied will ‘break’ the surface of the paints.
• Sterilization of products – opening a particular sterilized package to check whether
sterilization has actually been achieved results in a package which has to be sterilized
again before it can be used as intended.

• Welding – it is not generally economical or practical to X-ray each weld for
imperfections so that validation cannot be carried out directly.

Instead, strict measures are usually in place such as specially trained practitioners, special
equipment and devices, and processes/procedures that have to be rigidly followed to ensure
that the planned results are in fact achieved. Validation shall demonstrate the ability of
processes referred to above to achieve planned results.
The organization shall establish arrangements for these processes, which must include, as
applicable:

(a) the qualification of the processes, i.e. defined criteria for review and approval of
the processes;
(b) approval of equipment and qualification of personnel;

(c) use of specific methods and procedures;

(d) requirements for records;


(e) revalidation, following repeat of a process.

The organization must establish documented procedures for the validation of the application of
computer software (and changes to such software and/or its application) for production and
service provision that affect the ability of the product to conform to specified requirements.
Such software applications must be validated prior to initial use.

Records of validation must be maintained (see clause 4.2.4).

The last two additional paragraphs of clause 7.5.2.1 can be applied to other products under
ISO 9001.

Particular requirements for sterile medical devices (clause 7.5.2.2)


The organization must establish documented procedures for the validation of sterilization
processes. Sterilization processes must be validated prior to initial use.
Records of validation of each sterilization process must be maintained (see clause 4.2.4).

There is no such clause in ISO 9001, but what is specified under ISO 13485 is standard
practice with sterilization of non-medical devices.

Identification and traceability (clause 7.5.3)


In ISO 13485, clause 7.5.3 is subdivided further than the corresponding clause in ISO 9001.

Identification (clause 7.5.3.1)

The organization must identify the product by suitable means throughout product realization,
and must establish documented procedures for such product identification.

The organization must establish documented procedures to ensure that medical devices
returned to the organization are identified and distinguished from conforming product [see
clause 6.4(d)].

There is no corresponding requirement in ISO 9001 for a documented procedure, but such an
inclusion in ISO 9001 would be an advantage. Likewise, the requirement for documented
procedure(s) in ISO 9001 for identification of returned products, other than medical devices,
can only be to the advantage of the organization.

Traceability (clause 7.5.3.2)


General (clause 7.5.3.2.1)

The organization must establish documented procedures for traceability. Such procedures must
define the extent of product traceability and the records required (see clauses 4.2.4, 8.3 and
8.5). Where traceability is a requirement, the organization must control and record the unique
identification of the product (see clause 4.2.4).
In the case of ISO 9001, if traceability is explicitly required, the organization must control and
record the unique identification of individual items, or batches of items, as appropriate. Whilst
traceability is paramount in some cases, it can also be useful in much less onerous
circumstances. For example, in the case of a cleaning service, an organization often considers it
useful to be able to identify what particular cleaners did on certain dates and, thereby, be able
to provide full traceability on the service provided.
An organization can similarly decide how traceability is to be achieved. It is advisable to
maintain records of all traceability data used (see clause 4.2.4). If traceability is a requirement,
the QMS records become mandatory.

Certificates of conformance

A certificate of conformance is of great importance when a product failure may have a
significant effect on the safety of people, e.g. in the aircraft industry. If an aircraft part has been
manufactured and/or inspected in accordance with the airworthiness regulations of a stated
country and/or, in the case of parts to be exported, with the approved design and notified
special requirements of the importing country, then the manufacturer will issue a certificate of
conformance. The certificate will give the part number, the serial or batch number, and a
reference number that enables the certificate to be linked to the approving aviation authority.
The certificate will be signed by an approved inspector and dated. A copy of the certificate will
be provided to the end-user but it does not exonerate them from their responsibilities in any
way; it merely provides full traceability back to the manufacturer in the event of any untoward
developments.

Similarly, certificates of conformance can be issued for second-hand parts in a ‘new’ condition,
which have been removed from a serviceable unit that has not previously been subjected to
excess wear or conditions of service.

A stockist will often accept responsibility that the product supplied conforms to a specification
and will issue a certificate of conformance accordingly to the customer. In the event that
doubts are raised about the product, the stockist will refer any queries back to its supplier.

Test certificates

In order to promote confidence in a manufacturer’s products, a manufacturer may issue a test
certificate with a product. One such test certificate reads:

    The product described above and supplied against the defined order has been tested
    in accordance with [the manufacturer’s] procedures and is verified as being
    compliant with the requirements of the relevant [instrument] specification.

Details of the device are included on the test certificate along with the relevant test
measurements. Such test certificates should not be confused with calibration certificates, which
enable any measurements made to be traced back to a national standard.
Certificates of conformance are sometimes supported by test certificates. For instance, a test
certificate in the aircraft industry will include appropriate codes that give the chemical analyses
of the material of the ingots from which batches of product have been made. The codes might
also be engraved or embossed on the final end product. The test certificates often give the
mechanical properties of the material used, such as tensile strength, yield, results of impact
tests and hardness. The test certificate will refer to relevant national and international
standards. An authorized representative will sign it on behalf of the manufacturer.
There is no requirement in ISO 9001 for a documented procedure but such an inclusion in
ISO 9001 would be an advantage.

Particular requirements for active implantable medical devices and implantable medical
devices (clause 7.5.3.2.2)

In defining the records required for traceability, the organization must include records of all
components, material and work environmental conditions, if these could cause the medical
device not to satisfy its specified requirements.

The organization must require that its agents or distributors maintain records of the distribution
of medical devices to allow traceability and make them available for inspection. Records of the
name and address of the shipping package consignee must be maintained (see clause 4.2.4).

This clause is explicitly applicable to medical devices, but the more general requirements
regarding traceability are equally applicable under ISO 9001 to other high risk products, such
as aircraft parts, where full traceability is required.

Status identification (clause 7.5.3.3)

The organization must identify the product status with respect to monitoring and measurement
requirements.
The identification of product status must be maintained throughout production, storage,
installation and servicing of the product to ensure that only product that has passed the
required inspections and tests (or released under an authorized concession) is dispatched, used
or installed.

This would also appear to be an excellent requirement in connection with ISO 9001 activities.

Customer property (clause 7.5.4)


General

Customer property can be a part (or parts) that a customer wants the organization to
incorporate into one of its products or wants the organization to use in one of its services. It
can also be material provided by a customer for activities related to the work that the
organization is doing for the customer. This includes intellectual property such as software
provided by a customer.
The organization must ensure that due care is exercised with customer property and material
at all times whilst it is under its care or use. When they are being incorporated into the
product or services of the organization, the organization must ensure that this property or
material is identified, verified, protected and safeguarded. Likewise, when material is being
used by the organization for related activities, the same care must be taken of the customer’s
property.
Any confidential information provided by a customer must be respected. An organization is
expected to communicate immediately with a customer in the event of problems concerning
customer’s property.

Customer property for incorporation into a product or in the provision of a service

An example of customer property is when an organization receives an order to manufacture,
e.g. pencils, and the customer provides the erasers that are to be fixed to one end of the
pencils, i.e. the erasers are to be incorporated into the final product that eventually goes to the
customer. The erasers are customer property.

Once the erasers are delivered to the organization, the onus is on the organization for
controlling, identifying, verifying, storing and safeguarding the customer’s property. Questions
may be asked such as:
• Are the erasers what they are supposed to be?

• Are the arrangements for storage satisfactory and are the erasers being looked
after properly?
• Is the temperature of the store in which they are being kept too high?

Another example is the case in which an organization is manufacturing a sterilized product,
e.g. sterilized hospital gowns, and the customer provides an additional item for inclusion in the
sterilized packages. The additional item is customer property for incorporation into the
customer’s product.

Customer property for related activities

There are many other occasions when customer property is not incorporated into the
organization’s product, but is provided by the customer for a related activity.
In the case of a taxi or hire car, the baggage of the customer that is to be transported with the
passengers is customer property in connection with the transportation service being provided.
Another example is a garage that receives customer property, a car, so that the garage can
undertake a routine service.

Products sent to an organization for sterilizing are another example of customer property in
relation to the sterilization service being provided by the organization.

Customer property for incorporation into product and for related activities

Sometimes it might be argued that customer property can be provided for incorporation into
the organization’s products and for a related activity. For instance, with a film processing
organization, one might argue that undeveloped film is supplied for incorporation into the
organization’s products because the information stored in the film appears in the colour prints.
One might also argue that the film is provided for related activities, i.e. the provision of colour
prints. Whatever argument prevails, the undeveloped film is customer property.

Customers’ intellectual property


An organization may be given a customer’s intellectual property, e.g. design or computer
software that has been produced by the customer, which the organization needs to use or
understand in order to satisfy the customer’s needs and expectations.
All such information, designs, software and ideas must be treated by the organization in the
same way as any other physical item, which might have been provided by the organization. In
the case of intellectual property, confidentiality is particularly important and needs to be
maintained because the information might be commercially sensitive or affect the outcome of
a patent application.

In the case of ISO 9001, intellectual property might be confidential health information, if the
standard is being applied to hospitals, nursing homes, residential care homes and other
organizations.

Lost/damaged/unsuitable customer property
Any customer property that is lost, damaged or otherwise found to be unsuitable for use must
be recorded and reported to the customer. This includes intellectual property, e.g. information
provided in confidence.

Preservation of product (clause 7.5.5)


General
The organization must establish documented procedures or documented work instructions for
preserving the conformity of the product during internal processing and delivery to the
intended destination.
The organization must establish documented procedures or documented work instructions for
the control of product with a limited shelf-life or requiring special storage conditions. Such
special storage conditions must be controlled and recorded.
ISO 9001 does not require any documented procedures, or documented work instructions
under this clause but to do so would appear to be to the organization’s advantage.

During the manufacture of a product, an organization must preserve the conformity of the
product and any constituent parts at each stage throughout the major process and during all
subsequent stages such as handling, packaging, storage, preservation and delivery to the
intended destination.

Preservation of product is especially important in those cases in which deterioration of product
is possible under adverse conditions. Likewise, in the provision of a service similar arguments
apply as for products.

Identification
Once a product or service has been suitably identified, the identification must be preserved
until it has been delivered to the intended destination.

The methods used for identifying product (labels, any writing made directly on packages, etc.)
must be suitable for their intended purpose. For example, labels must remain affixed to the
packages and any written identification must be done with indelible and waterproof pens.

Handling
The onus is on the organization to devise methods of handling that protect the product from
damage or deterioration.

Packaging
The organization must have controls in place that ensure that any packing or packaging is
adequate to prevent any damage that would result in the product being unacceptable to a
customer.

After final inspection and test, all packaging must be of a suitable nature to provide protection
against damage whilst within the confines of the organization.

Storage
Storage areas need to be systematically allocated and organized to prevent damage or
deterioration of product whilst it is awaiting use or dispatch. Stock that is likely to deteriorate
with time should be clearly marked so that it can easily be reviewed at appropriate intervals.
Product should only be received, or dispatched, when the specified documentation is
available. Any goods received without proper documentation should be rejected immediately,
i.e. not admitted to stock, or placed in a quarantine area pending further investigation by
management.

Preservation

An organization must ensure that all its products remain undamaged up to the time of their
delivery to customers. This is particularly important in the case of more vulnerable products
that can be damaged easily if the packaging is inadequate or if the storage area is unsuitable.
Consideration needs to be given to controlling environmental conditions such as temperature,
humidity, lighting, and static electricity. In the case of the presence, or possible presence, of
static electricity, these conditions may require special packaging and storage for certain
products to prevent electrostatic damage to them.

All stock must be appropriately segregated until it is used or dispatched. Similarly, incoming
stock must be carefully segregated and preserved until it is required for use.

Delivery

Adequate packaging must be provided against accidental damage during handling whilst the
product is in transit to a customer. Special attention must be paid to any contractual conditions
in this respect.

Outsourcing the delivery through independent delivery companies does not absolve the
organization from its responsibilities regarding safe delivery of products to its customers.

Control of monitoring and measuring devices (clause 7.6)


Measurement

There is little doubt about what is meant by measurement. Measurement is associated with the
determination of a number, length, area, volume, time, speed, velocity, acceleration or weight.
The units of measurements are usually, but not always, based on the metric system of
measurements. In some cases the accuracy of any measurements with a given measuring
device may be unimportant. For instance, when a plasterer is preparing a quotation for
plastering a wall, one of the factors to be taken into consideration is the area of the wall, which
he will probably determine from measurements made using a steel rule. An error in
measurements of a few centimetres is unimportant. In fact experienced plasterers will often not
even bother to take measurements with a steel rule. The plasterer’s eye will determine at a
glance all the information that is required to prepare their estimate of costs.

At the other extreme, organizations and sometimes customers decide that accurate
measurements are necessary. Sometimes accurate measurements are also required to satisfy
regulations, standards, and other requirements. For instance, when a window frame
manufacturer is adding a surface coating to lengths of aluminium, a minimum thickness of
coating is required, namely 50 microns (0.050 mm). Thus, any measuring device used must be
accurate within specified limits. Whenever a thickness of less than 50 microns is found, the
coated aluminium is reworked or scrapped. In order to be confident that the measuring device
is sufficiently accurate, it is necessary to have the measuring device calibrated. This can be
done externally or verified within the organization.

Monitoring
If measuring devices are being used to monitor something, the monitoring might take place
continuously. Such measuring devices immediately identify any untoward changes occurring at
the chosen monitoring points or stages of a major process so that appropriate action can be
taken, such as stopping the process. If the changes or trends are taking place very slowly they
give early warning of problems but do not necessarily mean that a process must be stopped
immediately. For instance, if the diameters of extruded plastic rods are gradually increasing, as
indicated by a monitoring device, the rate at which the diameter is increasing will provide
valuable evidence about when the permitted tolerance on the diameter is likely to be
exceeded, before which time action must be taken or the process stopped.

An important aspect of monitoring equipment is that the measuring device being used will
have been selected on the basis of the manufacturer’s specification as being suitable, within
the accuracy of measurement specified by the manufacturer, for monitoring the parameter in
question. Somebody will nevertheless have to make a decision on whether the selected
measuring device needs to be calibrated or merely be maintained at regular intervals.
Maintenance does not necessarily include recalibration although a manufacturer carrying out
such maintenance would, as a minimum, claim that the device is functioning within their
specification and might well reissue a test certificate to confirm this.

Monitoring does not always involve measuring devices and need not be undertaken
continuously. For instance, ISO 13485 and ISO 9001 require an organization to monitor
customer satisfaction. This can be done without measuring devices (see page 74).

The need for monitoring and measurements


An organization must decide what monitoring and measurements are necessary to ensure that
products or services meet the specified requirements. This in turn determines what monitoring
and measuring devices are needed to provide evidence of conformity of a product or service
to previously determined requirements (see clause 7.2.1). All the measuring and monitoring
devices must always be used in such a way and be controlled so that the devices are known to
be capable of making measurements to the required degree of accuracy.

In some cases, calibration of measuring devices is unnecessary. If it is decided that no devices
need to be calibrated, a statement to that effect can be made in the quality manual together
with an explanation that justifies the exclusion. The fundamental question that needs to be
asked by the organization is whether it can be confident that the product conforms to
specification, or that the service provided is in accordance with requirements, without such
calibrations.

However, when it is decided that measuring devices need to be calibrated so as to ensure that
measurements are as accurate as required, then the devices must either be calibrated
externally or internally. The organization must establish documented procedures to ensure that
monitoring and measurement can be carried out in a manner that is consistent with the
monitoring and measurement requirements.
ISO 9001 does not require documented procedures in connection with clause 7.6, control of
monitoring and measuring devices. However, the establishment and implementation of such
procedures would appear to be in the organization’s interest.
This means that measuring devices must:

(a) be calibrated, or verified at specified intervals or prior to use, against measurement
standards traceable to international or national measurement standards; where no
such standards exist, the basis used for calibration or verification must be recorded;

(b) be adjusted or readjusted as necessary;

(c) be identified to enable calibration status to be determined;

(d) be safeguarded from adjustments that would invalidate any results;

(e) be protected from damage and deterioration during handling, maintenance
and storage.

Computer software used for measuring and monitoring of specified requirements must be
checked prior to initial use, and re-checked at appropriate specified intervals, to ensure that it
satisfies the intended application.

Once it has been decided to undertake calibration of devices it should be noted that different
devices can be calibrated at different intervals. Some devices are not used very often and are
more stable as a result. Devices that are used regularly and devices that are highly sensitive will
need to be calibrated at more frequent intervals. The same applies to any device where the
accuracy of the results is of very special significance. For instance, a tyre depth gauge that is
used frequently and usually kept in a technician’s tool box is more likely to need calibrating at
shorter intervals than a digital vernier that is kept in a carefully designed box and is used only a
few times each year.

Devices must be calibrated and adjusted periodically or prior to use, against devices traceable
to international or national standards. Where no such standards exist, the basis used for
calibration must be recorded.

External calibration

If a decision is made in favour of external calibration, the calibration can be carried out by an
Accredited Calibration Laboratory, which has been accredited by the United Kingdom
Accreditation Service (UKAS) or some other similar national accreditation body or by a
non-accredited calibration body. ISO 9001:2000 does not require that a UKAS (or equivalent)
calibration laboratory is used. Both standards do, however, require that calibration can be
traced to international or national measurement standards.

An external calibration laboratory will state, after calibration of a device, the accuracy (within
specified limits) of any measurements made with the device. The accuracy of the calibrated
equipment must be greater than is needed to achieve the required accuracy of measurement.

Internally calibrated equipment


When an organization has a lot of equipment that needs to be calibrated and has suitably
qualified staff available, it may decide to calibrate its own equipment using carefully selected
externally calibrated equipment as reference standards.
Equipment used as reference standards must be set aside in a safe and secure environment
and used only for internal calibrations. A number of questions have to be answered such as the
following.

• What are the acceptable limits for the calibration results for a particular instrument or
device that is to be calibrated internally?
• Is the known accuracy of the calibrated reference standard sufficiently greater than
the theoretical accuracy of the instrument or device being calibrated internally?
• Is the calibrated reference standard otherwise appropriate for the internal calibrations?

• Is the uncertainty for the calibrated reference standard low enough to ensure that the
uncertainty of calibration of the instrument or device being calibrated will be
acceptable in the circumstances in which it will be used?

• What documentation is required to ensure that all internal calibrations are carried out
in a professional and scientifically acceptable manner?

• Is the environment suitable for the calibrations being performed?

• Who is to be responsible for internal calibrations?


It is good practice to have a work instruction available for each kind of equipment that is to be
calibrated internally to ensure that all relevant matters are addressed and to ensure that the
steps to be taken in the calibration process are clearly defined.

Registers and calibration logs

It is common practice to establish and maintain calibration registers that hold all relevant
information for proper control of such equipment. These include the unique identification
number of the equipment, the usual location of the equipment, the date of calibration and
date of recalibration, and the signature of the person responsible for maintaining the registers.

When a piece of equipment is calibrated externally, a calibration log should be established and
maintained for each piece of equipment, which gives the relevant details regarding the
calibration that has been carried out on that equipment. This should include:

• type of equipment;
• normal location of equipment;
• manufacturer of equipment;
• unique identification number of equipment;
• frequency of calibrations;
• acceptable errors and uncertainty of measurements;
• relevant environmental conditions;
• UKAS equipment number;
• UKAS certificate number;
• calibration certificate number;
• date of calibration;
• date of recalibration; and
• signature of the person responsible for maintaining the calibration log.

Likewise, when a piece of equipment is calibrated internally, a calibration log should be
established and maintained for each piece of equipment. The log should include:

• type of equipment;
• normal location of equipment;
• manufacturer of equipment;
• unique identification number of equipment;
• frequency of calibrations;
• acceptable errors (plus and minus);
• relevant environmental conditions;
• unique identification of the equipment used to calibrate the equipment, i.e. the
reference standard;
• a statement of compliance or non-compliance;
• date of calibration and date of recalibration;
• signature of the person responsible for maintaining the calibration log.

The actual readings or measurements obtained (including uncertainties of measurements),
carried out by a nominated qualified person can be stated on a supplementary sheet, or
sheets, appended to the calibration log.

All such records become part of the QMS records of the organization.

Some customers may insist that calibration data are made available to them in order to give
assurance that the monitoring and measuring equipment and any test software are all
functionally adequate for the processes that have to be carried out.

Identification of devices

All calibrated equipment (whether externally or internally calibrated) should be
uniquely identified by whatever means are practical.

It is common practice for each piece of calibrated equipment to have a label affixed which
states:
• the unique identification number or code for the equipment;

• the date when calibration took place;

• the date when recalibration is due;


• the initials of the person responsible for calibration.

When deemed desirable, metal labels are used because these can be wiped clean without
removing the information recorded on them.
A label that includes the date of recalibration enables the user to check that the equipment has
not passed that recalibration date without recalibration having taken place.

Only in very unusual circumstances is it impossible to place such a label on calibrated
equipment. In such circumstances, a unique identification number can be engraved on the
equipment, or the equipment can be marked with an indelible pencil, or a very small sticker
can be used which gives the equipment a unique number. Such arrangements enable the
equipment to be referred back to the calibration records.
If a piece of equipment has a calibration label affixed to it, it should mean that the equipment
when tested under agreed specified conditions is functioning in an acceptable way.
The registers and calibration logs of both externally and internally calibrated equipment should
show the normal locations of calibrated equipment so that in the event that a label is detached
from a piece of calibrated equipment its unique identification and calibration status can be
traced through a process of elimination.

Fitness for use


Some equipment is less susceptible to damage than other equipment. The organization must
exercise appropriate controls to ensure that as far as possible accuracy and fitness for use is
maintained.

Tampering with calibrations


In most cases calibrated equipment cannot unintentionally and easily be put out of calibration.
Nevertheless, the organization must take all reasonable measures to ensure that any intentional
tampering is positively discouraged, if not made very difficult.

Equipment not calibrated: used for indication only

Some monitoring and measuring devices need not be calibrated and are used for indication
only. When a lot of monitoring and measuring devices are being used, some organizations find
that it is good practice to emphasize that such devices are used for indication only. For
instance, a meter that measures the amount of oil that is poured into a car engine from a
centralized supply need not be calibrated, because all car mechanics are trained to check the
level of the oil that has entered the engine by means of the dipstick. The dipstick is the
definitive measure that there is sufficient oil in the engine. Thus, the oil flow meter is used only
as an indication of the amount of oil put into the engine. The flow meter can be labelled, ‘Not
calibrated: for indication only’.

Chartered surveyors use moisture meters to indicate whether there might be a damp problem
in a wall. Since a chartered surveyor would not say categorically that there is a problem, there
is no need for the moisture meter to be calibrated. The chartered surveyor would merely
recommend that the problem be referred to other experts.

Out-of-calibration equipment

When a piece of equipment is found to be out of calibration it must be removed immediately
from use. The question then arises as to how long it might have been out of calibration and
what would be the possible consequences on the quality of product or quality of service arising
from the use of equipment that is out of calibration.

The organization is required to make a judgement on the effect of any possible errors in
measurements, in actions taken, on the quality of the product or the quality of service
provided. The decisions should be documented and appropriate action must be taken.
The results of all calibrations and verifications must be recorded and maintained (see clause
4.2.4).

New equipment

There is a popular misconception that it can be assumed that a new piece of equipment is
within specification. If a manufacturer provides a valid certificate of calibration then this must
be true. Similarly, a carefully scrutinized test certificate from a manufacturer would increase
confidence in a new product. However, if there are any doubts and a specified accuracy is
crucial to the success of the organization, it might be prudent to check carefully with the
manufacturer.

Results
The results of all calibrations and verifications must be recorded and maintained (see clause
4.2.4).

Chapter 8:
Measurement, analysis and improvement (clause 8)

General (clause 8.1)


Management must plan and implement monitoring, measurement, analysis and improvement
processes needed:

(a) to demonstrate conformity of product or services;

(b) to ensure conformity of the quality management system with the requirements of
the standard;

(c) to maintain the effectiveness of the quality management system to consistently
manufacture medical products or to consistently deliver related services that are safe
and effective.

With reference to (c) above, in ISO 9001 emphasis is placed on taking action to continually
improve the effectiveness of the quality management system. This will pose no problems
provided it is understood that, when both standards are being addressed, the first and foremost
priority is to maintain the effectiveness of the quality management system to ensure the
medical devices being manufactured, or the related services being delivered, consistently
satisfy customers’ requirements and any applicable regulatory requirements.

All data from the monitoring and measurements are collated and analysed. The monitoring and
measurements made during the processes enable appropriate changes to be made, as and
when necessary, to ensure that each step in a process is able to achieve its intended purpose,
and to make planned checks on the evolving product during such processes to ensure that the
final product conforms to the requirements.
In planning any monitoring and measuring activities, due consideration must always be given
to deciding how the data collected shall be used, including the possible use of statistical
techniques.

In the case of ISO 13485, national or regional regulations might also require documented
procedures for implementation and control of the application of statistical techniques.

Monitoring and measurement (clause 8.2)


With ISO 13485 it is imperative that the organization collects objective evidence. As one of the
measurements on the performance of the quality management system, the organization must
collect factual evidence to decide whether it has met customer requirements. This is referred
to as feedback.

With ISO 9001 the organization is expected to determine a customer’s perception of whether
the customer’s requirements have been met. This is subjective information and is referred to as
customer satisfaction.

Feedback/Customer satisfaction (clause 8.2.1)


The methods for obtaining feedback and using this information must be determined. The
organization needs to establish a documented procedure for a feedback system [see clause
7.2.3(c)] to provide early warning of quality problems and for input into the corrective and
preventive action processes (see clauses 8.5.2 and 8.5.3).

If national or regional regulations require the organization to gain experience from the
post-production phase, the review of this experience must form part of the feedback system
(see clause 8.5.1).

Customer satisfaction
A documented procedure for obtaining information on customer satisfaction would appear to
have advantages in the case of ISO 9001, as is the case for feedback with ISO 13485.
Customer satisfaction data can be obtained from direct contact with customers or from their
secondary sources.

Direct contact with customers

There are a number of ways that customer satisfaction data can be obtained directly from
customers. Some examples follow.

(a) Investigation of customer complaints


All customer complaints should be logged and dealt with in a systematic manner. The
first priority should be to investigate the complaint and put right that which has
allegedly gone wrong, so that the customer is satisfied. An appropriate apology is
usually well received and restores goodwill between the organization and the
customer.
Secondly, all complaints, without exception, should be reported in full on a regular
basis to top management. At frequent intervals, an analysis of complaints should be
provided for top management.

Such information will contribute to the overall monitoring of customer satisfaction.

(b) Customer satisfaction questionnaires


Customer satisfaction questionnaires can be sent to all customers, or just a sample, to
find out whether they have been satisfied with the product that they have purchased
and the service provided. Large organizations can afford to carry out such
comprehensive surveys or alternatively arrange for specialist organizations to do the
work for them. If smaller organizations use this technique, they should use a simple
questionnaire, since analysis of more complex questionnaires can be time consuming
and therefore expensive.

The standard method of obtaining information from customers regarding their
satisfaction is for the organization to issue forms to customers and ask them to
complete them and return them in the prepaid envelopes provided. Such forms can
vary enormously in their complexity, but the more complex the form the less likely it
is to be completed. Sometimes incentives to complete the form are given such as
automatic entry into a draw with attractive prizes. Even public bodies such as the
Royal Mail are now using questionnaires to determine how satisfied customers are
with the service.

Organizations that do not deal directly with their customers often feel the need to
know what customers think about their products or services and about the way their
intermediaries have dealt with them. The classic case is that of car manufacturers that
sell their new cars through franchised garages. Car manufacturers often ask, through
their franchises, for all customers to complete a customer satisfaction questionnaire.
The manufacturer may offer no incentive to the customer for its completion, other
than the general desire to ensure that all customers are dealt with courteously and
efficiently, but the garage is sometimes under pressure to get the customers to
complete the questionnaires, because failure to do so can cause the bonus paid by
the manufacturer to the garage to be reduced.

Although collection of information or feedback from customers might be considered
to have been reasonably successful, the analysis of such data so that it provides a
measure of the success of the organization in satisfying its customers is difficult.
Analysing the data on a simple questionnaire can be time consuming even when there
are only a few questions.

Any attempt at analysis also highlights the importance of asking the right questions,
and often, after receipt of the first batch of completed questionnaires, changes need to
be made to the questionnaires to improve the feedback from customers.
Small organizations should keep their questionnaires very simple with only a few
carefully thought out questions. Larger organizations can use questionnaires that have
more questions. The answers can be entered into a computer and analysed to obtain
indicators of customer satisfaction.

The successive analyses of customer satisfaction will be considered at management
review meetings when weaknesses and strengths will be highlighted and new quality
objectives can be set for the ensuing period.

(c) Telephone calls

One way to select customers for such telephone calls is to telephone customers who
have not responded to customer satisfaction questionnaires. Another way is to
telephone a given percentage of customers who have used the organization in some
way or other during the previous week or month.
Customers who have failed to make a complaint, or those who have failed to return a
questionnaire, will sometimes reveal on the telephone that they have not been fully
satisfied with the product or service provided by the organization.

Sometimes questionnaires are supplemented by telephone calls to customers who
have recently purchased products or used the organization’s services, to ascertain their
levels of satisfaction. Some organizations have a declared policy of contacting each
week a given percentage of customers who have used the organization in some way
or other during the previous week. Such information should, of course, be logged
properly for examination by the management of the organization.

(d) Casual feedback from customers

Such opportunities arise when members of senior management meet their
counterparts for whatever reason and when sales staff routinely meet customers and
potential customers in the pursuance of further orders. It is important that all such
feedback is reported factually for inclusion in any customer satisfaction analyses.

(e) Follow-up of ‘lost’ customers


If an organization manages to retain a customer over a long period of time it is
reasonable to assume that the customer continues to be satisfied, whatever may have
happened in the interim period. Satisfied customers usually return again and again
when the next purchases are being contemplated.
The absence of customer complaints must not lead to the assumption that all
customers are entirely satisfied with an organization’s product and/or service. Before
quality systems standards were adopted, many organizations did not have a systematic
method of dealing with complaints. In other cases, even after implementation of a
quality systems standard, it is clear that only serious complaints were being
systematically recorded. This meant that the number of complaints over a given
period of time was small in relation to the output. However, relying on the number of
customer complaints to give an indication of customer satisfaction, however well
organized, is unlikely to give the complete picture as far as customer satisfaction is
concerned. A relatively small number of complaints received and recorded may be
only the tip of an iceberg as far as customer dissatisfaction is concerned.
In fact, dissatisfied customers often do not express their opinion to the organization
concerned. ‘Lost’ customers can be lost for a number of obvious reasons, but to lose a
customer because of unknown customer dissatisfaction is something that any forward-looking
organization tries very hard to avoid. It is such possible loss of customers that
prompts many organizations to publicize, in various ways, their intention to satisfy the
requirements and expectations of customers in the hope that any disappointments will
be brought to their attention. Well publicized statements positively encourage
customers to express any dissatisfaction with the organization in the hope that they all
will ultimately prove to be satisfied and long-standing customers.
Every effort should be made to obtain repeat orders following disclosure of loss of
future business. A good sales force should be able to explain why repeat orders have
not been placed by a particular customer. The reasons may vary, i.e. failure to deliver
on time, unsatisfactory product or service in terms of reliability, unsatisfactory
warranty arrangements, price not competitive and so on. Whichever is the case, the
findings must be documented so that factual information can be analysed for inclusion
in any customer satisfaction analyses.

(f) Poor administration

Comments about perceived poor administration and apparent incompetence of
organizations are frequently heard. Such comments may concern relatively trivial
matters (trivial in the sense it would require little effort to make an enormous
improvement) such as automated telephone services or the incompetence of
individuals who do not do what they promise to do so that a repeat call is necessary.
If a customer’s perception of an organization is adversely influenced by such
experiences, they are more likely to go elsewhere with their enquiry. Customers and
potential customers should therefore be asked at every opportunity whether they are
satisfied with the administrative arrangements. Their factual comments must be
recorded for future analysis and included in customer satisfaction reports.
Secondary sources of information from customers

Customer satisfaction data can also be obtained from the secondary sources of customers, such
as the following.

(a) Consumer research and reports

Two well established secondary indicators of consumer satisfaction are Which? reports
published by the independent Consumers’ Association, and media investigations, such
as the BBC ‘Watchdog’ programmes.
The Consumers’ Association usually examines mass-produced products, such as cars
and washing machines, and publicizes widespread impartial investigations using
customer feedback, which results in the listing of ‘best buys’ and criticisms of products
and services.
The ‘Watchdog’ programmes, on the other hand, usually focus on products and
services provided by national organizations, or sometimes international organizations,
which have resulted in intense customer dissatisfaction by one or more customers.

All such reports and programmes give an indication of customer satisfaction with
products or services of particular organizations. Some may be relevant to other
organizations attempting to monitor customer satisfaction, if only to suggest questions
that might be included in their own questionnaire.

(b) Press reports


Journalists also highlight public dissatisfaction. There have been a number of high
profile cases in the public domain. In such cases the limitations of individuals or
management resulted in customer dissatisfaction. All such cases provide valuable
information for many organizations that are trying to achieve customer satisfaction.
Each organization can decide how it monitors customer satisfaction although the
methods used for obtaining and using the information have to be determined.

Internal audit (clause 8.2.2)


The text of clause 8.2.2 in ISO 13485 is no different from the corresponding clause of ISO
9001, with the exception that reference is made to ISO 19011, Quality auditing – A guidance
document.
A procedure is required on internal auditing (see PC 103).

A carefully planned audit programme, if executed properly, ought to give confidence to top
management that the:

• organization’s quality management system complies with the requirements of
ISO 9001:2000;
• resulting quality management system has been effectively implemented and maintained;

• organization is doing what it has planned to do in accordance with clause 7.1.

Thus, internal auditing ought to be a first-class management tool and any findings might
provide opportunities for improvements to be made. Internal audits have to be carried out at
planned intervals.

When auditing against ISO 9001:1994, internal auditors had to determine the effectiveness of
the quality system and verify whether quality activities and related results complied with
planned arrangements (i.e. the organization’s procedures and work instructions). ISO 9000:1994
did not require the internal auditors to measure the organization’s compliance with the actual
requirements of the standard. This has now been introduced when auditing against
ISO 9001:2000.
Personnel other than those who actually perform the activity being audited must conduct the
audits. Thus, auditors must not audit their own work. This is a welcome change, particularly for
small organizations, since finding an independent auditor within a small organization is not
always possible.
It has been common practice for all internal auditing to be conducted only as compliance
audits against the organization’s procedures and work instructions. The new focus is on
processes. Thus, an auditor could take one of an organization’s major processes and work
through it meticulously, step by step, until a final product is reached or a service is completed
to the satisfaction of a customer, or customers. In working through a major process, pauses in
the steps forward will be inevitable and frequent, during which time supplementary processes
will have to be checked. These, in turn, will result in examination of compliance with one or
more of the organization’s procedures, work instructions and forms. Some compliance auditing
will still continue to be necessary.

The new focus on processes will mean that internal audits are likely to take much more time
and skill than would be the case if an auditor were merely checking for compliance with one
or more isolated procedures. Auditing should become much more interesting and more
meaningful because of its direct link with the reasons why an organization exists. Moreover, in
discussions with auditees, it should provide opportunities for considering ways in which
changes might be made to the major processes, and to the associated supplementary
processes, so that the major processes can be improved.
An audit programme, or audit schedule, must be prepared that covers all the areas to be audited.
As explained in the previous paragraphs the focus should be on the organization’s major
processes. Once these have been clearly identified all the other audits can be planned
accordingly in logical sequence. The schedule must identify the frequency of such audits based
on the status and importance of various activities. The schedule of internal audits should be
flexible and changes will be inevitable as the results of earlier audits become available.
A properly designed nonconformity form is recommended for use during internal audits. This
will include, as a minimum:

• a section for defining the nonconformity;

• the department where the nonconformity was located;


• the individual who identified it and when;

• the corrective actions agreed to be taken;

• the individual responsible for undertaking the corrective action and when.

The form should include space for preventive action to be recorded, if this is deemed
necessary (see clause 8.5.3). Another section requires verification of the corrective action (and,
perhaps, preventive action) by the management representative or some such designated
person.

The findings of internal audits are a key item on the agenda of management review meetings,
which includes the effectiveness of any corrective (and preventive) actions.

Monitoring and measurement of processes (clause 8.2.3)


The text of clause 8.2.3 in ISO 13485 is no different from the corresponding clause of ISO 9001.

All processes must be monitored and measured, as and when deemed necessary, in such a
way that the output of a major process will satisfy customer requirements.

All monitoring and measurements must confirm the continuing ability of each process to
achieve the specified requirements. In the event that requirements are not being met, a
nonconformity form is completed. The same information needs to be recorded as for internal
audits (see clauses 8.5.2 and 8.5.3).
Any lower-level processes also need to be monitored in the same way.

Monitoring and measurement of product (clause 8.2.4)


General requirements (clause 8.2.4.1)
The organization must monitor and measure the characteristics of the product and/or service,
to verify that product and/or service requirements have been met. This must take place at
appropriate stages of the product realization process in accordance with planned arrangements
(see clause 7.1) and documented procedures (see clause 7.5.1.1). In the case of ISO 9001 no
such procedures are required, but clearly an organization could benefit from such procedures.
Evidence of conformity with accepted criteria must be documented and maintained. Records
must indicate the person, or persons, authorizing release of product (see clause 4.2.4).

Product release and service delivery must not take place until all planned arrangements have
been satisfactorily completed (see clause 7.1).

With ISO 9001, product can be released in certain circumstances if planned arrangements
have not been completed satisfactorily. In such cases, permission to release product can only
be given by a relevant authority and, where applicable, by the customer. Records must indicate
the person(s) authorizing release of product.
Particular requirement for active implantable medical devices and implantable medical devices (clause 8.2.4.2)
The organization must record the identity of any personnel who are carrying out any
inspection or testing (see clause 4.2.4).

This requirement is not mandatory with ISO 9001, but its adoption could only be in
everybody’s interests.

Control of nonconforming product (clause 8.3)


A procedure is required for identifying and controlling all nonconformities of product, or
service, to prevent its unintended use or delivery (see PC 104). (Quality management system
nonconformities have already been addressed in clause 8.2.2 and process nonconformities
have been addressed in clause 8.2.3.)

Manufacturers
All nonconformities in product must be properly recorded and the nature of the nonconformity
clearly explained. If the nonconformity has been caused by an individual then this should be
highlighted on the report as this will help identify training needs that might be applicable to
that individual and maybe their whole department. In some cases, the cause of nonconformity
is not the result of an individual’s action or inaction, but may have been introduced earlier in
the design stage. Any nonconforming product should be clearly identified and the nature of the
nonconformity should be recorded on a prescribed form. In addition, the nonconforming
product must be carefully controlled to prevent unintended use or delivery.
Nonconforming product must be dealt with in one or more of the following ways:

(a) by taking action to remove the detected nonconformity;

(b) by authorizing its use, release or acceptance under concession;


With ISO 13485 concessions cannot be granted on medical products if regulatory
requirements have not been met. Otherwise, the relevant authority could grant
concessions.

With ISO 9001 there is no restriction, but concessions can be granted only by a
relevant authority and, where applicable, by the customer.
(c) by taking action to preclude its original intended use or application.

Whenever a product needs to be reworked, the organization must have a documented work
instruction for any rework process that has undergone the same authorization and approval
steps as the original work instruction. Prior to authorization and approval of a new work
instruction, a determination of any adverse effect of the rework on the product must be made
and documented (see clauses 4.2.4 and 7.5.1).
ISO 9001 does not require authorization and approval of a new work instruction nor does it
require a determination of any adverse effect of the rework of the product. This should be
carried out and documented. These steps would appear to be admirable and could easily be
adopted for non-medical products for organizations seeking registration to ISO 9001 as well as
to ISO 13485.

Records of the identity of the person authorizing the concession must be maintained (see
clause 4.2.4).

Whatever is the case, a record must be kept of the corrective action taken. The quality
manager must be kept fully informed. Only when the quality manager, or some such
nominated person, is satisfied that the nonconformity has been dealt with satisfactorily will
they sign-off the nonconformity form, which is retained as a QMS record (see clause 4.2.4).
If the organization becomes aware of nonconformity in a product after it has been delivered to
a customer, and even after a customer has started to use the product, it must take appropriate
action regarding the consequences, or potential consequences, of the nonconformity.

Exactly the same procedure should be followed in the case of outsourced processes
immediately after the nonconformity has been found.

Service organizations

Similar arguments apply to service organizations. If, during the delivery of a service, the
organization becomes aware of a nonconformity in the delivery of a service or through
comments made by a customer receiving the service, the nonconformity must be fully
documented as for a manufactured product and consideration be given to placing the service
‘on-hold’ until the problems have been amicably resolved with the customer.

Recording of nonconformities

In all cases in which product or service nonconformities arise every effort should be made to
identify and record on appropriate nonconformity forms the causes of nonconformities (see
clauses 8.5.2 and 8.5.3).

Review of causes of nonconformities


Nonconformities will arise for many reasons in any organization, e.g. human error, disregard
for procedures or other documentation; or an impractical procedure or process that has not
been properly tried and tested before its introduction.

Top management must review all such factual information on nonconformities. The regular
management review meetings are intended to be the focus of such discussions. Unplanned
management review meetings can, of course, be called at any time.
Top management should be in a position to manage nonconformities if:

(a) they are identified;


(b) the reasons for the nonconformity are identified;

(c) appropriate corrective (and, perhaps, preventive) actions are taken; and
(d) all relevant information [such as (a), (b) and (c)] is fully documented.

Analysis of data (clause 8.4)


ISO 13485 requires an organization to establish documented procedures and to determine,
collect and analyse appropriate data to demonstrate the suitability and effectiveness of the
quality management system. The organization must also make an evaluation as to whether
improvements to the effectiveness of the quality management system can be made.
ISO 9001 does not contain any specific requirements for the analysis of data. However,
provision for data analysis can still be addressed through an ISO 9001 management system
provided that preference is given to improving the effectiveness of the quality management
system whenever medical devices are being manufactured.

Data will include that generated as a result of monitoring and measurement and from any
other relevant sources.
The analysis of data will provide information in relation to:

(a) feedback (see clause 8.2.1 of ISO 13485);

This feedback is objective evidence on conformance or nonconformance with
requirements. The data can be analysed by whatever method is deemed to be
appropriate for medical devices.
Customer satisfaction (see clause 8.2.1 of ISO 9001)

Customer satisfaction is subjective evidence, but any analyses, if done properly, will give an
indication of customer satisfaction with the product or services provided by an
organization;

(b) conformance to product and/or service requirements (see clause 7.2.1);

(c) the characteristics and trends in processes, and products and services, including
opportunities for preventive action;

(d) the performance of suppliers.


Other sources would include, in particular, data on achievement of quality objectives
(see clause 5.4.1) and analyses generated for management review meetings (see clause 5.6).
These two sources will provide objective evidence on the suitability and effectiveness, or
otherwise, of the quality management system and also provide opportunities for continual
improvements in the effectiveness of the quality management system.
Records of the results of the analyses of data must be made and maintained (see clause 4.2.4).
There is no such requirement for ISO 9001, but results would usually be kept and easily
maintained.

Improvement (clause 8.5)

General/Continual improvement (clause 8.5.1)


With reference to ISO 13485
The organization must identify and implement any changes necessary to ensure and maintain
the continued suitability and effectiveness of the quality management system through the use
of the quality policy, quality objectives, audit results, analysis of data, corrective and preventive
actions, and management review.

The organization must establish documented procedures for the issue and implementation of
advisory notices. These procedures must be capable of being implemented at any time.
Records of all customer complaint investigations must be maintained (see clause 4.2.4). If
investigation determines that the activities outside the organization contributed to the customer
complaint, relevant information must be exchanged between the organizations involved. If any
customer complaint is not followed by corrective and/or preventive action, the reason must be
authorized (see clause 5.5.1) and recorded (see clause 4.2.4).

If national or regional regulations require notification of adverse events that meet specified
reporting criteria, the organization must establish documented procedures to notify the
relevant authorities.

None of these requirements should present any difficulties for an organization seeking
certification to ISO 13485 and ISO 9001.

With reference to ISO 9001


In the case of ISO 9001, this requirement can easily be addressed by ensuring the continued
suitability and effectiveness of the quality management system.

The requirement for continual improvement in the effectiveness of the quality management
system does not automatically mean a continual improvement in products or services. It does
mean that an organization should always be striving to make changes that will result in
improving processes in the interests of efficiency, economy, etc. In fact these are all the things
that a good company should be doing in any case, irrespective of ISO 9001. Some areas of
process improvement could include:

• management;

• organization;
• new resources (more competent people and better physical resources);

• monitoring and measurements;

• collection and analysis of data;


• technology.

Some of these changes might result in improvements in existing products, but the focus is on
the processes and any improvements in a product from such changes could be coincidental.

Corrective action (clause 8.5.2)


The organization must take corrective action when nonconformities arise and also in response
to customer complaints.

Nonconformities
Corrective action is essentially a backward-looking phenomenon starting, at the latest, from the
time that a decision is made that corrective action is necessary in order to put right that which
is going wrong or that which has gone wrong and, whenever possible, to eliminate the cause of
nonconformity in order to prevent a reoccurrence. The implementation of the corrective action
may not always be possible immediately, but it will take place as soon as possible or as
appropriate in the immediate future. Eliminating the cause of nonconformity in order to
prevent a reoccurrence of nonconformity can also be regarded as a preventive action (see
clause 8.5.3).

When a car driver notices that a red warning light for the car battery on the dashboard lights
up intermittently, it is an indication that something is wrong. The most likely reason for a
flashing red light is that the battery is being charged only intermittently and the cause, at its
simplest, might be a slipping drive-belt. The driver, or other person, can take corrective action
immediately, or within a relatively short time, by taking the slack out of the drive-belt and
thereby return the battery charging to normal, when the red light will go out.
If a car driver ignores a constant red warning light it will mean, if ignored for long enough, that
the battery will become discharged. If an emergency breakdown service is called, the
mechanic might detect one of several reasons as the cause of the problem such as:

(a) a broken drive-belt on the alternator;


(b) a faulty battery that is no longer able to retain charge from the alternator;
(c) a faulty alternator.

The mechanic may be able to take corrective action to put right immediately what has gone
wrong; on the other hand, if another part is required that he does not carry and if it is out of
normal working hours, then the corrective action may not be able to take place until some
time in the near future when spare parts establishments are open.

Another example of corrective action being required after something has gone wrong might be
as follows. A car has been taken to a garage for a specific purpose such as a routine service.
Most owners check their coachwork when collecting their cars before leaving the garage. If any
damage has been done to the car whilst in the garage, e.g. if a wing of the car has been
scratched, this can be pointed out immediately. In such circumstances, the garage has to
accept responsibility and it will take corrective action to put right that which had gone wrong,
by re-spraying the wing. Incidentally, if the owner had returned to the garage a month later to
have another job done and on collecting the car discovered that another part of the car has
been badly scarred, the previous corrective action to put right that which had gone wrong
would have done nothing to prevent it from happening again in the future. The first incident
might have resulted in a request or warning to all staff to be more careful in the future, but the
warning would, hopefully, have removed the cause of such nonconformities.

The sole purpose of taking corrective action in the above cases was to eliminate the cause of
the nonconformity. In the case of the re-spray of a wing, the re-spraying returns the car to its
status quo. Likewise, tightening a loose driving-belt, replacing a driving-belt or replacing an
alternator are all corrective actions that are taken to put right that which was going wrong, or
has gone wrong and, whenever possible, to eliminate the cause of nonconformity in order to
prevent a reoccurrence.
A corrective action procedure (see PC 105) is required to define requirements for:

(a) reviewing nonconformities and customer complaints;


(b) determining the causes of nonconformities;
(c) evaluating the need for action to ensure that the nonconformities do not recur;
(d) determining and implementing action needed including, if appropriate, updating
documentation;
The ISO 9001 standard does not explicitly require the need to update documentation
but this could easily be included, with benefits, in the procedure.

(e) recording the results of the investigation and the action taken (see clause 4.2.4).
Likewise, ISO 9001 does not require any subsequent actions to be recorded but again
this could easily be included in the procedure.
(f) reviewing the corrective action taken and its effectiveness.

Similarly, ISO 9001 could easily review the effectiveness of corrective actions in
the procedure.

Nonconformities should be recorded on a prescribed form (a nonconformity form) by the
person identifying the complaint, or by a nominated person or persons. The form identifies the
nonconformity, who identified it, and the date and time of identification. The form includes
space to state the corrective action taken, i.e. action taken to put right that which has already
gone wrong, or is going wrong. The person who accepts responsibility for the corrective action
should sign that part of the form. The form should include space for preventive action, i.e.
action that the organization may decide it has to take in order to prevent a similar occurrence
of a similar nonconformity in the future (see clause 8.5.3). Finally, the prescribed form should
be signed off only by a responsible person within the organization, usually the management
representative, when he or she is satisfied that the nonconformity has been satisfactorily dealt
with from every point of view and the actions taken have been completed in every respect.

The corrective action taken should also be reviewed to decide whether it has been effective in
dealing with the nonconformity.

Nonconformity forms are systematically filed and presented at regular management review
meetings. One person, usually the management representative, should provide a summary of
events for the period between management review meetings.

Corrective actions must always be appropriate to the impact of the problems encountered and
the likelihood of them happening again. For example, a large amount of money should not be
spent following a single nonconformity or a single complaint when either is considered to be a
‘one-off’ event with a very low probability of recurrence.

Customer complaints

There seems to be some doubt about what is meant by a customer complaint. A good
guideline is that if anyone in an organization feels that it is necessary to apologize to a
customer, because the customer appears to be aggrieved by what has happened, or by what
has not happened, then a complaint has been received. It may appear to be an unjustifiable
complaint, but the customer evidently thinks otherwise so the complaint should be
acknowledged and investigated without undue delay.
Good organizations respond promptly to any customer complaints. A customer complaints
form, similar to the nonconformity form, should be used to deal with the complaint. Every
complaint should be recorded on the prescribed form. The form identifies the customer who is
complaining, the date and time of receipt of the complaint, the recipient of the complaint, and
the nature of the complaint. The form includes space to state the corrective action taken, i.e.
action taken to put right that which has already gone wrong, or is going wrong. The person
who accepts responsibility for the corrective action should sign that part of the form. The form
should include space for preventive action, i.e. action that the organization may decide it has
to take in order to prevent occurrence of a similar complaint in the future (see clause 8.5.3).
The prescribed form should only be signed-off by an authorized individual within the
organization, usually the management representative, when they are satisfied that the
complaint has been dealt with satisfactorily. Finally, the effectiveness of the actions taken
should be reviewed to ascertain that they have been effective.
The achievement of customer satisfaction is paramount. Even when investigations might show
that a complaint is considered to be unjustified, many organizations often give the customer
the benefit of any doubts and, sometimes, even when it is thought that the customer might be
partly to blame for what has gone wrong or even has lied about events, such doubts will result
in corrective action being taken as a measure of goodwill.

Customer complaint forms are systematically filed and presented at regular management
review meetings. One person, usually the management representative, provides a summary of
events since the last management review meeting.

Management should view customer complaints in a positive manner. They should not be used
to ostracize people. Complaints, when properly recorded, are an important management tool.

Most customers usually accept with good grace most mistakes, provided corrective action is
taken promptly. More importantly, from the organization’s point of view, customer goodwill is
thereby usually retained.

Preventive action (clause 8.5.3)


Preventive action is essentially a forward-looking phenomenon starting, at the earliest, from
the time that a decision is made that preventive action is necessary in order to prevent a
nonconformity or the recurrence of a nonconformity. Again, the implementation of the action
may not always be possible immediately, but it should take place as soon as possible.

An example in the former category is when preventive action is taken following a series of
incidents that have resulted in a number of corrective actions being taken, for essentially the
same reasons. If the paintwork of cars is being scratched regularly whilst they are being
serviced in a workshop, the garage will probably take action that hopefully will reduce the
likelihood of such incidents in the future. This would be preventive action.
An example in the second category of preventive action is when a car manufacturer decides
that a particular part that it has made will, or might, fail sometime in the future with disastrous
consequences. The manufacturer advises garages accordingly and the replacement of the said
part, or parts, is a preventive action by garages.

A preventive action procedure (see PC 106) is required for:

(a) determination of potential nonconformities and their causes;
(b) evaluation of the need for action to prevent occurrence of nonconformities and,
following a corrective action, to prevent a recurrence of a nonconformity or customer
complaint;
(c) determining and implementing action needed;
(d) records of the results of any investigations and of the action taken (see clause 4.2.4):
ISO 9001 does not require records of the results of any investigations but this
requirement could easily be included in the procedure.
(e) reviewing preventive action taken and its effectiveness.

Again, ISO 9001 does not include a review of the effectiveness of preventive actions but this
too could be introduced.

The same nonconformity form, or customer complaints form, can be used for recording details
of any preventive actions taken.

As with corrective actions, any preventive actions taken must be appropriate to the impact of
the potential problems and the likelihood of a problem recurring. Thus, it may be decided that
no preventive action is to be taken. For instance, the single failure in many thousands of cases
may not warrant the very high expense associated with the perceived preventive action
necessary to prevent a similar occurrence in the future. Likewise, a risk may exist in theory yet
not justify the expense of reducing the probability of that risk occurring.

Chapter 9:
Justification for exclusion of design and development

Introduction
This chapter should be read in conjunction with clause 7.3, Design and development in
Chapter 7.

Some exclusions from clause 7 are easy to justify and these have been referred to in Chapter 4.
However, exclusion of design and development is not always easy.

In both ISO 9001 and ISO 13485 clause 7.3 has seven subclauses. These are:

7.3.1 Design and development planning;
7.3.2 Design and development inputs;
7.3.3 Design and development outputs;
7.3.4 Design and development review;
7.3.5 Design and development verification;
7.3.6 Design and development validation;
7.3.7 Control of design and development changes.

For people who have no experience of design and development work, it is important to realize
that up to and including clause 7.3.5, no product has been made. In the case of more
nebulous products such as the ‘product’ of a hospital, and similarly for a residential home for
elderly people, no action should take place before clauses 7.3.1 and 7.3.5 have been
addressed if design and development is to be included.

Ideally, clause 7.3.6 should also be addressed before manufacture or action commences. If these
points are clear then the remainder of this chapter will be understood more easily.

Manufacturing organizations
Clause 7.3 is unlikely to cause any problems for many manufacturers. For instance, if a
company merely manufactures a product to a third-party specification, be it the customer’s
own specification or some other specification acceptable to the customer, then the
manufacturer can justifiably claim that clause 7.3 can be excluded as far as product made to
that specification is concerned.

However, what is the position if a company has justifiably excluded clause 7.3 on the basis
of the former paragraph and then decides, after manufacturing some of the product, that it can
improve the product, either by improving the processes or improving the end product itself?
Alternatively, a customer, in the light of experience using the first batch of the product, might
suggest to the manufacturer that the product would be even more acceptable if certain
changes could be made to the design before the next batch is produced. If a company does
decide to make changes to the original specification in the light of this new knowledge or
experience, the company is in fact undertaking development work to improve the original
design. The range of possible development work might extend from being a relatively trivial
change in the specification to a much bigger change in the specification. Would the earlier
justified exclusion of clause 7.3 now become unjustifiable? Moreover, if a trivial change means
that clause 7.3 can be excluded, at what point does a trivial change become non-trivial to the
extent that clause 7.3 can no longer be excluded?

Incidentally, it has been assumed in the previous paragraph that the manufacturer has not been
presented with a new updated specification for the next production batch. If this were the
case, the manufacturer would not be involved with development work (and perhaps only with
the re-tooling), so that the original justified exclusion would still apply as far as the product in
question is concerned.

Service organizations
Consider next a service industry, which does not manufacture products, but provides services.
A field marketing company is one such case. A typical field marketing company will have many
clients and its core business is providing appropriate field marketing personnel, on a short-term
or long-term basis for their clients over a wide range of marketing opportunities. The selected
field marketing personnel might operate as sales teams, undertake merchandising, provide
road shows, give demonstrations, undertake auditing in the marketplace, carry out mystery
shopping and other activities.
In practice, the following occurs. The company’s client presents its needs and expectations.
These are carefully examined. The field marketing company prepares a detailed cost proposal,
which if successful is checked and rechecked before the operational stage. Whatever the
proposed operational activities, they are based on previous experience over a number of years,
so that the company has a more or less standard approach for implementing the activities such
as those listed above. There may be some fine-tuning of a proposed activity in order to satisfy
the slightly different needs of clients. Fine-tuning will, in any case, take place from time to time
based on the company’s earlier experience with similar activities, with the same client or other
clients.

Are the proposals for such service activities to be considered as design work and is the fine-
tuning development work? Such a company must consider such activities carefully before
deciding what stance to take.

Outsourcing of design and development work


If an organization delegates design and development work to another organization the relevant
responsibilities must be clearly defined and agreed. In some cases the outsourcing organization
will be able to exclude the whole or parts of clause 7.3, while in other circumstances this may
not be possible.

Sometimes readers might have difficulty in deciding whether design and development can be
justifiably excluded from their quality management system. Two examples are provided below.

A study of these examples might help readers to come to the right decision on whether in their
own case the design and development clause (7.3) can be justifiably excluded.

Example – Hospitals
ISO 9001 provides an opportunity for introducing quality into hospitals.

The major processes in any hospital are diagnosis and treatment. It is these processes that
are intended to maintain and, if possible, improve the quality of the life of a patient. ‘To
maintain or improve the quality of life of a patient’ can be regarded as the product of a
hospital. All the other activities that take place within a hospital associated with patient
care and support can be regarded as services.
When a patient is admitted to a hospital, after being taken through standard admission
procedures, the patient is made as comfortable as possible, as quickly as possible. Shortly
thereafter, an assessment is made by a professional person, such as a consultant in
medicine, a consultant psychiatrist or a nurse therapist to determine how to achieve the
best possible quality of life for the patient. Once a decision is made, it is usual to record
the findings in a few simple explicit sentences summarizing the general state of the patient
and making clear what action is to be taken, and when, for the benefit of the patient.

Can design and development, clause 7.3 in ISO 9001, be justifiably excluded from the
quality management system documentation for a hospital? In order to decide this, each
subclause of 7.3 is examined below against the major process of diagnosis and treatment
in a hospital.

Possible patient pathways leading to diagnosis and treatment in hospitals


Accident and emergency patients
The Accident and Emergency Department provides diagnostic and emergency treatment.
As soon as possible after reporting to the department a diagnosis is made to determine the
severity of a patient’s condition, with a view to discharge following treatment or to
providing emergency treatment as soon as possible or by immediate admission to the
hospital, whichever is considered to be most appropriate. The diagnosis and proposed
treatment, if any, will be recorded in the patient’s case notes.
The most senior person on duty will decide, in most cases without referral to anyone else,
what needs to be done to maintain or improve the patient’s quality of life.

Outpatients

Patients attend hospitals at appointed times to undergo investigative procedures. Such
procedures vary according to the nature of the suspected problem. The patient is seen by
a professional. Each individual process is a minor process, but collectively results in the
major process of diagnosis leading to treatment. The findings of the diagnosis are recorded
in the patient’s case notes.

Day patients and inpatients

As soon as possible after admission, the patient is examined and a case history is built up
in the patient’s case notes. If the patient has been to the same hospital before, the
patient’s case notes will be made available, in which case, the case notes will be brought
up to date. Minor processes may be called upon to aid the diagnosis: these might include
an X-Ray examination, an ultrasonic examination, electrocardiography examination, as
well as analyses of blood and urine samples. The case notes for the patient will contain the
results of each such investigation, as well as the results of any previous investigations.
These and any other minor diagnostic processes will enable the consultant in charge of the
patient to diagnose the problem. The diagnosis will be recorded in the patient’s case
notes. The consultant will then decide, in most cases without referral to anyone else, what
needs to be done to maintain and improve the patient’s quality of life.

In all the cases mentioned above (accident and emergency patients, outpatients, day
patients and inpatients) decisions are usually made by one professional who is ultimately
responsible for the quality of life of the patient while in their care.

Example – Legal companies


Sometimes there may be further possible complications when considering justifiable
exclusion of clause 7.3. For instance, the work undertaken by a legal company might fall
into two categories: contentious work and noncontentious work.
Contentious work
In all the contentious work it would appear that there is no problem in formulating client
requirements. The problem is in ensuring that the output will meet the input requirements.
The first clause 7.3.3(a) of ISO 9001:2000 is quite explicit, namely that the outputs shall
meet the input requirements. This is not to be interpreted as a mere aspiration.

Since clause 7.3.3(a) cannot be addressed with certainty, the subsequent clauses, 7.3.4,
7.3.5, 7.3.6 and 7.3.7 become irrelevant. This is likewise the case with clause 7.3.1, the
‘planning’ clause.

Since only the input clause can be addressed with certainty, the whole of clause 7.3 can
be justifiably excluded from the requirements of ISO 9001.

Example: Claim under health and safety legislation


Consider a legal company that is approached by an employee who is seeking
compensation from their employer for physical or mental injuries received at work.

Design and development inputs (clause 7.3.2)

The prime purpose of a legal organization is to ensure that the needs of its clients are
addressed and, if the employer can be shown to have been negligent, to obtain
compensation in return for the negligence that might have caused mental and physical
damage to the client.

On first reporting to the legal company, the client is taken through more or less standard
questioning by a professional person, with specific expertise in litigation cases concerning
health and safety issues, to ascertain the facts in connection with the alleged incident.

(a) If physical damage has been caused to the client by the negligence, the
‘functional and performance requirements’ are to ensure that the individual’s
health is restored to what it was before the incident. This can only be determined
following a clinical examination of the client. If the client is mentally disturbed as
a result of the incident, psychiatric examination may be necessary.

(b) It is axiomatic that a professional person responsible for the interests of a client
will abide by statutory and regulatory requirements.

(c) All professionals responsible to a client will automatically draw on their
knowledge and experience. This might not be recorded and it might be
impractical to do so.
(d) The professional will have ensured that all matters relevant, or possibly relevant,
to the case, will have been addressed. Otherwise, the professional would not
have done their job properly.
The professional will certainly review the facts and their deductions for adequacy. Their
professional training ensures that all aspects of the case will have been noted.
Professionalism again means that there is no ambiguity or conflict in requirements.

Thus, the input requirement is to restore the individual back to the state he was in prior to
the incident. A secondary requirement might be to obtain financial compensation for the
inconvenience caused by the incident. (If the client is neither physically nor mentally
damaged, financial compensation may be the only design and development input.)
It would appear that clause 7.3.2 cannot be justifiably excluded.

Design and development outputs (clause 7.3.3)

• 7.3.3(a) Meeting the input requirements


In a legal case, the input is provided from the professional’s interview with the client.
The professional alone will usually decide on what is to be done for the benefit of the
client. The professional cannot be certain that when the proposals are implemented
that, in spite of extensive knowledge and experience and due consideration of the
input from interviews, the results will prove satisfactory to a given client. The
professional is also aware that there is no such thing as a standard client with a
standard case and that what has resulted in a completely satisfactory outcome for one
client might be less successful in another case with apparently similar problems. Legal
matters are not an exact science so that expected outputs cannot always be
guaranteed.

A lawyer’s brief may be a few pages, but it can also be extensive, running into many
pages. The brief will state the way forward in the light of the known facts. The
expected outcomes are likely to be recorded, but there is no certainty that an
expected outcome will be achieved. Thus, in the legal profession outputs are recorded,
but there is no question of comparing design and development inputs (the brief) with
design and development outputs (the outcome) before legal action is taken.
Clause 7.3.3(a) cannot be addressed and can be justifiably excluded.

• 7.3.3(b) Provision of information for purchasing, production and service provision

The lawyer will provide whatever information is required in order to support their case
and thereby achieve a satisfactory output in accordance with the input information
provided by the client. But as explained above, the output is uncertain, so that
whatever information is provided, the unknown output cannot enable verification
against the design and development input.
Clause 7.3.3(b) can be justifiably excluded.
• 7.3.3(c) Product acceptance criteria

The designed output is drawn up by a professional and does not have to be approved
by anyone. The client will be advised what the sought-after designed output is.
The acceptance criteria cannot be stated rigidly. At best a desirable outcome in favour
of the client can be stated. Law is not an exact science and others will decide the final
results. Clause 7.3.3(c) cannot be addressed because rigid acceptance criteria cannot
be stated by the client or given by the lawyer.
As a result, clause 7.3.3(c) can be justifiably excluded.

• 7.3.3(d) Characteristics of the product that are essential for its safe and proper use.
This clause requires that the service to be provided by the professional be done
properly. (Safety is irrelevant in this case.) This is axiomatic, or should be, by reason of
the professional’s training. To attempt to prove that the service to be provided will be
done properly is impracticable. Both requirements are inherent in the activities of the
professional by virtue of their knowledge, training, experience and competence.
Clause 7.3.3(d) is impractical and can be justifiably excluded.

Design and development review (clause 7.3.4)


A professional prepares a brief based on the information provided by their client and the
relevant aspects of the law.

The purpose of a design and development review is to ensure that the design and
development output does indeed match the design and development input. However,
as explained in 7.3.3(a), legal outputs cannot be defined beforehand so that any reviews,
however long and thorough, can never result with certainty in the designed output for
the client.
As a professional, the lawyer will have provided a brief in the first instance that will merely
state a desired output.
Clause 7.3.4 can thus be justifiably excluded.

Design and development verification (clause 7.3.5)


In the legal profession, the output will be decided by a third party and so there can be no
attempt to verify that the output will meet the input requirements.

The professional decides what action to take. They might seek the second opinion of
another professional but there is no obligation to do so. The professional is well aware that
he cannot be certain that the output will match the input.

Clause 7.3.5 can, therefore, be justifiably excluded.


Design and development validation (clause 7.3.6)

Validation is an after-event, i.e. something that takes place after a product has been
manufactured or after a service has been provided. Its purpose is to ensure that a
customer is satisfied, i.e. that their needs and expectations have been addressed. If they
have not, the validation will expose any shortcomings so that they can be addressed to the
satisfaction of the customer or client.
Since the outcome has never been stated explicitly or with any definite certainty,
validation would appear to be impossible.
Clause 7.3.6 can, therefore, be justifiably excluded.
Control of design and development changes (clause 7.3.7)
This clause exists to ensure that if there are changes proposed by the customer, client, or
the lawyer dealing with the case, they are fully documented and agreed by both parties.
In a legal case, the professional is in complete control and can change the brief as deemed
necessary without reference to anyone else and in particular without reference to those
opposing the case against their client.
Clause 7.3.7 can, therefore, be justifiably excluded.

Design and development planning (clause 7.3.1)


The purpose of this introductory clause is to ensure that organizations plan and control the
design and development of a product or the provision of a service.
Examination of the above clauses shows that only the first clause (7.3.2) is applicable in
this particular legal case. In other words, the design and development input requirements
could be addressed. However, as explained above, all of the other clauses cannot be
satisfactorily addressed.
Since all the other clauses of 7.3, with the exception of clause 7.3.2, can be justifiably
excluded, then clause 7.3.1 can also be justifiably excluded.
Since clause 7.3.2 serves no purpose on its own, the whole of clause 7.3, Design and
Development, could be justifiably excluded in this particular case of contentious legal work.
Noncontentious work

Legal companies also conduct noncontentious work, e.g. trademarks, and terms and
conditions of trading.

In this type of work, outputs can be made to match inputs precisely and therefore all the
subsequent clauses need to be considered carefully. Planning (clause 7.3.1) would be
minimal, since what a client requires would follow standard processes for each particular
kind of work, perhaps controlled by a checklist.

In this case, clause 7.3 cannot be justifiably excluded.

Other cases
Readers may well be faced with cases in which they feel that design and development can be
excluded. In such cases they should study clause 7.3 and the examples given in this chapter
and apply similar arguments to their own situations.

Chapter 10:
Guideline audit questions

Introduction
The prime purpose of this book is to focus on ISO 13485, the medical devices standard.
However, since ISO 13485 is based on ISO 9001, as explained in the preface, an attempt has
been made to correlate the two standards when compiling audit questions.
If preparations are being made for certification to both standards simultaneously, it is important
to establish the different requirements for the two standards. There is much common ground
between the two standards but to help the reader distinguish the key differences in the
requirements of both standards, ISO 13485 requirements are printed in italics whereas the
corresponding ISO 9001 requirements are printed in bold. The regular text indicates provisions
that are applicable to both. In some cases a question is printed only once when there are only
a few extra words to be added to comply with the additional requirements of ISO 13485.
These additional words are also printed in italics.

In view of this new focus on processes, the new emphasis in auditing is on process auditing.
Process auditing means that the auditor is checking the sequential and interrelated steps
against planned activities, from the beginning of a major process until the final validated
product is achieved, delivered and, perhaps, installed or, in the case of a service, until the final
validated service is completed. This kind of auditing is called process auditing, rather than
compliance auditing, and it might prove to be more attractive to some employees because
they can relate more easily to the purpose of such audits.

In spite of the new emphasis on process auditing, there will still be a need for some
compliance auditing. Compliance auditing will be necessary when checking on the stand-alone
processes, such as calibration of measuring devices, when checking that the relevant
requirements of the standard have been addressed and when checking on the ‘output’ of a
major process.
The output of a major process is checked to ensure that the product or the service, or both,
meet the planned outputs. Sampling the outputs and comparing them with the required inputs
can do this. Good auditors will also check by various methods, such as checking on final test
records and customer complaints, to determine whether planned outputs are being met.

It is clearly impossible to produce an all-embracing list of audit questions for a universal major
process. However, it is possible to compile a comprehensive list of typical audit questions that
address the requirements of ISO 13485 and ISO 9001. Thus, the reader, when process
auditing, can then pick and choose the relevant questions when he or she is following a
specific audit trail through a major process, pausing, as necessary, when interacting processes
intervene, until the intended output is achieved. Compliance auditing is much easier and likely
to be less time consuming; the specific questions should also be of help to those conducting
such audits.

Another approach to be recommended to inexperienced auditors is to concentrate on a
particular group of questions. Concentrate on them until you are absolutely certain you
understand them individually and as a group. Write down your own ideas on how to address
them. Often, there is more than one way. Ask other people, colleagues and friends, how they
would address them and then, if possible, see how they have been addressed by experts in the
field. Out of such endeavours you will become fully familiar with the requirements of the
standard as far as that particular clause is concerned. You will know in your own mind how to
address those requirements and before very long, after carrying out one or two process audits
or compliance audits that involve the clause in question, you will find that only occasionally
will you have to refer to the relevant audit questions, or to the standard itself. If your auditing
decisions are ever challenged you will be in a strong position to answer.
It is perhaps necessary to stress that auditing is not just about having a list of questions or
knowing about such possible questions. To be a good auditor one requires other skills and
personal attributes. Newcomers to the art and science of auditing might benefit from studying
my earlier book ‘ISO 9000 Quality Systems Auditing’ [3].

These guideline audit questions can be used for internal auditing, second-party auditing and
for third-party auditing.

Some accredited certification bodies carry out their audits in two stages. In the first stage,
lasting perhaps one or two days, the object is to determine whether the organization has
prepared its quality management system in accordance with the requirements of ISO 13485
and ISO 9001 as they apply to the proposed scope of certification. In stage 2, an auditor is
seeking objective evidence that the planned processes, objectives, etc. as defined by the
documentation during the stage 1 audit (or pre-audit stage) are in fact being followed. Any
minor nonconformities raised during the stage 1 audit will have to be cleared during the stage
2 audit. The division between stage 1 and stage 2 audits is often inevitably blurred during the
actual auditing processes.

Surveillance audits are usually conducted at six-monthly intervals or annually depending on the
size, complexity and overall performance of the organization. Successive surveillance visits
check that the quality management system that was approved at the stage 2 audit is still in
place and is continuing to be effective. In the case of ISO 13485, the audit needs to verify that
current regulations, and possibly any new regulations, are being addressed and in the case of
ISO 9001, whether attempts are being made continually to improve the effectiveness of the
quality management system.
During a ‘closing meeting’ an auditor from a certification body should have stressed that they
have not been able to examine everything, however skilful they might be. In other words, they
have sampled what is going on within the organization. Surveillance visits also provide an
opportunity to widen the scope of the previous sampling. New nonconformities might be
found that did not come to light during previous visits. These are treated in the same way as
any earlier nonconformities.

Quality management system (clause 4)

General requirements (clause 4.1)

Has the organization established, documented, and implemented a quality management
system, and is it being maintained?

Can I have a copy of all such documentation for examination as and when appropriate?
(It is accepted that some parts might be in different departments and can be examined later.)

What do you understand as the purpose of the quality management system based on ISO
13485? Do you state this in your documentation?

(It is to maintain the effectiveness of the quality management system in accordance with the
requirements of the standard so as to consistently produce safe and effective products or to
deliver safe and effective services.)

If certification to ISO 9001 is being sought as well, there is an additional requirement
that the organization must also continually improve the effectiveness of the quality
management system. Is there a statement to this effect in your documentation?

What are the organization’s major processes?


Are there any supplementary processes (sometimes referred to as second- and third-level
processes) associated with any of the major processes?
Are these clearly identified?
Can I see any flow diagrams, charts, etc. that exemplify these processes?
Please show me how the second-level processes interrelate with the major processes at the
appropriate times and that they all function as planned.
What monitoring and measurements take place, followed by analyses, to ensure that planned
results are achieved?

How does the organization ensure the availability of appropriate resources?


Is there an individual who carries this responsibility or is it done by a committee?

Can you show me evidence of one such case?


How do you ensure that appropriate documentation/information is always readily available to
support the processes?
Please show me how the system works.

Are any processes outsourced?


Are they clearly identified in the quality management system (see clause 8.5.1)?
Who is responsible for controlling any outsourcing?
Please show me an example.

How does the organization implement actions to achieve planned results and:
• maintain the effectiveness of the quality management system in accordance with
ISO 13485 requirements?

• continually improve the quality management system in accordance with
ISO 9001 requirements?

Documentation requirements (clause 4.2)


General (clause 4.2.1)

Can I please see the documentation on which the quality management system is based?
Is it partly or wholly on the intranet?

If it is on the intranet, how is it controlled?

Is there only one hard copy of the documents?


How are these copies controlled?

May I see your quality policy statement (see clause 5.3)?

Can I please see a list of your quality objectives (see clause 5.4.1)?

Can you confirm at this stage that you have the following mandatory procedures?

• control of documents (see clause 4.2.3);
• control of quality records (see clause 4.2.4);
• internal audit (see clause 8.2.2);
• control of nonconforming product (see clause 8.3);
• corrective actions (see clause 8.5.2);
• preventive actions (see clause 8.5.3);
• validation of the application of computer software (and changes to such software
and/or its application) (see clause 7.5.2.1);
• validation of sterilization processes (see clause 7.5.2.2);
• identification of returned medical devices (see clause 7.5.3.1);
• preservation of product (with limited shelf-life or requiring special storage)
(see clause 7.5.5);
• monitoring and measuring devices (see clause 7.6);
• feedback on quality problems and corrective and preventive action processes
(see clause 8.2.1);
• monitoring and measurement of product (see clause 8.2.4.1).


Please show me any other documentation (procedures, flow diagrams, work instructions, forms
and internal documents) that is being used by the organization to ensure effective planning,
operation and control of its processes.

Have you established records that provide objective evidence of conformity to requirements
and the effective operation of your quality management system? I will ask to see those records
shortly as and when deemed appropriate (see clause 4.2.4).

Do you have other documentation specified by national or regional regulations?


I would like to choose a file on one of your medical products.
Is it comprehensive in itself and does it refer to other documents, drawings, etc?
Does it cover the whole spectrum of manufacture and, if applicable, installation and servicing?


Quality manual (clause 4.2.2)

Does the quality manual outline the structure of the organization’s quality management system?

Does the quality manual include the scope of the quality management system?
Please may I see it?

Have all requirements of the standard been addressed?


If not, are the exclusions (from clause 7 only) recorded in the quality manual?
Some exclusions might be applicable only to ISO 13485, if allowed by regulatory requirements
(see clause 1.2) and some exclusions might be applicable only to ISO 9001. Some
exclusions may apply to both standards.
Have you justified in the quality manual the reasons for the exclusions?

Please will you go through the arguments for such exclusions now?

Have any parts of clause 7 been excluded because of the terms, ‘if appropriate’ and ‘where
appropriate’ in the text of the standard (see clause 1.2)?
(An exclusion cannot be accepted if a requirement is considered to be ‘appropriate’ when its
inclusion is necessary in order:

(a) for a product to meet specified requirements; and/or

(b) for the organization to carry out corrective action (see clause 8.5.2).)

Does the quality manual make reference to procedures at appropriate points in the text?
Please show me examples.
Does the quality manual include procedures or are they filed separately?
If procedures are filed separately from the quality manual is there a comprehensive list in the
quality manual?
Does the quality manual include a description of the interaction between all the processes?
Please show me how you have achieved this.

Control of documents (clause 4.2.3)

How is the quality management system documentation controlled?

Do you have a mandatory procedure for this purpose?


Who finally reviews and approves documents (quality manual, procedures, flow diagrams,
work instructions, forms and internal documents) for adequacy, before they are
allowed to become part of the quality management system?
Please show me evidence of this.

How are documents readily identifiable?


Do they have unique reference letters and/or numbers?

What arrangements are in place for reviewing, updating as necessary, and reapproving such
documents prior to their being reissued?
Please show me an example.


Are changes to documents approved either by the original method of approval or by another
designated person, or persons, who have access to pertinent background information on which
to give approval to the changes?

How are changes in a document, or a single page in a document, identified?


Please show me examples.

How is the revision status of a document, or part of a document, identified?


Please show me examples.

How does the management representative, or another named person, ensure that relevant
versions of applicable documents are always available at points of use or application?
Show me an example.

How does the organization ensure that all documents remain legible?
How does the organization ensure that all documents are readily retrievable?

How are documents of external origin (e.g. standards, codes of practice, forms) controlled to
ensure that only the latest issues of such documents can be used?
Is there a master list of external documents?
Who is responsible for updating this list?
Is there a controlled distribution of external documents?
What happens to superseded documents?
What precautions are taken to prevent unintended use of obsolete documents?
Are they returned to the management representative, or another person, on receipt of an
updated document, or when a document is no longer applicable?
Is one copy, clearly marked ‘superseded’, filed separately, and retained for knowledge
preservation purposes?

Does the organization define the period for which at least one copy of obsolete controlled
documents must be kept?
How is this period chosen?
(This period is defined by the organization as being at least equal to the lifetime of the medical
devices. This lifetime must not be less than the retention time of any resulting record (see
clause 4.2.4) or as specified by relevant regulatory requirements.)
Is the quality policy statement a controlled document?
How is the quality policy statement document controlled?
Is it, for instance, a quality management system internal document (QMS ID) with a unique
number and issue number?
Is the statement of quality objectives a controlled document?
How do you control the document on quality objectives?

Control of records (clause 4.2.4)

Do you have a procedure for the control of records?


Please may I see it?

Can I now examine in more detail your documented procedure for control of records?


Does it include a list of records?

Are records always clearly legible and identifiable?


Please show me examples.

Are all records stored carefully?


Can I please see how they are stored?
Can all records be easily retrieved?
How, for instance, can I retrieve (document X)?

Are all records protected from possible damage?


Show me examples of how protection is assured.

Are all records legible and do they remain legible?


Please can I see some of your older records?

Have retention times of different records been defined?


Please give examples and explain any different requirements.
Who has the authority to dispose of records?
Can you give me an example of disposal and the authority for such disposal?

Management responsibility (clause 5)

Management commitment (clause 5.1)

These questions are addressed to a member of top management (e.g. the chief executive or
managing director).

I have already spent some time seeking objective evidence about your quality management
system based on ISO 13485 and ISO 9001. I am impressed (or unimpressed) by what I have
found so far. Everyone has been most courteous and helpful so far (or, say, courteous but
reluctantly helpful, or whatever is appropriate). Would you kindly let them know what I feel?
The revised standard makes it clear that top management has to be actively involved in the
organization’s quality management system. All requirements in clause 5 begin, ‘Top
management shall - ’.

I have asked to spend a little time with you, because I hope you will be able to convince me of
your commitment to the development and implementation of your quality management system,
and to the continual improvement and effectiveness of the development and implementation
of it.

With these points in mind, I would like to ask you a few questions.
How do you communicate with your employees the importance of meeting customer
requirements as well as statutory and regulatory requirements?

In the case of ISO 13485 statutory requirements are limited only to the safety and performance
of the medical devices.

I see you have a quality policy. Are you confident that all employees understand it and try hard
to adhere to it?


I also see that you have established quality objectives. How does top management promote the
importance of these objectives?

Do you find that management review meetings are really worth the time they take up?

Has top management benefited from them?


Do you chair such meetings?

Who is responsible for ensuring that adequate resources are available?

At the end of the interview an auditor must make a judgement as to whether top management
is committed to the development, implementation and continual improvement in the
effectiveness of the quality management system.
The final judgement will be influenced to some extent by any objective evidence obtained
earlier. This explains the importance of not interviewing top management at the beginning of
an audit. These are the possible outcomes:

Subjective evidence good

If the subjective evidence collected from top management is good and the objective evidence
collected earlier was good, the commitment of top management to the quality management
system would appear to be satisfactory.
If the subjective evidence is good, but the objective evidence collected earlier was poor, then
top management has evidently failed to develop and implement its quality management system
satisfactorily.

Subjective evidence bad


If the subjective evidence is bad, or poor, and the objective evidence collected earlier was good,
this would suggest the quality management system is functioning satisfactorily in spite of the
lack of enthusiastic commitment of top management.
If the subjective evidence is bad and the objective evidence collected earlier was poor, then it
can be safely assumed that the quality management system is operating under the most
unsatisfactory conditions and with little commitment of top management.
In both circumstances in which the subjective evidence is suggesting lack of top management
commitment, an auditor would be wise to refrain from commenting until the closing meeting
of the audit. By that time he or she might have collected other damaging objective evidence to
support earlier impressions of the lack of commitment of top management.

Customer focus (clause 5.2)

In the case of ISO 13485, how does top management ensure that customer requirements are
determined and met (see clauses 7.2.1 and 8.2.1)?
Is this a primary consideration?

How does the organization determine customer requirements?


Please show me an example.

In the case of ISO 9001, how does top management ensure that customer requirements
are met with the aim of enhancing customer satisfaction (see clauses 7.2.1 and 8.2.1)?
Is this a secondary consideration?

How does the organization convert the needs and expectations of customers into the
requirements of customers so that through the product realization processes customer
satisfaction is achieved (see clause 7.2.1)?

Can you please show me one example of how you went about this?
How do you determine whether you have achieved customer satisfaction in the case of a
particular product or a given service (see clause 8.2.1)?
Please show me examples.

Quality policy (clause 5.3)

Is it appropriate and positive in every respect (for ISO 13485 and ISO 9001)?
In the case of ISO 13485, does it include a commitment to comply with requirements and
maintain the effectiveness of the quality management system?
If it does, what do you understand by this statement?
How do you go about ensuring that this happens?

In the case of ISO 9001, does it include a commitment to comply with requirements and
continually improve the effectiveness of the quality management system?
I note the commitment of top management to comply with the requirements of ISO 9001.
Can you give me one or more examples in which the requirements of the standard have
forced your organization to change the ways in which it operates?
Does it state that a framework is in place for reviewing quality objectives?
Please explain and show me examples of how this is done.

How is the quality policy communicated to staff?


What arrangements are in place to ensure that members of staff understand the quality policy?
How is the quality policy statement controlled?

Has it been signed by someone in a senior position?


Is it dated?
Does it have an issue number?
Is it a stand-alone document?

How do you ensure that people at all levels in your organization know about the quality policy
and understand what it means?

How do you ensure that the quality policy is reviewed for its continuing suitability?


Planning (clause 5.4)


Quality objectives (clause 5.4.1)

Who is responsible for setting quality objectives?

Have quality objectives been set at relevant functions and levels within the organization?
Please can I see the quality objectives that are in place so as to meet the requirements of
manufactured product or to satisfy the requirements of the service provision?

Please show me examples.

Are quality objectives reviewed in a systematic manner?


Please may I see the details of the last review?

Are all of the quality objectives compatible with the quality policy statement?

Quality management system planning (clause 5.4.2)

When planning the quality management system, were the general requirements of the quality
management system addressed (see clause 4.1), as well as the quality objectives (see clause 5.4.1)?

When changes to the quality management system are planned and implemented who is
responsible for ensuring that the integrity of the quality management system is maintained?
Can you please show me an example of such a change?

Responsibility, authority and communication (clause 5.5)


Responsibility and authority (clause 5.5.1)

How do you ensure that responsibilities and authorities are defined and communicated within
the organization?
Is there an organization chart? Please may I see it?
If the organization chart is not in general circulation, how are employees expected to know
who is responsible for what and the responsibilities accorded to different people?
If there are no names, or very few names, on the organization chart, although individuals are
bound to know to whom they report, are the reporting lines clear to others in the organization?
Are the responsibilities and authorities of individuals clearly specified in some other ways?
Please show me examples.
Has top management established the interrelation of all personnel who manage, perform and
verify work affecting quality of the product?
How has top management ensured the independence and authority necessary for such people
to perform the above mentioned tasks?
Please show me examples.
Is the organization bound by national or regional regulations to nominate specific people as
being responsible for activities related to monitoring experience from the post-production
stage onwards and thereafter to report adverse events (see clauses 8.2.1 and 8.5.1)?


Management representative (clause 5.5.2)

I see that your management representative is (name).


Have you defined their responsibilities and authority?
May I see how these are documented?

Does everyone know about the responsibilities and authority of the management representative
for establishing, implementing and maintaining the quality management system?

Does the management representative report to top management?


May I please see your latest organization chart again?

To whom does the management representative report on the performance of the quality
management system (see clause 8.5)?
Please show me examples of such reporting.

To whom does the management representative report on the need for any changes to be made
for improvements in the quality management system (see clause 8.5)?
Can you show me such examples?
How does the management representative ensure the promotion of awareness of regulatory and
customer requirements throughout your organization?
Can you please show me examples of such promotional activities?
Is your management representative responsible for liaison with external parties, e.g.
certification bodies, on matters relating to your quality management system?
If not, who is responsible for such activities and what arrangements exist to ensure that the
management representative is kept fully informed of such developments?

Internal communication (clause 5.5.3)

How do you ensure that appropriate communication processes are established within your
organization?

How do you ensure that communication takes place within your organization regarding the
effectiveness of the quality management system?

Management review (clause 5.6)


General (clause 5.6.1)

What arrangements are in place for top management to review the quality management
system?

What are the planned intervals between such meetings?


Please show me that the planned intervals between management review meetings have been kept.

Have the reviews of the quality management system shown that it continues to be suitable,
adequate and effective for the organization?


Have such reviews resulted in opportunities for changes to be made that have resulted in
continual improvement in the effectiveness of the quality management system?
Please show me one example of such continual improvement.

The reviews provide opportunities for changes to be made to the quality policy. Have any such
changes been made?

Have the reviews resulted in the need for changes to quality objectives?
Can you show me an example of such a change?

Are records kept of management review meetings (see clause 4.2.4)?


Please may I see the records of the last few management review meetings?

Review input (clause 5.6.2)

Do you have a standard agenda for your management review meetings?


As a minimum, does it include the following:

(a) matters arising from earlier management reviews?


(b) the results of internal audits?
(c) performance of processes?
(d) product conformity?

(e) nonconformities?
• quality management system: corrective and preventive actions
• processes: corrective and preventive actions

• products: corrective and preventive actions


• customer complaints: corrective and preventive actions
(f) customer feedback: monitoring of customer satisfaction?

(g) any changes, whatever their origin or nature, which could have a bearing on the quality
management system?
(h) recommendations for improvement in the effectiveness of the quality management system?

(i) new or revised regulatory requirements?

Review output (clause 5.6.3)

Can you give me examples of decisions and actions decided at management review meetings
that have resulted in:
(a) improvements needed to maintain the effectiveness of the quality management system?

(b) improvements in the effectiveness of the quality management system?

(c) improvements needed to maintain the effectiveness of the processes?


(d) improvements in the effectiveness of the processes?

(e) the need for more resources?

Resource management (clause 6)

Provision of resources (clause 6.1)

Who is responsible for determining and providing resources needed:

(a) for implementation of the quality management system?


(b) for maintaining the effectiveness of the quality management system?

(c) for meeting regulatory and customer requirements?

(d) for implementation and maintenance of the quality management system?


(e) for continually improving the effectiveness of the quality management system?

(f) for enhancing customer satisfaction by meeting customer requirements?


Can I please see examples of the person’s work in these respects?

Human resources (clause 6.2)


General (clause 6.2.1)

How do you ensure that employees whose duties and responsibilities can have a bearing on the
quality of the products or services of the organization are competent on the basis of their
relevant education, training, qualifications, experience and skills?
Can you give me a few examples?

Competence, awareness and training (clause 6.2.2)

Are competency needs defined for those employees whose work has a bearing on the quality
of the organization’s products and/or services?
Please show me several examples.

How does the organization arrange training, where necessary, or other actions, to achieve the
defined competencies?
Can you show me evidence of this?
How is in-house training (and any external training) evaluated?
Please can I see examples?

How do you ensure that all employees are made aware of the relevance and importance of their
activities and how each one contributes to the achievement of quality objectives?
How do you ensure that any new employees are suitably briefed on this matter?
Please show me examples.


How do you maintain appropriate records of all staff on education, training, qualifications,
experience and skills (see clause 4.2.4)?
Please may I choose, at random, some training records for examination?
Also, specifically, may I see the training record(s) of your internal auditor(s)?
How do you ensure that all records are kept up to date?
How long do you keep personnel records?
Where are the minimum retention times defined (see clause 4.2.4)?
Who has the authority to dispose of them (see clause 4.2.4)?

Do national or regional regulations require the organization to establish documented
procedures for identifying training needs?

Infrastructure (clause 6.3)

If an organization is to achieve conformity of product, or conformity in the provision of
services, then management has to determine, provide and maintain an appropriate
infrastructure.
How are such decisions made and by whom?
In particular, who is responsible for buildings, workspace (offices and manufacturing areas)
and associated utilities, such as toilets?
Please give an example.
How are decisions made on process equipment for hardware?
Please give an example.
Who makes decisions on computer software?
Is the software system outsourced?
Who makes decisions on supporting services such as transport and communications services
that are essential in order to provide a quality product or service?
Please show me examples.

Are the required maintenance activities documented for equipment when lack of proper
maintenance could affect product quality?
Is the frequency of such maintenance specified in such documents?

Please could I see the records on such maintenance activities?

Work environment (clause 6.4)

How does management determine and manage the human and physical factors of the work
environment that are necessary to achieve conformity of product or conformity of services?
Has the organization documented requirements for health, cleanliness and clothing of
personnel if contact between such personnel and the product or work environment could
adversely affect the quality of the product (see clause 7.5.1.2.1)?
Can the work environment have an adverse effect on product quality?


If so, has the organization established documented requirements for the work environment
conditions and documented procedures, or work instructions, to monitor and control these
work environmental conditions (see clause 7.5.1.2.1)?

If people have to work temporarily under special environmental conditions within the work
environment, are they properly trained or supervised by a trained person [see clause 6.2.2(b)]?

Are special arrangements in place and documented for controlling contaminated or potentially
contaminated product so as to prevent contamination of other product, the work environment
or personnel (see clause 7.5.3.1)?

How does the organization consider the:

• safety of individuals?
• ergonomics of working?
• appropriate lighting levels?
• appropriate temperature and humidity controls?
• acceptable noise levels?
• acceptable levels of cleanliness and hygiene?
• minimum pollution levels?
• appropriate protective equipment?
Which of the above are covered by legislation, regulations or codes of practice?
If the organization requires special facilities, e.g. clean rooms or sterile areas, how are
such special requirements addressed?

Product realization (clause 7)

Planning of product realization (clause 7.1)

Do you have quality plans for each specific product, service, project or contract?
Can I please examine several such quality plans?

Do the plans show the customer requirements for a product or a service?


Are the quality objectives for the product or service defined?

If design and development work is required, have the following been determined:

• Are the design and development stages clearly identified?


• Do the plans address the interfaces between different interested parties to the design
and development project, with clear assignment of responsibilities and paths of
communication between different parties?

• Is it proposed to hold design and development reviews, as appropriate, at different
stages of the design and development?
• Do the plans indicate when verification of the design and development will take place
and by whom?

• Do the plans make clear how the products, or services, will be validated; when, by
whom and where?


• Is it clear how planning output will be updated as design and development projects
progress towards completion?

Have all the processes been clearly identified?


Have the sequence and interaction of these processes been clearly defined?

Have the criteria and methods been determined to ensure that processes proceed to their
planned outputs in an effective manner?
Who ensures that suitable resources are provided to achieve the planned output?

Does the plan identify where suitable documentation has to be available for the processes to
proceed to their planned outputs in an effective manner?

Does the plan show what monitoring and measurements have to be made, and where and
when?

What test activities have to be undertaken, on what and when?


If outsourced products or services are used, does the plan show how the outsourcing will be
adequately controlled?

Does the plan address delivery of a product to a customer or completion of a service for a
customer?
Does the plan explain in adequate detail what post-delivery services will be in place?
Does the plan identify the records that will be taken and maintained as the planned product or
service proceeds to completion (see clause 4.2.4)?

In the case of ISO 13485 has the organization established documented requirements for risk
management throughout product realization?
Records arising from risk management must be maintained (see clause 4.2.4).
(ISO 14971 gives guidance related to risk management.)

Customer-related processes (clause 7.2)


Determination of requirements related to the product (clause 7.2.1)

Please explain how customer needs and expectations are turned into customer requirements. Is
this through:

• any statutory and regulatory requirements?


• requirements that are necessary for intended use?

• any other requirements considered necessary by the organization?

Can you please show me examples of these additions in which the organization has added to a
customer’s needs and expectations, with the approval of the customer?

Do the requirements include delivery and post-delivery activities?


Can I please see an example?


Review of requirements related to the product (clause 7.2.2)

Who is responsible for reviewing product and/or service requirements before the organization
makes a commitment to supply a product and/or provide a service (e.g. submission of a tender,
acceptance of contracts/orders or acceptance of changes to contracts or orders)?

Can I please see documented evidence of such reviews?

Do such reviews define the product or service adequately?


Have all requirements differing from those previously expressed been resolved?

Is the organization able to meet the defined requirements?

Is there evidence that the reviews include consideration of required delivery dates, as defined
by the contracts or orders?
Following each review process has the outcome been that product and/or service requirements
are clearly defined?
In the case of ISO 13485, product requirements must be defined and documented.

In those cases in which documentation has not been received from a customer, has the
customer always been made to confirm (by letter, fax or email) their needs and expectations
and consequential requirements before acceptance of any order or contract? Can I please
see examples?
Who is responsible for ensuring that any contract or order requirements differing from those
previously expressed are resolved to the mutual satisfaction of the customer and the
organization?

Can you please show me examples in which such differences have been resolved?
When product requirements are changed, is all relevant documentation amended and relevant
personnel advised accordingly?
Please show me examples.
Are the reviews and the follow-up discussions and actions recorded (see clause 4.2.4)?

Customer communication (clause 7.2.3)

How does the organization communicate with its customers:

• on product information?
• on customer feedback?
• on customer complaints?
• on enquiries regarding contracts or order handling, amendments to contracts, etc?

In the case of large and/or complex contracts has management agreed with the customer
mutually acceptable arrangements for all communications between the two parties? If this is
the case, please show me examples.

If advisory notices have to be sent, who is responsible for them (see clause 8.5.1)? Could I
please see an example?


Design and development (clause 7.3)


Design and development planning (clause 7.3.1)

In the case of ISO 13485 there must be a mandatory procedure on design and development.
Please may I see it?

Please show me a few design and development plans.


Are the design and development stages clearly identified?

Please show me how the people responsible for different design and development activities
have been identified and the limitations placed on their authority.

Please show me how the organizational and technical interfaces between the different groups,
which input to a design and development, are identified.

Please show me how effective documented communications systems have been put in place for
all the people who have to be kept informed about design and development.

Is it proposed to hold design and development reviews, as appropriate, at different stages of the
design and development?
Do the plans indicate when verification of the design and development output will take place,
and by whom?

Do the plans make clear how products, or services, will be validated? When will this happen,
by whom and where?
Do ‘design and transfer activities’ during the design and development process ensure that the
design and development outputs (see clause 7.3.3) are verified as being suitable for
manufacturing before they become production specifications?

Is planning output documented and updated as design and development projects progress
towards completion (see clause 4.2.3)?

Design and development inputs (clause 7.3.2)

The design and development input is based on customer requirements, or perceived customer
needs and expectations. Who in particular is responsible for defining and documenting
customer requirements?
Please show me an example of design and development input. Do the requirements include:

• functional, performance and safety requirements according to intended use?

• functional and performance requirements?


• applicable statutory and regulatory requirements?

• applicable information derived from previous similar designs?

• any other requirements essential to design and development?


• outputs of risk management (see clause 7.1)?


Are these inputs reviewed for adequacy and approved?


Are these inputs reviewed for adequacy?

Can you show me examples of design reviews?


Have any such reviews shown that the input requirements are incomplete, ambiguous or are
incompatible with other requirements?

Design and development outputs (clause 7.3.3)

Please can you show me the documentation for a finally agreed design and development output
specification for manufacture of a product or provision of a service?

Can you show how the documentation for the proposed design and development output
enables verification against the design and development input?

Was the design and development output document approved by the designated authority before
being released?
Will you please explain how the design and development output document satisfies the design
and development input requirements?
Does the design and development output document provide appropriate information for
departments, such as purchasing and for other people who are responsible for the operation
and control of the processes, to produce the required product or provide the required service?
What product or service acceptance criteria are included in the proposed design and
development output document?

Does the design and development document identify any characteristics that are crucial to safe
and proper functioning of the product or the provision of a service?

Are records of the design and development outputs maintained (see clause 4.2.4)?
(These might be specifications, manufacturing procedures, engineering drawings, engineering
or research logbooks.)

Design and development review (clause 7.3.4)

The design and development plan for the project under consideration (see clause 7.3.1)
specifies when design and development reviews shall be undertaken. What actually happened
in this particular case?

Did the reviews evaluate the ability of the results of design and development to satisfy
requirements?

Did the reviews identify any problems and propose necessary actions?
Can you provide evidence that in the review processes all the interested parties in the design
and development, including representatives of functions concerned with the design and
development of the stage(s) being reviewed, were represented, as well as other specialist
personnel (see clauses 5.5.1 and 6.2.1)?


Can you provide evidence that in the review processes all the interested parties in the
design and development, including representatives of functions concerned with the design
and development of the stage(s) being reviewed, were represented?

Were any problems identified?


Were follow-up actions clearly stated and those responsible for follow up clearly identified?
Can I please see the record of such actions?

Can I please see the records of such reviews?


Do they record the actions required by different people?

Are records maintained of all such reviews?


Do the records show the actions carried out by different people (see clause 4.2.4)?

Design and development verification (clause 7.3.5)

Please show me evidence of design and development verification that has been conducted to
ensure that the design and development output satisfies the design and development input
requirements.
In the case of very complex and probably very expensive projects how would your
organization conduct verification of the design and development output work?

Do you have such a project?


How was verification carried out?

Design and development validation (clause 7.3.6)

Please can I see the documentation relating to validation of a product or a service?


Can I see an example in which the validation process was carried out in accordance with
planned arrangements (see clause 7.3.1)?
Were further actions found to be necessary?
Was validation completed prior to delivery?
In the case of ISO 13485 has validation been completed prior to delivery or implementation of
the product?
(If a medical device can be validated only after assembly and installation at point of use,
delivery is not considered to be complete until the product has been formally transferred to the
customer.)
Are there any examples in which only partial validation was possible (presumably, stated in the
planning document)?
Has any partial or complete validation been carried out by customers?
Please show me any such results.
As part of design and development validation, the organization must perform clinical
evaluations and/or evaluation of performance of a medical device, as required by national or
regional regulations.
Has this been done? Please show me the evidence.


(Provision of the medical device for the purpose of clinical evaluations and/or evaluation of
performance is not considered to be delivery.)

Have records been kept and maintained on all such validations?

Please show me the evidence.

Control of design and development changes (clause 7.3.7)

Please show me examples of design and development changes requested by a customer.

Please show me design and development changes requested by the organization.


Have all of the above changes in design and development always been clearly
identified, appropriately documented and adequately controlled from the time of their agreed
inclusion in a design and development project?
Please let me see an example of such changes.
Have all the secondary consequential effects on other parts of the design and development
been considered?
Show me examples.
Have all changes in the design and development been approved before implementation?
Please show me examples.
Have all changes gone through the verification and validation processes again (as appropriate)?
Please show me examples.

Have any of the agreed changes been made after delivery of some of the product or delivery of
a service?
Please show me examples.
Did it prove necessary, or was it considered advisable, to recall product or repeat a service, in
such circumstances?
Can you provide me with an example in which this was done?

Are records of the results of all reviews of changes and any necessary actions systematically
kept and maintained?
Please show me these records.

Purchasing (clause 7.4)


Purchasing process (clause 7.4.1)

In the case of ISO 13485, does the organization have a documented procedure to ensure that
purchased product conforms to specified purchase requirements?
In the case of ISO 9001, does the organization ensure that purchased product conforms to
specified purchase requirements?

What kinds of controls are exercised by the organization over suppliers and subcontractors?

What criteria are used for their selection?


Are evaluations carried out periodically?


If so, is this done at defined intervals?

Are records of the results of all evaluations kept and maintained?


Can I please see such records?

Can I please see any records of re-evaluations that have become necessary because of poor
performance?
Has your organization ever been required, as a condition of a contract or placing of an order, to
use a specific supplier or subcontractor, named by the customer?
If so, have any such suppliers or subcontractors defaulted in their requirements and had a
bearing on the final quality of the product, or the quality of the service being provided?
Can you please show me evidence of such occurrences?

Has the introduction of purchasing controls resulted in a reduction in the number of suppliers
and subcontractors, with consequential savings in administration, etc?

Purchasing information (clause 7.4.2)

Could I please see a few purchasing orders?


How are orders reviewed and approved to ensure the adequacy of specified purchase
requirements before being despatched?
Please show me examples.
For ISO 13485, if traceability has been a requirement, has the organization maintained relevant
purchasing information, e.g. documents (see clause 4.2.3) and records (see clause 4.2.4)?

Verification of purchased product (clause 7.4.3)

By what means does the organization verify purchased product?


Is all purchased product examined the same way on receipt?
If not, please explain why not.
In the case of a new supplier, does the organization impose strict verification processes?
Are the strict verification processes agreed in advance and implemented on receipt of goods?
Please show me an example.
Does the organization, or its customer, intend to verify purchased product, or the service to be
provided, at the supplier’s premises?

Do purchasing documents make the arrangements for such visits perfectly clear?


Please show me an example.

Does the purchasing document state how verification will be conducted?


In the case of manufactured products is there to be 100% testing, batch testing, or sampling?
In the case of a service, what specified items are to be checked, or is random testing to be used?
Please show me an example.

Do purchasing documents state what acceptance criteria for inspections at the supplier’s
establishment are to be used and the method of product release to the organization?
Please show me an example.

Are records of the verification always maintained (see clause 4.2.4)?


Please show me examples.

Production and service provision (clause 7.5)


Control of production and service provision (clause 7.5.1)

General requirements (clause 7.5.1.1)

I need evidence that the organization plans and carries out production and service provision
under controlled conditions. Let us consider one or two products (or services).

Can I see the specification or documents relating to a product please?


In the case of ISO 13485, are documented procedures, documented requirements, work
instructions, reference materials and reference measurement procedures readily available, as
necessary, for each particular product?
In the case of ISO 9001, are work instructions available, as necessary?
Is suitable equipment being used?

What monitoring and measuring devices are used?


What requirements have to be satisfied before products can be released?
Who is responsible for the safe delivery of products?

Who is responsible for any post-delivery activities?


Is the labelling and packaging of medical devices carried out as documented?
Please show me examples.
Are records of medical devices kept and maintained (see clause 4.2.4)?

Please show me records on:

(a) the number of medical devices manufactured in each batch (a batch can be a single
medical device);

(b) how many devices were subsequently approved for distribution;

(c) traceability to the extent specified in clause 7.5.3;


(d) verification and approval of batch records.


Control of production and service provision – Specified requirements (clause 7.5.1.2)

Cleanliness of product and contamination control (clause 7.5.1.2.1)

Has the organization decided that it should have documented requirements for cleanliness of
product? If so, please may I see them?

Does the document specify:

(a) how product is to be cleaned by the organization prior to sterilization and/or its use?
(In such cases, the requirements in clauses 6.4(a) and 6.4(b) do not apply prior to the
cleaning process.)
(b) how product, if supplied non-sterile, is to be cleaned prior to sterilization and/or use?
(In such cases, the requirements in clauses 6.4(a) and 6.4(b) do not apply prior to the
cleaning process.)

(c) if product is intended to be supplied and used non-sterile, whether cleanliness is of
importance before use;
(d) if any process agents are to be removed from the product during manufacture?

Installation activities (clause 7.5.1.2.2)

Has the organization documented the requirements for acceptance criteria for installing and
verifying the installation of the medical device?

If so, can I please see the documentation?


Has the organization subcontracted the installation of any of its medical devices?
If so, please show me the installation and verification documents.
Can I see the records on installation and verification whether carried out by the organization,
its authorized agent or any other appointed subcontractor (see clause 4.2.4)?

Servicing activities (clause 7.5.1.2.3)

Is servicing of medical devices a specified requirement?


Does servicing include repair and maintenance?

Can I see the documentation for performing servicing activities and how such work must be
verified so as to meet the specified requirements, such as:

(a) procedures?
(b) work instructions?

(c) reference materials?

(d) reference measurement procedures?


Particular requirements for sterile medical devices (clause 7.5.1.3)

Can I see the records of the process parameters for the sterilization process used for each
sterilization batch?

How do I trace such sterilization records to each production batch of medical devices (see
clause 7.5.1.1)?

Validation of processes for production and service provision (clause 7.5.2)

General requirements (clause 7.5.2.1)

Does the organization have any processes for production and service provision where the
resulting output cannot be directly validated?

Does the organization have any processes for which only indirect validation of such processes
is possible? Please show me examples.
Have criteria been defined for review and approval of any such processes?

Has the equipment used been approved by a recognized authority?


Have the personnel using the equipment proved themselves to be competent in the use of the
equipment by a recognized authority?

Are specific methods and procedures being used that have been approved by recognized
bodies?

Could I please see the organization’s records in this connection (see clause 4.2.4)?
Whenever planned results are evidently not being achieved, does revalidation take place
following appropriate changes to equipment, materials or staff?

Can I see the procedure for the validation of the application of computer software (including
changes to such software and/or its application) for production and service provision that
affect the ability of the product to conform to specified requirements?
Have such software applications been validated prior to initial use?
May I see the validation records please?

Particular requirements for sterile medical devices (clause 7.5.2.2)

Can I please see your procedure for the validation of sterilization processes?
Are sterilization processes validated prior to use? Please show me evidence of this.

Can I see your records on each sterilization process (see clause 4.2.4)?


Identification and traceability (clause 7.5.3)

Identification (clause 7.5.3.1)

Please may I see your documented procedures for product identification?

How is product identified? Is it:


(a) during product realization?

(b) during delivery?

(c) during installation (if applicable)?


Where appropriate, how does the organization identify product by suitable means
throughout product realization?

Has the organization established documented procedures to ensure that medical devices
returned to the organization are identified and distinguished from conforming product [see
clause 6.4(d)]?

Traceability (clause 7.5.3.2)


General (clause 7.5.3.2.1)

Please may I see your documented procedures for traceability?


Do the procedures define the extent of product traceability and the records required (see
clauses 4.2.4, 8.3 and 8.5)?
Where traceability is a requirement, how does the organization control and record the unique
identification of the product (see clause 4.2.4)?

Has the organization decided to provide full traceability on any, or all, of the organization’s
products or services?
If so, please show me how this is done.
Please show me the documentation.

If a customer requires full traceability, what documentation is provided by the organization for
identification of individual items, or batches of items, as appropriate?

Please show me examples.

How are traceability records maintained?


Are any certificates of conformance or test certificates issued by the organization? Please show
me examples.


Particular requirements for active implantable medical devices and implantable medical
devices (clause 7.5.3.2.2)

In the traceability records, does the organization include:

(a) records of components?


(b) materials?

(c) work environment conditions?

If any of these could cause the medical device not to satisfy its specific requirements:
Does the organization ensure that its agents or distributors maintain records of the distribution
of medical devices to allow traceability?
Are such records available for inspection by the manufacturer of the medical products?

Does the organization keep and maintain records of the name and address of the shipping
package consignee (see clause 4.2.4)?

Status identification (clause 7.5.3.3)

How does the organization identify product status with respect to any monitoring and
measurement requirements?

Please show me a few examples.


How is the identification of product status maintained throughout production, storage,
installation and servicing of the product to ensure that only product that has passed the
required inspections and tests (or released under an authorized concession) is dispatched, used
or installed?

Customer property (clause 7.5.4)

Does the organization receive any product from customers that the customer wants the
organization to incorporate into the product that is being made for it by the organization, or for
activities related to what the organization is doing for the customer?
When customer product is being incorporated into the organization’s product, how is it
identified, verified, protected and safeguarded?
When customer product is being used by the organization for ‘related activities’, is the same
care exercised as for product that is being incorporated into the organization’s products?
Does the organization recognize any intellectual property as belonging to a customer? How is
that safeguarded?
Does the organization have any documentation to help to ensure that all property belonging to
a customer is properly controlled?
Please show me.


What happens when customer property is lost, damaged or otherwise found to be unsuitable
for use?

Do you have any special arrangements in place to protect the intellectual property of
customers?
Can you show me an example of any of the safeguards?

What arrangements are in place to protect confidential health information?

Preservation of product (clause 7.5.5)

Please may I see your procedures or work instructions for preserving conformity of product
during internal processing and delivery to the intended destination?

How does management ensure the conformity of product during internal processing and
delivery to the intended destination? Please demonstrate this by means of a few
examples.

How does the organization ensure that sensitive product, which might be damaged by any
adverse method of packaging and storage, is preserved whilst under its control so that product
remains undamaged from any such potential threats up to the time of its delivery to a customer?

Is consideration given to controlling environmental conditions, such as temperature, humidity,
lighting and static electricity?

If damage by static electricity is a possibility, are special packaging and storage used to
prevent electrostatic damage to the product?
Is all stock appropriately segregated until the time has arrived for its use or dispatch?

Is all incoming stock carefully segregated and preserved until it is required for use?

Protection

After final inspection and test, how does the organization provide protection against damage
whilst within the confines of the organization?

Packaging

What controls does the organization have in place to ensure that any packing or packaging is
adequate to prevent damage that would result in the product being unacceptable to a customer?
Please show me examples.
What methods are used for identifying packaged product? Show me examples.

Once a product has been suitably identified, how is the identification preserved until it is
delivered to the intended destination?

Identification

How is finished product identified?


What kind of documentation is used?
Does the documentation need to be signed?
Who signs the documentation?


Handling

What does the organization do to ensure that the ways in which product is handled do not
result in damage to or deterioration of product?
Please show me examples.

Storage

Do you have dedicated storage areas suitably organized so as to prevent damage or
deterioration of product whilst it is awaiting use or dispatch?
If so, can you identify these please?
What criteria, if any, are used to decide whether product should be received or dispatched?
If the criteria are not met, what happens to any such product?
How do you deal with products (incoming or outgoing) that are likely to deteriorate with time?

Delivery

How does the organization make provision against accidental damage during handling whilst
the product is in transit to a customer?

Have you any cases in which special attention must be paid to any contractual conditions in
this respect?

Control of monitoring and measuring devices (clause 7.6)

How does management decide what monitoring and measurements, which can have a bearing
on the quality of the product being manufactured/assembled or on the service that is being
provided, need to be made and how accurate they need to be before choosing suitable
equipment?
Please may I see your documented procedure that ensures that monitoring and measurement
are carried out in a manner that is consistent with the monitoring and measurement
requirements?

Has the organization established processes to ensure that monitoring and measurement
are carried out in a manner that is consistent with the monitoring and measurement
requirements?
Has management decided whether any of the chosen measuring and monitoring devices need
to be calibrated? If so, please identify them.
Which devices are to be calibrated externally and which are to be calibrated internally?

How are devices safeguarded from irresponsible adjustments that would invalidate the
calibration?
How are devices protected from damage and deterioration during handling, maintenance and
storage?
If a device is found to be out of calibration at recalibration, how does management address the
‘out-of-calibration’ state of the device and assess the possible consequences of the recent
measurements having been incorrect?


If corrective action needs to be taken, who would be responsible for such action?
Is this documented?

How is software, which is used for measuring and monitoring of specified requirements,
validated prior to use?

Does the organization allow customers and stakeholders to have access to calibration data?

External calibration

Is any equipment calibrated externally?

Have UKAS accredited calibration laboratories been used?


If laboratories have been used that are not UKAS accredited, has the equipment used to
calibrate the organization’s equipment been calibrated by a UKAS calibration laboratory and
thereby linked to an international or national standard?
Please can I examine all the organization’s external calibration certificates?

Does the organization keep accurate records on all calibrations?


Please show me the records.
Is there a calibration register?
Does it state the calibration intervals for each device?
Does the organization keep calibration logs for each piece of external calibration equipment?
Does the calibration register and do the calibration logs show the normal locations of
calibrated equipment so that, in the event that a calibration label is detached from a piece of
calibrated equipment, its unique identification and calibration status can be traced through a
process of elimination?

Internally calibrated equipment


Which externally calibrated devices are to be used as reference standards?
Are devices used as reference standards set aside in a safe and secure environment and used
only for internal calibrations?

What are the acceptable limits for the calibration results for a particular instrument or device
that is to be calibrated internally?
Is the known accuracy of the calibrated reference standard sufficiently greater (e.g. 10 times
greater) than the theoretical accuracy of the instrument or device being calibrated internally?
Is the uncertainty for the calibrated reference standard low enough to ensure that the
uncertainty of calibration of the instrument or device being calibrated will be acceptable in the
circumstances in which it will be used?

Who decides how often the instrument or device will need to be calibrated?
What documentation is used to ensure that all internal calibrations are carried out in a
professional and scientifically acceptable manner?

Is the environment suitable for the calibrations being performed?

Who is responsible for internal calibrations?


Is documentation available for each device, which is to be calibrated internally, so as to ensure
that all relevant matters are addressed and to ensure that the steps to be taken in the calibration
process are clearly defined?

Equipment not calibrated: used for indication only


Management may have decided that some monitoring and measuring devices need not be
calibrated and are used for indication only.
Are such devices listed?

Unique identification of calibrated devices

Has all calibrated equipment (externally calibrated and internally calibrated) been uniquely
identified?
How is this done?

If labelling is used, do labels give:

(a) a unique identification number or code for the equipment?


(b) the date when calibration took place?

(c) the date when recalibration is due?


(d) the initials of the person responsible for calibration?
Are there unusual circumstances in which it was found impossible to place a label on
calibrated equipment?
How is this identification problem overcome?
How are inspection and monitoring devices that are used for indication only marked?

Note: ISO 10012 gives guidance related to measurement management systems.

Measurement, analysis and improvement (clause 8)

General (clause 8.1)

There is a requirement on the organization to plan and implement:


• monitoring and measurement processes (see clause 8.2);

• analysis processes (with explanations of the methods used) (see clause 8.4);

(Are there any national or regional regulations that require documented procedures for
implementation and control of the application of statistical techniques? If this is the case,
please can I see your procedures?)
• the improvement processes (see clause 8.5);

in order to:

• ensure conformity of the quality management system to the requirements of
ISO 13485 and ISO 9001 (see clause 8.2.2);

• demonstrate conformity of product or service (see clause 8.2.4);


• maintain the effectiveness of the quality management system (see clauses 8.4 and 8.5.1);

• continually improve the effectiveness of the quality management system
(see clauses 8.4 and 8.5.1).

Do you feel confident that you have addressed these issues in general?
These specific requirements and associated requirements are addressed below.

Monitoring and measurement (clause 8.2)


Feedback/Customer satisfaction (clause 8.2.1)

What methods are used to monitor information relating to whether the organization has met
customer requirements (see clause 7.2.1)?
Can I please see the latest findings?
Are they more satisfactory than earlier findings?

Has the organization established a procedure for a feedback system [see clause 7.2.3(c)] to
provide early warning of quality problems and for input into the corrective and preventive
action processes (see clauses 8.5.2 and 8.5.3)?
Do national or regional regulations require the organization to gain experience from the
post-production phase? If so, can I see the review of this experience? Is it part of the feedback
system (see clause 8.5.1)?
What methods are used to monitor information relating to whether the organization has met
customer requirements (see clause 7.2.1)?

Can I please see the latest findings?


Are they more satisfactory than earlier findings?

Internal audits (clause 8.2.2)

What do you think is the purpose of internal audits?


May I see your procedure for internal auditing?

Are the responsibilities and requirements for planning and conducting audits clearly stated?

Are the methods of reporting results clearly defined?


Does the procedure make clear how records will be kept and maintained?

May I please see your audit programme?

Has consideration been given to the status and importance of the activities and areas to be
audited, as well as the results of previous audits?

Does anyone audit their own work?


Please show me evidence that auditors have been trained.
How do you establish that your auditors are competent?
Please may I see the records of a few internal audits?


How does management ensure that timely corrective action is taken on nonconformities and
any observations found during the audit?
Please show me a few examples.

How is verification of any corrective actions and preventive actions achieved?

How are results recorded and reported to management?

Monitoring and measurement of processes (clause 8.2.3)

How are all processes monitored (and/or measured, as and when deemed necessary), so that
the outputs will satisfy customer needs and expectations?
Give me an example of monitoring and measurements undertaken during one major process
and the associated interacting supplementary processes.

If monitoring shows that a requirement is not being met, how is this dealt with?
Can you please show me examples of any such nonconformities found?

Monitoring and measurement of product (clause 8.2.4)

What monitoring and measurement of the product and/or provision of a service, or both, take
place at appropriate stages to ensure that the requirements are being met (see clause 7.1)?

What evidence of conformity with accepted criteria is documented, and what evidence
authorizing the release of product, and/or provision of a service, is recorded (see clause
4.2.4)?

How do you ensure that product and/or service delivery does not take place until all
requirements have been satisfied (unless otherwise approved by a relevant authority and,
where applicable, by the customer)?
Please show me a few normal cases of such approvals.
Please show me examples of any exceptional cases.

General requirements (clause 8.2.4.1)

Can I see your procedures for monitoring and measurement of product?

Products, and/or services must be monitored (and perhaps measured) to verify that product and
service requirements have been met.
What monitoring and measurement of the product and/or provision of a service, or both, take
place at appropriate stages to ensure that the requirements are being met (see clause 7.1)?
What evidence of conformity with accepted criteria is documented, and what evidence
authorizing the release of product, and/or provision of a service, is recorded (see clause 4.2.4)?
How do you ensure that product and/or service delivery does not take place until all
requirements have been satisfied (see clause 7.1)? Please show me a few normal cases of such
approvals. Please show me examples of the exceptional cases.

How do you ensure that product and/or service delivery does not take place until all
requirements have been satisfied (unless otherwise approved by a relevant authority and,
where applicable, by the customer)?
Please show me a few normal cases of such approvals.
Please show me examples of any exceptional cases.

Particular requirement for active implantable devices (clause 8.2.4.2)

Do your records show the identity of personnel performing any inspection or testing?

Control of nonconforming product (clause 8.3)

Please may I examine your procedure for dealing with nonconforming products or
nonconforming services?

Does the procedure identify responsibilities and authorities for dealing with nonconformities?
How is a nonconforming product (or a nonconforming service) identified?
How are nonconforming products controlled to prevent unintended use or delivery?

How are unsatisfactory services (once identified) controlled?


What methods are used to deal with any nonconformities? Do you:
• take action to eliminate the detected nonconformity?
• authorize the use of the nonconforming product or service (perhaps under
concession, but only if regulatory requirements have been met)?
• authorize the use of the nonconforming product or service (perhaps under
concession by a specified person and perhaps by the customer)?
• take action to preclude its original intended use or application?

How do you ensure that corrected nonconforming product, and/or service, is subject to
reverification after correction to demonstrate conformity?

What arrangements are in place to ensure that if a nonconformity is discovered, after delivery
or use, appropriate action is taken regarding the consequences of the nonconformity to users of
the product or the results of an inadequate service?
Are records kept and maintained on (see clause 4.2.4):
• the nature of any nonconformities?
• any subsequent actions taken?
• any concessions obtained?
• records of the identity of the person(s) authorizing the concession?

Please show me such records.


Can you show me examples of when product has been reworked, perhaps one or more times?
Are rework processes done under work instructions that have undergone the same
authorization and approval procedure as the original work instructions?


Prior to authorization of a rework instruction, does anyone determine the adverse effect of the
rework on a product?
Are such considerations documented (see clauses 4.2.3, 4.2.4 and 7.5.1)?

Analysis of data (clause 8.4)

May I see your procedures to determine, collect and analyse appropriate data to demonstrate
the suitability and effectiveness of the quality management system and to evaluate whether
improvement of the effectiveness of the quality management system can be made?

Does this include data generated as a result of monitoring and measurement and from other
relevant sources?

Has the organization determined, collected and analysed appropriate data to:
• demonstrate the suitability and effectiveness of the quality management system
(see Figure 5.1)?
• evaluate how continual improvements can be made in the effectiveness of the
quality management system (see clause 8.5.1)?
Does this include data generated as a result of monitoring and measurement and from
other relevant sources?

How are data analysed to provide information relating to:
• characteristics and trends in processes, characteristics of products, opportunities for
corrective actions, opportunities for preventive actions?
• conformity to product and/or service requirements (clause 7.2.1)?
• feedback (8.2.1)?
• customer satisfaction (8.2.1)?


Are data on the performance of suppliers collected and analysed?
If so, please show me an example.
Are data analysed from any other sources?
If so, please show me an example.
Are records of the results of the analysis of data kept and maintained (see clause 4.2.4)?


Improvement (clause 8.5)


General/Continual improvement (clause 8.5.1)

How does the organization identify and implement any changes necessary to ensure and
maintain the continued suitability and effectiveness of the quality management system?

In what ways do the following bring about improvements in the effectiveness of the quality
management system?
• the quality policy?
• the quality objectives?
• audit results?
• analysis of data?
• corrective and preventive actions?
• management reviews of the quality management system?


Does the organization have procedures for the issue and implementation of advisory notices?
Can these procedures be implemented at any time?
Has a specific person been nominated to be responsible for the issue of advisory notices?
Can I see your records on dealing with customer complaints (see clause 4.2.4)?
If it is believed that third parties are partially or wholly responsible for the customer complaint
being raised, does the organization contact the third party to resolve such matters and prevent
a recurrence (see clause 4.1)?
Please show me any such cases.

Corrective action (clause 8.5.2)

Nonconformities
Please may I see your procedure on corrective actions?
Does it include corrective actions to be taken in response to customer complaints?

Are requirements defined for reviewing nonconformities? Please show me an example.


Who is responsible for determining the cause of any nonconformities? Please show me
examples.
Who is responsible for determining the need for action(s) to ensure that nonconformities do
not recur? Please show me examples.
Who is responsible for determining and implementing action needed, including, if appropriate,
updating information (see clause 4.2.4)?
Who is responsible for evaluating and implementing the action needed?
Who records the results of any investigation and the corrective actions taken (see clause
4.2.4)? Please show me examples.
Who records the results of the action taken?


Who reviews the corrective action taken and its effectiveness?


Who reviews the corrective action taken?
How many nonconformities have there been over the last year? Is a log kept? Please show it to me.
Customer complaints
Are customer complaints addressed in the nonconformity procedure or is there a separate
procedure?
Whatever is the case, please may I see your documentation on customer complaints?
Are requirements defined for reviewing customer complaints? Please show me an example.
Who is responsible for determining the cause of any customer complaints? Please show me
examples.
Who is responsible for determining the need for action(s) to ensure that customer complaints
do not recur? Please show me examples.
Who is responsible for determining and implementing action needed, including, if appropriate,
updating information on customer complaints (see clause 4.2.4)?
Who is responsible for evaluating and implementing the action needed on customer
complaints?
Who records the results of any investigation and corrective actions taken in response to
customer complaints (see clause 4.2.4)? Please show me examples.
Who records the results of the action taken in response to customer complaints?
Who reviews the corrective action taken in response to customer complaints and its
effectiveness?
Who reviews the corrective action taken in response to customer complaints?
How many customer complaints have there been over the last year?
Is a log kept? Please show me.
Are requirements defined for reviewing customer complaints?
Please show me examples.

Is there a policy of dealing with all customer complaints in a timely manner?


Are serious customer complaints dealt with differently?
If this is the case, how are they dealt with?
Is action always taken to address the complaint from the customer’s point of view?
Please show me examples.
Are requirements defined for reviewing customer complaints?
Please show me an example.
Who is responsible for determining the cause(s) of any customer complaints?
Please show me examples.
Who is responsible for evaluating corrective action so that customer complaints do not recur?
Please show me examples.
Who is responsible for determining and implementing appropriate corrective actions needed?
Please show me examples.


Who is responsible for recording the results of the corrective actions taken (see clause 4.2.4)?
Please show me examples.
Who reviews the corrective actions taken?
Please show me evidence of such reviews.
How many customer complaints have there been over a given period?
Is a log kept?
Please show me.

Preventive action (clause 8.5.3)

Please may I see your procedure on preventive actions?

Does it address the need for action to eliminate the causes of potential nonconformities in
order to prevent their occurrence?
Does it state that preventive actions must be appropriate to the effects of the potential
problems?

Does the procedure define requirements for:


(a) determining potential nonconformities and their causes?
(b) evaluating the need for action to prevent the occurrence of potential nonconformities?
(c) determining and implementing the preventive action needed?

(d) recording the results of any investigations and of any preventive actions taken
(see clause 4.2.4)?
(e) recording the results of preventive actions taken (see clause 4.2.4)?
(f) reviewing any preventive actions taken and its effectiveness?

(g) reviewing any preventive actions taken?

Appendix 1:
Quality management system mandatory procedures

This appendix includes the mandatory procedures for ISO 9001. It is recommended that any
other procedures, mandatory or otherwise, follow the same format. The mandatory procedures
are as follows.
PC 101 Control of Documents
PC 102 Control of Records
PC 103 Internal Audit
PC 104 Control of Nonconforming Product
PC 105 Corrective Action
PC 106 Preventive Action


Quality Management System Procedure

Control of Documents

Controlled Copy

Copy no:

Registered holder:

Position:

Prepared by: Approved by:

Management representative

Date: Supersedes:

PC 101 Issue 1


1. Purpose

The purpose of this procedure is to show how documents are controlled within the quality
management system.

The rigid controls that are imposed on such documents are there for a specific purpose,
namely, to ensure that only approved documents, and the latest current issue and the latest
revision of documents are in use in all locations throughout the organization.
2. Scope

This procedure applies to all the documents within the quality management system. The
framework documentation includes:

the quality manual (QM 01);
process diagrams (PD 101, etc.);
policies (PL 101, etc.);
procedures (PC 101, etc.);
work instructions (WI 101, etc.);
forms (FM 101, etc.);
external documents (ED 101, etc.);
external forms (EFM 101, etc.).


Working documents will include many other documents that need to be properly controlled.
3. Responsibilities

It is the responsibility of the management representative to control all the documentation
associated with the quality management system: the framework documents, working
documents and records.
4. Associated documents
Forms:
Control of Framework Documentation, FM 101
Acceptance of Documentation, FM 102
Register of Framework Documentation, FM 103
Framework Documentation – Change Request, FM 104
Changes to Framework Documentation, FM 105


5. Details of procedure

5.1 Control of documents

The management representative is responsible for giving final approval to all documents that
are part of the organization’s quality management system.

It is inevitable that some documents will have to be changed from time to time. These must be
reapproved by the management representative prior to being reissued to interested parties.
Changes to external documents and external forms cannot be made by the organization, but
the management representative has the responsibility of ensuring that they are properly
controlled.

5.2 Reference letters and numbers, and issue and revision numbers

5.2.1 Reference letters and numbers


The reference letters that precede reference numbers, issue numbers and revision numbers
have been allocated as follows:

QM    quality management system policy manual
PD    process diagram
PC    procedure
PT    protocol
WI    work instruction
PL    policies
FM    form
EFM   external form
ED    external document

The appendices to the quality manual provide useful information and stand-alone documents
as an important part of the quality manual.
External forms and external documents need to be considered as part of the quality
management system documentation since they might have some bearing on the quality of the
services provided by the hospital. Hence they need to be properly controlled.

Each document is given a unique reference number, e.g. 001, which follows the reference
letters. In some cases blocks of numbers, e.g. 101 to 150, are allocated to certain departments
or certain activities.
5.2.2 Issue and revision numbers
The issue number of a document is indicated by an appendage, 1, 2, 3, etc. An original page
does not have a revision status, but if a single page is altered in any way it is given a revision
appendage, e.g. Rev. 1, which indicates the first revision status of a page. Further revisions of
the same page become Rev. 2, Rev. 3, etc.
When a number of pages have undergone revision, the document can be reissued without
revision numbers, but with the grading of Issue 2, Issue 3, etc. The management representative
decides when this will be done.

Forms do not have revision numbers, only issue numbers.

External forms and external documents are listed in a logical manner by the management
representative.

5.3 Distribution of documents


Each copy of the quality manual or a procedure is given a unique copy number. When
controlled documents are despatched to a member of staff they are accompanied by form FM
101. An acceptance form, FM 102, will also be sent. This must be signed by the recipient and
returned to the management representative.

When, for instance, a procedure is reissued following a number of changes, the superseded
documents must be returned to the management representative. Single pages that have been
superseded must be destroyed by the recipient of the new pages. Such measures should
prevent the continuing use of superseded documents. If the management representative
decides to keep superseded documents for ‘knowledge preservation purposes’ or for any other
reasons, they are clearly identified as such by being stamped ‘superseded’.

It is the responsibility of the head of a unit or department to ensure that relevant versions of
applicable documents are always available at points of use. Such documents must remain
legible and be readily identifiable.

The appendices to the quality manual will change from time to time; these will be issued to
recipients in a controlled manner.
Documents of external origin are listed by the management representative. They are
distributed, and updated when necessary, in the same manner as any other documents. This
ensures that only the latest version of any external document, or external form, is being used.

The management representative uses form FM 103 to keep a record of where documents have
been sent.
5.4 Changes to documents
All staff are encouraged to make suggestions on how to improve the documents on which the
hospital’s quality management system is based. Any such changes should first be discussed with
immediate colleagues who might be affected by the proposed changes.
Requests for any changes should be made on a change request form, FM 104. This is submitted
to the management representative who after due consultation with interested parties, and
perhaps after discussion in a management review meeting, may issue an amendment to the
documentation in accordance with the steps outlined below.
Changes in a document are identified by a vertical line placed in the left hand margin,
alongside the changed line(s) or paragraph(s). When a page is changed in this way the revision
number is increased as explained above. When a further change is made on the same page
only the latest change is indicated by a vertical line.
When a number of changes have been made to a document the management representative
may decide to reprint and redistribute the document with a new issue number (with no
revision number).

Form FM 105 is also issued to staff along with any changes to the documents. Such forms
summarize the changes made to a particular document, including the latest changes. They are
intended to be retained as an appendix to the document in question, so that anyone can see
at a glance what changes have been made. As appendices, they are placed at the back of the
relevant part of the documentation.

5.5 Quality management system forms


A complete set of controlled forms will be held in a designated place accessible within the
organization. They can be copied for use as and when necessary.
Changes to forms are addressed in the same way as any changes to any other documents.


External documents and external forms are listed in a logical manner by the quality manager.

5.6 Uncontrolled documents


Each controlled document is stamped ‘controlled copy’ in red ink. Copying of the framework
documentation is not normally allowed, with the exception of external documents and
external forms, since such uncontrolled copies would defeat the whole objective of
maintaining controls on the quality management system documentation. Uncontrolled
documents can easily be identified, as the red ‘controlled copy’ stamp will either be absent or
not be red. Nevertheless, occasionally, there may be a need for extra copies of a document to
be available, e.g. for discussion purposes at a meeting. If such a need arises, copies may be
made with the approval of the management representative, but each copy should be clearly
stamped ‘uncontrolled’. The uncontrolled copies should be withdrawn from circulation as soon
as practicable.
In the case of uncontrolled copies that are issued in formulating a quality plan, the
uncontrolled copies may become an integrated part of the quality plan and as such will need
to remain in situ perhaps for some considerable time, if the quality plan becomes dormant.
However, when such a quality plan is reactivated, the project manager will obtain from the
management representative a controlled copy of the relevant document and the uncontrolled
copy will be returned.
5.7 Documents (and records) on computer

Many documents and records (see PC 102) are stored on computer. The same rules apply to
electronic storage as apply to storage of hard copy documents and records, but additional
safeguards are required in the way of back-up storage, prevention of unauthorized access to
data, as well as prevention of corruption of data, etc.
The management representative has to be satisfied that adequate controls are in place for
these purposes.
5.8 Bureaucratic documentation

The quality management system documentation must not be bureaucratic. If any member of
staff believes that a document serves little or no useful purpose, such thoughts should be aired
with colleagues with a view to getting the bureaucratic document amended or removed from
the quality management system via the management representative.


Control of Framework Documentation

To:

Listed below, and attached hereto, are controlled documents for your retention. Please
ensure that the documents are accessible to your colleagues so that there can be no
misunderstanding as to how the organization functions.

I shall be glad to receive any suggestions for improving the documentation.

If you are receiving a document which supersedes an existing one, please ensure that
you return the superseded document at the same time.

Date:

Management representative:

FM 101 Issue 1.


Acceptance of Documentation

To: the management representative

I accept the safe receipt of the following controlled documents:

I am returning the following superseded documents:

I shall be glad to receive any suggestions for improving the documentation.


If you are receiving a document which supersedes an existing one, please ensure that
you return the superseded document at the same time.

Date:

Recipient:

FM 102 Issue 1.


Register of Framework Documentation

Reference no. | Issued to | Date issued | Signature of management representative

FM 103 Issue 1. Page of


Framework Documentation – Change Request

Reference:

Proposed change:

Requested by: Date:


Position: Department:

Comments sought from:

Comments by reviewer(s):

Signature(s) of reviewer(s):

Date:

Approved/rejected
by management representative: Date:

FM 104 Issue 1.


Changes to Framework Documentation

Reference no. | Amendment/additions | Date issued | Signature of management representative

FM 105 Issue 1. Page of


Quality Management System Procedure

Control of Records

Controlled Copy

Copy no:

Registered holder:

Position:

Prepared by: Approved by:

Management representative

Date: Supersedes:

PC 102 Issue 1


1. Purpose

The purpose of this procedure is to ensure that records are established and maintained so
as to prove that the quality management system is in place; that it is working effectively in
accordance with the organization’s quality policy; and in pursuance of the organization’s policy
of maintaining and, whenever possible, improving the quality of life of all the residents.

2. Scope
This procedure applies to all the documents specified in ISO 13485 and ISO 9001 as well as
many working document records chosen by the organization. The management representative
might wish to add other records in the light of experience.

3. Responsibilities

The management representative is responsible for ensuring that records are collected, suitably
filed and stored, etc. Responsibility for records in the first instance lies with managers who
create and use the records. All staff are expected to contribute directly, or indirectly, towards
the establishment and maintenance of records during their everyday activities.
4. Associated documents
These are too diverse to list individually, since records arise from many quality management
system documents and from day-to-day operations.

5. Details of procedure
5.1 Quality records
Records arise from the many activities that occur in the organization. They provide objective
evidence as to what has happened.

ISO 13485 and ISO 9001 require, as a minimum, certain listed records to be kept and
maintained. They provide objective evidence as to what has occurred. These are records on
the following:
(a) management review meetings (see clause 5.6.1);
(b) education, training, skills and experience (see clause 6.2.2);

(c) evidence that realization processes and the resulting products meet planned arrangements
(see clause 7.1);

(d) results from the evaluation of suppliers and the necessary actions arising from the
evaluations, if applicable (see clause 7.4.1);

(e) validation of processes where the resulting output cannot be verified by subsequent
monitoring or measurement (see clause 7.5.2);
(f) results of any calibrations on equipment, if applicable (see clause 7.6);

(g) validity of any previous measurements when measuring equipment is found to be,
or suspected of being, out of calibration (see clause 7.6);

(h) results of internal audits and actions arising thereafter (see clause 8.2.2);

(i) nonconformities (see clause 8.3);


(j) corrective actions and their signing off (see clause 8.5.2);

(k) customer complaints and their outcomes (see clause 8.5.2);


(l) preventive actions and their effectiveness (see clause 8.5.3).

In addition, an organization should establish and maintain records on:

(m) changes to the quality management system’s documentation (see PC 101);


(n) documentation relating to assessments, surveillances, etc. by a certification body;

(o) monitoring of resident satisfaction;

(p) contracts;
(q) maintenance carried out within the organization that might have a bearing on the
quality of products and the services provided;

(r) quality plans;

(s) review of quality objectives (see clause 5.4.1);


(t) review of quality policy (as and when deemed necessary) (see clause 5.3);

(u) any other records that management deem should be kept for regulatory and statutory
reasons and/or for continuing quality care of residents.
5.2 Collection, care and collation of records

Everyone associated with the creation of records must ensure that they are readily identified;
are legible and remain legible; are stored appropriately; are protected from damage; and can
be easily retrieved.
The management representative is responsible for the collection and collation of records arising
directly from the quality management system documents. They also have to be satisfied that
staff are collecting and collating their records in a satisfactory manner.
Storage will initially take place in designated areas following discussion with appropriate staff.
Longer-term storage will also be decided in consultation with the management representative.

Once each year the management representative has to confirm in writing to the management
review committee that all the defined records are in place, properly filed, preserved, etc.
Many records are stored on computer. The same rules apply to electronic storage as apply to
storage of hard copy records, but additional safeguards are required in the way of back-up
storage, prevention of unauthorized access to data, prevention of corruption of data, etc. (see
procedure PC 101).
5.3 Filing of quality records

All records are filed appropriately and securely.

5.4 Access to records


Access to records will be restricted to senior staff only and those who need to have access
because of their day-to-day responsibilities. Any resident has the right to examine their own
records.

5.5 Maintenance of records


The management representative is responsible for maintaining the records directly associated
with the quality management system. Likewise, other staff who have responsibilities for
initiating records based on their day-to-day activities are also responsible for their upkeep.


5.6 Archiving of records

All records will be archived from time to time by the management representative in a manner
that will allow easy traceability and retrieval when required. Records are kept and maintained
in a sound condition for a minimum period of years, decided by the organization, except in
those cases in which records are required by law to be maintained for specific periods of time.

5.7 Disposal of quality records


Only the chief executive, or some other nominated person, in consultation with the
management representative, can give approval for the disposal of records after the stated
retention times have been exceeded. Accounting records are retained for at least seven years,
but all other records are usually disposed of after the specified times.


Quality Management System Procedure

Internal Audit

Controlled Copy

Copy no:

Registered holder:

Position:

Prepared by: Approved by:

Management representative

Date: Supersedes:

PC 103 Issue 1


1. Purpose

The purpose of this procedure is to explain how internal audits are conducted on all aspects of
the organization’s quality management system with a view to establishing that the:

quality management system complies with the requirements of ISO 13485 and ISO 9001;
quality management system is being effectively implemented and maintained;
quality management system conforms to the planned arrangements so that the
organization’s products and services are in accordance with clause 7.1.

The internal audits must be conducted at planned intervals and are intended to highlight any
problems or difficulties and afford opportunities to make approved changes.
2. Scope

This procedure applies to all the internal auditing activities that are undertaken by or on behalf
of the organization.
3. Responsibilities

It is the responsibility of the management representative, or a person nominated by the owner
of the organization, or the registered person to ensure that internal auditing is being done
satisfactorily.
4. Associated documents
Quality management system manual.

Forms:
Internal Audit Schedule, FM 121;
Register of Internal Audits, FM 122;

Internal Audit Questionnaire, FM 123;


Nonconformity or Observation Form, FM 124;
Summary – Internal Audit Report, FM 125.

5. Details of procedure
5.1 General

Internal auditing is one of the most important aspects of the organization’s quality management
system. It must be viewed in a positive manner, because internal quality auditing affords an
opportunity to all parties involved to consider ways of improving how the organization
functions.

5.2 Auditors

All auditing will be conducted by auditors who have received appropriate training. No auditor
is allowed to audit their own work, but auditors can audit work for which they are responsible.
Thus, a manager of a division, say, can audit the work of the people working for them, but the
manager cannot audit the actual work that they do. This could be done by, say, another
manager in the organization.


5.3 Planning of internal audits

The management representative ensures that there is a comprehensive schedule for internal
auditing at planned intervals, which embraces all aspects of work carried out in the
organization. Some areas of work that are key to the organization’s activities may undergo
internal auditing at frequent intervals. In addition, when an audit identifies problems,
re-auditing will be arranged in the near future on an agreed date.

The overall schedule for internal audits throughout the organization is available for all members of
staff to examine.

During the implementation of the quality management system, internal quality audits can be
carried out as soon as an activity is considered to be ready for an audit. Proper records of
findings are made of all audits, including the preliminary ones.

An internal audit schedule can be prepared on form FM 121. This schedule will show the dates
on which internal audits will be conducted in different areas of the organization.
The form will identify processes and/or activities to be audited and the corresponding
relevant areas of the two standards.

Audits can be delayed or postponed in exceptional circumstances, but only with the approval
of the chief executive or managing director and the management representative. Additional
audits will be arranged by the management representative in consultation with others when a
previous audit has proved to be unsatisfactory.
5.4 Internal audit register
Prior to any audit, the management representative will allocate a number to an audit and
record the actual date of it on the Register of Internal Audits, FM 122. All subsequent
documents associated with the particular audit will include the audit number and date.

The management representative is responsible for maintaining the register at all times so that
the status of internal audits can be readily determined at any time.
5.5 Audit questions
Prior to any audit, an auditor will prepare a number of possible questions (Internal Audit
Questionnaire, FM 123) in connection with the area being audited. These will form the basis
of the audit, but other questions may be asked in the light of what is subsequently revealed to
an auditor.

It has been made clear to all members of staff that any member of staff may be asked
questions by an auditor in order for them to determine whether the quality management
system documentation (a process, procedure, or work instruction, etc.) is being implemented
satisfactorily and whether it is effective.

5.6 Findings of internal audits


Whenever an auditor discovers that there is a discrepancy (against the requirements of either
standard, a process, procedure, or work instruction, etc.) between what is laid down and what
is actually taking place in the organization, objective evidence to this effect will be recorded on
a Nonconformity or Observation Form, FM 124. The auditee will be asked to sign the form,
thus indicating their agreement with the findings.

At the end of the audit this form is sent to the management representative after corrective and
preventive actions have been addressed.


5.7 Corrective action

The Nonconformity or Observation Form will need other entries. Someone, for instance,
will have to state on the forms what action is to be taken. On occasions this may have to be
completed after an audit; the person responsible for such action has to be named and their
signature obtained. Observations might not result in the need for action to be taken. The date
by which any changes are to be implemented also has to be given (see procedure PC 105).

5.8 Preventive action

If preventive action is to be taken, it must be entered on the Nonconformity or Observation
Form, FM 124. The person responsible for such action has to be named and their signature
obtained. The date by which the changes are to be implemented also has to be given (see
procedure PC 106).

5.9 Verification of corrective and preventive action

It is the responsibility of the management representative to add their signature to the form
once verification of the corrective action, and possibly preventive action, has been confirmed.
5.10 Summary of internal audit

After each audit the auditor will complete a summary, an Internal Audit Report (FM 125),
in which the main findings (nonconformities and observations) are recorded along with an
overall summary of the audit.
At the end of the audit all the forms are sent to the management representative.

5.11 Completion of register of internal audits


Following completion of an internal audit, the management representative will enter the
relevant information in the Register of Internal Audits, FM 122. If no nonconformities or
observations have been found, the ‘audit completed’ section can be signed off immediately;
otherwise, the audit will be signed off only when the management representative is satisfied
that the points raised have been completed satisfactorily.
5.12 Management reviews

The internal audit reports are considered at each management review meeting. They are used
as the basis for any discussions on the successful implementation of the organization’s quality
management system.
The management review committee has the authority to introduce changes via the
management representative with a view to continual improvement of the effectiveness of the
quality management system.

5.13 Quality records


All the documents associated with internal audits will form part of the organization’s quality
records. These will be retained for a minimum period specified by the chief executive or a
nominated person.

Nonconformity and Observation Forms (FM 124) will all be filed consecutively eventually, but
as an interim measure all outstanding nonconformity and observation forms will be filed
together in two groups. As each outstanding corrective action (and possibly preventive action)
is signed off by the management representative the form will be transferred to its appropriate
sequential position in the ‘closed-off’ section of the file, together with other sheets associated
with the relevant audit.

Internal Audit Schedule, 2006

Planned month Jan Feb Mar Apr May June July Aug Sept Oct Nov Dec
Actual month
Planned date
Actual date
ISO 13485 Process/activity
ISO 9001 Reference process diagrams
clause and/or
no. Name of the relevant clause


Date: Signature of management representative:


FM 121 Issue 1 Page of

Register of internal audits

Audit no. | Date of audit | Activity reference document(s) | Completion date for corrective action(s) | Completion date for preventative action(s) | Signature of management representative following verification

FM 122 Issue 1. Page of

Internal Audit Questionnaire
Audit no: Process/activity/reference documents:

Manual, process, procedure, form reference | ISO 13485 or ISO 9001 | Question | Comments

FM 123 Issue 1. Page of



Nonconformity or Observation Form


Audit no: Nonconformity or observation no:

Process/activity Reference documents Date

Nonconformity or observation (as appropriate):

Auditor: Signature:
Departmental representative: Signature:

Nonconformity – Corrective action(s) proposed or observation – Resulting in continual improvements:

Person responsible for corrective action(s) or improvements: Signature:
Date by which corrective action(s) or improvements will be implemented:

Preventive action(s) proposed (write N/A if no preventive action is proposed):

Person responsible for preventive action(s): Signature:
Date by which preventive action(s) will be implemented:

Verification of corrective action(s) and preventive action(s)/adoption or rejection of observation

Signature of management
representative: Date:

FM 124 Issue 1. Page of


Summary – Internal Audit Report


Audit no: Nonconformity or observation no:

Process/activity Reference documents Date

Nonconformity:

Observations:

Overall summary:

Auditor (print name): Signature:

FM 125 Issue 1. Page of


Quality Management System Procedure

Control of Nonconforming Product

Controlled Copy

Copy no:

Registered holder:

Position:

Prepared by: Approved by:

Management representative

Date: Supersedes:

PC 104 Issue 1


1. Purpose

The purpose of this procedure is to ensure that all nonconformities are properly documented
and followed through by corrective action(s) and possibly preventive action(s).

Nonconformities can arise from a number of sources:


the failure to follow agreed processes;

the failure to follow agreed procedures, work instructions, etc.;

during internal audits;


as a result of complaints from customers.

2. Scope

This procedure applies to all nonconformities.


3. Responsibilities

It is the responsibility of the management representative to ensure that all nonconformities are
dealt with in the manner prescribed in this procedure.
4. Associated documents

Forms:
Register of Internal Audits Form, FM 122 (see PC 103, Internal Audit)
Nonconformity or Observation Form, FM 124 (see PC 103, Internal Audit).

Register of Nonconformities (Independent of Internal Audits), FM 131


Nonconformity (Independent of Internal Audits), FM 132
Register of Complaints FM 141 (see PC 105, Corrective Action)
Complaint Form, FM 142 (see PC 105, Corrective Action)

5. Details of procedure
5.1 Nonconformities
All nonconformities found in the organization must be properly recorded. The nature of the
nonconformity and the name of the person who caused the nonconformity, if this is known,
are clearly recorded on the Nonconformity or Observation Form, FM 124 or Nonconformity
form, FM 132. In some cases, of course, the cause of nonconformity may not be the result of
any individual’s action, or inaction.

Any nonconformity in relation to a product or a service must be addressed with minimum
delay. A record must be kept of the corrective action taken on the nonconformity form.
The management representative must be kept fully informed. Only when the management
representative, or some such person, is satisfied that the nonconformity has been dealt with
satisfactorily will the form be signed off. It is retained as a record (see PC 102).

A complaint from a customer might have arisen because of a nonconformity (See PC 105).
In such cases forms FM 141 and FM 142 should be used.

The effects of the corrective action taken for the benefit of a customer must be subject to
discussion with the customer to ensure that the action taken has been effective.


All other nonconformities, whatever their source, are addressed in the same manner, except
that some might not require an immediate response in the way of corrective actions.

5.2 Review of causes of nonconformities


Nonconformities will arise for many reasons in any organization: human failure, incompetence,
disregard for procedures or other documentation, or an impractical procedure or process, etc.
which has not been properly tried and tested before its introduction.

All factual information on nonconformities must be reviewed immediately following their
discovery to ascertain the cause of nonconformities and to decide whether immediate
corrective action is required.
In some cases when a nonconformity becomes known, the chief executive must decide
whether the same nonconformity might have occurred previously with a number of other
customers.
5.3 Prevention of repetition of nonconformity

It is important to ensure that there is not a repetition of a nonconformity. The third part of the
appropriate nonconformity forms or complaint forms will be completed, if possible, perhaps
after discussion with the other interested parties, to prevent a recurrence of the nonconformity
in the future (see PC 106).
In those cases in which a single human failing has caused the nonconformity ‘N/A’
(not applicable) can be written in this section.

5.4 Verification of any corrective actions and any further actions

The nonconformity form is handed to the management representative as soon as possible.
The management representative will then sign the last section of the form once they are
satisfied that any corrective actions and any preventive actions have been carried out
satisfactorily and that the final outcome has been satisfactory.
5.5 Register of nonconformities

The management representative is responsible for maintaining the appropriate register of all
nonconformities.
5.6 Filing of nonconformities
A file will be maintained for nonconformities. The file will be divided into two parts: the first
part will contain ‘active’ nonconformities, and the second will contain those that are ‘closed’.
5.7 Management review meetings

The management representative will regularly review all factual information on
nonconformities and present, at the next management review meeting, their findings on all
the different kinds of nonconformities that have been recorded since the last meeting. The
regular management review meetings will provide an opportunity for wider discussions of any
nonconformities. Unplanned management review meetings can, of course, be called at any
time. Nonconformities based on customer complaints will require action immediately a
suspected nonconformity arises.

The meeting will consider what action to take about those reported at the last meeting that still
have to be signed off or closed.


If nonconformities are identified; if the reasons for the nonconformities are identified; if
appropriate corrective and perhaps preventive actions are taken; and if all such information is
fully documented, then the chief executive should be in a position to manage the organization
better than would otherwise be the case.

5.8 Quality records

All the documentation associated with nonconformities will form part of the organization’s
quality records.
Records on nonconformities will be maintained for a minimum period of time as specified by
the chief executive or a nominated person.


Register of Nonconformities

No. | Nonconformity | Date discovered | Signature of management representative following verification

FM 131 Issue 1. Page of


Nonconformity Form
No:

Customer:

Telephone no:
Reference no: Internal ref. no:

Nature of nonconformity:

Signature: Date discovered:

Corrective action(s) taken:

Person responsible
for corrective action(s):
Date: Signature:

Preventive action(s) proposed:

Person responsible
for preventive action(s): Signature:

Date by which preventive action(s) will be implemented:

Verification of corrective action(s) and preventive action(s)

Signature of management
representative : Date:

FM 132 Issue 1.


Quality Management System Procedure

Corrective Action
(Arising from Nonconformities and Customers’ Complaints)

Controlled Copy

Copy no:

Registered holder:

Position:

Prepared by: Approved by:

Management representative

Date: Supersedes:

PC 105 Issue 1


1. Purpose

The purpose of this procedure is to ensure that corrective action is taken to eliminate the cause of
any nonconformity in order to correct that which is going wrong or that which has gone wrong.
This procedure also applies when corrective action is taken in response to any nonconformities,
however discovered, and when complaints are received from residents or their representatives.

Corrective actions must always be appropriate to the impact of the problems encountered and
the likelihood of it happening again. For example, a vast amount of money should not be
spent after a single nonconformity or a single complaint when either is considered to be a
‘one-off’ event with a very low probability of happening again.
On the other hand if it is thought that the same, or similar, nonconformity or the same, or
similar, resident complaint might happen again sometime in the future, additional action,
preventive action, might be taken to ensure that it does not occur again. Sometimes, such
preventive action might become part of the corrective action, if the action taken is greater than
the essential corrective action necessary to put right that which was going wrong or had gone
wrong. In general it is better to think of corrective actions and preventive action as being quite
distinct and separate.

Sometimes corrective actions might require immediate attention because nonconformity in a
residential organization may have serious consequences if not dealt with immediately, and
resident complaints, even apparently trivial complaints, must be addressed without delay.
Preventive actions should be implemented as soon as is possible (see procedure PC 106,
Preventive Action).
2. Scope

This procedure applies to all nonconformities whether they are identified by a member of staff
in the organization or by a third party. It also applies to complaints whether they are received
verbally or by letter or telephone.
3. Responsibilities
It is the responsibility of the management representative to ensure that all corrective actions are
dealt with in an expeditious manner and that appropriate documentation is raised.

4. Associated documents
Forms:
Nonconformity or Observation Form, FM 124 (see PC 103)

Register of Nonconformities, FM 131 (see PC 104)

Nonconformity, FM 132 (see PC 104)


Register of Complaints, FM 141

Complaint Form, FM 142

5. Details of procedure
5.1 Corrective action in response to nonconformities

Corrective action is essentially a backwards looking phenomenon starting, at the latest, from
the time a decision is made that corrective action is necessary in order to put right that which
is going wrong or that which has gone wrong. The implementation of the corrective action may
not always be possible immediately, but it will take place as soon as possible or as appropriate
in the immediate future.

Once a nonconformity has been identified it is recorded on a prescribed form as explained in
procedures PC 103, PC 104 and this procedure.

The person who accepts responsibility for the corrective action must sign the form.
All the forms referred to above include space for ‘preventive action’ (see procedures PC 103,
PC 104 and this procedure).

Finally, the prescribed form should only be signed off by a responsible person within the
organization, usually the management representative, when they are certain that the
nonconformity has been satisfactorily dealt with from every point of view and the actions taken
have been completed in every respect.

The corrective action taken should also subsequently be reviewed to decide whether it has
been effective in dealing with the nonconformity.
5.2 Complaints by customers (PD 104)
There should be no doubt as to what is meant by a customer complaint. If anyone in the
organization feels that it is necessary to say ‘Sorry!’ to a customer, because they appear to be
aggrieved by what has happened, or, maybe, by what has not happened, then a complaint has
been received. It may appear to be an unjustifiable complaint, but if the customer evidently
thinks otherwise it would be wise to tread cautiously and to promise to investigate the
complaint without undue delay.

5.3 Corrective action in response to complaints


A Complaint Form, FM 142, similar to the forms FM 124 and FM 132, is used to deal with
every complaint. Every complaint must be recorded on the prescribed form, be it a verbal
complaint, a complaint made by telephone, by fax, by email or by letter. The form identifies
the person who has complained; the date and time of its receipt; the recipient of the
complaint; and the nature of the complaint. The form includes space to state the ‘corrective
action’ taken. The person who accepts responsibility for the corrective action must sign that
part of the form.

The form includes space for ‘preventive action’ (see procedure PC 106).
The management representative will sign the last section of the form once the complaint
process has been completed.

The management representative is responsible for maintaining the Register of Complaints,
FM 141, as is the case for the Register of Nonconformities. Similarly, all Complaint Forms
(FM 141 and 142) are systematically filed like Nonconformity forms (see procedures PC 103
and 104).

5.4 Management review meetings

The management representative will present at each management review meeting details of all
nonconformities and customer complaints, and the organization’s responses.

Such meetings will consider what action to take about those nonconformities that were
reported at the last meeting which still have to be signed off.

All complaints should have been addressed promptly. Management should look upon customer
complaints in a positive manner. They are not to be used to ostracize people, although when
incompetence has become evident, appropriate action needs to be taken by the chief
executive.

Most customers usually accept with good grace most mistakes, provided corrective action is
taken promptly. From the organization’s point of view, customer goodwill is thereby usually
retained; adverse publicity is avoided and litigation is less likely.

5.5 Quality records


All the documentation associated with corrective actions taken in connection with
nonconformities and customer complaints forms part of the organization’s quality records.


Register of Complaints

No. | Complaint | Date complaint made | Date and signature of management representative following verification

FM 141 Issue 1. Page of


Complaint Form
No:

Organization:

Complaint: Telephone no:

Nature of complaint:

Signature: Date :

Corrective action(s) taken: Justified/unjustified

Person responsible
for corrective action(s):
Date: Signature :

Preventive action(s) proposed (if any):

Person responsible
for preventive action(s): Signature:

Date by which preventive action(s) will be implemented:

Verification of corrective action(s) and preventive action(s)

Signature of management
representative: Date:

FM 142 Issue 1.


Quality Management System Procedure

Preventive Action
(Arising from Nonconformities and
Customers’ Complaints and Risk Management)

Controlled Copy

Copy no:

Registered holder:

Position:

Prepared by: Approved by:

Management representative

Date: Supersedes:

PC 106 Issue 1


1. Purpose

The purpose of this procedure is to ensure that preventive action is taken:


(i) to reduce the likelihood of an earlier, or a similar nonconformity recurring in the future;

(ii) to reduce the likelihood of an earlier, or a similar kind of resident complaint recurring in
the future;

(iii) to prevent an untoward event from occurring for the first time, as determined by Risk
Assessments (RAs) or Failure Mode and Effect Analyses (FMEAs), etc;

(iv) to prevent an untoward event from occurring for the first time because of a very high
consequence rating for a specific possible fault or mistake;

(v) to prevent an untoward event from occurring for the first time because of new
knowledge, new technology, new evidence, etc.
Preventive action must always be appropriate to the impact of the problem encountered and
the likelihood of its happening again. In the second group of possibilities, (iii) to (v), in which
an event has not yet occurred, any preventive action taken must likewise be commensurate
with the perceived likelihood of the untoward incident taking place, but also with the
seriousness of the consequences that might occur.

2. Scope
This procedure applies to all kinds of preventive actions taken by the organization.

3. Responsibilities
It is the responsibility of the management representative to ensure that all preventive actions
are dealt with in an expeditious manner and that appropriate documentation is raised.
4. Associated documents

Procedures
PC 103 Internal Audit
PC 104 Control of Nonconforming Product

PC 105 Corrective Action (arising from Nonconformities and Complaints)


Forms:

Nonconformity or Observation Form, FM 124


Nonconformity Form, FM 132

Complaint Form, FM 142

5. Details of procedure
5.1 Preventive actions

Preventive action is essentially a forwards looking phenomenon starting, at the earliest, from
the time a decision is made that corrective action is necessary to put right that which is going
wrong or has gone wrong. Action, preventive action, might then be taken to prevent a
recurrence of a nonconformity or a resident complaint.

Preventive action is also taken to prevent an untoward event from occurring for the first time.


Such preventive action might be considered necessary in the light of risk assessments and the
seriousness of the consequences identified in such risk assessments, as well as any new
evidence, new knowledge, new technology, etc. that have led the organization to believe that
an untoward event might happen in the future.

The implementation of the preventive action may not always be possible immediately, but it
should take place as soon as possible or practical.

5.2 Nonconformities and customer complaints

5.2.1 Preventive actions and nonconformities


If a decision is taken that there is a need to take preventive action this should be entered on
the Nonconformity and Observation Form, FM 124 (see procedures PC 103, Internal Audit), or
on Form FM 132 (see PC 104, Control of Nonconforming Product). The entry should give the
name of the individual responsible for carrying out the preventive action and the date by
which it is to be completed.
Sometimes preventive action is necessary because of one incident in which the outcome was
of serious consequence, or might have been of serious consequence. The case for preventive
action becomes even stronger when similar incidents have occurred before.
5.2.2 Preventive actions and customer complaints
Sometimes preventive action is necessary because of one complaint in which the outcome was
of serious consequence to a customer, or might have been. If a decision is taken that there is a
need to take preventive action this should be entered on the Complaint Form, FM 142 (see PC
105, Corrective Action).
Sometimes preventive action might be necessary because of several similar complaints, as
explained in the previous section. The case for taking preventive action becomes even stronger
when similar complaints have occurred before.
The entry on Form FM 142 should give the name of the individual responsible for carrying out
the preventive action and the date by which it is to be completed.
5.2.3 Verification of any preventive actions arising from nonconformities and complaints

In the case of preventive actions arising from nonconformities and customer complaints, the
prescribed forms (FM 124, FM 132 and FM 142) should only be signed off by a responsible
person within the organization, usually the management representative, when they are satisfied
that any proposed preventive actions have been implemented. The preventive actions must
also be reviewed to verify that the action taken has been effective in dealing with the
nonconformity or customer complaint.

5.3 Prevention of future untoward events


5.3.1 Routine planning

Resident safety in organizations is of paramount importance. Yet there are risks to be faced by
many residents in organizations. For instance, there are risks associated simply from being in,
or visiting an organization, from cross-infections. Such risks are nothing compared with the
risks incurred by all of us when outside organizations from, for example, road accidents and so
on. Nevertheless, the chief executive in an organization will have documentation in place to
minimize the risks involved in a number of areas. These will include the health and safety
policy and the fire safety policy.


Such documentation includes standard procedures and actions that should prevent any
untoward events or, at worst, minimize the effects of untoward events involving customers and
the organization’s own staff.

The management representative is responsible for ensuring that all such documentation is kept
up to date in accordance with the latest statutory and legal requirements.

The management representative is responsible for ensuring that all employees are regularly
briefed on the prevention of untoward events and on the documents that are in place for
dealing with such events. The chief executive will ensure that records are kept on all staff who
attend briefings on possible untoward events.
5.3.2 Risk Assessments (RAs): Risk Analysis Numbers

When contemplating future untoward events, it is helpful to make an estimate of the likelihood
of an untoward event happening and the resulting consequences should it happen.

Simple risk analysis is a method of combining both the likelihood and consequences of an
untoward event. The Risk Analysis Number is based on two estimated numbers.

Risk Analysis Number = qualitative measure of probability of an untoward event occurring
× qualitative measure of the consequences of its occurrence

A qualitative measure of the probability of an untoward event occurring can be rated between
1 and 10 as follows:

1. Impossible.
2. Rare. Event will occur only in exceptional circumstances.
4. Unlikely. The event could occur sometime.
6. Moderate. The event will occur at some time.
8. Likely. The event will occur.
10. Certain. The event is expected to occur sometime.

A qualitative measure of the consequence of an untoward event occurring might be rated
between 1 and 10 as follows:

1. Negligible. No injuries. No financial loss.
2. Minor. First aid treatment. Moderate financial loss.
4. Serious. Medical treatment necessary. High financial implications, etc.
6. Major. Excessive injuries. Major financial loss, etc.
8. Single death.
10. Multiple deaths.


Qualitative risk assessment matrix

Consequence \ Probability | Impossible 1 | Rare 2 | Unlikely 4 | Moderate 6 | Likely 8 | Certain 10
Negligible 1 | 1 | 2 | 4 | 6 | 8 | 10
Minor 2 | 2 | 4 | 8 | 12 | 16 | 20
Serious 4 | 4 | 8 | 16 | 24 | 32 | 40
Major 6 | 6 | 12 | 24 | 36 | 48 | 60
Death 8 | 8 | 16 | 32 | 48 | 64 | 80
Deaths 10 | 10 | 20 | 40 | 60 | 80 | 100

The two numbers chosen are multiplied together to give a Risk Analysis (RA) number. The
levels of Risk Matrix can be established using all possible combinations of numbers. Each
number provides an estimate of the probability of an untoward event happening. The higher
the number, the more serious the failure mode. The chart clearly indicates that an untoward
event has virtually ‘no risk’ at one extreme and ‘high risk’ at the other, as shown by the bold
numbers 60, 64, 80 and 100.

In cases of calculated high risk for an event happening, then preventive action, or actions, are
taken to reduce the probability of an untoward event occurring. The high risk numbers should
help an organization to get its priorities right in deciding what preventive actions (not
corrective actions) should be addressed.
5.3.3 High consequence rating
Although the calculated RA numbers are extremely useful, preventive action, or actions, are
also taken for any possible causes of failure that have been given a high consequence rating,
such as 8 and 10.
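
The scoring in 5.3.2 combined with the high consequence rule in 5.3.3, as an added example that is not part of the book: it rates a register of untoward events on the two scales above and lists those that call for preventive action. The cut-off of 60 is an assumption read from the bold matrix cells, and the register entries and function names are constructed for illustration.

```python
"""Added example: ranking a hazard register with the Risk Analysis Number."""
from dataclasses import dataclass

# Rating scales exactly as listed in section 5.3.2 of the procedure.
PROBABILITY = {"impossible": 1, "rare": 2, "unlikely": 4,
               "moderate": 6, "likely": 8, "certain": 10}
CONSEQUENCE = {"negligible": 1, "minor": 2, "serious": 4,
               "major": 6, "single death": 8, "multiple deaths": 10}

# Assumption: "high risk" means the matrix cells the page prints in bold
# (60, 64, 80, 100), i.e. an RA number of 60 or more.
HIGH_RA = 60
# Section 5.3.3: consequence ratings "such as 8 and 10" trigger on their own.
HIGH_CONSEQUENCE = 8


@dataclass(frozen=True)
class Assessment:
    event: str
    probability: int
    consequence: int
    ra_number: int
    reasons: tuple  # why preventive action is called for; empty if it is not

    @property
    def needs_preventive_action(self) -> bool:
        return bool(self.reasons)


def assess(event: str, probability: str, consequence: str) -> Assessment:
    """Score one untoward event; reject labels that are not on the scales."""
    try:
        p = PROBABILITY[probability.strip().lower()]
        c = CONSEQUENCE[consequence.strip().lower()]
    except KeyError as exc:
        raise ValueError(f"{event}: unknown rating {exc.args[0]!r}") from None
    ra = p * c  # the two ratings are multiplied to give the RA number
    reasons = []
    if ra >= HIGH_RA:
        reasons.append("high RA number")
    if c >= HIGH_CONSEQUENCE:
        reasons.append("high consequence rating")
    return Assessment(event, p, c, ra, tuple(reasons))


def prioritise(register):
    """Return the assessments that need preventive action, worst first."""
    flagged = [a for a in (assess(*row) for row in register)
               if a.needs_preventive_action]
    # Order by RA number, then by consequence, so that on equal RA numbers
    # the event with the graver outcome is listed first.
    return sorted(flagged, key=lambda a: (a.ra_number, a.consequence),
                  reverse=True)


# Constructed sample register (hypothetical events, not from the book).
SAMPLE_REGISTER = [
    ("Label misprint on outer carton", "likely", "minor"),
    ("Sterile barrier breach in transit", "moderate", "multiple deaths"),
    ("Battery overheats during charging", "rare", "single death"),
    ("Calibration drift between services", "certain", "major"),
    ("Spare fuse missing from kit", "moderate", "negligible"),
]

if __name__ == "__main__":
    for a in prioritise(SAMPLE_REGISTER):
        print(f"{a.ra_number:>3}  {a.event}: {', '.join(a.reasons)}")
```

The battery entry scores only 16, the same as the label misprint, yet it is still listed because of its consequence rating of 8; that is the case 5.3.3 exists to catch.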

5.3.4 Other risk management techniques


Other risk management techniques are available for enthusiasts in risk management. One such
technique is known as Failure Mode and Effect Analysis (FMEA). This is a little more
sophisticated than the simple technique referred to above and is based on three estimated
numbers, not two.

5.3.5 New evidence, new knowledge, etc.


Sometimes new evidence comes to light, new knowledge or the availability of new technology,
etc., that suggests that preventive action should be taken to prevent what hitherto was not
considered to be a likelihood of an untoward event occurring.

5.4 Records

All changes arising from preventive actions will be recorded and maintained for future
reference.
