Iso Module Two
Iso Module Two
8.3.1 General The organization shall establish, implement and maintain a design and development
process that is appropriate to ensure the subsequent provision of products and services.
8.3.2 Design and development planning In determining the stages and controls for design and
development, the organization shall consider:
a) the nature, duration and complexity of the design and development activities;
b) the required process stages, including applicable design and development reviews;
d) the responsibilities and authorities involved in the design and development process;
e) the internal and external resource needs for the design and development of products and
services;
f) the need to control interfaces between persons involved in the design and development process;
g) the need for involvement of customers and users in the design and development process; h) the
requirements for subsequent provision of products and services;
i) the level of control expected for the design and development process by customers and other
relevant interested parties;
j) the documented information needed to demonstrate that design and development requirements
have been met.
8.3.3 Design and development inputs The organization shall determine the requirements essential
for the specific types of products and services to be designed and developed. The organization shall
consider:
e) potential consequences of failure due to the nature of the products and services.
Inputs shall be adequate for design and development purposes, complete and unambiguous.
Conflicting design and development inputs shall be resolved. The organization shall retain
documented information on design and development inputs
The organization shall apply controls to the design and development process to ensure that:
b) reviews are conducted to evaluate the ability of the results of design and development to meet
requirements;
c) verification activities are conducted to ensure that the design and development outputs meet the
input requirements;
d) validation activities are conducted to ensure that the resulting products and services meet the
requirements for the specified application or intended use;
e) any necessary actions are taken on problems determined during the reviews, or verification and
validation activities;
b) are adequate for the subsequent processes for the provision of products and services;
d) specify the characteristics of the products and services that are essential for their intended
purpose and their safe and proper provision.
The organization shall retain documented information on design and development outputs
The organization shall identify, review and control changes made during, or subsequent to, the
design and development of products and services, to the extent necessary to ensure that there is no
adverse impact on conformity to requirements. The organization shall retain documented
information on:
8.4.1 General
The organization shall ensure that externally provided processes, products and services conform to
requirements. The organization shall determine the controls to be applied to externally provided
processes, products and services when:
a) products and services from external providers are intended for incorporation into the
organization’s own products and services;
b) products and services are provided directly to the customer(s) by external providers on behalf of
the organization;
The organization shall ensure that externally provided processes, products and services do not
adversely affect the organization’s ability to consistently deliver conforming products and services to
its customers. The organization shall:
a) ensure that externally provided processes remain within the control of its quality management
system;
b) define both the controls that it intends to apply to an external provider and those it intends to
apply to the resulting output;
1) the potential impact of the externally provided processes, products and services on the
organization’s ability to consistently meet customer and applicable statutory and regulatory
requirements;
2) the effectiveness of the controls applied by the external provider; d) determine the
verification, or other activities, necessary to ensure that the externally provided processes, products
and services meet requirements.
The organization shall ensure the adequacy of requirements prior to their communication to the
external provider. The organization shall communicate to external providers its requirements for:
f) verification or validation activities that the organization, or its customer, intends to perform at
the external providers’ premises.
c) the implementation of monitoring and measurement activities at appropriate stages to verify that
criteria for control of processes or outputs, and acceptance criteria for products and services, have
been met;
d) the use of suitable infrastructure and environment for the operation of processes;
f) the validation, and periodic revalidation, of the ability to achieve planned results of the processes
for production and service provision, where the resulting output cannot be verified by subsequent
monitoring or measurement;
The organization shall use suitable means to identify outputs when it is necessary to ensure the
conformity of products and services. The organization shall identify the status of outputs with
respect to monitoring and measurement requirements throughout production and service provision.
The organization shall control the unique identification of the outputs when traceability is a
requirement, and shall retain the documented information necessary to enable traceability
The organization shall exercise care with property belonging to customers or external providers while
it is under the organization’s control or being used by the organization. The organization shall
identify, verify, protect and safeguard customers’ or external providers’ property provided for use or
incorporation into the products and services. When the property of a customer or external provider
is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the
customer or external provider and retain documented information on what has occurred.
NOTE
A customer’s or external provider’s property can include materials, components, tools and
equipment, premises, intellectual property and personal data.
8.5.4 Preservation
The organization shall preserve the outputs during production and service provision, to the extent
necessary to ensure conformity to requirements.
NOTE Preservation can include identification, handling, contamination control, packaging, storage,
transmission or transportation, and protection.
The organization shall meet requirements for post-delivery activities associated with the products
and services. In determining the extent of post-delivery activities that are required, the organization
shall consider:
b) the potential undesired consequences associated with its products and services;
c) the nature, use and intended lifetime of its products and services;
d) customer requirements;
e) customer feedback.
NOTE Post-delivery activities can include actions under warranty provisions, contractual obligations
such as maintenance services, and supplementary services such as recycling or final disposal.
The organization shall review and control changes for production or service provision, to the extent
necessary to ensure continuing conformity with requirements. The organization shall retain
documented information describing the results of the review of changes, the person(s) authorizing
the change, and any necessary actions arising from the review
The organization shall implement planned arrangements, at appropriate stages, to verify that the
product and service requirements have been met. The release of products and services to the
customer shall not proceed until the planned arrangements have been satisfactorily completed,
unless otherwise approved by a relevant authority and, as applicable, by the customer
The organization shall retain documented information on the release of products and services. The
documented information shall include:
8.7.1 The organization shall ensure that outputs that do not conform to their requirements are
identified and controlled to prevent their unintended use or delivery.
The organization shall take appropriate action based on the nature of the nonconformity and its
effect on the conformity of products and services. This shall also apply to nonconforming products
and services detected after delivery of products, during or after the provision of services. The
organization shall deal with nonconforming outputs in one or more of the following ways:
a) correction;
d) obtaining authorization for acceptance under concession. Conformity to the requirements shall
be verified when nonconforming outputs are corrected.
9.1.1 General
b) the methods for monitoring, measurement, analysis and evaluation needed to ensure valid
results;
d) when the results from monitoring and measurement shall be analysed and evaluated. The
organization shall evaluate the performance and the effectiveness of the quality management
system. The organization shall retain appropriate documented information as evidence of the results
The organization shall monitor customers’ perceptions of the degree to which their needs and
expectations have been fulfilled. The organization shall determine the methods for obtaining,
monitoring and reviewing this information.
NOTE Examples of monitoring customer perceptions can include customer surveys, customer
feedback on delivered products and services, meetings with customers, market-share analysis,
compliments, warranty claims and dealer reports
The organization shall analyse and evaluate appropriate data and information arising from
monitoring and measurement. The results of analysis shall be used to evaluate:
9.2.1 The organization shall conduct internal audits at planned intervals to provide information on
whether the quality management system:
a) conforms to:
a) plan, establish, implement and maintain an audit programme(s) including the frequency, methods,
responsibilities, planning requirements and reporting, which shall take into consideration the
importance of the processes concerned, changes affecting the organization, and the results of
previous audits;
c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
d) ensure that the results of the audits are reported to relevant management;
f) retain documented information as evidence of the implementation of the audit programme and
the audit results.
how to apply the major areas of ISO 19011, impartiality during audit
Audit results can provide input to the analysis aspect of business planning, and can contribute to the
identification of improvement needs and activities.
An audit can be conducted against a range of audit criteria, separately or in combination, including but
not limited to:
This document provides guidance for all sizes and types of organizations and audits of varying scopes
and scales, including those conducted by large audit teams, typically of larger organizations, and
those by single auditors, whether in large or small organizations. This guidance should be adapted as
appropriate to the scope, complexity and scale of the audit programme.
This document concentrates on internal audits (first party) and audits conducted by organizations on
their external providers and other external interested parties (second party). This document can also
be useful for external audits conducted for purposes other than third party management system
certification. ISO/IEC 17021-1 provides requirements for auditing management systems for third party
certification; this document can provide useful additional guidance (see Table 1).
Table 1 — Different types of audits
10.2.1 When a nonconformity occurs, including any arising from complaints, the organization shall:
a) react to the nonconformity and, as applicable:
b) evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does
not recur or occur elsewhere, by:
9.3.1 General
Top management shall review the organization’s quality management system, at planned intervals,
to ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction
of the organization.
The management review shall be planned and carried out taking into consideration:
b) changes in external and internal issues that are relevant to the quality management system;
c) information on the performance and effectiveness of the quality management system, including
trends in:
6) audit results;
e) the effectiveness of actions taken to address risks and opportunities (see 6.1);
The outputs of the management review shall include decisions and actions related to:
c) resource needs.
The organization shall retain documented information as evidence of the results of management
reviews.
Quality management system and terms and definitions
terms and definitions related to quality management systems (QMS) in ISO 13485, which is the
international standard for medical device quality management:
These terms and definitions provide a foundation for understanding the key concepts within ISO
13485 and quality management systems in the context of medical devices.
Work environment
Review of requirements related to the product
Validation of processes
Preservation of property
ISO 13485 ISO 9001
The organization shall establish and The organization shall establish and
maintain the quality management system maintain the quality management system
documented and implemented within the documented and implemented within the
organization with conformity to the organization with conformity to the
requirements of the ISO 13485 Standard requirements of the ISO 9001 Standard
The organization is required to maintain the The organization is required to act
effectiveness of the quality management continually to improve the effectiveness of
system the quality management system
While establishing the quality management While documenting its quality management
system the organization shall refer to the system, the organization shall refer to the
following issues: following issues:
The main processes of the quality The main processes of the quality
management system shall be identified and management system shall be identified and
documented according to the application of documented according to the application of
the standard (chapter 1.2). The identified the standard (chapter 1.2). The identified
processes must be implemented processes must be implemented
The relations, applications, and sequences The relations, applications, and sequences
between the processes will be defined and between the processes will be defined and
implemented implemented
Methods and criteria for effective Methods and criteria for effective
monitoring and control of the processes will monitoring and control of the processes will
be defined and applied be defined and applied
Any resources and information needed for Any resources and information needed to
supporting these processes shall be support these processes shall be adequate
adequate and available and available
The processes will be controlled, The processes will be controlled,
monitored, measured, and analyzed monitored, measured, and analyzed
according to prior specifications according to prior specifications
The organization will implement specific The organization will implement specific
measures for obtaining improvement: measures for obtaining improvement:
achievement of objectives and achievement of objectives and
maintenance of effectiveness maintenance of effectiveness
The processes will be planned, The processes will be planned,
implemented, and realized according to the implemented, and realized according to the
requirements of the ISO 13485 Standard requirements of the ISO 9001 Standard
Outsourced processes that have a direct Outsourced processes that have a direct
affect on the product’s quality shall be affect on the product’s quality shall be
included in the quality management system included in the quality management system
and shall be submitted to control and and shall be submitted to control and
monitoring as well as for continual monitoring as well as for continual
improvement improvement
Subclause 4.2.1 is a general paragraph presenting the main documentation requirements of a quality
management system according to the ISO 13485 standard.
• The achievement of unity and equality between all the organizational units
The quality manual is a document with a clear goal: to introduce and communicate the
intentions,scope, and structure of a quality management system in an organization.
Medical device file
The organization must maintain a specific file describing the documents for the medical device
specifications. Such a file is often referred to as a Technical File or Device Master Record (DMR).
This file will serve as a table of contents of specific documentations required for obtaining
materials, components, and specifications for manufacturing, and realization evaluation and
control of a specific medical device.
The objective of such a file is to refer each of the organizational participants to one definite
location or file that contains master records and specifications relevant to the medical device.
This is a key element of a quality management system. In order to achieve document control, a
method must be maintained. The main idea is to provide control over the documents under the
quality management system and to eliminate any confusions and mix ups of different documents
from different sources.
A Documented Method
The standard demands a method for controlling the documentation that serves the organization
for the purpose of effective planning, operations, performance, and control of process.
Definition of Document
The organization needs to distinguish between documents that will be controlled and documents
that will not be included under the QMS
• Communication of information
I suggest a table that will specify all the documents under the QMS. The fields of the table are:
• Identification number
• Description or name
• Media
• Location
• Internal/external
Each document used by the organization must be supervised, reviewed, and approved before
submission for use. The objective isto ensure that the document was appropriately designed, is
suitable for working, and will assist the organization in meeting the medical device objectives as
well as regulatory requirements.
Identification of Documents
Any document (internal or external) must be identified. Documents must have a name, catalogue
number, or other means of identification: an element that can identify it and submit it to the
control.
The method shall ensure that documents will remain safe and available for use.
Updated and Revised Documents (and Their Status)
The method must ensure that the latest version is always the version in use—and not an older
one. Therefore you must define a method for maintaining updated versions and elimination of
use of older versions.
Changes as a Necessity
The standard demands that documents will be periodically reviewed and reapproved according
to need.
You need to identify these events and request initiation of a change, review the change and its
consequences, and reapprove the document. The method will determine:
• Identification of parties, roles, and authorities needed for the review and approval
• Method of review: what are the inputs, where and when will the review take place
• Submission to the process of removing obsolete editions, and distributing and implanting the
new one
Document Removal
The method will ensure the use of updated documents throughout the organization, in work
stations, departments, or any other locations where the documents are stored. It will be
achieved with the removal of invalid documents and their replacement with the updated ones.
The input for the removal activity will be a change on a document. The method will include the
following steps:
• The second stage is the evaluation of the removal: where or which organizational units use the
document.
• The physical removal itself: from the work station or from a server.
Each document will be available to the relevant role or function at the point of use. Defining the
availability and distribution of documents must include the following:
• Location of the document: Where must a document be kept before and after use
Archiving
Activities for archiving old documents and obsolete editions will be determined. It is necessary to
define what is to be done with old versions that are not updated, how one handles them, and
whether they are to be disposed of or archived. Invalid documents that are not disposed of are
to be indicated or marked.
Retention Time
For obsolete editions of a document, it is necessary to define the retention time according to the
following conditions:
• The retention time will be as short as the lifetime of the relevant medical device (the medical
device that the document relates to) as defined by the manufacturer.
• When regulatory requirements set retention time for obsolete documents, according to the
type of the relevant medical device, the retention time will be set accordingly.
• In any case, retention time of an obsolete edition of a document will not be less than the
lifetime of records that relate to this obsolete edition of a document.
Control of Records